Pentesting web and mobile applications is a fairly new and tricky field, although the area is developing quickly and new ideas come up every day. PenTest magazine has prepared several articles on web/mobile penetration testing so you can check your knowledge against that of experts. If you would like to know more about testing iOS, preventing CSRF attacks, or preparing a proper web/mobile pentest report, we encourage you to go through the following issue.
The teaser is available for free download and consists of the first pages of every article in the publication. We hope you will enjoy it.
TABLE OF CONTENTS
Pentesting Web Applications: The Process – Not Just another Report
by Rey Ayers
Pentesting of web applications is usually conducted quarterly or annually by a third-party vendor to ensure that segregation-of-duties and regulatory requirements are met. The depth of testing depends on the complexity of the application; it requires specialized knowledge of the application and of the application development process, which can be very time consuming. These circumstances result in widely varying costs for the scope of work. This article describes the preparation for the test as well as the testing process itself.
Application Testing Basic Checklist for Pentesters
by Nitesh Shilpkar
Web applications are the chief way in which companies represent themselves in the online world. E-commerce businesses use them for online transactions, and ordinary people readily provide them with private and personal information. We almost never ask ourselves how safe web surfing really is. This article reminds pentesters what they need to do in order to assess the security of web applications successfully.
Mobile Applications: The True Potential Risks ‒ Where to Look for Information When Performing a Pentest on a Mobile Application
by Michael Trofi and Duane Schleen
This article mainly covers what security professionals should be looking for when performing a penetration test of a mobile application. Although similar data concerns exist on Android and Windows 7-based phones, the main discussion here concentrates on data found in iOS applications.
Black Box Analysis of iOS Applications
by Adam Kliarsky
Nowadays, security professionals face a new challenge: assessing and mitigating the risk associated with mobile devices. Each device and each installed application presents a potential risk to end users and organizations, whether directly or indirectly. It is imperative that the mobile devices and applications our users rely on are penetration tested on a regular basis as well. This article discusses how to analyze iOS applications using black-box techniques, breaking a given app down into separate components in order to identify potential risks.
Remedy for Mobile Application Vulnerabilities
by Patrice Coles
How can you identify and defend against the coming onslaught of mobile application vulnerabilities? How can you evaluate the effectiveness of your mobile application security program? This article looks at how performing a penetration test against a mobile application can pinpoint and remediate application security issues, as well as give you a picture of the risks posed by a mobile platform.
Pentester’s Suitcase: Everything You Need to Keep Web Applications Safe
by Atul Tiwari
Front-facing web applications are always a target for malicious hackers. This article explains how to protect web applications using various tools and techniques. Pentesting web applications from a hacker's perspective reveals the weak, internet-exposed applications that could be targeted by bad guys.
AIDE (Advanced Intrusion Detection Environment)
by Deepanshu Khanna
This research paper describes how the integrity of files can be checked so that any changes an attacker has made to them are detected. The tool used is called AIDE, which stands for Advanced Intrusion Detection Environment.
Automating POST-Method CSRF Attacks
by Justin Hutchens
Cross-Site Request Forgery is often compared to XSS (Cross-Site Scripting), but really…this isn’t accurate. XSS exploits a vulnerability on a target server to access, manipulate, and exploit data on the client-side. Really, CSRF does just the opposite. CSRF uses an unsuspecting client system’s browser to manipulate data and/or perform unauthorized transactions on the server-side (although this data is often unique to the user’s account, profile, session, and so on). In this essay, I am going to discuss what a CSRF attack is, the distinction between GET-method and POST-method CSRF vulnerabilities, and how to streamline the exploitation process for more effective testing.
Facts and Myths About Cross-Site Request Forgery and Possible Protection Approaches
by Manikandan Swaminathan
Interview with Mark Curphey
Mark Curphey is an outstanding information security specialist with over 15 years in the game, founder of the famous OWASP Foundation, and a former employee of several big companies including Microsoft; he is currently focused on his own startup, SourceClear. Born and raised in England, he got his master's degree in information security from Royal Holloway, University of London. At the moment he is living in Seattle with his wife and three children and is in the process of writing his book entitled Practical Software Security. We asked him a few questions about the upcoming publication, OWASP, his work, and web application security in general.