Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Application & Iplanet/Apache web server vulnerability and pen etration testing

From: "Cox, Michael" <mscox () ti com>
Date: Tue, 17 Sep 2002 08:33:58 -0500
2) The NIST has a doc here http://csrc.nist.gov/publications/drafts.html
called "Special Publication 800-44, Guidelines on Securing Public Web
Servers." The NSA has guides on iPlanet and Apache here
http://nsa1.www.conxion.com/support/download.htm.

3) There's a guide due out in October from these good people
http://www.owasp.org/. There are a couple of recent books that look good,
but I've just received them so I can't comment in detail - _Hacking Web
Applications Exposed_ and _Web Hacking: Attacks and Defense_.

Regards,
Michael



-----Original Message-----
From: Steven Walker [mailto:swalker7799 () yahoo com]
Sent: Monday, September 16, 2002 12:05 PM
To: Pen-Test Security Focus
Subject: Application & Iplanet/Apache web server vulnerability and
penetration testing
Importance: High


Dear Group,

I have been given a project to perform web application 
vulnerability testing
on iPlanet and Apache web servers.  The servers run on 
NT/2000, Solaris
2.7-8, (iPlanet) and Linux, Solaris (Apache).

In house tools are Wisker, WHArenal, NMAP, NESSUS.  I have 
only used NMAP
and NESSUS so far for firewall and internal network testing.

I am at a loss at where to start the process and am trying to 
determine if
additional tools are needed.

1. I would obviously harden the web server OS's by closing unnecessary
ports, ensuring proper patch levels, getting rid of rhost and 
equiv files,
enforcing password policies, limiting accounts, use ssh for 
administration,
etc.

2. I don't know what to do on the web servers other than 
delete example
scripts and ensure default passwords are changed to stronger 
ones.  Are
there any links that you know of that would provide a 
checklist of iPlanet
and Apache vulnerability checks.  Are there any recommended 
tools that can
automate this process?  Any suggestions on iPlanet and Apache 
security?

3. Regarding web applications, I will be expected to test applications
before they go into production.  I know to test for buffer 
overflows buy
inputting non expected characters into fields.  Beyond that 
what advice
could you give or methodology could you direct me too.  Jobs 
are tough to
find out there, I could use your help in keeping this one.  
Thanks for all
of you who will help me.

Sincerely

Steven M. Walker  CISSP, GSEC, ABCP
Security Specialist
44 W. Douglas Dr.
Saint Peters, MO 63376
Office:  636.279.2206
Home: 636.278.8004




--------------------------------------------------------------
--------------
This list is provided by the SecurityFocus Security 
Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security 
vulnerabilities please see:
https://alerts.securityfocus.com/



----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
Previous By Date Next
Previous By Thread Next

Current thread: