websecurity@lists.webappsec.org

The Web Security Mailing List

Penetration Testing Requirements

Mostafa Siraj
Mon, Feb 27, 2012 9:12 AM

Hello,

I'm about to perform several WEB penetration testing activities. I was
wondering if there is any standard for the requirements I should be asking
for before performing the pentest. I have a lot of things in mind, but I
don't want to reinvent the wheel. So is there a comprehensive list that
lists all the requirements needed before performing the pentest?

These are some of the things I have in mind (but I want something
standard and more complete):

  • Network diagram for the system
  • All system documentation (SRS, Architecture Diagram, Dataflow
    Diagrams, etc.)
  • All previous pentest reports
  • ... etc.

Thanks in Advance

--
Best Regards,
Mostafa Siraj http://twitter.com/mostafasiraj

"Our deepest fear is not that we are inadequate. Our deepest fear is that
we are powerful beyond measure. It is our light, not our darkness, that
most frightens us. We ask ourselves, who am I to be brilliant, gorgeous,
talented, and fabulous? Actually, who are you not to be? You are a child of
God. Your playing small doesn't serve the world. There's nothing
enlightened about shrinking so that other people won't feel insecure around
you. We are all meant to shine, as children do. We are born to make
manifest the glory of God that is within us. It's not just in some of us,
it's in everyone. And as we let our own light shine, we unconsciously give
other people permission to do the same. As we are liberated from our own
fear, our presence automatically liberates others." --Nelson Mandela--

Christian Heinrich
Mon, Feb 27, 2012 8:17 PM

Mostafa,

This would depend on the scope, i.e. number of networks, hosts, web
applications, whether they are in production, dev, etc., and if an
unscheduled outage is acceptable during business hours, etc.

As a rule of thumb you shouldn't be able to view the previous report(s)
during the penetration test, for independence, but only at the conclusion,
for comparison to the established baseline.

On Mon, Feb 27, 2012 at 8:12 PM, Mostafa Siraj <mostafa.siraj@gmail.com> wrote:

> Hello,
>
> I'm about to perform several WEB penetration testing activities. I was
> wondering if there is any standard for the requirements I should be asking
> for before performing the pentest. I have a lot of things in mind, but I
> don't want to reinvent the wheel. So is there a comprehensive list that
> lists all the requirements needed before performing the pentest?
>
> These are some of the things I have in mind (but I want something
> standard and more complete):
>
>   • Network diagram for the system
>   • All system documentation (SRS, Architecture Diagram, Dataflow
>     Diagrams, etc.)
>   • All previous pentest reports
>   • ... etc.
>
> Thanks in Advance
>
> --
> Best Regards,
> Mostafa Siraj http://twitter.com/mostafasiraj

--
Regards,
Christian Heinrich

http://cmlh.id.au/contact

Subin
Mon, Feb 27, 2012 9:31 PM

Hi

Does anybody have a checklist / guidelines or suggestions for performing an FFIEC assessment (two-factor authentication on a financial/cards web site)?

Thanks
Subin

Sent from my iPhone

Mostafa Siraj
Tue, Feb 28, 2012 8:56 AM

But is there any standard (from OWASP, for example) that covers all the
areas you mentioned? I tried searching and found very few requirements
in the PCI.

On Mon, Feb 27, 2012 at 10:17 PM, Christian Heinrich <christian.heinrich@cmlh.id.au> wrote:

> Mostafa,
>
> This would depend on the scope, i.e. number of networks, hosts, web
> applications, whether they are in production, dev, etc., and if an
> unscheduled outage is acceptable during business hours, etc.
>
> As a rule of thumb you shouldn't be able to view the previous report(s)
> during the penetration test, for independence, but only at the conclusion,
> for comparison to the established baseline.
>
> On Mon, Feb 27, 2012 at 8:12 PM, Mostafa Siraj <mostafa.siraj@gmail.com> wrote:
>
> > Hello,
> >
> > I'm about to perform several WEB penetration testing activities. I was
> > wondering if there is any standard for the requirements I should be asking
> > for before performing the pentest. I have a lot of things in mind, but I
> > don't want to reinvent the wheel. So is there a comprehensive list that
> > lists all the requirements needed before performing the pentest?
> >
> > These are some of the things I have in mind (but I want something
> > standard and more complete):
> >
> >   • Network diagram for the system
> >   • All system documentation (SRS, Architecture Diagram, Dataflow
> >     Diagrams, etc.)
> >   • All previous pentest reports
> >   • ... etc.
> >
> > Thanks in Advance
> >
> > --
> > Best Regards,
> > Mostafa Siraj http://twitter.com/mostafasiraj
>
> --
> Regards,
> Christian Heinrich
>
> http://cmlh.id.au/contact

--
Best Regards,
Mostafa Siraj http://twitter.com/mostafasiraj

Christian Heinrich
Tue, Feb 28, 2012 10:27 PM

Mostafa,

On Tue, Feb 28, 2012 at 7:56 PM, Mostafa Siraj mostafa.siraj@gmail.com wrote:

> But is there any standard (from OWASP, for example) that covers all the areas
> you mentioned? I tried searching and found very few requirements in the
> PCI.

I researched this further overnight.

http://www.pentest-standard.org/index.php/Pre-engagement is the most
complete resource while both
https://www.owasp.org/index.php/The_OWASP_Testing_Framework#Phase_4:_During_Deployment
and http://www.isecom.org/research/osstmm.html have little guidance on
this aspect.

--
Regards,
Christian Heinrich

http://cmlh.id.au/contact

debanjan dey
Wed, Feb 29, 2012 8:09 AM

Hi,

http://www.ffiec.gov/pdf/authentication_guidance.pdf

On Tue, Feb 28, 2012 at 3:01 AM, Subin <subin.net@gmail.com> wrote:

> Hi
>
> Does anybody have a checklist / guidelines or suggestions for performing
> an FFIEC assessment (two-factor authentication on a financial/cards web
> site)?
>
> Thanks
> Subin
>
> Sent from my iPhone
>
> _______________________________________________
> The Web Security Mailing List
>
> WebSecurity RSS Feed
> http://www.webappsec.org/rss/websecurity.rss
>
> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
> WASC on Twitter
> http://twitter.com/wascupdates
>
> websecurity@lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

--
Thanks and Regards
Debanjan Dey (CPISI, ISO 27001 Lead Implementor, CEH, CHFI, ITIL
Foundation, CCSA, RHCE)
Mobile-9970506972

Subin
Tue, Mar 13, 2012 5:10 PM

Hi,

I have an application that needs to allow switching between a new and an old version of the application, by requesting a new session from the SSO server (Ajax request).

Eg: mywebsite.com/SSO?ticket=(3des encrypted

The response carrying the SSO ticket (encrypted XML) would complete the switch over to the new application, de-authenticating the old session with the old version of the application.

The ticket request URL works for 3 minutes; if replayed, even on a different machine, within 3 minutes you pretty much get a new session to the new version of the application and continue with that session.

I do not see any risks with such an implementation; it's the same scenario as replaying a request if someone gets hold of the session cookie, except that the token is in the URL, not in the header.
(Session cookie in URL scenario, I guess.)

Is any one of you aware of, or has come across, any risks of such an implementation?

Thanks
Subin

The Dead
Sat, Mar 17, 2012 10:19 AM

Hello Subin.

You can implement some solution that implements the SAML protocol.

If you don't have the time and resources now, you can add some security
features to your token, like:

  • Sign your token
  • Make it one-time use
  • Use the least time possible for the token (3 minutes is too much)
  • Try to follow the OASIS recommendations for SAML in your protocol

http://docs.oasis-open.org/security/saml/v2.0/saml-sec-consider-2.0-os.pdf

There are free solutions like PicketLink (RedHat) that implement SAML 2.

TH3D34D

On Tue, Mar 13, 2012 at 2:10 PM, Subin <subin.net@gmail.com> wrote:

> Hi,
>
> I have an application that needs to allow switching between a new and an old version of the application, by requesting a new session from the SSO server (Ajax request).
>
> Eg: mywebsite.com/SSO?ticket=(3des encrypted
>
> The response carrying the SSO ticket (encrypted XML) would complete the switch over to the new application, de-authenticating the old session with the old version of the application.
>
> The ticket request URL works for 3 minutes; if replayed, even on a different machine, within 3 minutes you pretty much get a new session to the new version of the application and continue with that session.
>
> I do not see any risks with such an implementation; it's the same scenario as replaying a request if someone gets hold of the session cookie, except that the token is in the URL, not in the header.
> (Session cookie in URL scenario, I guess.)
>
> Is any one of you aware of, or has come across, any risks of such an implementation?
>
> Thanks
> Subin
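A switch-over ticket built the way the reply above recommends (signed, single-use, short-lived, and bound to the session being switched from), as an added example that is not code from the original thread or from PicketLink; the HMAC key, the 30-second lifetime, the claim names and the in-memory store of consumed ticket ids are assumptions:

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Constructed demo key; a real SSO server loads this from a secret store.
SECRET_KEY = b"constructed-demo-key-not-for-production"
TICKET_TTL_SECONDS = 30  # far shorter than the 3-minute window discussed above


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class ConsumedTickets:
    """Remembers redeemed ticket ids so each ticket can be used exactly once,
    even if the same URL is replayed from a different machine."""

    def __init__(self):
        self._seen = set()

    def consume(self, ticket_id):
        if ticket_id in self._seen:
            return False
        self._seen.add(ticket_id)
        return True


def issue_ticket(user, old_session_id, now=None):
    """Mint a ticket bound to the caller's current (old) session and sign it."""
    now = int(time.time()) if now is None else now
    claims = {"sub": user, "sid": old_session_id, "jti": os.urandom(16).hex(),
              "iat": now, "exp": now + TICKET_TTL_SECONDS}
    payload = b64url_encode(json.dumps(claims, sort_keys=True).encode())
    mac = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest()
    return payload + "." + b64url_encode(mac)


def redeem_ticket(ticket, presented_session_id, consumed, now=None):
    """Return (True, user) for a fresh ticket, else (False, reason).
    Checks run in order: signature, freshness, session binding, single use."""
    now = int(time.time()) if now is None else now
    try:
        payload, mac_text = ticket.split(".")
        expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(mac_text)):
            return False, "bad signature"
        claims = json.loads(b64url_decode(payload))
    except (ValueError, TypeError):
        return False, "malformed"
    if not claims["iat"] <= now < claims["exp"]:
        return False, "expired"
    if not hmac.compare_digest(claims["sid"].encode(), presented_session_id.encode()):
        return False, "session mismatch"
    if not consumed.consume(claims["jti"]):  # second redemption of a valid ticket fails here
        return False, "replayed"
    return True, claims["sub"]
```

The consumed-id store must live on the SSO server side (shared across its instances), since a per-client check would be bypassed exactly by the cross-machine replay described in the question.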
