[Techtalk] Re: security testing

Raven Alder raven at oneeyedcrow.net
Mon Apr 19 00:41:26 EST 2004


Heya --

Quoth Becky L. Norum (Thu, Apr 15, 2004 at 04:57:17PM -0400):
> I'm curious to hear what other people use to help with web app security
> testing, especially Java apps.  Things that can facilitate URL hacking,
> form forging, etc.  I've played with TCPMon a bit and am wondering about
> (free or cheap) alternatives.

	I don't know much about Java apps, but I have found that for Web
testing in general, these are useful:

Nikto:
http://www.cirt.net/code/nikto.shtml
Version 2.0 is coming out Real Soon Now.

Achilles:
http://www.packetstormsecurity.org/web/ (digizen-security is down)
If you're on Windows (or run it under WINE), it's quite useful for MITM
and changing data as it passes through your inserted proxy.

	And, of course, Nessus and Ethereal.  At the least, the
auto-scanners will give you places to start monkeying with the input,
etc.

	I keep meaning to code an automated site-crawler that checks for
basic things like SQL injection and cross-site scripting
vulnerabilities, but it's about item 10,000 on the to-do list.

Cheers,
Raven
 
"manglement never notices when doing X kept them from having a
 disaster.  they only notice disasters."
  -- Randy Bush, on patching and prevention

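The "item 10,000" crawler Raven describes, written out here as an added example (Python 3 standard library only; this is not Raven's code and not any of the tools named above). Everything it targets is constructed for the demonstration: a deliberately vulnerable local HTTP server with the made-up paths /search, /item and /safe, the marker tag <zzxss>, and the error-string list. The crawler follows same-host links, then re-requests each discovered URL with every query parameter replaced by a probe payload and reports where the marker comes back unescaped (reflected XSS) or where a single quote triggers a database error string (SQL-error leakage).

```python
"""Toy crawler that probes query parameters for reflected XSS and SQL-error
leakage, run against a deliberately vulnerable local server.  Both the server
and its pages are constructed for this example; nothing leaves 127.0.0.1."""
import html
import re
import threading
from html.parser import HTMLParser
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urljoin, urlparse, urlsplit
from urllib.request import urlopen


class VulnHandler(BaseHTTPRequestHandler):
    """Constructed target: /search reflects input unescaped, /item leaks a DB error."""

    def do_GET(self):
        parts = urlsplit(self.path)
        qs = parse_qs(parts.query, keep_blank_values=True)

        def first(key):
            return qs.get(key, [""])[0]

        if parts.path == "/":
            body = ('<a href="/search?q=test">search</a> '
                    '<a href="/item?id=1">item</a> <a href="/safe?x=1">safe</a>')
        elif parts.path == "/search":
            body = "Results for " + first("q")              # no output escaping
        elif parts.path == "/item":
            if "'" in first("id"):                          # quote "breaks" the query
                body = "You have an error in your SQL syntax; check the manual"
            else:
                body = "Item " + html.escape(first("id"))
        elif parts.path == "/safe":
            body = "Value: " + html.escape(first("x"))      # escaped correctly
        else:
            self.send_response(404)
            self.end_headers()
            return
        data = body.encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the toy server quiet
        pass


class LinkParser(HTMLParser):
    """Collects href targets of <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links += [v for k, v in attrs if k == "href" and v]


# One (label, payload, detector) per check.  The XSS marker is a harmless tag:
# if it comes back byte-for-byte, the page is not escaping output.  The SQL
# check only looks for error strings, so it flags leakage, not confirmed injection.
XSS_MARKER = "<zzxss>"
SQL_ERROR = re.compile(r"SQL syntax|ORA-\d{5}|unterminated quoted string|"
                       r"Microsoft OLE DB|syntax error at or near", re.I)
CHECKS = [
    ("xss", XSS_MARKER, lambda body: XSS_MARKER in body),
    ("sqli-error", "'", lambda body: SQL_ERROR.search(body) is not None),
]


def fetch(url):
    with urlopen(url, timeout=5) as resp:
        return resp.read().decode("utf-8", "replace")


def crawl(base, limit=50):
    """Breadth-first crawl of same-host links; returns {url: body}."""
    seen, queue, pages = set(), [base], {}
    host = urlparse(base).netloc
    while queue and len(seen) < limit:
        url = queue.pop(0)
        if url in seen or urlparse(url).netloc != host:
            continue
        seen.add(url)
        try:
            body = fetch(url)
        except OSError:
            continue
        pages[url] = body
        parser = LinkParser()
        parser.feed(body)
        queue += [urljoin(url, href) for href in parser.links]
    return pages


def probe(url):
    """Re-request url once per (parameter, check) with that parameter set to the payload."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    for name in params:
        for kind, payload, hit in CHECKS:
            mutated = dict(params, **{name: [payload]})
            test_url = parts._replace(query=urlencode(mutated, doseq=True)).geturl()
            if hit(fetch(test_url)):
                findings.append((kind, parts.path, name))
    return findings


def run_scan():
    """Start the toy server on an ephemeral port, crawl and probe it, then stop it."""
    server = HTTPServer(("127.0.0.1", 0), VulnHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        base = "http://127.0.0.1:%d/" % server.server_address[1]
        findings = []
        for url in crawl(base):
            findings += probe(url)
        return sorted(set(findings))   # [('sqli-error', '/item', 'id'), ('xss', '/search', 'q')]
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for kind, path, param in run_scan():
        print("%-10s %s  param=%s" % (kind, path, param))
```

Two caveats a practitioner would add before pointing this at anything real: it only mutates GET query strings (form-based apps need the same loop over POST bodies, which is where a proxy like Achilles earns its keep), and a marker that comes back verbatim proves missing output encoding, not an exploitable context, so every hit still needs manual confirmation in a browser. Run it only against hosts you are authorized to test.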