MS
Mostafa Siraj
Mon, Feb 27, 2012 9:12 AM
Hello,
I'm about to perform several web penetration testing activities, and I was
wondering if there is any standard for the requirements I should be asking
for before performing the pentest. I have a lot of things in mind but I
don't want to reinvent the wheel, so is there a comprehensive list that
lists all the requirements needed before performing the pentest?
These are some of the things I have in mind (but I want something
standard and more complete):
- Network diagram for the system
- All system documentation (SRS, architecture diagram, dataflow
diagrams, etc.)
- All previous pentest reports
...
etc.
Thanks in advance
--
Best Regards,
Mostafa Siraj http://twitter.com/mostafasiraj
"Our deepest fear is not that we are inadequate. Our deepest fear is that
we are powerful beyond measure. It is our light, not our darkness, that
most frightens us. We ask ourselves, who am I to be brilliant, gorgeous,
talented, and fabulous? Actually, who are you not to be? You are a child of
God. Your playing small doesn't serve the world. There's nothing
enlightened about shrinking so that other people won't feel insecure around
you. We are all meant to shine, as children do. We are born to make
manifest the glory of God that is within us. It's not just in some of us,
it's in everyone. And as we let our own light shine, we unconsciously give
other people permission to do the same. As we are liberated from our own
fear, our presence automatically liberates others." --Nelson Mandela--
CH
Christian Heinrich
Mon, Feb 27, 2012 8:17 PM
Mostafa,
This would depend on the scope, i.e. the number of networks, hosts and web
applications, whether they are in production, dev, etc., and if an
unscheduled outage is acceptable during business hours, etc.
As a rule of thumb you shouldn't be able to view the previous report(s)
during the penetration test, for independence, but at the conclusion for
comparison to the established baseline.
On Mon, Feb 27, 2012 at 8:12 PM, Mostafa Siraj <mostafa.siraj@gmail.com> wrote:
> Hello,
>
> I'm about to perform several web penetration testing activities, and I was
> wondering if there is any standard for the requirements I should be asking
> for before performing the pentest. I have a lot of things in mind but I
> don't want to reinvent the wheel, so is there a comprehensive list that
> lists all the requirements needed before performing the pentest?
>
> These are some of the things I have in mind (but I want something
> standard and more complete):
> * Network diagram for the system
> * All system documentation (SRS, architecture diagram, dataflow
> diagrams, etc.)
> * All previous pentest reports
> ...
> etc.
>
> Thanks in advance
>
> --
> Best Regards,
> Mostafa Siraj <http://twitter.com/mostafasiraj>
>
--
Regards,
Christian Heinrich
http://cmlh.id.au/contact
S
Subin
Mon, Feb 27, 2012 9:31 PM
Hi
Does anybody have a checklist, guidelines or suggestions for performing an FFIEC assessment (two-factor authentication on a financial/cards web site)?
Thanks
Subin
Sent from my iPhone
MS
Mostafa Siraj
Tue, Feb 28, 2012 8:56 AM
But is there any standard, from OWASP for example, that covers all the
areas you mentioned? I tried searching and found very few requirements
in the PCI.
On Mon, Feb 27, 2012 at 10:17 PM, Christian Heinrich <christian.heinrich@cmlh.id.au> wrote:
> Mostafa,
>
> This would depend on the scope, i.e. the number of networks, hosts and web
> applications, whether they are in production, dev, etc., and if an
> unscheduled outage is acceptable during business hours, etc.
>
> As a rule of thumb you shouldn't be able to view the previous report(s)
> during the penetration test, for independence, but at the conclusion for
> comparison to the established baseline.
>
> On Mon, Feb 27, 2012 at 8:12 PM, Mostafa Siraj <mostafa.siraj@gmail.com> wrote:
>
>> Hello,
>>
>> I'm about to perform several web penetration testing activities, and I was
>> wondering if there is any standard for the requirements I should be asking
>> for before performing the pentest. I have a lot of things in mind but I
>> don't want to reinvent the wheel, so is there a comprehensive list that
>> lists all the requirements needed before performing the pentest?
>>
>> These are some of the things I have in mind (but I want something
>> standard and more complete):
>> * Network diagram for the system
>> * All system documentation (SRS, architecture diagram, dataflow
>> diagrams, etc.)
>> * All previous pentest reports
>> ...
>> etc.
>>
>> Thanks in advance
>>
>> --
>> Best Regards,
>> Mostafa Siraj <http://twitter.com/mostafasiraj>
>>
>
>
> --
> Regards,
> Christian Heinrich
>
> http://cmlh.id.au/contact
>
--
Best Regards,
Mostafa Siraj <http://twitter.com/mostafasiraj>
CH
Christian Heinrich
Tue, Feb 28, 2012 10:27 PM
Mostafa,
On Tue, Feb 28, 2012 at 7:56 PM, Mostafa Siraj <mostafa.siraj@gmail.com> wrote:
> But is there any standard -from OWASP for example- that covers all the areas
> you mentioned? -I tried searching and found a very few requirements in the
> PCI-
I researched this further overnight.
http://www.pentest-standard.org/index.php/Pre-engagement is the most
complete resource while both
https://www.owasp.org/index.php/The_OWASP_Testing_Framework#Phase_4:_During_Deployment
and http://www.isecom.org/research/osstmm.html have little guidance on
this aspect.
--
Regards,
Christian Heinrich
http://cmlh.id.au/contact
DD
debanjan dey
Wed, Feb 29, 2012 8:09 AM
Hi,
http://www.ffiec.gov/pdf/authentication_guidance.pdf
On Tue, Feb 28, 2012 at 3:01 AM, Subin <subin.net@gmail.com> wrote:
> Hi
>
> Does anybody have a checklist, guidelines or suggestions for performing
> an FFIEC assessment (two-factor authentication on a financial/cards web
> site)?
>
> Thanks
> Subin
>
>
> Sent from my iPhone
> _______________________________________________
> The Web Security Mailing List
>
> WebSecurity RSS Feed
> http://www.webappsec.org/rss/websecurity.rss
>
> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
> WASC on Twitter
> http://twitter.com/wascupdates
>
> websecurity@lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
>
--
Thanks and Regards
Debanjan Dey (CPISI, ISO 27001 Lead Implementer, CEH, CHFI, ITIL
Foundation, CCSA, RHCE)
Mobile-9970506972
S
Subin
Tue, Mar 13, 2012 5:10 PM
Hi,
I have an application that needs to allow switching between a new and an old version of the application, by requesting a new session from the SSO server (Ajax request).
Eg: mywebsite.com/SSO?ticket=(3DES encrypted)
The response containing the SSO ticket (encrypted XML) would complete the switch over to the new application, de-authenticating the old session with the old version of the application.
The ticket request URL works for 3 minutes; if replayed, even on a different machine, within 3 minutes you pretty much get a new session to the new version of the application and can continue with that session.
I do not see any risks with such an implementation; it's the same scenario as replaying a request if someone gets hold of the session cookie, except that the token is in the URL, not in the header.
(Session cookie in URL scenario, I guess)
Is any one of you aware of, or have you come across, any risks of such an implementation?
Thanks
Subin
TD
The Dead
Sat, Mar 17, 2012 10:19 AM
Hello Subin.
You can implement a solution that implements the SAML protocol.
If you don't have the time and resources now, you can add some security
features to your token like:
- Sign your token
- Make it one-time use
- Use the shortest lifetime for the token possible (3 minutes is too much)
- Try to follow the OASIS recommendations for SAML in your protocol:
http://docs.oasis-open.org/security/saml/v2.0/saml-sec-consider-2.0-os.pdf
There are free solutions like PicketLink (Red Hat) that implement SAML 2.
TH3D34D
On Tue, Mar 13, 2012 at 2:10 PM, Subin <subin.net@gmail.com> wrote:
> Hi,
>
> I have an application that needs to allow switching between a new and an old version of the application, by requesting a new session from the SSO server (Ajax request).
>
> Eg: mywebsite.com/SSO?ticket=(3DES encrypted)
>
> The response containing the SSO ticket (encrypted XML) would complete the switch over to the new application, de-authenticating the old session with the old version of the application.
>
> The ticket request URL works for 3 minutes; if replayed, even on a different machine, within 3 minutes you pretty much get a new session to the new version of the application and can continue with that session.
>
> I do not see any risks with such an implementation; it's the same scenario as replaying a request if someone gets hold of the session cookie, except that the token is in the URL, not in the header.
> (Session cookie in URL scenario, I guess)
>
> Is any one of you aware of, or have you come across, any risks of such an implementation?
>
> Thanks
> Subin
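An added example, not code from Subin's application or from the reply above, showing the three hardening steps TH3D34D lists: the SSO ticket is HMAC-signed, lives for 30 seconds instead of 3 minutes, and carries a random one-time id that the verifier remembers until expiry, so the same ticket URL replayed from any machine is refused. The key, claim names and TTL are assumptions constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Assumed signing key, constructed for this example; a real deployment loads it
# from a secret store. Signing supplies the integrity that 3DES encryption of
# the ticket alone does not provide.
TICKET_KEY = b"example-sso-signing-key-not-for-production"
TICKET_TTL_SECONDS = 30   # far shorter than the 3-minute window in the thread
CLOCK_SKEW_SECONDS = 5    # tolerate an issue time slightly ahead of our clock


def _sign(payload: bytes) -> str:
    return hmac.new(TICKET_KEY, payload, hashlib.sha256).hexdigest()


def issue_ticket(user: str, now: Optional[float] = None) -> str:
    """Mint a signed ticket carrying the user, issue time and a random one-time id."""
    now = time.time() if now is None else now
    claims = {"sub": user, "iat": int(now), "jti": secrets.token_hex(16)}
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    return f"{payload}.{_sign(payload.encode())}"


class TicketVerifier:
    """Redeems each ticket once: a replay inside the TTL is rejected, not honoured."""

    def __init__(self) -> None:
        self._redeemed = {}   # jti -> expiry; dropped once the ticket could not be reused anyway

    def redeem(self, ticket: str, now: Optional[float] = None) -> Tuple[Optional[str], str]:
        now = time.time() if now is None else now
        self._redeemed = {j: exp for j, exp in self._redeemed.items() if exp > now}
        try:
            payload, sig = ticket.split(".", 1)
        except ValueError:
            return None, "malformed"
        # Verify integrity before parsing anything, with a constant-time compare.
        if not hmac.compare_digest(sig, _sign(payload.encode())):
            return None, "bad signature"
        claims = json.loads(base64.urlsafe_b64decode(payload))
        expires = claims["iat"] + TICKET_TTL_SECONDS
        if now > expires or claims["iat"] > now + CLOCK_SKEW_SECONDS:
            return None, "expired"
        if claims["jti"] in self._redeemed:
            return None, "replayed"
        self._redeemed[claims["jti"]] = expires
        return claims["sub"], "ok"
```

The ticket still travels in a URL, which browser history and proxy and server logs record; delivering it in a POST body or binding it to the caller's existing session would narrow that exposure further.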