5

First thing first; this is something I have never done before.

I have a web application written in Java (JSP and Servlet) and use MySQL as the database. Application is deployed in Amazon EC2, an Ubuntu instance configured all by my self.

Now I have a very critical "must" perform requirement to see the security holes of this application. I have been asked to do Penetration test on this.

I have below questions.

  1. When performing this test, do I have to do in my live application or in the application running in my local machine (localhost) ?

  2. I found bunch of online tools which only accepts an URL and do the test. These tools are recommended and professional ?

  3. What are the recommended tools available for Java web application penetration test? Are they "software" or kind of "API" where I have to program the entire test spending lot of time?

Improve this question
5
  • 4
    You can run some tools (e.g. Zap, Skipfish, XSSer) against your site. However, you should not claim this is a penetration test. If you need a pen test, you should hire a professional pen tester. Commented Oct 9, 2015 at 9:11
  • @paj28: Thank you. Seems like some of the applications you mentioned are developed for Kali Linux. Anything that works on windows? Commented Oct 9, 2015 at 9:41
  • OWASP ZAP is available for Windows btw. ZAP and the other tools that @paj28 mentions are called Dynamic Application Security Testing tools - they are not Penetration Testing tools. Commented Oct 9, 2015 at 10:20
  • @whoami true but the scope of the asssessment doesn't sound like a pen test anyway, sounds more like an app. security review. Problem is that people call things pen. tests when they are not... Commented Oct 9, 2015 at 10:48
  • Not sure if this is an option for you, but you could run a program on Bugcrowd or Hacker1, I think they both still offer a free tier. You will get a lot of noise, but some of the folks on there are pretty good at what they do. Commented Oct 16, 2015 at 6:57

2 Answers 2

Reset to default
8

You should get a professional to perform the test.

I however get the feeling that this not an option for you - so communicate to the person who hired you what you can do:

  1. You can use Static Analysis tools - There is a whole list of Open Source and Commercial tools available on the OWASP Secure Code analysis page.

  2. You can use Dynamic Analysis tools (or Vulnerability scanners) - See a list of Open Source / Free and commercial tools available on the OWASP Vulnerability Scanning Tools page.

  3. (You / they can hire a Penetration Testing company to perform a penetration test).

It should be noted that running Static and Dynamic analysis is not the same a professional penetration test, but it should catch some of the low hanging fruit.

To answer the question of the location/environment of the Penetration Test - I advise that you do a Penetration test in an environment which mirrors your production environment - especially if you already have clients using your application.

Improve this answer
1
  • Thank you for this answer and the comment about ZAP's availability for windows Commented Oct 10, 2015 at 16:41
2

I would recommend to get the free version of Nessus to scan the The server and fix the issues reported by it, you then need to analyze the application for OWASP top10 and WASC guideline, this could be done by utilizing some of the tools mentioned by @whoami.

you should also perform manual analysis of the application utilizing web application proxy like burp. OWASP has a guideline on how to perform the tests

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.