WebApp Sec mailing list archives

RE: Appsec toolkits


From: "Ramirez, Manuel N (CORP, DDEMESIS)" <Manuel.Ramirez () ddemesis ge com>
Date: Thu, 6 Mar 2003 17:38:50 -0500


Hi everybody,
Does anyone have documents regarding security vulnerabilities related to applications developed in Lotus Domino?
Especially those types of attacks related to input validation, parameter tampering, SQL injection, etc. I mean those
types of errors that are most common when programmers do not follow good security practices.

Best regards,
Manuel



-----Original Message-----
From: PPowenski () oag com [mailto:PPowenski () oag com]
Sent: Thursday, March 06, 2003 12:47 PM
To: shawnmer () io com; Craig_Sullivan () Waitrose co uk
Cc: webappsec () securityfocus com
Subject: RE: Appsec toolkits



http://biatchux.sourceforge.net/

This toolkit does similar things. Can launch from Windows or stand alone
boot from CD and can mount NTFS volumes.
Have not used it extensively but also has everything you need.


-----Original Message-----
From: shawnmer [mailto:shawnmer () io com] 
Sent: 06 March 2003 12:26
To: Craig_Sullivan () Waitrose co uk
Cc: webappsec () securityfocus com
Subject: Re: Appsec toolkits


Hi Craig,

Are you using any particular platform OS for the tools?  One thing that's
caught my fancy recently are Linux "live" CDs; in particular the Knoppix
distribution based on Debian <http://www.knopper.net>.  The CD boots and
runs in RAM and on a compressed loop filesystem.  Lots of apps like X,
OpenOffice, along with security apps like nessus, hping, nmap, etc. are
already on the CD...the kicker is the CD installs on a HD in about 10
minutes.

Toss on a bunch of tools from packetstorm, owasp, etc. and you've got a 
nice portable, yet flexible, distro :)

Thanks,

-scm

:Craig_Sullivan () Waitrose co uk


Well,

I've now started assembling my own toolkit for application assessment.

When I have finished compiling, evaluating and using the tools I 
select, I'll publish the full list.....

What tools do you use for web app sec assessment and can you share your 
toolkit with the list?


Regards,

Craig.


Categories:
Scanners (incl CGI and general scanners)
Scarfers (programs for making offline copies of sites)
Proxy servers (for viewing and tracing HTTP, state management, adjusting parameters)
Sniffers (packet decode applications)
Platform specific (platform specific checks that I'm going to run)
Misc (miscellaneous tools).







