Important Note - Interest is terrible thing to waste. Where are you?

\/ w4rri0r \/Hacking is not a crime - It's an art of Awareness. \/ w4rri0r mission \/ is to make the information systems more secure, more aware, more reliable and protect against possible security breaches.

\/ w4rri0r \/ internationally recognized as a Security Researcher or White-Hat Hacker and Hall of Fame by Google, Microsoft, Yahoo, AppleRedHat, AT&T, Adobe, PayPal, Yandex, eBay, Deutsche TelekomBarracuda Networks, Nokia Siemens Network, Tuenti, Opera, BlackBerry, Nokia, SpotifyZynga, Netflix, iFixit, Basecamp, SoundCloudConstant Contact, Xmarks, LaunchKey, Zendesk and we are currently building \/ w4rri0r group \/ and inviting to join worldwide Security Researchers and Professionals. If you think you can contribute anything for \/ w4rri0r group \/ you are heartily invited and we'll give credit for your contribution and is greatly appreciated. [Launching soon]

If you have any questions, ideas, suggestions or contributions please do not hesitate to contact @ This email address is being protected from spambots. You need JavaScript enabled to view it. and will respond you within 24 hours.

Open Panel
  • Register

HP WebInspect - Application Security Testing

logo-hp-WebInspectHP WebInspect gives security professionals and security novices alike the power and knowledge to quickly identify and validate critical, high-risk security vulnerabilities in applications running in development, QA, or production. HP WebInspect gives you the power to:

  • Increase modern Web technology coverage
  • Accelerate security through more actionable information
  • Elevate security knowledge across the business
  • Comply with legal, regulatory, and architectural requirements
  • Leverage automation to do more with less

Build an enterprise-wide application security programWith the exponential increase in internet usage, companies around the world are now obsessed about having a web application of their own which would provide all the functionalities to their users with a single click. In this quest for providing the customers with single click solutions, all the sensitive data is shifted on to a server which is then accessed by a web application. In most of the scenarios, web applications have direct access to the backend database and thus control valuable data. With a simple well crafted malicious payload a hacker can now get all the information from database. So it’s crucial that the web applications need to be secure enough to handle the attacks.

Securing Web applications:

It’s now apparent that securing web applications is essential for the companies to be in business. The real question is how it can be achieved. Below are some of the checks that are in place to ensure that security holes in the web application are identified:

  1. Threat Modeling deals with identifying threats, attacks, vulnerabilities, and countermeasures for your application in the design phase.
  2. Security Code Reviews come into picture at the end of development phase. The entire code is inspected to find vulnerabilities.
  3. Manual Penetration Testing is done after the application is deployed in some environment. The application is attacked and assessed for vulnerabilities.
  4. Automated Vulnerability Scanners are the tools which aid Penetration testers by identifying the vulnerabilities present.

HP WebInspect is one of the most widely used automated vulnerability scanners in the market today. It helps us to identify vulnerabilities present in the web application by taking necessary input from us. IBM Appscan Standard Edition, Acunetix Scanner, Burp scanner, Nikto are the other vulnerability scanners that are in place. For the rest of this article I will be focusing on using WebInspect to identify security vulnerabilities.

Advantages:

  • Saves time when dealing with large enterprise applications
  • Simulates the attack, shows the results and presents you with a comprehensive view.
  • It is not dependent on the underlying language.

Disadvantages:

  • It’s hard for any tool to find logical flaws, weak cryptographic storage, severity of the disclosed information etc.
  • It has a list of payloads that it uses on every web application. It does not use any wisdom in generating payloads depending on the type of application.
  • There could be false positives among the listed vulnerabilities.
  • Having said that, WebInspect scores high on many features and helps a great deal in providing scanning solutions.

Main Features in HP WebInspect 9HP WebInspect 9.10 is the latest version in use as of today. Below lines would throw an insight into various features that are available in WebInspect.

  • Presents you with tree structure: By crawling the entire application WebInspect presents you with the hierarchical tree structure of the web application and lists all the available URLS.
  • Customizable Views: While viewing the results of a scan WebInspect offers different views as per your requirement.
  • Scanning Policies: WebInspect gives you the freedom to edit and customize the scanning policies to suit your requirements and thus offers great flexibility.
  • Manual Hacking Control: With this option you can actually simulate an attack environment and see what’s really going on during a particular attack.
  • Report Generation: You can generate customizable reports by including desired sections and in desired format.
  • Remediation: WebInspect would provide a summary and the necessary fixes required to fix the vulnerabilities detected during a particular scan.
  • Web Services Scan: Web services usage is growing at a rapid pace. You can assess web service vulnerabilities by using WebInspect.

HP WebInspect is a security testing tool for web applications. This is part of HP Application Security Center product suite.

HP WebInspect includes checks for following vulnerabilities:

  • Data injection and manipulation attacks

    • Reflected cross-site scripting (XSS)

       

       

       

      Persistent XSS
    • DOM-based XSS
    • Cross-site request forgery
    • SQL injection
    • Blind SQL injection
    • Buffer overflows
    • Integer overflows
    • Log injection
    • Remote File Include (RFI) injection
    • Server Side Include (SSI) injection
    • Operating system command injection
    • Local File Include (LFI)
    • Parameter Redirection
    • Auditing of Redirect Chains

 Sessions and authentication

    • Session strength

       

       

       

      Authentication attacks
    • Insufficient authentication
    • Insufficient session expiration

Others

    • Ajax auditing
    • Flash Analysis
    • HTTP Header Auditing
    • Detection of Client-side Technologies
    • Secure Sockets Layer (SSL) certificate issues
    • SSL protocols supported
    • SSL ciphers supported
    • Server misconfiguration
    • Directory indexing and enumeration
    • Denial of service
    • HTTP response splitting
    • DOS device handle DoS
    • Canonicalization attacks
    • URL redirection attacks
    • Password auto complete
    • Cookie security
    • Custom fuzzing
    • Path manipulation—traversal
    • Path truncation
    • WebDAV auditing
    • Web services auditing
    • File enumeration
    • Information disclosure
    • Directory and path traversal
    • Spam gateway detection
    • Brute force authentication attacks

 

 

 

Check out HP WebInspect - Application Security Testing www.hp.com

 

CORE Impact Professional

Logo Core ImpactCORE Impact Professional is the most comprehensive software solution for assessing and testing security vulnerabilities throughout your organization.

 
 

Read More...

IBM Security AppScan

Logo IBM Rational AppScanIBM Rational AppScan Enterprise is a scalable solution to help resolve application security vulnerabilities, offering recommendations to simplify remediation.

 

Read More...

HP WebInspect

Logo - HP WebInspectHP WebInspect gives security professionals and security novices alike the power and knowledge to quickly identify and validate critical, high-risk security vulnerabilities.

 

Read More...

Acunetix WVS

logo acunetix web application securityAcunetix Web Vulnerability Scanner (WVS) is an automated web application security testing tool that audits web applications by checking for hacking vulnerabilities. 

 

Read More...

w4rri0r - Hacking Is Not A Crime - It's an art of Awareness

\/ w4rri0r - Hacking Is Not A Crime - It's an art of Awareness \/ -  w4rri0r work in the dark, w4rri0r do what w4rri0r can, w4rri0r give what w4rri0r have, w4rri0r doubt is w4rri0r passion and w4rri0r passion is w4rri0r task. The rest is the madness of art \/ w4rri0r \/ 

\/ w4rri0r.com \/ are the great resource for information security professionals and researcher. \/ w4rri0r \/ offers a extensive variation of information security services that include SECURITY EXPLOITS (Bug or Vulnerability), SECURITY ADVISORIES (Security Alerts), SECURITY RESEARCHER TOOLBOX (Freeware, Shareware & Open-Source), SHELLCODE (Attacker Controller - Chunk of Data), SECURITY TRAINING (Educational Purpose), SECURITY NEWS (Security Recent or Important Events) and with this group you can be assured that you’re in the right hands. \/ w4rri0r gr0up \/  efforts being endorsed and appreciated by administrators, security researchers and members of various underground hacking groups and communities worldwide.

\/ w4rri0r mission \/ are to make the information systems more secure, more aware, more reliable and protect against possible security breaches.