PaulDotCom mailing list archives

Scanning for phpMyAdmin


From: paul at pauldotcom.com (Paul Asadoorian)
Date: Tue, 04 Aug 2009 09:21:36 -0400



Tom Brennan - Personal wrote:
> and of course there can be no other issues in a webapp if nikto can't
> find them :)

> Nmap+Nessus+Nikto is a good way to find Network Layer aka known problems
> on known systems for low cost or CVE

Nessus now supports web application testing; it will perform a spider
and fuzz parameters of any web apps.  It's not a substitute for manual
testing.


> When you have a custom developed website (example:
> www.ALLWEBSITES.xxx), you need to look at logic flows, dynamic forms
> and others such as
> http://www.webappsec.org/projects/threat/classes_of_attack.shtml
> Think CWE: http://cwe.mitre.org/

My suggestions in previous posts were specifically targeted at
phpMyAdmin, NOT a custom web app.  For a custom web app, that is an
entirely different conversation.

> Since 2001, OWASP www.owasp.org also has well known resources such as
> the OWASP Top 10, developer guide, WebGoat, SAMM and 50+ others for FREE

Yes, and Nessus can log into a system and check the configuration
against the OWASP top ten list :)

> If you have a custom webapp and don't think you have any webapp
> issues, I've got $20 bucks; who wants to bet?

I completely agree :)

Cheers,
Paul

-- 
Paul Asadoorian
PaulDotCom Enterprises
Web: http://pauldotcom.com
Phone: 401.829.9552

