Penetration Testing mailing list archives
Re: Testing Middleware Application
From: Robinson DELAUGERRE <rdelaugerre () sdninternational com>
Date: Tue, 7 Jul 2009 22:37:25 +0200 (CEST)
Ow come ON! You sniff the traffic only if you can, and you can manipulate it as much as you want; if proper input validation has been made, you won't be able to do anything.

To answer OP, I hope you have validated your app against:
- XSS (do you output anything to the user based on its input? Do you filter it?)
- Remote code exec (is your server hardened enough?)
- SQL Injection (if relevant, may be far fetched, but if some of the input makes its way into a database query, make sure you filter it)

One of my mottos is that client-side security doesn't exist. So you must (as Mervyn suggested) suppose that an XML file will be injected in your app without any client-side validation. Therefore, you should be certain that all input from the XML is filtered (whitelisted) server-side.

Pointers to pen test the app? OWASP disc. If nothing comes from all the apps included in this, you'll be safe from the skiddies. The rest is up to you. What kind of attacker do you expect? Will he allow a few minutes, some days, or a few months to try and hack your app? Then you'll know what you have to protect yourself against...

My 2 cents anyway...

rob'

----- Original Mail -----
From: "Mervyn" <barcajax () gmail com>
To: "Anant Iyer" <iyer.anant.r () gmail com>
Cc: pen-test () securityfocus com
Sent: Tuesday 7 July 2009 19:40:12 GMT +01:00 Amsterdam / Berlin / Berne / Rome / Stockholm / Vienne
Subject: Re: Testing Middleware Application

You already mentioned the obvious! XML over HTTP. Opportunity to sniff and manipulate the traffic.

On Tue, Jul 7, 2009 at 12:17 PM, Anant Iyer <iyer.anant.r () gmail com> wrote:
> Hello,
>
> We have a middleware application to be pen-tested for security bugs. The application serves requests from various front-end systems (XML over HTTP) and depending on these requests, retrieves the data from various back-end repositories. The development team has built a front-end just for testing (functional) this application in the UAT environment.
>
> In such a scenario, I need some pointers on how I should perform the pentest of this middleware application.
>
> Regards,
> Anant Iyer
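One way to implement the server-side whitelisting Robinson describes for an XML-over-HTTP middleware request, as an added example that is not code from this thread: the `<lookup>` request shape, the element names, their patterns and the sqlite `accounts` table are all assumptions made up for the illustration.

```python
import re
import sqlite3
import xml.etree.ElementTree as ET

# Allowlist for the assumed <lookup> request: element name -> pattern the whole
# value must match. Anything not listed here is rejected outright.
ALLOWED_FIELDS = {
    "account_id": re.compile(r"[0-9]{1,12}"),
    "region": re.compile(r"[A-Z]{2}"),
}

class InvalidRequest(ValueError):
    """Raised when the XML does not match the allowlist exactly."""

def validate_request(xml_text: str) -> dict:
    """Return only allowlisted, pattern-checked fields; reject everything else."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise InvalidRequest(f"malformed XML: {exc}") from None
    if root.tag != "lookup" or root.attrib:
        raise InvalidRequest("unexpected root element or attributes")
    fields = {}
    for child in root:  # unknown elements, attributes and nesting are all rejected
        if child.tag not in ALLOWED_FIELDS or child.attrib or len(child):
            raise InvalidRequest(f"unexpected element <{child.tag}>")
        value = (child.text or "").strip()
        if not ALLOWED_FIELDS[child.tag].fullmatch(value):
            raise InvalidRequest(f"value of <{child.tag}> fails allowlist pattern")
        fields[child.tag] = value
    missing = set(ALLOWED_FIELDS) - set(fields)
    if missing:
        raise InvalidRequest(f"missing fields: {sorted(missing)}")
    return fields

def lookup(conn: sqlite3.Connection, xml_text: str) -> list:
    """Validate first, then query with bound parameters (no string building)."""
    fields = validate_request(xml_text)
    cur = conn.execute(
        "SELECT balance FROM accounts WHERE id = ? AND region = ?",
        (int(fields["account_id"]), fields["region"]),
    )
    return [row[0] for row in cur.fetchall()]

def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table so the example runs offline (sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER, region TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", [(42, "FR", 100), (7, "DE", 250)])
    return conn
```

A real deployment would also cap the request size and parse with a library hardened against entity expansion; the point here is that nothing from the XML reaches the query unless it matched the allowlist, and even then only as a bound parameter.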