
Exercise: What web application are we facing?

Solutions for this exercise

We want to know more about a "target" application

Suppose we have been asked to check the security of the BFH-TI web site.

Draw a map

Use WebScarab NG to draw a map of the application used by the site www.ti.bfh.ch.
Look at the content of the different directories (in case some old source code is still available there).

Check which application is used

Use the view-source function of your browser to find out which application generates the pages (for instance a generator meta tag, or characteristic paths and parameter names).

Use google to gather information

Use the gathered information to find the "install" page and the back-end login page.
Try default user names and/or passwords.
Check whether a brute-force protection exists (for example, whether repeated failed logins are slowed down or locked out).

Find which pages are not "standard"

Search the site map for "extensions". Write down all entry points (pages and parameters) of the different extensions. Try to supply forged input to all those entry points.
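The steps above (map the site, identify the generating application, list the entry points, and single out the non-standard "extension" pages) can also be done with a small spider. The script below is an added example, not part of the exercise page or of WebScarab: it crawls a constructed sample site (the URLs, the "ExampleCMS" generator string, the "/ext/" prefix used to recognise extensions and the "backend"/"install" path hints are all assumptions made for illustration, not observations about www.ti.bfh.ch), collects the generator meta tag, and reports every script path together with the parameter names seen in links and forms.

```python
"""Map a web application from its HTML and list its entry points (added example)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse, parse_qs

# Constructed sample site (NOT the real www.ti.bfh.ch): URL -> HTML body.
SAMPLE_SITE = {
    "http://example.test/": '<html><head><meta name="generator" content="ExampleCMS 4.2">'
        '</head><body><a href="/index.php?id=12">Studies</a>'
        '<a href="/index.php?id=13&L=1">Studies (en)</a>'
        '<a href="/ext/news/list.php?cat=3">News</a>'
        '<a href="http://other.test/page">External</a></body></html>',
    "http://example.test/index.php?id=12": '<html><body>'
        '<form action="/ext/search/search.php" method="get">'
        '<input name="q"><input name="page" type="hidden" value="1"></form>'
        '<a href="/backend/login.php">Login</a></body></html>',
    "http://example.test/index.php?id=13&L=1": "<html><body>nothing new</body></html>",
    "http://example.test/ext/news/list.php?cat=3":
        '<html><body><a href="/ext/news/show.php?uid=7">item</a></body></html>',
    "http://example.test/ext/news/show.php?uid=7": "<html><body>article</body></html>",
    "http://example.test/ext/search/search.php": "<html><body>search form</body></html>",
    "http://example.test/backend/login.php": '<html><body>'
        '<form action="/backend/login.php" method="post">'
        '<input name="user"><input name="pass" type="password"></form></body></html>',
}

# Path fragments that usually mark installer or administration pages (assumption).
ADMIN_HINTS = ("install", "backend", "admin", "login")
# Prefix under which the hypothetical CMS serves its extensions (assumption).
EXTENSION_PREFIX = "/ext/"


class PageParser(HTMLParser):
    """Collect the generator meta tag, links and forms of one HTML page."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.generator = None
        self.links = []   # absolute URLs of <a href>
        self.forms = []   # (absolute action URL, method, [field names])
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.generator = a.get("content")
        elif tag == "a" and a.get("href"):
            self.links.append(urljoin(self.base_url, a["href"]))
        elif tag == "form":
            self._form = (urljoin(self.base_url, a.get("action") or ""),
                          (a.get("method") or "get").lower(), [])
            self.forms.append(self._form)
        elif tag in ("input", "select", "textarea") and self._form and a.get("name"):
            self._form[2].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def crawl(start_url, fetch, max_pages=200):
    """Breadth-first spider limited to the start host; fetch(url) returns HTML or None."""
    host = urlparse(start_url).netloc
    queue, seen, pages = [start_url], set(), {}
    while queue and len(pages) < max_pages:
        url = queue.pop(0)
        if url in seen or urlparse(url).netloc != host:
            continue            # stay on the target host, visit each URL once
        seen.add(url)
        body = fetch(url)
        if body is None:
            continue
        page = PageParser(url)
        page.feed(body)
        pages[url] = page
        queue.extend(page.links)
        queue.extend(action for action, _method, _fields in page.forms)
    return pages


def detect_generator(pages):
    """First generator meta tag found on any crawled page, or None."""
    return next((p.generator for p in pages.values() if p.generator), None)


def entry_points(pages):
    """Map each script path to the parameter names seen in URL queries and form fields."""
    eps = {}
    for url, page in pages.items():
        u = urlparse(url)
        eps.setdefault(u.path, set()).update(parse_qs(u.query, keep_blank_values=True))
        for action, _method, fields in page.forms:
            a = urlparse(action)
            eps.setdefault(a.path, set()).update(fields)
            eps[a.path].update(parse_qs(a.query, keep_blank_values=True))
    return eps


def interesting_paths(eps):
    """Paths that look like installer or back-end pages (candidates for default credentials)."""
    return sorted(p for p in eps if any(h in p.lower() for h in ADMIN_HINTS))


def extension_paths(eps):
    """Paths that are not part of the core application: here, everything under EXTENSION_PREFIX."""
    return sorted(p for p in eps if p.startswith(EXTENSION_PREFIX))


if __name__ == "__main__":
    found = crawl("http://example.test/", SAMPLE_SITE.get)
    eps = entry_points(found)
    print("generator:", detect_generator(found))
    for path in sorted(eps):
        print(path, sorted(eps[path]))
    print("admin/install candidates:", interesting_paths(found and eps))
    print("extension entry points:", extension_paths(eps))
```

To run it against a live site, replace `SAMPLE_SITE.get` with a function that performs the HTTP request (and that you are authorised to run against the target). The parameter list per path is exactly the list of inputs to fuzz in the last step; the extension paths are the ones least likely to have received the scrutiny the core application got.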
Copyright Emmanuel Benoist 2008-2013