Thursday, April 30, 2009

Using AppDetective to audit a MySQL database

I'm still in the middle of a big project testing web applications. Most of the databases have been SQL Server or Oracle. Believe it or not, we've run into some Access databases as well. And I'll admit, I did not know that Access could be used as a back-end to a web application. Yesterday, I had to test a MySQL database. The DoD has not put out a specific checklist for MySQL, and there are no SRR Scripts for MySQL either.

We did have AppDetective, though. We've run into many issues with getting AppDetective to audit Lotus Notes databases, so I was a little worried. But, I'm happy to say that it was pretty straightforward and I got good results back.

To do this:

Fire up AppDetective
Add an application
  • Fill out the DNS Name / IP Address
  • On the Port tab, pick MySQL (and the correct version). For my test I was able to leave the default port, but you could add the port if it is not on the default.
  • On the platform tab, select the platform that the application is running on.
  • On the Miscellaneous tab, I added the version of MySQL.
Once the application is added to the right pane in AppDetective:
Expand the + signs until you reach your application.
Right-mouse click on the app, and pick Audit with...
Then choose your audit policy.

(Of course, you could run a Pen Test, or pick any number of audit policies.)

I chose Strict.

The AppDetectivePro - Run Audit window will pop up.
Right-mouse click in the username/password frame.
At this point, you can fill in the username and password combination that will grant you the access you need. I always test the DB connection, just to make sure everything connects and works.
Click OK.
Then, click the Run Audit button to start the test.
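
The MySQL version asked for on the Port and Miscellaneous tabs can be read from the greeting packet a MySQL server sends as soon as a client connects. The following is an added example, not part of the original post or of AppDetective; the function names and both sample packets are constructed for illustration, and 3306 is MySQL's default port.

```python
import socket
import struct
import sys

def frame(payload: bytes, seq: int = 0) -> bytes:
    """Wrap a payload in the 4-byte MySQL packet header (3-byte LE length + sequence id)."""
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload

# Constructed samples, not captured traffic: a protocol-10 greeting and an ERR packet.
SAMPLE_GREETING = frame(b"\x0a" + b"5.1.34-community\x00" + struct.pack("<I", 42) + b"saltsalt\x00")
SAMPLE_ERR = frame(b"\xff" + struct.pack("<H", 1130)
                   + b"Host '192.0.2.10' is not allowed to connect to this MySQL server")

def parse_greeting(packet: bytes) -> dict:
    """Parse the first packet a MySQL server sends after the TCP connection opens."""
    if len(packet) < 4:
        raise ValueError("packet shorter than the 4-byte header")
    length = int.from_bytes(packet[:3], "little")
    payload = packet[4:4 + length]
    if length == 0 or len(payload) < length:
        raise ValueError("truncated or empty payload")
    if payload[0] == 0xFF:  # server refused before the handshake (e.g. host not allowed)
        if len(payload) < 3:
            raise ValueError("ERR packet too short to hold an error code")
        code = struct.unpack_from("<H", payload, 1)[0]
        return {"ok": False, "error_code": code, "message": payload[3:].decode("latin-1")}
    end = payload.find(b"\x00", 1)  # version string is NUL-terminated
    if end == -1:
        raise ValueError("server version string is not NUL-terminated")
    return {"ok": True, "protocol": payload[0],
            "server_version": payload[1:end].decode("ascii", "replace")}

def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes or fail if the server hangs up first."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection early")
        buf += chunk
    return buf

def read_greeting(host: str, port: int = 3306, timeout: float = 5.0) -> dict:
    """Connect, read one packet, and return the parsed greeting (no login is attempted)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        header = recv_exact(sock, 4)
        return parse_greeting(header + recv_exact(sock, int.from_bytes(header[:3], "little")))

if __name__ == "__main__":
    print(parse_greeting(SAMPLE_GREETING), parse_greeting(SAMPLE_ERR), sep="\n")
    if len(sys.argv) > 1:  # optional: host [port] of the server being audited
        print(read_greeting(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 3306))
```

An ERR result here means the server rejected the connecting host before any login, so the credential test in the Run Audit window would fail from that machine for the same reason.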

If I've left anything out, leave it for me in the comments, and I'll update the post.

1 comment:

  1. Hi, recently I've been requested to scan an internal MySQL database and ran into an issue before running the audit in AppDetective. Actually, I have done various Oracle, MS SQL and Domino database audits for the past 2 years and never tried to audit MySQL. My issue is related to the ODBC driver: after discovering the server, I decided to check the user credentials. I entered the information and clicked Test connection, and I got the message "Unable to find valid MySQL ODBC driver". I did not find info regarding it in your post, and if you faced such a message please share your experience.

    Thanks in advance.