This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Testing: Information Gathering"
(→Information Gathering) |
(→Information Gathering) |
||
| Line 8: | Line 8: | ||
Often it’s possible to gather this information by receiving a response from the application targets because there are default bad configurations not changed from administrators. | Often it’s possible to gather this information by receiving a response from the application targets because there are default bad configurations not changed from administrators. | ||
<br> | <br> | ||
| − | + | [[Application Discovery AoC|4.2.1 Application Discovery]]<br> | |
| − | [[Spidering and googling AoC|4.2. | + | [[Spidering and googling AoC|4.2.2 Spidering and googling]]<br> |
| − | [[Analisys of error code AoC|4.2. | + | [[Analisys of error code AoC|4.2.3 Analisys of error code]]<br> |
| − | [[Infrastructure configuration management testing AoC|4.2. | + | [[Infrastructure configuration management testing AoC|4.2.4 Infrastructure configuration management testing]]<br> |
| − | [[SSL/TLS Testing AoC|4.2. | + | [[SSL/TLS Testing AoC|4.2.4.1 SSL/TLS Testing]]<br> |
| − | [[DB Listener Testing AoC|4.2. | + | [[DB Listener Testing AoC|4.2.4.2 DB Listener Testing]]<br> |
| − | [[Application configuration management testing AoC|4.2. | + | [[Application configuration management testing AoC|4.2.5 Application configuration management testing]]<br> |
| − | [[File extensions handling AoC|4.2. | + | [[File extensions handling AoC|4.2.5.1 File extensions handling]]<br> |
| − | [[Old file testing AoC|4.2. | + | [[Old file testing AoC|4.2.5.2 Old, backup and unreferenced files]]<br> |
[[OWASP Testing Guide v2 Table of Contents]] | [[OWASP Testing Guide v2 Table of Contents]] | ||
Revision as of 16:19, 26 October 2006
[Up]
OWASP Testing Guide v2 Table of Contents
Information Gathering
Every activity about security testing needs a first phase oriented to collection of the information necessary for the correct development of penetration test on web applications.
This information collection can be carried out to search on different sources and with many methods using public tools as search engine or using fictitious requests purposely forged so we can receive error messages that give back the versions and technologies used for the application.
Often it’s possible to gather this information by receiving a response from the application targets because there are default bad configurations not changed from administrators.
4.2.1 Application Discovery
4.2.2 Spidering and googling
4.2.3 Analisys of error code
4.2.4 Infrastructure configuration management testing
4.2.4.1 SSL/TLS Testing
4.2.4.2 DB Listener Testing
4.2.5 Application configuration management testing
4.2.5.1 File extensions handling
4.2.5.2 Old, backup and unreferenced files
