Conducting a thorough security assessment requires that you obtain a certain degree of understanding about the Web
application that you plan to test. Knowing something about the architecture of the application and its functionality will go
a long way toward ensuring a successful assessment.
In some cases, your assignment may have a broader scope. You may be given a range of IP addresses and required to
assess whether any Web properties on that range expose the organization to a security risk. If that is the
case, you will first have to identify every host on the range that serves a Web property (application). There are
different tools and techniques for doing this. Security auditors often use port scanners for this task. Keep in mind
that a port scanner only tells you which TCP ports are listening: a Web application can sit on a non-standard port, and a
single host can serve several applications through name-based virtual hosts, so follow up every open port with an HTTP
probe rather than checking only ports 80 and 443.
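As an added illustration of the host-discovery step (example code written for this page, not a tool from the original text), the following Python script walks every address in a CIDR block, tries a cleartext HEAD request on a handful of common web ports, and records which ports are open and what Server header, if any, came back. The port list, the timeouts and the local demo server with its "DemoWeb/1.0" banner are assumptions for the example; in a real assessment you would feed `scan_range` the full open-port list from your port scanner and add a TLS probe for ports that accept a connection but do not answer cleartext HTTP.

```python
import ipaddress
import socket
import threading
from concurrent.futures import ThreadPoolExecutor
from http.server import BaseHTTPRequestHandler, HTTPServer

# Ports that commonly carry web applications (an assumption for this example).
# Extend this with whatever the port scanner reports as open on the target range.
WEB_PORTS = (80, 443, 8000, 8080, 8443)


def classify_banner(data):
    """Classify the bytes received after a cleartext HTTP HEAD request.

    Returns ("http", server_header) when an HTTP status line came back
    (server_header is "" if no Server header was sent), and ("open", "")
    when the port accepted the connection but answered with something
    else, e.g. a TLS alert on an HTTPS-only port, or nothing at all.
    """
    if not data.startswith(b"HTTP/"):
        return ("open", "")
    head = data.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return ("http", value.strip())
    return ("http", "")


def probe(host, port, timeout=1.0):
    """Connect to host:port and try a HEAD request. None means closed/filtered."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return None
    data = b""
    with sock:
        sock.settimeout(timeout)
        try:
            sock.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            while b"\r\n\r\n" not in data and len(data) < 4096:
                chunk = sock.recv(1024)
                if not chunk:
                    break
                data += chunk
        except OSError:
            pass  # open port that never answered; classify on what we have
    status, server = classify_banner(data)
    return {"host": host, "port": port, "status": status, "server": server}


def scan_range(cidr, ports=WEB_PORTS, workers=64, timeout=1.0):
    """Return one record per open web port across every address in cidr."""
    net = ipaddress.ip_network(cidr, strict=False)
    # /31 and /32 have no separate network/broadcast address to skip
    addrs = list(net) if net.num_addresses <= 2 else list(net.hosts())
    targets = [(str(ip), p) for ip in addrs for p in ports]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        found = list(pool.map(lambda t: probe(t[0], t[1], timeout), targets))
    return [r for r in found if r is not None]


class _DemoHandler(BaseHTTPRequestHandler):
    """Throwaway HTTP server used only to exercise the scanner on loopback."""
    server_version = "DemoWeb/1.0"  # constructed banner, not a real product
    sys_version = ""

    def do_HEAD(self):
        self.send_response(200)
        self.end_headers()

    def log_message(self, *args):
        pass


def demo_against_local_server():
    """Start the demo server on 127.0.0.1, scan it, and return the results."""
    server = HTTPServer(("127.0.0.1", 0), _DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return scan_range("127.0.0.1/32", ports=(server.server_address[1],))
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for record in demo_against_local_server():
        print(record)
```

Run as a script it only scans its own loopback server; `scan_range("10.0.0.0/24")` against a range you are authorized to test gives the list of hosts and ports to carry into the rest of the assessment, and the Server header it captures is the first answer to the "Web server type" question below.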
In other cases, your assignment may cover only one or a few Web applications. It is generally
recommended that you request a walk-through of the application by one of its developers.
Here are some examples of what you need to learn about an application:
- Application hosts
- Web server type
- Web technologies
- Authentication and authorization mechanisms
- Login management details (for instance, concurrent logins and logout links)
- Session state implementation
- Application functions
- Areas that require user input