WebApp Sec mailing list archives
RE: Appsec toolkits
From: "Ramirez, Manuel N (CORP, DDEMESIS)" <Manuel.Ramirez () ddemesis ge com>
Date: Thu, 6 Mar 2003 17:38:50 -0500
Hi everybody,

Does anyone have documents regarding security vulnerabilities related to applications developed in Lotus Domino? Especially those types of attacks related to input validation, parameter tampering, SQL injection, etc. I mean those types of errors that are most common when programmers do not follow good security practices.

Best regards,
Manuel

-----Original Message-----
From: PPowenski () oag com [mailto:PPowenski () oag com]
Sent: Thursday, March 06, 2003 12:47 PM
To: shawnmer () io com; Craig_Sullivan () Waitrose co uk
Cc: webappsec () securityfocus com
Subject: RE: Appsec toolkits

http://biatchux.sourceforge.net/

This toolkit does similar things. Can launch from Windows or stand-alone boot from CD and can mount NTFS volumes. Have not used it extensively but also has everything you need.

-----Original Message-----
From: shawnmer [mailto:shawnmer () io com]
Sent: 06 March 2003 12:26
To: Craig_Sullivan () Waitrose co uk
Cc: webappsec () securityfocus com
Subject: Re: Appsec toolkits

Hi Craig,

Are you using any particular platform OS for the tools? One thing that's caught my fancy recently is Linux "live" CDs; in particular the Knoppix distribution based on Debian <http://www.knopper.net>. The CD boots and runs in RAM and on a compressed loop filesystem. Lots of apps like X, OpenOffice, along with security apps like nessus, hping, nmap, etc. are already on the CD... the kicker is the CD installs on a HD in about 10 minutes. Toss on a bunch of tools from packetstorm, owasp, etc. and you've got a nice portable, yet flexible, distro :)

Thanks,
-scm

:Craig_Sullivan () Waitrose co uk
Well, I've now started assembling my own toolkit for application assessment. When I have finished compiling, evaluating and using the tools I select, I'll publish the full list.....

What tools do you use for web app sec assessment and can you share your toolkit with the list?

Regards,
Craig.

Categories:
- Scanners (incl. CGI and general scanners)
- Scarfers (programs for making offline copies of sites)
- Proxy servers (for viewing and tracing HTTP, state management, adjusting parameters)
- Sniffers (packet decode applications)
- Platform specific (platform-specific checks that I'm going to run)
- Misc (miscellaneous tools).

*********************************************************************
Notice: This email is confidential and may contain copyright material of the John Lewis Partnership. If you are not the intended recipient, please notify us immediately and delete all copies of this message. (Please note that it is your responsibility to scan this message for viruses).
*********************************************************************
John Lewis plc
Registered in England 233462
Registered office 171 Victoria Street London SW1E 5NN
Websites: http://www.johnlewis.com and http://www.waitrose.com
Current thread:
- Appsec toolkits Craig_Sullivan (Mar 05)
- Re: Appsec toolkits shawnmer (Mar 06)
- <Possible follow-ups>
- RE: Appsec toolkits PPowenski (Mar 06)
- RE: Appsec toolkits Ramirez, Manuel N (CORP, DDEMESIS) (Mar 06)