Penetration Testing mailing list archives
RE: Application & Iplanet/Apache web server vulnerability and penetration testing
From: "Cox, Michael" <mscox () ti com>
Date: Tue, 17 Sep 2002 08:33:58 -0500
2) The NIST has a doc here http://csrc.nist.gov/publications/drafts.html called "Special Publication 800-44, Guidelines on Securing Public Web Servers." The NSA has guides on iPlanet and Apache here http://nsa1.www.conxion.com/support/download.htm.

3) There's a guide due out in October from these good people http://www.owasp.org/. There are a couple of recent books that look good, but I've just received them so I can't comment in detail: _Hacking Web Applications Exposed_ and _Web Hacking: Attacks and Defense_.

Regards,
Michael
-----Original Message-----
From: Steven Walker [mailto:swalker7799 () yahoo com]
Sent: Monday, September 16, 2002 12:05 PM
To: Pen-Test Security Focus
Subject: Application & Iplanet/Apache web server vulnerability and penetration testing
Importance: High

Dear Group,

I have been given a project to perform web application vulnerability testing on iPlanet and Apache web servers. The servers run on NT/2000, Solaris 2.7-8 (iPlanet) and Linux, Solaris (Apache). In-house tools are Whisker, WHArenal, NMAP, NESSUS. I have only used NMAP and NESSUS so far for firewall and internal network testing. I am at a loss at where to start the process and am trying to determine if additional tools are needed.

1. I would obviously harden the web server OSes by closing unnecessary ports, ensuring proper patch levels, getting rid of rhosts and hosts.equiv files, enforcing password policies, limiting accounts, using ssh for administration, etc.

2. I don't know what to do on the web servers other than delete example scripts and ensure default passwords are changed to stronger ones. Are there any links that you know of that would provide a checklist of iPlanet and Apache vulnerability checks? Are there any recommended tools that can automate this process? Any suggestions on iPlanet and Apache security?

3. Regarding web applications, I will be expected to test applications before they go into production. I know to test for buffer overflows by inputting unexpected characters into fields. Beyond that, what advice could you give or methodology could you direct me to?

Jobs are tough to find out there; I could use your help in keeping this one. Thanks to all of you who will help me.

Sincerely,
Steven M. Walker CISSP, GSEC, ABCP
Security Specialist
44 W. Douglas Dr.
Saint Peters, MO 63376
Office: 636.279.2206
Home: 636.278.8004

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
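The original poster asks for a way to automate the host-side part of his checklist (leftover rhosts/hosts.equiv trust files, default example CGI scripts, and basic Apache hardening). The script below is an added example written for this archive page; it is not code from either message and not a tool either poster used. It audits a directory tree and an httpd.conf for those items. The host layout it builds (a /usr/local/apache tree, a "steven" home directory, test-cgi and printenv as the sample CGI scripts) is a constructed demo, and the file names and the ServerTokens/ServerSignature directives it checks are this example's choices, not anything the thread specifies; on a real host you would pass "/" and the real httpd.conf path.

```shell
#!/bin/sh
# Added example for the list thread above (not the posters' own code).
# Audits a filesystem tree and an Apache httpd.conf for a few items from
# the hardening checklist: r-services trust files, default CGI example
# scripts, and version-disclosure directives.  Paths are assumptions for
# the demo; on a real host use "/" and the real httpd.conf.

# audit_host ROOT HTTPD_CONF
# Prints one "FINDING: ..." line per problem and returns the number of
# findings as its exit status (0 means clean), so it can gate a script.
audit_host() {
    root="$1"
    conf="$2"
    n=0

    # 1. Trust files used by rsh/rlogin: ~/.rhosts and /etc/hosts.equiv.
    #    (Paths with whitespace would need find -exec; fine for the demo.)
    for f in $(find "$root" -type f \( -name .rhosts -o -name hosts.equiv \) 2>/dev/null); do
        echo "FINDING: r-services trust file present: $f"
        n=$((n + 1))
    done

    # 2. Default Apache CGI samples left in a cgi-bin directory.
    for f in $(find "$root" -type f -path '*/cgi-bin/*' \( -name test-cgi -o -name printenv \) 2>/dev/null); do
        echo "FINDING: default CGI example script present: $f"
        n=$((n + 1))
    done

    # 3. httpd.conf: "ServerTokens Prod" and "ServerSignature Off" keep the
    #    Server header and error pages from revealing version and modules.
    if [ -f "$conf" ]; then
        grep -iq '^[[:space:]]*ServerTokens[[:space:]]*Prod' "$conf" || {
            echo "FINDING: ServerTokens not set to Prod in $conf"
            n=$((n + 1))
        }
        grep -iq '^[[:space:]]*ServerSignature[[:space:]]*Off' "$conf" || {
            echo "FINDING: ServerSignature not Off in $conf"
            n=$((n + 1))
        }
    else
        echo "FINDING: httpd.conf not found at $conf"
        n=$((n + 1))
    fi
    return "$n"
}

# make_demo_tree DIR: constructed sample host tree with deliberate problems,
# so the audit can be exercised without touching a real server.
make_demo_tree() {
    d="$1"
    mkdir -p "$d/etc" "$d/home/steven" "$d/usr/local/apache/cgi-bin" "$d/usr/local/apache/conf"
    : > "$d/etc/hosts.equiv"
    : > "$d/home/steven/.rhosts"
    : > "$d/usr/local/apache/cgi-bin/test-cgi"
    : > "$d/usr/local/apache/cgi-bin/printenv"
    printf 'ServerTokens Full\nServerSignature On\n' > "$d/usr/local/apache/conf/httpd.conf"
}

# fix_demo_tree DIR: the remediation the findings call for.
fix_demo_tree() {
    d="$1"
    rm -f "$d/etc/hosts.equiv" "$d/home/steven/.rhosts"
    rm -f "$d/usr/local/apache/cgi-bin/test-cgi" "$d/usr/local/apache/cgi-bin/printenv"
    printf 'ServerTokens Prod\nServerSignature Off\n' > "$d/usr/local/apache/conf/httpd.conf"
}

# Demo run against the constructed tree: 6 findings, then 0 after the fix.
demo="${TMPDIR:-/tmp}/audit-demo.$$"
make_demo_tree "$demo"
audit_host "$demo" "$demo/usr/local/apache/conf/httpd.conf" && before=0 || before=$?
echo "findings before fix: $before"
fix_demo_tree "$demo"
audit_host "$demo" "$demo/usr/local/apache/conf/httpd.conf" && after=0 || after=$?
echo "findings after fix: $after"
rm -rf "$demo"
```

The exit-status convention means a deployment script can write `audit_host / /usr/local/apache/conf/httpd.conf || exit 1` and refuse to bring a box into production until the findings are cleared. The checks are deliberately a small subset; the NIST and NSA guides Michael points to above are the fuller lists to extend it from.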
Current thread:
- RE: Application & Iplanet/Apache web server vulnerability and penetration testing Cox, Michael (Sep 18)
- RE: Application & Iplanet/Apache web server vulnerability and penetration testing Dave Piscitello (Sep 19)
- Re: Application & Iplanet/Apache web server vulnerability and penetration testing Riley Hassell (Sep 19)