Re: [WEB SECURITY] Do we need desktop admin rights for webapplication penetration testing?
- From: clintwill@xxxxxxxxxxx
- Subject: Re: [WEB SECURITY] Do we need desktop admin rights for webapplication penetration testing?
- Date: Mon, 28 Jul 2008 01:54:50 +0000
Nice response.
Only yesterday I subscribed to this list.
A group wants me to host their SQL database.
The last thing on Earth I want to do is host an SQL database.
So I thought I'd subscribe to a professionals' list, buy a few books and become acquainted with the associated problems.
I do have computers on which I could mock-host SQL, then mock-hack-away from "outside" to expose problems. "Mock-ups."
Pointers to relevant information, greatly appreciated.
Best regards,
Clint Williams.
From: Sharevane <sharevane@yahoo.com>
To: Matthew Chalmers <matthew.chalmers@owasp.org>
Cc: websecurity@webappsec.org
Subject: Re: [WEB SECURITY] Do we need desktop admin rights for webapplication penetration testing?
Date: Mon, 28 Jul 2008 01:32:32 +0000
thanks for the email

Laptop is not possible at all as per client, and I meant desktop access for the tester's PC, not for the web application.
For web application testing I will get two separate login IDs for testing privilege escalation.

I need to know whether admin rights are required for the tester's PC or not after all the AppScan and open-source tools are installed (i.e. the PC used to install AppScan and the open-source tools).

regards

--- On Sat, 7/26/08, Matthew Chalmers <matthew.chalmers@owasp.org> wrote:

> From: Matthew Chalmers <matthew.chalmers@owasp.org>
> Subject: Re: [WEB SECURITY] Do we need desktop admin rights for webapplication penetration testing?
> To: sharevane@yahoo.com
> Cc: websecurity@webappsec.org
> Date: Saturday, July 26, 2008, 3:25 AM
>
> A couple of things you said confuse me, so I'm not sure if I (or others) will properly address your question, but... I'm going to assume you're talking about doing a remote (i.e. c/s) security assessment of a web site/application over some network and you at least have the ability to connect to a home page/front door to this site/app. You might be talking about admin access to the machine on which AppScan must be installed -- you may or may not need that. Got a spare PC? Just try installing with a 'normal' user to see if it works. My question is, why are you required to use a certain desktop from which to run your tools? Can you bring a laptop to the customer's data center? Can you scan from somewhere else on the network? AppScan and other tools can give you some limited vulnerability info about a web site/app without a login even if the root page requires a login to do/see anything, but you might want to start with some basic manual fingerprinting and enumeration first. Also, are you limited to just the web app or can you take advantage of other potential vectors like open ports/running services, the OS, etc.?
>
> If you're really "penetration testing" you're probably attempting to "break in", in which case you should not need any legitimate access, admin or otherwise, but there are so many layers to that onion it's hard to assess without some more details. If you're really "vulnerability testing" you might be better off with separate accounts for all authority levels (including or excluding full admin) to see the web app from all perspectives -- the business logic may be different for each.
>
> If you're simply looking for some explanation to give to management as to why you need admin access to their application in order to pen test it, I doubt anyone will help, because you're basically asking for a huge crutch/handicap/head start. That's not really penetration IMHO.
>
> Matt
>
> On Fri, Jul 25, 2008 at 5:13 AM, Sharevane <sharevane@yahoo.com> wrote:
>
> > Hi
> >
> > I have to perform web application penetration testing for a banking application within the company (intranet scanning).
> > But the environment is that they will not be providing admin rights and internet access for performing penetration testing.
> >
> > I will be using open-source tools other than AppScan for this activity.
> > But I am not sure whether we can perform penetration testing without admin rights.
> > Till now I have not tried penetration testing without admin rights on the desktop system which is used for scanning the web application using AppScan and open-source tools.
> >
> > I am looking for quick responses so that I can explain to management here.
> >
> > thanks & regards
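Matt's advice to just try it as a normal user can be turned into a pre-flight check that answers the thread's question for a specific tester PC. The script below is an added example for this page, not something any poster wrote. It assumes a Unix-like desktop and encodes the usual rules (listeners below port 1024 and raw-socket scans need root; a user-space intercepting proxy, a TCP connect() scan and a per-user tool install do not) rather than running AppScan or nmap itself; the install directory and the list of nmap flags are assumptions chosen for illustration.

```shell
#!/bin/sh
# Pre-flight check for a tester's PC: which parts of a web-app assessment
# actually need admin rights? Constructed example for this thread, not any
# poster's script. Assumes a Unix-like desktop; on Windows the question is
# the same (local admin vs. standard user) but the commands differ.

# Is the current account root? (Windows would check Administrators group
# membership instead; that variant is not shown here.)
current_user_is_admin() {
    [ "$(id -u)" -eq 0 ]
}

# Listeners on ports below 1024 need root (or CAP_NET_BIND_SERVICE on Linux).
# An intercepting proxy on 8080 or a local callback listener on 4444 does not.
listener_needs_admin() {
    if [ "$1" -lt 1024 ]; then echo yes; else echo no; fi
}

# Port-scan technique: anything that hand-crafts packets (SYN/UDP/ACK/NULL/
# FIN/Xmas scans, OS detection, traceroute) needs raw sockets, i.e. root.
# TCP connect() scans and version probes work as a normal user, which is all
# a web-app test against a known host needs. Flag list is an assumption.
nmap_flag_needs_admin() {
    case "$1" in
        -sS|-sU|-sA|-sN|-sF|-sX|-O|--traceroute) echo yes ;;
        -sT|-sV|-p*) echo no ;;
        *) echo unknown ;;
    esac
}

# Per-user tool install: open-source tools can live under $HOME if the
# directory is writable; no admin needed. Default directory is an assumption.
user_install_dir_ok() {
    dir="${1:-$HOME/.local/bin}"
    mkdir -p "$dir" 2>/dev/null && [ -w "$dir" ]
}

# How will HTTP traffic be captured? Reading the NIC (tcpdump/Wireshark)
# needs root or a capture group; pointing the browser at a user-space HTTP
# proxy does not.
capture_path() {
    if current_user_is_admin; then echo pcap; else echo proxy; fi
}

# Human-readable summary for the management discussion in the thread.
preflight_report() {
    port="$1"; scan="$2"
    if current_user_is_admin; then echo "account: admin"; else echo "account: standard user"; fi
    echo "proxy listener on $port needs admin: $(listener_needs_admin "$port")"
    echo "nmap $scan needs admin: $(nmap_flag_needs_admin "$scan")"
    if user_install_dir_ok; then echo "per-user tool install: ok"; else echo "per-user tool install: blocked"; fi
    echo "traffic capture path: $(capture_path)"
}

preflight_report 8080 -sT
```

Run it as the account the client will actually give you; if every line comes back "no"/"ok"/"proxy", the web-app portion of the test does not need admin rights on the desktop, and only host-level work (raw scans, packet capture) would.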
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
Brought to you by http://www.webappsec.org