From: Nik (niknik.com.au)
Date: Mon Jan 21 2002 - 09:41:08 CST


    Just some tips in terms of procedures and processes that can be used
    against a target site. This is in no particular order, just putting them
    down as they come to me.

    * Initial information gathering (Platform, Technologies used)
    * Pen-test against generic/default holes on the particular
    platform/technology used (+.htr, msadc.dll etc.).
    * Information leakage with malformed requests.
    * Brute force against common directory names (/admin etc.)
    * Brute force against backup files (/default.asp.backup etc., use to
    reveal source)
    * AXFR of DNS records to reveal possible other sites/virtual hosts.
    * Wget or other spider of site to reveal directory structure, try and
    retrieve directory listings.
    * Google search (site:www.example.com), for password files etc.
    * Open SQL servers (default accounts, security holes)
    * mapping of network block for other hosts belonging to the company
    * <form> injection, brute forcing (poison null, SQL modification, system
    commands), cross-site scripting tests with injected javascript (can be
    further encoded to evade detection)
    * Open proxy servers within network block that might allow attacker to
    bypass IP-based filtering on protected sites.

    Sorry if I am not elaborating more, just a quick overview.

    Regards,

    Nik Cubrilovic
    http://www.nik.com.au

    >
    > As you know we are starting to build the testing framework....we are
    > going to capture the mailing list debate and thoughts to want your input.
    > Well then publish it for community review and input.
    >
    > One of the areas that seems really important is What to test ? I put
    > some provisional headings down at http://www.owasp.org/projects/testing/
    >
    > Imaginary scenario: you are presented with a site DNS name and asked
    > to review the security of the applications running on it.
    >
    > Where do you start?
    > Do you spider the site looking for any place that sends parameters to
    > an application?
    > How do you find where applications reside?
    > What about web services and WSDL? Do you look at a UDDI?
    > Should you test an application in isolation (i.e. a single cgi) or all
    > applications on that site?
    >
    > These are just a few thoughts, really just a few...
    >
    > So does anyone want to share the way they approach deciding what should
    > be tested with the list ?
    >
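Taking the common-directory and backup-file brute-force items in Nik's list from the defender's side: the following is an added example, not code from the original thread, that scans web-server access-log lines (constructed, in Common Log Format) for a client guessing directory names or requesting backup copies of pages. The suffix list, the directory list and the 404 threshold are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Common Log Format line; the sample lines below are constructed, not from a real server.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3})')
# Illustrative sets: suffixes that usually mean an editor/backup copy of server-side
# source was left behind, and top-level directory names commonly guessed.
BACKUP_SUFFIXES = (".bak", ".backup", ".old", ".orig", ".swp", "~")
GUESSED_DIRS = {"admin", "backup", "old", "test", "cgi-bin", "_vti_bin"}

def parse_line(line):
    m = LOG_RE.match(line)
    return None if m is None else {"ip": m["ip"], "path": m["path"], "status": int(m["status"])}

def classify_path(path):  # tag backup-file or directory guessing; None for anything else
    p = path.split("?", 1)[0].lower()
    if p.endswith(BACKUP_SUFFIXES):
        return "backup-file probe"
    return "directory guess" if p.strip("/").split("/", 1)[0] in GUESSED_DIRS else None

def detect_probing(lines, min_404s=5):
    """Per client IP, list the reasons it looks like a directory/backup brute-force source."""
    per_ip = defaultdict(lambda: {"not_found": set(), "tags": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable line: skip it rather than crash the detector
        info, tag = per_ip[rec["ip"]], classify_path(rec["path"])
        if tag:
            info["tags"].add(tag)
            if tag == "backup-file probe" and rec["status"] == 200:
                info["tags"].add("backup file served")  # the source copy actually exists
        if rec["status"] == 404:
            info["not_found"].add(rec["path"])
    findings = {}
    for ip, info in per_ip.items():
        reasons = sorted(info["tags"])
        if len(info["not_found"]) >= min_404s:
            reasons.append(f"{len(info['not_found'])} distinct 404 paths")
        if reasons:
            findings[ip] = reasons
    return findings
SAMPLE_LOG = [  # constructed: 203.0.113.5 probes, 198.51.100.7 is an ordinary visitor
    '198.51.100.7 - - [21/Jan/2002:09:41:08 -0600] "GET /index.asp HTTP/1.0" 200 2301',
    '203.0.113.5 - - [21/Jan/2002:09:42:00 -0600] "GET /admin/ HTTP/1.0" 404 210',
    '203.0.113.5 - - [21/Jan/2002:09:42:01 -0600] "GET /backup/ HTTP/1.0" 404 210',
    '203.0.113.5 - - [21/Jan/2002:09:42:02 -0600] "GET /old/ HTTP/1.0" 404 210',
    '203.0.113.5 - - [21/Jan/2002:09:42:03 -0600] "GET /test/ HTTP/1.0" 404 210',
    '203.0.113.5 - - [21/Jan/2002:09:42:04 -0600] "GET /index.asp.bak HTTP/1.0" 404 210',
    '203.0.113.5 - - [21/Jan/2002:09:42:05 -0600] "GET /default.asp.backup HTTP/1.0" 200 1877',
]
```

A "backup file served" reason is the one to act on first: it means a copy of server-side source is actually reachable, so the file should be removed and the deployment process checked for how it got there.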