Since you mentioned Nessus.... :) There are several settings that can help Nessus provide better results with respect to scanning web servers and applications. See my OWASP presentation for more [1].

Also, we just released (like yesterday afternoon) some new functionality into Nessus with respect to web app scanning. So, let me know if you notice anything (false positives) or other strangeness. I will be following up with a blog post that will summarize some of the improvements, but specifically check out the new advanced option "HTTP Audit Settings".

Cheers,
Paul

[1] http://tenablesecurity.com/whitepapers/OWASP-05-2009-NessusWebAppTesting.pdf

[email protected] wrote:
> @ Irongeek it's "password" :), Paul thanks for your input. Going to
> look over the OWASP v3 testing guide to get a feel of some of the
> things mentioned. If I can convince my boss to purchase a pro feed of
> Nessus I will have follow-up questions!
>
>
> Sent from my Verizon Wireless BlackBerry
>
> -----Original Message-----
> From: Adrian Crenshaw <[email protected]>
> Date: Mon, 8 Jun 2009 11:57:05
> To: PaulDotCom Security Weekly Mailing List <[email protected]>
> Subject: Re: [Pauldotcom] Steps taken During a Web App Pentest
>
>
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com

--
Paul Asadoorian
PaulDotCom Enterprises
Web: http://pauldotcom.com
Phone: 401.829.9552
