This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Testing: Information Gathering"

From OWASP
Section "Information Gathering", previous revision (from line 4):

=== Information Gathering ===
----
...Intro here....<br>
[[Spidering and googling AoC|4.2.1 Spidering and googling]]<br>

Section "Information Gathering", this revision (from line 4), added text:

=== Information Gathering ===
----
Every activity about security testing needs a first phase oriented to collection of the information necessary for the correct development of penetration test on web applications.
This information collection can be carried out to search on different sources and with many methods using public tools as search engine or using fictitious requests purposely forged so we can receive error messages that give back the versions and technologies used for the application.
Often it’s possible to gather this information by receiving a response from the application targets because there are default bad configurations not changed from administrators.
<br>
[[Spidering and googling AoC|4.2.1 Spidering and googling]]<br>

Revision as of 15:52, 17 October 2006

OWASP Testing Guide v2 Table of Contents

Information Gathering


Every security testing engagement starts with a phase devoted to collecting the information needed to plan and carry out a penetration test of the web application correctly. This information can be gathered from many sources and by many methods: public tools such as search engines, or deliberately crafted requests that provoke error messages revealing the versions and technologies the application uses. Such information can often be obtained simply from the target application's own responses, because default configurations that leak it are frequently left unchanged by administrators.
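The following Python script is an added example and is not part of the OWASP Testing Guide page. It shows the defender's side of this phase: auditing a web application's own HTTP responses (here, constructed sample responses embedded in the script, not captured from any real host) for the kind of version and technology disclosure that default error pages and server banners leak. The header names and body patterns are a small illustrative set, not an exhaustive fingerprint database, and the hardened response shows what the same 404 looks like once the banners and verbose error page have been removed.

```python
"""Added example (not part of the OWASP page): audit HTTP responses for
technology/version disclosure of the kind the Information Gathering phase
looks for. Sample responses and pattern lists are constructed for illustration."""
import re

# Response headers that commonly carry product/version banners (illustrative set).
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")

# Patterns that tend to appear in verbose error pages (constructed, illustrative).
BODY_PATTERNS = {
    "apache_version": re.compile(r"Apache/[\d.]+(?: \([^)]+\))?"),
    "php_version": re.compile(r"PHP/[\d.]+"),
    "stack_trace": re.compile(
        r"(?:\bat [\w.$]+\([\w.]+:\d+\)|Traceback \(most recent call last\))"),
    "sql_error": re.compile(
        r"(?:SQLSTATE\[[0-9A-Z]+\]|ORA-\d{5}|You have an error in your SQL syntax)"),
}


def parse_response(raw: str):
    """Split a raw HTTP/1.x response into (status_line, headers dict, body).

    Header names are lower-cased so lookups are case-insensitive."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = lines[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def find_disclosures(raw: str):
    """Return a list of (where, detail) findings for one raw response."""
    status, headers, body = parse_response(raw)
    findings = []
    for name in DISCLOSING_HEADERS:
        value = headers.get(name)
        # A bare product name is a weak leak; a version number is the real problem,
        # so only flag header values that contain a digit.
        if value and re.search(r"\d", value):
            findings.append((f"header:{name}", value))
    for label, pattern in BODY_PATTERNS.items():
        m = pattern.search(body)
        if m:
            findings.append((f"body:{label}", m.group(0)))
    return findings


# Constructed sample: a 404 from a default-configured server with a verbose error page.
VERBOSE_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache/2.0.55 (Unix) PHP/5.1.6\r\n"
    "X-Powered-By: PHP/5.1.6\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>Not Found</h1>"
    "<address>Apache/2.0.55 (Unix) PHP/5.1.6 Server at www.example.com Port 80</address>"
    "</body></html>"
)

# Constructed sample: the same 404 after hardening (generic banner, custom error page).
HARDENED_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: webserver\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>Page not found</h1></body></html>"
)


def report(label: str, raw: str) -> None:
    """Print a human-readable summary of the findings for one response."""
    findings = find_disclosures(raw)
    print(f"{label}: {len(findings)} disclosure(s)")
    for where, detail in findings:
        print(f"  {where}: {detail}")


if __name__ == "__main__":
    report("verbose default 404", VERBOSE_404)
    report("hardened 404", HARDENED_404)
```

Run against the verbose sample the script reports four disclosures (the Server and X-Powered-By headers plus the Apache and PHP versions repeated in the error page body); the hardened sample reports none. The mitigations the hardened sample represents are configuration changes rather than code: for Apache, `ServerTokens Prod` and `ServerSignature Off` trim the banner and the footer on generated error pages, `expose_php = Off` in php.ini removes the X-Powered-By header, and custom error pages replace the framework's verbose defaults.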

4.2.1 Spidering and googling
4.2.2 Analysis of error code
4.2.3 Infrastructure configuration management testing
4.2.3.1 SSL/TLS Testing
4.2.3.2 DB Listener Testing
4.2.4 Application configuration management testing
4.2.4.1 File extensions handling
4.2.4.2 Old, backup and unreferenced files

