From: pagvac (unknown.pentester@gmail.com)
Date: Sat Feb 11 2006 - 09:17:23 EST
Following a methodology is good from an engineering point of view, but
this way of thinking will also make you skip security holes that can
only be found using a more fuzzy and artistic approach (thinking
outside the box).
This is why I believe that you need to experiment besides following a
methodological approach.
On 2/9/06, Michael Gargiullo <mgargiullo@pvtpt.com> wrote:
>
>
> > -----Original Message-----
> > From: Edmond Chow [mailto:echow@videotron.ca]
> > Sent: Tuesday, February 07, 2006 10:45 PM
> > To: 'Michael Gargiullo'; pen-test@securityfocus.com
> > Cc: 'Edmond Chow'
> > Subject: RE: Penetration test of 1 IP address
> >
> >
> >
> >
> > To all:
> >
> > I have been asked to perform a security audit of 1 IP address
> > for client.
> > They have given me the 1 IP address and a clue (webblaze).
> >
> > If I enter the IP address and then /webblaze, I am taken to a
> > login page (user name and password requested).
> >
> > What tools would you recommend that I use for this assignment?
> >
> > Thanks for your help.
> >
> > Regards,
> >
> >
> > Edmond
> >
> >
> > --------------------------------------------------------------
>
> Edmond,
>
> You really need to set ground rules with your client. Set the clients
> expectations on what is inbounds vs. what is out of bounds. For
> example, some clients want you to handle their equipment with kid
> gloves, but others want you to test with a sledgehammer.
>
> You need to agree on a large number of issues.
>
> Honestly, if a client approached me with only those 2 items (an IP and
> Hint), I'd probably turn them down. I'd explain that using those two
> items would give them a low level of assurance on the security of the
> site. I'd only be able to tell them if their server is vulnerable (nmap,
> nessus, Nikto, google the app, company, etc...) and if the app login
> algorithm is sound.
>
> For real assurance, that should only be the first step. Once it's
> determined that the login is secure (if it is), you really should move
> on to actually testing the app.
>
> Id have to say if they only want assurance that the login algorithm
> sound, then go for it. Do your homework, and attack based on what
> you've agreed upon.
>
> If they want to make sure the whole application is sound, you need more
> then they've given you after you've finished the blind testing.
>
> -Mike
>
>
>
> ------------------------------------------------------------------------------
> Audit your website security with Acunetix Web Vulnerability Scanner:
>
> Hackers are concentrating their efforts on attacking applications on your
> website. Up to 75% of cyber attacks are launched on shopping carts, forms,
> login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
> futile against web application hacking. Check your website for vulnerabilities
> to SQL injection, Cross site scripting and other web attacks before hackers do!
> Download Trial at:
>
> http://www.securityfocus.com/sponsor/pen-test_050831
> -------------------------------------------------------------------------------
>
>
-- pagvac (Adrian Pastor) www.ikwt.com - In Knowledge We Trust ------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:30 EDT