Saturday, 12 April 2014

Web App Pentest - Part 5 XSS

Introduction

In my previous article we have seen which are the different ways of fuzzing including suffix and prefix. We used those fuzzing techniques in order to find error messages in web application. Now as we know how to fuzz, we will use that skill to find XSS generally known as cross site scripting.

Friday, 11 April 2014

Web App Pentest - Part 4 Suffix & Prefix in Fuzzing

Introduction
In this series of article, last time we talked about the fuzzing and various SQL statement special characters which can be used in fuzzing the web application. In this article I am going to focus on various prefixes and suffix of fuzzing in order to fuzz the target web application.

Web App Pentest - Part 3 Fuzzing



Introduction
When We test the web application, we do not test a single page but we test lot of page of a single web application. So each page may have more than one variable so technically you will be engaging with ton of variables within your web application test. So when you inject anything to the input it is good to know what kind of effect your injection is making to the server. In this part of these article series we will look at the importance of simple alphabetic injection along with the web page encoding technology and how it does effect on our testing and result.

Web App Pentest - Part 2 Indentifying Injection Points

Identifying Injection Points
If your web page is static, you cannot test it as far as security concern. You can test it at some sort of view but you can’t play with it much as compare to dynamic page. Nikto scanner is a good utility which works best in testing static sites. There has to be some interaction between client and server via login panel, comment section, register page, contact us form and so on.