WebApp Sec mailing list archives
Re: Web Pen Test Honeypot
From: "Jamie Riden" <jamie.riden () gmail com>
Date: Fri, 11 Jul 2008 14:18:52 +0100
2008/7/8 John Evans <admin () kilnar com>:
Greetings, I am in the middle of evaluating the wide variety of web security pen-test tools that exist. I'm currently pointing each piece of software to a site that I have written. None of the tools are finding issues. My task right now is to find the right tool for the job, and the job is finding web-based security issues. Either the tools are not working, or my site is secure. I'm not willing to put money on which of the two is true. :) What I need is a web application that has known security issues. I would prefer one that was intentionally written to have scanners pointed to it for testing the scanners. Does such a thing exist? I hope so, because I hardly have time right now to write even the simplest web application that has all of the various holes that I need to test for. If someone could point me to a "web honeypot" that I could install in my own environment I would appreciate it.
Try: http://www.foundstone.com/us/resources/proddesc/hacmebank.htm or one of the older versions of awstats, phpBB, or phpNuke that had issues (SQL injection, command injection, php code injection.) Tools may show up some faults, but they won't find them all - but to be sure you should really do a source code audit. cheers, Jamie -- Jamie Riden / jamesr () europe com / jamie () honeynet org uk UK Honeynet Project: http://www.ukhoneynet.org/ ------------------------------------------------------------------------- Sponsored by: Watchfire Methodologies & Tools for Web Application Security Assessment With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today! https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F -------------------------------------------------------------------------
Current thread:
- Web Pen Test Honeypot John Evans (Jul 11)
- Re: Web Pen Test Honeypot Thanasis Kostopoulos (Jul 11)
- Re: Web Pen Test Honeypot Jeff Robertson (Jul 11)
- Re: Web Pen Test Honeypot Thanasis Kostopoulos (Jul 15)
- Re: Web Pen Test Honeypot Jeff Robertson (Jul 11)
- Re: Web Pen Test Honeypot Jamie Riden (Jul 11)
- Re: Web Pen Test Honeypot Mathias Huber (Jul 11)
- RE: Web Pen Test Honeypot Paul Melson (Jul 11)
- Re: Web Pen Test Honeypot James Landis (Jul 11)
- RE: Web Pen Test Honeypot Alex Eden (Jul 15)
- RE: Web Pen Test Honeypot Stevens, Scott (Jul 11)
- RE: Web Pen Test Honeypot Thakrar, Saurabh (Jul 11)
- <Possible follow-ups>
- Re: RE: Web Pen Test Honeypot mike (Jul 17)
- Re: Web Pen Test Honeypot Thanasis Kostopoulos (Jul 11)