Web application testing

[only.samurai at gmail.com (Andrew Ellis)]

I'm a big fan of the WASC TC v2 for a comprehensive list of
vulnerabilities to look for:
http://projects.webappsec.org/Threat-Classification

As for testing, there's a few ways to do this based on the environment
you're working with. If your customer only has a production
environment and no development servers can be tested, have them backup
the databases and turn off any sort of email notifications (don't want
to be spamming with our testing) and run the test outside of business
hours.

Estimating time lines depends on your methodology. If you're using an
automated scanner, generally I've looked to the number of pages/forms
and my past experience with the tool to generate a rough estimate.
Even with a lot of experience with a given tool, I still come across
sites that were built with very little regard to conventional web
standards and have seen scans I expected to take a few hours run for a
day or too. This is also very dependent on your level of skill
configuring the scanner for the particular application.

If the site you're looking to evaluate is small, you may be able to do
this by-hand depending on your experience. I wouldn't recommend going
at a large web application (something very active with hundreds of
pages and many features) by-hand alone. Those I generally tackle with
a well thought-out automated scan and from those results I run the
manual assessment.

~andrew

On Thu, Feb 11, 2010 at 7:57 PM, Tim Mugherini <gbugbear at gmail.com> wrote:
> I'm not a heavy web guy but I Agree a good place to start reading would be OWASP
>
> http://www.owasp.org/index.php/File:OWASP_T10_-_2010_rc1.pdf
>
> http://www.greebo.net/owasp/OWASP%202010%20Top%2010%20Cheat%20Sheet.pdf
>
> T
>
> On Thu, Feb 11, 2010 at 5:40 PM, Christian Frichot <xntrik at gmail.com> wrote:
> > Hi Aaron,
> > I would start by having a look at the materials that www.owasp.org have to
> > provide.
> > That would be a good start.
> > And as you mentioned, you should always test against a non-production
> > environment, if possible (and/or based on a risk assessment).
> > I know some testers can give estimates based on the number of pages, but I
> > can't comment on how accurate that is. It depends on your experience and the
> > size of the app and what sort of results they're expecting.
> > Good luck!
> >
> > On Thu, Feb 11, 2010 at 11:42 PM, Aaron <subdriven at gmail.com> wrote:
> > > Hello, all!
> > >
> > > There may come a time where I'll have to do some web application
> > > testing. I was wondering if this wonderful group had some good
> > > resources for best practices, good reporting methodologies, estimates
> > > of time involved to just do basic testing, etc. Of course since it
> > > will be web application testing it is going to require doing XSS, SQL
> > > injection testing/attacking, and possibly some code review.
> > >
> > > I'm also wondering how most people go about this sort of test. I am
> > > not sure I would feel comfortable testing against a live system in
> > > case I manage to really destroy stuff so I would have to test against
> > > a copy or a test/dev site. From the experiences others have had, is
> > > that something the customer usually provides or do they hand over the
> > > basics of the application and it becomes my responsibility to set it
> > > up in a lab environment? Is there a rule of thumb for time estimates
> > > for these kinds of tests or is it just a shot in the dark guess?
> > >
> > > Thanks in advance for any insight!
> > >
> > > Aaron
> > > _______________________________________________
> > > Pauldotcom mailing list
> > > Pauldotcom at mail.pauldotcom.com
> > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > Main Web Site: http://pauldotcom.com
> >
> >
> >
> > --
> > Christian Frichot
> > e: xntrik at gmail.com
> > w: http://un-excogitate.org
> >
> >
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom at mail.pauldotcom.com
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com



-- 
Andrew Ellis
http://blog.psych0tik.net