Penetration Testing mailing list archives
Re: Manday for Web Pentest
From: "kevin horvath" <kevin.horvath () gmail com>
Date: Wed, 28 May 2008 22:54:08 -0400
You need to find out from the client how many transactions the app performs (not static pages but actual functions, such as transactions done through servlets, for example), how users authenticate (form-based user/pass or multi-stage with soft/hard tokens, for example), and how many accounts there are at different privilege levels (you need at least 2 accounts at every level to test horizontal and vertical attacks). Additionally, you also want to know if this app is tied into any other apps, such as taking in data and/or authentication tokens from another app, for example from a business partner. Basically, you need to walk through the application yourself briefly and get detailed information from the client for each app. With this said, app tests should take anywhere from 4 to 20 working days (or even more), including reporting.

Kevin

On Wed, May 28, 2008 at 2:24 AM, <thientam82 () gmail com> wrote:
Dear list,

Would you be able to share with me how you estimate the effort (man-day) for a web pentest project? Previously, I quoted man-days based on number of pages, number of functions, criticalness of transaction, ... Each project normally takes about 3 to 6 man-days. I want to formalize the effort estimation for WebPT. Any suggestion is appreciated.

Thanks