Steps taken During a Web App Pentest

[paul at pauldotcom.com (Paul Asadoorian)]

Since you mentioned Nessus.... :)

There are several settings that can help Nessus provide better results
with respects to scanning web servers and applications.  See my OWASP
presentation for more [1].

Also, we just released (like yesterday afternoon) some new functionality
into Nessus with respects to web app scanning.  So, let me know if you
notice anything (false positives) or other strangeness.  I will be
following up with a blog post that will summarize some of the
improvements, but specifically check out to the new advanced option
"HTTP Audit Settings".

Cheers,
Paul

[1]
http://tenablesecurity.com/whitepapers/OWASP-05-2009-NessusWebAppTesting.pdf

infolookup at gmail.com wrote:
> @ Irongeek its "password" :), Paul thanks for your input. Going to
> looking over Owasp v3 testing guide to get a feel of some of the
> things mentioned. If I can convince my boss to purchase a pro feed of
> Nessus I will have follow up questions!
>
>
> Sent from my Verizon Wireless BlackBerry
>
> -----Original Message----- From: Adrian Crenshaw
> <irongeek at irongeek.com>
>
> Date: Mon, 8 Jun 2009 11:57:05 To: PaulDotCom Security Weekly Mailing
> List<pauldotcom at mail.pauldotcom.com> Subject: Re: [Pauldotcom] Steps
> taken During a Web App Pentest
>
>
> _______________________________________________ Pauldotcom mailing
> list Pauldotcom at mail.pauldotcom.com 
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main
> Web Site: http://pauldotcom.com
>
> _______________________________________________ Pauldotcom mailing
> list Pauldotcom at mail.pauldotcom.com 
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main
> Web Site: http://pauldotcom.com

-- 
Paul Asadoorian
PaulDotCom Enterprises
Web: http://pauldotcom.com
Phone: 401.829.9552