Testing an application built with MS Access

tedjamestedjames Scruffy-looking nerfherdrMember Posts: 1,159 ■■■■■■■■□□
Has anybody tested an application built with MS Access? If so, which tools did you use? What did you test for?

Comments

  • DatabaseHeadDatabaseHead Teradata Assc 16, CSM, MS Access 2016, 2019 Member Posts: 2,566 ■■■■■■■■■□
    edited May 4
    Depends what type of testing?  In VB, you can test the code using the watch feature or stop points / step through to test the code.  That's assuming the application has VB embedded into it.  

    Is the Database stand alone or does it connect to external databases using DAO or ODBC?  

    It's hard to say until the scope of the application is known.  

    Does the application have VB in it or is it primarily designed and built with the features provided by MS Access?
    Does it connect to an external data source?
    Is this a new application or have enhancement been applied to this database?

    What type of testing?
    Unit testing the code?
    Regression testing the previous features?
    Stress Testing with current user on it?
    UAT, interface, bugs, correct functionality?
  • tedjamestedjames Scruffy-looking nerfherdr Member Posts: 1,159 ■■■■■■■■□□
    Sorry, I should've been more clear. It's security/penetration testing.

    Re: your other questions, You've given me a lot to research. Thank you! Until now, I've only tested traditional web apps with a standard set of tools (e.g., Tenable, ZAP, Burp, etc.). This is an internal-only app that connects to an internal server. I'm looking for ways to attack it.

    Thanks for your help!
  • DatabaseHeadDatabaseHead Teradata Assc 16, CSM, MS Access 2016, 2019 Member Posts: 2,566 ■■■■■■■■■□
    tedjames said:
    Sorry, I should've been more clear. It's security/penetration testing.

    Re: your other questions, You've given me a lot to research. Thank you! Until now, I've only tested traditional web apps with a standard set of tools (e.g., Tenable, ZAP, Burp, etc.). This is an internal-only app that connects to an internal server. I'm looking for ways to attack it.

    Thanks for your help!
    Look at the password tables, see if they are hashed out.  Also look at the VBA code in the editor, how they are passing credentials back and forth.  Is there hard coded passwords in the VBA that can be exploited?  

    The ODBC drivers are sometimes programmed into the modules which can have service accounts with passwords, I've seen it before.  

    GL man
  • JDMurrayJDMurray MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ Surf City, USAAdmin Posts: 11,767 Admin
    Scan all the fields looking for unencrypted PII and financial info, such as SSN and CCN. Plain-text exposure of such info in a database is a violation of PCI-DSS and a few other data privacy standards. Look at comment fields for free-form text that contains info about the internals of the software, database, or network (e.g., passwords).
  • tedjamestedjames Scruffy-looking nerfherdr Member Posts: 1,159 ■■■■■■■■□□
    Thanks to both of you for your great advice! This is going to be a real learning experience. Luckily, I have a few months in which to test.


    He suggested I use sqlmap. I'll definitely be testing for Blind SQL Injection.

Sign In or Register to comment.