Application & Iplanet/Apache web server vulnerability and penetration testing

From: Steven Walker (swalker7799@yahoo.com)
Date: Mon Sep 16 2002 - 13:05:05 EDT

• Next message: Cesar: "Re: SQL INJECTION IN Coldfusion"
• Previous message: Gianpiero Porchia: "R: finding ethereal"
• Next in thread: Caleb Sima: "Re: Application & Iplanet/Apache web server vulnerability and penetration testing"
• Reply: Caleb Sima: "Re: Application & Iplanet/Apache web server vulnerability and penetration testing"
• Reply: Kevin Spett: "Re: Application & Iplanet/Apache web server vulnerability and penetration testing"
• Reply: Scott Nursten: "Re: Application & Iplanet/Apache web server vulnerability and penetration testing"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Dear Group,

I have been given a project to perform web application vulnerability testing
on iPlanet and Apache web servers. The servers run on NT/2000, Solaris
2.7-8, (iPlanet) and Linux, Solaris (Apache).

In house tools are Wisker, WHArenal, NMAP, NESSUS. I have only used NMAP
and NESSUS so far for firewall and internal network testing.

I am at a loss at where to start the process and am trying to determine if
additional tools are needed.

1. I would obviously harden the web server OS's by closing unnecessary
ports, ensuring proper patch levels, getting rid of rhost and equiv files,
enforcing password policies, limiting accounts, use ssh for administration,
etc.

2. I don't know what to do on the web servers other than delete example
scripts and ensure default passwords are changed to stronger ones. Are
there any links that you know of that would provide a checklist of iPlanet
and Apache vulnerability checks. Are there any recommended tools that can
automate this process? Any suggestions on iPlanet and Apache security?

3. Regarding web applications, I will be expected to test applications
before they go into production. I know to test for buffer overflows buy
inputting non expected characters into fields. Beyond that what advice
could you give or methodology could you direct me too. Jobs are tough to
find out there, I could use your help in keeping this one. Thanks for all
of you who will help me.

Sincerely

Steven M. Walker CISSP, GSEC, ABCP
Security Specialist
44 W. Douglas Dr.
Saint Peters, MO 63376
Office: 636.279.2206
Home: 636.278.8004

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

• Next message: Cesar: "Re: SQL INJECTION IN Coldfusion"
• Previous message: Gianpiero Porchia: "R: finding ethereal"
• Next in thread: Caleb Sima: "Re: Application & Iplanet/Apache web server vulnerability and penetration testing"
• Reply: Caleb Sima: "Re: Application & Iplanet/Apache web server vulnerability and penetration testing"
• Reply: Kevin Spett: "Re: Application & Iplanet/Apache web server vulnerability and penetration testing"
• Reply: Scott Nursten: "Re: Application & Iplanet/Apache web server vulnerability and penetration testing"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:25 EDT