Re: nessus exceptions

["Andres Riancho" <andresit () fibertel com ar>]

Chris ,
    It depends on the type of scan your company pays for but if you want and
are carefull with what you do  , you could put one or two un-checked inputs
on your webpage in order to get some kind of XSS/SQL Injection. This kind of
tests arent checked (by default with default plugins) by nessus.
    If you are looking for something more like a buffer overflow , i suggest
you dont put any service online with this kind of flaw , because your
testing company could not find them with nessus or the scanner they use but
a skilled cracker/hacker/whatever could. Maybe you could put some daemon
from the honeypot project  [www.honeypots.net] to listen on some host that
is scanned but aint really important. But once again... production servers
are not a good place to test this.


Andres Riancho



----- Original Message ----- 
From: "Chris Griffin" <cgriffin () dcmindiana com>
To: <pen-test () securityfocus com>
Sent: Monday, August 02, 2004 3:58 PM
Subject: nessus exceptions


> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi list,
> Im trying to find some good holes, that aren't major security issues,
> that i can create on a machine to see if our testing company really
> uses anything other than nessus.
>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
>
> iD8DBQFBDo7EeFLbG0PZdVwRAmaSAJ9gHU7w6vbI9DGKWa7xmUQ31qKSBQCgpcpq
> cC69CeYr16OsfuYu6u1oe8U=
> =bGZi
> -----END PGP SIGNATURE-----