It happens time to time that I need to do penetration test on a production system because the costumer doesn’t have any test environment. That is always a bad start. The explanation is usually that the target system is not a separate application or appliance but it is tightly integrated in the company’s infrastructure. Nevertheless it is very unfortunate from the penetration tester’s point of view. This brings the following limitations in the pentest:
- no insertion in the database that cannot be removed
- no agressive tests
- careful with business logic
For example in a production system it is difficult to decide whether clicking on a submit button will immediately order something for €1000, send out 10000 e-mails or first pop up a confirmation window which might be vulnerable to Cross Site Scripting.