I've read Web Hacking. (Disclosure: I know the authors and do advisory work for their company, but I don't get compensated for helping them sell books.) It's a very good book for learning the methodology of and tools for web hacking, and thus a way to learn self-assessment and pen-testing/auditing; and of course, indirectly you will learn how to protect web servers, but from the "what not to do" perspective. I wouldn't buy the book if you are looking for a neat and tidy list of guidelines; frankly, I don't think such a list will ever give you a convenient checklist of how to redress *all* the issues/threats you must consider, anyway.

At 08:33 AM 9/17/2002 -0500, Cox Michael wrote:
>2) The NIST has a doc here http://csrc.nist.gov/publications/drafts.html
>called "Special Publication 800-44, Guidelines on Securing Public Web
>Servers." The NSA has guides on iPlanet and Apache here
>http://nsa1.www.conxion.com/support/download.htm.
>
>3) There's a guide due out in October from these good people
>http://www.owasp.org/. There are a couple of recent books that look good,
>but I've just received them so I can't comment in detail - _Hacking Web
>Applications Exposed_ and _Web Hacking: Attacks and Defense_.
>
>Regards,
>Michael
>
> > -----Original Message-----
> > From: Steven Walker [mailto:swalker7799at_private]
> > Sent: Monday, September 16, 2002 12:05 PM
> > To: Pen-Test Security Focus
> > Subject: Application & Iplanet/Apache web server vulnerability and
> > penetration testing
> > Importance: High
> >
> > Dear Group,
> >
> > I have been given a project to perform web application vulnerability testing
> > on iPlanet and Apache web servers. The servers run on NT/2000, Solaris
> > 2.7-8 (iPlanet) and Linux, Solaris (Apache).
> >
> > In-house tools are Whisker, WHArenal, NMAP, NESSUS. I have only used NMAP
> > and NESSUS so far for firewall and internal network testing.
> >
> > I am at a loss at where to start the process and am trying to determine if
> > additional tools are needed.
> >
> > 1. I would obviously harden the web server OS's by closing unnecessary
> > ports, ensuring proper patch levels, getting rid of rhost and equiv files,
> > enforcing password policies, limiting accounts, using ssh for administration,
> > etc.
> >
> > 2. I don't know what to do on the web servers other than delete example
> > scripts and ensure default passwords are changed to stronger ones. Are
> > there any links that you know of that would provide a checklist of iPlanet
> > and Apache vulnerability checks? Are there any recommended tools that can
> > automate this process? Any suggestions on iPlanet and Apache security?
> >
> > 3. Regarding web applications, I will be expected to test applications
> > before they go into production. I know to test for buffer overflows by
> > inputting non-expected characters into fields. Beyond that, what advice
> > could you give or methodology could you direct me to? Jobs are tough to
> > find out there; I could use your help in keeping this one. Thanks to all
> > of you who will help me.
> >
> > Sincerely
> >
> > Steven M. Walker CISSP, GSEC, ABCP
> > Security Specialist
> > 44 W. Douglas Dr.
> > Saint Peters, MO 63376
> > Office: 636.279.2206
> > Home: 636.278.8004
> >
> > ----------------------------------------------------------------------------
> > This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
> > Service. For more information on SecurityFocus' SIA service which
> > automatically alerts you to the latest security vulnerabilities please see:
> > https://alerts.securityfocus.com/

David M. Piscitello
Core Competence, Inc. &
3 Myrtle Bank Lane
Hilton Head, SC 29926
daveat_private
843.689.5595
www.corecom.com
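A small audit script for a few of the OS and web-server items in Steven's hardening list (rhosts/hosts.equiv trust files, leftover example CGI scripts, accounts with an empty password field). This is an added example, not code from the thread, from any of the books mentioned, or from any vendor; the filesystem layout (/etc, /root, /home, a cgi-bin directory), the list of "example" script names, and the sample tree it builds to run against are all assumptions. Point ROOT at / and name your real cgi-bin directory to run it on a host.

```shell
#!/bin/sh
# Added example (not from the thread): audit a filesystem tree for a few of
# the hardening items in Steven's list. ROOT is a path prefix so the same
# function can be run against a constructed sample tree or a live host.

# Stock example CGI scripts that shipped with Apache-era builds.
# Assumption: extend the list for whatever your distribution installs.
EXAMPLE_CGI="printenv test-cgi"

# audit_host ROOT [CGI_DIR ...]
# Prints one finding per line (kind: detail); prints nothing for a clean tree.
audit_host() {
    root=$1
    shift
    # 1. rsh/rlogin trust files: anyone listed gets in without a password.
    for f in "$root/etc/hosts.equiv" "$root/root/.rhosts" "$root"/home/*/.rhosts; do
        if [ -e "$f" ]; then
            echo "trust-file: $f"
        fi
    done
    # 2. example scripts left in each CGI directory named on the command line.
    for dir in "$@"; do
        for name in $EXAMPLE_CGI; do
            if [ -e "$root/$dir/$name" ]; then
                echo "example-cgi: $root/$dir/$name"
            fi
        done
    done
    # 3. accounts whose passwd entry has an empty password field (no password
    #    at all; "x" or "*" means the hash lives in shadow and is not flagged).
    if [ -r "$root/etc/passwd" ]; then
        while IFS=: read -r user pw rest; do
            if [ -z "$pw" ]; then
                echo "empty-password: $user"
            fi
        done < "$root/etc/passwd"
    fi
    return 0
}

# count_findings ROOT [CGI_DIR ...] : number of findings as a plain integer.
count_findings() {
    audit_host "$@" | wc -l | tr -d ' '
}

# build_sample ROOT : constructed sample tree that plants one of each problem
# (hosts.equiv, a user .rhosts, a leftover printenv script, a passwordless
# "guest" account). This is test data, not a real host.
build_sample() {
    root=$1
    mkdir -p "$root/etc" "$root/root" "$root/home/steve" "$root/usr/local/apache/cgi-bin"
    echo "trusted.example.com" > "$root/etc/hosts.equiv"
    : > "$root/home/steve/.rhosts"
    printf '#!/bin/sh\necho hi\n' > "$root/usr/local/apache/cgi-bin/printenv"
    printf 'root:x:0:0:root:/root:/bin/sh\nguest::500:500::/home/guest:/bin/sh\n' > "$root/etc/passwd"
}

# Demo: build the sample tree and audit it (prints the four planted findings).
demo_root=$(mktemp -d)
build_sample "$demo_root"
audit_host "$demo_root" usr/local/apache/cgi-bin
rm -rf "$demo_root"
```

The checks are deliberately filesystem-only so they can be run from a read-only audit account; the remaining items in the list (open ports, patch levels, default application passwords) need a port scanner, the vendor's patch database and the product's own admin interface, which this script does not try to replace.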
This archive was generated by hypermail 2b30 : Thu Sep 19 2002 - 13:31:22 PDT