.

Zend Framwork - Pentest

<<

ledieu

Newbie
Newbie

Posts: 2

Joined: Sat Jan 14, 2012 9:06 am

Post Sat Jan 14, 2012 9:08 am

Zend Framwork - Pentest

Hi there,

Soon i'll be performing an pentest on a webapplication that has been build using the Zend framework.
Are there any suggestions what I should look for besides the normal web vulnerabilities? So anything in particular related to the Zend framework?

Cheers.
LeDieu.
<<

millwalll

Post Sun Jan 15, 2012 7:44 am

Re: Zend Framwork - Pentest

If I was you I would look for owasp top 10 then look for default directories might be idea to install zend on local machine to have look where things like database settings are stored.

Apart from that it hard to give any more advice as it depends on what version they are using.
<<

MaXe

User avatar

Hero Member
Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Sun Jan 15, 2012 2:53 pm

Re: Zend Framwork - Pentest

Along with what Jamie.R suggested, try to do a completely "default" installation, where you don't alter settings to improve security. Look for misconfigurations that could lead to various types of bugs as described in e.g., the owasp top 10 or whatever you prefer  :) For many years, cPanel had a few misconfigurations that lead to e.g., dns zone transfers, etc.
I'm an InterN0T'er
<<

nytfox

User avatar

Newbie
Newbie

Posts: 20

Joined: Mon Nov 28, 2011 1:54 am

Post Sun Jan 29, 2012 2:35 am

Re: Zend Framwork - Pentest

I'm not sure how much this will help . but in to knowledge Zend Core Framework is pretty secured, once I did a pentest on a Zend . their was not much exploit . but I found some XSS , and Redirection flows and miss functions in vote poll . all because of poor verification on submitions
Unlike others I love NULLS
http://treasuresec.com
<<

ledieu

Newbie
Newbie

Posts: 2

Joined: Sat Jan 14, 2012 9:06 am

Post Sun Jan 29, 2012 3:40 am

Re: Zend Framwork - Pentest

nytfox wrote:I'm not sure how much this will help . but in to knowledge Zend Core Framework is pretty secured, once I did a pentest on a Zend . their was not much exploit . but I found some XSS , and Redirection flows and miss functions in vote poll . all because of poor verification on submitions


@nytfox Ahh great thanks mate that is just the stuff I was looking for!

@Jamie.R and @MaXe Thanks for your advice, but your advice is more applicable to PHP in general. OWASP Top 10 and default installation failures are pretty common in the default PHP install. But I am really looking for issues that Zend framework based apps have. Still thanks for your comment though!

LeDieu
<<

nytfox

User avatar

Newbie
Newbie

Posts: 20

Joined: Mon Nov 28, 2011 1:54 am

Post Tue Jan 31, 2012 12:27 am

Re: Zend Framwork - Pentest

BTW if its possible for you do a code analysis and see if you can identify bugs inside the code. 
Unlike others I love NULLS
http://treasuresec.com

Return to Web Applications

Who is online

Users browsing this forum: No registered users and 0 guests

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software