Penetration Testing mailing list archives
Re: Pen testing techniques
From: "Nathan Sportsman" <nsportsman () gmail com>
Date: Wed, 9 Apr 2008 16:32:49 -0500
Running an automated assessment tool, however expensive, should only be part of assessment. Tools such as Core Impact will help determine vulnerable services, etc, but cannot identify flaws in the business logic of the application. Similarly, you cannot solely rely on a static analysis tool to perform code reviews. Such tools only identify low hanging fruit. I continue to preach this over and over until I am blue in the face. The value add you should be giving the client is your insight, experience, and problem solving which goes beyond simply selecting tools from a bag. If you are testing for SQL injection, then I can assume the website is serving up dynamic pages that allows user interaction. From what you have stated it appears all data is transmitted in plaintext over port 80. Are credentials or other sensitive data passed to the application? If so, why is this not transmitted over SSL? This is a potential issue. If credentials are required and authentication is performed how is authtication handled? Authorization? User & session management? Error & Exception Handling? Yada yada yada. This is by no means an all encompassing and I cannot write out an entire checklist. Its just a starting point on the nomenclatures you should keep in mind. An assessment should not just focus on configuration management and data validation, which appear to be the areas you are trying to cover. There are other tests you should perform in these categories though too. I hope this helps. Good Luck, Nathan Sportsman On Wed, Apr 9, 2008 at 2:48 PM, Atif Azim <azim.atif () gmail com> wrote:
Hello, I am new to pen testing and am currently involved in doing an external pen test for one of our clients.We are doing it through Core Impact.Reconnaisance showed only port 80 as open and the web server running IIS 6.0.Core Impact did not find any vulnerabilities in the server and hence was unable to penetrate.The web application was also tested for SQL Injection and PHP remote file inclusion and did not find any vulnerabilities there either. My question is what else can we do besides relying on Core Impact for this pen test.And what impression can a client get if we say to them that there are no vulnerabilites in your network or web app.Its dificult to digest something like that for a security specialist that everythings alright. Looking forward to some great views.Thanks. Regards, Atif Azim ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
Current thread:
- Pen testing techniques Atif Azim (Apr 09)
- RE: Pen testing techniques Shenk, Jerry A (Apr 09)
- Re: Pen testing techniques Nathan Sportsman (Apr 09)
- Re: Pen testing techniques Jason (Apr 09)
- Re: Pen testing techniques jond (Apr 09)
- Re: Pen testing techniques Atif Azim (Apr 09)
- Re: Pen testing techniques Erik Harrison (Apr 11)
- Re: Pen testing techniques Joey Peloquin (Apr 11)
- Re: Pen testing techniques vtlists (Apr 11)
- Re: Pen testing techniques jond (Apr 09)
- Re: Pen testing techniques v3nd3rs5uck (Apr 11)
- RE: Pen testing techniques Jason (Apr 12)
- Re: Pen testing techniques Nathan Sportsman (Apr 12)
- Re: Pen testing techniques intel96 (Apr 09)