Tom Brennan - Personal wrote:
> and of course there can be no other issues in a webapp if nikto can't
> find them :)
>
> Nmap+Nessus+Nikto a good way to find Network Layer aka known problems
> known systems for low cost or CVE

Nessus now supports web application testing: it will perform a spider and fuzz parameters of any web apps. It's not a substitute for manual testing.

> When you have a custom developed website (example:
> www.ALLWEBSITES.xxx). You need to look at logic flows, dynamic forms
> and other such as
> http://www.webappsec.org/projects/threat/classes_of_attack.shtml
> think CWE http://cwe.mitre.org/

My suggestions in previous posts were specifically targeted at phpMyAdmin, NOT a custom web app. For a custom web app, that is an entirely different conversation.

> Since 2001, OWASP www.owasp.org also has well known resources such as
> owasp-top 10, developer guide, webgoat, SAMM and 50+ others for FREE

Yes, and Nessus can log into a system and check the configuration against the OWASP top ten list :)

> If you have a custom webapp and don't think you have any webapp
> issues I got $20 bucks who wants to bet?

I completely agree :)

Cheers,
Paul

-- 
Paul Asadoorian
PaulDotCom Enterprises
Web: http://pauldotcom.com
Phone: 401.829.9552

_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
