Reporting

| Test ID | Test Name | Lowest version |
|---|---|---|
| Business Logic Testing | | |
| OTG-BUSLOGIC-001 | Test Business Logic Data Validation | |
| OTG-BUSLOGIC-002 | Test Ability to Forge Requests | |
| OTG-BUSLOGIC-003 | Test Integrity Checks | |
| OTG-BUSLOGIC-004 | Test for Process Timing | |
| OTG-BUSLOGIC-005 | Test Number of Times a Function Can be Used Limits | |
| OTG-BUSLOGIC-006 | Testing for the Circumvention of Work Flows | |
| OTG-BUSLOGIC-007 | Test Defenses Against Application Mis-use | |
| OTG-BUSLOGIC-008 | Test Upload of Unexpected File Types | |
| OTG-BUSLOGIC-009 | Test Upload of Malicious Files | |
| Client Side Testing | | |
| OTG-CLIENT-001 | Testing for DOM based Cross Site Scripting | |
| OTG-CLIENT-002 | Testing for JavaScript Execution | |
| OTG-CLIENT-003 | Testing for HTML Injection | |
| OTG-CLIENT-004 | Testing for Client Side URL Redirect | |
| OTG-CLIENT-005 | Testing for CSS Injection | |
| OTG-CLIENT-006 | Testing for Client Side Resource Manipulation | |
| OTG-CLIENT-007 | Test Cross Origin Resource Sharing | |
| OTG-CLIENT-008 | Testing for Cross Site Flashing | |
| OTG-CLIENT-009 | Testing for Clickjacking | |
| OTG-CLIENT-010 | Testing WebSockets | |
| OTG-CLIENT-011 | Test Web Messaging | |
| OTG-CLIENT-012 | Test Local Storage | |
Appendix

This section is often used to describe the commercial and open-source tools that were used in conducting the assessment. When custom scripts or code are utilized during the assessment, they should be disclosed in this section or noted as an attachment. Customers appreciate it when the methodology used by the consultants is included. It gives them an idea of the thoroughness of the assessment and what areas were included.

References
[1] Industry standard vulnerability severity and risk rankings (CVSS) – http://www.first.org/cvss
Appendix A: Testing Tools

Open Source Black Box Testing tools

General Testing

OWASP ZAP
• The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.
• ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

OWASP WebScarab
• WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is portable to many platforms. WebScarab has several modes of operation that are implemented by a number of plugins.

OWASP CAL9000
• CAL9000 is a collection of browser-based tools that enable more effective and efficient manual testing efforts.
• Includes an XSS Attack Library, Character Encoder/Decoder, HTTP Request Generator and Response Evaluator, Testing Checklist, Automated Attack Editor and much more.

OWASP Pantera Web Assessment Studio Project
• Pantera uses an improved version of SpikeProxy to provide a powerful web application analysis engine. The primary goal of Pantera is to combine automated capabilities with complete manual testing to get the best penetration testing results.

OWASP Mantra - Security Framework
• Mantra is a web application security testing framework built on top of a browser. It supports Windows, Linux (both 32 and 64 bit) and Macintosh. In addition, it can work with other software like ZAP using its built-in proxy management function, which makes it much more convenient. Mantra is available in 9 languages: Arabic, Chinese - Simplified, Chinese - Traditional, English, French, Portuguese, Russian, Spanish and Turkish.

SPIKE - http://www.immunitysec.com/resources-freesoftware.shtml
• SPIKE is designed to analyze new network protocols for buffer overflows or similar weaknesses. It requires a strong knowledge of C to use and is only available for the Linux platform.

Burp Proxy - http://www.portswigger.net/Burp/
• Burp Proxy is an intercepting proxy server for security testing of web applications. It allows intercepting and modifying all HTTP(S) traffic passing in both directions, and it can work with custom SSL certificates and non-proxy-aware clients.

Odysseus Proxy - http://www.wastelands.gen.nz/odysseus/
• Odysseus is a proxy server which acts as a man-in-the-middle during an HTTP session. A typical HTTP proxy will relay packets to and from a client browser and a web server. Odysseus will intercept an HTTP session's data in either direction.

Webstretch Proxy - http://sourceforge.net/projects/webstretch
• Webstretch Proxy enables users to view and alter all aspects of communications with a web site via a proxy. It can also be used for debugging during development.

WATOBO - http://sourceforge.net/apps/mediawiki/watobo/index.php?title=Main_Page
• WATOBO works like a local proxy, similar to WebScarab, ZAP or Burp Suite, and it supports passive and active checks.

Firefox LiveHTTPHeaders - https://addons.mozilla.org/en-US/firefox/addon/live-http-headers/
• View the HTTP headers of a page while browsing.

Firefox Tamper Data - https://addons.mozilla.org/en-US/firefox/addon/tamper-data/
• Use Tamper Data to view and modify HTTP/HTTPS headers and POST parameters.

Firefox Web Developer Tools - https://addons.mozilla.org/en-US/firefox/addon/web-developer/
• The Web Developer extension adds various web developer tools to the browser.

DOM Inspector - https://developer.mozilla.org/en/docs/DOM_Inspector
• DOM Inspector is a developer tool used to inspect, browse, and edit the Document Object Model (DOM).

Firefox Firebug - http://getfirebug.com/
• Firebug integrates with Firefox to edit, debug, and monitor CSS, HTML, and JavaScript.

Grendel-Scan - http://securitytube-tools.net/index.php?title=Grendel_Scan
• Grendel-Scan is an automated security scanner for web applications that also supports manual penetration testing.

OWASP SWFIntruder - http://www.mindedsecurity.com/swfintruder.html
• SWFIntruder (pronounced Swiff Intruder) is the first tool specifically developed for analyzing and testing the security of Flash applications at runtime.

SWFScan - http://h30499.www3.hp.com/t5/Following-the-Wh1t3-Rabbit/SWFScan-FREE-Flash-decompiler/bap/5440167
• Flash decompiler.

Wikto - http://www.sensepost.com/labs/tools/pentest/wikto
• Wikto's features include fuzzy logic error code checking, a back-end miner, Google-assisted directory mining and real-time HTTP request/response monitoring.

w3af - http://w3af.org
• w3af is a Web Application Attack and Audit Framework. The project's goal is finding and exploiting web application vulnerabilities.

skipfish - http://code.google.com/p/skipfish/
• Skipfish is an active web application security reconnaissance tool.

Web Developer toolbar - https://chrome.google.com/webstore/detail/bfbameneiokkgbdmiekhjnmfkcnldhhm
• The Web Developer extension adds a toolbar button to the browser with various web developer tools. This is the official port of the Web Developer extension for Firefox.

HTTP Request Maker - https://chrome.google.com/webstore/detail/