Black box testing on a website

This topic contains 18 replies, has 12 voices, and was last updated by AndyB67 8 years, 6 months ago.

  • #6261
     jamesb7555 
    Participant

    Can anyone help me with how to perform black box testing for a website?

    Need urgent help!!!!!!!

    Thanks in advance
    James.b

  • #39101
     KrisTeason 
    Participant

    hey jamesb7555!

    Chances of you asking that question makes the chances of you being hired for that position slim. This would make us wonder if you had permission at all to go about performing this test. We don’t condone illegal activity here. Welcome to the EthicalHacker Network.

    -Kris

  • #39102
     AndyB67 
    Participant

    If someone can point me in the right direction of some good reading materials, I’d be interested in finding out how to black and white box a website.

    I’d like to find out if there are any vulnerabilities in a website I admin, as I’m not too happy with the patching and updates, as well as the software versions that the host is running.

  • #39103
     rattis 
    Participant

    @AndyB wrote:

    If someone can point me in the right direction of some good reading materials, I’d be interested in finding out how to black and white box a website.

    I’d like to find out if there are any vulnerabilities in a website I admin, as I’m not too happy with the patching and updates, as well as the software versions that the host is running.

    Hacking for Dummies. I’m not kidding either. The latest edition will explain them enough to understand what they are.

    However, for your patches and what not, go with something like Nessus. It depends on the rules that the hosting provider allows, though, and you’ll probably still want to let them know ahead of time and get a get-out-of-jail-free card.

  • #39104
     rattis 
    Participant

    @xXxKrisxXx wrote:

    Chances of you asking that question makes the chances of you being hired for that position slim.

    Kris, could have been worse, he could have asked how to do a Black HAT pentest instead. Director said he had contracts for a WHITE HAT and a BLACK HAT pen-test on his desk.

    Sadder thing is, that’s actually what the contract said.

    Worse than that, I had to break it to him that we wouldn’t pass a vulnerability test, let alone a full-on pen test. They actually had a policy in place to not upgrade the boxes there.

  • #39105
     UNIX 
    Participant

    @AndyB wrote:

    If someone can point me in the right direction of some good reading materials, I’d be interested in finding out how to black and white box a website.

    I’d like to find out if there are any vulnerabilities in a website I admin, as I’m not too happy with the patching and updates, as well as the software versions that the host is running.

    The Web Application Hacker’s Handbook gives a gentle introduction into the topic.

  • #39106
     BillV 
    Participant
  • #39107
     AndyB67 
    Participant

    @chrisj wrote:

    However, for your patches and what not, go with something like Nessus. It depends on the rules that the hosting provider allows, though, and you’ll probably still want to let them know ahead of time and get a get-out-of-jail-free card.

    The site has been hacked 3 times in 4 years (they changed the site’s default language to Swedish once) and I know from the logs that it’s not the PHP app that we’re using, or that they brute forced the passwords (26-character pass-phrase), but the SQL on the machine was a much older version and not patched fully.

    Have had quite a discussion with their tech and sales guys about this and was thinking about doing a discreet white & black test to give me some ammo to light a fire up their asses.

  • #39108
     caissyd 
    Participant

    @AndyB wrote:

    Have had quite a discussion with their tech and sales guys about this and was thinking about doing a discreet white & black test to give me some ammo to light a fire up their asses.

    BTW AndyB, you know that by doing a “discreet” pentest on a web site, even on a dev box, you must have written permission?

    Don’t get yourself into trouble!!!  😉

  • #39109
     arkansasclp 
    Participant

    I would agree with H1t M0nk3y. Even performing a pentest against a resource that is owned by the company you work for does not give you permission to perform the test. I have seen helpdesk techs get into hot water for “pentesting” the company web server.

  • #39110
     jamesb7555 
    Participant

    Thanks to one and all who replied. I am doing my dissertation; as a part of that I need to assess a fake website. For that I have to know the steps for black box testing.

  • #39111
     AndyB67 
    Participant

    I’ve got the verbal go-ahead and should have the written go-ahead in my inbox when I get back into work after my week’s leave.

    Got some books on the way and, if this weather holds up, will spend the week in the back garden with a cold drink or 3 and do some serious reading.

    Work out a plan of attack and see just what I can do. Will be interesting to have the website/server control console up, watching the logs in real time on one machine whilst I probe from another!

  • #39112
     treasur3 
    Participant

    I don’t know what you meant by directions, but first of all you need to have legal permission from the target environment. Better make it written. If your question is how to perform a pentest, it’s the normal process of a pentest; everyone has their own methods.

  • #39113
     sil 
    Participant

    Without getting into a Wikipedia like entry here, let’s take a look at what goes on with white-listing.

    You have a machine with an application – say notepad. You create an entry called acc_note which when notepad is called, is validated against a list, then allowed to run. How is this application being validated?

    Unless there are strong checksums against that application, nothing stops me – as an attacker – from binding rogue calls to that application, which, when run, will allow me to run code even more so now, because that application was deemed trusted. You also need to understand that in order to whitelist, you will likely need to whitelist includables (DLLs, *.so’s and so on) to make it truly effective. For any updates, you will need to go back through the whole process. See the dilemma here?

    This is not to say that whitelisting is a failure; however, this is to point out the notion that simply by whitelisting, all is well. In an enterprise environment, maintaining a list of what is legitimate and what is not can be cumbersome. This is because most operating systems issue updates which would change any checksum-based systems. Administrators tasked with maintaining these systems will likely learn to overlook re-calculating checksums. Most of this overlooking can come directly from management in their effort to get things done “right now.”

    You can read more from two heavyweights (Ranum and Schneier) on this subject here:
    http://searchsecurity.techtarget.com/magazineContent/Schneier-Ranum-Face-Off-on-whitelisting-and-blacklisting

    A better approach at whitelisting boils down to whitelisting CONNECTIVITY. This is the MOST CRUCIAL, misunderstood and overlooked element here. E.g., you have a machine, say a DB. Its role is to take data stored INSIDE the environment and populate it elsewhere. It makes much more sense to whitelist all the machines INSIDE the local network and block the others. Same rings true across the board. Even in an outbreak, the machine would be programmed to talk to no one else BUT trusted sources. This can be accomplished on the local machine as well as at egress points to ensure there would be no data leaks.

    This is where people fail miserably in their approach, not to forget the fact that too many people have been following the words of others for so long when the initial design was wrong to begin with. E.g.: “Input validation versus Output Validation.” Can you seriously control what people try to input? If you think you can, you’re mistaken. You may be able to control what your machine processes, but it won’t stop anyone from attempting to input it, will it? You will beat yourself to a bloody pulp trying to concoct massive amounts of counters; however, you CAN control what your machine puts OUT every single time. YOU and only YOU know what your machine is supposed to distribute. This is ALWAYS under your control and the applicable rules ARE under your control. It’s all in the approach and understanding.

    E.g., statistically, a DB needs to return a total of 10 variables with a sum of say 10k to render a query complete (to show someone their account summary). You can easily create a counter that says: “Look machine, at no point in time should you ever go over this maximum amount of variables. 10 fields for a sum of 10k.” This is a much stronger rule since your machine would not OUTPUT an error message or website with more than that. Data leakage is minimized to 10 variables at 10k. Versus trying to create voodoo rules that won’t work because you won’t be able to keep up with millions of attackers consistently trying.
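
The output-side rule sil describes (“10 fields for a sum of 10k”), written out as an added example that is not from the thread: the response layer checks every result set against a fixed contract (known column names, a column cap, a ceiling on the numeric total) and emits a generic error when it does not fit, so an oversized or mis-shaped result never leaves the server whatever caused it. Contract values and rows are constructed for illustration; the sum is taken across all numeric values in the response.

```python
"""Output-contract guard: the "10 fields, sum 10k" rule from sil's post, as code."""
from dataclasses import dataclass
from typing import Any, Dict, List, Tuple

# Fixed, generic message: the client never receives raw rows or a DB error text.
SAFE_ERROR: Dict[str, str] = {"error": "unable to render account summary"}


@dataclass(frozen=True)
class OutputContract:
    """What one account-summary response is allowed to carry (constructed values)."""
    allowed_fields: frozenset        # column names the page is known to render
    max_fields: int = 10             # no response ever carries more columns than this
    max_total: float = 10_000.0      # ceiling on the sum of all numeric values returned


def check_output(rows: List[Dict[str, Any]], contract: OutputContract) -> Tuple[bool, str]:
    """Return (ok, reason). Inspects the result set; mutates nothing."""
    total = 0.0
    for row in rows:
        if len(row) > contract.max_fields:
            return False, f"field count {len(row)} exceeds {contract.max_fields}"
        unknown = set(row) - contract.allowed_fields
        if unknown:
            return False, f"unexpected field(s): {sorted(unknown)}"
        for value in row.values():
            if isinstance(value, (int, float)) and not isinstance(value, bool):
                total += value
    if total > contract.max_total:
        return False, f"numeric total {total} exceeds {contract.max_total}"
    return True, ""


def render_summary(rows, contract, audit_log: List[str]) -> Dict[str, Any]:
    """Emit the rows only if they satisfy the contract; otherwise log and emit SAFE_ERROR."""
    ok, reason = check_output(rows, contract)
    if not ok:
        audit_log.append(reason)      # the detail stays server-side for the defender
        return SAFE_ERROR
    return {"summary": rows}


# Constructed sample contract and result sets.
SUMMARY = OutputContract(frozenset({"account_id", "owner", "balance", "available", "pending"}))
NORMAL = [{"account_id": "A-100", "owner": "andy", "balance": 2500.0, "available": 2400.0, "pending": 100.0}]
# Shaped nothing like an account summary: too many columns, names the page never renders.
OVERSIZED = [{f"col{i}": i for i in range(12)}]
# Right shape, but the numbers add up past the ceiling.
TOO_LARGE = [{"account_id": "A-101", "owner": "bob", "balance": 25_000.0}]
```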

  • #39114
     jacobadam 
    Participant

    Specific knowledge of the application’s code/internal structure and programming knowledge in general is not required. Test cases are built around specifications and requirements, i.e., what the application is supposed to do. It uses external descriptions of the software, including specifications, requirements, and design to derive test cases. These tests can be functional or non-functional, though usually functional. The test designer selects valid and invalid inputs and determines the correct output. There is no knowledge of the test object’s internal structure.

  • #39115
     caissyd 
    Participant

    @jacobadam: I agree with you, but in general, security is a non-functional requirement that developers tend not to understand properly. So they may build the required system, build it to spec, but since they are not experts at security, we try to help them see what they have missed.

    I don’t know if that’s what you were referring to, but even if internal knowledge of the code is not required (I agree with you!), pentesting is about finding the little hole that was forgotten. So to me, understanding the internal mechanism speeds up the process of finding vulnerabilities, thus providing better value to a client.

    Finally, I have yet to see one system with perfect requirements and perfect specs, so developer “mistakes” end up happening in the end… 😉

    @sil: Great post, as always. But even if I agree that filtering input data is sometimes a very difficult task, it’s usually possible to do quite well. There are always the easy cases of validating phone numbers (using regular expressions), age (must be an integer), etc. But the more difficult ones are the text areas, which include comment fields, descriptions, etc. I use things like the Ship Validator (http://sourceforge.net/projects/shipvalidator/) and AntiSamy (https://www.owasp.org/index.php/Antisamy). They may not do miracles, but by adding these calls in my code, I know I get rid of most hackers.

    Using these libraries combined with things like white and black lists, least privilege, use of prepared statements, etc. makes the application quite secure. Then of course, like you said, we limit access to the system. Like you know, security in depth is the key!

    But I found that the easier the solution is to implement and support, the more people will do it. So I tend to focus on that for “regular” systems. Highly secure systems are a different ball game!

    But great comments guys!
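
The input-side pattern caissyd lists (strict shapes for phone and age, a bounded and escaped free-text field, prepared statements for storage), as an added example that is not from the thread. The phone format, age range and table layout are assumptions; `html.escape` stands in for a policy-based sanitiser such as AntiSamy, and sqlite3 for the real database.

```python
"""Input validation plus parameterised storage, the pattern caissyd describes."""
import html
import re
import sqlite3
from typing import List

# Allowlist shapes for the "easy" fields (assumed formats for this example).
PHONE_RE = re.compile(r"\+?[0-9]{7,15}")   # digits only, optional leading +
AGE_RANGE = range(0, 151)


def validate_phone(value: str) -> str:
    """Return the phone string only if it matches the allowlist; else ValueError."""
    if not PHONE_RE.fullmatch(value):
        raise ValueError("phone: digits only, 7-15 long, optional leading +")
    return value


def validate_age(value: str) -> int:
    """Age must parse as an integer and fall inside AGE_RANGE."""
    try:
        age = int(value)
    except ValueError:
        raise ValueError("age: must be an integer") from None
    if age not in AGE_RANGE:
        raise ValueError("age: out of range")
    return age


def sanitize_comment(value: str, max_len: int = 2000) -> str:
    """Free-text field: bound its length and HTML-escape it for safe rendering."""
    return html.escape(value[:max_len], quote=True)


def open_db() -> sqlite3.Connection:
    """In-memory stand-in for the site's database (constructed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE profile (phone TEXT, age INTEGER, comment TEXT)")
    return conn


def save_profile(conn: sqlite3.Connection, phone: str, age: str, comment: str) -> int:
    """Validate every field, then store with bound parameters; returns the row count."""
    row = (validate_phone(phone), validate_age(age), sanitize_comment(comment))
    # Placeholders keep user text as data: quotes in a comment never alter the statement.
    conn.execute("INSERT INTO profile (phone, age, comment) VALUES (?, ?, ?)", row)
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM profile").fetchone()[0]


def load_comments(conn: sqlite3.Connection) -> List[str]:
    return [r[0] for r in conn.execute("SELECT comment FROM profile ORDER BY rowid")]
```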

  • #39116
     AndyB67 
    Participant

    The UK Cyber Security Challenge website is behind schedule this year due to the fact that the designers built a nice looking site that was ‘about as secure as a wet paper bag’, and that’s a direct quote from one of the challenge organisers.

    They now have two ‘security’ teams working on the site, one trying to secure it and one trying to break it!

  • #39117
     Anonymous 
    Participant

    @AndyB wrote:

    The UK Cyber Security Challenge website is behind schedule this year due to the fact that the designers built a nice looking site that was ‘about as secure as a wet paper bag’, and that’s a direct quote from one of the challenge organisers.

    They now have two ‘security’ teams working on the site, one trying to secure it and one trying to break it!

    They should just have made that the challenge 😛

  • #39118
     AndyB67 
    Participant

    They’ve got a nice dynamic site planned with online registration and they thought it would be too much of a target. Considering some of the fines being handed out over here due to data protection breaches…!

Copyright ©2019 Caendra, Inc.