This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Testing: Information Gathering"

(Information Gathering)
(Information Gathering)
Line 8: Line 8:
 
Often it’s possible to gather this information by receiving a response from the application targets because there're old and backup files or default bad configurations not changed from administrators on web server.<br>
 
Often it’s possible to gather this information by receiving a response from the application targets because there're old and backup files or default bad configurations not changed from administrators on web server.<br>
  
''Application Discovery:''<br>
+
''Application Discovery:'' The application discovery testing is an activity oriented to the identification of the web applications hosted on a web server.<br>
 +
This analysis is important because many times there isn't a direct link with the main application because they are applications for administration or old web-app used for testing or others never deleted.<br>
 +
For these reasons this part of information gathering process is
 
''Spidering and googling:''<br>
 
''Spidering and googling:''<br>
 
''Analisys of error code:''<br>
 
''Analisys of error code:''<br>
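Review bot: the last added line, "For these reasons this part of information gathering process is", stops mid-sentence and has no trailing <br>, so the Application Discovery paragraph ends without a conclusion and runs straight into the "Spidering and googling" heading in the rendered revision. Finish the sentence and terminate it with <br> like the two added lines above it. The second added line also uses "because" twice in one sentence; splitting it ("...there isn't a direct link from the main application. These are administration applications, old test applications, or others never deleted.") would make the reason for the test clearer. The unchanged context still spells "Analisys" for "Analysis".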

Revision as of 14:00, 2 November 2006

OWASP Testing Guide v2 Table of Contents

Information Gathering


Every security test needs a first phase devoted to collecting the information necessary to carry out the penetration test of a web application correctly.
This activity can draw on different sources and use many methods: using public tools such as search engines, sending purposely forged requests to elicit error messages that reveal the versions and technologies used by the application, or analyzing and discovering the front-end/back-end infrastructure and applications in order to collect further useful information.
Often it is possible to gather this information from the responses of the target application, because old and backup files are present on the web server or because insecure default configurations were never changed by the administrators.

Application Discovery: Application discovery testing is an activity oriented to identifying the web applications hosted on a web server.
This analysis is important because often there is no direct link from the main application to these applications: they are administration applications, old web applications used for testing, or others that were never deleted.
For these reasons this part of information gathering process is
Spidering and googling:
Analysis of error code:
Infrastructure configuration management testing:
SSL/TLS Testing:
DB Listener Testing:
Application configuration management testing:
File extensions handling:
Old file testing:
4.2.1 Application Discovery
4.2.2 Spidering and googling
4.2.3 Analysis of error code
4.2.4 Infrastructure configuration management testing
4.2.4.1 SSL/TLS Testing
4.2.4.2 DB Listener Testing
4.2.5 Application configuration management testing
4.2.5.1 File extensions handling
4.2.5.2 Old, backup and unreferenced files
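
An administrator can check their own web server for the two conditions described above: old and backup files, and applications with no direct link from the main application. The following is an added example, not part of the original guide: it audits a local document root, and the suffix list, the `index.html` entry page and the sample tree are assumptions constructed for illustration.

```python
import posixpath
import tempfile
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import unquote, urlsplit

# Assumed suffixes for leftover copies; the page itself names no list.
BACKUP_SUFFIXES = (".bak", ".old", ".orig", "~")
# Constructed sample document root: a linked site plus leftovers nobody links to.
SAMPLE = {"index.html": '<a href="about.html">About</a><img src="/img/logo.png">',
          "about.html": '<a href="../index.html">Home</a>', "img/logo.png": "",
          "index.html.bak": "old copy", "test/app.old": "", "admin/login.html": "",
          "admin/index.html": '<form action="login.html"></form>'}

class LinkCollector(HTMLParser):  # gathers href/src/action values from one page
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        self.links += [v for k, v in attrs if k in ("href", "src", "action") and v]

def audit_docroot(root, entry="index.html"):
    """Return (backup_files, unreferenced_files) as paths relative to root."""
    files = {p.relative_to(root).as_posix() for p in Path(root).rglob("*") if p.is_file()}
    seen, queue = set(), [entry]
    while queue:  # follow local links, starting at the entry page
        page = queue.pop()
        if page in seen or page not in files:
            continue
        seen.add(page)
        if not page.endswith((".html", ".htm")):
            continue
        parser = LinkCollector()
        parser.feed(Path(root, page).read_text(encoding="utf-8", errors="replace"))
        for parts in map(urlsplit, parser.links):
            if parts.scheme or parts.netloc or not parts.path:
                continue  # external link, or fragment/query only
            base = "/" + posixpath.dirname(page)  # resolve relative to the linking page
            target = posixpath.normpath(posixpath.join(base, unquote(parts.path))).lstrip("/")
            queue += [target, posixpath.join(target, "index.html")]  # file or directory index
    backups = sorted(f for f in files if f.lower().endswith(BACKUP_SUFFIXES))
    return backups, sorted(files - seen)

def audit_sample():  # builds SAMPLE in a temporary directory and audits it
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLE.items():
            path = Path(tmp, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body, encoding="utf-8")
        return audit_docroot(tmp)
```

On the sample tree the `admin/` application and both leftover copies are reported as unreferenced, which is the inventory to review and remove before the server is exposed.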

