Home page logo

pauldotcom logo PaulDotCom mailing list archives

Steps taken During a Web App Pentest
From: johan at johans.dk (Johan Peder Møller)
Date: Mon, 8 Jun 2009 15:53:49 +0200


Given your "no buget" constraint, I'd go with something like OWASP Live CD (

If you have a basic understanding of how web appls work, and how to attack
them this should give you a starting point. As for the completeness of
scannings I can't say. I myself is in the process of evaluating.

Johan M?ller

On Sat, Jun 6, 2009 at 8:55 PM, <infolookup at gmail.com> wrote:

Hello All:

I am task with doing a basic web app pentest of a server that we are about
to given external users access too.


I work for a university no security department, no budget to hire a

We are about to put one of our training servers on our DMZ this way Faculty
and Staff members can access it from home for  Microsoft and other
application video tutorials.

Since my boss is aware that I am interested in infosec I was given the
green light to test the app/server and report back anything that can aid in
locking it down.


Since there are so much tools and ways to go about this I would like to
know how do others go about a web app pentest, don't have to give away any
trade secrets  :)-.

I am just looking for an efficient way to go about this!


OS: Windows 2003 running in a VMware, ESX 3.5.

Application:  Training package, with a bundled windows version of a LAMP

Acess Method: http.

Thanks in advance.
Sent from my Verizon Wireless BlackBerry
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
Main Web Site: http://pauldotcom.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20090608/b8eecf4f/attachment.htm 

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]