
Thread: Web application pentesting strategy

  1. #1
    Just burned his ISO
    Join Date: Jan 2012

    Web application pentesting strategy

    Hi everyone,
    I would like to know what strategy you use to pentest web applications. I usually do:

    - wafw00f to reveal the firewall
    - dnsmap & gxfr to detect subnets
    - theHarvester to find mail addresses and so use social engineering (-> SET) (and other subnets missed before)
    - (ua-tester to check for different answers from different browsers, but I don't understand if it can really be helpful...)

    - nikto to find vulnerabilities or bad configurations
    - fimap for local and remote file inclusion bugs in web apps
    - asp-auditor for .aspx pages
    - xsser for XSS injection
    - DirBuster when I'm desperate

    Then to maintain access I could use web backdoors...
    I love SET and nikto; I use the other tools to support them...
    This strategy doesn't work very well, probably because of me. Have you got any suggestions? What do you usually do to pentest web apps?
    Thanks a lot for your answers ^^

    P.S. Sorry for my bad English.

  2. #2
    Good friend of the forums, scottm99
    Join Date: Feb 2010

    Re: Web application pentesting strategy

    Well, my thought is technique over tool. Sure, having the right tools is a big help, but more important is how you approach the test. Do you have a methodical way to go about it? Do you vary your methods based on feedback you get when testing? Do you repeat your tests to confirm the vulnerabilities you found? There are lots more questions that I haven't put here... this is what I came up with right away.

    That's not really an answer to your question... what you're asking is very open-ended and subjective. You might have a look at for further ideas. Many of the authors are well known in the security field.
    If I could figure out how to scuba dive & hack at the same time, there would be nothing I couldn't do...

  3. #3
    Just burned his ISO
    Join Date: Jan 2012

    Re: Web application pentesting strategy

    I would like to know techniques over tools, your experiences and opinions on how to make a successful pentest of a web app.
    I have already read that site but I didn't understand everything. I have read a lot about theory but now I'm trying practice, and I'm not very good on this side :S
    Thanks for your answers.
