Penetration Testing mailing list archives
RE: Web App Complexity Metrics / Scoping a Web App
From: "Debasis Mohanty" <debasis.mohanty.listmails () gmail com>
Date: Tue, 31 Mar 2009 08:53:04 +0530
You may like to take a look at - TA-Mapper: Application Penetration Testing Effort Estimator
http://www.coffeeandsecurity.com/resources/tools/tamapper.aspx

-d

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Jonathan Cran
Sent: 27 March 2009 20:42
To: NeZa
Cc: pen-test () securityfocus com
Subject: RE: Web App Complexity Metrics / Scoping a Web App
-----Original Message-----
From: NeZa [mailto:danuxx () gmail com]
Sent: Friday, March 27, 2009 2:07 AM
To: Jonathan Cran
Cc: pen-test () securityfocus com
Subject: Re: Web App Complexity Metrics / Scoping a Web App

Hi Jonathan,

I think in order to know the complexity of a web app you do not need to take care of the number of backend components like databases because, at the end of the day, you will be talking to the Web App Front End trying to hit the backend indirectly, so if you have a cluster of databases or just one or 3 different database engines you do not care 'cause the front end is the same.

App with Web service interface: I think this is a totally different scope, so even if you come to know the web app also has a client to talk to a web service you should put this effort as part of another test with another scope.

Javascript, FLASH supported: Good point. It can add complexity.

Number of Static - Dynamic pages: Sometimes even Developers do not know this info, but let's suppose you get a response of 5 static and 10 dynamic pages ... so???? This does not tell you anything about complexity; you could have one dynamic page with dozens of AJAX and POST Requests, but this level of detail is not going to be gotten from the previous answer (5, 10).

So, in my personal experience the ideal situation is to have a Functional Testing Team so that you can ask them for test cases and this way you can understand the application flow and the complexity by yourself. Second option, if no functional testing team is there, then prepare your own test cases, understand the application flow, the complexity of filling out the forms (sometimes because of AJAX updates on the fly), the kind of access control, whether the app supports AJAX, FLEX, FLASH, others. After doing this exercise, which is a one-time effort, in coming tests of the app you will know for sure the complexity.

My 2 cents!!
On Wed, Mar 25, 2009 at 1:44 PM, Jonathan Cran <jcran () 0x0e org> wrote:

Since we're on the topic of metrics, I'd like to throw out this question:

How are you currently scoping web applications for review? I'm trying to come up with a better way to measure the complexity of applications (and thus, the time required to test). I'd like to keep it as simple as possible.

Here's what I've got so far:
- How many backend components are involved? (Database / Middle Tier)
- Does the application have a web services interface?
- Are client-side - javascript - flash - or other RIA technologies used for business logic?
- How many static pages?
- How many dynamic pages?

What other metrics are you using to scope application assessments?

jcran
jcran () 0x0e org

--
Daniel Regalado aka NeZa
Hacker Wanna Be from Nezahualcoyotl
www.macula-group.com
NeZa

You're right. I include questions about the back-end structure more as an indicator of complexity of the application, rather than a direct correlation with testing resources / time.

Dynamic pages vs static pages - yeah. Horrible metric. Good point about AJAX.

I agree that web services can add significantly to scope, and it's a different type of testing. However, I'm seeing more and more applications architected with /some form/ of web services, whether it's 3rd party or in-house.

GREAT IDEA on asking for functional testing plans. Hadn't thought of this. I'll definitely ask on my next test.

Also, if you can get the client to agree to a webex with an engineer, it's helpful. This has saved me a significant amount of time trying to understand the app, even if you can only get the engineer for an hour or two.

jcran
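As an added example that is not part of the thread: a small Python scoping aid that tallies what NeZa argues actually drives effort (distinct endpoints, parameters, AJAX and state-changing requests) from a proxy or crawl log, instead of counting static versus dynamic pages. The log tuple format, the path normalisation and the weights are my own assumptions, not anything proposed by the posters.

```python
# Added scoping aid (not from the thread). Counts endpoints, parameters,
# state-changing calls and XHR traffic from an assumed request log format.
from collections import defaultdict
from urllib.parse import urlparse, parse_qs
import re


def _template(path):
    """Collapse numeric path segments so /orders/17 and /orders/42 count once."""
    return re.sub(r"/\d+(?=/|$)", "/{id}", path)


def scope_metrics(requests):
    """requests: iterable of (method, url, body_param_names, is_xhr) tuples (assumed format)."""
    params = defaultdict(set)   # endpoint template -> parameter names seen
    methods = defaultdict(set)  # endpoint template -> HTTP methods seen
    xhr = 0
    for method, url, body, is_xhr in requests:
        u = urlparse(url)
        ep = _template(u.path)
        params[ep].update(parse_qs(u.query).keys())
        params[ep].update(body)
        methods[ep].add(method.upper())
        xhr += int(is_xhr)
    n_params = sum(len(s) for s in params.values())
    state_changing = sum(1 for m in methods.values() if m & {"POST", "PUT", "DELETE"})
    return {
        "endpoints": len(params),
        "parameters": n_params,
        "state_changing_endpoints": state_changing,
        "xhr_requests": xhr,
        # Assumed weighting: parameters and state-changing endpoints dominate test time.
        "score": len(params) + 2 * n_params + 3 * state_changing + xhr,
    }


# Constructed sample: two "pages" that fan out into many distinct requests.
SAMPLE = [
    ("GET", "https://app.example/account", [], False),
    ("POST", "https://app.example/account/update", ["name", "email"], True),
    ("GET", "https://app.example/api/orders?page=1&sort=date", [], True),
    ("GET", "https://app.example/api/orders/17", [], True),
    ("GET", "https://app.example/api/orders/42", [], True),
    ("DELETE", "https://app.example/api/orders/42", [], True),
    ("GET", "https://app.example/help", [], False),
]

if __name__ == "__main__":
    print(scope_metrics(SAMPLE))
```

The score is only a relative figure for comparing applications against each other; two nominal pages here yield five endpoints, four parameters and two state-changing calls, which is the kind of detail a "5 static, 10 dynamic" answer hides.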