
Re: [WEB SECURITY] Do we need desktop admin rights for webapplication penetration testing?

thanks for the email

A laptop is not possible at all, as per the client, and I meant desktop access for the tester's PC, not for the web application.
For web application testing I will get two separate login IDs for testing privilege escalation.

I need to know whether admin rights are required for the tester's PC or not after all the AppScan and open-source tools are installed (i.e. the PC used to install AppScan and the open-source tools).

regards
--- On Sat, 7/26/08, Matthew Chalmers <matthew.chalmers@owasp.org> wrote:

From: Matthew Chalmers <matthew.chalmers@owasp.org>
Subject: Re: [WEB SECURITY] Do we need desktop admin rights for webapplication penetration testing?
To: sharevane@yahoo.com
Cc: websecurity@webappsec.org
Date: Saturday, July 26, 2008, 3:25 AM

A couple of things you said confuse me so I'm not sure if I (or others) will properly address your question, but...I'm going to assume you're talking about doing a remote (i.e. c/s) security assessment of a web site/application over some network and you at least have the ability to connect to a home page/front door to this site/app. You might be talking about admin access to the machine on which AppScan must be installed--you may or may not need that. Got a spare PC? Just try installing with a 'normal' user to see if it works. My question is, why are you required to use a certain desktop from which to run your tools? Can you bring a laptop to the customer's data center? Can you scan from somewhere else on the network? AppScan and other tools can give you some limited vulnerability info about a web site/app without a login even if the root page requires a login to do/see anything, but you might want to start with some basic manual fingerprinting and enumeration first. Also, are you limited to just the web app or can you take advantage of other potential vectors like open ports/running services, the OS, etc.?

If you're really "penetration testing" you're probably attempting to "break in", in which case you should not need any legitimate access, admin or otherwise, but there are so many layers to that onion it's hard to assess without some more details. If you're really "vulnerability testing" you might be better off with separate accounts for all authority levels (including or excluding full admin) to see the web app from all perspectives--the business logic may be different for each.

If you're simply looking for some explanation to give to management as to why you need admin access to their application in order to pen test it, I doubt anyone will help, because you're basically asking for a huge crutch/handicap/head start. That's not really penetration IMHO.

Matt


On Fri, Jul 25, 2008 at 5:13 AM, Sharevane <sharevane@yahoo.com> wrote:

Hi

I have to perform web application penetration testing for a banking application within the company (intranet scanning).
But the environment is, they will not be providing admin rights and internet access for performing penetration testing.

I will be using open-source tools other than AppScan for this activity.
But I am not sure whether we can perform penetration testing without admin rights.
Till now I have not tried penetration testing without admin rights on the desktop system which is used for scanning the web application using AppScan and open-source tools.

I am looking for quick responses so that I can explain to management here.

thanks & regards
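The question running through this thread is whether the tester's own PC needs admin rights once the tools are installed, and Matt's advice is to just try it as a normal user. The script below, added here as an example and not code from the list or from either poster, makes that trial systematic: run as the ordinary account, it probes the operations a web-application test actually relies on (a listener for an intercepting proxy on a high port, a listener on a privileged port, raw sockets, which only SYN scanning and packet capture need and HTTP-level testing does not, and write access to a system install directory versus the user's home and temp directories). The proxy port 8080 and the fallback install directory /usr/local/bin are assumptions; change them to match the tools in use.

```python
"""Probe which pentest-tooling operations the current account can perform.

Added example for this thread, not code from the list or its posters.
Run it as the ordinary (non-admin) user on the tester's PC before asking
management for admin rights: every activity reported OK needs no elevation.
"""
import os
import socket
import tempfile
import uuid


def can_bind(port):
    """True if this account can open a TCP listener on 127.0.0.1:port.

    An intercepting proxy, the core of a web-app test, only needs a listener
    on a high port, which no OS reserves for administrators. Port 0 asks the
    OS for any free ephemeral port, so it is the baseline check.
    """
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.bind(("127.0.0.1", port))
            s.listen(1)
            return True
    except OSError:  # privileged port without rights, or port already in use
        return False


def can_open_raw_socket():
    """True if raw sockets are allowed.

    Raw sockets are needed for SYN scans and sniffing (nmap -sS, tcpdump),
    not for HTTP-level testing; root/Administrator or CAP_NET_RAW is
    normally required.
    """
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP):
            return True
    except OSError:
        return False


def can_write_dir(path):
    """True if this account can create (and delete) a file in `path`.

    Tools that install under the system directories need admin rights; the
    same tools unpacked under the user's home directory usually do not.
    """
    if not os.path.isdir(path):
        return False
    probe = os.path.join(path, "pentest-priv-probe-" + uuid.uuid4().hex)
    try:
        with open(probe, "w") as fh:
            fh.write("probe\n")
    except OSError:
        return False
    os.remove(probe)
    return True


def privilege_report(proxy_port=8080, system_dir=None):
    """Summarise what the current account can do, keyed by test activity.

    proxy_port and system_dir are assumptions for this example: set them to
    the port your proxy listens on and the directory your tools install into.
    """
    if system_dir is None:
        # Windows exposes %ProgramFiles%; the Unix fallback is an assumption.
        system_dir = os.environ.get("ProgramFiles", "/usr/local/bin")
    return {
        "proxy_listener_high_port": can_bind(proxy_port),
        "listener_privileged_port_80": can_bind(80),
        "raw_sockets_for_port_scans": can_open_raw_socket(),
        "install_to_system_dir": can_write_dir(system_dir),
        "install_to_home_dir": can_write_dir(os.path.expanduser("~")),
        "write_to_temp_dir": can_write_dir(tempfile.gettempdir()),
    }


if __name__ == "__main__":
    for activity, allowed in privilege_report().items():
        print(f"{activity:32s} {'OK' if allowed else 'needs elevation'}")
```

A typical non-admin run reports the proxy listener and the home and temp directories as OK and the privileged port, raw sockets and the system directory as needing elevation, which is exactly the split the thread is asking about: HTTP-level testing of an intranet application through a proxy proceeds without admin rights, and only network-layer scanning and system-wide installs do not.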

Brought to you by http://www.webappsec.org