  1. #1

    Are a userid and password needed for testing vulnerabilities in a website?

    We are a company that has many web applications developed in ASP.NET. Our Internet Service Provider (Telefonica) wants to test our web sites looking for vulnerabilities. For that, they are asking us to provide them a userid and password (read-only access) for each web site.


    It's the first time I've heard that for testing vulnerabilities in websites you need to give a userid and password to an ISP. Isn't it supposed that for testing vulnerabilities you should try to break or hack websites without knowing that precious info? Maybe I'm wrong.

  2. #2
    Join Date: Dec 2011 | Location: Montreal | Posts: 334
    Quote Originally Posted by jbeteta View Post
    We are a company that has many web applications developed in ASP.NET. Our Internet Service Provider (Telefonica) wants to test our web sites looking for vulnerabilities. For that, they are asking us to provide them a userid and password (read-only access) for each web site.
    1. If your application is like this, offering a username and password to access a limited area (for non-subscribers, testing, trying, demos, etc.), then yes, it is OK.

    Quote Originally Posted by jbeteta View Post
    It's the first time I've heard that for testing vulnerabilities in websites you need to give a userid and password to an ISP. Isn't it supposed that for testing vulnerabilities you should try to break or hack websites without knowing that precious info? Maybe I'm wrong.
    Yes, it is not OK if my "1" is not the case. Any test for vulnerabilities should be done without a username or password. If I have the username and password, what is the purpose of the test?


    Regards
    ROWEBCA
    Server Services

  3. #3
    Thanks for your response.

    Now, on second thought, could that be the difference between Vulnerability Testing and Penetration Testing?

  4. #4
    I'm guessing they're going to look at your code and scan for malware or hacked software.

  5. #5
    Join Date: Dec 2011 | Location: Montreal | Posts: 334
    Quote Originally Posted by jbeteta View Post
    Thanks for your response.

    Now, on second thought, could that be the difference between Vulnerability Testing and Penetration Testing?
    Look here:

    https://security.berkeley.edu/conten...ation=node/195

    Just an example of how others are doing this.


    Regards
    ROWEBCA
    Server Services

  6. #6
    Ya, that sounds fishy. Pen testing is supposed to be done without the username or password. Did you try asking for a detailed explanation as to why they need those credentials?

  7. #7
    Join Date: Feb 2005 | Location: Australia | Posts: 5,842
    Quote Originally Posted by jbeteta View Post
    Our Internet Service Provider (Telefonica) wants to test our web sites looking for vulnerabilities.
    Are you absolutely sure about that? My first thought would be a phish from someone pretending to be your ISP.
    Chris

    "Some problems are so complex that you have to be highly intelligent and well informed just to be undecided about them." - Laurence J. Peter

  8. #8
    Finally, I know what kind of vulnerability testing they are going to perform. They are going to use Qualys Guard Scan and perform "authenticated scans". First time I've heard about that. According to the Qualys company, they are very helpful for finding security vulnerabilities:

    https://community.qualys.com/thread/11562

    Any experience with that kind of scans?

  9. #9
    Join Date: Mar 2003 | Location: California USA | Posts: 13,294
    Well,
    if you have user-dynamic content, a username/password can be useful to test features that are not wide open.
    In the end, if you want your site tested for vulns, you don't need an automated scan. You need guys who perform input validation manually.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
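The two posts above (#8 on Qualys "authenticated scans" and #9 on credentials being useful for features that are not wide open) describe the idea without showing it. The following is an added illustration, not code from the thread, from Qualys, or from the poster's ASP.NET sites: a constructed toy site with public, read-only and admin pages, plus a crawler that models a scanner's session. Run once with no session (unauthenticated scan) and once with the read-only account the ISP asked for, it shows which pages each scan can actually inspect, which requests the read-only account is denied, and a check for pages that answer 200 to a role that should not see them (an access-control finding only an authenticated scan can reach). All routes, roles and bodies are constructed for the example.

```python
"""Toy model of unauthenticated vs authenticated vulnerability scan coverage.
Added example; the site, routes and roles are constructed, not a real product."""
from collections import deque
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample site: path -> (role required, HTML body).
# None means the page is public; "reader" is the read-only test account.
APP_ROUTES: Dict[str, Tuple[Optional[str], str]] = {
    "/": (None, '<a href="/about">About</a> <a href="/login">Login</a> '
                '<a href="/account">My account</a>'),
    "/about": (None, "Public company information."),
    "/login": (None, '<form action="/login" method="post"></form>'),
    "/account": ("reader", '<a href="/reports">Reports</a> <a href="/export">Export</a>'),
    "/reports": ("reader", 'Report viewer. <a href="/admin/users">Users</a>'),
    "/export": ("reader", "csv,data"),
    "/admin/users": ("admin", "Full user list."),
}
ROLE_RANK: Dict[Optional[str], int] = {None: 0, "reader": 1, "admin": 2}

HREF_RE = re.compile(r'href="([^"]+)"')


def fetch(path: str, session_role: Optional[str]) -> Tuple[int, str]:
    """Simulated server: enforce the role each route requires."""
    if path not in APP_ROUTES:
        return 404, ""
    required, body = APP_ROUTES[path]
    if required is None:
        return 200, body
    if session_role is None:
        return 302, "/login"        # anonymous visitors are sent to the login form
    if ROLE_RANK[session_role] < ROLE_RANK[required]:
        return 403, ""              # logged in, but not authorised for this page
    return 200, body


def crawl(session_role: Optional[str]) -> Dict[int, Set[str]]:
    """Breadth-first crawl from "/" following links, grouped by HTTP status.
    session_role models the scanner's session: None is an unauthenticated
    scan, "reader" an authenticated scan using the read-only account."""
    seen: Set[str] = set()
    queue = deque(["/"])
    by_status: Dict[int, Set[str]] = {}
    while queue:
        path = queue.popleft()
        if path in seen:
            continue
        seen.add(path)
        status, body = fetch(path, session_role)
        by_status.setdefault(status, set()).add(path)
        if status == 200:            # only pages we can read yield new links
            for link in HREF_RE.findall(body):
                if link not in seen:
                    queue.append(link)
    return by_status


def coverage(session_role: Optional[str]) -> List[str]:
    """Pages the scanner can actually inspect (status 200) with this session."""
    return sorted(crawl(session_role).get(200, set()))


def authz_violations(session_role: str) -> List[str]:
    """Pages that returned 200 to this session although they require a higher
    role. Empty here because the toy server enforces roles correctly; a
    non-empty list would be a broken-access-control finding."""
    return sorted(p for p in coverage(session_role)
                  if ROLE_RANK[APP_ROUTES[p][0]] > ROLE_RANK[session_role])


if __name__ == "__main__":
    print("unauthenticated scan sees:", coverage(None))
    print("read-only account sees:   ", coverage("reader"))
    print("denied to read-only:      ", sorted(crawl("reader").get(403, set())))
    print("authz violations:         ", authz_violations("reader"))
```

The unauthenticated crawl stops at the login redirect and inspects three public pages; the read-only session reaches the account, report and export pages as well, which is exactly the surface an unauthenticated scan never exercises. The 403 on the admin page is what the defender wants to see from a scoped test account, and the empty violations list is the check that the account stayed within its role. For a real engagement the same reasoning argues for a dedicated scan account with the minimum role, created for the scan window and removed afterwards, with its requests logged so the scan's activity can be reviewed.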
