Home page logo

pen-test logo Penetration Testing mailing list archives

RE: Looking for help against Chinese Hacking Team
From: "Alex Eden" <Alex.Eden () senet-int com>
Date: Tue, 16 Dec 2008 11:22:43 -0500

Yes, consider porting, we won't debate linux vs win here, but linux is
securer and easier to adapt, you know.

It's a web application... So, it would not really matter what it runs on. 

We all have seen web applications hosted on linux that have XSS, SQL
Injection, and all the rest?

I personally prefer UNIX (OpenBSD and Solaris) over any type of Windows, but
in case of a web application you are barking at a wrong tree.

Going through the web server logs would also be of little benefit.

Do you have a middleware server? Where is the business logic of this
application implemented? 

Start off with these two:

1. Enable debugging/tracing of queries (or whatever your database supports)
in your database and monitor them
2. Identify scripts or executables in your application that have forms or
user input fields (search field, login field, etc). Then identify ones that
are the most likely culprits. Then modify their source code by adding
debugging/tracing of the variables that are mostly likely to be overloaded.

Web application assessment in the United States takes anywhere from 80 hours
to 5000 hours depending on its size and complexity. Multiply it by $120 per
hour (it is not an average rate since high-end rates go up to $600 an hour).

If using WebInspect or AppScan, keep in mind that fully automated scan may
yield no meaningful results - you need to do manual step-thru scan and audit
to get at least some good results.

This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]