Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
From: James Fleming (jamesfleming94588yahoo.com)
Date: Fri Jan 11 2002 - 16:49:05 CST
Well I guess there are a few ways to do it. I really
was wanting to learn about source code analysis and
how you do that from this list for a web application
but cant find any hostoric threads so far. I usually
User Interactive applications - must take or allow
some form of input from user so you can spider a site
and intelligently parse html forms.....you usually can
get a really good idea of the expected parameters
passed as well.
My normal way is
Enumerate files (aka whisker type thing)
then parse all output and build list of potential
targets and attacks that could be applied to the
targets. Then run them. Use fuzzers and stuff for
parameter manipulation and create input for sql
injection and css etc myself although I really want to
As for should you test an indivisual application. Of
course it has its uses, but one application could
conceiveably compromise another application and so I
would say not if you dont have to.
--- Mark Curphey <mcurpheyonebox.com> wrote:
> As you know we are starting to build the testing
> framework....we are
> going to capture the mailing list debate and
> thoughts to want your input.
> Well then publish it for community review and input.
> One of the areas that seems really important is What
> to test ? I put
> some provisional headings down at
> Imaginary scneario : you are presented with a site
> dns name and asked
> to review its security of the applications running
> on it.
> Where do you start ?
> Do you spider the site looking for any place that
> sends paramaters to
> an application ?
> How do you find where application reside ?
> What about web services and WDSL ? Do you look at a
> UDDI ?
> Should you test an application issolation (ie a
> single cgi) or all applications
> on that site ?
> These are just a few thoughts, really just a few...
> So does anyone want to share the way they approach
> deciding what should
> be tested with the list ?
> FREE voicemail, email, and fax...all in one place.
> Sign Up Now! http://www.onebox.com
Do You Yahoo!?
Send FREE video emails in Yahoo! Mail!