OWASP

As you might have noticed, both of those methodologies focus more on performing a network
penetration test than on anything built specifically for testing web applications. The OWASP
testing methodology is what we follow for all “application penetration tests” we do here at
RHA InfoSEC. The OWASP testing guide contains almost everything that you would
test a web application for. The methodology is comprehensive and is designed by some of the best
web application security researchers.

Categories of Penetration Test

When the scope of the penetration test is defined, the category/type of the penetration test
engagement is also defined along with it. The entire penetration test can be Black Box, White Box, or
Gray Box depending upon what the organization wants to test and how it wants the security
paradigm to be tested.

Black Box

A black box penetration test is where little or no information is provided about the specified target.
In the case of a network penetration test this means that the target’s DMZ, target operating
system, server version, etc., will not be provided; the only thing that will be provided is the IP ranges
that you would test. In the case of a web application penetration test, the source code of the web
application will not be provided. This is a very common scenario that you will encounter when
performing an external penetration test.

White Box

A white box penetration test is where almost all the information about the target is provided. In
the case of a network penetration test, information on the application running, the
corresponding versions, operating system, etc., is provided. In the case of a web application penetration test,
the application’s source code is provided, enabling us to perform the static/dynamic “source code
analysis.” This scenario is very common in internal/onsite penetration tests, since organizations are
concerned about leakage of information.

Gray Box

In a gray box test, some information is provided and some is hidden. In the case of a network
penetration test, the organization provides the names of the application running behind an IP;
however, it doesn’t disclose the exact version of the services running. In the case of a web application
penetration test, some extra information, such as test accounts, back end server, and databases, is
provided.