Hi,

I currently have to perform a security evaluation of a web site. The server itself (OS) and the network are not in the scope because my client has no power over them. However, they can change the web server configuration and since they're the ones developing the web application, they can modify it.

So, my task is to do a security evaluation of the web application and the web server. Where do I start?

I have completed the reconnaissance phase. I suspect some XSS and SQL Injection vulnerabilities. But if I really want to do a good job and produce a very complete report, with the ad-hoc way I am doing this, I am afraid of missing some stuff...

I have looked a 3 books on the subject and browsed the OWASP web site, but I just can't seem to find a good methodology for pentesting web apps.

Any suggestions?

Thanks
 

In terms of OWASP you might have a look at their Testing Guide, which may help additionally to what Ketchup already recommended.

Is source code audit within the scope?

Yes, source code audit is within the scope.
But with 60 000 lines of code, where should I start?

BTW, I am a web developer, so I understand the code well.

Well if you're going to audit the source code, then I guess you could scan the code for possibly dangerous functions that perform jobs such as string concatenation or forms that allow users to upload files to the server. Also find out how the applications deals with sessions.

Because you already suspect some XSS and SQL injection vulnerabilities, I would mark all input fields and other possible entry points. Then find out how the code deals with those. Document all your findings, explain the vulnerabilities and how to fix them.

I don't know much about good tools, but I've used Acunetix Web Vulnerability Scanner last year and was very pleased with the results.

You probably figured most of this out already, but I'm just trying to help

ZF