and of course there can be no other issues in a webapp if nikto can't find them :)
Nmap+Nessus+Nikto a good way to find Network Layer aka known problems known systems for low cost or CVE

When you have a custom developed website (example: www.ALLWEBSITES.xxx). You need to look at logic flows, dynamic forms and other such as http://www.webappsec.org/projects/threat/classes_of_attack.shtml think CWE http://cwe.mitre.org/

Since 2001, OWASP www.owasp.org also has well known resources such as owasp-top 10, developer guide, webgoat, SAMM and 50+ others for FREE

If you have a custom webapp and don't think you have any webapp issues I got $20 bucks who wants to bet?

www.twitter.com/brennantom

-----Original Message-----
From: Paul Asadoorian <[email protected]>
Date: Mon, 03 Aug 2009 13:40:15
To: PaulDotCom Security Weekly Mailing List<[email protected]>
Subject: Re: [Pauldotcom] Scanning for phpMyAdmin

Looks like Nikto contains about 5 checks for phpmyadmin (grep -i phpmyadmin db_tests). Nmap scripts do not contain any references to phpmyadmin.

Cheers,
Paul

Nathan Sweaney wrote:
> Couple options off the top of my head. You’ll have to research them/try
> them out to figure out which works for you.
>
> 1). Nessus. I’m pretty sure it’ll detect phpMyAdmin & even determine
> old versions. Paul should be able to confirm that.
>
> 2). Nmap. It’ll find the webservers, but not specify the application
> unless there’s an NSE script to detect it. If not you could probably
> create one pretty easily. Awhile back Kevin Johnson did some work
> converting the Nikto tests into Nmap NSE scripts. So he may have
> something for that.
>
> 3). Nikto will show you where it’s installed, but I’m not sure it
> includes which version. It could also take awhile to scan your entire
> network. I’d use nmap first to find the servers & then Nikto.
>
> -- Nathan
>
> ------------------------------------------------------------------------
>
> *From:* [email protected]
> [mailto:[email protected]] *On Behalf Of *John Hoyt
> *Sent:* Monday, August 03, 2009 9:08 AM
> *To:* [email protected]
> *Subject:* [Pauldotcom] Scanning for phpMyAdmin
>
> Does anyone know of a method that I can use to scan my network for
> servers hosting phpMyAdmin?
>
> I'm potentially looking for vulnerable versions.
>
> Thanks,
>
> John Hoyt
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com

--
Paul Asadoorian
PaulDotCom Enterprises
Web: http://pauldotcom.com
Phone: 401.829.9552
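
The "nmap first to find the servers & then Nikto" workflow from the thread, as an added example that is not part of the original messages: it reads nmap grepable (`-oG`) output from a scan of your own network and builds one Nikto command line per open web port. The sample scan output, the file name `web.gnmap` and the function names are constructed for illustration.

```python
# Constructed sample of `nmap -oG` output (fields are tab-separated);
# addresses come from the RFC 5737 documentation range, not real hosts.
SAMPLE_GNMAP = (
    "# Nmap scan initiated as: nmap -p 22,80,443,8080 -oG web.gnmap 192.0.2.0/29\n"
    "Host: 192.0.2.1 ()\tStatus: Up\n"
    "Host: 192.0.2.1 ()\tPorts: 80/open/tcp//http///, 443/closed/tcp//https///\n"
    "Host: 192.0.2.2 (db1.example.test)\tStatus: Up\n"
    "Host: 192.0.2.2 (db1.example.test)\tPorts: 22/open/tcp//ssh///, "
    "8080/open/tcp//http-proxy///, 443/open/tcp//https///\n"
    "Host: 192.0.2.3 ()\tPorts: 80/filtered/tcp//http///\n"
    "# Nmap done\n"
)

def web_targets(gnmap_text):
    """Return sorted (host, port, use_ssl) tuples for open TCP web ports."""
    targets = set()
    for line in gnmap_text.splitlines():
        if not line.startswith("Host: "):
            continue                      # skip comment lines
        fields = line.split("\t")
        host = fields[0].split()[1]
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue                  # e.g. "Status: Up"
            for entry in field[len("Ports: "):].split(", "):
                parts = entry.strip().split("/")
                if len(parts) < 5:
                    continue              # malformed entry
                port, state, proto, _owner, service = parts[:5]
                if state != "open" or proto != "tcp":
                    continue              # closed/filtered ports are not scanned
                name = service.replace("ssl|", "")  # nmap writes ssl/http as ssl|http
                if name.startswith("http"):
                    use_ssl = service != name or name.startswith("https")
                    targets.add((host, int(port), use_ssl))
    return sorted(targets)

def nikto_commands(targets):
    """Build one Nikto argument list per target (nothing is executed here)."""
    cmds = []
    for host, port, use_ssl in targets:
        cmd = ["nikto", "-h", host, "-p", str(port)]
        if use_ssl:
            cmd.append("-ssl")
        cmds.append(cmd)
    return cmds

if __name__ == "__main__":
    for cmd in nikto_commands(web_targets(SAMPLE_GNMAP)):
        print(" ".join(cmd))
```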
