Penetration Testing for Web Applications

Networking/Security Forums -> General Security Discussion

Author: Rottz
Location: East Coast, USA
Posted: Tue Jun 24, 2003 4:17 pm
Post subject: Penetration Testing for Web Applications
    ----
Penetration Testing for Web Applications Part 1
By Jody Melbourne (jodym@secureET.com) and David Jorm (david.jorm@insightech.com.au)
Quote:
This is the first in a series of three articles on penetration testing for Web applications. The first installment provides the penetration tester with an overview of Web applications - how they work, how they interact with users, and most importantly how developers can expose data and systems with poorly written and secured Web application front-ends.

Note: It is assumed that the reader of this article has some knowledge of the HTTP protocol - specifically, the format of HTTP GET and POST requests, and the purpose of various header fields. This information is available in RFC2616.

In this article we have presented the penetration tester with an overview of web applications and how web developers obtain and handle user inputs. We have also shown the importance of fingerprinting the target environment and developing an understanding of the back-end of an application. Equipped with this information, the penetration tester can proceed to targeted vulnerability tests and exploits.

The next installment in this series will introduce code and content-manipulation attacks, such as PHP/ASP code injection, SQL injection, Server-Side Includes and Cross-site scripting.
Full Article: Penetration Testing for Web Applications (Part 1)

Another very good article for pen testers, I'll post part 2/3 when available.




