I signed up yesterday evening. 'Broke' the 'cipher' within an hour.

I'm thinking I may have registered before it was officially open, I may have to re-register.

Congrats Jason. Great article! 

The unreleased OSSTMM v3.0 has a section (2.8 Error Handling) which gives information on calculating Auditor error. The acronym they use is TERM (Test Error Risk Margin). This calculation is carried out by the Auditor himself which of course is a biased view however if this is stated, TERM is still useful.

This still leaves:

0days
Scope
Future changes to the tested environment
Possibly more?

I'm a recent subscriber. My employer paid for my subscription so I'm not sure what price they paid.

You normal get a cd with some material on, the past 2 months they were wireless security I believe. The magazine content is mixed and varied. Some stuff more technical while other not so.

Overall I think it's worth having.

Hi,
This applies to both Network pen testing and web application assessments.

I was wondering if there had been any work done on calculating risk POST web app assessment or network pen testing?

There are a number of risks I can think of POST assessment:

0day vulnerabilities
Missed bugs due to time constraints
The skill/experience of the tester/s
Missed bugs due to tool/s not functioning as expected

Any help with this is much appreciated.

Thank you.

Sorry to bring up an old topic and thanks for the great script!

For some reason the cookies of a couple of sites I'm testing are not stored in the same place as other cookies. The only difference that I can see from the sites I'm testing and others is that the sites I'm testing are HTTPS. I tried logging into other HTTPS sites and they do seem to be saved into the same sqlite database.

I thought it may have been a problem with the script, however after openning the sqlite database and inspecting the data, the cookies were not there.

The location of my cookies.sqlite file:
/home/user/.mozilla/firefox/apj29vu2.default/cookies.sqlite

Does Firefox save HTTPS cookies in a different location? Is there something else going on here?

Thanks in advance. 

P.S. Firefox 3.0.15 / BackTrack4 Final

To be honest I have never used Grendel, I have seen it installed in BackTrack but never had a play. I agree that w3af's authentication settings do need improving, from the top of my head I think w3af uses a cookie jar file from an old version of Firefox?!

Off to play with Grendel. 

@ChrisG - I was surprised too, judging from some of the 'additional comments' they were voting for the Metasploit Framework itself and not the web application modules which was what was intended.

@Jhaddix - Grendel and Paros completely slipped my mind. I added an 'other' option which some people did vote for other applications which weren't on the list.

I think in future I am going to leave the poll run for longer and try to spread the word a little more to get more submissions.

Thanks to everyone who submitted responses! 

Here are the results:
http://www.ethicalhack3r.co.uk/2009/12/07/open-source-web-application-scanner-poll-results/

Thanks again!

Hello all,
I am trying to gather some info on which is the most used/favorite open source web application scanner out there. Would be grateful if you could spare 2secs to answer 3-4 questions.

http://spreadsheets.google.com/viewform?formkey=dFNpQmNfUWx4UEFicW0wQXlZTFQyV0E6MA

Thank you!

Hi Richard,
I am a second year Ethical Hacking for Computer Security student Northumbria Uni's CEIS. I guessing the course you will be taking is at Glasgow's Caledonian University?

I'm not sure of the ins and outs of your particular course however at Northumbria they teach us C/C++ programming, Networking (inc CCNA), ORACLE DBMS/SQL, forensics, ethical hacking, consultancy and more. If you completed your degree and wanted to take another path in IT rather than the security one, in my opinion you would have enough knowledge to go into programming, networking or another aspect of IT if you wished.

I would also like to say that I wouldn't expect to learn everthing there is to know about information security within your 4 year degree. A lot of what I have learnt has been learnt outside of university working on projects, experimenting, reading books, online resources, conferences and casual pentest work for different companies.

If you have any other questions let me know.

Great review Andrew. Will have to add this one to my 'to buy' list. 

Heres a security jobs RSS page I put together to keep an eye on the latest jobs in the UK. You can have a look at the salaries they are offering:
http://www.ethicalhack3r.co.uk/wp-content/themes/Fresh-Wordpress/rssjobs.php

Also heres a salary checker from CWJobs:
http://www.cwjobs.co.uk/SalaryChecker/SalaryCheckerSearch.aspx

Depending what country your in, you could be breaking the law. Either way what you are trying to accomplish is UN-ethical. This website is for ETHICAL hackers.

Who won?