How does a pen tester check that an app doesn't make privileged information available to unprivileged users?
How does a pen tester check that an app doesn't make privileged information available to unprivileged users?
Do more with
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
By trying to access sections to which they should not have rights.
Including, but not limited to depending on where the application runs I.e. On a web, trying to add entries to the URL to make it appear .....
You need to be more detailed.
Including, but not limited to depending on where the application runs I.e. On a web, trying to add entries to the URL to make it appear .....
You need to be more detailed.
Auditor will ask for error log for attemots of the non privileged user accessing those sensitive information. This is the most straightforward. But pentester has to do better as ot would be a blackbox and not going throught this route of reviewing logs.
Do some first cut on open services of the system and identify which is critical system, specifically know how amd where the sensitive information are stored. Giod if you can map out logical segment of the infrastructure and the tiered architecture (web/app/db).
Do a check on the identity directory or possibly AD scan for user credential, commonly is to phished for user email account publicly available and attempt some phished email to solicit faked login to spoof and siphon away identity login. I must say you need sanction from the user and can really stop here since the rest is just to show you know the network and you have the list of user.
Best of you can scope down the yarheted services otherwise it is too huge to say pentest based on objectives.
Ultimately, you need to find a way to get those acl off the identity store or siphon codes from the appl service to validate ACL check logic. May be easier if you know the services targeted and do a "call" on it and enumerate the expose public interfaces..
Do some first cut on open services of the system and identify which is critical system, specifically know how amd where the sensitive information are stored. Giod if you can map out logical segment of the infrastructure and the tiered architecture (web/app/db).
Do a check on the identity directory or possibly AD scan for user credential, commonly is to phished for user email account publicly available and attempt some phished email to solicit faked login to spoof and siphon away identity login. I must say you need sanction from the user and can really stop here since the rest is just to show you know the network and you have the list of user.
Best of you can scope down the yarheted services otherwise it is too huge to say pentest based on objectives.
Ultimately, you need to find a way to get those acl off the identity store or siphon codes from the appl service to validate ACL check logic. May be easier if you know the services targeted and do a "call" on it and enumerate the expose public interfaces..
From a database point of view, a common attack vector (still) is SQL injection which tricks server to give more information than initially intended. This can sometimes even be used to create a full dump of the DB.
Another area that I am thinking is weak authentication
Frequently, administrators and technicians choose weak passwords, never change the default or do not set any password at all. Manuals for most software and hardware can be easily found online, and will provide the default credentials. Internet forums and official vendor mailing lists can provide information on undocumented accounts, commonly-used passwords and frequently misconfigured accounts. Finally, many web sites document default/backdoor passwords and should be checked for every identified system.
Premium Content
You need an Expert Office subscription to comment.Start Free Trial