Penetration Testing mailing list archives

Re: Testing Middleware Application


From: Robinson DELAUGERRE <rdelaugerre () sdninternational com>
Date: Tue, 7 Jul 2009 22:37:25 +0200 (CEST)

Oh come ON! You sniff the traffic only if you can, and you can manipulate it as much as you want; if proper input 
validation has been made, you won't be able to do anything.
To answer OP, I hope you have validated your app against:
    -XSS (do you output anything to the user based on their input? Do you filter it?)
    -Remote code exec (is your server hardened enough?)
    -SQL Injection (if relevant, may be far-fetched, but if some of the input makes its way into a database query, make 
sure you filter it)
One of my mottos is that client-side security doesn't exist. So you must (as Mervyn suggested) suppose that an XML file 
will be injected into your app without any client-side validation. Therefore, you should be certain that all input from 
the XML is filtered (whitelisted) server-side.

Pointers to pen-test the app? OWASP disc. If nothing comes from all the apps included in this, you'll be safe from the 
skiddies. The rest is up to you.
What kind of attacker do you expect?
Will he allow a few minutes, some days, or a few months to try and hack your app? Then you'll know what you have to 
protect yourself against.

My 2 cents anyway.

rob'
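As an added illustration of the server-side whitelisting Rob describes (example code, written here and not taken from anyone in the thread): a validator for the kind of XML-over-HTTP request the OP's middleware receives. The element names, their allow-list patterns and the size limit are assumptions, since the thread never shows the real request format.

```python
import re
import xml.etree.ElementTree as ET

# Hypothetical request schema (an assumption, not the OP's real application):
# every accepted element maps to the allow-list pattern its value must match.
ALLOWED_FIELDS = {
    "customerId": re.compile(r"[0-9]{1,12}"),
    "action": re.compile(r"lookup|list"),
    "region": re.compile(r"[A-Z]{2}"),
}
REQUIRED_FIELDS = {"customerId", "action"}
MAX_BODY_BYTES = 4096

class InvalidRequest(ValueError):
    """Raised when the XML body fails whitelist validation."""

def validate_request(body: bytes) -> dict:
    """Return the whitelisted fields of an XML request, or raise InvalidRequest."""
    if len(body) > MAX_BODY_BYTES:
        raise InvalidRequest("body too large")
    if b"<!DOCTYPE" in body or b"<!ENTITY" in body:
        raise InvalidRequest("DTD/entity declarations are not accepted")
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        raise InvalidRequest(f"malformed XML: {exc}") from None
    if root.tag != "request" or root.attrib:
        raise InvalidRequest("unexpected root element")
    fields = {}
    for child in root:
        # Reject unknown, duplicated or nested elements and any attributes.
        if child.tag not in ALLOWED_FIELDS:
            raise InvalidRequest(f"unknown element <{child.tag}>")
        if len(child) or child.attrib or child.tag in fields:
            raise InvalidRequest(f"unexpected structure in <{child.tag}>")
        value = (child.text or "").strip()
        if not ALLOWED_FIELDS[child.tag].fullmatch(value):
            raise InvalidRequest(f"value of <{child.tag}> not in allow-list")
        fields[child.tag] = value
    missing = REQUIRED_FIELDS - fields.keys()
    if missing:
        raise InvalidRequest(f"missing required element(s): {sorted(missing)}")
    return fields

def check(body: bytes):
    """(True, fields) when the request is accepted, (False, reason) when rejected."""
    try:
        return True, validate_request(body)
    except InvalidRequest as exc:
        return False, str(exc)
```

Because the check is on the server and only the exact expected shape passes, it holds even when a front-end sends a hand-crafted file with no client-side validation at all.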

----- Original Message -----
From: "Mervyn" <barcajax () gmail com>
To: "Anant Iyer" <iyer.anant.r () gmail com>
Cc: pen-test () securityfocus com
Sent: Tuesday, 7 July 2009 19:40:12 GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna
Subject: Re: Testing Middleware Application

You already mentioned the obvious! XML over HTTP. Opportunity to sniff
and manipulate the traffic.

On Tue, Jul 7, 2009 at 12:17 PM, Anant Iyer <iyer.anant.r () gmail com> wrote:
Hello,

We have a middleware application to be pen-tested for security
bugs. The application serves requests from various front-end systems
(XML over HTTP) and, depending on these requests, retrieves the data
from various back-end repositories.
The development team has built a front-end just for (functional)
testing of this application in the UAT environment. In such a
scenario, I need some pointers on how I should perform the pentest of
this middleware application.

Regards,

Anant Iyer

