[OWASP-TESTING] Chapter 5 BlackBox Testing
jeff.williams at aspectsecurity.com
Sun Apr 4 11:40:50 EDT 2004
This seems to be shaping up nicely. I think there should be a separate
mention of access control testing (aka authorization). Many web sites simply
rely on the user interface to enforce access control -- as long as the link
isn't there, you can't get to it right?? And most sites that have created
an access control mechanism have not implemented it to be tamperproof and
non-bypassable. The test procedure is fairly simple. Using a highly
privileged role, figure out how to access sensitive assets and functions.
Then using a less privileged role, attempt to access them. If you succeed,
their mechanism is flawed.
----- Original Message -----
From: "David Wong" <dw280 at yahoo.com>
To: "Nishchal Bhalla" <nishchalbhalla at yahoo.ca>;
<owasp-testing at lists.sourceforge.net>
Sent: Thursday, April 01, 2004 12:18 PM
Subject: Re: [OWASP-TESTING] Chapter 5 BlackBox Testing
> Comments and changes in the attached doc.
> But here's a summary
> - Goal for pen-test may not be to get root or shell
> access. App security is just as important as getting
> - It's not always more cost-effective than other
> forms. I think grey-box is ultimately the best balance
> - Main disadvantages are that you only see the exposed
> UI. It's not holistic security. You don't see the
> backend. You may or may not find out about security
> through obscurity. Do you get a false sense of
> security when the pen-test company comes back and says
> you are "above average" :)
> --- Nishchal Bhalla <nishchalbhalla at yahoo.ca> wrote:
> > Hi
> > Attached are the details on black box testing.
> > Please provide any/all feedback (recommended changes
> > esp.).
> > Thanks
> > Nish.
> > ---------------------------------
> > Post your free ad now! Yahoo! Canada Personals
> > ATTACHMENT part 2 application/msword
> Do you Yahoo!?
> Yahoo! Small Business $15K Web Design Giveaway
More information about the Owasp-testing