Web site testing

["Jerry Shenk" <jshenk () decommunications com>]

I've got a web site that I'm pretty sure has some holes and I've
reported the problems I've seen  but the developer doesn't seem to be
getting things fixed...seems that they need a little more evidence to
prove that there's a problem and I'm supposed to find that.  

It's a financial web site that uses session IDs that are a mix of the
user id and the seconds since midnight to the thousandth of a second
(ie. Very predictable).  The server (IIS5) will also readily give up the
current time.  A predictable session ID is a bad thing but I'm not sure
quite how to prove that.

The server is also installed on the C: drive.  If I mess up some of the
form data correctly, and submit the page, it will respond with a
directory where the file doesn't exist.  This new SSL vulnerability will
probably give a chance to prove that installing a web server on the C:
drive is a bad idea 'cuz something will eventually come up.

What are some good web server auditing tools.


------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------