How does a pen tester check that an app doesn't make privileged information available to unprivileged users?

David Geer asked:

By trying to access sections to which they should not have rights.
Including, but not limited to, depending on where the application runs, i.e. on the web, trying to add entries to the URL to make it appear .....

You need to be more detailed.
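The check described above (take a low-privileged session, request resources it should not own, and see whether they come back) can be made systematic as an authorization-matrix audit. The following is an added example, not code from the thread or from any participant; the record store, the two toy handlers and the policy are constructed for illustration, and in a live test the handler call would be replaced by an HTTP request made under each user's session.

```python
"""Authorization-matrix audit: exercise every resource as every session and
flag any 200 response that the access policy says that session may not get.
All data, handlers and sessions below are constructed for this example."""
from dataclasses import dataclass

# Constructed sample data store: each record has an owner.
RECORDS = {
    1: {"owner": "alice", "salary": 90000},
    2: {"owner": "bob", "salary": 70000},
}

# Constructed policy: admin may read any record, a user only their own.
def allowed(user, role, record_id):
    return role == "admin" or RECORDS[record_id]["owner"] == user

# Two toy handlers for the same endpoint: the first never checks who is
# asking (the defect a tester finds by editing the id in the URL), the
# second enforces the policy before returning data.
def handler_vulnerable(user, role, record_id):
    return 200, RECORDS[record_id]          # missing authorization check

def handler_fixed(user, role, record_id):
    if not allowed(user, role, record_id):
        return 403, None
    return 200, RECORDS[record_id]

@dataclass(frozen=True)
class Finding:
    user: str
    role: str
    record_id: int

def audit(handler, sessions):
    """Return one Finding per (session, record) pair that leaked data."""
    findings = []
    for user, role in sessions:
        for rid in RECORDS:
            status, body = handler(user, role, rid)
            if status == 200 and body is not None and not allowed(user, role, rid):
                findings.append(Finding(user, role, rid))
    return findings

# Constructed test sessions: two ordinary users and one admin.
SESSIONS = [("alice", "user"), ("bob", "user"), ("root", "admin")]

if __name__ == "__main__":
    for name, h in (("vulnerable", handler_vulnerable), ("fixed", handler_fixed)):
        print(name, audit(h, SESSIONS))
```

The vulnerable handler yields one finding per cross-user read (alice reading record 2, bob reading record 1), while the fixed handler yields none; the admin session produces no findings under either, because the policy permits its reads.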
btan, Exec Consultant, commented:
The auditor will ask for the error log for attempts by the non-privileged user to access that sensitive information. This is the most straightforward. But a pentester has to do better, as it would be a black box and not going through this route of reviewing logs.

Do some first cut on open services of the system and identify which is the critical system; specifically, know how and where the sensitive information is stored. Good if you can map out the logical segments of the infrastructure and the tiered architecture (web/app/db).

Do a check on the identity directory or possibly an AD scan for user credentials; commonly it is to phish for user email accounts that are publicly available and attempt some phishing email to solicit a faked login to spoof and siphon away identity logins. I must say you need sanction from the user and can really stop here, since the rest is just to show you know the network and you have the list of users.

Best if you can scope down the targeted services, otherwise it is too huge to say pentest based on objectives.

Ultimately, you need to find a way to get those ACLs off the identity store or siphon code from the application service to validate the ACL check logic. It may be easier if you know the services targeted and do a "call" on them and enumerate the exposed public interfaces.
Shaun Vermaak, Technical Specialist, commented:
From a database point of view, a common attack vector (still) is SQL injection, which tricks the server into giving more information than initially intended. This can sometimes even be used to create a full dump of the DB.

btan, Exec Consultant, commented:
Another area that I am thinking of is weak authentication.
Frequently, administrators and technicians choose weak passwords, never change the default, or do not set any password at all. Manuals for most software and hardware can be easily found online and will provide the default credentials. Internet forums and official vendor mailing lists can provide information on undocumented accounts, commonly used passwords and frequently misconfigured accounts. Finally, many web sites document default/backdoor passwords and should be checked for every identified system.
David Geer, Author, commented:
Thank you all. I love complete answers that you can explain clearly and simply.