RE: Penetration test of 1 IP address

["Beau Mersereau" <bm () fr com>]

Webblaze is the browser based version of Summation.  It only runs on
IIS.  Most likely the back end will not be a SQL based database.  While
Summation does have a SQL back end for their product, very few law firms
are running the SQL back end.  SQL back end product is fairly new.  The
DB is fairly proprietary.

http://www.ctsummation.com/

Summation is used for Litigation Support. 

-----Original Message-----
From: Ailton Caetano [mailto:guerrilha () gmail com] 
Sent: Thursday, February 09, 2006 6:51 AM
To: pen-test () securityfocus com
Subject: Re: Penetration test of 1 IP address

Hi you all,

Well, google told webblaze is a web aplication used by Law firms written
in asp (its login page is login.aspx), so they must be running some
version of IIS. Trying to access a non-existent folder could give you
the web server's name and version. You should also look for some sql
injection possibility on the login page...





2006/2/8, Dave <dlaud.flux () gmail com>:
> > To all:
> >
> > I have been asked to perform a security audit of 1 IP address for
client.
> > They have given me the 1 IP address and a clue (webblaze).
> >
> > If I enter the IP address and then /webblaze, I am taken to a login 
> > page (user name and password requested).
> >
> > What tools would you recommend that I use for this assignment?
> nmap and nessus will tell you more about the IP and what other 
> services are running that you might be able to exploit. If they just 
> want you to test the strength of the webpage login then possibly using

> Brutus will reveal weak passwords etc... although this is generally a
bad idea.
> Right off hand, I cant look now, but webblaze may be a publicly 
> available script...download it and check the source for any possible 
> coding errors that could be exploited.
>
> > Thanks for your help.
> >
> > Regards,
> >
> >
> > Edmond
> good luck and take it easy,
> dave
>
>
> ----------------------------------------------------------------------
> -------- Audit your website security with Acunetix Web Vulnerability 
> Scanner:
>
> Hackers are concentrating their efforts on attacking applications on 
> your website. Up to 75% of cyber attacks are launched on shopping 
> carts, forms, login pages, dynamic content etc. Firewalls, SSL and 
> locked-down servers are futile against web application hacking. Check 
> your website for vulnerabilities to SQL injection, Cross site
scripting and other web attacks before hackers do!
> Download Trial at:
>
> http://www.securityfocus.com/sponsor/pen-test_050831
> ----------------------------------------------------------------------
> ---------

------------------------------------------------------------------------
------
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on
your website. Up to 75% of cyber attacks are launched on shopping carts,
forms, login pages, dynamic content etc. Firewalls, SSL and locked-down
servers are futile against web application hacking. Check your website
for vulnerabilities to SQL injection, Cross site scripting and other web
attacks before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
------------------------------------------------------------------------
-------


------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------