1BO4r2U

Recommendations

Info

205 206 Web Application Penetration Testing Web Application Penetration Testing Origin Security Concept The origin is made up of a scheme, host name and port and identifies uniquely the domain sending or receiving the message, it does not include the path or the fragment part of the url. For instance, https:// example.com/ will be considered different from http://example.com because the schema in the first case is https and in the second http, same applies to web servers running in the same domain but different port. window.addEventListener(“message”, callback, true); function callback(e) { if(e.origin.indexOf(“.owasp.org”)!=-1) { /* process message (e.data) */ } } References OWASP Resources • OWASP HTML5 Security Cheat Sheet: https://www.owasp.org/ index.php/HTML5_Security_Cheat_Sheet Whitepapers • Web Messaging Specification: http://www.whatwg.org/specs/ web-apps/current-work/multipage/web-messaging.html for(var i=0; i Tools -> Developer Tools. Then under Resources you will see ‘Local Storage’ and ‘Web Storage’. Using Firefox with the Firebug add on you can easily inspect the localStorage/sessionStorage object in the DOM tab. Also, we can inspect these objects from the developer tools of our browser. Next manual testing needs to be conducted in order to determine whether the website is storing sensitive data in the storage that represents a risk and will increase dramatically the impact of a information leak. Also check the code handling the Storage to determine if it is vulnerable to injection attacks, common issue when the code does not escape the input or output. The JavaScript code has to be analyzed to evaluate these issues, so make sure you crawl the application to discover every instance of JavaScript code and note sometimes applications use third-party libraries that would need to be examined too. Here is an example of how improper use of user input and lack of validation can lead to XSS attacks. Example 2: XSS in localStorage: Insecure assignment from localStorage can lead to XSS function action(){ var resource = location.hash.substring(1); localStorage.setItem(“item”,resource); item = localStorage.getItem(“item”); document.getElementById(“div1”).innerHTML=item; }
207 208 Web Application Penetration Testing Web Application Penetration Testing 5 Reporting Performing the technical side of the assessment is only half of the overall assessment process. The final product is the production of a well written and informative report. A report should be easy to understand and should highlight all the risks found during the assessment phase. http:/server/StoragePOC.html# URL PoC: Tools • Firebug - http://getfirebug.com/ • Google Chrome Developer Tools - https://developers.google.com/ chrome-developer-tools/ • OWASP Zed Attack Proxy (ZAP) - https://www.owasp.org/index. php/OWASP_Zed_Attack_Proxy_Project ZAP is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually. References OWASP Resources • OWASP HTML5 Security Cheat Sheet: https://www.owasp.org/ index.php/HTML5_Security_Cheat_Sheet Whitepapers • Web Storage Specification: http://www.w3.org/TR/webstorage/ Performing the technical side of the assessment is only half of the overall assessment process. The final product is the production of a well written and informative report. A report should be easy to understand and should highlight all the risks found during the assessment phase. The report should appeal to both executive management and technical staff. The report needs to have three major sections. It should be created in a manner that allows each separate section to be printed and given to the appropriate teams, such as the developers or system managers. The recommended sections are outlined below. 1. Executive Summary The executive summary sums up the overall findings of the assessment and gives business managers and system owners a high level view of the vulnerabilities discovered. The language used should be more suited to people who are not technically aware and should include graphs or other charts which show the risk level. Keep in mind that executives will likely only have time to read this summary and will want two questions answered in plain language: 1) What’s wrong? 2) How do I fix it? You have one page to answer these questions. The executive summary should plainly state that the vulnerabilities and their severity is an input to their organizational risk management process, not an outcome or remediation. It is safest to explain that tester does not understand the threats faced by the organization or business consequences if the vulnerabilities are exploited. This is the job of the risk professional who calculates risk levels based on this and other information. Risk management will typically be part of the organization’s IT Security Governance, Risk and Compliance (GRC) regime and this report will simply provide an input to that process. 2. Test Parameters The Introduction should outline the parameters of the security testing, the findings and remediation. Some suggested section headings include: 2.1 Project Objective: This section outlines the project objectives and the expected outcome of the assessment. 2.2 Project Scope: This section outlines the agreed scope. 2.3 Project Schedule This section outlines when the testing commenced and when it was completed. 2.4 Targets: This section lists the number of applications or targeted systems. 2.5 Limitations: This section outlines every limitation which was faced throughout the assessment. For example, limitations of project-focused tests, limitation in the security testing methods, performance or technical issues that the tester come across during the course of assessment, etc. 2.6 Findings Summary This section outlines the vulnerabilities that were discovered during testing. 2.7 Remediation Summary This section outlines the action plan for fixing the vulnerabilities that were discovered during testing. 3. Findings The last section of the report includes detailed technical information about the vulnerabilities found and the actions needed to resolve them. This section is aimed at a technical level and should include all the necessary information for the technical teams to understand the issue and resolve it. Each finding should be clear and concise and give the reader of the report a full understanding of the issue at hand. The findings section should include: • Screenshots and command lines to indicate what tasks were undertaken during the execution of the test case • The affected item • A technical description of the issue and the affected function or object • A section on resolving the issue • The severity rating [1], with vector notation if using CVSS The following is the list of controls that were tested during the assessment:
Page 1 and 2:
1 2 THE ICONS BELOW REPRESENT WHAT
Page 3 and 4:
3 4 Testing Guide Frontispiece Test
Page 5 and 6:
7 8 Testing Guide Introduction Test
Page 7 and 8:
11 12 Testing Guide Introduction Te
Page 9 and 10:
15 16 Testing Guide Introduction Te
Page 11 and 12:
19 20 Testing Guide Introduction of
Page 13 and 14:
23 24 Web Application Penetration T
Page 15 and 16:
Page 17 and 18:
Page 19 and 20:
Page 21 and 22:
Page 23 and 24:
Page 25 and 26:
Page 27 and 28:
Page 29 and 30:
Page 31 and 32:
Page 33 and 34:
Page 35 and 36:
Page 37 and 38:
Page 39 and 40:
Page 41 and 42:
Page 43 and 44:
Page 45 and 46:
Page 47 and 48:
Page 49 and 50:
Page 51 and 52:
99 100 Web Application Penetration
Page 53 and 54: 103 104 Web Application Penetration
Page 103: 203 204 Web Application Penetration
Page 107 and 108: 211 212 Reporting Appendix Test ID
Page 109 and 110: 215 216 Appendix Appendix Testing -
Page 111: 219 220 LDAP Injection For details
show all

1BO4r2U

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?