WebApp Sec mailing list archives
RE: Defining scope of web application pentest
From: "Marco M. Morana" <marco.m.morana () gmail com>
Date: Sat, 8 Dec 2007 15:53:24 -0500
Vishal Typically the pen test effort should be directed to test the web application for common web application vulnerabilities. The main areas that you would like to focus on in a pen test are: 1) configuration management, 2) session management, 3) input and output validation, 4) data protection and encryption, 5) error handling 6) authorization 7) authentication 8) auditing and logging. External penetration tests for internet facing web applications (also called ethical hacks or web application vulnerability assessments) usually exclude the back end infrastructure as scope for the test and focus on testing the application and the web server where the application resides. As part of the pen test you look at webs server vulnerabilities due to un-safe (un-hardened) configuration (e.g. SSL with weak ciphers enabled, default admin files not disabled, HTTP methods such as TRACE not disabled, admin port open, non required services etc). These vulnerabilities are the ones that can be exploited externally from the web site. You obviously need to look at the infrastructure as well but this usually is in scope for other assessments. Beside common vulnerabilities, you might also want to cover specific threats to the application that you had previously identified with a threat analysis of the application using threat modeling. You can also integrate security tests as part of your application functional tests during the verification phase of the SDLC where you will test for both functional and non-functional malicious scenarios. I suggest discussing the testing objectives with the project stakeholders and capture clearly the objectives for the test first. Are these for auditing purposes? Do you need to test for potential vulnerabilities? You should have testing objectives defined as well as testing criteria and a methodology that follow a guideline. If you do not know where to start I recommend looking at the OWASP testing guide http://www.owasp.org/index.php/Penetration_Testing as well as the other OWASP free available resources. Regards Marco Morana OWASP Cincinnati Chapter Leader http://www.owasp.org/index.php/Cincinnati http://securesoftware.blogspot.com -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Vishal Garg Sent: Friday, December 07, 2007 12:48 PM To: webappsec () securityfocus com Subject: Defining scope of web application pentest Hi, Can anyone please tell what needs to be considered while defining the scope of a web application penetration test. Here I am concerned only about the web application and the web server that would exclude every other bit related to the infrastructure (such as firewall or a proxy etc). Also how do we calculate the effort required to test a web application. The things which I think may be considered are the number of static and dynamic pages and types of users involved etc. But what else can be considered? Any inputs would be highly appreciated. Cheers Vishal ------------------------------------------------------------------------- Sponsored by: Watchfire Methodologies & Tools for Web Application Security Assessment With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today! https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F ------------------------------------------------------------------------- ------------------------------------------------------------------------- Sponsored by: Watchfire Methodologies & Tools for Web Application Security Assessment With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today! https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F -------------------------------------------------------------------------
Current thread:
- Defining scope of web application pentest Vishal Garg (Dec 08)
- RE: Defining scope of web application pentest Marco M. Morana (Dec 08)
- RE: Defining scope of web application pentest (now scope of an annual medical exam) Clement Dupuis (Dec 12)
- Re: Defining scope of web application pentest (now scope of an annual medical exam) Andy Steingruebl (Dec 14)
- RE: Defining scope of web application pentest (now scope of an annual medical exam) Clement Dupuis (Dec 14)
- Re: Defining scope of web application pentest (now scope of an annual medical exam) Andy Steingruebl (Dec 14)
- RE: Defining scope of web application pentest (now scope of an annual medical exam) Clement Dupuis (Dec 12)
- RE: Defining scope of web application pentest (now scope of an annual medical exam) Vishal Garg (Dec 14)
- RE: Defining scope of web application pentest Marco M. Morana (Dec 08)
- RE: Defining scope of web application pentest Debasis Mohanty (Dec 15)