Re: Pen testing techniques

["Nathan Sportsman" <nsportsman () gmail com>]

Running an automated assessment tool, however expensive, should only
be part of assessment.  Tools such as Core Impact will help determine
vulnerable services, etc, but cannot identify flaws in the business
logic of the application.  Similarly, you cannot solely rely on a
static analysis tool to perform code reviews. Such tools only identify
low hanging fruit.  I continue to preach this over and over until I am
blue in the face.  The value add you should be giving the client is
your insight, experience, and problem solving which goes beyond simply
selecting tools from a bag.

If you are testing for SQL injection, then I can assume the website is
serving up dynamic pages that allows user interaction.  From what you
have stated it appears all data is transmitted in plaintext over port
80. Are credentials or other sensitive data passed to the application?
 If so, why is this not transmitted over SSL? This is a potential
issue. If credentials are required and authentication is performed how
is authtication handled?  Authorization? User & session management?
Error & Exception Handling?  Yada yada yada.  This is by no means an
all encompassing and I cannot write out an entire checklist.  Its just
a starting point on the nomenclatures you should keep in mind.  An
assessment should not just focus on configuration management and data
validation, which appear to be the areas you are trying to cover.
There are other tests you should perform in these categories though
too.  I hope this helps.

Good Luck,
Nathan Sportsman

On Wed, Apr 9, 2008 at 2:48 PM, Atif Azim <azim.atif () gmail com> wrote:
> Hello,
> I am new to pen testing and am currently involved in doing an external
> pen test for one of our clients.We are doing it through Core
> Impact.Reconnaisance showed only port 80 as open and the web server
> running IIS 6.0.Core Impact did not find any vulnerabilities in the
> server and hence was unable to penetrate.The web application was also
> tested for SQL Injection and PHP remote file inclusion and did not
> find any vulnerabilities there either.
>
> My question is what else can we do besides relying on Core Impact for
> this pen test.And what impression can a client get if we say to them
> that there are no vulnerabilites in your network or web app.Its
> dificult to digest something like that for a security specialist that
> everythings alright.
>
> Looking forward to some great views.Thanks.
>
> Regards,
> Atif Azim
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
> ------------------------------------------------------------------------

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------