Penetration Testing mailing list archives
Re: Database for scan results
From: thomas springer <tuevsec () gmx net>
Date: Wed, 03 May 2006 09:15:23 +0200
I do quite a lot of pentests on a regular basis, using a far broader toolset than only Nessus or MBSA. I'm focused on webapps, which means there is quite a lot of "handwork" to do that can't be done via standard solutions like Nessus.

I hacked together a database and a quick'n'dirty PHP app (which would miserably fail my own pentests) for managing my cases (and boilerplates) and creating reports. The DB consists of:

- N cases
  - each case contains N servers
    - each server contains N check-families (to me: DNS-Config, Mail, IP-Checks, Webapp-Checks, Network-Checks)
      - each check-family contains N checks (Title, Description, References (OSSTM, Wikipedia etc.), Freetext, Rating (5, from "INFO" to "SEVERE"), Screenshot-id, Default-Text (a set of automagically insertable boilerplates), Automatic-Check (using www.serversniff.net's API functions to import data from ipLookup, Traceroute, Whois, etc. automatically))

A simple web interface allows you to fill every check with any text you like and any screenshot you take, and will support a few checks being filled in automagically using the API from serversniff.net. I hacked an export function for creating pseudo-XML that can be imported into a WinWord template using a simple VBA macro.

I was thinking about offering this stuff as a simple service at serversniff.net - but this would require a bit of quality assurance (plus translation and user management) first. I think most "real" pentesters won't be allowed to store their cases in a third-party database anyway.

I'd love to see anything like this as open source - but I wasn't able to find any configurable solution like this. I'd be really interested in how others deal with handling and storing their results.

tom

xelerated wrote:
I'm trying to figure out a way to keep track of all scans via a DB; personally I don't care if it's MySQL, MSSQL, MS Access, whatever.
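The case -> server -> check-family -> check hierarchy tom describes, modelled in SQLite from Python as an added example (this is not tom's PHP app nor anything from serversniff.net). Table and column names, the three middle rating names between INFO and SEVERE, and the sample findings are assumptions made for the example.

```python
import sqlite3
RATINGS = ("INFO", "LOW", "MEDIUM", "HIGH", "SEVERE")  # post: five levels INFO..SEVERE; middle names assumed
# Case -> server -> check-family -> check, the hierarchy the post describes.
SCHEMA = """
CREATE TABLE cases (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE servers (id INTEGER PRIMARY KEY, host TEXT NOT NULL, case_id INTEGER NOT NULL REFERENCES cases(id));
CREATE TABLE check_families (id INTEGER PRIMARY KEY, name TEXT NOT NULL, server_id INTEGER NOT NULL REFERENCES servers(id));
CREATE TABLE checks (id INTEGER PRIMARY KEY, family_id INTEGER NOT NULL REFERENCES check_families(id),
    title TEXT NOT NULL, description TEXT, refs TEXT, freetext TEXT, screenshot_id INTEGER,
    rating TEXT NOT NULL CHECK (rating IN ('INFO','LOW','MEDIUM','HIGH','SEVERE')));
"""

def open_db():
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")  # enforce the REFERENCES above
    con.executescript(SCHEMA)
    return con

def _get_or_create(con, table, **key):
    """Return the id of the row matching key, inserting it if absent (names are constants, not user input)."""
    where = " AND ".join(f"{c} = ?" for c in key)
    vals = list(key.values())
    row = con.execute(f"SELECT id FROM {table} WHERE {where}", vals).fetchone()
    sql = f"INSERT INTO {table} ({','.join(key)}) VALUES ({','.join('?' * len(key))})"
    return row[0] if row else con.execute(sql, vals).lastrowid

def add_check(con, case, host, family, title, rating, description=None, refs=None):
    """Record one finding, creating the case, server and family rows on demand."""
    if rating not in RATINGS:
        raise ValueError(f"unknown rating {rating!r}")
    case_id = _get_or_create(con, "cases", name=case)
    server_id = _get_or_create(con, "servers", host=host, case_id=case_id)
    family_id = _get_or_create(con, "check_families", name=family, server_id=server_id)
    con.execute("INSERT INTO checks (family_id, title, rating, description, refs) VALUES (?,?,?,?,?)",
                (family_id, title, rating, description, refs))

def report(con, case):
    """(host, rating, count) rows for one case, grouped per server with the worst rating first."""
    rows = con.execute(
        "SELECT s.host, c.rating, COUNT(*) FROM checks c JOIN check_families f ON f.id = c.family_id "
        "JOIN servers s ON s.id = f.server_id JOIN cases k ON k.id = s.case_id "
        "WHERE k.name = ? GROUP BY s.host, c.rating", (case,)).fetchall()
    return sorted(rows, key=lambda r: (r[0], -RATINGS.index(r[1])))

def sample_db():  # constructed sample case; hostnames and findings are made up
    con = open_db()
    add_check(con, "case-001", "www.example.test", "Webapp-Checks", "Session cookie lacks Secure flag", "MEDIUM", refs="OWASP")
    add_check(con, "case-001", "www.example.test", "Webapp-Checks", "Server banner reveals version", "INFO")
    add_check(con, "case-001", "mail.example.test", "Mail", "SPF record present", "INFO")
    return con
```

The report() rows are the per-server summary a WinWord template would open with; the pseudo-XML export tom mentions would be a walk over the same four tables.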