I've been asked by my company to test its security because it got hacked a week ago. I have no security experience whatsoever; I only know a bit of networking and have 2 years of web programming. Anyway, my boss asked me to check the security. So it means I need to learn about it.
At first, I tried to clear the basic missions first. But after a week, my boss got impatient and wanted me to test the website. He even threatened me: find at least one security hole in one month or he will cut my year-end bonus.
I can't post the URL here because of security reasons and company policy.
Here's what I have done:
1. Used the ZAP scanner to find holes, but to no avail.
2. Running skipfish (still running), so no results yet.
What I know:
1. All user input and parameters are sterilized using SQL prepared statements
2. Uses the Java and JSP languages
3. Uses Windows Server and a MySQL database
How it was hacked the first time: someone used a Windows command to delete all the data. Damn cracker.
What I want to ask: can you point me in the right direction to hack my company website?
Any method you can think of is fine. I'll do the hacking myself.
PS: I'm using BackTrack right now because of its enormous number of tools.