[WEB SECURITY] Resources for testing hosted/ASP sites

Evans, Arian Arian.Evans at fishnetsecurity.com
Fri Aug 25 11:46:13 EDT 2006


http://www.owasp.net

http://msdn.microsoft.com

Also Google for and look at MasterBugs. IIRC it's all ASP Classic,
though not so much related to shared/hosted environments.

For ASP.NET, see the above two links.
 
Arian J. Evans

> -----Original Message-----
> From: Joshua Jabs [mailto:JJabs at rothcp.com] 
> Sent: Friday, August 25, 2006 8:51 AM
> To: websecurity at webappsec.org
> Subject: [WEB SECURITY] Resources for testing hosted/ASP sites
> 
> Anyone know of a good resource/research for looking at 
> webappsec issues common in a co-hosted or outsourced environment?
> 
> Thank you,
> Josh
>  
> Roth Capital Partners, LLC 
>  
>  
> 
> -----Original Message-----
> From: P. J. W. Hoogerheide [mailto:ph at hotex.nl] On Behalf Of 
> Enis Karaarslan
> Sent: Thursday, August 24, 2006 7:47 AM
> To: 'Jeff Robertson'
> Cc: enis.karaarslan at ege.edu.tr; 'Evans, Arian'; rwp at gmx.de; 
> websecurity at webappsec.org; webappsec at securityfocus.com
> Subject: RE: [WEB SECURITY] RE: Environment for testing WebApp Security Scanners
> 
> Well, the phrase is from its "collector". The applications are samples of
> blog, bulletin board, ...etc. Of course they shouldn't be used as they are
> in "real life" implementations. It can happen that a patch isn't timely
> published. Also in enterprise networks, it's sometimes possible that a web
> server is managed by some other administrator and not updated timely.
> 
> For a security lab, no patches should be applied.
> Well, in a lab environment, I keep them as they are.
> 
> They can be put in a honeypot also to see what happens :)
> 
> Enis
> 
> >
> > "Real-life" programs meaning applications intended for actual use, not
> > just for security benchmarking? Wouldn't you want to fix the vulns you
> > find in those, thereby ruining their value as benchmarks?
> >
> > -----Original Message-----
> > From: Enis Karaarslan [mailto:enis.karaarslan at ege.edu.tr]
> > Sent: Thu 8/24/2006 3:08 AM
> > To: Evans, Arian; rwp at gmx.de
> > Cc: websecurity at webappsec.org; webappsec at securityfocus.com
> > Subject: Re: [WEB SECURITY] RE: Environment for testing WebApp Security Scanners
> >
> > Hello all,
> >
> > I am currently working on web/web application security issues in
> > enterprise networks as an academic study. I think the fundamental problem
> > (especially in campus networks) is that there is usually no
> > "network awareness". In enterprise networks, hundreds of different web
> > servers and different web applications can be present, where usually
> > nobody knows detailed info about the web servers and applications
> > running on them.
> >
> > Maybe most of you know, for a security testing environment there is
> > Stanford Securibench, which is a set of open source real-life programs
> > to be used as a testing ground for static and dynamic security tools.
> > Release .91a focuses on Web-based applications written in Java.
> > http://suif.stanford.edu/~livshits/securibench/
> >
> > There are many web/web application security scanners. If anyone is
> > interested in this subject, and also in joint work, s/he is always welcome.
> >
> > Enis Karaarslan
> > Ege University
> >
> >> I added the WASC list, since many folks there are sensitive
> >> to this same subject.
> >>
> >>> -----Original Message-----
> >>> From: René Palige [mailto:rwp at gmx.de]
> >>>
> >>> I'm currently working on my bachelor thesis which is about
> >>> the development of a testsuite for different Web Application
> >>> Security Scanners. My goal is to provide an environment
> >>
> >> This, I discovered, was very challenging. When I post the OWASP
> >> Tools v3, one section of it is going to be about my trials and
> >> tribulations, mistakes, misfires and general stupidity in trying
> >> to scientifically, systematically evaluate tools, which culminated
> >> in the HEWA2 book.
> >>
> >> No one has done a good job at this, most reviews are just plain
> >> crap (sorry, everyone, it's the truth; if there's a good review
> >> to defend please step up to the plate).
> >>
> >> I have been holding off releasing v3 (which is a narrative doc)
> >> until I can put it out for peer review before making a final,
> >> hard, PDF. (should I just post to the list and let everyone chime
> >> in?...I'm afraid to do this b/c some of it is _not_nice_) I hope
> >> someone will wikify the end product.
> >>
> >>> I'm planning to use OWASP's WebGoat as some kind of groundwork.
> >>
> >> Not bad, but you will need more. Unless your thesis is "how
> >> effectively do webappscanner vendors code to detect issues
> >> in WebGoat?"
> >>
> >>>Would it be best to focus on "real-life scenarios"?
> >>
> >> That's what I fell upon. It's a bit more realistic.
> >>
> >> You get no tautology from the scanner vendors. You get real
> >> use-case scenarios, and a story to tell.
> >>
> >>> Or rather to cover as many
> >>> aspects of a special class of vulnerabilities as possible?
> >>
> >> This, also, I tackled, and have an evolving-complexity XSS
> >> generator; I have a couple of types now and continue to add
> >> more as time permits, and it is used specifically to generate
> >> XSS-vuln pages of varying filter/encoding complexity.
> >>
> >> It really should be in SiteGenerator (owasp.net) but it helps
> >> me make sure I'm not misunderstanding something to force myself
> >> to write complicated mistakes out by hand. :)
> >>
> >> Maybe I'll just rip the scanner eval story and post just that.
> >>
> >> Very cool, we need some smart grad work here.
> >>
> >> Arian J. Evans
> >>
> >>
> >>
> >> --------------------------------------------------------------------------
> >> The Web Security Mailing List:
> >> http://www.webappsec.org/lists/websecurity/
> >>
> >> The Web Security Mailing List Archives:
> >> http://www.webappsec.org/lists/websecurity/archive/
> >> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
> >>
> >>
> >
> >
> >
> >
> >
> 
> 
> 
> 