AK | 1 Mar 01:38 2011

Re: web application vulnerability tools list needed

Have you tried googling?
http://www.owasp.org/index.php/Category:Penetration_Testing_Tools

On 02/28/2011 07:54 PM, Rajesh R wrote:
> Hi
>
>
> As I need to do vulnerability assessment for a web application in my
> project. Please
> let me know the tools which are available to find out vulnerability in a web
> application.
>
> for both platforms windows and unix/linux and also both
> opensource/commercial products.
>
> Thanks
>
> --
>
> ------------------------------------------
>
> Thanks,
>
> Rajesh R
>
> Mobile: +91-9000-581-806
>
>
>


SecPro | 1 Mar 16:21 2011

Re: product to send confidential information to clients


Sending how?  Via email, FTP (secure) or some other manner?  This is a 
rather broad request; your DLP/data handling policies should come into 
play.  From a very high level there are a couple of ways to approach 
this.  If you're speaking about data exchange via email you can look at 
products like Vontu, which can enforce encryption, determine policy 
for what can and can't be sent, audit log, etc.  If you have a scheduled 
data transfer via FTP, for example, you can use PGP to encrypt the data 
before it is sent.  A little more detail would be helpful in order to 
better understand your situation.

Regards

On 2/28/11 3:39 PM, Juan B wrote:
>
>
> hi all
>
> I am looking for a product/application which will manage all the sending of
> information to 3rd parties working with the bank.
>
> I don't mean to implement a VPN or ssh. I'm looking for an app which will manage
> sending information in a secure way.
>
> someone knows about such an application?
>
> thanks,
>
> marco
>

John Kellerman | 1 Mar 02:02 2011

Directly attacking a firewall

Hi Paul,
I am responding to the post below:

I saw your email about "how hard and long would it take to attack directly a firewall....."

Sorry, but 'short and sweet'... with the abundance of web vulnerabilities (cross-site scripting, SQL
injection and the plethora of IIS vulnerabilities and Apache vulnerabilities), hackers and pen
testers rarely spend their time 'directly attacking a firewall' to get to the jewels behind the firewall.
There are the common ports (especially web services) that are always allowed in, and that's the path of least
resistance.  The attack vector is now web vulnerabilities and phishing (email), drive-by downloads, etc.
Once a hacker or pentester on a project can get to a web server, he/she has a pivot point to go further into the
network. That's the reason security engineers always emphasize separating internet-facing servers
as well as 2-tier components like DB servers: web servers in one DMZ, DB servers in another DMZ with
strict access controls and, MOST IMPORTANT, regular patch updates of OS and applications, as well as
thorough code review of web code to ensure that cross-site scripting vulnerabilities and SQL injection
vulnerabilities don't exist.
Defense in layers is always the best defense.

I whole-heartedly agree with the social engineering attack vector, and I would say that next to web
vulnerabilities and drive-by downloads, it's just as prevalent a risk.

Anyways..
Great question...
Just my 0.02.... and/or opinion... for what it's worth

Cheers..
JMK, CISSP

POST below I am responding to.....
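
An added example, written by the editor and not part of JMK's post or the original thread, showing the two flaws the post names side by side with their hardened forms: a login query built by string concatenation next to a parameterised one, and an HTML page that reflects a search term unchanged next to one that escapes it. The user table, the names and the injected input are constructed for the demo; only Python's standard library (sqlite3, html) is used.

```python
import html
import sqlite3

# Constructed sample users for the demo (not data from the original thread).
# Passwords are stored in clear text only to keep the example short; real
# code stores a salted password hash.
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """String-built query: the caller's input becomes part of the SQL syntax.
    name = "alice' --" turns the rest of the WHERE clause into a comment,
    so any password is accepted for alice."""
    sql = ("SELECT 1 FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Parameterised query: the driver binds the values, so a quote or a
    comment marker inside them is just data, never SQL."""
    sql = "SELECT 1 FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None


def render_vulnerable(search: str) -> str:
    """Reflects user input into HTML unchanged (reflected XSS)."""
    return "<p>Results for %s</p>" % search


def render_safe(search: str) -> str:
    """Escapes <, >, &, \" and ' so the input is shown as text, not markup."""
    return "<p>Results for %s</p>" % html.escape(search, quote=True)


if __name__ == "__main__":
    db = make_db()
    attack_name, attack_pw = "alice' --", "wrong"
    print("vulnerable login with injected name:",
          login_vulnerable(db, attack_name, attack_pw))
    print("parameterised login with same input:",
          login_safe(db, attack_name, attack_pw))
    xss = "<script>alert(1)</script>"
    print(render_vulnerable(xss))
    print(render_safe(xss))
```

The parameterised form is the fix a code review should insist on; input "validation" that tries to strip quotes is not a substitute, because the query text is still assembled from untrusted data. Likewise, output escaping belongs at the point where data is written into HTML, not where it is read.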


Edd Burgess | 1 Mar 03:10 2011

Re: product to send confidential information to clients

Most MUAs offer end-to-end PGP; is there any reason you can't just use email?
Edd.

On 28/02/2011 20:39, Juan B wrote:
>
>
> hi all
>
> I am looking for a product/application which will manage all the sending of
> information to 3rd parties working with the bank.
>
> I don't mean to implement a VPN or ssh. I'm looking for an app which will manage
> sending information in a secure way.
>
> someone knows about such an application?
>
> thanks,
>
> marco
>
>
>
>

TAS | 1 Mar 03:53 2011

Re: web application vulnerability tools list needed

Skipfish, Arachni, Netsparker, Appscan, Acunetix etc.

HTH



-----Original Message-----
From: Rajesh R <rajeshr1988 <at> gmail.com>
Sender: listbounce <at> securityfocus.com
Date: Mon, 28 Feb 2011 23:24:40 
To: <pen-test <at> securityfocus.com>; <security-basics <at> securityfocus.com>
Subject: web application vulnerability tools list needed

Hi


As I need to do vulnerability assessment for a web application in my
project. Please
let me know the tools which are available to find out vulnerability in a web
application.

for both platforms windows and unix/linux and also both
opensource/commercial products.

Thanks

--

------------------------------------------

a.alii85 | 1 Mar 07:02 2011

How to tunnel https traffic in a VPN-based connection?

I have sites Ai, i = 1..10, which communicate with site B to access a website/application.
That's simple enough. 

However, the traffic is HTTP. Well, we primarily don't need HTTPS on an IPsec tunnel, right? But attacks
related to eavesdropping on the traffic become a reality once it gets terminated by the IPsec device on both sides.

I have two options: either purchase a third-party SSL certificate to encrypt the traffic between two
nodes or use a custom-made one.

I don't want to use a custom-made one because this makes the browser prompt an ugly untrusted-certificate
message; it's ugly not from a security perspective but for the clients' convenience, and assuring users'
confidence in our systems is a critical issue for us.

Based upon the above discussion I have the following two queries:

a) How is it possible to remove the ugly untrusted-certificate message from the user's screen? Does the company need to
register its certificate with some kind of CA body? Or what...?

b) Due to some TCP acceleration issues, SSL traffic slows down the traffic between the nodes, so we only
require the encryption to stand just during the initial handshake, when the username and password are
being validated; after that we want to revert back to HTTP. Could this be achieved? If yes, how?

Thanks for your help.


Shalini Chandel | 1 Mar 07:24 2011

RE: web application vulnerability tools list needed

Hi,

Some tools are :

Open Source :

*       Paros Proxy
*       Web Scarab
*       Metasploit Framework

Commercial Tools :

*       Acunetix WVS
*       WebInspect
*       Rational AppScan
*       Burp Suite
*       MileScan
*       NTOSpider
*       Cenzic Hailstorm

Thanks,
SC

-----Original Message-----
From: listbounce <at> securityfocus.com [mailto:listbounce <at> securityfocus.com] On Behalf Of Rajesh R
Sent: Monday, February 28, 2011 11:25 PM
To: pen-test <at> securityfocus.com; security-basics <at> securityfocus.com
Subject: web application vulnerability tools list needed

Hi

psiinon | 1 Mar 08:12 2011

Re: web application vulnerability tools list needed

Hi Rajesh,

If you are new to web app security then you'll probably be best
starting with vulnerability scanners.
They won't find all of the vulnerabilities, but they will be a good start.
There's a fairly comprehensive list here:
http://projects.webappsec.org/w/page/13246988/Web-Application-Security-Scanner-List

I will (of course) mention ZAP
(http://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project) which
is on that list and is free, open source, cross platform and
specifically aimed at people with less security experience ;)

Psiinon

OWASP ZAP Project Lead

On Mon, Feb 28, 2011 at 5:54 PM, Rajesh R <rajeshr1988 <at> gmail.com> wrote:
> Hi
>
>
> As I need to do vulnerability assessment for a web application in my
> project. Please
> let me know the tools which are available to find out vulnerability in a web
> application.
>
> for both platforms windows and unix/linux and also both
> opensource/commercial products.
>
> Thanks
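
To make concrete what "won't find all of the vulnerabilities" means, here is an added example (editor's code, not part of psiinon's post and not ZAP's own code) of the core check a black-box scanner runs for reflected cross-site scripting, pointed at a constructed in-process target. The handler names, the parameters and the guestbook page are assumptions made for the demo. The probe finds the reflected flaw in the search page but reports nothing for the guestbook, whose injected payload only surfaces on a different page: a stored flaw that a request-by-request check cannot see.

```python
import uuid

# Constructed target: three request handlers standing in for a web app, so
# the scan runs in-process and offline. A handler takes the request
# parameters and returns the HTML body it would serve.
GUESTBOOK = []


def search_page(params: dict) -> str:
    """Reflected flaw: the q parameter is echoed into the same response."""
    return "<h1>Search</h1><p>You searched for: %s</p>" % params.get("q", "")


def guestbook_post(params: dict) -> str:
    """Stored flaw: msg is saved, but this response never shows it."""
    GUESTBOOK.append(params.get("msg", ""))
    return "<p>Thanks, your message was saved.</p>"


def guestbook_view(params: dict) -> str:
    """The page where stored messages (and any stored payload) surface."""
    return "<ul>" + "".join("<li>%s</li>" % m for m in GUESTBOOK) + "</ul>"


def probe_reflected_xss(handler, param: str) -> bool:
    """One scanner check: send a harmless tag carrying a random marker and
    look for it coming back unencoded in the response to that same request.
    The random marker avoids false positives from text already on the page."""
    payload = "<zap%s>" % uuid.uuid4().hex[:8]
    return payload in handler({param: payload})


def scan(app: dict, params_by_page: dict) -> dict:
    """Run the reflected check on every (page, parameter) pair and return
    {(page, parameter): True if the payload was reflected}."""
    return {
        (page, name): probe_reflected_xss(app[page], name)
        for page, names in params_by_page.items()
        for name in names
    }


if __name__ == "__main__":
    app = {"search": search_page, "guestbook": guestbook_post,
           "view": guestbook_view}
    findings = scan(app, {"search": ["q"], "guestbook": ["msg"]})
    for (page, name), hit in findings.items():
        print("%-10s %-4s %s" % (page, name,
                                 "REFLECTED XSS" if hit else "no finding"))
    # The scanner reported nothing for guestbook/msg, yet the payload it
    # stored is now served unencoded on a different page:
    print("payload present in view page:", "<zap" in guestbook_view({}))
```

Real scanners add a crawler and re-visit pages after injecting, which is how they catch some stored cases, but the general point stands: a scanner can only report what appears in the responses it knows to look at, so manual testing and code review remain necessary.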

Tasos Laskos | 1 Mar 11:54 2011

Re: web application vulnerability tools list needed

Hi,

This list is pretty comprehensive: 
http://projects.webappsec.org/w/page/13246988/Web-Application-Security-Scanner-List

- Tasos L.

On 02/28/2011 05:54 PM, Rajesh R wrote:
> Hi
>
>
> As I need to do vulnerability assessment for a web application in my
> project. Please
> let me know the tools which are available to find out vulnerability in a web
> application.
>
> for both platforms windows and unix/linux and also both
> opensource/commercial products.
>
> Thanks
>
> --
>
> ------------------------------------------
>
> Thanks,
>
> Rajesh R
>
> Mobile: +91-9000-581-806

Adam Pal | 1 Mar 12:22 2011

Re: product to send confidential information to clients

Hello Juan,

What classification has the information you intend to send?
Please note that Level 3 data should be sent only via an encrypted
channel; minimum requirements are mentioned in the respective
PCI standard.
For Level 2 data, email encryption (S/MIME or PGP) shall be sufficient;
for less traffic, solid encryption implemented in zip should work too,
but for automated mechanisms you won't get around VPN or dial-in +
other encryption.

-- 
Best regards,
 Adam Pal   

Monday, February 28, 2011, 9:39:32 PM, you wrote:

<==============Original message text===============

JB> hi all

JB> I am looking for a product/application which will manage all the sending of
JB> information to 3rd parties working with the bank.

JB> I don't mean to implement a VPN or ssh. I'm looking for an app which will manage
JB> sending information in a secure way.

JB> someone knows about such an application?

JB> thanks,
