Penetration Testing mailing list archives

Re: Web Application Tester


From: Anders Thulin <Anders.Thulin () tietoenator com>
Date: Wed, 15 Sep 2004 09:09:56 +0200

Andrew Bagrin wrote:

Does anyone know of an application tester similar to AppDetective
that's not as hard on the pocketbook?
I need to pentest a web app and am looking for some tools

  Haven't tried AppDetective for Web Applications myself, so I'm
not sure of just what capabilities you're looking for. Nothing
magic I hope. Take a look at:

  * Nikto (http://www.cirt.net/code/nikto.shtml)
    Freeware
    Useful for single-shot exercises, less useful for mass deployment.
    Looks mainly at the server and the server set-up, not the web-site
    itself.

  * Xenu's Link Sleuth (http://home.snafu.de/tilman/xenulink.html)
    Freeware
    Intended for finding broken links, but also helps enumerate all
    reachable pages on a site, given a starting point (and in some
    cases an account/password).

  * wget (http://www.gnu.org/software/wget/wget.html)
    Freeware -- typically part of free Unixes, including Cygwin
    Useful for getting a 'copy' of the web site: search for keywords,
    comments, etc.

  An SSL proxy is sometimes useful, as is some kind of brute-force
login tool (THC-Hydra is well known - http://thc.org/)

  And, in general, the book Scambray & Shema: 'Hacking Exposed:
Web Applications' is one of the best places to start preparing for
this kind of exercise.

--
Anders Thulin   anders.thulin () tietoenator com   040-661 50 63        
TietoEnator Telecom & Media AB, Box 85, SE-201 20 Malmö
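A worked example, added here and not part of Anders Thulin's reply or the original thread: once a site has been mirrored locally with wget, the shell functions below sweep the copy for HTML comments, a small constructed keyword list, and the set of reachable links, which is the "search for keywords, comments, etc." step of the reply and a cheap cross-check against what a crawler such as Xenu reported. The wget invocation in the comment assumes a hypothetical host (target.example) and is not executed; the functions run over a constructed three-page sample tree so the script works offline. GNU grep and sed on Linux are assumed.

```shell
#!/bin/sh
# Added example, not from the original post: sweep a locally mirrored
# copy of a web site (as wget produces) for HTML comments, sensitive
# keywords and reachable links. The wget line below is an assumed
# invocation against a hypothetical host and is shown as a comment only;
# the functions operate on whatever directory you pass them.
#
#   wget --mirror --no-parent --convert-links --adjust-extension \
#        --wait=1 http://target.example/
#
# Assumes GNU grep (-r -H -o -E) and GNU sed (-E).

# Print every single-line HTML comment in the tree as "file:comment".
# Developer comments often leak test accounts, internal hostnames and
# disabled code paths; multi-line comments need a separate pass.
find_html_comments() {
    grep -rHoE '<!--.*-->' "$1" 2>/dev/null
}

# List files that mention any keyword worth a closer look. The pattern
# here is a constructed starting point; extend it per target.
find_keywords() {
    grep -rliE 'passw(or)?d|secret|todo|fixme|debug|admin' "$1" 2>/dev/null
}

# Enumerate distinct href/src targets so the mirror can be compared with
# the crawler's page list (pages behind JavaScript or forms are the usual
# gap, since wget does not follow them).
list_links() {
    grep -rhoiE '(href|src)="[^"]*"' "$1" 2>/dev/null \
        | sed -E 's/^[^"]*"//; s/"$//' \
        | sort -u
}

# Build a constructed sample tree so the script runs offline; the pages
# and their contents are invented for the demonstration.
make_sample_site() {
    d=$(mktemp -d)
    mkdir -p "$d/admin"
    cat > "$d/index.html" <<'EOF'
<html><body>
<!-- TODO: remove test login before go-live -->
<a href="/admin/login.html">Admin</a>
<img src="/img/logo.gif">
<a href="/about.html">About</a>
</body></html>
EOF
    cat > "$d/admin/login.html" <<'EOF'
<html><body>
<!-- default password is changeme -->
<form action="/admin/do_login"><input name="passwd"></form>
</body></html>
EOF
    cat > "$d/about.html" <<'EOF'
<html><body><p>Company history.</p><a href="/index.html">Home</a></body></html>
EOF
    echo "$d"
}

# Run with --demo to see the three sweeps over the sample tree.
if [ "${1:-}" = "--demo" ]; then
    site=$(make_sample_site)
    echo "== comments ==";      find_html_comments "$site"
    echo "== keyword hits ==";  find_keywords "$site"
    echo "== links ==";         list_links "$site"
    rm -rf "$site"
fi
```

Point the functions at the directory wget created (for the invocation above, target.example/) instead of the sample tree; the link list is most useful diffed against the crawler's output, since anything the crawler saw that the mirror lacks is a page you have not yet looked at.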
