potentially in conjunction with tools like the OWASP Ajax Crawling
Tool (ACT).
I've documented a simple way of using ZAP for security regression
tests here: http://code.google.com/p/bodgeit/wiki/RegTests
ZAP has a command line API and daemon mode so that it can be run and
controlled without a UI - I added those features specifically for this
purpose :)
However, in the above case it's using a tool like Selenium and the ZAP spider.
ACT would probably be a better option than the ZAP spider for you.
This _is_ a bit bleeding edge, but it's something that I want to
improve and make really robust, so feel free to get in touch with me
directly and I'll help where I can.
Note that we're planning on making it easier to use ZAP and ACT together :)
Cheers,
Psiinon (ZAP Project Lead)
On Tue, Feb 7, 2012 at 3:07 PM, Joel Espunya <joel.espunya (at) appstylus (dot) com> wrote:
>
> I want to cron it since I'm developing using the Scrum methodology and I want to set up a system that every 4 weeks (the end of my iterations) check if I miss something that would be a security problem.
>
> And related to your ideas, I was thinking about developing something similar to what you said.
>
> But if I do it it's easy to miss some attacks and give false negatives. So what I thought was to create a crawler that takes the ajax requests and gives them to a scanner, like for example nikto or wapiti. Since the problem is getting the requests, then, when I have them, it is the same as attacking a normal GET/POST request.
>
>
> On 07/02/12 14:47, Carlos Pantelides wrote:
>>
>>
>> Joel:
>>
>>> I'm getting crazy to find a vulnerability scanner that evaluates the
>>
>> security of a website done with Ajax. I need it to have an API or a
>> console mode so I would be able to integrate it into a cron.
>>
>>> Any ideas?
>>
>> Only ideas
>>
>> Why do you want to cron it? I would run the tests whenever there is a new test or a change to the application.
>>
>>
>> Divide and conquer. You have something like a rich client and an API, right?
>>
>> First the api: make your tests with your favorite language/technology (I like wget/curl with some grep magic and shunit), first the positive cases then the negative ones: try to trespass the workflow of calls, bypass the authentication and authorization scheme, inject html, javascript or sql, overflows
>>
>> For the "rich client" perhaps you will have to repeat, reuse or extend some tests, like the xss.
>>
>> Use the owasp top ten for both.
>>
>> I know that I am not answering your question, but hope it helps you
>>
>>
>>
>> Carlos Pantelides
>> -----------------
>> http://seguridad-agile.blogspot.com/
>> ------------------------------------------------------------------------
>> Securing Apache Web Server with thawte Digital Certificate
>> In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
>>
>> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
>> ------------------------------------------------------------------------
>>
>
>
>
--
OWASP ZAP: Toolsmith Tool of the Year 2011
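As an added example (not code from the thread or from the ZAP project), this is what Carlos's "positive cases first, then the negative ones" regression checks look like when scripted in Python. The API stand-in `call`, the session tokens and the order data are constructed so the suite runs offline; in a cron or CI job `call` would be replaced by an HTTP client aimed at the deployed application.

```python
# Added example: security regression checks for an Ajax/JSON API covering the
# negative cases named in the thread (authn/authz bypass, workflow trespass,
# HTML/JS injection). `call` is a constructed in-process stand-in for the real
# endpoints; swap it for an HTTP client to run against a deployed application.
import html

USERS = {"tok-alice": "alice", "tok-bob": "bob"}            # constructed sessions
ORDERS = {"1": {"owner": "alice", "state": "cart"},           # constructed data
          "2": {"owner": "bob", "state": "cart"}}

def call(method, path, token=None, body=None):
    """Stand-in for the application's Ajax endpoints; returns (status, json)."""
    user = USERS.get(token)
    if user is None:
        return 401, {"error": "login required"}
    parts = path.strip("/").split("/")
    if parts[:1] == ["orders"] and len(parts) == 3:
        order = ORDERS.get(parts[1])
        if order is None or order["owner"] != user:
            return 404, {"error": "no such order"}    # same reply: no enumeration
        if parts[2] == "pay" and method == "POST":
            if order["state"] != "checked_out":       # enforce the call sequence
                return 409, {"error": "checkout first"}
            order["state"] = "paid"
            return 200, {"state": "paid"}
        if parts[2] == "note" and method == "POST":
            order["note"] = html.escape((body or {}).get("note", ""))
            return 200, {"note": order["note"]}
    return 404, {"error": "not found"}

def run_regression():
    """Return {check_name: passed}; the cron job fails the build on any False."""
    r = {}
    # positive case: the owner can use her own order
    r["owner_can_post_note"] = call("POST", "/orders/1/note", "tok-alice", {"note": "gift"})[0] == 200
    # negative: a request with no session must be rejected everywhere
    r["anon_rejected"] = call("GET", "/orders/1/note")[0] == 401
    # negative: bob acting on alice's order (authorization bypass)
    r["cross_user_blocked"] = call("POST", "/orders/1/pay", "tok-bob")[0] == 404
    # negative: paying without checking out first (workflow trespass)
    r["workflow_enforced"] = call("POST", "/orders/2/pay", "tok-bob")[0] == 409
    # negative: injected script must come back output-encoded
    st, resp = call("POST", "/orders/2/note", "tok-bob", {"note": "<script>x</script>"})
    r["xss_encoded"] = st == 200 and "<script>" not in resp["note"]
    return r

if __name__ == "__main__":
    for name, ok in run_regression().items():
        print(f"{'PASS' if ok else 'FAIL'} {name}")
```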