1BO4r2U

Recommendations

Info

209 210 Reporting Reporting Test ID Lowest version Information Gathering OTG-INFO-001 Conduct Search Engine Discovery and Reconnaissance for Information Leakage OTG-INFO-002 Fingerprint Web Server OTG-INFO-003 Review Webserver Metafiles for Information Leakage OTG-INFO-004 Enumerate Applications on Webserver OTG-INFO-005 Review Webpage Comments and Metadata for Information Leakage OTG-INFO-006 Identify application entry points OTG-INFO-007 Map execution paths through application OTG-INFO-008 Fingerprint Web Application Framework OTG-INFO-009 Fingerprint Web Application OTG-INFO-010 Map Application Architecture Configuration and Deploy Management Testing OTG-CONFIG-001 Test Network/Infrastructure Configuration OTG-CONFIG-002 Test Application Platform Configuration OTG-CONFIG-003 Test File Extensions Handling for Sensitive Information OTG-CONFIG-004 Backup and Unreferenced Files for Sensitive Information OTG-CONFIG-005 Enumerate Infrastructure and Application Admin Interfaces OTG-CONFIG-006 Test HTTP Methods OTG-CONFIG-007 Test HTTP Strict Transport Security OTG-CONFIG-008 Test RIA cross domain policy Identity Management Testing OTG-IDENT-001 Test Role Definitions OTG-IDENT-002 Test User Registration Process OTG-IDENT-003 Test Account Provisioning Process OTG-IDENT-004 Testing for Account Enumeration and Guessable User Account OTG-IDENT-005 Testing for Weak or unenforced username policy OTG-IDENT-006 Test Permissions of Guest/Training Accounts OTG-IDENT-007 Test Account Suspension/Resumption Process Authentication Testing OTG-AUTHN-001 Testing for Credentials Transported over an Encrypted Channel OTG-AUTHN-002 Testing for default credentials OTG-AUTHN-003 Testing for Weak lock out mechanism OTG-AUTHN-004 Testing for bypassing authentication schema OTG-AUTHN-005 Test remember password functionality OTG-AUTHN-006 Testing for Browser cache weakness OTG-AUTHN-007 Testing for Weak password policy OTG-AUTHN-008 Testing for Weak security question/answer OTG-AUTHN-009 Testing for weak password change or reset functionalities OTG-AUTHN-010 Testing for Weaker authentication in alternative channel Authorization Testing OTG-AUTHZ-001 Testing Directory traversal/file include OTG-AUTHZ-002 Testing for bypassing authorization schema OTG-AUTHZ-003 Testing for Privilege Escalation OTG-AUTHZ-004 Testing for Insecure Direct Object References Test ID Lowest version Session Management Testing OTG-SESS-001 Testing for Bypassing Session Management Schema OTG-SESS-002 Testing for Cookies attributes OTG-SESS-003 Testing for Session Fixation OTG-SESS-004 Testing for Exposed Session Variables OTG-SESS-005 Testing for Cross Site Request Forgery OTG-SESS-006 Testing for logout functionality OTG-SESS-007 Test Session Timeout OTG-SESS-008 Testing for Session puzzling Input Validation Testing OTG-INPVAL-001 Testing for Reflected Cross Site Scripting OTG-INPVAL-002 Testing for Stored Cross Site Scripting OTG-INPVAL-003 Testing for HTTP Verb Tampering OTG-INPVAL-004 Testing for HTTP Parameter pollution OTG-INPVAL-006 Testing for SQL Injection Oracle Testing SQL Server Testing Testing PostgreSQL MS Access Testing Testing for NoSQL injection OTG-INPVAL-007 Testing for LDAP Injection OTG-INPVAL-008 Testing for ORM Injection OTG-INPVAL-009 Testing for XML Injection OTG-INPVAL-010 Testing for SSI Injection OTG-INPVAL-011 Testing for XPath Injection OTG-INPVAL-012 IMAP/SMTP Injection OTG-INPVAL-013 Testing for Code Injection Testing for Local File Inclusion Testing for Remote File Inclusion OTG-INPVAL-014 Testing for Command Injection OTG-INPVAL-015 Testing for Buffer overflow Testing for Heap overflow Testing for Stack overflow Testing for Format string OTG-INPVAL-016 Testing for incubated vulnerabilities OTG-INPVAL-017 Testing for HTTP Splitting/Smuggling Error Handling OTG-ERR-001 Analysis of Error Codes OTG-ERR-002 Analysis of Stack Traces Cryptography OTG-CRYPST-001 Testing for Weak SSL/TSL Ciphers, Insufficient Transport Layer Protection OTG-CRYPST-002 Testing for Padding Oracle OTG-CRYPST-003 Testing for Sensitive information sent via unencrypted channels
211 212 Reporting Appendix Test ID Business Logic Testing OTG-BUSLOGIC-001 OTG-BUSLOGIC-002 OTG-BUSLOGIC-003 OTG-BUSLOGIC-004 OTG-BUSLOGIC-005 OTG-BUSLOGIC-006 OTG-BUSLOGIC-007 OTG-BUSLOGIC-008 OTG-BUSLOGIC-009 Client Side Testing OTG-CLIENT-001 OTG-CLIENT-002 OTG-CLIENT-003 OTG-CLIENT-004 OTG-CLIENT-005 OTG-CLIENT-006 OTG-CLIENT-007 OTG-CLIENT-008 OTG-CLIENT-009 OTG-CLIENT-010 OTG-CLIENT-011 OTG-CLIENT-012 Lowest version Test Business Logic Data Validation Test Ability to Forge Requests Test Integrity Checks Test for Process Timing Test Number of Times a Function Can be Used Limits Testing for the Circumvention of Work Flows Test Defenses Against Application Mis-use Test Upload of Unexpected File Types Test Upload of Malicious Files Testing for DOM based Cross Site Scripting Testing for JavaScript Execution Testing for HTML Injection Testing for Client Side URL Redirect Testing for CSS Injection Testing for Client Side Resource Manipulation Test Cross Origin Resource Sharing Testing for Cross Site Flashing Testing for Clickjacking Testing WebSockets Test Web Messaging Test Local Storage Appendix This section is often used to describe the commercial and opensource tools that were used in conducting the assessment. When custom scripts or code are utilized during the assessment, it should be disclosed in this section or noted as attachment. Customers appreciate when the methodology used by the consultants is included. It gives them an idea of the thoroughness of the assessment and what areas were included. References Industry standard vulnerability severity and risk rankings (CVSS) [1] – http:/www.first.org/cvss Appendix A: Testing Tools Open Source Black Box Testing tools General Testing OWASP ZAP • The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. • ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually. OWASP WebScarab • WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is portable to many platforms. WebScarab has several modes of operation that are implemented by a number of plugins. OWASP CAL9000 • CAL9000 is a collection of browser-based tools that enable more effective and efficient manual testing efforts. • Includes an XSS Attack Library, Character Encoder/Decoder, HTTP Request Generator and Response Evaluator, Testing Checklist, Automated Attack Editor and much more. OWASP Pantera Web Assessment Studio Project • Pantera uses an improved version of SpikeProxy to provide a powerful web application analysis engine. The primary goal of Pantera is to combine automated capabilities with complete manual testing to get the best penetration testing results. OWASP Mantra - Security Framework • Mantra is a web application security testing framework built on top of a browser. It supports Windows, Linux(both 32 and 64 bit) and Macintosh. In addition, it can work with other software like ZAP using built in proxy management function which makes it much more convenient. Mantra is available in 9 languages: Arabic, Chinese - Simplified, Chinese - Traditional, English, French, Portuguese, Russian, Spanish and Turkish. SPIKE - http:/www.immunitysec.com/resources-freesoftware.shtml • SPIKE designed to analyze new network protocols for buffer overflows or similar weaknesses. It requires a strong knowledge of C to use and only available for the Linux platform. Burp Proxy - http:/www.portswigger.net/Burp/ • Burp Proxy is an intercepting proxy server for security testing of web applications it allows Intercepting and modifying all HTTP(S) traffic passing in both directions, it can work with custom SSL certificates and non-proxy-aware clients. Odysseus Proxy - http:/www.wastelands.gen.nz/odysseus/ • Odysseus is a proxy server, which acts as a man-in-the-middle during an HTTP session. A typical HTTP proxy will relay packets to and from a client browser and a web server. It will intercept an HTTP session’s data in either direction. Webstretch Proxy - http:/sourceforge.net/projects/webstretch • Webstretch Proxy enable users to view and alter all aspects of communications with a web site via a proxy. It can also be used for debugging during development. WATOBO - http:/sourceforge.net/apps/mediawiki/watobo/index. php?title=Main_Page • WATOBO works like a local proxy, similar to Webscarab, ZAP or BurpSuite and it supports passive and active checks. Firefox LiveHTTPHeaders - https:/addons.mozilla.org/en-US/firefox/addon/live-http-headers/ • View HTTP headers of a page and while browsing. Firefox Tamper Data - https:/addons.mozilla.org/en-US/firefox/addon/tamper-data/ • Use tamperdata to view and modify HTTP/HTTPS headers and post parameters Firefox Web Developer Tools - https:/addons.mozilla.org/en-US/ firefox/addon/web-developer/ • The Web Developer extension adds various web developer tools to the browser. DOM Inspector - https:/developer.mozilla.org/en/docs/DOM_Inspector • DOM Inspector is a developer tool used to inspect, browse, and edit the Document Object Model (DOM) Firefox Firebug - http:/getfirebug.com/ • Firebug integrates with Firefox to edit, debug, and monitor CSS, HTML, and JavaScript. Grendel-Scan - http:/securitytube-tools.net/index.php?title=Grendel_Scan • Grendel-Scan is an automated security scanning of web applications and also supports manual penetration testing. OWASP SWFIntruder - http:/www.mindedsecurity.com/swfintruder. html • SWFIntruder (pronounced Swiff Intruder) is the first tool specifically developed for analyzing and testing security of Flash applications at runtime. SWFScan - http:/h30499.www3.hp.com/t5/Following-the-Wh1t3-Rabbit/SWFScan-FREE-Flash-decompiler/bap/5440167 • Flash decompiler Wikto - http:/www.sensepost.com/labs/tools/pentest/wikto • Wikto features including fuzzy logic error code checking, a back-end miner, Google-assisted directory mining and real time HTTP request/ response monitoring. w3af - http:/w3af.org • w3af is a Web Application Attack and Audit Framework. The project’s goal is finding and exploiting web application vulnerabilities. skipfish - http:/code.google.com/p/skipfish/ • Skipfish is an active web application security reconnaissance tool. Web Developer toolbar - https:/chrome.google.com/webstore/detail/bfbameneiokkgbdmiekhjnmfkcnldhhm • The Web Developer extension adds a toolbar button to the browser with various web developer tools. This is the official port of the Web Developer extension for Firefox. HTTP Request Maker - https:/chrome.google.com/webstore/detail/
Page 1 and 2:
1 2 THE ICONS BELOW REPRESENT WHAT
Page 3 and 4:
3 4 Testing Guide Frontispiece Test
Page 5 and 6:
7 8 Testing Guide Introduction Test
Page 7 and 8:
11 12 Testing Guide Introduction Te
Page 9 and 10:
15 16 Testing Guide Introduction Te
Page 11 and 12:
19 20 Testing Guide Introduction of
Page 13 and 14:
23 24 Web Application Penetration T
Page 15 and 16:
Page 17 and 18:
Page 19 and 20:
Page 21 and 22:
Page 23 and 24:
Page 25 and 26:
Page 27 and 28:
Page 29 and 30:
Page 31 and 32:
Page 33 and 34:
Page 35 and 36:
Page 37 and 38:
Page 39 and 40:
Page 41 and 42:
Page 43 and 44:
Page 45 and 46:
Page 47 and 48:
Page 49 and 50:
Page 51 and 52:
99 100 Web Application Penetration
Page 53 and 54:
103 104 Web Application Penetration
Page 55 and 56: 107 108 Web Application Penetration
Page 105: 207 208 Web Application Penetration
Page 109 and 110: 215 216 Appendix Appendix Testing -
Page 111: 219 220 LDAP Injection For details
show all

1BO4r2U

Create successful ePaper yourself

Delete template?

Save as template?