Re: Testing Middleware Application

From: Robinson DELAUGERRE (rdelaugerresdninternational.com)
Date: Tue Jul 07 2009 - 15:37:25 CDT


Ow come ON! You sniff the traffic only if you can, and you can manipulate it as much as you want, if proper input validation has been made, you won't be able to do anything.
To answer OP, I hope you have validated your app against:
    -XSS (do you output anything to the user based on its input? Do you filter it?)
    -Remote code exec (is your server hardened enough?)
    -SQL Injection (if relevant, may be far fetched, but if some of the input makes its way into a database query, make sure you filter it)
One of my mottos is that client-side security doesn't exist. So you must (as Mervyn suggested) suppose that an XML file will be injected into your app without any client-side validation. Therefore, you should be certain that all input from the XML is filtered (whitelisted) server-side.

Pointers to pen test the app? OWASP disc. If nothing comes from all the apps included in this, you'll be safe from the skiddies. The 2 rest is up to you.
What kind of attacker do you expect?
Will he allow a few minutes, some days, or a few months to try and hack your app? Then you'll know what you have to protect yourself against.

My 2 cents anyway.

rob'

----- Original Mail -----
From: "Mervyn" <barcajaxgmail.com>
To: "Anant Iyer" <iyer.anant.rgmail.com>
Cc: pen-testsecurityfocus.com
Sent: Tuesday 7 July 2009 19:40:12 GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna
Subject: Re: Testing Middleware Application

You already mentioned the obvious! XML over HTTP. Opportunity to sniff
and manipulate the traffic.

On Tue, Jul 7, 2009 at 12:17 PM, Anant Iyer<iyer.anant.rgmail.com> wrote:
> Hello,
>
> We have a middleware application to be pen-tested for security
> bugs.The application serves requests from various front-end systems
> (XML over HTTP) and depending on these requests, retrieves the data
> from various back-end repositories.
> The development team has built a front-end just for testing
> (functional) this application in the UAT environment. In such a
> scenario, I need some pointers on how should I perform the pentest of
> this middleware application.
>
> Regards,
>
> Anant Iyer
>
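
As an added example (not code from this thread or from any of its authors), here is one way to do the server-side whitelisting Robinson describes for an XML-over-HTTP middleware request. The request format, element names, value patterns and sample bodies are all constructed for illustration; the point is that the server accepts only elements and values it explicitly knows, rejects everything else (unknown elements, attributes, DTDs, oversized bodies), and so never relies on any validation the test front-end did.

```python
"""Server-side allowlist validation of an XML-over-HTTP request body.

Constructed example: a hypothetical middleware request with two required
leaf elements and one optional one. Anything outside the allowlist is rejected.
"""
import re
import xml.etree.ElementTree as ET

# Allowlist for the hypothetical request format.
# field name -> (required?, regex that the whole value must match)
FIELD_RULES = {
    "customer_id": (True, re.compile(r"[0-9]{1,12}")),
    "action": (True, re.compile(r"lookup|balance")),
    "note": (False, re.compile(r"[A-Za-z0-9 .,-]{0,64}")),
}
ROOT_ELEMENT = "request"
MAX_BODY_BYTES = 4096


class InvalidRequest(ValueError):
    """Raised for any request body that does not match the allowlist."""


def validate_request(body: bytes) -> dict:
    """Return the allowlisted fields of a request body, or raise InvalidRequest."""
    if len(body) > MAX_BODY_BYTES:
        raise InvalidRequest("body too large")
    # Refuse any DTD outright: no entity expansion, no external lookups.
    lowered = body.lower()
    if b"<!doctype" in lowered or b"<!entity" in lowered:
        raise InvalidRequest("DTD not allowed")
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        raise InvalidRequest(f"malformed XML: {exc}") from None
    if root.tag != ROOT_ELEMENT:
        raise InvalidRequest(f"unexpected root element {root.tag!r}")
    if root.attrib:
        raise InvalidRequest("attributes are not allowed")

    fields = {}
    for child in root:
        # Only known, attribute-free, childless leaf elements are accepted.
        if child.tag not in FIELD_RULES:
            raise InvalidRequest(f"unknown element {child.tag!r}")
        if child.attrib or len(child) > 0:
            raise InvalidRequest(f"element {child.tag!r} must be a plain text leaf")
        if child.tag in fields:
            raise InvalidRequest(f"duplicate element {child.tag!r}")
        value = (child.text or "").strip()
        _, pattern = FIELD_RULES[child.tag]
        if not pattern.fullmatch(value):
            raise InvalidRequest(f"value of {child.tag!r} is not in the allowlist")
        fields[child.tag] = value

    for name, (required, _) in FIELD_RULES.items():
        if required and name not in fields:
            raise InvalidRequest(f"missing required element {name!r}")
    return fields


def outcome(body: bytes) -> tuple:
    """Wrap validate_request so callers get ('accepted', fields) or ('rejected', reason)."""
    try:
        return ("accepted", validate_request(body))
    except InvalidRequest as exc:
        return ("rejected", str(exc))


# Constructed sample bodies: one conforming request and four that must be rejected.
GOOD = b"<request><customer_id>42</customer_id><action>balance</action></request>"
SQLI = b"<request><customer_id>42 OR 1=1</customer_id><action>balance</action></request>"
XSS = (b"<request><customer_id>42</customer_id><action>lookup</action>"
       b"<note>&lt;script&gt;x&lt;/script&gt;</note></request>")
DTD = (b"<!DOCTYPE r [<!ENTITY e 'x'>]>"
       b"<request><customer_id>42</customer_id><action>lookup</action></request>")
EXTRA = (b"<request><customer_id>42</customer_id><action>lookup</action>"
         b"<debug>1</debug></request>")

if __name__ == "__main__":
    for label, body in [("good", GOOD), ("sqli", SQLI), ("xss", XSS), ("dtd", DTD), ("extra", EXTRA)]:
        print(label, outcome(body))
```

The filter is positive (what is allowed) rather than negative (what looks like an attack), so the rejected samples fall out of the value patterns without any signature matching; values that pass should still be handed to the back-end through parameterised queries and output encoding, since the allowlist is the first check, not the only one.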
