Time
4 hours 20 minutes
Difficulty
Intermediate
CEU/CPE
5

Video Description

In this second video on web app pentesting best practices, we discuss the important issue of when to test. This matters because the customer's operations can be negatively impacted by your testing. In the agreement discussed in the previous video about gaining permission, you will also need to specify when you will be testing. Testing that places a large load on a system should be performed off-hours, most typically at night. However, certain types of tests will need to be performed during normal operating hours in order to determine whether the customer is capable of detecting various kinds of attacks with their intrusion detection system.

Video Transcription

00:04
When to test is an important consideration as well. When you're pen testing, this should be placed in the agreement that was made prior to testing, because when to test is just as important
00:17
as what to test for,
00:20
for a few reasons. Testing that places a large load on a system should be done at night. If the system goes down, it gives the customer time to bring it back up before normal operating hours. This helps reduce the risk of the individual or customer who you're testing for
00:39
losing money.
00:41
If you take down a system
00:44
or a website that is used to generate revenue: if the web application was developed correctly, it could take a beating. However, not all web applications were developed to handle large amounts of malicious traffic. However, there are certain types of tests that should be done during normal operating hours,
01:00
and this can be used to identify if the customer can catch the attack itself.
01:06
So if they don't have a lockout policy, for example, for passwords, the time that you would want to do a brute force attack would be during operating hours. It's not going to place a large load on the system. This is something you will want to know: whether they can identify it with the intrusion detection system
01:25
that they should have in place for their web application.
01:29
Setting up times to reduce the load and to help prevent a system from going down makes the customer view you as somebody who is going to be very careful on their network.
01:45
One of the things that you're going to come across when you are working with individuals is
01:51
their lack of understanding of exactly what you will be doing on their network,
01:56
and this will cause them to be very apprehensive. However, if you place things like specific testing times for different forms of tests
02:05
in the agreement,
02:07
it causes people to view you as someone who is going to be safe
02:13
on their network.
02:15
Many times you will have to work with systems that are utilized and maintained by multiple departments.
02:21
It is important to develop relations with all departments that your testing will affect.
02:25
If you fail to do so and something happens, such as the web application crashing, departments that are unsure of you may become aggressive and try to blame you, even if you haven't
02:36
begun testing yet. So this is something I've seen myself when going in to perform a Web application test.
02:44
You will go to the organization and start performing your tests,
02:47
and you'll start getting individuals from other departments whose
02:54
systems interact with the web application, who start becoming very aggressive and watching everything you do.
03:02
Developing relationships weeks prior, or in some cases you may not have weeks, days or a week prior, with these other departments is very critical to your success and very critical
03:16
to your
03:20
Web pen tests going
03:22
smoothly
03:23
and with
03:24
fewer headaches. So
03:27
organize some kind of conference call with them all, or call a person or two from the different departments who you may be affecting. Give them an understanding of exactly what you will be doing.
03:39
Tell them what your tests will do to that network or to that system and ask them if they have any concerns. Answer any questions that they may want answered. Put their minds at ease, because when you go into that network, if you don't have
03:57
good relationships with all of the departments that you may be affecting,
04:00
it's going to be a very aggressive environment when you go in there. Then it may be very hard for you to get access to an area
04:09
of that system
04:11
that you may need access to. So if you need to get into a certain part of the building that houses a server
04:18
and
04:19
your contact who
04:23
initially hired you isn't
04:25
available at that moment,
04:28
but there is somebody who is able to get you into that area. If you don't have a good relationship with them,
04:33
then
04:35
your testing is effectively going to be on hold at that point.
04:41
And to the customer, you sitting around and doing nothing is just going to look really bad on you.
04:47
So developing those relationships is going to make things very easy for you when you go to test somewhere.
04:55
What was covered: we discussed gaining permission and the kind of stuff that you're going to need to put into the agreement. We also discussed building rapport.
05:01
We talked about
05:03
the items that are critical for the customer to know. We also discussed when to test and talked about how you want to
05:13
put as little load on the network as possible, and we also discussed working with other departments and establishing good relationships with them prior to going in to test.
05:25
This portion of web pen testing can keep you safe and make things go very easily for you. Remember this stuff prior to going in to test.
05:34
Happy hacking, everyone.

Up Next

Web Application Penetration Testing

In this web application penetration testing course, SME, Raymond Evans, takes you on a wild and fascinating journey into the cyber security discipline of web application pentesting. This is a very hands-on course that will require you to set up your own pentesting environment.

Instructed By

Raymond Evans
Instructor