The steps to find loopholes in web application

[sahamboi]

Hi all, how can i find a loopholes in web application. For example i have java web based application as a target. Expert says that java based application can be by passed without entering any password. So that what is a clue or loopholes should i find in the application. Is ther any tips can i refer.

Thanks

[scottm99]

If your expert was performing formal analysis on this web application, you should have received a report detailing the "how", "where", and "why" this application was compromised. Having someone tell you the application has holes in it without proof of said holes is useless, in my opinion.

That being said, there's no easy answer to your question. You've got to fuzz this application yourself.

[thorin]

For example i have java web based application as a target.

Are you talking about an JavaApplet or a JSP/Servlet web app?

Check for testing information via OWASP:
https://www.owasp.org/index.php/OWASP_Testing_Project
https://www.owasp.org/index.php/OWAS...le_of_Contents

If you actually have a grasp of how web applications function and how HTTP works, then you could try browsing the application via a personal proxy and analyzing the details that pass through the proxy for weaknesses.

Lastly if you really don't know much about web application and HTTP, then hire a professional to do a web application VA or penetration test on the web app in question.

Expert says that java based application can be by passed without entering any password.

If this is really the extent of the details provided by whatever "expert" then they aren't much of an "expert".