Tuesday, July 31, 2007

Partners and Security, Part 3

Continuing with our cursory look at our partners...

Navigate through the site, look for clues. Hover over links, and note whether the pages are scripted (file names and URLs ending in .asp/.aspx, .cgi, etc.) or basic HTML.

Look for help pages: do they give away anything? Is there help available before you log in? Are password recovery procedures listed? Anything questionable there?

Look for forms: fill out a few poorly and see if they handle mistakes gracefully. NOTE, I am not suggesting you try to break the application; do not enter "or one equals one" type entries in an attempt to hack the system. You don't have (and are highly unlikely to ever get) permission, so be nice. We are looking for common mistakes and simple oversights on the part of the developer(s).

If you do find errors, look at the error messages; they can tell you quite a bit. Google the errors, and you may find that some well-known problems have been ignored.
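The two observations above (which links reveal a scripted back end, and whether error pages leak verbose detail) are just as useful turned inward: run them against your own site before a partner does. The script below is an added example, not code from the original post. It parses a constructed sample page, classifies links by the extensions the post mentions, and scans a constructed error body for the kind of verbose error text you would not want a visitor to see. The extension list and the error signatures are illustrative assumptions and should be extended for your own stack.

```python
"""Self-audit helper: classify links by technology-revealing extension and
flag verbose error text in pages of a site you operate (example code)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Extensions that reveal a scripted back end. Assumption: illustrative list,
# extend it for the frameworks you actually run.
SCRIPTED_EXTENSIONS = {".asp", ".aspx", ".cgi", ".php", ".jsp", ".pl"}

# Labelled phrases typical of unhandled-error pages. Assumption: these are
# constructed, illustrative patterns, not an exhaustive catalogue.
ERROR_SIGNATURES = [
    ("asp_net_error_page", re.compile(r"Server Error in '[^']*' Application", re.I)),
    ("stack_trace", re.compile(r"\bStack Trace\b", re.I)),
    ("database_error", re.compile(r"\bODBC\b|\bSQL Server\b|\bsyntax error\b", re.I)),
    ("java_stack_frame", re.compile(r"\bat [\w.$]+\([\w.]+:\d+\)")),
    ("php_warning", re.compile(r"\bWarning: .*on line \d+", re.I)),
]


class LinkCollector(HTMLParser):
    """Collects href targets of <a> tags and action targets of <form> tags."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag in ("a", "form"):
            for name, value in attrs:
                if name in ("href", "action") and value:
                    self.links.append(value)


def classify_links(html):
    """Return links grouped as scripted, static HTML, or other (no extension)."""
    parser = LinkCollector()
    parser.feed(html)
    result = {"scripted": [], "static": [], "other": []}
    seen = set()
    for link in parser.links:
        if link in seen:
            continue
        seen.add(link)
        path = urlsplit(link).path.lower()
        dot = path.rfind(".")
        # Only treat the suffix as an extension if it sits in the last segment.
        ext = path[dot:] if dot != -1 and "/" not in path[dot:] else ""
        if ext in SCRIPTED_EXTENSIONS:
            result["scripted"].append(link)
        elif ext in (".html", ".htm"):
            result["static"].append(link)
        else:
            result["other"].append(link)
    return result


def find_error_leaks(body):
    """Return the sorted labels of every verbose-error signature found in body."""
    return sorted(label for label, pattern in ERROR_SIGNATURES if pattern.search(body))


# Constructed sample page standing in for a response from your own site.
SAMPLE_PAGE = """<html><body>
<a href="/help/faq.html">FAQ</a>
<a href="/account/login.aspx">Log in</a>
<a href="/cgi-bin/recover.cgi?step=1">Forgot password</a>
<a href="https://partner.example/about">About</a>
<form action="/account/login.aspx" method="post"><input name="user"></form>
</body></html>"""

# Constructed sample of an error page that leaks framework detail.
SAMPLE_ERROR_BODY = """<h1>Server Error in '/' Application.</h1>
<b>Stack Trace:</b> at Login.Page_Load(Object sender) in c:\\inetpub\\Login.aspx.cs:line 42"""


if __name__ == "__main__":
    for kind, links in classify_links(SAMPLE_PAGE).items():
        print(f"{kind}: {links}")
    print("error leaks:", find_error_leaks(SAMPLE_ERROR_BODY))
```

Point `classify_links` at the HTML of each page you serve and `find_error_leaks` at the body returned for a deliberately malformed form submission; any label it returns is a page that should be replaced with a generic error before anyone outside the organisation sees it.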

Next time, we start using some tools to dig a little deeper into the website or application.