RE: Application & Iplanet/Apache web server vulnerability and penetration testing

From: Dave Piscitello (dave@corecom.com)
Date: Thu Sep 19 2002 - 09:50:23 EDT


I've read Web Hacking.

(Disclosure: I know the authors and do advisory work for their company
but I don't get compensated for helping them sell books)

It's a very good book for learning the methodology of and tools for web
hacking and thus a way to learn self-assessment and pen-testing/auditing,
and of course, indirectly you will learn how to protect web servers, but
from the "what not to do" perspective. I wouldn't buy the book if you are
looking for a neat and tidy list of guidelines; frankly, I don't think such
a list will ever give you a convenient checklist of how to redress *all*
the issues/threats you must consider, anyway.

At 08:33 AM 9/17/2002 -0500, Cox Michael wrote:
>2) The NIST has a doc here http://csrc.nist.gov/publications/drafts.html
>called "Special Publication 800-44, Guidelines on Securing Public Web
>Servers." The NSA has guides on iPlanet and Apache here
>http://nsa1.www.conxion.com/support/download.htm.
>
>3) There's a guide due out in October from these good people
>http://www.owasp.org/. There are a couple of recent books that look good,
>but I've just received them so I can't comment in detail - _Hacking Web
>Applications Exposed_ and _Web Hacking: Attacks and Defense_.
>
>Regards,
>Michael
>
>
> > -----Original Message-----
> > From: Steven Walker [mailto:swalker7799@yahoo.com]
> > Sent: Monday, September 16, 2002 12:05 PM
> > To: Pen-Test Security Focus
> > Subject: Application & Iplanet/Apache web server vulnerability and
> > penetration testing
> > Importance: High
> >
> >
> > Dear Group,
> >
> > I have been given a project to perform web application vulnerability
> > testing on iPlanet and Apache web servers. The servers run on NT/2000,
> > Solaris 2.7-8 (iPlanet) and Linux, Solaris (Apache).
> >
> > In-house tools are Wisker, WHArenal, NMAP, NESSUS. I have only used NMAP
> > and NESSUS so far for firewall and internal network testing.
> >
> > I am at a loss as to where to start the process and am trying to
> > determine if additional tools are needed.
> >
> > 1. I would obviously harden the web server OSes by closing unnecessary
> > ports, ensuring proper patch levels, getting rid of rhosts and equiv
> > files, enforcing password policies, limiting accounts, using ssh for
> > administration, etc.
> >
> > 2. I don't know what to do on the web servers other than delete example
> > scripts and ensure default passwords are changed to stronger ones. Are
> > there any links that you know of that would provide a checklist of
> > iPlanet and Apache vulnerability checks? Are there any recommended tools
> > that can automate this process? Any suggestions on iPlanet and Apache
> > security?
> >
> > 3. Regarding web applications, I will be expected to test applications
> > before they go into production. I know to test for buffer overflows by
> > inputting unexpected characters into fields. Beyond that, what advice
> > could you give, or methodology could you direct me to? Jobs are tough to
> > find out there; I could use your help in keeping this one. Thanks to all
> > of you who will help me.
> >
> > Sincerely
> >
> > Steven M. Walker CISSP, GSEC, ABCP
> > Security Specialist
> > 44 W. Douglas Dr.
> > Saint Peters, MO 63376
> > Office: 636.279.2206
> > Home: 636.278.8004
> >

David M. Piscitello
Core Competence, Inc. &
3 Myrtle Bank Lane
Hilton Head, SC 29926
dave@corecom.com
843.689.5595
www.corecom.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
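The hardening items in Steven's points 1 and 2 (remote-trust files, example scripts) can be turned into a repeatable pre-production check rather than a one-off. The script below is an added example, not code from anyone in the thread: a read-only POSIX shell audit that walks a root prefix for .rhosts/hosts.equiv files and for the stock example CGIs Apache ships in cgi-bin; the two cgi-bin locations are assumptions, so adjust them to your ServerRoot.

```shell
#!/bin/sh
# Added example (not from the thread). Read-only audit of two hardening items:
# remote-trust files (.rhosts, hosts.equiv) and Apache's stock example CGIs.
# ROOT is a path prefix, so the same function can be pointed at "/" on a host
# or at a staging copy. The cgi-bin directories below are assumed locations.

audit_web_host() {
    root="${1%/}"          # strip a trailing slash; "" means the real root
    findings=0
    # Item 1: .rhosts / hosts.equiv grant password-less rlogin/rsh trust.
    for f in "$root/etc/hosts.equiv" "$root/root/.rhosts" \
             "$root"/home/*/.rhosts "$root"/export/home/*/.rhosts; do
        [ -f "$f" ] || continue
        echo "TRUST-FILE $f"
        findings=$((findings + 1))
    done
    # Item 2: printenv and test-cgi are demo scripts that leak server
    # environment details and have no place on a production server.
    for dir in "$root/usr/local/apache/cgi-bin" "$root/var/www/cgi-bin"; do
        for cgi in printenv test-cgi; do
            [ -f "$dir/$cgi" ] || continue
            echo "EXAMPLE-CGI $dir/$cgi"
            findings=$((findings + 1))
        done
    done
    echo "FINDINGS $findings"
    [ "$findings" -eq 0 ]   # non-zero exit lets a deploy script gate on it
}

# Constructed fixture: a throwaway root containing one of each problem.
build_demo_root() {
    demo=$(mktemp -d)
    mkdir -p "$demo/etc" "$demo/home/alice" "$demo/var/www/cgi-bin"
    : > "$demo/etc/hosts.equiv"
    : > "$demo/home/alice/.rhosts"
    : > "$demo/var/www/cgi-bin/test-cgi"
    echo "$demo"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(build_demo_root)
    audit_web_host "$d" || echo "audit failed: remove the files listed above"
    rm -rf "$d"
fi
```

Run it with `--demo` to see the output on the constructed tree, or call `audit_web_host /` on a staging host before it goes live.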



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:25 EDT