1BO4r2U
1BO4r2U
1BO4r2U
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
207 208<br />
Web Application Penetration Testing<br />
Web Application Penetration Testing<br />
<br />
<br />
<br />
<br />
5 Reporting<br />
Performing the technical side of the assessment is only half<br />
of the overall assessment process. The final product is the<br />
production of a well written and informative report. A report<br />
should be easy to understand and should highlight all the<br />
risks found during the assessment phase.<br />
http:/server/StoragePOC.html#<br />
URL PoC:<br />
Tools<br />
• Firebug - http://getfirebug.com/<br />
• Google Chrome Developer Tools - https://developers.google.com/<br />
chrome-developer-tools/<br />
• OWASP Zed Attack Proxy (ZAP) - https://www.owasp.org/index.<br />
php/OWASP_Zed_Attack_Proxy_Project<br />
ZAP is an easy to use integrated penetration testing tool for finding<br />
vulnerabilities in web applications. It is designed to be used by people<br />
with a wide range of security experience and as such is ideal for developers<br />
and functional testers who are new to penetration testing.<br />
ZAP provides automated scanners as well as a set of tools that allow<br />
you to find security vulnerabilities manually.<br />
References<br />
OWASP Resources<br />
• OWASP HTML5 Security Cheat Sheet: https://www.owasp.org/<br />
index.php/HTML5_Security_Cheat_Sheet<br />
Whitepapers<br />
• Web Storage Specification: http://www.w3.org/TR/webstorage/<br />
Performing the technical side of the assessment is only half of the<br />
overall assessment process. The final product is the production<br />
of a well written and informative report. A report should be easy<br />
to understand and should highlight all the risks found during the<br />
assessment phase. The report should appeal to both executive<br />
management and technical staff.<br />
The report needs to have three major sections. It should be created<br />
in a manner that allows each separate section to be printed and<br />
given to the appropriate teams, such as the developers or system<br />
managers. The recommended sections are outlined below.<br />
1. Executive Summary<br />
The executive summary sums up the overall findings of the assessment<br />
and gives business managers and system owners a<br />
high level view of the vulnerabilities discovered. The language<br />
used should be more suited to people who are not technically<br />
aware and should include graphs or other charts which show the<br />
risk level. Keep in mind that executives will likely only have time to<br />
read this summary and will want two questions answered in plain<br />
language: 1) What’s wrong? 2) How do I fix it? You have one page<br />
to answer these questions.<br />
The executive summary should plainly state that the vulnerabilities<br />
and their severity is an input to their organizational risk management<br />
process, not an outcome or remediation. It is safest to<br />
explain that tester does not understand the threats faced by the<br />
organization or business consequences if the vulnerabilities are<br />
exploited. This is the job of the risk professional who calculates<br />
risk levels based on this and other information. Risk management<br />
will typically be part of the organization’s IT Security Governance,<br />
Risk and Compliance (GRC) regime and this report will simply provide<br />
an input to that process.<br />
2. Test Parameters<br />
The Introduction should outline the parameters of the security<br />
testing, the findings and remediation. Some suggested section<br />
headings include:<br />
2.1 Project Objective: This section outlines the project objectives<br />
and the expected outcome of the assessment.<br />
2.2 Project Scope: This section outlines the agreed scope.<br />
2.3 Project Schedule This section outlines when the testing commenced<br />
and when it was completed.<br />
2.4 Targets: This section lists the number of applications or targeted<br />
systems.<br />
2.5 Limitations: This section outlines every limitation which was<br />
faced throughout the assessment. For example, limitations of<br />
project-focused tests, limitation in the security testing methods,<br />
performance or technical issues that the tester come across<br />
during the course of assessment, etc.<br />
2.6 Findings Summary This section outlines the vulnerabilities<br />
that were discovered during testing.<br />
2.7 Remediation Summary This section outlines the action plan<br />
for fixing the vulnerabilities that were discovered during testing.<br />
3. Findings<br />
The last section of the report includes detailed technical information<br />
about the vulnerabilities found and the actions needed to<br />
resolve them. This section is aimed at a technical level and should<br />
include all the necessary information for the technical teams to<br />
understand the issue and resolve it. Each finding should be clear<br />
and concise and give the reader of the report a full understanding<br />
of the issue at hand.<br />
The findings section should include:<br />
• Screenshots and command lines to indicate what tasks were<br />
undertaken during the execution of the test case<br />
• The affected item<br />
• A technical description of the issue and the affected function<br />
or object<br />
• A section on resolving the issue<br />
• The severity rating [1], with vector notation if using CVSS<br />
The following is the list of controls that were tested during the<br />
assessment: