8

We are a company that has many web applications developed in ASP.NET. Our Internet service provider (Telefonica) wants to test our web sites looking for vulnerabilities. For that, they are asking us to provide them credentials (read-only access) for each web site.

It's the first time that I have heard that for testing vulnerabilities in websites you need to provide such information to an ISP. I always thought that for testing vulnerabilities you should try to break or hack websites without knowing that precious info? Maybe I'm wrong.

EDIT :

Finally, I know what kind of vulnerability testing they are going to perform. They are going to use Qualys Guard Scan and perform "authenticated scans". First time I've heard about that. According to the Qualys company, they are very helpful for finding security vulnerabilities:

https://community.qualys.com/thread/11562

Any experience with that kind of scans?

Delmonte
  • 423
  • 1
  • 4
  • 7
  • Just an add-on to the answers you've had so far. You might want to get them to test on a test/dev site (with the same codebase of course). There's always a risk with testing (especially if they're using automated scanners) that it could impact the site... – Rory McCune Jan 23 '14 at 21:43

2 Answers

16

Yes, it's normal for a pen tester to ask for credentials (but not so much an ISP).

The application as a whole can't really be tested without access to credentials. Someone without credentials should only be able to interact with one interface - the login screen. Given test credentials, however, every form, every upload, every data entry point in the application can be tested. You do want to know if your users can perform SQL insertion or command shell invocation, right?

In fact, pen testers will often ask for multiple accounts, and if the site supports different privilege levels ("admin" versus "user") they'll ask for one of each. This allows them to test the different levels of application access, and also to test for the ability of one account to do something that will impact another.

Now, if your ISP is doing this, I'd expect a vulnerability scan without credentials; I doubt they're actually spending the money required to do a proper pen test. I'd probably decline if this is regular, automated testing - that's not a pen test. But there's probably lots more to know about your situation which might clarify it one way or another.

gowenfawr
  • 71,975
  • 17
  • 161
  • 198
8

While, as @gowenfawr has answered, it is normal for a professional pentester to ask for a user and password, you should ask them the following questions:

  1. What tests are you going to perform with these users? (So you know exactly what they are doing.)
  2. How are you going to manage the credentials I give you? (So you can know if they are going to protect the credentials properly.)
  3. What kind of privileges do you need for these credentials? (So you can give them the minimum privileges possible.)

Then you should be aware of what you are giving to them:

  1. You should create NEW users for the pentesters and you should monitor these users properly (so you can know what is going on).
  2. You should make the users available right when the test begins; you need to coordinate with them.
  3. You should delete the accounts as soon as the end of the tests has been reported to you.
  4. Others?

Also, let me add a clarification about penetration tests. These tests, among others, try, as you say, to find vulnerabilities so they can get some users or access to your services without them. But they should also try to perform operations that should be forbidden for different kinds of users, i.e. a normal user should not be able to gain administration privileges. So you really need to test every different user profile in your web application.

kiBytes
  • 3,450
  • 15
  • 26
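One way to act on the "create new users and monitor them" advice above, as an added example that is not part of either answer: a small Python audit over IIS W3C-style access log lines (the ASP.NET case in the question) that summarises what the dedicated test accounts touched and flags any use outside the agreed test window. The account name `pentest_ro1`, the window, the log format and the log lines are all constructed assumptions for this example.

```python
import re
from datetime import datetime

# Constructed IIS W3C-style log lines (sample data, not from the original page).
# Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
SAMPLE_LOG = """\
2014-01-23 14:02:11 GET /Account/Login - 203.0.113.5 200
2014-01-23 14:02:15 POST /Account/Login pentest_ro1 203.0.113.5 302
2014-01-23 14:03:40 GET /Reports/Export?id=1%27 pentest_ro1 203.0.113.5 500
2014-01-23 14:05:02 POST /Admin/Users/Delete pentest_ro1 203.0.113.5 403
2014-01-24 09:15:30 GET /Dashboard pentest_ro1 203.0.113.5 200
2014-01-23 14:10:00 GET /Dashboard alice 198.51.100.7 200
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<method>\S+) (?P<uri>\S+) "
    r"(?P<user>\S+) (?P<ip>\S+) (?P<status>\d{3})$"
)

def parse_lines(text):
    """Yield one dict per well-formed log line; blank or malformed lines are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        rec["status"] = int(rec["status"])
        yield rec

def audit_test_accounts(text, accounts, window_start, window_end):
    """Per test account: request count, distinct URI paths touched, 5xx responses
    (the app may have failed on a crafted input), 403s (a privilege boundary held),
    and timestamps of requests outside the agreed window (ISO strings)."""
    start, end = datetime.fromisoformat(window_start), datetime.fromisoformat(window_end)
    report = {a: {"requests": 0, "uris": set(), "server_errors": 0,
                  "forbidden": 0, "out_of_window": []} for a in accounts}
    for rec in parse_lines(text):
        acct = report.get(rec["user"])
        if acct is None:
            continue  # ordinary users and anonymous ("-") requests are out of scope here
        acct["requests"] += 1
        acct["uris"].add(rec["uri"].split("?", 1)[0])
        if rec["status"] >= 500:
            acct["server_errors"] += 1
        elif rec["status"] == 403:
            acct["forbidden"] += 1
        if not (start <= rec["ts"] <= end):
            acct["out_of_window"].append(rec["ts"].isoformat())
    return report
```

Any entry in `out_of_window`, or any activity after the account should have been deleted, is the signal to ask the testers question 1 again and to revoke the account.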