Re: Web Application Tester

From: Anders Thulin (Anders.Thulin@tietoenator.com)
Date: Wed Sep 15 2004 - 03:09:56 EDT


Andrew Bagrin wrote:

> Does anyone know of an application tester similar to AppDetective
> thats not as hard on the pocket book?
> I need to pentest a web app and am looking for some tools

   Haven't tried AppDetective for Web Applications myself, so I'm
not sure of just what capabilities you're looking for. Nothing
magic I hope. Take a look at:

   * Nikto (http://www.cirt.net/code/nikto.shtml)
     Freeware
     Useful for single-shot exercises, less useful for mass deployment.
     Looks mainly at the server and the server set-up, not the web-site
     itself.

   * Xenu's Link Sleuth (http://home.snafu.de/tilman/xenulink.html)
     Freeware
     Intended for finding broken links, but also helps enumerate all
     reachable pages on a site, given a starting point (and in some
     cases an account/password).

   * wget (http://www.gnu.org/software/wget/wget.html)
     Freeware -- typically part of free Unixes, including Cygwin
     Useful for getting a 'copy' of the web site: search for keywords,
     comments, etc.

   An SSL proxy is sometimes useful, as is some kind of brute-force
login tool (THC-Hydra is well known - http://thc.org/)

   And, in general, the book Scambray & Shema: 'Hacking Exposed:
Web Applications' is one of the best places to start preparing for
this kind of exercise.

-- 
Anders Thulin   anders.thulin@tietoenator.com   040-661 50 63
TietoEnator Telecom & Media AB, Box 85, SE-201 20 Malmö
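The wget step the post recommends (pull a local copy, then search it for comments and other leftovers), worked through as an added example that is not part of the original message. The host name target.example, the sample page and the helper names scan_mirror, count_findings and make_sample_mirror are all constructed here for illustration; the wget command uses current option names and is left commented out because it needs network access.

```shell
#!/bin/sh
# Added example, not code from the original post: mirror a site with wget,
# then grep the local copy for material worth a second look in a web-app test.
# "target.example" and the sample page below are constructed for illustration.

# Step 1 (needs network, so commented out here): recursive copy of the target.
#   wget --mirror --convert-links --adjust-extension --page-requisites \
#        --no-parent --wait=1 -P mirror/ https://target.example/
# --no-parent keeps the crawl under the start path; --wait=1 spaces requests.
# Add --http-user/--http-password if the site sits behind HTTP auth.

# Step 2: scan a mirrored tree. Prints one finding per line as
# category<TAB>file<TAB>match. Only single-line comments are caught;
# comments spanning lines need a real HTML parser.
scan_mirror() {
    find "$1" -type f \( -name '*.html' -o -name '*.htm' -o -name '*.js' \) |
    while read -r f; do
        # HTML comments: developer notes, disabled links, old paths.
        grep -o '<!--[^>]*-->' "$f" | while read -r m; do
            printf 'comment\t%s\t%s\n' "$f" "$m"
        done
        # Hidden form fields: values the client controls (prices, roles, flags).
        grep -io '<input[^>]*type="hidden"[^>]*>' "$f" | while read -r m; do
            printf 'hidden\t%s\t%s\n' "$f" "$m"
        done
        # Links into paths that often expose admin pages or backup files.
        grep -Eio '(href|src|action)="[^"]*(admin|backup|\.bak|\.old|test)[^"]*"' "$f" |
        while read -r m; do
            printf 'path\t%s\t%s\n' "$f" "$m"
        done
    done
}

# Count findings of one category, e.g. count_findings mirror/ hidden
count_findings() {
    scan_mirror "$1" | grep -c "^$2" || true
}

# Constructed sample mirror (stands in for the wget output) so the scanner
# can be exercised offline.
make_sample_mirror() {
    d=$(mktemp -d)
    mkdir -p "$d/target.example"
    cat > "$d/target.example/index.html" <<'EOF'
<html><body>
<!-- TODO: hide the /admin/ link before go-live -->
<form action="/cart/checkout" method="post">
<input type="hidden" name="price" value="9.99">
<input type="text" name="qty">
<input type="submit">
</form>
<a href="/admin/login.jsp">staff</a>
<a href="/docs/config.bak">old settings</a>
</body></html>
EOF
    printf '%s\n' "$d"
}

# Demo on the constructed sample: sh scan.sh --demo
if [ "${1:-}" = "--demo" ]; then
    scan_mirror "$(make_sample_mirror)"
fi
```

On a real mirror the output is best piped through sort and uniq -c so that a template comment repeated on every page collapses to one line; the interesting findings are the ones that appear once.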


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:05 EDT