WebApp Sec mailing list archives

Re: Web Pen Test Honeypot

From: "James Landis" <jcl24 () cornell edu>
Date: Fri, 11 Jul 2008 08:56:10 -0700

Most security tools are tuned to find issues in commonly-known sites
like Webgoat and the vendor test sites. Hence, that might not be your
best target for evaluation. You could try the OWASP SiteGenerator
project for alternate data.

If you're evaluating run-time testing tools for just one site or a set
of sites that you or your company maintain, you can't do any better
than testing the tools against your own code since that's what you'll
be doing long-term, anyway. If you're concerned that the tools aren't
finding anything and you're getting a lot of false negatives, get the
vendors involved in the configuration + crawl phase or find an expert
in the open-source tool you're evaluating and hire them for some
consulting hours.

-j

On Tue, Jul 8, 2008 at 2:39 PM, John Evans <admin () kilnar com> wrote:

Greetings,

I am in the middle of evaluating the wide variety of web security
pen-test tools that exist. I'm currently pointing each piece of software
to a site that I have written. None of the tools are finding issues.

My task right now is to find the right tool for the job, and the job is
finding web-based security issues. Either the tools are not working, or
my site is secure. I'm not willing to put money on which of the two is
true. :)

What I need is a web application that has known security issues. I would
prefer one that was intentionally written to have scanners pointed to it
for testing the scanners.

Does such a thing exist? I hope so, because I hardly have time right now
to write even the simplest web application that has all of the various
holes that I need to test for.

If someone could point me to a "web honeypot" that I could install in my
own environment I would appreciate it.

Thanks.


--
John Evans
Administrator of kilnar.com

-------------------------------------------------------------------------
Sponsored by: Watchfire Methodologies & Tools for Web Application Security
Assessment With the rapid rise in the number and types of security threats,
web application security assessments should be considered a crucial phase in
the development of any web application. What methodology should be followed?
What tools can accelerate the assessment process? Download this Whitepaper
today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------


-------------------------------------------------------------------------
Sponsored by: Watchfire 
Methodologies & Tools for Web Application Security Assessment 
With the rapid rise in the number and types of security threats, web application security assessments should be 
considered a crucial phase in the development of any web application. What methodology should be followed? What tools 
can accelerate the assessment process? Download this Whitepaper today! 

https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------

Current thread:

Web Pen Test Honeypot John Evans (Jul 11)
- Re: Web Pen Test Honeypot Thanasis Kostopoulos (Jul 11)
  - Re: Web Pen Test Honeypot Jeff Robertson (Jul 11)
    - Re: Web Pen Test Honeypot Thanasis Kostopoulos (Jul 15)
- Re: Web Pen Test Honeypot Jamie Riden (Jul 11)
- Re: Web Pen Test Honeypot Mathias Huber (Jul 11)
- RE: Web Pen Test Honeypot Paul Melson (Jul 11)
- Re: Web Pen Test Honeypot James Landis (Jul 11)
  - RE: Web Pen Test Honeypot Alex Eden (Jul 15)
- RE: Web Pen Test Honeypot Stevens, Scott (Jul 11)
  - RE: Web Pen Test Honeypot Thakrar, Saurabh (Jul 11)
- <Possible follow-ups>
- Re: RE: Web Pen Test Honeypot mike (Jul 17)