WebApp Sec mailing list archives

Re: Defining scope of web application pentest


From: Paul Johnston <paj () pajhome org uk>
Date: Sun, 09 Dec 2007 14:55:50 +0000

Hi,

In terms of the web application, first be sure to clarify exactly what you're covering. Just the user-facing app? Or is there an administration section as well? Often there can be lots of hidden parts of a site, e.g. for online banking there can be many different account types supported - they need to give you credentials which cover all the types that are in scope.

There are a few practical questions:
1) Black box application test, or code review?
I wouldn't recommend a purely black box test - at least give the testers credentials, and some design info.
2) Test against development or live?
Testing against a pre-production environment is usually best.
3) Is it just technical app testing, or does it include things like the testers social engineering your help desk? This is more an "ass-covering" question than anything; I'm not expecting the client to want social engineering.

In terms of sizing, I've generally found asking for numbers of dynamic pages and forms is a bit futile; I rarely get accurate answers, and they have limited utility. I'm fortunate, working in an in-house team without cross-charge - accurate estimates are not required. I simply rate jobs as little (2 days) or big (5 days) and if I don't finish, just ask for more time. If you need an accurate estimate, the best approach is to get credentials and have a look round the application yourself.

In terms of reviewing the web server, there's a whole lot here:
Patch / vulnerability scan of the OS (like Nessus/Foundstone)
Config review of web server
Config review of application server

Quite often organisations will already have a decent setup for patch scanning all their servers, so you can skip the first one. One important point: while app scanning on pre-prod is usually ok (because code deployments tend to be well controlled), infrastructure type scanning is usually best done on live, unless you're happy with their controls to ensure consistent configuration between pre-prod and live.

Quality scoping is a mix of technical knowledge, understanding the client's business, and (for consultancies) sales. If you get the opportunity, shadow someone experienced doing a scoping meeting.

Paul
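Added example (not part of Paul's reply or anything from the original thread): if you do take the "get credentials and look round yourself" route, a quick inventory of what an authenticated crawl returns is a more honest sizing input than a page count supplied by the client. The script below walks a handful of constructed sample pages (the `SAMPLE_PAGES` dict is made up for illustration; a real run would replace it with pages fetched under each in-scope role) and pulls out the things that actually drive test effort: distinct dynamic URLs and their query parameters, distinct forms by action/method/parameter signature, and any links or form actions that land in an admin area and therefore need a separate set of credentials. The `/admin` prefix and the host `app.example` are assumptions, not something from the thread.

```python
"""Rough web-app scoping inventory from crawled HTML.

Added example; the sample pages below are constructed, not real pages.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urljoin, urlparse

# Constructed sample pages standing in for what an authenticated crawl would return.
SAMPLE_PAGES = {
    "https://app.example/": """
        <a href="/about.html">About</a>
        <a href="/account?id=42">My account</a>
        <a href="/search?q=test&page=1">Search</a>
        <form action="/login" method="post">
          <input name="username"><input name="password" type="password">
          <input type="submit">
        </form>
    """,
    "https://app.example/account?id=42": """
        <a href="/account?id=43">Next account</a>
        <a href="/admin/">Admin</a>
        <form action="/account/update" method="post">
          <input name="email"><input type="hidden" name="id" value="42">
          <input type="submit">
        </form>
    """,
    "https://app.example/admin/": """
        <form action="/admin/users" method="get">
          <input name="filter"><select name="role"><option>user</option></select>
        </form>
        <form action="/login" method="post">
          <input name="username"><input name="password">
        </form>
    """,
}

ADMIN_PREFIX = "/admin"  # assumed convention for the admin area


class InventoryParser(HTMLParser):
    """Collect absolute links and forms (action, method, named inputs) from one page."""

    def __init__(self, base):
        super().__init__()
        self.base = base
        self.links = []
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(urljoin(self.base, a["href"]))
        elif tag == "form":
            self._form = {
                "action": urljoin(self.base, a.get("action") or self.base),
                "method": (a.get("method") or "get").lower(),
                "params": set(),
            }
        elif tag in ("input", "select", "textarea") and self._form is not None:
            if a.get("name"):  # unnamed inputs (e.g. submit buttons) carry no parameter
                self._form["params"].add(a["name"])

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def inventory(pages):
    """Return the counts that feed a sizing estimate.

    dynamic_urls: paths reached with a query string, de-duplicated by path.
    forms: distinct (action path, method, sorted parameter names) signatures, so
           the same login form on several pages counts once.
    parameter_count: total distinct query and form parameters, i.e. injection points.
    admin_paths: anything under ADMIN_PREFIX, which needs its own credentials.
    """
    dynamic = {}  # path -> set of query parameter names
    forms = {}    # signature -> number of pages it appeared on
    static, admin = set(), set()
    for url, html in pages.items():
        p = InventoryParser(url)
        p.feed(html)
        for link in p.links:
            u = urlparse(link)
            if u.query:
                dynamic.setdefault(u.path, set()).update(parse_qs(u.query))
            else:
                static.add(u.path)
            if u.path.startswith(ADMIN_PREFIX):
                admin.add(u.path)
        for f in p.forms:
            path = urlparse(f["action"]).path
            key = (path, f["method"], tuple(sorted(f["params"])))
            forms[key] = forms.get(key, 0) + 1
            if path.startswith(ADMIN_PREFIX):
                admin.add(path)
    param_total = sum(len(v) for v in dynamic.values()) + sum(len(k[2]) for k in forms)
    return {
        "dynamic_urls": sorted(dynamic),
        "forms": sorted(forms),
        "static_paths": sorted(static),
        "admin_paths": sorted(admin),
        "parameter_count": param_total,
    }


if __name__ == "__main__":
    for k, v in inventory(SAMPLE_PAGES).items():
        print(k, v)
```

On the sample pages this reports two dynamic paths, three distinct form signatures (the login form appears on two pages but is counted once), nine parameters in total, and two admin paths, which is the kind of detail that tells you whether a job is "little" or "big" and which extra account types you must ask for before starting.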


Vishal Garg wrote:

Hi,

Can anyone please tell me what needs to be considered while defining the scope of a web application penetration test. Here I am concerned only about the web application and the web server, which would exclude every other bit related to the infrastructure (such as a firewall or a proxy etc.). Also, how do we calculate the effort required to test a web application? The things which I think may be considered are the number of static and dynamic pages and the types of users involved, etc. But what else can be considered?

Any inputs would be highly appreciated.

Cheers
Vishal


-------------------------------------------------------------------------
Sponsored by: Watchfire Methodologies & Tools for Web Application Security Assessment With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------