Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



WebApp Sec: Re: Web Pen Test Honeypot

Re: Web Pen Test Honeypot

From: James Landis <jcl24_at_cornell.edu>
Date: Fri, 11 Jul 2008 08:56:10 -0700

Most security tools are tuned to find issues in commonly-known sites
like Webgoat and the vendor test sites. Hence, that might not be your
best target for evaluation. You could try the OWASP SiteGenerator
project for alternate data.

If you're evaluating run-time testing tools for just one site or a set
of sites that you or your company maintain, you can't do any better
than testing the tools against your own code since that's what you'll
be doing long-term, anyway. If you're concerned that the tools aren't
finding anything and you're getting a lot of false negatives, get the
vendors involved in the configuration + crawl phase or find an expert
in the open-source tool you're evaluating and hire them for some
consulting hours.

-j

On Tue, Jul 8, 2008 at 2:39 PM, John Evans <admin_at_kilnar.com> wrote:
> Greetings,
>
> I am in the middle of evaluating the wide variety of web security
> pen-test tools that exist. I'm currently pointing each piece of software
> to a site that I have written. None of the tools are finding issues.
>
> My task right now is to find the right tool for the job, and the job is
> finding web-based security issues. Either the tools are not working, or
> my site is secure. I'm not willing to put money on which of the two is
> true. :)
>
> What I need is a web application that has known security issues. I would
> prefer one that was intentionally written to have scanners pointed to it
> for testing the scanners.
>
> Does such a thing exist? I hope so, because I hardly have time right now
> to write even the simplest web application that has all of the various
> holes that I need to test for.
>
> If someone could point me to a "web honeypot" that I could install in my
> own environment I would appreciate it.
>
> Thanks.
>
>
> --
> John Evans
> Administrator of kilnar.com
>
> -------------------------------------------------------------------------
> Sponsored by: Watchfire Methodologies & Tools for Web Application Security
> Assessment With the rapid rise in the number and types of security threats,
> web application security assessments should be considered a crucial phase in
> the development of any web application. What methodology should be followed?
> What tools can accelerate the assessment process? Download this Whitepaper
> today!
> https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
> -------------------------------------------------------------------------
>
>

-------------------------------------------------------------------------
Sponsored by: Watchfire
Methodologies & Tools for Web Application Security Assessment
With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------
Received on Jul 11 2008

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos