RE: Application & Iplanet/Apache web server vulnerability and pen etration testing

From: Cox, Michael (mscox@ti.com)
Date: Tue Sep 17 2002 - 09:33:58 EDT


2) The NIST has a doc here http://csrc.nist.gov/publications/drafts.html
called "Special Publication 800-44, Guidelines on Securing Public Web
Servers." The NSA has guides on iPlanet and Apache here
http://nsa1.www.conxion.com/support/download.htm.

3) There's a guide due out in October from these good people
http://www.owasp.org/. There are a couple of recent books that look good,
but I've just received them so I can't comment in detail - _Hacking Web
Applications Exposed_ and _Web Hacking: Attacks and Defense_.

Regards,
Michael

> -----Original Message-----
> From: Steven Walker [mailto:swalker7799@yahoo.com]
> Sent: Monday, September 16, 2002 12:05 PM
> To: Pen-Test Security Focus
> Subject: Application & Iplanet/Apache web server vulnerability and
> penetration testing
> Importance: High
>
>
> Dear Group,
>
> I have been given a project to perform web application
> vulnerability testing
> on iPlanet and Apache web servers. The servers run on
> NT/2000, Solaris
> 2.7-8, (iPlanet) and Linux, Solaris (Apache).
>
> In house tools are Wisker, WHArenal, NMAP, NESSUS. I have
> only used NMAP
> and NESSUS so far for firewall and internal network testing.
>
> I am at a loss at where to start the process and am trying to
> determine if
> additional tools are needed.
>
> 1. I would obviously harden the web server OS's by closing unnecessary
> ports, ensuring proper patch levels, getting rid of rhost and
> equiv files,
> enforcing password policies, limiting accounts, use ssh for
> administration,
> etc.
>
> 2. I don't know what to do on the web servers other than
> delete example
> scripts and ensure default passwords are changed to stronger
> ones. Are
> there any links that you know of that would provide a
> checklist of iPlanet
> and Apache vulnerability checks. Are there any recommended
> tools that can
> automate this process? Any suggestions on iPlanet and Apache
> security?
>
> 3. Regarding web applications, I will be expected to test applications
> before they go into production. I know to test for buffer
> overflows buy
> inputting non expected characters into fields. Beyond that
> what advice
> could you give or methodology could you direct me too. Jobs
> are tough to
> find out there, I could use your help in keeping this one.
> Thanks for all
> of you who will help me.
>
> Sincerely
>
> Steven M. Walker CISSP, GSEC, ABCP
> Security Specialist
> 44 W. Douglas Dr.
> Saint Peters, MO 63376
> Office: 636.279.2206
> Home: 636.278.8004
>
>
>
>
> --------------------------------------------------------------
> --------------
> This list is provided by the SecurityFocus Security
> Intelligence Alert (SIA)
> Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security
> vulnerabilities please see:
> https://alerts.securityfocus.com/
>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:25 EDT