EH-Net

Ethical Hacking Discussions and Related Certifications => Web Applications => Topic started by: H1t M0nk3y on February 12, 2010, 06:24:15 AM



Title: Web Applications PenTesting Methodology
Post by: H1t M0nk3y on February 12, 2010, 06:24:15 AM
Hi,

I currently have to perform a security evaluation of a web site. The server itself (OS) and the network are not in the scope because my client has no power over them. However, they can change the web server configuration and since they're the ones developing the web application, they can modify it.

So, my task is to do a security evaluation of the web application and the web server. Where do I start?

I have completed the reconnaissance phase. I suspect some XSS and SQL Injection vulnerabilities. But if I really want to do a good job and produce a very complete report, with the ad-hoc way I am doing this, I am afraid of missing some stuff...

I have looked at 3 books on the subject and browsed the OWASP web site, but I just can't seem to find a good methodology for pentesting web apps.

Any suggestions?

Thanks
 


Title: Re: Web Applications PenTesting Methodology
Post by: Ketchup on February 12, 2010, 07:10:45 AM
I think that the same methodology as usual applies.   You have your automated scanners, proxies, manual testing, source code audit, fuzzing, exploiting, etc. 

I like to use this framework for pen testing.  I think that you can adapt it to your project.

http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html (http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html)


Title: Re: Web Applications PenTesting Methodology
Post by: UNIX on February 12, 2010, 08:12:02 AM
In terms of OWASP you might have a look at their Testing Guide (http://www.owasp.org/index.php/Category:OWASP_Testing_Project), which may help additionally to what Ketchup already recommended.

Is source code audit within the scope?


Title: Re: Web Applications PenTesting Methodology
Post by: Dark_Knight on February 12, 2010, 06:04:10 PM
> I think that the same methodology as usual applies.   You have your automated scanners, proxies, manual testing, source code audit, fuzzing, exploiting, etc. 
>
> I like to use this framework for pen testing.  I think that you can adapt it to your project.
>
> http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html (http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html)
Thanks for posting this. :)


Title: Re: Web Applications PenTesting Methodology
Post by: H1t M0nk3y on February 14, 2010, 07:16:21 AM
Yes, source code audit is within the scope.
But with 60 000 lines of code, where should I start?

BTW, I am a web developer, so I understand the code well.


Title: Re: Web Applications PenTesting Methodology
Post by: Ketchup on February 14, 2010, 08:51:41 AM
There are a bunch of source code auditing tools that may help you with this problem.  You can add a bit of manual spot checking as well. 

http://www.owasp.org/index.php/Source_Code_Analysis_Tools (http://www.owasp.org/index.php/Source_Code_Analysis_Tools)


Title: Re: Web Applications PenTesting Methodology
Post by: zeroflaw on February 14, 2010, 08:52:58 AM
Well if you're going to audit the source code, then I guess you could scan the code for possibly dangerous functions that perform jobs such as string concatenation or forms that allow users to upload files to the server. Also find out how the application deals with sessions.

Because you already suspect some XSS and SQL injection vulnerabilities, I would mark all input fields and other possible entry points. Then find out how the code deals with those. Document all your findings, explain the vulnerabilities and how to fix them.

I don't know much about good tools, but I've used Acunetix Web Vulnerability Scanner last year and was very pleased with the results.

You probably figured most of this out already, but I'm just trying to help :P

ZF
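As an added example (not from this thread or any poster), here is a small Python triage script of the kind zeroflaw describes: it marks entry points (request superglobals) and flags sinks such as SQL built by string concatenation, echoed input, file uploads, code execution and session handling, so the reviewer can decide which of the 60 000 lines to read first. It assumes the application is written in PHP (an assumption) and runs over a constructed sample; a parameterized query is included to show it is not flagged.

```python
import re
from collections import defaultdict

# Constructed sample standing in for the real code base (assumption: PHP).
SAMPLE_PHP = """<?php
$id = $_GET['id'];
$q = "SELECT * FROM users WHERE id = " . $id;
$res = mysql_query($q);
echo "Hello " . $_POST['name'];
move_uploaded_file($_FILES['f']['tmp_name'], "/var/www/uploads/" . $_FILES['f']['name']);
session_start();
$stmt = $pdo->prepare("SELECT * FROM users WHERE id = ?");
"""

# Sources: where untrusted input enters the application.
SOURCES = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|FILES|SERVER)\b")

# Sinks: places where that input becomes dangerous, grouped by finding type.
SINKS = {
    "sql": re.compile(r"\b(mysql_query|mysqli_query|pg_query)\s*\("),
    "sql-concat": re.compile(r'"\s*(SELECT|INSERT|UPDATE|DELETE)[^"]*"\s*\.\s*\$'),
    "xss": re.compile(r"\b(echo|print)\b.*\$_(GET|POST|REQUEST|COOKIE)"),
    "upload": re.compile(r"\bmove_uploaded_file\s*\("),
    "exec": re.compile(r"\b(eval|system|exec|shell_exec|passthru)\s*\("),
    "session": re.compile(r"\bsession_(start|id|regenerate_id)\s*\("),
}


def scan(src):
    """Return {category: [(line_number, stripped_line)]} for every line that
    touches a source or matches a sink pattern. Categories with no hits are absent."""
    hits = defaultdict(list)
    for n, line in enumerate(src.splitlines(), 1):
        if SOURCES.search(line):
            hits["entry-point"].append((n, line.strip()))
        for cat, rx in SINKS.items():
            if rx.search(line):
                hits[cat].append((n, line.strip()))
    return dict(hits)


if __name__ == "__main__":
    # Print a review worklist: category, then the lines to inspect by hand.
    for cat, lines in sorted(scan(SAMPLE_PHP).items()):
        print(f"[{cat}]")
        for n, text in lines:
            print(f"  line {n}: {text}")
```

Every hit still needs manual confirmation: the regexes only say where to look, not whether the line is exploitable.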


Title: Re: Web Applications PenTesting Methodology
Post by: H1t M0nk3y on February 14, 2010, 05:58:07 PM
Thank you very much guys, I will give these tools a try this week.