Hi

Given your "no budget" constraint, I'd go with something like OWASP Live CD (http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project).

If you have a basic understanding of how web apps work, and how to attack them, this should give you a starting point. As for the completeness of the scanning, I can't say. I myself am in the process of evaluating.

rgds
Johan Møller

On Sat, Jun 6, 2009 at 8:55 PM, <[email protected]> wrote:
> Hello All:
>
> I am tasked with doing a basic web app pentest of a server that we are about
> to give external users access to.
>
> Background:
>
> I work for a university: no security department, no budget to hire an
> auditor.
>
> We are about to put one of our training servers on our DMZ; this way Faculty
> and Staff members can access it from home for Microsoft and other
> application video tutorials.
>
> Since my boss is aware that I am interested in infosec I was given the
> green light to test the app/server and report back anything that can aid in
> locking it down.
>
> Question:
>
> Since there are so many tools and ways to go about this I would like to
> know how others go about a web app pentest; you don't have to give away any
> trade secrets :)-.
>
> I am just looking for an efficient way to go about this!
>
> Specs:
>
> OS: Windows 2003 running in VMware, ESX 3.5.
>
> Application: Training package, with a bundled Windows version of a LAMP
> setup.
>
> Access Method: http.
>
> Thanks in advance.
> Sent from my Verizon Wireless BlackBerry
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
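As an added example (not part of the thread above, and not code from the OWASP Live CD project), here is the kind of first-pass recon a tester would do by hand against a bundled Windows LAMP package before reaching for a scanner: parse one HTTP response, flag version disclosure in Server / X-Powered-By, list the hardening headers that are absent, flag session cookies set without HttpOnly, and enumerate the forms, input names and links that make up the attack surface for the next step. The response is a constructed sample (the product names and versions in it are illustrative, not observed on the poster's server), and the list of expected headers is an assumption about what a report would normally flag.

```python
"""
Added example, not from the original thread: a first-pass recon helper for a
basic web app pentest. Input is a raw HTTP response (here a constructed
sample imitating a bundled Windows LAMP package); output is what a tester
would note before fuzzing: version disclosure, missing hardening headers,
weak cookie flags, and the forms/inputs/links on the page.
Runs offline; swap SAMPLE_RESPONSE for bytes read from a real socket fetch.
"""
from html.parser import HTMLParser

# Constructed sample; versions and paths are illustrative only.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Sat, 06 Jun 2009 19:00:00 GMT\r\n"
    b"Server: Apache/2.2.4 (Win32) PHP/5.2.3\r\n"
    b"X-Powered-By: PHP/5.2.3\r\n"
    b"Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body>"
    b"<form action=\"/login.php\" method=\"post\">"
    b"<input name=\"user\"><input name=\"pass\" type=\"password\">"
    b"<input type=\"submit\" value=\"Login\"></form>"
    b"<form action=\"/search.php\"><input name=\"q\"></form>"
    b"<a href=\"/phpmyadmin/\">db</a>"
    b"</body></html>"
)

# Assumption: headers a report would flag as missing (not an exhaustive list).
EXPECTED_HEADERS = ["X-Frame-Options", "X-Content-Type-Options",
                    "Content-Security-Policy"]


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        # Header names are case-insensitive; keep repeats (e.g. Set-Cookie).
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body.decode("latin-1", "replace")


def version_disclosure(headers):
    """Return Server / X-Powered-By values that carry a version string."""
    leaks = {}
    for name in ("server", "x-powered-by"):
        for value in headers.get(name, []):
            if "/" in value:  # e.g. Apache/2.2.4, PHP/5.2.3
                leaks[name] = value
    return leaks


def missing_headers(headers):
    """Expected hardening headers that the response does not send."""
    return [h for h in EXPECTED_HEADERS if h.lower() not in headers]


def cookie_flags(headers):
    """Cookie names set without HttpOnly (Secure is moot over plain http)."""
    return [c.split("=", 1)[0] for c in headers.get("set-cookie", [])
            if "httponly" not in c.lower()]


class FormCollector(HTMLParser):
    """Collect form actions, methods, input names and links from the body."""

    def __init__(self):
        super().__init__()
        self.forms, self.links, self._cur = [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action", ""),
                         "method": (a.get("method") or "get").lower(),
                         "inputs": []}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None and a.get("name"):
            self._cur["inputs"].append(a["name"])
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None


def recon(raw: bytes):
    """Run every check over one response and return the findings."""
    status, headers, body = parse_response(raw)
    fc = FormCollector()
    fc.feed(body)
    return {"status": status,
            "version_disclosure": version_disclosure(headers),
            "missing_headers": missing_headers(headers),
            "weak_cookies": cookie_flags(headers),
            "forms": fc.forms,
            "links": fc.links}


if __name__ == "__main__":
    for key, value in recon(SAMPLE_RESPONSE).items():
        print(f"{key}: {value}")
```

The forms and input names this returns (user, pass, q) are the parameters to feed to whatever scanner or manual injection tests come next; the version strings go straight into the report as information disclosure, and the link to an admin path is the first thing to check for default credentials.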
