Appendix
Testing - http://www.nist.gov/director/planning/upload/report02-3.pdf
• Improving Web Application Security: Threats and Countermeasures - http://msdn.microsoft.com/en-us/library/ff649874.aspx
• NIST Publications - http://csrc.nist.gov/publications/PubsSPs.html
• The Open Web Application Security Project (OWASP) Guide Project - https://www.owasp.org/index.php/Category:OWASP_Guide_Project
• Security Considerations in the System Development Life Cycle (NIST) - http://www.nist.gov/customcf/get_pdf.cfm?pub_id=890097
• The Security of Applications: Not All Are Created Equal - http://www.securitymanagement.com/archive/library/atstake_tech0502.pdf
• Software Assurance: An Overview of Current Practices - http://www.safecode.org/publications/SAFECode_BestPractices0208.pdf
• Software Security Testing: Software Assurance Pocket Guide Series: Development, Volume III - https://buildsecurityin.us-cert.gov/swa/downloads/SoftwareSecurityTesting_PocketGuide_1%200_05182012_PostOnline.pdf
• Use Cases: Just the FAQs and Answers - http://www.ibm.com/developerworks/rational/library/content/RationalEdge/jan03/UseCaseFAQS_TheRationalEdge_Jan2003.pdf
Books
• The Art of Software Security Testing: Identifying Software Security Flaws, by Chris Wysopal, Lucas Nelson, Dino Dai Zovi, Elfriede Dustin, published by Addison-Wesley, ISBN 0321304861 (2006)
• Building Secure Software: How to Avoid Security Problems the Right Way, by Gary McGraw and John Viega, published by Addison-Wesley Pub Co, ISBN 020172152X (2002) - http://www.buildingsecuresoftware.com
• The Ethical Hack: A Framework for Business Value Penetration Testing, by James S. Tiller, Auerbach Publications, ISBN 084931609X (2005)
  + Online version available at: http://books.google.com/books?id=fwASXKXOolEC&printsec=frontcover&source=gbs_ge_summary_r&cad=0#v=onepage&q&f=false
• Exploiting Software: How to Break Code, by Gary McGraw and Greg Hoglund, published by Addison-Wesley Pub Co, ISBN 0201786958 (2004) - http://www.exploitingsoftware.com
• The Hacker’s Handbook: The Strategy behind Breaking into and Defending Networks, by Susan Young, Dave Aitel, Auerbach Publications, ISBN 0849308887 (2005)
  + Online version available at: http://books.google.com/books?id=AO2fsAPVC34C&printsec=frontcover&source=gbs_ge_summary_r&cad=0#v=onepage&q&f=false
• Hacking Exposed: Web Applications 3, by Joel Scambray, Vincent Liu, Caleb Sima, published by McGraw-Hill Osborne Media, ISBN 007222438X (2010) - http://www.webhackingexposed.com/
• The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws, 2nd Edition, by Dafydd Stuttard, Marcus Pinto, ISBN 9781118026472 (2011)
• How to Break Software Security, by James Whittaker, Herbert H. Thompson, published by Addison Wesley, ISBN 0321194330 (2003)
• How to Break Software: Functional and Security Testing of Web Applications and Web Services, by Mike Andrews, James A. Whittaker, published by Pearson Education Inc., ISBN 0321369440 (2006)
• Innocent Code: A Security Wake-Up Call for Web Programmers, by Sverre Huseby, published by John Wiley & Sons, ISBN 0470857447 (2004) - http://innocentcode.thathost.com
  + Online version available at: http://books.google.com/books?id=RjVjgPQsKogC&printsec=frontcover&source=gbs_ge_summary_r&cad=0#v=onepage&q&f=false
• Mastering the Requirements Process, by Suzanne Robertson and James Robertson, published by Addison-Wesley Professional, ISBN 0201360462
  + Online version available at: http://books.google.com/books?id=SN4WegDHVCcC&printsec=frontcover&source=gbs_ge_summary_r&cad=0#v=onepage&q&f=false
• Secure Coding: Principles and Practices, by Mark Graff and Kenneth R. Van Wyk, published by O’Reilly, ISBN 0596002424 (2003) - http://www.securecoding.org
• Secure Programming for Linux and Unix HOWTO, by David Wheeler (2004) - http://www.dwheeler.com/secure-programs
  + Online version: http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/index.html
• Securing Java, by Gary McGraw, Edward W. Felten, published by Wiley, ISBN 047131952X (1999) - http://www.securingjava.com
• Software Security: Building Security In, by Gary McGraw, published by Addison-Wesley Professional, ISBN 0321356705 (2006)
• Software Testing In The Real World (ACM Press Books), by Edward Kit, published by Addison-Wesley Professional, ISBN 0201877562 (1995)
• Software Testing Techniques, 2nd Edition, by Boris Beizer, International Thomson Computer Press, ISBN 0442206720 (1990)
• The Tangled Web: A Guide to Securing Modern Web Applications, by Michael Zalewski, published by No Starch Press Inc., ISBN 047131952X (2011)
• The Unified Modeling Language – A User Guide, by Grady Booch, James Rumbaugh, Ivar Jacobson, published by Addison-Wesley Professional, ISBN 0321267974 (2005)
• The Unified Modeling Language User Guide, by Grady Booch, James Rumbaugh, Ivar Jacobson, published by Addison-Wesley Professional, ISBN 0-201-57168-4 (1998)
• Web Security Testing Cookbook: Systematic Techniques to Find Problems Fast, by Paco Hope, Ben Walther, published by O’Reilly, ISBN 0596514832 (2008)
• Writing Secure Code, by Mike Howard and David LeBlanc, published by Microsoft Press, ISBN 0735617228 (2004) - http://www.microsoft.com/learning/en/us/book.aspx?ID=5957&locale=en-us
Useful Websites
• Build Security In - https://buildsecurityin.us-cert.gov/bsi/home.html
• Build Security In – Security-Specific Bibliography - https://buildsecurityin.us-cert.gov/bsi/articles/best-practices/measurement/1070-BSI.html
• CERT Secure Coding - http://www.cert.org/secure-coding/
• CERT Secure Coding Standards - https://www.securecoding.cert.org/confluence/display/seccode/CERT+Secure+Coding+Standards
• Exploit and Vulnerability Databases - https://buildsecurityin.us-cert.gov/swa/database.html
• Google Code University – Web Security - http://code.google.com/edu/security/index.html
• McAfee Foundstone Publications - http://www.mcafee.com/apps/view-all/publications.aspx?tf=foundstone&sz=10
• McAfee – Resources Library - http://www.mcafee.com/apps/resource-library-search.aspx?region=us
• McAfee Free Tools - http://www.mcafee.com/us/downloads/freetools/index.aspx
• OASIS Web Application Security (WAS) TC - http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=was
• Open Source Software Testing Tools - http://www.opensourcetesting.org/security.php
• OWASP Security Blitz - https://www.owasp.org/index.php/OWASP_Security_Blitz
• OWASP Phoenix/Tool - https://www.owasp.org/index.php/Phoenix/Tools
• SANS Internet Storm Center (ISC) - https://www.isc.sans.edu
• The Open Web Application Security Project (OWASP) - http://www.owasp.org
• Pentestmonkey - Pen Testing Cheat Sheets - http://pentestmonkey.net/cheat-sheet
• Secure Coding Guidelines for the .NET Framework 4.5 - http://msdn.microsoft.com/en-us/library/8a3x2b7f.aspx
• Security in the Java platform - http://docs.oracle.com/javase/6/docs/technotes/guides/security/overview/jsoverview.html
• System Administration, Networking, and Security Institute (SANS) - http://www.sans.org
• Technical INFO – Making Sense of Security - http://www.technicalinfo.net/index.html
• Web Application Security Consortium - http://www.webappsec.org/projects/
• Web Application Security Scanner List - http://projects.webappsec.org/w/page/13246988/Web%20Application%20Security%20Scanner%20List
• Web Security – Articles - http://www.acunetix.com/websitesecurity/articles/
Videos
• OWASP Appsec Tutorial Series - https://www.owasp.org/index.php/OWASP_Appsec_Tutorial_Series
• SecurityTube - http://www.securitytube.net/
• Videos by Imperva - http://www.imperva.com/resources/videos.asp
Deliberately Insecure Web Applications
• OWASP Vulnerable Web Applications Directory Project - https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project#tab=Main
• BadStore - http://www.badstore.net/
• Damn Vulnerable Web App - http://www.ethicalhack3r.co.uk/damnvulnerable-web-app/
• Hacme Series from McAfee:
  + Hacme Travel - http://www.mcafee.com/us/downloads/freetools/hacmetravel.aspx
  + Hacme Bank - http://www.mcafee.com/us/downloads/freetools/hacme-bank.aspx
  + Hacme Shipping - http://www.mcafee.com/us/downloads/freetools/hacmeshipping.aspx
  + Hacme Casino - http://www.mcafee.com/us/downloads/freetools/hacme-casino.aspx
  + Hacme Books - http://www.mcafee.com/us/downloads/freetools/hacmebooks.aspx
• Moth - http://www.bonsai-sec.com/en/research/moth.php
• Mutillidae - http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10
• Stanford SecuriBench - http://suif.stanford.edu/~livshits/securibench/
• Vicnum - http://vicnum.sourceforge.net/ and http://www.owasp.org/index.php/Category:OWASP_Vicnum_Project
• WebGoat - http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
• WebMaven (better known as Buggy Bank) - http://www.mavensecurity.com/WebMaven.php
OWASP Testing Guide Appendix C: Fuzz Vectors
The following are fuzzing vectors which can be used with WebScarab, JBroFuzz, WSFuzzer, ZAP or another fuzzer. Fuzzing is the "kitchen sink" approach to testing the response of an application to parameter manipulation. Generally one looks for error conditions that are generated in an application as a result of fuzzing. This is the simple part of the discovery phase. Once an error has been discovered, identifying and exploiting a potential vulnerability is where skill is required.
Fuzz Categories
In the case of stateless network protocol fuzzing (like HTTP(S)) two broad categories exist:
• Recursive fuzzing
• Replacive fuzzing
We examine and define each category in the sub-sections that follow.
Recursive fuzzing
Recursive fuzzing can be defined as the process of fuzzing a part of a request by iterating through all the possible combinations of a set alphabet. Consider the case of:
http://www.example.com/8302fa3b
Selecting "8302fa3b" as the part of the request to be fuzzed against the set hexadecimal alphabet (i.e. {0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f}) falls under the category of recursive fuzzing. This would generate a total of 16^8 requests of the form:
http://www.example.com/00000000
...
http://www.example.com/11000fff
...
http://www.example.com/ffffffff
Replacive fuzzing
Replacive fuzzing can be defined as the process of fuzzing part of a request by means of replacing it with a set value. This value is known as a fuzz vector. In the case of:
http://www.example.com/8302fa3b
Testing against Cross Site Scripting (XSS) by sending the following fuzz vectors:
http://www.example.com/>"><script>alert("XSS")</script>&
http://www.example.com/'';!--"<XSS>=&{()}
This is a form of replacive fuzzing. In this category, the total number of requests is dependent on the number of fuzz vectors specified.
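As an added example (not code from the OWASP guide), the two categories above written as lazy generators over the page's sample URL, together with a small triage check for the error conditions the discovery phase looks for. The ERROR_MARKERS list is a constructed assumption, not something the guide specifies.

```python
import itertools
from typing import Iterable, Iterator

HEX_ALPHABET = "0123456789abcdef"  # the set alphabet from the 8302fa3b example


def recursive_fuzz(url: str, target: str,
                   alphabet: str = HEX_ALPHABET) -> Iterator[str]:
    """Recursive fuzzing: replace `target` in `url` with every string of the
    same length drawn from `alphabet`. Generated lazily, because an 8-char
    hex target already means 16^8 candidate requests."""
    if target not in url:
        raise ValueError(f"{target!r} not found in {url!r}")
    head, _, tail = url.partition(target)
    for combo in itertools.product(alphabet, repeat=len(target)):
        yield head + "".join(combo) + tail


def recursive_fuzz_count(target: str, alphabet: str = HEX_ALPHABET) -> int:
    """Request count for recursive fuzzing: |alphabet| ** len(target)."""
    return len(alphabet) ** len(target)


def replacive_fuzz(url: str, target: str,
                   vectors: Iterable[str]) -> Iterator[str]:
    """Replacive fuzzing: swap `target` for each fixed fuzz vector. The
    request count equals the number of vectors, not the alphabet size."""
    if target not in url:
        raise ValueError(f"{target!r} not found in {url!r}")
    head, _, tail = url.partition(target)
    for vector in vectors:
        yield head + vector + tail


# Constructed (assumed) markers of the error conditions the discovery phase
# looks for; extend them for the stack under test.
ERROR_MARKERS = ("Traceback (most recent call last)", "Stack Trace:",
                 "You have an error in your SQL syntax", "ORA-0", "Warning: ")


def looks_like_error(status: int, body: str) -> bool:
    """Triage a captured response: a 5xx status, or a body leaking a stack
    trace or database error, is the candidate worth manual follow-up."""
    return status >= 500 or any(marker in body for marker in ERROR_MARKERS)


if __name__ == "__main__":
    base = "http://www.example.com/8302fa3b"
    print(recursive_fuzz_count("8302fa3b"))  # 4294967296, i.e. 16**8
    for u in itertools.islice(recursive_fuzz(base, "8302fa3b"), 3):
        print(u)  # .../00000000, .../00000001, .../00000002
    xss_vectors = ['>"><script>alert("XSS")</script>&', '\'\';!--"<XSS>=&{()}']
    for u in replacive_fuzz(base, "8302fa3b", xss_vectors):
        print(u)
```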
The remainder of this appendix presents a number of fuzz vector categories.