Re: OWASP Top 10 penetration testing software? Mar 05 2012 11:17AM
psiinon (psiinon gmail com) (1 replies)
Hi Zaki,

In this case I was referring to automated scanners, which won't detect
everything :)

Yes, penetration testing can find things like insecure cryptographic storage.
However, to be sure you really need to have access to the servers (esp.
databases) and the source code.

Cheers,

Simon

(Resent without formatting;)

On Mon, Mar 5, 2012 at 11:00 AM, Zaki Akhmad <zakiakhmad (at) gmail (dot) com [email concealed]> wrote:
>
> On Wed, Feb 29, 2012 at 3:44 AM, psiinon <psiinon (at) gmail (dot) com [email concealed]> wrote:
>
> > Hi,
> >
> > You should be careful with scanners that claim to test "the OWASP Top Ten".
> > For example, "Insecure Cryptographic Storage" is one of the OWASP Top
> > Ten but this is typically only detectable server side, so no web app
> > scanner will find it :)
>
> So Simon, a penetration testing won't cover all?
>
> The simplest test case for this insecure cryptographic storage is by
> requesting a forgot password. If the web application sends your
> password in clear text, then you found the issue.
>
> --
> Zaki Akhmad
> OWASP Indonesia

--
OWASP ZAP: Toolsmith Tool of the Year 2011
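The point Simon makes above is that whether passwords are stored securely is a property of the database and the code, not of anything a black-box web scanner can observe. The following is an added example (not code from the thread, OWASP ZAP or any product) of the kind of server-side check an auditor with database access would run: it classifies dumped credential values by storage format and flags the ones a forgot-password feature could hand back in clear text. The `pbkdf2_sha256$...` record layout and the sample rows are assumptions constructed for this example; the MD5 and SHA-1 values are the well-known digests of the string "password".

```python
import hashlib
import hmac
import os
import re
from typing import List, Optional, Tuple

# Constructed sample rows shaped like a dump of a users table.
# No real users; every value is fabricated for this example.
SAMPLE_ROWS: List[Tuple[str, str]] = [
    ("alice", "Summer2012!"),                               # plaintext password
    ("bob", "5f4dcc3b5aa765d61d8327deb882cf99"),            # unsalted MD5 of "password"
    ("carol", "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8"),  # unsalted SHA-1 of "password"
    ("dave", "$2b$12$" + "x" * 53),                          # bcrypt-shaped (fabricated body)
]

PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store a password as salted, iterated PBKDF2-HMAC-SHA256.

    Record layout used by this example (an assumption, not any product's):
    pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Check a candidate against a stored record; the plaintext is never recoverable."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(digest.hex(), digest_hex)


def classify_storage(value: str) -> str:
    """Heuristic classification of one stored credential value.

    A bare hex digest of a standard digest length is treated as an unsalted
    hash; anything that matches no known format is assumed to be plaintext.
    """
    if value.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt"
    if value.startswith("pbkdf2_sha256$"):
        return "pbkdf2_sha256"
    if re.fullmatch(r"[0-9a-f]{32}", value):
        return "unsalted-md5"
    if re.fullmatch(r"[0-9a-f]{40}", value):
        return "unsalted-sha1"
    if re.fullmatch(r"[0-9a-f]{64}", value):
        return "unsalted-sha256"
    return "plaintext"


# Formats an auditor would report as insecure cryptographic storage.
INSECURE_FORMATS = {"plaintext", "unsalted-md5", "unsalted-sha1", "unsalted-sha256"}


def audit_rows(rows: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (username, storage format) for every row stored insecurely."""
    return [(user, classify_storage(value))
            for user, value in rows
            if classify_storage(value) in INSECURE_FORMATS]


if __name__ == "__main__":
    for user, kind in audit_rows(SAMPLE_ROWS):
        print(f"{user}: {kind}")
    record = hash_password("correct horse battery staple")
    print(classify_storage(record), verify_password("correct horse battery staple", record))
```

The classifier is deliberately conservative: a value it cannot recognise is reported as plaintext so that a human reviews it, and a bcrypt-shaped prefix is taken at face value because confirming it requires the source code, which is exactly the access Simon says is needed.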

