Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Defining scope of web application pentest

from [Marco M. Morana] Network Security [Permanent Link]
Subject: RE: Defining scope of web application pentest
Date: Sat, 8 Dec 2007 15:53:24 -0500 
Vishal

Typically the pen test effort should be directed to test the web application
for common web application vulnerabilities. The main areas that you would
like to focus on in a pen test are: 1) configuration management, 2) session
management, 3) input and output validation, 4) data protection and
encryption, 5) error handling 6) authorization 7) authentication 8) auditing
and logging. 

External penetration tests for internet facing web applications (also called
ethical hacks or web application vulnerability assessments) usually exclude
the back end infrastructure as scope for the test and focus on testing the
application and the web server where the application resides. As part of the
pen test you look at webs server vulnerabilities due to un-safe
(un-hardened) configuration (e.g. SSL with weak ciphers enabled, default
admin files not disabled, HTTP methods such as TRACE not disabled, admin
port open, non required services etc). These vulnerabilities are the ones
that can be exploited externally from the web site. You obviously need to
look at the infrastructure as well but this usually is in scope for other
assessments.

Beside common vulnerabilities, you might also want to cover specific threats
to the application that you had previously identified with a threat analysis
of the application using threat modeling. You can also integrate security
tests as part of your application functional tests during the verification
phase of the SDLC where you will test for both functional and non-functional
malicious scenarios.
  
I suggest discussing the testing objectives with the project stakeholders
and capture clearly the objectives for the test first. Are these for
auditing purposes? Do you need to test for potential vulnerabilities? You
should have testing objectives defined as well as testing criteria and a
methodology that follow a guideline. If you do not know where to start I
recommend looking at the OWASP testing guide
http://www.owasp.org/index.php/Penetration_Testing as well as the other
OWASP free available resources.

Regards

Marco Morana
OWASP Cincinnati Chapter Leader
http://www.owasp.org/index.php/Cincinnati
http://securesoftware.blogspot.com



-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On
Behalf Of Vishal Garg
Sent: Friday, December 07, 2007 12:48 PM
To: webappsec@securityfocus.com
Subject: Defining scope of web application pentest

Hi,

Can anyone please tell what needs to be considered while defining the 
scope of a web application penetration test. Here I am concerned only 
about the web application and the web server that would exclude every 
other bit related to the infrastructure (such as firewall or a proxy 
etc). Also how do we calculate the effort required to test a web 
application. The things which I think may be considered are the 
number of static and dynamic pages and types of users involved etc. 
But what else can be considered?

Any inputs would be highly appreciated.

Cheers
Vishal


-------------------------------------------------------------------------
Sponsored by: Watchfire 
Methodologies & Tools for Web Application Security Assessment 
With the rapid rise in the number and types of security threats, web
application security assessments should be considered a crucial phase in the
development of any web application. What methodology should be followed?
What tools can accelerate the assessment process? Download this Whitepaper
today! 

https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------


-------------------------------------------------------------------------
Sponsored by: Watchfire 
Methodologies & Tools for Web Application Security Assessment 
With the rapid rise in the number and types of security threats, web 
application security assessments should be considered a crucial phase in the 
development of any web application. What methodology should be followed? What 
tools can accelerate the assessment process? Download this Whitepaper today! 

https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Session security with cookies, Aaron Shelmire
Next by Date:  Re: Session security with cookies, Eduardo Tongson
Previous by Thread:  Defining scope of web application pentest, Vishal Garg
Next by Thread:  RE: Defining scope of web application pentest (now scope of an annual medical exam), Clement Dupuis
Indexes:  [Date] [Thread] [Top] [All Lists]