Why not get a proper cert for around $40 instead of teaching your users that it's OK to accept self-signed certs, making them more prone to a phishing or MITM attack?
On Mon, Jun 8, 2009 at 7:30 AM, <[email protected]> wrote:
> Thanks for the feedback so far. Anyone else want to state what testing
> framework or tools they are using, preferably open source?
>
> Once I am finished with the initial testing my next steps will be to lock it down and
> configure some sort of self-signed cert for Apache to use SSL instead of the
> native HTTP for starters.
>
> Sent from my Verizon Wireless BlackBerry
>
> ------------------------------
> *From*: Johan Peder Møller
> *Date*: Mon, 8 Jun 2009 15:53:49 +0200
> *To*: <[email protected]>; PaulDotCom Security Weekly Mailing List <[email protected]>
> *Subject*: Re: [Pauldotcom] Steps taken During a Web App Pentest
>
> Hi
>
> Given your "no budget" constraint, I'd go with something like OWASP Live CD
> (http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project).
>
> If you have a basic understanding of how web apps work, and how to attack
> them, this should give you a starting point. As for the completeness of
> the scanning I can't say. I myself am in the process of evaluating.
>
> rgds
> Johan Møller
>
>
> On Sat, Jun 6, 2009 at 8:55 PM, <[email protected]> wrote:
>
>> Hello All:
>>
>> I am tasked with doing a basic web app pentest of a server that we are about
>> to give external users access to.
>>
>> Background:
>>
>> I work for a university: no security department, no budget to hire an
>> auditor.
>>
>> We are about to put one of our training servers on our DMZ; this way
>> Faculty and Staff members can access it from home for Microsoft and other
>> application video tutorials.
>>
>> Since my boss is aware that I am interested in infosec I was given the
>> green light to test the app/server and report back anything that can aid in
>> locking it down.
>>
>> Question:
>>
>> Since there are so many tools and ways to go about this I would like to
>> know how others go about a web app pentest; you don't have to give away any
>> trade secrets :)-.
>>
>> I am just looking for an efficient way to go about this!
>>
>> Specs:
>>
>> OS: Windows 2003 running in VMware ESX 3.5.
>>
>> Application: Training package, with a bundled Windows version of a LAMP
>> setup.
>>
>> Access Method: http.
>>
>> Thanks in advance.
>> Sent from my Verizon Wireless BlackBerry
>> _______________________________________________
>> Pauldotcom mailing list
>> [email protected]
>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>> Main Web Site: http://pauldotcom.com
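As an added example (not from the thread or any of its authors), the openssl script below shows the point made at the top of this message: once users are taught to accept a self-signed certificate, they have no way to tell the server's own certificate from an impostor's for the same host name, whereas a certificate chained to an anchor the clients already trust (a public CA, or a private CA the university distributes) verifies only when genuine. It assumes the openssl CLI is installed; the host name and file names are made up.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the openssl CLI is installed.
# The host name and file names are made up for the demonstration.
set -e
WORK="${WORK:-$(mktemp -d)}"
HOST="training.example.edu"

# The server's own self-signed certificate (what the thread proposes).
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$HOST" \
    -keyout "$WORK/self.key" -out "$WORK/self.pem" 2>/dev/null
}

# A second self-signed certificate for the same name, as a man-in-the-middle
# would present: a user who clicks through warnings cannot tell it apart.
make_impostor() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$HOST" \
    -keyout "$WORK/evil.key" -out "$WORK/evil.pem" 2>/dev/null
}

# A certificate issued by a CA the clients trust: a private university CA
# here; a public CA is the same idea with the anchor already in the browsers.
make_ca_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example University Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -out "$WORK/srv.pem" 2>/dev/null
}

# verify_against ANCHOR CERT: prints "ok" if CERT chains to ANCHOR, else "fail".
verify_against() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

make_self_signed; make_impostor; make_ca_signed

# With a trust anchor the clients hold, only the genuine cert verifies.
echo "CA-signed cert vs university CA:     $(verify_against "$WORK/ca.pem" "$WORK/srv.pem")"
echo "self-signed cert vs university CA:   $(verify_against "$WORK/ca.pem" "$WORK/self.pem")"
# Pinning the exact self-signed cert also rejects the impostor, but that pin has
# to be pushed to every client; "accept the warning" is no pin at all.
echo "impostor vs pinned self-signed cert: $(verify_against "$WORK/self.pem" "$WORK/evil.pem")"
echo "self-signed cert vs its own pin:     $(verify_against "$WORK/self.pem" "$WORK/self.pem")"
```

The two "fail" lines are the defender's takeaway: without a distributed trust anchor or an explicit pin, a client has nothing to reject the impostor with, so the warning the user learns to click past is the only control.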
