
Web Applications PenTesting Methodology


caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Fri Feb 12, 2010 7:24 am

Web Applications PenTesting Methodology

Hi,

I currently have to perform a security evaluation of a web site. The server itself (OS) and the network are not in the scope because my client has no power over them. However, they can change the web server configuration and since they're the ones developing the web application, they can modify it.

So, my task is to do a security evaluation of the web application and the web server. Where do I start?

I have completed the reconnaissance phase. I suspect some XSS and SQL Injection vulnerabilities. But if I really want to do a good job and produce a very complete report, with the ad-hoc way I am doing this, I am afraid of missing some stuff...

I have looked at 3 books on the subject and browsed the OWASP web site, but I just can't seem to find a good methodology for pentesting web apps.

Any suggestions?

Thanks
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Fri Feb 12, 2010 8:10 am

Re: Web Applications PenTesting Methodology

I think that the same methodology as usual applies.  You have your automated scanners, proxies, manual testing, source code audit, fuzzing, exploiting, etc. 

I like to use this framework for pen testing.  I think that you can adapt it to your project.

http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html
~~~~~~~~~~~~~~
Ketchup

UNIX

Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Fri Feb 12, 2010 9:12 am

Re: Web Applications PenTesting Methodology

In terms of OWASP you might have a look at their Testing Guide, which may help additionally to what Ketchup already recommended.

Is source code audit within the scope?

Dark_Knight

Sr. Member

Posts: 294

Joined: Mon Aug 11, 2008 7:03 pm

Post Fri Feb 12, 2010 7:04 pm

Re: Web Applications PenTesting Methodology

Ketchup wrote:
I think that the same methodology as usual applies. You have your automated scanners, proxies, manual testing, source code audit, fuzzing, exploiting, etc.

I like to use this framework for pen testing.  I think that you can adapt it to your project.

http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html

Thanks for posting this. :)
CEH, OSCP, GPEN, GWAPT, GCIA
http://sector876.blogspot.com

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Sun Feb 14, 2010 8:16 am

Re: Web Applications PenTesting Methodology

Yes, source code audit is within the scope.
But with 60 000 lines of code, where should I start?

BTW, I am a web developer, so I understand the code well.
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Sun Feb 14, 2010 9:51 am

Re: Web Applications PenTesting Methodology

There are a bunch of source code auditing tools that may help you with this problem.  You can add a bit of manual spot checking as well. 

http://www.owasp.org/index.php/Source_Code_Analysis_Tools
~~~~~~~~~~~~~~
Ketchup

zeroflaw

Full Member

Posts: 208

Joined: Fri Feb 12, 2010 10:41 am

Location: Holland, Den Helder

Post Sun Feb 14, 2010 9:52 am

Re: Web Applications PenTesting Methodology

Well, if you're going to audit the source code, then I guess you could scan the code for possibly dangerous functions that perform jobs such as string concatenation, or forms that allow users to upload files to the server. Also find out how the application deals with sessions.

Because you already suspect some XSS and SQL injection vulnerabilities, I would mark all input fields and other possible entry points. Then find out how the code deals with those. Document all your findings, explain the vulnerabilities and how to fix them.

I don't know much about good tools, but I've used Acunetix Web Vulnerability Scanner last year and was very pleased with the results.

You probably figured most of this out already, but I'm just trying to help :P

ZF
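As an added illustration of the code-scanning approach zeroflaw describes (this is not code from the thread or from any poster), the Python script below flags hotspot lines in a constructed PHP-style sample: request entry points, SQL built by string concatenation, upload handlers, session calls and request data echoed without encoding. The sample source, rule names and hints are all made up for this example; a match only marks a line for manual review.

```python
import re

# Constructed PHP-style sample standing in for the code base discussed in
# the thread (not real project code). The prepared-statement pair and the
# htmlspecialchars() line are the safer variants and should not be flagged
# by the SQL-concatenation or raw-output rules.
SAMPLE_SOURCE = """<?php
session_start();
$user = $_GET['user'];
$sql = "SELECT * FROM accounts WHERE name = '" . $user . "'";
$res = mysql_query($sql);
$stmt = $pdo->prepare("SELECT * FROM accounts WHERE name = ?");
$stmt->execute([$user]);
move_uploaded_file($_FILES['doc']['tmp_name'], "/var/www/uploads/" . $_FILES['doc']['name']);
echo "Welcome " . $_POST['name'];
echo "Welcome " . htmlspecialchars($_POST['name'], ENT_QUOTES, 'UTF-8');
"""

# Hotspot heuristics: (category, regex, reviewer hint). A match marks a
# line for manual review; it is not by itself proof of a vulnerability.
RULES = [
    ("entry_point", re.compile(r"\$_(GET|POST|COOKIE|REQUEST|FILES)\b"),
     "user-controlled input enters here; trace where it flows"),
    ("sql_concat", re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b.*[\"']\s*\.\s*\$"),
     "SQL built by string concatenation; compare with a parameterised query"),
    ("legacy_sql", re.compile(r"\bmysql_query\s*\("),
     "query API without parameter binding"),
    ("file_upload", re.compile(r"\bmove_uploaded_file\s*\("),
     "upload handler; check name, type and size validation and storage path"),
    ("session", re.compile(r"\b(session_start|session_regenerate_id|setcookie)\s*\("),
     "session handling; check cookie flags and fixation protection"),
    ("raw_output", re.compile(r"\becho\b(?!.*htmlspecialchars).*\$_(GET|POST|COOKIE|REQUEST)"),
     "request data echoed without visible encoding; check output encoding"),
]

def triage(source):
    """Return (line_no, category, hint, code) tuples for every line matching a rule."""
    findings = []
    for n, line in enumerate(source.splitlines(), start=1):
        for category, pattern, hint in RULES:
            if pattern.search(line):
                findings.append((n, category, hint, line.strip()))
    return findings

def lines_by_category(findings):
    """Group flagged line numbers by category so review can be prioritised."""
    groups = {}
    for n, category, _, _ in findings:
        groups.setdefault(category, []).append(n)
    return groups
```

Running `triage(SAMPLE_SOURCE)` yields nine findings across six categories; `lines_by_category` gives a per-category worklist (for instance the one `sql_concat` hit on sample line 4) that can be walked through by hand, while the prepared-statement lines stay unflagged.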

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Sun Feb 14, 2010 6:58 pm

Re: Web Applications PenTesting Methodology

Thank you very much guys, I will give these tools a try this week.
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
