Re: Pointers to Free Web Vulnerability Scanners for Blackbox testing

From: Serg B (sergeslists@gmail.com)
Date: Tue Dec 11 2007 - 17:10:19 EST


Hi Rajiv,

I get a little defensive when people try to pass off an automatic scan
as a valid pen-test conclusion. Since you have clarified yourself, I
do apologise.

In regards to original questions:

1.
See #3

RE: scope, it's actually important since you want to be testing a
webapp, not the server or an underlying infrastructure. It's important
to know where to stop and pass the out-of-scope items to another team.

2.
Burp and Paros are proxies that you should use. As for an automatic
scanner, Paros has a spidering and scanning ability; to be honest
though, I have never got a true positive when I use its scanning
feature. You should just check manually for the issues described in
the OWASP guide; it provides enough details to know how to test them.
Automatic tools will not find most of them, including a more serious
class of issues such as authorisation and authentication; these are
application-specific and require human intervention.

Also have a look at SQL Ninja (I have never used it); it may be useful
for scanning for some obvious SQL injection stuff. As for me, I use the
SQL cheat sheet
(http://ferruh.mavituna.com/makale/sql-injection-cheatsheet/).

Below are semi-automatic tools that I strongly recommend (in addition
to the proxies):

FireFox with the following add-ons:
Firebug (v1.05 or above)
Greasemonkey (and XSS Assistant for the add-on).
Cookie Editor (v0.2.1.2 or above)
RefControl (v0.8.9 or above)
Web Developer Toolbar (v1.1.4 or above)
JSView (1.5 or above)

These are my preferred tools, though; somebody else may have their own
bag of tricks.

3.
OWASP is pretty much all you need. You may also want to take a look at:

http://download.microsoft.com/documents/uk/msdn/security/The%20Developer%20Highway%20Code.pdf

which is very much like OWASP.

Searching Security Focus and OSVDB websites may also yield some good results.

I am sure other people will have a lot to add as well.

   Serg
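The scoping point above (test the webapp, know where to stop, and hand the out-of-scope items to another team) can be enforced mechanically rather than by memory. The following is an added example, not code from this thread or from any of the tools named in it: a small Python scope filter that classifies candidate URLs against a hypothetical, constructed engagement scope and collects everything outside it as a hand-off list. The scope definition, host names and URLs are all made up for illustration.

```python
from urllib.parse import urlsplit

# Constructed scope for a hypothetical engagement (not a real target):
#   in_scope      - exact hosts, or "*.host" for any subdomain of host
#   path_prefixes - URL paths the client agreed to have tested
#   excluded_paths- paths the client explicitly carved out
SCOPE = {
    "in_scope": ["app.example.test", "*.app.example.test"],
    "path_prefixes": ["/"],
    "excluded_paths": ["/admin/"],
}


def host_in_scope(host, patterns):
    """True if host matches an exact entry or a '*.suffix' wildcard entry."""
    host = host.lower().rstrip(".")
    for pat in patterns:
        pat = pat.lower()
        if pat.startswith("*."):
            suffix = pat[1:]            # "*.app.example.test" -> ".app.example.test"
            # endswith on the dotted suffix stops "evil-app.example.test" matching
            if host.endswith(suffix):
                return True
        elif host == pat:
            return True
    return False


def classify_url(url, scope=SCOPE):
    """Return ("in", reason) or ("out", reason) for a single URL."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        # Not web traffic at all: belongs to the infrastructure team, not the webapp test
        return "out", "non-web scheme '%s'" % parts.scheme
    if not parts.hostname:
        return "out", "no hostname"
    if not host_in_scope(parts.hostname, scope["in_scope"]):
        return "out", "host %s outside scope" % parts.hostname
    path = parts.path or "/"
    for excluded in scope["excluded_paths"]:
        if path.startswith(excluded):
            return "out", "path %s explicitly excluded" % excluded
    if not any(path.startswith(p) for p in scope["path_prefixes"]):
        return "out", "path outside agreed prefixes"
    return "in", "ok"


def triage(urls, scope=SCOPE):
    """Split URLs into in-scope targets and an out-of-scope hand-off list.

    Each entry is (url, reason) so the hand-off note explains why the item
    was set aside instead of silently dropping it.
    """
    in_scope, handoff = [], []
    for url in urls:
        verdict, reason = classify_url(url, scope)
        (in_scope if verdict == "in" else handoff).append((url, reason))
    return in_scope, handoff


if __name__ == "__main__":
    # Constructed sample of URLs a proxy or spider might have collected
    sample = [
        "https://app.example.test/login",
        "https://api.app.example.test/v1/users",
        "https://app.example.test/admin/users",
        "https://www.example.test/",
        "https://evil-app.example.test/",
        "ftp://app.example.test/",
    ]
    targets, notes = triage(sample)
    print("In scope:")
    for url, _ in targets:
        print("  ", url)
    print("Hand off to another team:")
    for url, reason in notes:
        print("  ", url, "-", reason)
```

Feeding the proxy history or spider output through `triage` before any manual testing keeps the test on the agreed application, and the hand-off list is the "quick note" for interesting things just outside scope.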

On Dec 11, 2007 10:09 PM, Rajiv Vishwa <rajivvishwa@gmail.com> wrote:
> Hi Serg,
>
> I'm new to the pen test group and also to the company I work at.
> The project I was talking about is not a commercial one.
> This is just an 'activity' which is assigned to me by a non-security guy. I
> was asked all the questions I asked you guys.
> I've used tools like nessus, nmapFE, metasploit, paros, fortify scanner, nCircle
> etc. but I was told to get some free tool and get a report which is similar
> to the report generated by 'Acunetix' or 'WebInspect'.
>
> I think i can explain my questions better
>
> >1. What are the important things to remember while doing blackbox web app
> testing?
> I wanted a checklist which I can use to make sure I don't miss out something
> at the end of the project. Like the pentest framework in "
> http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html" I needed a
> framework for webapp testing.
>
> > 2. Suggest some best free tools which are available to perform the test?
> I did not mean notepad++ kind of tools obviously. I meant free tools like
> the ones in the backtrack, but meant for web app testing in Windows
> preferably.
>
> > 3. Where do I find the recommendation in case the tools report various
> vulns in the site?
> I meant websites like owasp.org which is a fav for sec experts to check for
> the details of vulns and mitigation. So instead of searching in google I
> can search in these websites first.
>
> On Dec 11, 2007 11:08 AM, Serg B <sergeslists@gmail.com> wrote:
> >
> > > 1. What are the important things to remember while doing blackbox web
> app testing?
> > You need to define a scope (perhaps one has been defined for you
> > already) and stay within scope. If there is something interesting
> > slightly outside of it; make a quick note (in case you want to come
> > back to it and move on).
> >
> >
> > > 2. Suggest some best free tools which are available to perform the test?
> > OWASP security guide, Paros proxy, Charles proxy (not free), Burp
> > proxy, Notepad++, a scripting language of your choice. Depends on what
> > you are doing...
> >
> >
> > > 3. Where do I find the recommendation in case the tools report various
> vulns in the site?
> > Google? Or ask the guy who has assigned you to the project.
> >
> >
> >
> > > 4. What is the traffic generated on the site due to the test?
> > As much as you generate with those best free tools of yours.
> >
> >
> > From the above questions (and please don't take it the wrong way) but
> > perhaps you are not the best person for the task?
> >
> >
> > Serg
> >
> > On 7 Dec 2007 03:22:07 -0000, <rajivvishwa@gmail.com> wrote:
> > > Hi Guys,
> > >
> > >
> > > I've been assigned to a project in which I'm asked to get a report on
> vulnerabilities present in a website hosted by my client. I'm new to
> blackbox testing on web applications. The duration of the project is 1.5
> months. Can anyone comment on the following points?
> > >
> > > 1. What are the important things to remember while doing blackbox web
> app testing?
> > >
> > > 2. Suggest some best free tools which are available to perform the test?
> > >
> > > 3. Where do I find the recommendation in case the tools report various
> vulns in the site?
> > >
> > > 4. What is the traffic generated on the site due to the test?
> > >
> > >
> > > Any suggestions would be appreciated.
> > >
> > >
> > > Regards,
> > >
> > > Rajiv,
> > >
> > > Security Team
> > >

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:15 EDT