RRROAR Posted July 22, 2013 Share Posted July 22, 2013 Hello! I'm currently applying for a job as a computer security engineer. I have some knowledge in technical details of attacks on web apps and networks which allowed me to pass the first 2.5 hour long interview. Now i'm facing another technical interview tomorrow. Having passed the 1st one, i asked the interviewer what i'd need to pass the second one, what were my shortcomings. He answered that i have some technical skills, but my knowledge lacks "system" (which is understandable since i'm self educated in infosec). Meaning, i don't know in what sequence the techniques have to be used, what the main stages of penetration testing of a web facing app are, and thus, what the step-by-step plan should be to assess the information security integrity of a web app. I would highly appreciate it if someone with experience in penetration testing could clarify this mater, the strategic stages of a penetration test of a web facing application. Or, if there are resources detailing this (i failed to find the answer i'm looking for), please feel free to suggest some reading. Thanks and best regards! Quote Link to comment Share on other sites More sharing options...
digininja Posted July 22, 2013 Share Posted July 22, 2013 Have you looked at PTES? http://www.pentest-standard.org/index.php/Main_Page This is a framework we set up to help guide people through what should be involved in a full test. You talk about going for a security engineer job then mention web apps so I'll assume that is what you will be testing. If you want the very cut down version: Use the app, get to know it, don't attack it just click around. Use your eyes and see what is there. Notice if the technology changes or if URL structure alters. Look for distinct sections. Start manually going through the app based on what you already identified, target sections you feel will be most vulnerable. If you want to use automated testing then stop manual, start the automated tools and take a break. It isn't a good idea to run automated and manual at the same time as you interfere with each other. Look at the automated results and go back to manual to confirm those. Restore system wherever possible removing anything you added Write report Quote Link to comment Share on other sites More sharing options...
j4k3 Posted July 22, 2013 Share Posted July 22, 2013 Have you looked at PTES? http://www.pentest-standard.org/index.php/Main_Page This is a framework we set up to help guide people through what should be involved in a full test. You talk about going for a security engineer job then mention web apps so I'll assume that is what you will be testing. If you want the very cut down version: Use the app, get to know it, don't attack it just click around. Use your eyes and see what is there. Notice if the technology changes or if URL structure alters. Look for distinct sections. Start manually going through the app based on what you already identified, target sections you feel will be most vulnerable. If you want to use automated testing then stop manual, start the automated tools and take a break. It isn't a good idea to run automated and manual at the same time as you interfere with each other. Look at the automated results and go back to manual to confirm those. Restore system wherever possible removing anything you added Write report Had that link in my clipboard ready2rock... Then realised I'd been beaten to it. But, thank you for maintaining that page. It's very handy. Quote Link to comment Share on other sites More sharing options...
Xeph Posted July 29, 2013 Share Posted July 29, 2013 MDSec has a good checklist in collaboration with the Web Application Hackers Handbook (IMHO, one the best resources for app pen testing out there). It's located here: http://mdsec.net/wahh/tasks.html Nice and condensed, and pretty much uniform with most pentest strategies. Quote Link to comment Share on other sites More sharing options...
Alok Posted July 30, 2013 Share Posted July 30, 2013 Following may help: Web application Testing Guide (PDF) https://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf More Inf here: https://www.owasp.org/index.php/OWASP_Testing_Project#tab=Old_OWASP_Testing_Guides Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.