White Box Support Resources CompTIA Pentest – If you’re going to be conduct test in the software application space, there may be a lot of resources that you’re provided as a penetration tester. There are many support resources and one of them are:
- Architectural diagrams
- Sample application requests.
- SDK documentation
- SOAP project files
- Swagger document
The first thing we’re going to talk about is your architectural diagrams. You may be given, as a pen tester in a white box test, network diagrams, software flowcharts or physical maps of the organizational facilities. This can help you design your physical penetration test or, in the case of network diagrams, save you a lot of time in enumerating and discovering the network.
This is going to help you to map out that network much, much quicker, figure out where the switches and servers are in the physical environment and identify anywhere that there are key information security systems that you might be able to attack as part of your penetration test.
Sample Application Requests
Now when we start moving into software testing, as a pen tester, the first thing you might be given is a sample application request. And this is going to be used when you’re doing web application or software testing. And its going to be some software that’s been developed specifically by the organization you’re testing.
So it’s not like they’re going to give you some sample application requests for Microsoft Word but they may for their web applications. And they’re going to give you things like the input and the expected output. And so while you’re testing, you can see if the pattern works. If you put x in, do you get what’s expected out? If you put in y, do you get a different result? And that’s where this sample application request is going to come into play.
If the organization has built their own web apps it’s likely that they’ve used some standard software development kit or SDK. And, if they do that, it’s going to have a lot of inherent vulnerabilities that may exist in their application because of that. For example, last year in 2017, one of the big vulnerabilities that was out there, was due to Apache Struts, which is a common software development kit that was used by a lot of web applications. White Box Support Resources
And so, if you used that, you’ve imported their libraries and when somebody found a vulnerability in one it now carries forward into your software. And so you have to look at your SDK, the software development kit, because it provides a set of tools and libraries and documentation and code samples, processes and guide to allow people to make applications faster, which is great.
But it also allows reuse of libraries and if that library is vulnerable, those vulnerabilities get packed into your application. So, as a pen tester, if you identify that you’re using a particular SDK, like Apache Struts, then you can go ahead and test against that.