Penetration Testing mailing list archives
RE: Pentest of BPM Product
From: "Paul Melson" <pmelson () gmail com>
Date: Thu, 8 Apr 2010 15:02:47 -0400
Does anybody have experience in carrying out an application pentest of any BPM products like Pega? If so, then can anybody please let me know what are the basic points to keep in mind while carrying out pentest of such products?
The truly significant difference in testing a BPM app is the rules engine. You'll want to see if you can escalate privileges within the app or otherwise compromise different types of accounts in order to bypass rules that support separation of duties and so on. So understanding your client's intended use case is probably important to demonstrating a vulnerability like this. Otherwise it's the typical webapp/appsvr/db stack of stuff most COTS web apps are built on. So bring your WebSphere sploits from 2002. They probably still work.
On an additional note, are there any legal issues in carrying out a pentest of a product application which is deployed at a client's organization?
Yes. :-)

PaulM
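The separation-of-duties test Paul describes (can the account that submits a request also approve it, directly or by compromising a second account type?) is easier to plan with a concrete model of the rule being probed. The following is an added example written for this archive, not code from the thread and not a description of Pega or any real BPM product: an in-memory submit/approve workflow with a deliberately weak rules engine whose SoD check keys on a client-supplied `actor` field (a constructed flaw), beside a hardened engine that evaluates the rule against the authenticated session, plus the three probes a tester would run against each. All class names, the `actor` field and the role names are assumptions for illustration.

```python
"""Added example: constructed model of a BPM separation-of-duties (SoD) rule.
Nothing here describes a real product; the workflow, role names and the
'actor' body field are hypothetical."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    """Server-side session: the identity the application actually authenticated."""
    user: str
    roles: frozenset


@dataclass
class Request:
    rid: int
    submitter: str
    state: str = "submitted"
    approver: Optional[str] = None


class SoDViolation(Exception):
    """Raised when the rules engine blocks a self-approval."""


class BaseEngine:
    def __init__(self):
        self.requests = {}
        self.next_id = 1

    def submit(self, session: Session) -> int:
        rid = self.next_id
        self.next_id += 1
        self.requests[rid] = Request(rid, session.user)
        return rid

    def actor_for(self, session: Session, body: dict) -> str:
        raise NotImplementedError

    def approve(self, session: Session, rid: int, body: dict) -> Request:
        actor = self.actor_for(session, body)
        if "approver" not in session.roles:
            raise PermissionError("approver role required")
        req = self.requests[rid]
        if req.submitter == actor:
            raise SoDViolation("submitter may not approve own request")
        req.state = "approved"
        req.approver = actor
        return req


class WeakEngine(BaseEngine):
    """Constructed flaw: the SoD rule compares the submitter against an
    'actor' value taken from the request body, so the client can name someone else."""
    def actor_for(self, session, body):
        return body.get("actor", session.user)


class HardenedEngine(BaseEngine):
    """The SoD rule is evaluated against the authenticated session only."""
    def actor_for(self, session, body):
        return session.user


def run_sod_tests(engine_cls) -> dict:
    """Three probes against a submit/approve workflow. True means the engine
    blocked the abusive attempt, or allowed the legitimate control case."""
    results = {}
    alice = Session("alice", frozenset({"submitter", "approver"}))  # dual-role account
    bob = Session("bob", frozenset({"approver"}))

    # 1. Plain self-approval with a dual-role account.
    eng = engine_cls()
    rid = eng.submit(alice)
    try:
        eng.approve(alice, rid, {})
        results["self_approval_blocked"] = False
    except SoDViolation:
        results["self_approval_blocked"] = True

    # 2. Same session, but the body claims the approval is performed by bob.
    eng = engine_cls()
    rid = eng.submit(alice)
    try:
        eng.approve(alice, rid, {"actor": "bob"})
        results["spoofed_actor_blocked"] = False
    except SoDViolation:
        results["spoofed_actor_blocked"] = True

    # 3. Control: a genuine second approver must still succeed.
    eng = engine_cls()
    rid = eng.submit(alice)
    req = eng.approve(bob, rid, {})
    results["legit_approval_ok"] = req.state == "approved" and req.approver == "bob"
    return results


if __name__ == "__main__":
    print("weak:    ", run_sod_tests(WeakEngine))
    print("hardened:", run_sod_tests(HardenedEngine))
```

Against a real deployment the probes are the same three requests, issued through the application's own submit and approve actions with the client's intended roles: a dual-role or escalated account approving its own item, the same attempt with any identity-bearing field in the request tampered, and a clean second-approver control so a blocked result can be attributed to the rule rather than to a broken workflow.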
Current thread:
- Pentest of BPM Product Anant Iyer (Apr 08)
- RE: Pentest of BPM Product Paul Melson (Apr 13)