Hello.
My friend is developing a web application and asked me to test it for security vulnerabilities. Since I'm not a pentester and I don't have enough knowledge for now, I plan to do this:
First I will do a manual examination for insecure login mechanisms, hard-coding errors and JavaScript statements. Then I plan to execute a scan with W3AF (Audit & Grep) and also use Paros Proxy for URL crawling (Spider) & the Scan All function. Just for practice, I will also try DirBuster.
My questions are: What do you think about my plan? And even more important: How bad is auditing a web application with W3AF on a remote web server, which is commercial? I think there is an option for the IPS to cut me off. How should I scan the web app? If I set up my own local web server (which I don't have), then that's not the web application's natural environment.
Thank you.
Since you don't know what you are doing, here is a better idea. Stop and tell your "friend" you don't know what you are doing and therefore are not the best for the job.
You should simply suggest that your friend hire someone who possesses the skills and knowledge to carry out the testing he requires.
Yes you could use this as an opportunity to learn but your learning experience should not over-ride his need for a thorough test/audit.
As for laws or terms of use etc which may get in your way there are all kinds. If you do a search around here there are lots of threads on legalities etc and it is highly unlikely that as a home user you have an ISP that will be friendly when you decide to attack (test) someone's app. Nor is it likely that your friend's hosting provider or ISP is likely to be happy with you either.
http://www.backtrack-linux.org/forum...-opinions.html
http://www.backtrack-linux.org/forum...-pointers.html
Home - Web Application Security Consortium
OWASP
State Hacking Laws (US)
Laws You May Not Even Know You're Breaking (US)
C-46, Section 326 (Canada/Federal)
C-46, Section 430 (Canada/Federal)
I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.
I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.
Of course I'm far from being the best for the job. But interpreting results could be a good start. I already told him that this is not my area of work. But it is better to do some checks than nothing at all.
@thorin: Thanks. I will tell him that I can't do the job. I have searched for web application security on the forums and read these threads, and then I decided to publish this one. I didn't mean to exploit or do any attack on the application. I just thought to do some checks and look at the report.
About IPS, I mean an intrusion detection system on the web server's side.
Thanks for both responses.
Last edited by balding_parrot; 06-04-2010 at 12:39 AM.
Yes I agree, some sort of testing is better than nothing. I was simply concerned that your friend might not do anything beyond your testing.
With web application testing you can't really do much without actually "attacking" the application. For example you can't verify if he's vulnerable to cross-site scripting attacks without trying to do a cross-site scripting attack (even if all you do is pop up an alert dialog, you've still carried out an "attack").
Understood. The implications of IPS or IDS depend on how his app is hosted/served. Regardless of what mechanism identifies your activity (@ the server, @ your Internet Service Provider [ISP], @ his ISP or Hosting provider, etc) it's still highly likely that you'd be breaking terms of use or the law. I'm sure this seems very disconcerting but there are companies that do this type of work, it simply requires the correct contractual and legal framework in order to stay out of trouble.