[OWASP-TESTING] finally!

Mauro Bregolin mauro.bregolin at gmail.com
Fri Apr 15 08:58:01 EDT 2005


A few comments of mine next - Mauro

First, what is the assumed point of view? Many areas may be performed
both black-box and white-box. Techniques will vary - just a trivial
example, black box testing to identify "backup files" left in the web
filesystem space amounts to doing some sort of scanning, while if you go
white box and have access to the web server box, you can explore the
filesystem to spot those files. What is going to be the philosophy of
the guide? For example, if it will cover both scenarios (and in fact
it should, since we're talking about code review as well), for each
section it could separately detail black box techniques and white box
techniques.

- Configuration Management Infrastructure. The first items (Listening
HTTP ports, HTTP banner etc.) are part of a preliminary discovery
phase. I think it would deserve its own section; sub topics are (I
assume black box in the following):
  - network services related to the applications (obviously this
includes HTTP(s) ports but other ports might be present as well in
some cases). This is akin to doing some port scanning
  - http fingerprinting
  - other fingerprinting techniques; for example, trying to identify
web modules, technologies etc. by looking at URL filename extensions
(such as the obvious: .pl, .php, .exe... - and the less obvious, there
are dozens of weird extensions nowadays)
  - information leakage: looking for sensitive information on the
Internet which appears related to the target (which consists of: IP
address(es), DNS name(s), application and corporate name and
information, etc.), via search engines (Google...), newsgroups, news
portals, whois-like services, etc.
  - application architecture: trying to determine how the application
is structured; identify tiers (for example, balancers, web servers,
application servers, database etc.) and gather information about them
(IP, type/version etc.).

- What about Google hacking? This is related to both what I called
"information leakage" above and scanning for known vulnerabilities
(though it is indirect...). In this area I guess it'd be appropriate
to look at the work being done by the folks at Sensepost (see wikto in
http://www.sensepost.com/garage_portal.html).
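As an added example (not part of Mauro's message or of the OWASP guide): a Python script that does the white-box counterpart of the two checks discussed above, extension-based technology fingerprinting and spotting backup files left in the web root, by reading a constructed web server access log and reporting which technologies the served URL extensions reveal and which backup copies were actually served. The extension-to-technology table and the backup suffix list are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed mapping from URL filename extension to server-side technology.
TECH_BY_EXT = {
    ".php": "PHP", ".pl": "Perl", ".exe": "CGI executable (Windows)",
    ".asp": "ASP", ".aspx": "ASP.NET", ".jsp": "Java/JSP", ".cgi": "CGI",
}
# Assumed suffixes that usually mark editor/backup copies left in the web root.
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".swp", ".tmp", "~")

# Request line and status code of a Common Log Format entry.
LOG_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')


def classify_path(path):
    """Return (technology, is_backup) for one URL path."""
    name = urlsplit(path).path.rsplit("/", 1)[-1]
    lower = name.lower()
    is_backup = lower.endswith(BACKUP_SUFFIXES)
    base = name
    for suffix in BACKUP_SUFFIXES:
        if lower.endswith(suffix):  # strip it so /login.php.bak still counts as PHP
            base = name[:-len(suffix)]
            break
    ext = "." + base.rsplit(".", 1)[-1].lower() if "." in base else ""
    return TECH_BY_EXT.get(ext, "unknown/static"), is_backup


def audit_access_log(lines):
    """Count exposed technologies and list backup files the server actually served (status < 400)."""
    tech_counts = defaultdict(int)
    served_backups = []
    for line in lines:
        match = LOG_LINE.search(line)
        if not match:
            continue
        path, status = match.group(1), int(match.group(2))
        tech, is_backup = classify_path(path)
        tech_counts[tech] += 1
        if is_backup and status < 400:
            served_backups.append(path)
    return dict(tech_counts), served_backups


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Apr/2005:08:58:01 -0400] "GET /index.php HTTP/1.1" 200 5120',
    '10.0.0.5 - - [15/Apr/2005:08:58:02 -0400] "GET /cgi-bin/search.pl?q=test HTTP/1.1" 200 812',
    '10.0.0.5 - - [15/Apr/2005:08:58:03 -0400] "GET /login.php.bak HTTP/1.1" 200 3311',
    '10.0.0.5 - - [15/Apr/2005:08:58:04 -0400] "GET /config.old HTTP/1.1" 404 221',
    '10.0.0.5 - - [15/Apr/2005:08:58:05 -0400] "GET /images/logo.png HTTP/1.1" 200 9902',
    '10.0.0.5 - - [15/Apr/2005:08:58:06 -0400] "GET /admin/index.aspx~ HTTP/1.1" 200 1400',
]

if __name__ == "__main__":
    counts, backups = audit_access_log(SAMPLE_LOG)
    print("technologies exposed:", counts)
    print("backup files served:", backups)
```

Run against a real access log, the second list is what to clean out of the web root; the 404 for /config.old shows why only successful responses are reported.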
