Author Topic: Newbie question on basic testing: WebSphere


Offline ladyath

  • NULL
  • Posts: 4
  • Cookies: 0
Newbie question on basic testing: WebSphere
« on: July 18, 2013, 08:58:01 pm »
I've been lurking as a guest for a while and finally registered in the hopes of some advice.  At work, we're putting together an IBM WebSphere solution and while still in early development, we want to do some basic security tests against our dev environment just to make sure that the right doors are bolted and silly security mistakes are avoided.  Since we're not really professionals when it comes to testing, what tool sets would be useful?  I'm currently looking at Burp Suite and of course Metasploit, but are there any others that might give useful results?

Offline RedBullAddicted

  • Moderator
  • Sir
  • *
  • Posts: 519
  • Cookies: 189
Re: Newbie question on basic testing: WebSphere
« Reply #1 on: July 19, 2013, 08:06:42 am »
Hi ladyath,

To become a part of this forum it is necessary to post an introduction in the members introduction board. If it is any good and you post informative content in addition, you could become a member of our community too. It's not to bash on you, just to explain how we roll. We just want to know something about the new members before we start helping.

As for your question: There are plenty of tools that could help in your testing phase. As you already bought IBM WebSphere you might want to give some more money to IBM and buy Rational AppScan :) TBH there is always something you will miss as long as you don't have a deep understanding of what you are doing there. I would recommend having a look at OWASP (https://www.owasp.org/index.php/Main_Page) or reading some books about web application security testing. The ebook section should provide you with everything you need. A quick use of the search function, for example, returned this:
http://evilzone.org/ebooks/hacking-web-apps-detecting-and-preventing-web-application-security-problems/msg59198/#msg59198
Don't know if it is good because I haven't read it. I do not have any experience with WebSphere, but I assume you will have a database backend, and I am sure there are different databases that are supported by WebSphere. TBH I also googled that: http://www.redbooks.ibm.com/redpapers/pdfs/redp4577.pdf . If you are going to use MS SQL Server you could maybe use sqlmap or another tool to test for SQL injections. To check if the server and the running applications/services are "secure", or at least that there isn't an exploit for the version you are using, you can use nmap / Metasploit / http://www.exploit-db.com/ (or any other good site). Describe the way you want to set up your infrastructure a bit more. What is it exactly you want to test (web application, WAF, server security, firewall ...)? If it is going to be a professional web application you should consider paying someone to pentest it.

Now go ahead and post an introduction, come back here and give us more information and we will see how we can help :)

Edit: Another result from a quick google search. Maybe this is interesting for you:
http://erpscan.com/wp-content/uploads/pub/Penetration%20from%20application%20down%20to%20OS%20%28IBM%20Websphere%29.pdf
http://www.securityfocus.com/bid/30500
http://www.securitytube.net/video/3298
http://www.ibm.com/developerworks/websphere/techjournal/1005_botzum/1005_botzum.html
http://www.redbooks.ibm.com/redbooks/pdfs/sg247660.pdf

Cheers,
RBA
« Last Edit: July 19, 2013, 08:21:37 am by RedBullAddicted »
Deep into that darkness peering, long I stood there, wondering, fearing, doubting, dreaming dreams no mortal ever dared to dream before. - Edgar Allan Poe

Offline ladyath

  • NULL
  • Posts: 4
  • Cookies: 0
Re: Newbie question on basic testing: WebSphere
« Reply #2 on: July 19, 2013, 06:14:31 pm »
Thank you very much for the info :) I really appreciate it! I have also been hunting down some of the architecture papers from IBM to get a better understanding of how WebSphere architecture fits together. I might be looking at some of the extended integration where it is touching other systems too, and your advice on what to look at is definitely going to be relevant.

Apologies for not posting my intro first - that has now been remedied.

I'll take a stab at a couple of tests against our dev server and will most certainly check back here.

Offline Daemon

  • VIP
  • Baron
  • *
  • Posts: 845
  • Cookies: 153
  • A wise man fears a gentle man's anger
Re: Newbie question on basic testing: WebSphere
« Reply #3 on: July 23, 2013, 10:56:35 pm »
My main man RBA seems to have the exploitation of the software pretty well covered, but keep in mind all security tests follow the same formula for a reason:

Recon -> Scanning (ports, Nessus, etc.) -> then exploitation

So you want to check not only the software, but your network architecture, to see what all is open to the world, because it doesn't matter how secure your WebSphere box is if the next IP address on the network has telnet open and full admin permissions. Maybe this is out of scope for what you're looking for, but it's definitely worth keeping in mind if you want to be as secure as possible. If it's hosted on a VPS or GoDaddy or something though, you're just going to have to trust your hosting provider to take care of that.

Welcome and stuff, good luck with your testing :)
This lifestyle is strictly DIY or GTFO - lucid

Because sexploits are for h0edays - noncetonic


Xires burns the souls of HF skids as a power supply
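
A small exposure review in the spirit of Daemon's point about the neighbouring box, added here as an example and not code from any post in the thread: it parses nmap's XML report (`nmap -oX`, constructed inline for two hypothetical dev hosts) and lists every open TCP port that is not in an assumed per-host baseline of what should be reachable. The addresses and the baseline are assumptions; 9080/9443 are WebSphere's default HTTP/HTTPS transports and 9060 its default admin console port.

```python
import xml.etree.ElementTree as ET

# Constructed nmap -oX output: the WebSphere dev box and the host next to it.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="10.0.0.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="9080"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="9443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="9060"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="8880"><state state="closed"/><service name="soap"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="10.0.0.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="1433"><state state="open"/><service name="ms-sql-s"/></port>
    </ports>
  </host>
</nmaprun>"""

# Assumed baseline (hypothetical): the only ports each dev host is meant to expose.
# The 9060 admin console is deliberately absent so the review flags it.
EXPECTED_OPEN = {
    "10.0.0.10": {22, 9080, 9443},
    "10.0.0.11": {1433},
}

def open_ports(nmap_xml):
    """Return {host: {(port, service), ...}} for every open TCP port in an nmap XML report."""
    result = {}
    for host in ET.fromstring(nmap_xml).iter("host"):
        addr = host.find("address").get("addr")
        ports = set()
        for port in host.iter("port"):
            # Skip closed/filtered ports and anything that is not TCP.
            if port.get("protocol") == "tcp" and port.find("state").get("state") == "open":
                svc = port.find("service")
                ports.add((int(port.get("portid")), svc.get("name") if svc is not None else "?"))
        result[addr] = ports
    return result

def unexpected_exposure(nmap_xml, expected=EXPECTED_OPEN):
    """List (host, port, service) triples that are open but missing from the baseline."""
    findings = []
    for addr, ports in sorted(open_ports(nmap_xml).items()):
        allowed = expected.get(addr, set())  # unknown hosts have an empty baseline
        findings.extend((addr, p, s) for p, s in sorted(ports) if p not in allowed)
    return findings
```

Calling `unexpected_exposure(SAMPLE_NMAP_XML)` on the constructed report flags the admin console on the WebSphere box and telnet on its neighbour, which is exactly the kind of finding a scope limited to the web application would miss.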

Offline ladyath

  • NULL
  • Posts: 4
  • Cookies: 0
Re: Newbie question on basic testing: WebSphere
« Reply #4 on: July 23, 2013, 11:11:57 pm »
Very good point!  I'll be sure not to have any testing scope end with just the web application or database vulnerabilities.  Thanks for the heads up  ;D