[Help] Web Hacking Testing

Discuss the many weaknesses of browser security and ways to mitigate the threat

Post by zerolimit on Wed Jul 17, 2013 3:17 am

I've been asked by my company to test its security because it got hacked a week ago. I have no security experience whatsoever; I only know a bit of networking and have 2 years of web programming. Anyway, my boss asked me to check the security, so that means I need to learn about it.

At first, I tried to clear the basic missions. But after a week, my boss got impatient and wants me to test the website. He even threatened that I must find at least one security hole within one month or he will cut my year-end bonus. :shock:

I can't post the URL here for security reasons and because of company policy.

Here's what I have done:
1. Used the ZAP scanner to find holes, but to no avail.
2. Running skipfish (still running), so no results yet.

What I know:
1. All user input and parameters are sterilized using SQL prepared statements
2. It uses Java and JSP
3. It uses Windows Server and a MySQL database

How it was hacked the first time: someone used Windows commands to delete all the data. Damn cracker :evil:.

What I want to ask: can you point me in the right direction to hack my company website?
Any method you can think of is fine. I'll do the hacking myself.

PS: I'm using BackTrack right now because of its enormous number of tools.


Re: [Help] Web Hacking Testing

Post by fashizzlepop on Wed Jul 17, 2013 1:38 pm

Sounds like someone might have got into your server. Make sure it's properly configured.


Re: [Help] Web Hacking Testing

Post by zerolimit on Wed Jul 17, 2013 9:43 pm

fashizzlepop wrote: Sounds like someone might have got into your server. Make sure it's properly configured.


Thanks for the fast reply. Are there any tools or ebooks you can recommend to me for exploiting server misconfiguration?

-- Tue Jul 23, 2013 11:43 am --

Okay, after scanning the website using skipfish, I got a few interesting readings:
10 web pages that say: "PUT Request Accepted"

Is there a way I can test whether this is a real hole or only a false positive result?
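An added example (not part of any post in this thread) of one way to triage a "PUT Request Accepted" finding from the server side: correlate each PUT in the web server's access log with a later GET of the same path, since a success status on PUT alone does not show that anything was written. It assumes Common Log Format; the log lines, paths and verdict names are constructed for illustration.

```python
import re

# Matches the request and status fields of a Common Log Format line (assumed format).
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample lines; 192.0.2.0/24 is a documentation address range.
SAMPLE_LOG = [
    '192.0.2.10 - - [23/Jul/2013:10:01:02 +0000] "GET /index.jsp HTTP/1.1" 200 5120',
    '192.0.2.10 - - [23/Jul/2013:10:01:03 +0000] "PUT /index.jsp HTTP/1.1" 200 5120',
    '192.0.2.10 - - [23/Jul/2013:10:01:04 +0000] "GET /index.jsp HTTP/1.1" 200 5120',
    '192.0.2.10 - - [23/Jul/2013:10:01:05 +0000] "PUT /probe-a.txt HTTP/1.1" 200 312',
    '192.0.2.10 - - [23/Jul/2013:10:01:06 +0000] "GET /probe-a.txt HTTP/1.1" 404 312',
    '192.0.2.10 - - [23/Jul/2013:10:01:07 +0000] "PUT /uploads/probe-b.txt HTTP/1.1" 201 0',
    '192.0.2.10 - - [23/Jul/2013:10:01:08 +0000] "GET /uploads/probe-b.txt HTTP/1.1" 200 17',
    '192.0.2.10 - - [23/Jul/2013:10:01:09 +0000] "PUT /admin/probe-c.txt HTTP/1.1" 405 0',
]

def triage_put_requests(log_lines):
    """Classify each PUT target path seen in an access log.

    stored       - PUT got 2xx and a later GET of that path returned 200
    not-stored   - PUT got 2xx but a later GET returned 404 (likely false positive)
    inconclusive - path already served 200 before the PUT, or was never re-fetched
    rejected     - the server refused the PUT (non-2xx)
    """
    existed_before = set()  # paths that answered GET 200 before any PUT
    verdicts = {}
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # skip lines that are not in the expected format
        method, path, status = m["method"], m["path"], int(m["status"])
        if method == "PUT":
            if not 200 <= status < 300:
                verdicts.setdefault(path, "rejected")
            elif verdicts.get(path) in (None, "rejected"):
                verdicts[path] = "inconclusive"  # needs a follow-up GET to decide
        elif method == "GET":
            if path not in verdicts:
                if status == 200:
                    existed_before.add(path)
            elif verdicts[path] == "inconclusive" and path not in existed_before:
                if status == 200:
                    verdicts[path] = "stored"
                elif status == 404:
                    verdicts[path] = "not-stored"
    return verdicts

if __name__ == "__main__":
    for path, verdict in triage_put_requests(SAMPLE_LOG).items():
        print(f"{verdict:13} {path}")
```

Paths that come back as "stored" are the ones to fix in the server's write configuration; "not-stored" paths answered the method without keeping the body.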


