Re: Application & Iplanet/Apache web server vulnerability and penetration testing

["Kevin Spett" <kspett () spidynamics com>]

Moderator: I know recommendations for commercial tools are generally
rejected, but this is what the person is asking for and would be relevent to
any security professionals interested in this poster's questions.

WebInspect is designed specifically for this kind of situation.  It has
checks for over 3,000 checks (no marketting BS), including ones for all
remotely detectable vulnerabilities in popular software, such as Apache and
iPlanet (which is built on top of Netscape) and a comprehensive unknown
application testing methodology.  This includes everything from checking for
backup files to parameter manipulation attacks to common ACL bypass and
source disclosure methods, just to name a few.  It also has very
sophisticated tools for use in manual attacks, such as a great request
editor, policy editor, etc.

There's a free download available: http://www.spidynamics.com/download.html


Kevin Spett
SPI Labs, Inc.
http://www.spidynamics.com/

----- Original Message -----
From: "Steven Walker" <swalker7799 () yahoo com>
To: "Pen-Test Security Focus" <pen-test () securityfocus com>
Sent: Monday, September 16, 2002 1:05 PM
Subject: Application & Iplanet/Apache web server vulnerability and
penetration testing


> Dear Group,
>
> I have been given a project to perform web application vulnerability
testing
> on iPlanet and Apache web servers.  The servers run on NT/2000, Solaris
> 2.7-8, (iPlanet) and Linux, Solaris (Apache).
>
> In house tools are Wisker, WHArenal, NMAP, NESSUS.  I have only used NMAP
> and NESSUS so far for firewall and internal network testing.
>
> I am at a loss at where to start the process and am trying to determine if
> additional tools are needed.
>
> 1. I would obviously harden the web server OS's by closing unnecessary
> ports, ensuring proper patch levels, getting rid of rhost and equiv files,
> enforcing password policies, limiting accounts, use ssh for
administration,
> etc.
>
> 2. I don't know what to do on the web servers other than delete example
> scripts and ensure default passwords are changed to stronger ones.  Are
> there any links that you know of that would provide a checklist of iPlanet
> and Apache vulnerability checks.  Are there any recommended tools that can
> automate this process?  Any suggestions on iPlanet and Apache security?
>
> 3. Regarding web applications, I will be expected to test applications
> before they go into production.  I know to test for buffer overflows buy
> inputting non expected characters into fields.  Beyond that what advice
> could you give or methodology could you direct me too.  Jobs are tough to
> find out there, I could use your help in keeping this one.  Thanks for all
> of you who will help me.
>
> Sincerely
>
> Steven M. Walker  CISSP, GSEC, ABCP
> Security Specialist
> 44 W. Douglas Dr.
> Saint Peters, MO 63376
> Office:  636.279.2206
> Home: 636.278.8004
>
>
>
>
> --------------------------------------------------------------------------
--
> This list is provided by the SecurityFocus Security Intelligence Alert
(SIA)
> Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please
see:
> https://alerts.securityfocus.com/


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/