Testing: Information Gathering

[Up]

Information Gathering
Every activity about security testing needs a first phase oriented to collection of the information necessary for the correct development of penetration test on web applications. This information collection can be carried out to search on different sources and with many methods using public tools as search engine or using fictitious requests purposely forged so we can receive error messages that give back the versions and technologies used for the application. Often it’s possible to gather this information by receiving a response from the application targets because there are default bad configurations not changed from administrators. 4.2.1 Application Discovery 4.2.2 Spidering and googling 4.2.3 Analisys of error code 4.2.4 Infrastructure configuration management testing 4.2.4.1 SSL/TLS Testing 4.2.4.2 DB Listener Testing 4.2.5 Application configuration management testing 4.2.5.1 File extensions handling 4.2.5.2 Old, backup and unreferenced files

OWASP Testing Guide v2 Table of Contents