Testing an application built with MS Access
tedjames
in Pentesting
Has anybody tested an application built with MS Access? If so, which tools did you use? What did you test for?
Comments
DatabaseHead:
Depends on what type of testing. In VB, you can test the code using the watch feature or stop points / stepping through to test the code. That's assuming the application has VB embedded into it.
Is the database stand-alone, or does it connect to external databases using DAO or ODBC?
It's hard to say until the scope of the application is known.
Does the application have VB in it, or is it primarily designed and built with the features provided by MS Access?
Does it connect to an external data source?
Is this a new application, or have enhancements been applied to this database?
What type of testing?
Unit testing the code?
Regression testing the previous features?
Stress testing with current users on it?
UAT, interface, bugs, correct functionality?
tedjames:
Sorry, I should've been more clear. It's security/penetration testing. Re: your other questions, you've given me a lot to research. Thank you! Until now, I've only tested traditional web apps with a standard set of tools (e.g., Tenable, ZAP, Burp, etc.). This is an internal-only app that connects to an internal server. I'm looking for ways to attack it. Thanks for your help!

DatabaseHead:
tedjames said: "Sorry, I should've been more clear. It's security/penetration testing. Re: your other questions, you've given me a lot to research. Thank you! Until now, I've only tested traditional web apps with a standard set of tools (e.g., Tenable, ZAP, Burp, etc.). This is an internal-only app that connects to an internal server. I'm looking for ways to attack it. Thanks for your help!"
The ODBC drivers are sometimes programmed into the modules, which can have service accounts with passwords; I've seen it before.
GL man
JDMurray (Admin):
Scan all the fields looking for unencrypted PII and financial info, such as SSN and CCN. Plain-text exposure of such info in a database is a violation of PCI-DSS and a few other data privacy standards. Look at comment fields for free-form text that contains info about the internals of the software, database, or network (e.g., passwords).
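An audit script for the two checks DatabaseHead and JDMurray describe above (service-account passwords embedded in ODBC connection strings inside VBA modules, and plain-text SSNs, card numbers and password hints in table fields), added here as an example and not code from this thread. The rows, module text, server and account names and values are all constructed; in practice the rows would come out of the .accdb via pyodbc and the module text from an export of the VBA editor.

```python
import re

# Constructed sample data (not real records): rows as they might be pulled
# from an Access table via pyodbc, and the text of one VBA module.
SAMPLE_ROWS = [
    {"CustID": 1, "Notes": "Called 2019-03-01", "TaxID": "123-45-6789"},
    {"CustID": 2, "Notes": "card on file 4111 1111 1111 1111", "TaxID": ""},
    {"CustID": 3, "Notes": "db pw is hunter2 for svc_acct", "TaxID": "n/a"},
]
SAMPLE_MODULE = '''
Const CONN = "ODBC;DRIVER={SQL Server};SERVER=dbsrv01;UID=svc_report;PWD=Summer2019!"
Set rs = CurrentDb.OpenRecordset("SELECT * FROM Orders")
'''

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")           # US SSN layout
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")         # 13-19 digits, spaces/dashes allowed
CONN_PWD_RE = re.compile(r"(?:PWD|PASSWORD)\s*=\s*([^;\"']+)", re.I)  # ODBC password key
HINT_RE = re.compile(r"\b(?:pass(?:word)?|pwd|pw)\b", re.I)  # free-text password hints

def luhn_ok(digits):
    """Luhn check so that arbitrary digit runs are not reported as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0

def scan_rows(rows):
    """Return (CustID, column, kind) for each string cell that looks like PII or a credential hint."""
    findings = []
    for row in rows:
        for col, val in row.items():
            if not isinstance(val, str):
                continue
            if SSN_RE.search(val):
                findings.append((row["CustID"], col, "ssn"))
            for m in CARD_RE.finditer(val):
                if luhn_ok(re.sub(r"\D", "", m.group())):
                    findings.append((row["CustID"], col, "card"))
            if HINT_RE.search(val):
                findings.append((row["CustID"], col, "credential-hint"))
    return findings

def scan_module(text):
    """Return the password values embedded in any ODBC connection string in VBA module text."""
    return [m.group(1) for m in CONN_PWD_RE.finditer(text)]
```

Findings from scan_rows are the fields to flag for encryption or removal; a non-empty result from scan_module means a service-account password is sitting in the application's code.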
tedjames:
Thanks to both of you for your great advice! This is going to be a real learning experience. Luckily, I have a few months in which to test. A friend just pointed me here: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.5-Testing_for_MS_Access
He suggested I use sqlmap. I'll definitely be testing for Blind SQL Injection.