Penetration Testing mailing list archives
RE: Web site testing
From: "Jerry Shenk" <jshenk () decommunications com>
Date: Fri, 23 Apr 2004 12:39:57 -0400
Nikto's helpful, I know there are problems... but none of them are 'standard' problems that I have a 'ready exploit' for... like a double-unicode or something like that. Like this deal of 'screwing up the button press' and getting an error with the full path... I stumbled across that 'cuz Opera sent the page on hitting ENTER but no other browser does. They only send the page when the "GO button" is pressed. I can however duplicate the issue in any browser if I modify the outgoing request (after clicking on the GO button) to change "Go" to anything else.

-----Original Message-----
From: OBrien, Brennan [mailto:BOBrien () columbia com]
Sent: Friday, April 23, 2004 12:32 PM
To: Jerry Shenk
Subject: RE: Web site testing

Nikto. It rocks.

-----Original Message-----
From: Jerry Shenk [mailto:jshenk () decommunications com]
Sent: Thursday, April 22, 2004 1:09 PM
To: pen-test () securityfocus com
Subject: Web site testing

I've got a web site that I'm pretty sure has some holes and I've reported the problems I've seen but the developer doesn't seem to be getting things fixed... seems that they need a little more evidence to prove that there's a problem and I'm supposed to find that.

It's a financial web site that uses session IDs that are a mix of the user id and the seconds since midnight to the thousandth of a second (i.e. very predictable). The server (IIS5) will also readily give up the current time. A predictable session ID is a bad thing but I'm not sure quite how to prove that.

The server is also installed on the C: drive. If I mess up some of the form data correctly, and submit the page, it will respond with a directory where the file doesn't exist. This new SSL vulnerability will probably give a chance to prove that installing a web server on the C: drive is a bad idea 'cuz something will eventually come up.

What are some good web server auditing tools?
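
The session ID scheme described in the thread, as an added example that is not part of the original messages: an audit check over IDs issued to the tester's own account, beside a CSPRNG-based replacement. The ID layout (user id followed by zero-padded milliseconds since midnight), the user id `jdoe`, the sample values and all function names are assumptions made for illustration.

```python
import math
import secrets
from datetime import datetime

DAY_MS = 24 * 60 * 60 * 1000

def ms_since_midnight(ts: datetime) -> int:
    """Time of day in milliseconds, the value the scheme in the post is built on."""
    return ((ts.hour * 60 + ts.minute) * 60 + ts.second) * 1000 + ts.microsecond // 1000

def weak_session_id(user_id: str, ts: datetime) -> str:
    # ASSUMED layout: user id followed by zero-padded ms since midnight.
    return f"{user_id}{ms_since_midnight(ts):08d}"

def strong_session_id() -> str:
    # Hardened form: 128 bits from the OS CSPRNG, unrelated to user or clock.
    return secrets.token_urlsafe(16)

def is_time_derived(samples, user_id: str, tolerance_ms: int = 2000) -> bool:
    """True if every (issued_at, session_id) sample from our own test account
    is the user id plus a number within tolerance_ms of the issue time of day."""
    for issued_at, sid in samples:
        tail = sid[len(user_id):]
        if not sid.startswith(user_id) or not tail.isdigit():
            return False
        diff = abs(int(tail) - ms_since_midnight(issued_at)) % DAY_MS
        if min(diff, DAY_MS - diff) > tolerance_ms:  # handle wrap at midnight
            return False
    return bool(samples)

def residual_bits(window_seconds: float) -> float:
    """Uncertainty left in the ID once the user id is known and the issue
    time is known to within window_seconds (1 ms resolution)."""
    return math.log2(window_seconds * 1000)

# Constructed samples: issue times as recorded by the tester, IDs as returned.
T1 = datetime(2004, 4, 23, 12, 39, 57, 123000)
T2 = datetime(2004, 4, 23, 23, 59, 59, 900000)
WEAK_SAMPLES = [(T1, weak_session_id("jdoe", T1)),
                (T2, "jdoe00000350")]  # issued 450 ms later, after midnight

if __name__ == "__main__":
    print(is_time_derived(WEAK_SAMPLES, "jdoe"))
    print(round(residual_bits(60), 1), "bits vs 128 for", strong_session_id())
```

A positive result from `is_time_derived` together with the `residual_bits` figure is the kind of evidence a developer can verify independently: with a one-minute window the ID carries under 16 bits of uncertainty.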