
Thread: Testing Web application for vulnerability

#1  |  Just burned his ISO  |  Join Date: May 2010  |  Posts: 7

    Testing Web application for vulnerability

    Hello.

    My friend is developing a web application and asked me to test it for security vulnerabilities. Since I'm not a pentester and I don't have enough knowledge for now, I plan to do this:

    First I will do a manual examination for insecure login mechanisms, hard-coding errors and JavaScript statements. Then I plan to execute a scan with W3AF (Audit & Grep) and also use Paros Proxy for URL crawling (Spider) & the Scan All function. Just for practice, I will also try DirBuster.

    My questions are: What do you think about my plan? And even more important: How bad is auditing a web application with W3AF on a remote web server, which is commercial? I think there is the option for an IPS to cut me off. How should I scan the web app? If I set up my own local web server (which I don't have), then that's not the web application's natural environment.

    Thank you.

#2  |  Archangel-Amael (Super Moderator)  |  Join Date: Jan 2010  |  Location: Somewhere  |  Posts: 8,012

    Re: Testing Web application for vulnerability

    Since you don't know what you are doing, here is a better idea. Stop and tell your "friend" you don't know what you are doing and therefore are not the best for the job.

#3  |  thorin (My life is this forum)  |  Join Date: Jan 2010  |  Posts: 2,629

    Re: Testing Web application for vulnerability

    You should simply suggest that your friend hire someone who possesses the skills and knowledge to carry out the testing he requires.

    Yes, you could use this as an opportunity to learn, but your learning experience should not override his need for a thorough test/audit.

    As for laws or terms of use etc. which may get in your way, there are all kinds. If you do a search around here there are lots of threads on legalities etc., and it is highly unlikely that as a home user you have an ISP that will be friendly when you decide to attack (test) someone's app. Nor is it likely that your friend's hosting provider or ISP will be happy with you either.

    http://www.backtrack-linux.org/forum...-opinions.html
    http://www.backtrack-linux.org/forum...-pointers.html

    Home - Web Application Security Consortium
    OWASP

    State Hacking Laws (US)
    Laws You May Not Even Know You're Breaking (US)
    C-46, Section 326 (Canada/Federal)
    C-46, Section 430 (Canada/Federal)
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

#4  |  Just burned his ISO  |  Join Date: May 2010  |  Posts: 7

    Of course I'm far from being the best for the job. But interpreting results could be a good start. I already told him that this is not my area of work. But it is better to do some checks than nothing at all.

    @thorin: Thanks. I will tell him that I can't do the job. I have searched for web application security on the forums and read those threads, and then I decided to publish this one. I didn't mean to exploit or do any attack on the application. I just thought to do some checks and look at the report.

    About IPS, I mean an intrusion detection system on the web server's side.

    Thanks for both responses.
    Last edited by balding_parrot; 06-04-2010 at 12:39 AM.

#5  |  roybatty (Junior Member)  |  Join Date: Jan 2010  |  Location: Tannhauser Gate  |  Posts: 55

    Re: Testing Web application for vulnerability

    Quote Originally Posted by Kenda:
        My questions are: What do you think about my plan?
    Forget it.
    I've seen things you people wouldn't believe.

#6  |  thorin (My life is this forum)  |  Join Date: Jan 2010  |  Posts: 2,629

    Re: Testing Web application for vulnerability

    Quote Originally Posted by Kenda:
        Of course I'm far from being the best for the job. But interpreting results could be a good start. I already told him that this is not my area of work. But it is better to do some checks than nothing at all.
    Yes, I agree, some sort of testing is better than nothing. I was simply concerned that your friend might not do anything beyond your testing.

    Quote Originally Posted by Kenda:
        @thorin: Thanks. I will tell him that I can't do the job. I have searched for web application security on the forums and read those threads, and then I decided to publish this one. I didn't mean to exploit or do any attack on the application. I just thought to do some checks and look at the report.
    With web application testing you can't really do much without actually "attacking" the application. For example, you can't verify if he's vulnerable to cross-site scripting attacks without trying to do a cross-site scripting attack (even if all you do is pop up an alert dialog, you've still carried out an "attack").

    Quote Originally Posted by Kenda:
        About IPS, I mean an intrusion detection system on the web server's side.
    Understood. The implications of IPS or IDS depend on how his app is hosted/served. Regardless of what mechanism identifies your activity (at the server, at your Internet Service Provider [ISP], at his ISP or hosting provider, etc.) it's still highly likely that you'd be breaking terms of use or the law. I'm sure this seems very disconcerting, but there are companies that do this type of work; it simply requires the correct contractual and legal framework in order to stay out of trouble.
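To make thorin's point concrete (you only learn whether a parameter is injectable by sending it an injection), here is an added example that is not part of the thread and not code from any poster. It uses three constructed stand-ins for the friend's application (one that echoes a `q` parameter into element text unescaped, one that escapes `<>&` but not quotes before placing it in an attribute, and one that escapes quotes too); the hostname `app.example`, the parameter name `q` and the `xssprobe` marker are assumptions. The probe sends an inert payload that introduces a made-up tag or attribute rather than a script, then parses the response the way a browser would, so a hit proves the input became markup without popping anything in anyone's browser.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, quote, urlsplit


# --- Constructed stand-ins for the friend's application (not real code) -----
# Each takes a request URL and returns the HTML the server would send back.

def _param(url: str, name: str) -> str:
    """Pull one query parameter out of a URL, as a web framework would."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def vulnerable_text_handler(url: str) -> str:
    # Echoes the parameter straight into element text: classic reflected XSS.
    return f"<h1>Search results for: {_param(url, 'q')}</h1>"


def weak_attribute_handler(url: str) -> str:
    # Escapes < > & but NOT quotes, then drops the value into an attribute.
    # An attacker can still close the quoted value and add attributes.
    return f'<input name="q" value="{html.escape(_param(url, "q"), quote=False)}">'


def fixed_attribute_handler(url: str) -> str:
    # Escapes quotes as well: the browser sees one attribute, nothing more.
    return f'<input name="q" value="{html.escape(_param(url, "q"), quote=True)}">'


# --- The probe --------------------------------------------------------------
# Inert payloads: a hit means the input became markup, but nothing executes.
# Replace with <script>alert(1)</script> only if you want the visible dialog.
MARKER = "xssprobe"                    # assumed, made-up tag/attribute name
TAG_PAYLOAD = f"<{MARKER}>"            # lands in text contexts
ATTR_PAYLOAD = f'" {MARKER}="1'        # breaks out of double-quoted attributes


class _MarkerFinder(HTMLParser):
    """Records whether MARKER appears as a tag name or as an attribute name."""

    def __init__(self) -> None:
        super().__init__()
        self.tag_hit = False
        self.attr_hit = False

    def handle_starttag(self, tag, attrs):
        if tag == MARKER:
            self.tag_hit = True
        if any(name == MARKER for name, _ in attrs):
            self.attr_hit = True


def _marker_landed(body: str):
    """Parse a response body and report (tag_hit, attr_hit)."""
    finder = _MarkerFinder()
    finder.feed(body)
    finder.close()
    return finder.tag_hit, finder.attr_hit


def probe_reflected_xss(handler, base_url: str, param: str) -> dict:
    """Send each payload through `handler` (a function standing in for an
    HTTP GET) and decide from the parsed response whether `param` is
    injectable. Escaped reflections (&lt;xssprobe&gt;) are reported as safe,
    because the browser would render them as text, not markup."""
    tag_hit, _ = _marker_landed(handler(f"{base_url}?{param}={quote(TAG_PAYLOAD)}"))
    _, attr_hit = _marker_landed(handler(f"{base_url}?{param}={quote(ATTR_PAYLOAD)}"))
    return {
        "param": param,
        "tag_injection": tag_hit,
        "attribute_injection": attr_hit,
        "vulnerable": tag_hit or attr_hit,
    }


if __name__ == "__main__":
    for name, handler in [("vulnerable_text_handler", vulnerable_text_handler),
                          ("weak_attribute_handler", weak_attribute_handler),
                          ("fixed_attribute_handler", fixed_attribute_handler)]:
        print(name, probe_reflected_xss(handler, "http://app.example/search", "q"))
```

Against a real target the handler argument would be a function that performs the GET and returns the body, and the "inert" payload is still a request the site owner has to have authorized in writing, which is the contractual framework thorin is talking about. The second handler is there because it is a common half-fix: escaping `<` and `>` stops the tag payload, yet the attribute payload still gets through until quotes are escaped as well.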
