
Introduction
As we know application layer is the closest layer to the end user, it provides hackers with the largest threat surface. Poor app layer security can lead to performance and stability issues, data theft, and in some cases the network being taken down, so Software testers and penetration testers must do aggressive testing for each function related to your system to avoid any issue may lead to successful cyber-attack.
“Weaknesses at any origination comes for their people, So we have to get the right people in the right places at the right time with the right skills and the right tools”
If we applied this recommendation, i am sure that you can deliver a product with good quality and secure, So one my engagements at a huge financial origination i could access mail server with authorized credentials so how and it could be?
Yes, and i got this from something not related to main services of this organization. My way to detect a bug or security flow at any service not depends to detect normal vulnerability i focus on logic flow and parameters that can make an error inside execution of system application that can dump critical information. so at this organization developer uses some of third party mail services so tried to pass inputs may lead to execution error and guess what! dumped message returned with people who receives this mail and credentials of mails server that will execute orders to send mail.
Recommendations
- As penetration tester focus to understand system flow and how to fail this process
- As Software tester do not every let any parameters without test validate
- Type
- Length
- Fuzz
- Malicious Payloads