Re: Application & Iplanet/Apache web server vulnerability and penetration testing

From: Caleb Sima (csimaat_private)
Date: Tue Sep 17 2002 - 10:42:52 PDT


    Steven,
    
    A couple of basic things on a black perspective that you should look for
    are below. You can also download webinspect from www.spidynamics.com
    and have it check for all of these things for you.
    
    1 - requests for different directories on the webserver such as
    	/admin/
    	/adm/
    	/test/
    	/logs/ etc..
        also match these requests with the type of business the app is
    running , for instance if it's a bank and the name is 'freebank' then
    look for directories such as /freebank/,/banking/,/finance/ etc. this
    might get you access to directory listings that could show valuable
    files
    
    2 - check for common files in each of the directories , look for core
    files or ws_ftp.log,test.html files, these can give great info on the
    system 
    
    3 - look for any pages with user input on the site and check for
    directory traversal attacks such as /../etc/passwd, or command execution
    |/bin/ls etc.. feed the website with odd input like *,!,` etc, look for
    any detailed error msgs that might lead you further
    
    4 - Crawl the site and search the text for any comments '<!--' see if
    any valuable info is located in them, also look for hidden tags
    'type=hidden' to see if file locations or prices are stored there
    
    5 - Identify the way cookies are setup, if they have cookies are their
    id numbers sequential or easily munged with base64 or XOR, if they are
    then try to identify a protected page and send requests with other id
    numbers to see if access is given
    
    6 - Check for old/backup files that might have been created, if there is
    a login.php page look for login.php.bak,login.old etc.. these can return
    source code
    
    7 - In all input fields check for sql injection, input single quotes
    into the fields and look for database errors
    
    8 - Check for all the known issues, do a search on neohapsis for
    netscape or apache, 
    	netscape : host.com/?wp-ver-info
    		   host.com/?properties
    		   host.com/admin-serv/config/adm.conf
    		   host.com/search?
    		   etc..
    	Apache:
    		   check for openssl overflow issue
    		   chunked encoding
    		   host.com/server-info
    		   host.com/server-status
    		   etc..
    
    
    On Mon, 2002-09-16 at 13:05, Steven Walker wrote:
    > Dear Group,
    > 
    > I have been given a project to perform web application vulnerability testing
    > on iPlanet and Apache web servers.  The servers run on NT/2000, Solaris
    > 2.7-8, (iPlanet) and Linux, Solaris (Apache).
    > 
    > In house tools are Whisker, WHArsenal, NMAP, NESSUS.  I have only used NMAP
    > and NESSUS so far for firewall and internal network testing.
    > 
    > I am at a loss at where to start the process and am trying to determine if
    > additional tools are needed.
    > 
    > 1. I would obviously harden the web server OS's by closing unnecessary
    > ports, ensuring proper patch levels, getting rid of rhost and equiv files,
    > enforcing password policies, limiting accounts, use ssh for administration,
    > etc.
    > 
    > 2. I don't know what to do on the web servers other than delete example
    > scripts and ensure default passwords are changed to stronger ones.  Are
    > there any links that you know of that would provide a checklist of iPlanet
    > and Apache vulnerability checks.  Are there any recommended tools that can
    > automate this process?  Any suggestions on iPlanet and Apache security?
    > 
    > 3. Regarding web applications, I will be expected to test applications
    > before they go into production.  I know to test for buffer overflows by
    > inputting non expected characters into fields.  Beyond that what advice
    > could you give or methodology could you direct me to.  Jobs are tough to
    > find out there, I could use your help in keeping this one.  Thanks for all
    > of you who will help me.
    > 
    > Sincerely
    > 
    > Steven M. Walker  CISSP, GSEC, ABCP
    > Security Specialist
    > 44 W. Douglas Dr.
    > Saint Peters, MO 63376
    > Office:  636.279.2206
    > Home: 636.278.8004
    > 
    > 
    > 
    > 
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    > Service. For more information on SecurityFocus' SIA service which
    > automatically alerts you to the latest security vulnerabilities please see:
    > https://alerts.securityfocus.com/
    > 
    
    
    
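Added example, not part of the original message or of any tool it names: a small access-log check a server owner can run to see which clients are working through the checklist in the reply above, and which of those requests the server actually answered with 200. The rule names, the three-category threshold and the sample log lines are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Probe categories taken from the checklist in the message (items 1-3, 6-8).
RULES = {
    "dir_guess":   re.compile(r"^/(admin|adm|test|logs)/?$", re.I),
    "stray_file":  re.compile(r"/(core|ws_ftp\.log|test\.html)(?=\?|$)", re.I),
    "traversal":   re.compile(r"\.\.[/\\]"),
    "cmd_exec":    re.compile(r"\|\s*/bin/"),
    "backup_file": re.compile(r"\.(bak|old)(?=\?|$)", re.I),
    "sql_quote":   re.compile(r"\?.*'"),
    "server_info": re.compile(r"^/(\?wp-ver-info|\?properties|server-info"
                              r"|server-status|admin-serv/config/adm\.conf)", re.I),
}
# Common Log Format: client, two ignored fields, [time], "METHOD target ...", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3})')

def classify(target):
    """Return the checklist categories a request target falls into."""
    decoded = unquote(target)  # so %2e%2e%2f and %27 are matched too
    return sorted(name for name, rx in RULES.items() if rx.search(decoded))

def scan(lines, min_categories=3):
    """Flag clients probing several categories; list probes answered with 200."""
    seen, exposed = defaultdict(set), []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parsable access-log line
        client, target, status = m.groups()
        hits = classify(target)
        seen[client].update(hits)
        if hits and status == "200":
            exposed.append(unquote(target))  # content to remove or restrict
    flagged = {c: sorted(h) for c, h in seen.items() if len(h) >= min_categories}
    return flagged, exposed

# Constructed sample log (documentation-range addresses), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Sep/2002:10:00:01 -0700] "GET /index.html HTTP/1.0" 200 5120',
    '198.51.100.7 - - [17/Sep/2002:10:00:02 -0700] "GET /admin/ HTTP/1.0" 404 210',
    '198.51.100.7 - - [17/Sep/2002:10:00:03 -0700] "GET /login.php.bak HTTP/1.0" 200 1830',
    '198.51.100.7 - - [17/Sep/2002:10:00:04 -0700] "GET /show.cgi?file=..%2f..%2fetc/passwd HTTP/1.0" 403 199',
    '198.51.100.7 - - [17/Sep/2002:10:00:05 -0700] "GET /server-status HTTP/1.0" 200 4096',
    '192.0.2.10 - - [17/Sep/2002:10:00:06 -0700] "GET /test/ HTTP/1.0" 404 210',
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

The second return value is the more useful one for hardening: every entry is a backup file, status page or similar resource that was served and should be removed or access-restricted.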
    



    This archive was generated by hypermail 2b30 : Wed Sep 18 2002 - 12:13:53 PDT