Web Application Penetration Testing?

Message Topic Search Topic Options Post Reply Create New Topic Printable Version Translate Topic

   Greetings! Has anyone used a third party auditing or security firm to perform web application penetration testing against a fully patched version of 3.x? We've performed and mitigated issues related to network penetration testing from a QSA, now I need to kick the testing into the application. If you've done this, who did you use and were you pleased with the service? What can I expect in terms of cost? Anything you would like to share about the experience would be great!

Thx!

Bryan

Author	Message Topic Search Topic Options Post Reply Create New Topic Printable Version Translate Topic
bryanb Members Profile Send Private Message Find Members Posts Add to Buddy List Newbie Joined: 25-November-2009 Status: Offline Points: 0	Post Options Post Reply Quote bryanb Report Post Thanks(0) Quote Reply Topic: Web Application Penetration Testing? Posted: 25-November-2009 at 3:58pm
	Greetings! Has anyone used a third party auditing or security firm to perform web application penetration testing against a fully patched version of 3.x? We've performed and mitigated issues related to network penetration testing from a QSA, now I need to kick the testing into the application. If you've done this, who did you use and were you pleased with the service? What can I expect in terms of cost? Anything you would like to share about the experience would be great! Thx! Bryan

ProductCart Members Profile Send Private Message Find Members Posts Add to Buddy List Admin Group ProductCart Team Joined: 01-October-2003 Status: Offline Points: 135	Post Options Post Reply Quote ProductCart Report Post Thanks(0) Quote Reply Posted: 25-November-2009 at 8:02pm
	We know of several customers using McAfee Secure. We use it ourselves at Early Impact. You can sign up for free PCI compliance testing from McAfee and then upgrade to McAfee Secure here.
	The ProductCart Team Home of ProductCart shopping cart software

loracady Members Profile Send Private Message Find Members Posts Add to Buddy List Newbie Joined: 28-December-2007 Location: United States Status: Offline Points: 2	Post Options Post Reply Quote loracady Report Post Thanks(0) Quote Reply Posted: 21-December-2009 at 11:40am
	Speaking of McAfee Secure: We recently signed up for it. I keep getting notifications of vulnerabilities: 1. Login is not over a secure connection. I fixed that one (or so I thought, but I keep getting the notifications anyway.) What else can I do to fix this vulnerability? 2. Today I received one that is really over my head: Potentially Exploitable SQL Injection on *****.asp. I am using Product Cart 3.51a. I don't have a clue how to fix this one. Any ideas? (Edited by Hamish - Sorry Lorcady, See following post in a moment) Edited by Hamish - 21-December-2009 at 11:42am
	www.TheSleepShop.com

Hamish Members Profile Send Private Message Find Members Posts Add to Buddy List Admin Group Joined: 12-October-2006 Location: United Kingdom Status: Offline Points: 56	Post Options Post Reply Quote Hamish Report Post Thanks(0) Quote Reply Posted: 21-December-2009 at 11:48am
	Hi Lorcady, Sorry, edited your post to remove the name of the page, just in case it's a real vulnerability as it's not a good idea to indicate to the bad guys where to go and attack stores ! Please raise a support ticket so that we can investigate the issue in detail. Most of the time vulnerabilities are due to false alarms or site specific edits, although the latter seems unlikely on this page.
	Editing ProductCart Code? See WIKI Guidelines for Editing ProductCart's ASP Source Code

loracady Members Profile Send Private Message Find Members Posts Add to Buddy List Newbie Joined: 28-December-2007 Location: United States Status: Offline Points: 2	Post Options Post Reply Quote loracady Report Post Thanks(0) Quote Reply Posted: 21-December-2009 at 12:09pm
	Hi Hamish-- Thanks for your response and your edit of my post! I didn't buy my version of PC from Early Impact, so I can't raise a support ticket. (At least I don't think I can.)
	www.TheSleepShop.com

loracady Members Profile Send Private Message Find Members Posts Add to Buddy List Newbie Joined: 28-December-2007 Location: United States Status: Offline Points: 2	Post Options Post Reply Quote loracady Report Post Thanks(0) Quote Reply Posted: 21-December-2009 at 12:19pm
	I'm buying the support plan in a minute.
	www.TheSleepShop.com

Greg Dinger Members Profile Send Private Message Find Members Posts Add to Buddy List Certified ProductCart Developers Joined: 23-September-2006 Location: United States Status: Offline Points: 238	Post Options Post Reply Quote Greg Dinger Report Post Thanks(0) Quote Reply Posted: 21-December-2009 at 12:22pm
	I discussed the urgency of this matter with Lora and she is making arrangements to submit a ticket right away.

Hamish Members Profile Send Private Message Find Members Posts Add to Buddy List Admin Group Joined: 12-October-2006 Location: United Kingdom Status: Offline Points: 56	Post Options Post Reply Quote Hamish Report Post Thanks(0) Quote Reply Posted: 21-December-2009 at 3:23pm
	Hi, For those following this thread, who may be concerned, we can confirm there is not a security issue.
	Editing ProductCart Code? See WIKI Guidelines for Editing ProductCart's ASP Source Code