Re: [WEB SECURITY] Do we need desktop admin rights for webapplication penetration testing?
- From: "Matthew Chalmers" <matthew.chalmers@xxxxxxxxx>
- Subject: Re: [WEB SECURITY] Do we need desktop admin rights for webapplication penetration testing?
- Date: Fri, 25 Jul 2008 16:55:18 -0500
A couple things you said confuse me so I'm not sure if I (or others) will properly address your question, but...I'm going to assume you're talking about doing a remote (i.e. c/s) security assessment of a web site/application over some network and you at least have the ability to connect to a home page/front door to this site/app. You might be talking about admin access to the machine on which AppScan must be installed--you may or may not need that. Got a spare PC? Just try installing with a 'normal' user to see if it works. My question is, why are you required to use a certain desktop from which to run your tools? Can you bring a laptop to the customer's data center? Can you scan from somewhere else on the network? AppScan and other tools can give you some limited vulnerability info about a web site/app without a login even if the root page requires a login to do/see anything, but you might want to start with some basic manual fingerprinting and enumeration first. Also, are you limited to just the web app or can you take advantage of other potential vectors like open ports/running services, the OS, etc.?

If you're really "penetration testing" you're probably attempting to "break in" in which case you should not need any legitimate access, admin or otherwise, but there are so many layers to that onion it's hard to assess without some more details. If you're really "vulnerability testing" you might be better off with separate accounts for all authority levels (including or excluding full admin) to see the web app from all perspectives--the business logic may be different for each.

If you're simply looking for some explanation to give to management as to why you need admin access to their application in order to pen test it, I doubt anyone will help, because you're basically asking for a huge crutch/handicap/head start. That's not really penetration IMHO.

Matt
On Fri, Jul 25, 2008 at 5:13 AM, Sharevane <sharevane@yahoo.com> wrote:
> Hi
>
> I have to perform web application penetration testing for a banking
> application within the company (intranet scanning).
> But the environment is, they will not be providing admin rights and
> internet access for performing penetration testing.
>
> I will be using the open source tools other than AppScan for this activity.
> But I am not sure: can we perform penetration testing without admin rights?
> Till now I have not tried penetration testing without admin rights on the
> desktop system which is used for scanning the web application using AppScan
> and open source tools.
>
> I am looking for quick responses so that I can explain to management here.
>
> Thanks & regards
>
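The practical way to settle the admin-rights question Matt raises ("just try it with a 'normal' user") is to check, as the unprivileged test account, which OS capabilities each class of tool actually needs. The script below is an added example, not code from Matt, Sharevane or any tool named in the thread; it probes only the local machine (loopback sockets, no outbound traffic) and reports whether the account can do what an intercepting proxy or web scanner needs (open outbound TCP connections, bind a local listener) versus what a SYN port scanner or ping sweep needs (raw sockets, which on Linux and Windows require root/Administrator or an equivalent capability). The port number 1 used for the privileged-port probe is an assumption chosen because it is rarely in use; a busy port yields an undetermined result rather than a false "denied".

```python
import errno
import socket


def _permission_denied(exc):
    """True when the OSError is the kernel refusing for lack of privilege."""
    return exc.errno in (errno.EPERM, errno.EACCES)


def can_connect_tcp_loopback():
    """An outbound TCP connect is all a web-app scanner or proxy needs to
    reach the target site. Tested against our own loopback listener so the
    check runs offline and touches nothing on the network."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))          # 0 = ephemeral port picked by the OS
        srv.listen(1)
        port = srv.getsockname()[1]
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as cli:
            cli.settimeout(2)
            cli.connect(("127.0.0.1", port))
            conn, _ = srv.accept()
            conn.close()
    return True


def can_bind_ephemeral_listener():
    """Intercepting proxies listen on a high port (8080 and the like); any
    user may normally bind an unprivileged port on loopback."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.bind(("127.0.0.1", 0))
        return True
    except OSError as exc:
        if _permission_denied(exc):
            return False
        raise


def can_bind_privileged_port(port=1):
    """Ports below 1024 need elevation on Unix. Returns True/False, or None
    when the port is already in use and the answer cannot be determined."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.bind(("127.0.0.1", port))
        return True
    except OSError as exc:
        if _permission_denied(exc):
            return False
        if exc.errno == errno.EADDRINUSE:
            return None
        raise


def can_open_raw_socket():
    """Raw sockets are what SYN scanners and ICMP sweeps use; this is the
    capability that separates 'web app testing' from 'network scanning'
    in terms of required privilege."""
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
        s.close()
        return True
    except OSError as exc:
        if _permission_denied(exc):
            return False
        raise


def privilege_report():
    """Map each capability to the tool class that depends on it."""
    return {
        "outbound_tcp (scanner/proxy -> target)": can_connect_tcp_loopback(),
        "bind_high_port (intercepting proxy listener)": can_bind_ephemeral_listener(),
        "bind_privileged_port (<1024, e.g. local port 80/443 listener)": can_bind_privileged_port(),
        "raw_socket (SYN scan / ping sweep)": can_open_raw_socket(),
    }


if __name__ == "__main__":
    for capability, ok in privilege_report().items():
        state = {True: "available", False: "needs elevation", None: "undetermined"}[ok]
        print(f"{capability:60s} {state}")
```

Run it once as the ordinary test account the customer intends to hand over: if the first two lines come back "available", an HTTP proxy plus the browser is enough for the web application work itself, and only the raw-socket line tells you whether the "other vectors" Matt mentions (port and service enumeration) would need a separately privileged host.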
Brought to you by http://www.webappsec.org