Web App Audit in 3 easy steps - powered by SANS
SANS released a paper on Web Applications Audit. It's more of a guide to a low-hanging-fruit website assessment, but it is still a good resource. The paper begins with setting up, adjusting and configuring the tool arsenal, and then walks the reader through implementation and conclusions. As simple as the SANS workflow may seem, there are numerous websites that won't pass this security test.
These tests will only find obvious problems and are less likely to find more complex issues. We totally neglect some common problems like response-splitting or secondary SQL injection issues, and we spent little time on actually exploiting these problems. See this 1-hour audit as a due diligence test that should be done periodically.
However, what I find intriguing is that there are no web application scanners listed. And I appreciate this. Well... they could have listed WebInspect. Did I say I love this tool? * I'm not affiliated with SPI Dynamics in any way, I just hope that mentioning the tool quite often will get me a personal license - Hint! Hint!
This entry was posted on Thursday, March 22nd, 2007 and is filed under Penetration Testing, Framework, Web Applications.