Penetration Testing mailing list archives
RE: Looking for help against Chinese Hacking Team
From: "Alex Eden" <Alex.Eden () senet-int com>
Date: Tue, 16 Dec 2008 11:22:43 -0500
Yes, consider porting, we won't debate linux vs win here, but linux is securer and easier to adapt, you know.
It's a web application... So, it would not really matter what it runs on. We all have seen web applications hosted on linux that have XSS, SQL Injection, and all the rest? I personally prefer UNIX (OpenBSD and Solaris) over any type of Windows, but in case of a web application you are barking at a wrong tree.

Going through the web server logs would also be of little benefit. Do you have a middleware server? Where is the business logic of this application implemented?

Start off with these two:

1. Enable debugging/tracing of queries (or whatever your database supports) in your database and monitor them.
2. Identify scripts or executables in your application that have forms or user input fields (search field, login field, etc). Then identify ones that are the most likely culprits. Then modify their source code by adding debugging/tracing of the variables that are most likely to be overloaded. Monitor.

Web application assessment in the United States takes anywhere from 80 hours to 5000 hours depending on its size and complexity. Multiply it by $120 per hour (it is not an average rate since high-end rates go up to $600 an hour).

If using WebInspect or AppScan, keep in mind that a fully automated scan may yield no meaningful results - you need to do a manual step-thru scan and audit to get at least some good results.
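One way to carry out the query tracing from step 1 above, as an added example that is not part of the original message. Python and SQLite are assumptions (the thread does not name the application's stack); `search`, `QueryMonitor`, the `products` table and all inputs are hypothetical and constructed for illustration.

```python
import re
import sqlite3

def fingerprint(sql):
    """Reduce a statement to its structure by replacing literal values."""
    sql = re.sub(r"'(?:[^']|'')*'", "?", sql)  # quoted string literals
    sql = re.sub(r"\b\d+\b", "?", sql)         # numeric literals
    return re.sub(r"\s+", " ", sql).strip().lower()

class QueryMonitor:
    """Traces every statement the database runs and flags unseen structures."""
    def __init__(self, conn):
        self.baseline, self.alerts, self.learning = set(), [], True
        conn.set_trace_callback(self._on_statement)

    def _on_statement(self, sql):
        shape = fingerprint(sql)
        if self.learning:
            self.baseline.add(shape)       # known-good traffic
        elif shape not in self.baseline:
            self.alerts.append(sql)        # structure never seen in baseline

def search(conn, term):
    # Hypothetical search handler that concatenates user input into SQL.
    sql = "SELECT name FROM products WHERE name LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?)", [("widget",), ("gadget",)])
    conn.commit()
    mon = QueryMonitor(conn)
    for term in ("wid", "gadget", "42"):   # constructed normal traffic
        search(conn, term)
    mon.learning = False
    search(conn, "widget")                 # same structure: no alert
    search(conn, "x' OR '1'='1")           # constructed input that changes structure
    return mon.alerts

if __name__ == "__main__":
    for stmt in demo():
        print("unexpected query structure:", stmt)
```

A flagged statement points back to the form field that produced it, which is the script to instrument next under step 2.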