
Penetration Testing

LegacyForum
LegacyForum Posts: 1,664 ✭✭
Webking and Penetration Testing
How could one go about using Webking to perform penetration testing? With the new regulations requiring penetration testing on all sites that transact using Visa or Mastercard by June 30, I'd like to know how to go about using Webking to do it for me.

Thanks!

PJM

Comments

  • LegacyForum
    LegacyForum Posts: 1,664 ✭✭
    Within the next few weeks we will release a new version of WebKing that will contain penetration testing capabilities (with the correct license features enabled). At that time we will provide documentation and other resources to show users how to perform penetration testing using WebKing.
  • LegacyForum
    LegacyForum Posts: 1,664 ✭✭
    Security testing is now available in WebKing 5.0. It requires WebKing Security edition as well as an optional security license.

    Using WebKing's security testing functionality, you can automate security static analysis and penetration testing to determine whether your Web application is vulnerable to the most common and devastating types of Web security attacks (including SQL injection, cross-site scripting [HTML injection], buffer overflow, improper error handling, parameter manipulation, caching problems, and "Web bugs") and to verify whether the organization's security policy is implemented and operating properly. Once you have identified vulnerabilities or other security problems, you can diagnose and correct the root causes.

    While spidering a site or recording a path, WebKing can automatically generate a suite of security penetration tests. WebKing's available security tests attempt to exploit the following vulnerabilities:
    • SQL Injections: When SQL statements are dynamically created as software executes, there is an opportunity for a security breach by passing fixed inputs into the SQL statement, making them a part of the SQL statement. This could allow an attacker to gain access to privileged data, login to password-protected areas without a proper login, remove database tables, add new entries to the database, or even login to an application with admin privileges.
    • Cross-Site Scripting: Cross-site scripting problems occur when user-modifiable data is output verbatim to HTML. Subsequently, an attacker can submit script tags with malicious code, which is then executed on the client browser. This allows an attacker to deface a site, steal credentials of legitimate users, and gain access to private data.
    • Parameter Manipulation: When input parameters to a Web application are not properly validated, it can lead to vulnerabilities in the underlying system. In native applications, buffer overflow attacks can occur when input parameter data sizes go unchecked. These vulnerabilities could cause system crashes or could even lead to unauthorized information being returned to the client application.
    • HTML-Level Vulnerabilities: The HTML of the Web application's pages can make the application vulnerable to security issues such as interceptable passwords, Web bugs (Web page images designed to monitor who is reading the Web page), ActiveX controls, caching issues that can allow unauthorized users to access sensitive information, and comments that may divulge excessive information.
    WebKing can automatically create the following tests at the project or path level: SQL Injection Tests, Cross Site Scripting Tests, Parameter Fuzzing Tests, and Security Static Analysis. These tests are described in the WebKing User's Guide.

    Additionally, the automatically-generated security test suite can be customized to verify that your organization's unique security policy requirements are implemented and operating correctly. For details, contact a Parasoft representative.
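The three vulnerability classes listed in the post above (SQL injection, cross-site scripting, and parameter manipulation) come down to the same root cause: untrusted input being spliced into a statement, a page, or a buffer without validation. The following Python is an added illustration, not WebKing code and not from the original post; it shows a vulnerable handler next to its hardened form for each class, plus a small probe routine of the kind an automated suite runs to tell the two apart. The database, user names, the `MAX_USERNAME_LEN` limit and the probe inputs are all constructed for the example.

```python
import html
import sqlite3

# Assumed limit for the constructed example; real limits come from the schema.
MAX_USERNAME_LEN = 32


def make_db():
    """Constructed in-memory database with two sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "user"), ("admin", "admin")])
    conn.commit()
    return conn


# --- SQL injection: concatenation vs. parameter binding ---------------------

def lookup_unsafe(conn, name):
    """Vulnerable: the input text becomes part of the SQL statement itself."""
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    """Hardened: the driver binds the value; it can never change the statement."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


# --- Cross-site scripting: verbatim output vs. HTML escaping ----------------

def render_unsafe(name):
    """Vulnerable: user-modifiable data is written into the HTML verbatim."""
    return "<p>Hello, " + name + "</p>"


def render_safe(name):
    """Hardened: every character with HTML meaning is escaped before output."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


# --- Parameter manipulation: validate size and character set first ----------

def validate_username(name):
    """Reject over-long or non-alphanumeric parameters before they reach
    the database or the page; this also removes the inputs both probes use."""
    if not (1 <= len(name) <= MAX_USERNAME_LEN):
        return False
    return name.isalnum()


# --- A minimal probe suite, in the spirit of auto-generated tests ------------

def run_probes(lookup, render):
    """Runs one probe per class against the supplied handlers and returns the
    names of the checks that fail (an empty list means both probes passed)."""
    conn = make_db()
    failures = []
    # Tautology probe: a lookup for a non-existent name must return no rows.
    if lookup(conn, "' OR '1'='1") != []:
        failures.append("sql_injection")
    # Reflection probe: a tag submitted as data must not come back unescaped.
    if "<script>" in render("<script>alert(1)</script>"):
        failures.append("cross_site_scripting")
    return failures


if __name__ == "__main__":
    print("unsafe handlers fail:", run_probes(lookup_unsafe, render_unsafe))
    print("safe handlers fail:  ", run_probes(lookup_safe, render_safe))
```

Note that the parameter check alone would already block both probe inputs, but it is not a substitute for binding and escaping: a name that is legitimately allowed to contain quotes or angle brackets still has to be bound and escaped at the point of use.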
  • LegacyForum
    LegacyForum Posts: 1,664 ✭✭
    edited May 2006
    I thought it requires WebKing Enterprise Edition plus the optional license.

    ***********
    I didn't check the post date before submitting this.