Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Re: A new Start

From: kartsios_list () secureinfohighway com
Date: 21 Jun 2006 16:14:48 -0000
What you are talking about (port 8401 open with telnet access, mysql running and apache with urchin5) could lead you to 
a penetration testing of the server.. 
But to perform a penetration test for the web application you must follow a different approach, such as source code 
auditing, file injection, sql injection etc.. 

Talking about this could take a lot of space so it is easier to direct you to some papers that already exist on the net 
and could be a helpfull start for you.

Some of them in securityfocus are 
Common security vulnerabilities in e-commerce systems in www.securityfocus.com/infocus/1775
Penetration testing for web applications part one two and three in www.securityfocus.com/infocus/1704 1709 and 1722 
respectively.

In addition you can also go for some tools of the trade by the form of freeware or even trial if you want to try them 
out.. Such tools could be appdetective or similar.. that tests both the application and the db backend..
Now if you want to follow a more hands-on approach, as it concernes DOS attacks or malformed input, sql injection etc. 
You must identify all input methods to your application and then try input validation on it.(malformed input, too 
large, too small,not expected input..etc.)

Vasilis Kartsios
Information Security Analyst
_____________________

Secure Information Highway
B.Georgiou 20A
55132 
Thessaloniki, Greece
_____________________

Tel.: +30 (2310)=A0887889
Fax.: +30 (2310)=A0850265 
www.secureinfohighway.com

------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security? 
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's 
Choice Award from eWeek. As attacks through web applications continue to rise, 
you need to proactively protect your applications from hackers. Cenzic has the 
most comprehensive solutions to meet your application security penetration 
testing and vulnerability management needs. You have an option to go with a 
managed service (Cenzic ClickToSecure) or an enterprise software 
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can 
help you: http://www.cenzic.com/news_events/wpappsec.php 
And, now for a limited time we can do a FREE audit for you to confirm your 
results from other product. Contact us at request () cenzic com for details.
------------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: