WebApp Sec mailing list archives
Re: Web Pen Test Honeypot
From: "James Landis" <jcl24 () cornell edu>
Date: Fri, 11 Jul 2008 08:56:10 -0700
Most security tools are tuned to find issues in commonly-known sites like WebGoat and the vendor test sites. Hence, that might not be your best target for evaluation. You could try the OWASP SiteGenerator project for alternate data.

If you're evaluating run-time testing tools for just one site or a set of sites that you or your company maintain, you can't do any better than testing the tools against your own code since that's what you'll be doing long-term, anyway.

If you're concerned that the tools aren't finding anything and you're getting a lot of false negatives, get the vendors involved in the configuration + crawl phase or find an expert in the open-source tool you're evaluating and hire them for some consulting hours.

-j

On Tue, Jul 8, 2008 at 2:39 PM, John Evans <admin () kilnar com> wrote:
> Greetings,
>
> I am in the middle of evaluating the wide variety of web security pen-test tools that exist. I'm currently pointing each piece of software to a site that I have written. None of the tools are finding issues. My task right now is to find the right tool for the job, and the job is finding web-based security issues. Either the tools are not working, or my site is secure. I'm not willing to put money on which of the two is true. :)
>
> What I need is a web application that has known security issues. I would prefer one that was intentionally written to have scanners pointed to it for testing the scanners. Does such a thing exist? I hope so, because I hardly have time right now to write even the simplest web application that has all of the various holes that I need to test for.
>
> If someone could point me to a "web honeypot" that I could install in my own environment I would appreciate it.
>
> Thanks.
>
> --
> John Evans
> Administrator of kilnar.com
>
> -------------------------------------------------------------------------
> Sponsored by: Watchfire
> Methodologies & Tools for Web Application Security Assessment
> With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today!
> https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
> -------------------------------------------------------------------------