PaulDotCom mailing list archives

Steps taken During a Web App Pentest
From: mmcgrew1 at mail.csuchico.edu (Michael McGrew)
Date: Mon, 8 Jun 2009 12:04:54 -0700

Probably the first thing I do when I come across a web app is try to get to
a place that I should not be. For example, I just got hired on a development
team for a web application. Being a new hire, I didn't have a username or
password for the web app, and the web app is such that you need a username
and password to get anywhere in the application. So I poked around... I
found a javascript file that has some window.open methods for popup windows.
So I took those URLs that the window.open methods open, put them in the web
browser, and it turns out that they left out the block of authorization code
on some pages! So I was given access to pages without a username and
password! And on these pages, I was able to read, update, and delete data.
Moral of the story: poke around; you will have to do things manually.

Every web app is very different; it's not like network pen testing. It takes
actual manual testing and web knowledge to get anywhere in a web app pen
test. Understand how ajax works, understand cookies, understand what a SQL
authentication query most likely looks like.

On Sat, Jun 6, 2009 at 11:55 AM, <infolookup at gmail.com> wrote:

Hello All:

I am tasked with doing a basic web app pentest of a server that we are about
to give external users access to.

Background:

I work for a university: no security department, no budget to hire an
auditor.

We are about to put one of our training servers on our DMZ so that Faculty
and Staff members can access it from home for Microsoft and other
application video tutorials.


Since my boss is aware that I am interested in infosec I was given the
green light to test the app/server and report back anything that can aid in
locking it down.

Question:

Since there are so many tools and ways to go about this, I would like to
know how others go about a web app pentest; you don't have to give away any
trade secrets  :)-.

I am just looking for an efficient way to go about this!


Specs:

OS: Windows 2003 running in a VMware, ESX 3.5.

Application:  Training package, with a bundled windows version of a LAMP
setup.

Access Method: http.

Thanks in advance.
Sent from my Verizon Wireless BlackBerry
_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
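The missing-authorization problem Michael describes (page URLs sitting in a JavaScript file's window.open calls, some of which served content with no login) lends itself to a regression check you can run against your own application before it goes on the DMZ. The script below is an added example, not code from the thread or from either poster: it extracts every URL passed to window.open, requests each one with no session, and flags any page that answers with content instead of a login redirect or a 401/403. The JavaScript fragment, the server responses and the `fake_fetch` callback are constructed sample data so it runs offline; against a real test instance you would replace `fake_fetch` with a function that issues the HTTP request and returns the status code and Location header.

```python
"""Added example (not from the mailing-list thread): regression check for
pages reachable without authentication.

Extract every URL passed to window.open() in a JavaScript file, request each
one anonymously, and report those that serve content rather than redirecting
to login or returning 401/403. Everything below is constructed sample data.
"""
import re
from typing import Callable, Dict, Iterable, List, Set, Tuple

# Matches window.open('...') or window.open("...") and captures the URL argument.
WINDOW_OPEN_RE = re.compile(r"""window\.open\(\s*(['"])(.*?)\1""")

# Constructed sample: a fragment of the kind of JavaScript the reply describes.
SAMPLE_JS = """
function showReport() { window.open('/reports/view.php?id=1', 'rpt'); }
function editUser()   { window.open("/admin/users/edit.php", "usr"); }
function help()       { window.open('/help/index.php', 'help', 'width=400'); }
"""


def extract_window_open_urls(js_source: str) -> List[str]:
    """Return the distinct URLs passed as the first argument of window.open()."""
    seen: List[str] = []
    for _quote, url in WINDOW_OPEN_RE.findall(js_source):
        if url not in seen:
            seen.append(url)
    return seen


def unauthenticated_ok(status: int, location: str) -> bool:
    """True if the response is an acceptable answer to an anonymous request:
    an explicit 401/403, or a redirect whose target is the login page."""
    if status in (401, 403):
        return True
    if status in (301, 302, 303, 307) and "login" in location.lower():
        return True
    return False


def find_unprotected(urls: Iterable[str],
                     fetch: Callable[[str], Tuple[int, str]]) -> List[str]:
    """Call fetch(url) -> (status, location) for each URL with no session and
    return the URLs that served content to an anonymous client."""
    return [u for u in urls if not unauthenticated_ok(*fetch(u))]


# Constructed responses standing in for the server; /admin/users/edit.php is
# the page whose authorization block was left out.
SAMPLE_RESPONSES: Dict[str, Tuple[int, str]] = {
    "/reports/view.php?id=1": (302, "/login.php"),
    "/admin/users/edit.php": (200, ""),
    "/help/index.php": (200, ""),  # intentionally public help page
}


def fake_fetch(url: str) -> Tuple[int, str]:
    """Hypothetical stand-in for an HTTP client: returns (status, Location)."""
    return SAMPLE_RESPONSES.get(url, (404, ""))


# Pages documented as requiring no login; anything else must enforce auth.
PUBLIC_ALLOWLIST: Set[str] = {"/help/index.php"}


def audit(js_source: str, fetch: Callable[[str], Tuple[int, str]],
          allowlist: Set[str]) -> List[str]:
    """Return URLs found in the JavaScript that are neither allowlisted as
    public nor protected by an authentication check."""
    urls = extract_window_open_urls(js_source)
    return [u for u in find_unprotected(urls, fetch) if u not in allowlist]


if __name__ == "__main__":
    for u in audit(SAMPLE_JS, fake_fetch, PUBLIC_ALLOWLIST):
        print("missing authorization check:", u)
```

The allowlist is the important design choice: every page is treated as requiring a login unless it is explicitly listed as public, so a new page that forgets its authorization block fails the check instead of silently passing. The same test is worth wiring into the build so the regression Michael found cannot reappear after the next deploy.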
