Penetration Testing mailing list archives
Web site testing
From: "Jerry Shenk" <jshenk () decommunications com>
Date: Thu, 22 Apr 2004 16:09:08 -0400
I've got a web site that I'm pretty sure has some holes and I've reported the problems I've seen but the developer doesn't seem to be getting things fixed...seems that they need a little more evidence to prove that there's a problem and I'm supposed to find that.

It's a financial web site that uses session IDs that are a mix of the user id and the seconds since midnight to the thousandth of a second (i.e. very predictable). The server (IIS5) will also readily give up the current time. A predictable session ID is a bad thing but I'm not sure quite how to prove that.

The server is also installed on the C: drive. If I mess up some of the form data correctly, and submit the page, it will respond with a directory where the file doesn't exist. This new SSL vulnerability will probably give a chance to prove that installing a web server on the C: drive is a bad idea 'cuz something will eventually come up.

What are some good web server auditing tools?
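An added example, not part of the original post: a Python sketch that puts a number on how little secret material a "user id + milliseconds since midnight" session ID carries, next to a token drawn from the OS CSPRNG, plus a regression check a developer could run against issued IDs. The exact ID layout, the function names and the sample user id and time are assumptions; the post only says the ID mixes the user id with the time since midnight in thousandths of a second.

```python
import math
import secrets
from datetime import datetime, timedelta

MS_PER_DAY = 24 * 60 * 60 * 1000  # every value the time component can take


def ms_since_midnight(t: datetime) -> int:
    midnight = t.replace(hour=0, minute=0, second=0, microsecond=0)
    return (t - midnight) // timedelta(milliseconds=1)


def weak_session_id(user_id: str, issued_at: datetime) -> str:
    # Assumed layout: user id followed by zero-padded milliseconds since midnight.
    return f"{user_id}{ms_since_midnight(issued_at):08d}"


def weak_id_bits(clock_window_ms: int = MS_PER_DAY) -> float:
    # Unknown bits once the user id is known and the issue time is known to within
    # +/- clock_window_ms (capped at one day, the whole range of the field).
    return math.log2(min(2 * clock_window_ms + 1, MS_PER_DAY))


def strong_session_id() -> str:
    # 16 bytes = 128 bits from the OS CSPRNG, unrelated to user or clock.
    return secrets.token_urlsafe(16)


def is_time_derived(session_id: str, user_id: str, issued_at: datetime,
                    tolerance_ms: int = 2000) -> bool:
    # Regression check for a test suite: flag IDs that are just user id + issue time.
    tail = session_id[len(user_id):]
    if not session_id.startswith(user_id) or not tail.isdigit():
        return False
    return abs(int(tail) - ms_since_midnight(issued_at)) <= tolerance_ms


if __name__ == "__main__":
    t = datetime(2004, 4, 22, 16, 9, 8, 250000)  # constructed sample time
    sid = weak_session_id("jdoe", t)             # constructed sample user id
    print(sid, is_time_derived(sid, "jdoe", t))
    print(f"time field, no clock knowledge: {weak_id_bits():.1f} bits")
    print(f"clock known to +/- 1 s: {weak_id_bits(1000):.1f} bits")
    print(f"CSPRNG token: 128 bits, e.g. {strong_session_id()}")
```

Even with no knowledge of the server clock the time field holds under 27 bits, and with the clock known to within a second it holds about 11, against 128 for the random token.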