Friday 6 May 2011

Web Attacks. Web 1.

OWASP has an 'open source project that helps you test your knowledge on web application security. You can use it to actually attack web applications in a realistic but also controllable and safe environment. On the left menu you can see all attack scenarios that are currently available.'
Wicked!

I've just completed Web 1 although I have to admit I had help.

Go have a go. http://hackademic1.teilar.gr

I'll post what I did sometime in the future.

Monday 2 May 2011

I have an idea: I'll over-complicate things! Sweet.

The other week, I sent a link out to my tester colleagues. It was a link to Corkboard; I thought it'd be useful.

Alan Richardson, the Test Manager, came back a short while later to say he'd accessed somebody else's Corkboard without being given the URL, that it took him 5 minutes, and that I should drop all the work I was doing and see how long it took me (well, I made up the 'drop all the work' part).

Timeboxing myself to 5 mins, I dove in.

I went straight to Firebug and Burpsuite and also looked at the source.

Had he managed to hijack a session? Worked out a pattern for the URLs? Found something useful in the source code? Got onto the server?

After looking at the source code, using Burpsuite to check out the requests and using Firebug to look for clues, I couldn't see anything that stood out.

I called over my colleague Adrian, or rather I stopped him on the way to the toilet, and we had a quick look together.

We used Burpsuite to intercept every request individually and look for clues; nothing stood out.

We stopped.

Spent about 10 mins.

Walked over to Alan and asked him how he did it; we tried Burpsuite, etc.

He said 'you're over-complicating it, look' and typed in 'corkboard.me/test', which brought up a Corkboard.

!$£%£$^£$^£!

Lessons learnt:

* Ask more questions before you start.
* It's very tempting to dive straight in, don't, take a minute to think.
* Keep it simple (alternatively start with the simple).
* If it's not something you're involved in creating then realise somebody else probably tested it and may have left 'evidence'.
* It's possible to have 10 min test challenges.

NB. Not that it's overly important but when I started this post Alan was Test Manager, he now no longer is.