
Web application penetration testing strategy


RRROAR


Hello! I'm currently applying for a job as a computer security engineer. I have some knowledge of the technical details of attacks on web apps and networks, which allowed me to pass the first 2.5-hour-long interview. Now I'm facing another technical interview tomorrow.

Having passed the 1st one, I asked the interviewer what I'd need to pass the second one, what my shortcomings were. He answered that I have some technical skills, but my knowledge lacks "system" (which is understandable since I'm self-educated in infosec). Meaning, I don't know in what sequence the techniques have to be used, what the main stages of penetration testing of a web-facing app are, and thus what the step-by-step plan should be to assess the information security integrity of a web app.

I would highly appreciate it if someone with experience in penetration testing could clarify this matter, the strategic stages of a penetration test of a web-facing application. Or, if there are resources detailing this (I failed to find the answer I'm looking for), please feel free to suggest some reading.

Thanks and best regards!


Have you looked at PTES? http://www.pentest-standard.org/index.php/Main_Page

This is a framework we set up to help guide people through what should be involved in a full test.

You talk about going for a security engineer job then mention web apps so I'll assume that is what you will be testing.

If you want the very cut down version:

Use the app, get to know it, don't attack it, just click around. Use your eyes and see what is there. Notice if the technology changes or if the URL structure alters. Look for distinct sections.

Start manually going through the app based on what you already identified, targeting the sections you feel will be most vulnerable.

If you want to use automated testing, then stop the manual work, start the automated tools and take a break. It isn't a good idea to run automated and manual at the same time, as they interfere with each other.

Look at the automated results and go back to manual testing to confirm them.

Restore the system wherever possible, removing anything you added.

Write the report.

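The "click around and notice where the technology or URL structure changes" stage, plus the "remove anything you added" stage, can be made concrete by post-processing your own proxy history. The script below is an added example and is not code from the post above or from PTES. It assumes a constructed, made-up export format of one request per line (METHOD URL STATUS SERVER-HEADER) for a fictional host; real proxy exports differ, so `parse_history` is the part you would adapt.

```python
"""Build a site map from proxy history to support the recon and restore stages.

Added example: the export format, hostname and paths are constructed for
illustration and do not come from any real tool or target.
"""
from collections import defaultdict
from os.path import splitext
from urllib.parse import urlsplit

# Constructed sample of an intercepting-proxy history export, one request per
# line: METHOD URL STATUS SERVER-HEADER.  Entirely made up.
SAMPLE_HISTORY = """\
GET https://shop.example/ 200 nginx
GET https://shop.example/catalog/ 200 nginx
GET https://shop.example/catalog/item?id=42 200 nginx
GET https://shop.example/account/login.php 200 Apache
POST https://shop.example/account/login.php 302 Apache
GET https://shop.example/account/profile.php 200 Apache
GET https://shop.example/api/v1/cart 200 nginx
POST https://shop.example/api/v1/cart 201 nginx
GET https://shop.example/admin/ 403 nginx
GET https://shop.example/static/app.js 200 nginx
"""


def parse_history(text):
    """Turn the export into dicts; blank or malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split(maxsplit=3)
        if len(fields) != 4:
            continue
        method, url, status, server = fields
        entries.append({"method": method, "url": url,
                        "status": int(status), "server": server})
    return entries


def section_of(url):
    """The first path component is the 'distinct section' the post tells you to look for."""
    parts = [p for p in urlsplit(url).path.split("/") if p]
    return "/" + parts[0] if parts else "/"


def build_site_map(entries):
    """Group requests by section and record the technology hints each one shows."""
    site_map = defaultdict(lambda: {"paths": set(), "servers": set(),
                                    "extensions": set(), "methods": set()})
    for e in entries:
        sec = site_map[section_of(e["url"])]
        path = urlsplit(e["url"]).path
        sec["paths"].add(path)
        sec["servers"].add(e["server"])
        ext = splitext(path)[1]          # '.php', '.js', or '' for extensionless routes
        if ext:
            sec["extensions"].add(ext)
        sec["methods"].add(e["method"])
    return dict(site_map)


def technology_changes(site_map):
    """Sections whose Server header differs from the site root's: the
    'technology changes' worth noting before manual testing starts."""
    root_servers = site_map.get("/", {}).get("servers", set())
    return sorted(s for s, info in site_map.items()
                  if info["servers"] - root_servers)


def cleanup_ledger(entries):
    """Successful state-changing requests; each is a candidate for the restore
    step, where anything you created during the test has to be removed."""
    return [(e["method"], e["url"]) for e in entries
            if e["method"] in {"POST", "PUT", "PATCH", "DELETE"}
            and 200 <= e["status"] < 400]


if __name__ == "__main__":
    entries = parse_history(SAMPLE_HISTORY)
    site_map = build_site_map(entries)
    for section in sorted(site_map):
        info = site_map[section]
        print(f"{section:10} servers={sorted(info['servers'])} "
              f"ext={sorted(info['extensions'])} methods={sorted(info['methods'])}")
    print("technology changes:", technology_changes(site_map))
    print("cleanup ledger:", cleanup_ledger(entries))
```

Running it on the constructed sample flags `/account` as the one section served by a different stack than the root, which is exactly the kind of boundary the post says to notice before deciding where to spend manual effort; the cleanup ledger gives the restore stage a starting checklist rather than relying on memory.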

Had that link in my clipboard ready2rock... Then realised I'd been beaten to it.

But, thank you for maintaining that page. It's very handy.
