Testing an application built with MS Access
tedjames
Member Posts: 1,182 ■■■■■■■■□□
in Pentesting
Has anybody tested an application built with MS Access? If so, which tools did you use? What did you test for?
Comments
-
DatabaseHead Member Posts: 2,760 ■■■■■■■■■■Depends what type of testing? In VB, you can test the code using the watch feature or stop points / step through to test the code. That's assuming the application has VB embedded into it.
Is the Database stand alone or does it connect to external databases using DAO or ODBC?
It's hard to say until the scope of the application is known.
Does the application have VB in it or is it primarily designed and built with the features provided by MS Access?
Does it connect to an external data source?
Is this a new application or have enhancement been applied to this database?
What type of testing?
Unit testing the code?
Regression testing the previous features?
Stress Testing with current user on it?
UAT, interface, bugs, correct functionality? -
tedjames Member Posts: 1,182 ■■■■■■■■□□Sorry, I should've been more clear. It's security/penetration testing.Re: your other questions, You've given me a lot to research. Thank you! Until now, I've only tested traditional web apps with a standard set of tools (e.g., Tenable, ZAP, Burp, etc.). This is an internal-only app that connects to an internal server. I'm looking for ways to attack it.Thanks for your help!
-
DatabaseHead Member Posts: 2,760 ■■■■■■■■■■tedjames said:Sorry, I should've been more clear. It's security/penetration testing.Re: your other questions, You've given me a lot to research. Thank you! Until now, I've only tested traditional web apps with a standard set of tools (e.g., Tenable, ZAP, Burp, etc.). This is an internal-only app that connects to an internal server. I'm looking for ways to attack it.Thanks for your help!
The ODBC drivers are sometimes programmed into the modules which can have service accounts with passwords, I've seen it before.
GL man -
JDMurray Admin Posts: 13,101 AdminScan all the fields looking for unencrypted PII and financial info, such as SSN and CCN. Plain-text exposure of such info in a database is a violation of PCI-DSS and a few other data privacy standards. Look at comment fields for free-form text that contains info about the internals of the software, database, or network (e.g., passwords).
-
tedjames Member Posts: 1,182 ■■■■■■■■□□Thanks to both of you for your great advice! This is going to be a real learning experience. Luckily, I have a few months in which to test.A friend just pointed me here: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.5-Testing_for_MS_AccessHe suggested I use sqlmap. I'll definitely be testing for Blind SQL Injection.