Software testing
DVoropaev, 2017-05-21 13:11:24

How to write a penetration testing script?

Comrades, could you point me to some good material on testing web applications?
There is an educational project (an online store) written in Java EE and using Oracle DB. There is access to the source, so it is possible to test with both white-box and black-box methods.
The option of "poking at random and saying here is an SQL injection, and here is an XSS" is ruled out right away. What is required is a test scenario, and then a detailed report that lists the vulnerabilities found, their classification, and recommendations for fixing them.
Please share examples of such scenarios and reports.
Since I am new to this, fully automated testing is not suitable for me.


2 answers
Daemon23RUS, 2017-05-21
@Daemon23RUS

You cannot use the white-box method until you have completed the black-box penetration tests and written the report.

So I need to get deep into this topic; if I press a button in the program, it will scan and throw out a list of vulnerabilities, and my knowledge will not increase.
You yourself understand perfectly well that you will not gain knowledge either if you just write down a list of vulnerabilities of the listed systems. But if "religion" does not allow you to click the button, you can arm yourself with a list of all known vulnerabilities (for example, CVE) and craft a payload for each by hand. And do not forget that at first you work with a black box: you need to get as much information about the system as possible, and, based on your assumptions, try to find a vulnerability. Each piece of information you receive will simply become one of the next points in the scenario. I think it would be appropriate to click the autotest button first.
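What the answer describes in prose (black-box probes, one hypothesis per step, each result classified and paired with a recommendation, then rendered as a report) can be written down as a small scenario runner. The following is an added example, not code from the thread or from the OP's project: the shop is simulated in-process by a constructed FakeStore class so the script runs offline, and the endpoint and parameter names (/search, q, /product, id) are assumptions. Against the real deployment the FakeStore.get() call would be replaced by an HTTP request, and each step's oracle would be checked against the live response.

```python
"""Minimal black-box test scenario with a structured findings report.

Added example (not the thread's or the project's own code). FakeStore is a
constructed stand-in for the Java EE / Oracle shop; /search, q, /product and
id are assumed endpoint and parameter names.
"""
import html
import json
import re
from dataclasses import dataclass, asdict
from typing import Callable, List, Optional

XSS_MARKER = "<zq1337>"              # unique tag: reflected verbatim == unencoded output
ORA_ERROR = re.compile(r"ORA-\d{5}")  # Oracle error codes leaking into a response


class FakeStore:
    """Simulated target (constructed for the example, not the real store).

    /search mirrors two classic defects so the scenario finds something:
    input concatenated into SQL (surfaces Oracle ORA-xxxxx errors) and
    unencoded reflection. /product validates its id, so that probe should
    come back negative and the report should say so.
    """

    def get(self, path: str, params: dict) -> str:
        if path == "/search":
            q = params.get("q", "")
            sql = f"SELECT * FROM products WHERE name LIKE '%{q}%'"  # vulnerable concatenation
            if sql.count("'") % 2:  # unbalanced quote -> Oracle parse error leaks out
                return "HTTP 500\nORA-01756: quoted string not properly terminated"
            return f"<h1>Results for {q}</h1>"  # vulnerable: no output encoding
        if path == "/product":
            pid = params.get("id", "")
            if not pid.isdigit():  # strict validation, id bound as a number server-side
                return "HTTP 400\nInvalid product id"
            return html.escape(f"Product {pid}")
        return "HTTP 404"


@dataclass
class TestStep:
    name: str
    path: str
    param: str
    payload: str
    category: str                              # classification used in the report
    oracle: Callable[[str], Optional[str]]      # returns evidence string, or None
    recommendation: str


@dataclass
class Finding:
    step: str
    path: str
    param: str
    payload: str
    category: str
    vulnerable: bool
    evidence: str
    recommendation: str


def oracle_sql_error(resp: str) -> Optional[str]:
    m = ORA_ERROR.search(resp)
    return m.group(0) if m else None


def oracle_reflected(resp: str) -> Optional[str]:
    return XSS_MARKER if XSS_MARKER in resp else None


FIX_SQLI = "Use PreparedStatement with bound parameters; never concatenate input into SQL."
FIX_XSS = "HTML-encode output in the JSP (<c:out> or fn:escapeXml) before rendering user input."

# One hypothesis per step; each step is a point in the scenario.
SCENARIO: List[TestStep] = [
    TestStep("SQLi probe on search term", "/search", "q", "'",
             "CWE-89 SQL Injection", oracle_sql_error, FIX_SQLI),
    TestStep("SQLi probe on product id", "/product", "id", "1'",
             "CWE-89 SQL Injection", oracle_sql_error, FIX_SQLI),
    TestStep("Reflected XSS on search term", "/search", "q", XSS_MARKER,
             "CWE-79 Cross-site Scripting", oracle_reflected, FIX_XSS),
]


def run_scenario(target, steps: List[TestStep]) -> List[Finding]:
    findings = []
    for s in steps:
        resp = target.get(s.path, {s.param: s.payload})
        evidence = s.oracle(resp)
        findings.append(Finding(s.name, s.path, s.param, s.payload, s.category,
                                evidence is not None, evidence or "", s.recommendation))
    return findings


def render_report(findings: List[Finding]) -> str:
    confirmed = sum(1 for f in findings if f.vulnerable)
    lines = [f"Findings: {confirmed} confirmed out of {len(findings)} test steps", ""]
    for f in findings:
        status = "VULNERABLE" if f.vulnerable else "not reproduced"
        lines += [f"[{status}] {f.step}",
                  f"  Classification: {f.category}",
                  f"  Request: GET {f.path}?{f.param}={f.payload}"]
        if f.vulnerable:
            lines += [f"  Evidence: {f.evidence}", f"  Recommendation: {f.recommendation}"]
        lines.append("")
    return "\n".join(lines)


def report_json(findings: List[Finding]) -> str:
    return json.dumps([asdict(f) for f in findings], indent=2)


if __name__ == "__main__":
    print(render_report(run_scenario(FakeStore(), SCENARIO)))
```

The point of the structure is that every step records its hypothesis (category), the exact request, and the oracle that confirms it, so the report is reproducible rather than a list of guesses; negative results stay in the report because "we probed this and could not reproduce it" is part of the coverage statement.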

Valera Figol, 2017-06-09
@Kamrit

Black-box testing method + Kali Linux, which has many goodies for security testing.
