Testing an application built with MS Access

Has anybody tested an application built with MS Access? If so, which tools did you use? What did you test for?

Find more posts tagged with

Comments

Depends what type of testing? In VB, you can test the code using the watch feature or stop points / step through to test the code. That's assuming the application has VB embedded into it.

Is the Database stand alone or does it connect to external databases using DAO or ODBC?

It's hard to say until the scope of the application is known.

Does the application have VB in it or is it primarily designed and built with the features provided by MS Access?
Does it connect to an external data source?
Is this a new application or have enhancement been applied to this database?

What type of testing?
Unit testing the code?
Regression testing the previous features?
Stress Testing with current user on it?
UAT, interface, bugs, correct functionality?

tedjames

Sorry, I should've been more clear. It's security/penetration testing.

Re: your other questions, You've given me a lot to research. Thank you! Until now, I've only tested traditional web apps with a standard set of tools (e.g., Tenable, ZAP, Burp, etc.). This is an internal-only app that connects to an internal server. I'm looking for ways to attack it.

Thanks for your help!

DatabaseHead

tedjames said:

Sorry, I should've been more clear. It's security/penetration testing.

Re: your other questions, You've given me a lot to research. Thank you! Until now, I've only tested traditional web apps with a standard set of tools (e.g., Tenable, ZAP, Burp, etc.). This is an internal-only app that connects to an internal server. I'm looking for ways to attack it.

Thanks for your help!

Look at the password tables, see if they are hashed out. Also look at the VBA code in the editor, how they are passing credentials back and forth. Is there hard coded passwords in the VBA that can be exploited?

The ODBC drivers are sometimes programmed into the modules which can have service accounts with passwords, I've seen it before.

GL man

JDMurray

Scan all the fields looking for unencrypted PII and financial info, such as SSN and CCN. Plain-text exposure of such info in a database is a violation of PCI-DSS and a few other data privacy standards. Look at comment fields for free-form text that contains info about the internals of the software, database, or network (e.g., passwords).

tedjames

Thanks to both of you for your great advice! This is going to be a real learning experience. Luckily, I have a few months in which to test.

A friend just pointed me here: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.5-Testing_for_MS_Access

He suggested I use sqlmap. I'll definitely be testing for Blind SQL Injection.