PaulDotCom mailing list archives
Scanning for phpMyAdmin
From: paul at pauldotcom.com (Paul Asadoorian)
Date: Tue, 04 Aug 2009 09:21:36 -0400
Tom Brennan - Personal wrote:

> and of course there can be no other issues in a webapp if nikto can't find them :) Nmap+Nessus+Nikto is a good way to find network-layer (aka known problems on known systems) issues for low cost, or CVEs

Nessus now supports web application testing; it will perform a spider and fuzz parameters of any web apps. It's not a substitute for manual testing.

> When you have a custom-developed website (example: www.ALLWEBSITES.xxx), you need to look at logic flows, dynamic forms and others such as http://www.webappsec.org/projects/threat/classes_of_attack.shtml; think CWE: http://cwe.mitre.org/

My suggestions in previous posts were specifically targeted for phpMyAdmin, NOT a custom web app. For a custom web app, that is an entirely different conversation.

> Since 2001, OWASP (www.owasp.org) also has well-known resources such as the OWASP Top 10, Developer Guide, WebGoat, SAMM and 50+ others, for FREE

Yes, and Nessus can log into a system and check the configuration against the OWASP Top Ten list :)

> If you have a custom webapp and don't think you have any webapp issues, I've got $20 bucks; who wants to bet?

I completely agree :)

Cheers,
Paul

--
Paul Asadoorian
PaulDotCom Enterprises
Web: http://pauldotcom.com
Phone: 401.829.9552
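An added example, not from this thread or from any of the tools discussed in it: the "known system, known problem" side of the discussion (scanning for phpMyAdmin specifically) boils down to probing a handful of common install paths and fingerprinting the response. The Python below does that with only the standard library; the candidate paths, the HTML/cookie/JS markers and the sample responses are assumptions constructed for the example, so tune them against a real install before relying on them. It reports the version string it finds for you to cross-check against the vendor's release history; it does not, as Paul notes for custom apps, replace manual testing.

```python
"""Probe a host for phpMyAdmin and fingerprint the version from the response.

Added example, not code from the thread or from Nessus/Nikto/Nmap.
Paths, markers and sample bodies below are assumptions, not vendor facts.
"""
import re
import urllib.error
import urllib.request

# Assumed common install locations; extend from your own wordlist.
CANDIDATE_PATHS = ["/phpmyadmin/", "/phpMyAdmin/", "/pma/", "/myadmin/", "/mysql/"]

# Assumed markers: page title, "pma..." session cookies, and PMA_* JS globals.
TITLE_RE = re.compile(r"<title>[^<]*phpMyAdmin[^<]*</title>", re.I)
VERSION_RE = re.compile(r"phpMyAdmin\s+v?(\d+(?:\.\d+){1,3})")
COOKIE_RE = re.compile(r"\bpma[A-Za-z_]*=", re.I)   # e.g. pma_lang=, pmaCookieVer=
JS_RE = re.compile(r"\bPMA_[A-Za-z_]+")             # e.g. PMA_VERSION, PMA_commonParams


def fingerprint(status, headers, body):
    """Return (is_phpmyadmin, version_or_None) for one HTTP response.

    headers is an iterable of (name, value) pairs, as urllib returns them.
    A score of 2+ from independent markers is required, so a page that
    merely mentions the word phpMyAdmin in its text is not a hit.
    """
    if status not in (200, 401, 403):
        return False, None
    score = 0
    if TITLE_RE.search(body):
        score += 2
    set_cookie = " ".join(v for k, v in headers if k.lower() == "set-cookie")
    if COOKIE_RE.search(set_cookie):
        score += 2
    if JS_RE.search(body):
        score += 1
    m = VERSION_RE.search(body)
    version = m.group(1) if m else None
    if version:
        score += 1
    return score >= 2, version


def version_tuple(version):
    """'2.11.9.5' -> (2, 11, 9, 5), so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def is_older(found, baseline):
    """True if the found version is below the baseline you consider acceptable."""
    return version_tuple(found) < version_tuple(baseline)


def probe(base_url, paths=CANDIDATE_PATHS, timeout=5):
    """Request each candidate path and return [(url, version)] for hits.

    This is the only function that touches the network; fingerprint() is
    pure so it can be exercised offline on captured responses.
    """
    hits = []
    for path in paths:
        url = base_url.rstrip("/") + path
        req = urllib.request.Request(url, headers={"User-Agent": "pma-check/0.1"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                status = resp.status
                hdrs = resp.getheaders()
                body = resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:          # 401/403/404 still carry a body
            status = err.code
            hdrs = list(err.headers.items())
            body = err.read().decode("utf-8", "replace")
        except (urllib.error.URLError, OSError):
            continue                                    # host down, TLS error, timeout
        found, version = fingerprint(status, hdrs, body)
        if found:
            hits.append((url, version))
    return hits


# Constructed sample responses (not captured from a real host) for offline use.
SAMPLE_PMA_HEADERS = [("Content-Type", "text/html"), ("Set-Cookie", "pma_lang=en; path=/")]
SAMPLE_PMA_BODY = (
    '<html><head><title>phpMyAdmin 2.11.9.5</title>'
    '<script>var PMA_VERSION = "2.11.9.5";</script></head>'
    '<body>Welcome to phpMyAdmin</body></html>'
)
SAMPLE_DEFAULT_BODY = (
    "<html><head><title>Apache2 Default Page: It works</title></head>"
    "<body>It works!</body></html>"
)

if __name__ == "__main__":
    print(fingerprint(200, SAMPLE_PMA_HEADERS, SAMPLE_PMA_BODY))
    print(fingerprint(200, [("Content-Type", "text/html")], SAMPLE_DEFAULT_BODY))
    # print(probe("http://192.0.2.10"))   # point at a host you are authorized to test
```

Run `probe()` only against hosts you are authorized to scan; the score threshold is deliberately conservative so a default page or a help article that mentions phpMyAdmin does not register as an install.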
Current thread:
- Scanning for phpMyAdmin John Hoyt (Aug 03)
- Scanning for phpMyAdmin Robin Wood (Aug 03)
- Scanning for phpMyAdmin Nathan Sweaney (Aug 03)
- Scanning for phpMyAdmin Paul Asadoorian (Aug 03)
- Scanning for phpMyAdmin Paul Asadoorian (Aug 03)
- Scanning for phpMyAdmin Tom Brennan - Personal (Aug 03)
- Scanning for phpMyAdmin Paul Asadoorian (Aug 04)
- Scanning for phpMyAdmin Paul Asadoorian (Aug 03)
- Scanning for phpMyAdmin Jim Halfpenny (Aug 03)
- <Possible follow-ups>
- Scanning for phpMyAdmin infolookup at gmail.com (Aug 03)