
Security Testing - ASP.NET Web Applications

The following is a non-exhaustive list of tools for conducting a security test on ASP.NET web applications. Do share with us the ones you are using too.

HTTP Proxying/Editing
  • Burp
    An intercepting proxy server for security testing of web applications. It operates as a man-in-the-middle between your browser and the target application, so every request and response passes through it.

  • Web Proxy Editor
    Fast, multithreaded proxy-checking software that supports SOCKS4, SOCKS5, HTTP and HTTPS proxies.

  • Paros
    Because Paros works as a proxy, all HTTP and HTTPS data between server and client, including cookies and form fields, can be intercepted and modified.

  • WebScarab
    A framework for analysing applications that communicate using the HTTP and HTTPS protocols.
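The descriptions above all come down to the same mechanism: the proxy sits between the browser and the application, parses each request, and lets the tester read and edit cookies and form fields before forwarding it. The following added example (not code from Burp, Paros or WebScarab; the sample request and the shop.example host are constructed) models that step in Python: it parses a captured request, edits a form field, and re-serializes the request with a corrected Content-Length, which is what the application actually receives and why it must never trust client-supplied values such as a price.

```python
# Added example (not Burp/Paros/WebScarab code): a minimal model of what an
# intercepting proxy lets a tester do with a captured request: parse the raw
# bytes, read and edit cookies and form fields, and re-serialize the request
# with a corrected Content-Length before it is forwarded to the application.
from urllib.parse import parse_qsl, urlencode

# Constructed sample request, as a browser would send it to an ASP.NET app.
SAMPLE_REQUEST = (
    b"POST /cart HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Cookie: session=abc; theme=dark\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 22\r\n"
    b"\r\n"
    b"item=42&qty=1&price=10"
)


class CapturedRequest:
    """One HTTP/1.1 request as seen on the wire between browser and server."""

    def __init__(self, raw: bytes):
        head, _, self.body = raw.partition(b"\r\n\r\n")
        lines = head.decode("iso-8859-1").split("\r\n")
        self.method, self.target, self.version = lines[0].split(" ", 2)
        self.headers = []  # list of (name, value); order preserved
        for line in lines[1:]:
            name, _, value = line.partition(":")
            self.headers.append((name.strip(), value.strip()))

    def header(self, name):
        """Return a header value (case-insensitive name) or None."""
        for n, v in self.headers:
            if n.lower() == name.lower():
                return v
        return None

    def set_header(self, name, value):
        for i, (n, _) in enumerate(self.headers):
            if n.lower() == name.lower():
                self.headers[i] = (n, value)
                return
        self.headers.append((name, value))

    @property
    def cookies(self):
        raw = self.header("Cookie") or ""
        return dict(p.strip().split("=", 1) for p in raw.split(";") if "=" in p)

    @cookies.setter
    def cookies(self, jar):
        self.set_header("Cookie", "; ".join(f"{k}={v}" for k, v in jar.items()))

    @property
    def form(self):
        ctype = self.header("Content-Type") or ""
        if not ctype.startswith("application/x-www-form-urlencoded"):
            return {}
        return dict(parse_qsl(self.body.decode("iso-8859-1"), keep_blank_values=True))

    @form.setter
    def form(self, fields):
        # Re-encoding changes the body length, so the proxy must fix
        # Content-Length or the server reads a truncated or over-long body.
        self.body = urlencode(fields).encode("iso-8859-1")
        self.set_header("Content-Length", str(len(self.body)))

    def serialize(self) -> bytes:
        lines = [f"{self.method} {self.target} {self.version}"]
        lines += [f"{n}: {v}" for n, v in self.headers]
        return ("\r\n".join(lines) + "\r\n\r\n").encode("iso-8859-1") + self.body


def tamper_example():
    """What a tester does at the proxy: change a value the browser chose.

    The 'price' field arrives from the client, so the server must recompute
    it from its own data; this edit is the check that shows whether it does."""
    req = CapturedRequest(SAMPLE_REQUEST)
    fields = req.form
    fields["price"] = "1"
    req.form = fields
    return req


if __name__ == "__main__":
    print(tamper_example().serialize().decode("iso-8859-1"))
```

Run it to see the edited request as the server would receive it. The defensive point is in the form setter: anything the browser sends, including hidden fields, cookies and the Content-Length header itself, is under the tester's control at this point, so server-side validation is the only control that holds.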

Security Scanners
  • Nessus
    Features high-speed discovery, configuration auditing, asset profiling, sensitive data discovery and vulnerability analysis of your security posture.

  • N-Stealth
    Provides checks to enhance the overall security of your web server infrastructure, using the most complete web attack signature database available in the market, covering attacks such as cross-site scripting.

  • Nikto/Wikto
    An open-source (GPL) web server scanner that performs comprehensive tests against web servers for multiple items, including over 6400 potentially dangerous files/CGIs, checks for outdated versions of over 1200 servers, and version-specific problems on over 270 servers. It also checks server configuration items such as the presence of multiple index files and HTTP server options, and attempts to identify installed web servers and software.

  • HP WebInspect
    Web application security assessment software designed to thoroughly analyze today's complex web applications. It delivers fast scanning, broad assessment coverage and accurate web application scanning results.

Password Crackers
  • L0phtCrack
    Password auditing and recovery software with features such as scheduling, hash extraction from 64-bit Windows versions, multiprocessor algorithms, and network monitoring and decoding.

  • RainbowCrack
    Cracks hashes using precomputed rainbow tables.

Other Security Tools
  • SSLDigger
    A tool to assess the strength of SSL servers by testing which cipher suites they support.
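What a cipher-strength assessment does with the list of supported suites is classify each one so the weak ones can be disabled in the server configuration. The following is an added example, not SSLDigger's code: it classifies OpenSSL- and IANA-style suite names by recognisable tokens (NULL, EXPORT, RC4, DES/3DES, MD5, anonymous key exchange), then separates the remaining suites by forward secrecy and AEAD. The SAMPLE_SCAN list is constructed to look like a scan of a poorly configured server; the verdict names are this example's own.

```python
# Added example (not SSLDigger's code): classify the cipher suites a server
# reports as supported, the way a cipher-strength assessment does, so the
# weak ones can be disabled in the server configuration.
import re
import ssl

# Tokens whose presence in an OpenSSL- or IANA-style suite name make it weak.
WEAK_TOKENS = {
    "NULL": "no encryption",
    "EXP": "export-grade (40/56-bit) key",
    "RC4": "RC4 keystream biases",
    "DES": "DES or 3DES (64-bit block)",
    "3DES": "3DES (64-bit block)",
    "MD5": "MD5-based MAC",
    "ADH": "anonymous DH, no server authentication",
    "AECDH": "anonymous ECDH, no server authentication",
    "ANON": "anonymous key exchange, no server authentication",
}


def _tokens(name):
    """Split 'ECDHE-RSA-AES128-GCM-SHA256' or 'TLS_AES_128_GCM_SHA256' into tokens."""
    return set(re.split(r"[-_]", name.upper()))


def classify(name):
    """Return (verdict, reason) for one cipher suite name.

    Verdicts (this example's own labels): 'weak' (disable), 'no-pfs' (static
    key exchange), 'legacy' (forward secrecy but CBC+HMAC), 'strong'
    (forward secrecy and AEAD)."""
    toks = _tokens(name)
    for tok, reason in WEAK_TOKENS.items():
        if tok in toks:
            return "weak", reason
    # TLS 1.3 suites are named TLS_<cipher>_<hash> with no 'WITH'; they always
    # use an ephemeral key exchange and an AEAD cipher.
    if name.upper().startswith("TLS_") and "WITH" not in toks:
        return "strong", "TLS 1.3 suite"
    pfs = bool(toks & {"ECDHE", "DHE", "EDH"})
    aead = bool(toks & {"GCM", "CHACHA20", "CCM"})
    if not pfs:
        return "no-pfs", "static key exchange: a stolen server key decrypts recorded sessions"
    if not aead:
        return "legacy", "CBC with HMAC; prefer an AEAD suite"
    return "strong", "forward secrecy and AEAD"


def summarize(names):
    """Group suite names by verdict, preserving the server's preference order."""
    report = {"weak": [], "no-pfs": [], "legacy": [], "strong": []}
    for name in names:
        report[classify(name)[0]].append(name)
    return report


def local_cipher_report():
    """Classify what the local OpenSSL build enables by default (varies by build)."""
    ctx = ssl.create_default_context()
    return summarize(c["name"] for c in ctx.get_ciphers())


# Constructed sample: the kind of list a scan of a poorly configured server returns.
SAMPLE_SCAN = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_AES_256_GCM_SHA384",
    "AES128-SHA",
    "ECDHE-RSA-AES256-SHA",
    "DES-CBC3-SHA",
    "RC4-MD5",
    "EXP-RC4-MD5",
    "ADH-AES128-SHA",
    "NULL-SHA",
]

if __name__ == "__main__":
    for verdict, suites in summarize(SAMPLE_SCAN).items():
        print(f"{verdict:7s} {', '.join(suites) or '-'}")
```

Everything in the "weak" group should be removed from the server's cipher list outright; "no-pfs" suites are worth removing too, since a later key compromise exposes recorded traffic. local_cipher_report() applies the same classification to what the local OpenSSL build offers, which is a quick way to check the default client side as well.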
