Continuing with our cursory look at our partners...
Navigate through the site, look for clues. Hover over links, note if the pages are scripted (file names and URLs ending in .asp/.aspx, .cgi, etc.) or basic html.
Look for help pages, do they give away anything? Is there help available before you log in? Are password recovery procedures listed? Anything questionable there?
Look for forms- fill out a few poorly and see if they handle mistakes gracefully. NOTE, I am not suggesting you try to break the application, do not enter "or one equals one" type entries in an attempt to hack the system. You don't have (are are highly unlikely to ever get) permission, so be nice. We are looking for common mistakes and simple oversights on the part of the developer(s).
If you do find errors, look at the error messages, they can tell you quite a bit. Google the errors, you may find some well known problems have been ignored.
Next time, we start using some tools to dig a little deeper into the website or application.
Jack
skip to main |
skip to sidebar
Just another security blog.
About Me
- Jack Daniel
- Storyteller, Information Security Curmudgeon, Security BSides Co-Founder, Community Advocate at Tenable Network Security, Co-host at Security Voices podcast.
Contact- jdaniel/at/voodooelectronics/dot/com
Blog Archive
-
▼
2007
(57)
-
▼
July
(13)
- But Jack, isn't that hypocritical?
- Partners and Security, Part 3
- A Convert!
- Mental Health, InfoSec and Playing with Fire
- Partners and Security, Part 2
- BeanSec!
- iEnough iAlready with the iPhone!
- The good things about small business IT
- Time for an introduction
- Are the vendors clueless, or are we?
- Happy Birthday USA
- Security and Business Partners
- Security Anecdote Theater, episode 2
-
▼
July
(13)