Pen testing for web applications Flashcards

1
Q

What are the steps for a successful web application test?

A
  1. Understand the application you are testing
    - Google
    - access to application code
    - talk to people
  2. Check for low-hanging fruit
    - scanners and tools
  3. Spend time diving into what makes sense
2
Q

How do you know what to look for during a pen test?

A

Good resources:
- OWASP top 10
- OWASP Application Security Verification Standard (ASVS)

3
Q

What is a weakness of only using scanners or only working through a check list?

A

You have to be aware of how an application is supposed to work, and the context in which you see information. A scanner cannot find this, and it is easily missed when working through a checklist.

4
Q

What are some weaknesses with tools?

A

Limited coverage

Can provide a false sense of security

As frameworks become better, automated scanners are less effective

5
Q

What causes vulnerabilities?

A

When developers have a limited view of what the application is actually doing.

This can be caused by layers of libraries and frameworks that abstract away what is actually happening under the hood.

Making things without knowing how they work

6
Q

How to be an ethical pentester

A

Don’t hack things you don’t own or don’t have explicit permission to test. Only use applications normally to see how they work, which may sometimes reveal security issues.

If someone asks you to hack something, make sure they have the authorization to give you that task.

Keep within scope

Only go as far as necessary to demonstrate a risk

7
Q

What information is gathered during reconnaissance?

A

What information is public:
- open source
- Google
- Shodan
- certificate transparency logs

Can you decompile the code?

Look at network traffic (Burp, browser dev tools)

8
Q

What is important to consider during testing?

A

Because there are lots of grey areas, document your research.

Regulations vary between legal jurisdictions.

If you are testing a system made by a company of a different nationality, you may need to comply with your own country’s law, the company’s country’s law and possibly EU law.

Is reverse engineering allowed?
