From: Mark Curphey (markcurphey.com)
Date: Mon Jan 21 2002 - 20:25:08 CST

    -----Original Message-----
    From: Kevin Spett [mailto:kspettspidynamics.com]
    Sent: Monday, January 21, 2002 5:12 PM
    To: markcurphey.com; owaspsecurityfocus.com
    Subject: Re: OWASP : What to test ?

        You guys seem to be on the right track... here are some things that are
    frequently overlooked that we've found to be useful:
        Testing for "hidden" files on the server that exist for administration
    purposes or that were left on the server by developers. Always check every
    directory for files like "admin.asp" and "upload.asp" that may exist to help
    administrators. Equally as interesting can be files like "test.asp" or
    "example.asp" that may have been placed on the server by developers and
    never removed. I cannot tell you how many times that I've run into a
    seemingly bulletproof server, and then found a "test.asp" that contains some
    code that a developer abandoned. Lots of the time these will contain
    information on other "hidden" files, failed database connection errors and
    other such things. Along similar lines, looking for core dump files, CVS
    files, and application logs can be very fruitful. For example, older
    versions of WS FTP, by default, will always upload a file called
    "WS_FTP.LOG" to the remote host.
        Who says you're the first person to check out a site's security? Look
    for backdoors and other tools. The most common ones are obviously going to
    be "root.exe" and "cmd.exe". Check for other common ones like
    "ackcmds.exe", "nc.exe", etc.
        Another neat trick is abusing a site's search function. Nearly every
    web site now has a search tool. If the admin is lazy and has the search
    application index the /entire/ server from the webroot up, you can search
    for the admin pages, configuration files, databases... anything at all above
    the webroot.

        Kevin.

    ----- Original Message -----
    From: "Mark Curphey" <mcurpheyonebox.com>
    To: <webappsecsecurityfocus.com>
    Sent: Friday, January 11, 2002 11:04 AM
    Subject: OWASP : What to test ?

    > As you know we are starting to build the testing framework....we are
    > going to capture the mailing list debate and thoughts and want your input.
    > We'll then publish it for community review and input.
    >
    > One of the areas that seems really important is What to test? I put
    > some provisional headings down at http://www.owasp.org/projects/testing/
    >
    > Imaginary scenario: you are presented with a site DNS name and asked
    > to review the security of the applications running on it.
    >
    > Where do you start?
    > Do you spider the site looking for any place that sends parameters to
    > an application?
    > How do you find where applications reside?
    > What about web services and WSDL? Do you look at a UDDI?
    > Should you test an application in isolation (i.e. a single cgi) or all
    > applications on that site?
    >
    > These are just a few thoughts, really just a few...
    >
    > So does anyone want to share the way they approach deciding what should
    > be tested with the list?
    >
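A defensive counterpart to Kevin's checklist, added here as an example and not part of the original thread: a pre-deployment hygiene check that walks your own webroot and flags the kinds of leftover files he lists (test/example and admin scripts, WS_FTP.LOG, CVS metadata, core dumps, command-shell binaries) so they are removed before the site goes live. The rule list and the sample paths are constructed for this example and are a review aid, not a verdict.

```python
import os
import re

# Heuristic rules built from the leftovers named in the thread above.
# Each entry: (pattern over a webroot-relative path, reason to review it).
LEFTOVER_RULES = [
    (re.compile(r"(^|/)(test|example|sample|backup|old)[^/]*\.(asp|php|jsp|cgi|pl)$", re.I),
     "developer test/example script"),
    (re.compile(r"(^|/)(admin|upload)[^/]*\.(asp|php|jsp|cgi|pl)$", re.I),
     "administrative script reachable from the webroot"),
    (re.compile(r"(^|/)ws_ftp\.log$", re.I), "WS_FTP client upload log"),
    (re.compile(r"(^|/)(CVS|\.svn|\.git)(/|$)"), "source-control metadata"),
    (re.compile(r"(^|/)core(\.\d+)?$"), "core dump"),
    (re.compile(r"\.(log|bak|orig|swp|tmp)$", re.I), "log/backup/temp file"),
    (re.compile(r"(^|/)(root|cmd|nc|ackcmds)\.exe$", re.I),
     "command shell / remote-control binary"),
]

# Constructed sample of a small deployed site, mixing legitimate and leftover files.
SAMPLE_PATHS = [
    "index.asp", "images/logo.gif", "test.asp", "inc/admin.asp",
    "WS_FTP.LOG", "CVS/Entries", "core", "scripts/cmd.exe",
]

def classify(relpath):
    """Return the reason a webroot-relative path looks like a leftover, or None."""
    normalized = relpath.replace("\\", "/").lstrip("/")
    for pattern, reason in LEFTOVER_RULES:  # first matching rule wins
        if pattern.search(normalized):
            return reason
    return None

def find_leftovers(relpaths):
    """Return [(path, reason)] for every path that trips a rule."""
    hits = ((p, classify(p)) for p in relpaths)
    return [(p, reason) for p, reason in hits if reason is not None]

def scan_webroot(root):
    """Walk a webroot on disk (directories included) and return flagged paths."""
    relpaths = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            relpaths.append(os.path.relpath(os.path.join(dirpath, name), root))
    return find_leftovers(relpaths)

if __name__ == "__main__":
    for path, reason in find_leftovers(SAMPLE_PATHS):
        print(f"{path}: {reason}")
```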