Re: A new Start

From: kartsios_list@secureinfohighway.com
Date: Wed Jun 21 2006 - 12:14:48 EDT


What you are talking about (port 8401 open with telnet access, MySQL running and Apache with Urchin5) could lead you to a penetration test of the server.
But to perform a penetration test of the web application you must follow a different approach, such as source code auditing, file injection, SQL injection, etc.

Talking about this could take a lot of space, so it is easier to direct you to some papers that already exist on the net and could be a helpful start for you.

Some of them on SecurityFocus are:
"Common security vulnerabilities in e-commerce systems" at www.securityfocus.com/infocus/1775
"Penetration testing for web applications", parts one, two and three, at www.securityfocus.com/infocus/1704 1709 and 1722 respectively.

In addition, you can also go for some tools of the trade in the form of freeware, or even trial versions if you want to try them out. Such tools could be AppDetective or similar, which test both the application and the DB backend.
Now, if you want to follow a more hands-on approach as it concerns DoS attacks or malformed input, SQL injection, etc., you must identify all input methods to your application and then try input validation on it (malformed input, too large, too small, not expected input, etc.).

Vasilis Kartsios
Information Security Analyst
_____________________

Secure Information Highway
B.Georgiou 20A
55132
Thessaloniki, Greece
_____________________

Tel.: +30 (2310) 887889
Fax.: +30 (2310) 850265
www.secureinfohighway.com
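
The input-validation approach described in the message above, as an added example that is not part of the original post: a small harness that runs the four probe categories named there (malformed, too large, too small, not expected) against a validator for one input field of your own application. The "quantity" field, both validator functions and all probe values are hypothetical and constructed for illustration.

```python
import re

# Constructed probe inputs, grouped by the categories named in the post.
# Field under test: a hypothetical "quantity" form field (integer 1..999).
PROBES = {
    "malformed":    ["12abc", "1e3", " 7", "1_0", "\u0661\u0662"],
    "too large":    ["1000", "9" * 5000],
    "too small":    ["0", "-1", ""],
    "not expected": ["1 OR 1=1", "<b>5</b>", "5\n"],
}
VALID = ["1", "42", "999"]  # inputs the field must keep accepting


def naive_validate(raw):
    """Weak check: anything int() parses that is below 1000."""
    try:
        # int() tolerates whitespace, signs, underscores and
        # non-ASCII digits, so more than "1..999" gets through.
        return int(raw) < 1000
    except ValueError:
        return False


def strict_validate(raw):
    """Allow-list check: 1-3 ASCII digits, no leading zero (1..999)."""
    # fullmatch (unlike '$') does not tolerate a trailing newline;
    # [0-9] (unlike \d) does not match non-ASCII digits.
    return re.fullmatch(r"[1-9][0-9]{0,2}", raw) is not None


def probe(validator):
    """Return {category: [inputs wrongly accepted]}; empty dict = clean."""
    findings = {}
    for category, inputs in PROBES.items():
        accepted = [s for s in inputs if validator(s)]
        if accepted:
            findings[category] = accepted
    wrongly_rejected = [s for s in VALID if not validator(s)]
    if wrongly_rejected:
        findings["valid input rejected"] = wrongly_rejected
    return findings


if __name__ == "__main__":
    for fn in (naive_validate, strict_validate):
        print(fn.__name__, probe(fn))
```

Each non-empty finding is a value the server-side check let through even though the field's specification excludes it; the same probe table can be reused for every input the application exposes.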




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:08 EDT