I want to cron it since I'm developing using the Scrum methodology and I
want to set up a system that every 4 weeks (the end of my iterations)
checks if I missed something that would be a security problem.
And related to your ideas, I was thinking about developing something
similar to what you said.
But if I do it, it's easy to miss some attacks and give false negatives.
So what I thought was to create a crawler that takes the Ajax requests and
gives them to a scanner, like for example nikto or wapiti. Since the
problem is getting the requests, then, when I have them, it is the same as
attacking a normal GET/POST request.
On 07/02/12 14:47, Carlos Pantelides wrote:
>
> Joel:
>
>> I'm getting crazy to find a vulnerability scanner that evaluates the
>> security of a website done with Ajax. I need it to have an API or a
>> console mode so I would be able to integrate it into a cron.
>
>> Any ideas?
> Only ideas
>
> Why do you want to cron it? I would run the tests whenever there is a new test or a change to the application.
>
>
> Divide and conquer. You have something like a rich client and an API, right?
>
> First the api: make your tests with your favorite language/technology (I like wget/curl with some grep magic and shunit), first the positive cases then the negative ones: try to trespass the workflow of calls, bypass the authentication and authorization scheme, inject html, javascript or sql, overflows
>
> For the "rich client" perhaps you will have to repeat, reuse or extend some tests, like the xss.
>
> Use the owasp top ten for both.
>
> I know that I am not answering your question, but hope it helps you
>
>
>
> Carlos Pantelides
> -----------------
> http://seguridad-agile.blogspot.com/
>
> ------------------------------------------------------------------------
> Securing Apache Web Server with thawte Digital Certificate
> In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
>
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
> ------------------------------------------------------------------------
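Carlos's approach (positive case first, then the negative ones) and Joel's idea of replaying captured Ajax requests can be combined in a small harness. This is an added example, not code from either poster: it assumes a crawler has already recorded the XHR requests (the `CAPTURED` list and the `fake_api` server below are constructed stand-ins), and from each captured request it derives the missing-session and other-user's-session checks; the workflow-order checks Carlos mentions would need server state and are not shown.

```python
from dataclasses import dataclass, field, replace

@dataclass
class Req:
    """One HTTP request as a crawler would record it from the browser's XHR traffic."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)

# Constructed sample: two Ajax calls captured from a logged-in session of user "alice".
CAPTURED = [
    Req("GET", "/api/orders/42", {"Cookie": "session=alice"}),
    Req("POST", "/api/orders/42/pay", {"Cookie": "session=alice"}),
]

def negative_cases(req):
    """Derive the authn/authz checks from one captured request: drop the session, swap the user."""
    no_auth = replace(req, headers={k: v for k, v in req.headers.items() if k != "Cookie"})
    other_user = replace(req, headers={**req.headers, "Cookie": "session=mallory"})
    return [("no session", no_auth, {401, 403}),
            ("other user's session", other_user, {403, 404})]

def run(send, captured=CAPTURED):
    """Replay each request as captured (positive case), then its negative cases; return findings."""
    findings = []
    for req in captured:
        status = send(req)
        if status >= 400:  # if the positive case fails, the negatives prove nothing
            findings.append(f"positive case failed: {req.method} {req.path} -> {status}")
            continue
        for label, mutated, expected in negative_cases(req):
            status = send(mutated)
            if status not in expected:
                findings.append(f"{label}: {mutated.method} {mutated.path} -> {status}, "
                                f"expected one of {sorted(expected)}")
    return findings

# Constructed in-memory stand-in for the real API (returns only a status code). Order 42
# belongs to alice; the pay endpoint checks the session but not ownership, the kind of
# gap the harness should flag.
OWNERS = {"42": "alice"}
def fake_api(req):
    user = req.headers.get("Cookie", "").removeprefix("session=") or None
    if user is None:
        return 401
    order_id = req.path.split("/")[3]
    if req.method == "GET" and OWNERS.get(order_id) != user:
        return 403
    return 200

if __name__ == "__main__":
    print("\n".join(run(fake_api)) or "no findings")
```

Swap `fake_api` for a function that sends the request with curl or `http.client` to the staging server, and the same harness runs from cron.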