Application & Iplanet/Apache web server vulnerability and penetration testing

From: Steven Walker (
Date: 09/16/02

From: "Steven Walker" <>
To: "Pen-Test Security Focus" <>
Date: Mon, 16 Sep 2002 12:05:05 -0500

Dear Group,

I have been given a project to perform web application vulnerability testing
on iPlanet and Apache web servers. The servers run on NT/2000, Solaris
2.7-8, (iPlanet) and Linux, Solaris (Apache).

In house tools are Wisker, WHArenal, NMAP, NESSUS. I have only used NMAP
and NESSUS so far for firewall and internal network testing.

I am at a loss at where to start the process and am trying to determine if
additional tools are needed.

1. I would obviously harden the web server OS's by closing unnecessary
ports, ensuring proper patch levels, getting rid of rhost and equiv files,
enforcing password policies, limiting accounts, use ssh for administration,

2. I don't know what to do on the web servers other than delete example
scripts and ensure default passwords are changed to stronger ones. Are
there any links that you know of that would provide a checklist of iPlanet
and Apache vulnerability checks. Are there any recommended tools that can
automate this process? Any suggestions on iPlanet and Apache security?

3. Regarding web applications, I will be expected to test applications
before they go into production. I know to test for buffer overflows buy
inputting non expected characters into fields. Beyond that what advice
could you give or methodology could you direct me too. Jobs are tough to
find out there, I could use your help in keeping this one. Thanks for all
of you who will help me.


Steven M. Walker CISSP, GSEC, ABCP
Security Specialist
44 W. Douglas Dr.
Saint Peters, MO 63376
Office: 636.279.2206
Home: 636.278.8004

This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:

Relevant Pages