Moderator: I know recommendations for commercial tools are generally rejected, but this is what the person is asking for and would be relevent to any security professionals interested in this poster's questions. WebInspect is designed specifically for this kind of situation. It has checks for over 3,000 checks (no marketting BS), including ones for all remotely detectable vulnerabilities in popular software, such as Apache and iPlanet (which is built on top of Netscape) and a comprehensive unknown application testing methodology. This includes everything from checking for backup files to parameter manipulation attacks to common ACL bypass and source disclosure methods, just to name a few. It also has very sophisticated tools for use in manual attacks, such as a great request editor, policy editor, etc. There's a free download available: http://www.spidynamics.com/download.html Kevin Spett SPI Labs, Inc. http://www.spidynamics.com/ ----- Original Message ----- From: "Steven Walker" <swalker7799at_private> To: "Pen-Test Security Focus" <pen-testat_private> Sent: Monday, September 16, 2002 1:05 PM Subject: Application & Iplanet/Apache web server vulnerability and penetration testing > Dear Group, > > I have been given a project to perform web application vulnerability testing > on iPlanet and Apache web servers. The servers run on NT/2000, Solaris > 2.7-8, (iPlanet) and Linux, Solaris (Apache). > > In house tools are Wisker, WHArenal, NMAP, NESSUS. I have only used NMAP > and NESSUS so far for firewall and internal network testing. > > I am at a loss at where to start the process and am trying to determine if > additional tools are needed. > > 1. I would obviously harden the web server OS's by closing unnecessary > ports, ensuring proper patch levels, getting rid of rhost and equiv files, > enforcing password policies, limiting accounts, use ssh for administration, > etc. > > 2. I don't know what to do on the web servers other than delete example > scripts and ensure default passwords are changed to stronger ones. Are > there any links that you know of that would provide a checklist of iPlanet > and Apache vulnerability checks. Are there any recommended tools that can > automate this process? Any suggestions on iPlanet and Apache security? > > 3. Regarding web applications, I will be expected to test applications > before they go into production. I know to test for buffer overflows buy > inputting non expected characters into fields. Beyond that what advice > could you give or methodology could you direct me too. Jobs are tough to > find out there, I could use your help in keeping this one. Thanks for all > of you who will help me. > > Sincerely > > Steven M. Walker CISSP, GSEC, ABCP > Security Specialist > 44 W. Douglas Dr. > Saint Peters, MO 63376 > Office: 636.279.2206 > Home: 636.278.8004 > > > > > -------------------------------------------------------------------------- -- > This list is provided by the SecurityFocus Security Intelligence Alert (SIA) > Service. For more information on SecurityFocus' SIA service which > automatically alerts you to the latest security vulnerabilities please see: > https://alerts.securityfocus.com/ > > ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Wed Sep 18 2002 - 12:22:10 PDT