
Black box testing on a website

Poll: Black box testing

without hacking tools: 1 vote (100%)
using snort: 0 (No votes)

Total votes: 1
<<

jamesb7555

Newbie

Posts: 2

Joined: Sat Apr 02, 2011 8:31 am

Post Sat Apr 02, 2011 8:43 am

Black box testing on a website

Can anyone help me with how to perform black box testing for a website?

Need urgent help!!!!!!!

Thanks in advance
James.b
<<

KrisTeason

Hero Member

Posts: 515

Joined: Sat Sep 08, 2007 7:48 pm

Location: /dev/null

Post Sat Apr 02, 2011 11:46 am

Re: Black box testing on a website

Hey jamesb7555!

The chances of you asking that question make the chances of you being hired for that position slim. This would make us wonder if you had permission at all to go about performing this test. We don't condone illegal activity here. Welcome to the EthicalHacker Network.

-Kris
eCPPT (Silver/Gold), eWPT, GSEC, GISP, GCIH, OSCP, OSWP
<<

AndyB67

Full Member

Posts: 100

Joined: Fri Jan 14, 2011 7:13 am

Location: UK

Post Sat Apr 02, 2011 3:13 pm

Re: Black box testing on a website

If someone can point me in the right direction of some good reading materials, I'd be interested in finding out how to black and white box a website.

I'd like to find out if there are any vulnerabilities in a website I admin as I'm not too happy with the patching and updates as well as the software versions that the host is running.
Net+ Sec+ More to come
<<

rattis

Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Sat Apr 02, 2011 5:25 pm

Re: Black box testing on a website

AndyB wrote: If someone can point me in the right direction of some good reading materials, I'd be interested in finding out how to black and white box a website.

I'd like to find out if there are any vulnerabilities in a website I admin as I'm not too happy with the patching and updates as well as the software versions that the host is running.


Hacking for Dummies. I'm not kidding either. The latest edition will explain them enough to understand what they are.

However, for your patches and whatnot, go with something like Nessus. However, it depends on the rules that the hosting provider allows, and you'll probably still want to let them know ahead of time, and get a get out of jail free card.
OSWP, Sec+
<<

rattis

Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Sat Apr 02, 2011 5:32 pm

Re: Black box testing on a website

xXxKrisxXx wrote:
Chances of you asking that question makes the chances of you being hired for that position slim.


Kris, could have been worse, he could have asked how to do a Black HAT pentest instead. Director said he had contracts for a WHITE HAT and a BLACK HAT pen-test on his desk.

Sadder thing is, that's actually what the contract said.

Worse than that, I had to break it to him that we wouldn't pass a vulnerability test, let alone a full-on pen test. Actually had a policy in place to not upgrade the boxes there.
OSWP, Sec+
<<

UNIX

Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Sun Apr 03, 2011 2:27 am

Re: Black box testing on a website

AndyB wrote: If someone can point me in the right direction of some good reading materials, I'd be interested in finding out how to black and white box a website.

I'd like to find out if there are any vulnerabilities in a website I admin as I'm not too happy with the patching and updates as well as the software versions that the host is running.


The Web Application Hacker's Handbook gives a gentle introduction into the topic.
<<

venom77

Hero Member

Posts: 1905

Joined: Mon Dec 11, 2006 3:23 pm

Post Sun Apr 03, 2011 10:09 am

Re: Black box testing on a website

<<

AndyB67

Full Member

Posts: 100

Joined: Fri Jan 14, 2011 7:13 am

Location: UK

Post Sun Apr 03, 2011 1:51 pm

Re: Black box testing on a website

chrisj wrote: However, for your patches and whatnot, go with something like Nessus. However, it depends on the rules that the hosting provider allows, and you'll probably still want to let them know ahead of time, and get a get out of jail free card.


The site has been hacked 3 times in 4 years (they changed the site's default language to Swedish once) and I know from the logs that it's not the PHP app that we're using or that they brute forced the passwords (26 character pass-phrase) but the SQL on the machine was a much older version and not patched fully.

Have had quite a discussion with their tech and sales guys about this and was thinking about doing a discreet white & black test to give me some ammo to light a fire up their asses
Net+ Sec+ More to come
<<

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Mon Apr 04, 2011 6:35 am

Re: Black box testing on a website

Have had quite a discussion with their tech and sales guys about this and was thinking about doing a discreet white & black test to give me some ammo to light a fire up their asses


BTW AndyB, you know that by doing a "discreet" pentest on a web site, even on a Dev box, you must have written permission?

Don't get yourself into trouble!!!  ;)
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

arkansasclp

Newbie

Posts: 2

Joined: Mon Apr 04, 2011 1:34 pm

Post Mon Apr 04, 2011 2:03 pm

Re: Black box testing on a website

I would agree with H1t M0nk3y. Even performing a pentest against a resource that is owned by the company you work for, does not give you permission to perform the test. I have seen helpdesk techs get into hot water for "pentesting" the company web server.
MCSA / MCSE / CLA / CLP / CCNA / CCDA / CEH / SECURITY+
<<

jamesb7555

Newbie

Posts: 2

Joined: Sat Apr 02, 2011 8:31 am

Post Sat Apr 09, 2011 12:38 pm

Re: Black box testing on a website

Thanks to one and all who replied. I am doing my dissertation; as a part of that I need to assess a fake website. For that I have to know the steps for black box testing.
<<

AndyB67

Full Member

Posts: 100

Joined: Fri Jan 14, 2011 7:13 am

Location: UK

Post Sat Apr 09, 2011 5:04 pm

Re: Black box testing on a website

I've got the verbal go-ahead and should have the written go-ahead in my inbox when I get back into work after my week's leave.

Got some books on the way and, if this weather holds up, will spend the week in the back garden with a cold drink or 3 and do some serious reading. 

Work out a plan of attack and see just what I can do.  Will be interesting to have the website/server control console up, watching the logs realtime on one machine whilst I probe from another!
Net+ Sec+ More to come
<<

treasur3

Newbie

Posts: 5

Joined: Sat May 07, 2011 11:34 pm

Location: Sri Lanka

Post Sun May 08, 2011 2:26 pm

Re: Black box testing on a website

I don't know what you meant by directions, but first of all you need to have legal permission from the target environment. Better make it written. If your question is how to perform a pentest, it's the normal process of a pentest; everyone has their own methods.
Treasure's Security Blog
http://treasuresec.com
Follow me on Twitter
http://twitter.com/treasure_sec
<<

sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Mon May 09, 2011 7:31 am

Re: Black box testing on a website

Without getting into a Wikipedia like entry here, let's take a look at what goes on with white-listing.

You have a machine with an application - say notepad. You create an entry called acc_note which when notepad is called, is validated against a list, then allowed to run. How is this application being validated?

Unless there are strong checksums against that application, nothing stops me - as an attacker - from binding rogue calls to that application, which, when run, will allow me to run code even more-so now, because that application was deemed trusted. You also need to understand that in order to whitelist, you will likely need to whitelist includables (DLLs, *.so's and so on) to make it truly effective. Any updates, you will need to go back through the whole process. See the dilemma here?

This is not to say that whitelisting is a failure; however, this is to point out the notion that simply by whitelisting all is well. In an enterprise environment, maintaining a list of what is legitimate and what is not can be cumbersome. This is because most operating systems issue updates which would change any checksum-based systems. Administrators tasked with maintaining these systems will likely learn to overlook re-calculating checksums. Most of this overlooking can come directly from management in their effort to get things done "right now."

You can read more from two heavyweights (Ranum and Schneier) on this subject here:
http://searchsecurity.techtarget.com/ma ... acklisting

A better approach at whitelisting boils down to whitelisting CONNECTIVITY. This is the MOST CRUCIAL, misunderstood and overlooked element here. E.g., you have a machine, say a DB. Its role is to take data stored INSIDE the environment and populate it elsewhere. It makes much more sense to whitelist all the machines INSIDE the local network and block the others. Same rings true across the board. Even in an outbreak, the machine would be programmed to talk to no one else BUT trusted sources. This can be accomplished on the local machine as well as egress points to ensure there would be no data leaks.

This is where people fail miserably. In their approach, not to forget the fact that too many people have been following the words of others for so long when the initial design was wrong to begin with. E.g.: "Input validation versus Output Validation" Can you seriously control what people try to input? If you think you can, you're mistaken. You may be able to control what your machine processes, but it won't stop anyone from attempting to input it will it? You will beat yourself to a bloody pulp trying to concoct massive amounts of counters however, you CAN control what your machine puts OUT every single time. YOU and only YOU know what your machine is supposed to distribute. This is ALWAYS under your control and the applicable rules ARE under your control. It's all in the approach and understanding.

E.g., statistically, a DB needs to return a total of 10 variables with a sum of say 10k to render a query complete (to show someone their account summary). You can easily create a counter that says: "Look machine, at no point in time should you ever go over this maximum amount of variables. 10 fields for a sum of 10k." This is a much stronger rule since your machine would not OUTPUT an error message or website with more than that. Data leakage is minimized to 10 variables at 10k. Versus trying to create voodoo rules that won't work because you won't be able to keep up with millions of attackers consistently trying.
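
The output rule from the last two paragraphs of sil's post, as an added example that is not part of the original post: a reply is refused unless it stays within 10 fields and 10k. The field names, the reading of 10k as 10,000 bytes, and the extra check on field names are assumptions that go beyond what the post states.

```python
import json

MAX_FIELDS = 10       # from the post: at most 10 variables per reply
MAX_BYTES = 10_000    # from the post: "10k", read here as 10,000 bytes (assumption)
# Hypothetical field names for an account summary; only these may leave.
ALLOWED_FIELDS = frozenset({
    "account_id", "holder", "currency", "balance", "available",
    "last_login", "last_txn_date", "last_txn_amount", "status", "branch",
})

class OutputPolicyViolation(Exception):
    """Raised instead of sending a reply that breaks the output rule."""

def guard_output(row):
    """Serialize one reply row, or refuse if it exceeds the output budget."""
    if len(row) > MAX_FIELDS:
        raise OutputPolicyViolation(f"{len(row)} fields > {MAX_FIELDS}")
    extra = set(row) - ALLOWED_FIELDS
    if extra:
        raise OutputPolicyViolation(f"unexpected fields: {sorted(extra)}")
    body = json.dumps(row, separators=(",", ":")).encode("utf-8")
    if len(body) > MAX_BYTES:
        raise OutputPolicyViolation(f"{len(body)} bytes > {MAX_BYTES}")
    return body

def respond(row):
    """Fail closed: a violating reply becomes a fixed, data-free error."""
    try:
        return 200, guard_output(row)
    except OutputPolicyViolation:
        # A real service would log the detail server-side; it is never echoed.
        return 500, b'{"error":"request could not be completed"}'

# Constructed sample rows.
NORMAL = {"account_id": 1001, "holder": "A. Example", "balance": "250.00"}
# A row carrying a column the summary page never asks for.
LEAKY = dict(NORMAL, password_hash="x" * 60)
# A row whose size is far beyond what an account summary needs.
BULKY = dict(NORMAL, holder="A" * 20_000)
```

The guard sits at the last point before data leaves the machine, so it applies no matter what input produced the row.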
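
The checksum problem from the start of sil's post, as an added example (not code from the post): the allow-list entry covers the program and the libraries it loads, and the demo shows a replaced library, a name-only list that misses it, and an update that fails until the baseline is rebuilt. File names and contents are constructed; `acc_note` is the entry name from the post and `helper.dll` is hypothetical.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    """Stream a file through SHA-256 so large binaries are not read whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(files):
    """Baseline: record a digest for the program AND every library it loads."""
    # Keyed by file name for brevity; a real list would key on the full path.
    return {Path(f).name: sha256_file(f) for f in files}

def verify(files, manifest):
    """Return (allowed, problems). Any unknown or changed file denies the run."""
    problems = []
    for f in files:
        name = Path(f).name
        if name not in manifest:
            problems.append(f"{name}: not in allow-list")
        elif sha256_file(f) != manifest[name]:
            problems.append(f"{name}: digest changed")
    return (not problems, problems)

def demo():
    """Constructed files stand in for notepad and one of its libraries."""
    with tempfile.TemporaryDirectory() as d:
        exe, lib = Path(d, "notepad.exe"), Path(d, "helper.dll")
        exe.write_bytes(b"constructed program image v1")
        lib.write_bytes(b"constructed library v1")
        acc_note = build_manifest([exe, lib])   # entry name from the post
        clean = verify([exe, lib], acc_note)
        # The program is untouched, but a library it loads was replaced.
        lib.write_bytes(b"constructed library, modified")
        swapped = verify([exe, lib], acc_note)
        # A name-only list (no checksums) cannot see that change at all.
        name_only = all(Path(f).name in acc_note for f in (exe, lib))
        # A vendor update looks identical to tampering until re-baselined.
        exe.write_bytes(b"constructed program image v2")
        updated = verify([exe, lib], acc_note)
        rebased = verify([exe, lib], build_manifest([exe, lib]))
        return clean, swapped, name_only, updated, rebased
```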
<<

jacobadam

Newbie

Posts: 10

Joined: Thu May 12, 2011 1:31 am

Post Thu May 12, 2011 1:57 am

Re: Black box testing on a website

Specific knowledge of the application's code/internal structure and programming knowledge in general is not required. Test cases are built around specifications and requirements, i.e., what the application is supposed to do. It uses external descriptions of the software, including specifications, requirements, and design to derive test cases. These tests can be functional or non-functional, though usually functional. The test designer selects valid and invalid inputs and determines the correct output. There is no knowledge of the test object's internal structure.