Penetration Testing mailing list archives
Re: Pointers to Free Web Vulnerability Scanners for Blackbox testing
From: "Serg B" <sergeslists () gmail com>
Date: Wed, 12 Dec 2007 09:10:19 +1100
Hi Rajiv,

I get a little defensive when people try to pass-off an automatic scan as a valid pen-test conclusion. Since you have clarified yourself I do apologise.

In regards to the original questions:

1. See #3 RE: scope, it's actually important since you want to be testing a webapp, not the server or an underlying infrastructure. It's important to know where to stop and pass the out-of-scope items to another team.

2. Burp and Paros are proxies that you should use. As for an automatic scanner, Paros has a spidering and scanning ability; to be honest though, I have never got a true positive when I use its scanning feature. You should just check manually for the issues described in the OWASP guide; it provides enough details to know how to test them. Automatic tools will not find most of them, including a more serious class of issues such as authorisation and authentication; these are application specific and require human intervention. Also have a look at SQL Ninja (I have never used it), it may be useful for scanning for some obvious SQL injection stuff. As for me: I use the SQL cheat sheet (http://ferruh.mavituna.com/makale/sql-injection-cheatsheet/).

Below are semi-automatic tools that I strongly recommend (in addition to the proxies):

FireFox with the following add-ons:
- Firebug (v1.05 or above)
- Greasemonkey (and XSS Assistant for the add-on)
- Cookie Editor (v0.2.1.2 or above)
- RefControl (v0.8.9 or above)
- Web Developer Toolbar (v1.1.4 or above)
- JSView (1.5 or above)

These are my preferred tools though; somebody else may have their own bag of tricks.

3. OWASP is pretty much all you need. You may also want to take a look at: http://download.microsoft.com/documents/uk/msdn/security/The%20Developer%20Highway%20Code.pdf which is very much like OWASP. Searching the Security Focus and OSVDB websites may also yield some good results.

I am sure other people will have a lot to add as well.

Serg

On Dec 11, 2007 10:09 PM, Rajiv Vishwa <rajivvishwa () gmail com> wrote:
> Hi Serg,
>
> I'm new to the pen test group and also to the company I work at. The project I was talking about is not a commercial one. This is just an 'activity' which is assigned to me by a non-security guy. I was asked all the questions I asked you guys. I've used tools like nessus, nmapFE, metasploit, paros, fortify scanner, nCircle etc. but I was told to get some free tool and get a report which is similar to the report generated by 'Acunetix' or 'WebInspect'.
>
> I think I can explain my questions better:
>
> 1. What are the important things to remember while doing blackbox web app testing?
> I wanted a checklist which I can use to make sure I don't miss out something at the end of the project. Like the pentest framework in "http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html", I needed a framework for webapp testing.
>
> 2. Suggest some best free tools which are available to perform the test?
> I did not mean notepad++ kind of tools, obviously. I meant free tools like the ones in backtrack, but meant for web app testing, in Windows preferably.
>
> 3. Where do I find the recommendation in case the tools report various vulns in the site?
> I meant websites like owasp.org which is a fav for sec experts to check for the details of vulns and mitigation. So instead of searching in google I can search in these websites first.
>
> On Dec 11, 2007 11:08 AM, Serg B <sergeslists () gmail com> wrote:
>> 1. What are the important things to remember while doing blackbox webapp testing?
>> You need to define a scope (perhaps one has been defined for you already) and stay within scope. If there is something interesting slightly outside of it, make a quick note (in case you want to come back to it) and move on.
>>
>> 2. Suggest some best free tools which are available to perform the test?
>> OWASP security guide, Paros proxy, Charles proxy (not free), Burp proxy, Notepad++, a scripting language of your choice. Depends on what you are doing...
>>
>> 3. Where do I find the recommendation in case the tools report various vulns in the site?
>> Google? Or ask the guy who has assigned you to the project.
>>
>> 4. What is the traffic generated on the site due to the test?
>> As much as you generate with those best free tools of yours.
>>
>> From the above questions (and please don't take it the wrong way), perhaps you are not the best person for the task?
>>
>> Serg
>>
>> On 7 Dec 2007 03:22:07 -0000, <rajivvishwa () gmail com> wrote:
>>> Hi Guys,
>>>
>>> I've been assigned to a project in which I'm asked to get a report on vulnerabilities present in a website hosted by my client. I'm new to blackbox testing on web applications. The duration of the project is 1.5 months. Can anyone comment on the following points:
>>>
>>> 1. What are the important things to remember while doing blackbox webapp testing?
>>> 2. Suggest some best free tools which are available to perform the test?
>>> 3. Where do I find the recommendation in case the tools report various vulns in the site?
>>> 4. What is the traffic generated on the site due to the test?
>>>
>>> Any suggestions would be appreciated.
>>>
>>> Regards,
>>> Rajiv, Security Team

------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads
------------------------------------------------------------------------
Current thread:
- Pointers to Free Web Vulnerability Scanners for Blackbox testing rajivvishwa (Dec 10)
- Re: Pointers to Free Web Vulnerability Scanners for Blackbox testing Serg B (Dec 12)
- Re: Pointers to Free Web Vulnerability Scanners for Blackbox testing Serg B (Dec 12)
- Re: Pointers to Free Web Vulnerability Scanners for Blackbox testing Serg B (Dec 12)
- Re: Pointers to Free Web Vulnerability Scanners for Blackbox testing Lee Lawson (Dec 12)
- Re: Pointers to Free Web Vulnerability Scanners for Blackbox testing Thiago Zaninotti (Dec 13)