Home page logo

pen-test logo Penetration Testing mailing list archives

Re: Web Application Tester
From: Anders Thulin <Anders.Thulin () tietoenator com>
Date: Wed, 15 Sep 2004 09:09:56 +0200

Andrew Bagrin wrote:

Does anyone know of an application tester similar to AppDetective
thats not as hard on the pocket book?
I need to pentest a web app and am looking for some tools

  Haven't tried AppDetective for Web Applications myself, so I'm
not sure of just what capabilities you're looking for. Nothing
magic I hope. Take a look at:

  * Nikto (http://www.cirt.net/code/nikto.shtml)
    Useful for single-shot exercies, less useful for mass deployment.
    Looks mainly at the server and the server set-up, not the web-site

  * Xenu's Link Sleuth (http://home.snafu.de/tilman/xenulink.html)
    Intended for finding broken links, but also helps enumerate all
    reachable pages on a site, given a starting point (and in some
    cases an account/password).

  * wget (http://www.gnu.org/software/wget/wget.html)
    Freeware -- typically part of free Unixes, including Cygwin
    Useful for getting a 'copy' of the web site: search for keywords,
    comments, etc.

  A SSL-proxy is sometimes useful, as is some kind of brute-force
login tool (THC-Hydra is well known - http://thc.org/)

  And, in general, the book Scambray & Shema: 'Hacking Exposed:
Web Applications' is one of the best places to start preparing for
this kind of exercise.

Anders Thulin   anders.thulin () tietoenator com   040-661 50 63        
TietoEnator Telecom & Media AB, Box 85, SE-201 20 Malmö

Ethical Hacking at the InfoSec Institute. All of our class sizes are
guaranteed to be 12 students or less to facilitate one-on-one interaction
with one of our expert instructors. Check out our Advanced Hacking course,
learn to write exploits and attack security infrastructure. Attend a course
taught by an expert instructor with years of in-the-field pen testing
experience in our state of the art hacking lab. Master the skills of an
Ethical Hacker to better assess the security of your organization.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]