4.0

More documents

Recommendations

Info

26The OWASP Testing FrameworkPhase 5: Maintenance and OperationsPhase 5.1: Conduct Operational Management ReviewsThere needs to be a process in place which details how the operationalside of both the application and infrastructure is managed.Phase 5.2: Conduct Periodic Health ChecksMonthly or quarterly health checks should be performed on boththe application and infrastructure to ensure no new security riskshave been introduced and that the level of security is still intact.Phase 5.3: Ensure Change VerificationAfter every change has been approved and tested in the QA environmentand deployed into the production environment, it is vitalthat the change is checked to ensure that the level of security hasnot been affected by the change. This should be integrated into thechange management process.A Typical SDLC Testing WorkflowThe following figure shows a typical SDLC Testing Workflow.OWASP TESTING FRAMEWORK WORK FLOWBeforeDevelopmentPolicy ReviewReview SDLCProcessStandardsReviewMetricsCriteriaMeasurementTraceabilityDefinitionand DesignRequirementsReviewDesign andArchitectureReviewCreate /Review UMLmodelsCreate /Review ThreatModelsDevelopmentCode ReviewCodeWalkthroughsUnit andSystem testsDeploymentPenetrationTestingConfigurationManagementReviewsUnit andSystem testsAcceptanceTestsMaintenanceChanceverificationHealth ChecksOperationalManagementreviewsRegressionTests
27Web Application Penetration Testing4WebApplicationSecurity TestingThe following sections describe the 12subcategories of the Web ApplicationPenetration Testing Methodology:Testing: Introduction and objectivesThis section describes the OWASP web application security testingmethodology and explains how to test for evidence of vulnerabilitieswithin the application due to deficiencies with identified security controls.What is Web Application Security Testing?A security test is a method of evaluating the security of a computersystem or network by methodically validating and verifying the effectivenessof application security controls. A web application securitytest focuses only on evaluating the security of a web application. Theprocess involves an active analysis of the application for any weaknesses,technical flaws, or vulnerabilities. Any security issues that arefound will be presented to the system owner, together with an assessmentof the impact, a proposal for mitigation or a technical solution.What is a Vulnerability?A vulnerability is a flaw or weakness in a system’s design, implementation,operation or management that could be exploited to compromisethe system’s security objectives.What is a Threat?A threat is anything (a malicious external attacker, an internal user, asystem instability, etc) that may harm the assets owned by an application(resources of value, such as the data in a database or in the filesystem) by exploiting a vulnerability.What is a Test?A test is an action to demonstrate that an application meets the securityrequirements of its stakeholders.The Approach in Writing this GuideThe OWASP approach is open and collaborative:• Open: every security expert can participate with his or her experiencein the project. Everything is free.• Collaborative: brainstorming is performed before the articles arewritten so the team can share ideas and develop a collective visionof the project. That means rough consensus, a wider audience andincreased participation.This approach tends to create a defined Testing Methodology thatwill be:• Consistent• Reproducible• Rigorous• Under quality controlThe problems to be addressed are fully documented and tested. It isimportant to use a method to test all known vulnerabilities and documentall the security test activities.What is the OWASP testing methodology?Security testing will never be an exact science where a complete listof all possible issues that should be tested can be defined. Indeed,security testing is only an appropriate technique for testing the securityof web applications under certain circumstances. The goal of thisproject is to collect all the possible testing techniques, explain thesetechniques, and keep the guide updated. The OWASP Web ApplicationSecurity Testing method is based on the black box approach. The testerknows nothing or has very little information about the applicationto be tested.The testing model consists of:• Tester: Who performs the testing activities• Tools and methodology: The core of this Testing Guide project• Application: The black box to testThe test is divided into 2 phases:• Phase 1 Passive mode:In the passive mode the tester tries to understand the application’slogic and plays with the application. Tools can be used for informationgathering. For example, an HTTP proxy can be used to observe allthe HTTP requests and responses. At the end of this phase, the testershould understand all the access points (gates) of the application (e.g.,HTTP headers, parameters, and cookies). The Information Gatheringsection explains how to perform a passive mode test.For example the tester could find the following:https:/www.example.com/login/Authentic_Form.htmlThis may indicate an authentication form where the application requestsa username and a password.The following parameters represent two access points (gates) to theapplication:http:/www.example.com/Appx.jsp?a=1&b=1In this case, the application shows two gates (parameters a and b). Allthe gates found in this phase represent a point of testing. A spreadsheetwith the directory tree of the application and all the accesspoints would be useful for the second phase.
Page 1 and 2: 1Testing Guide4.0Project Leaders: M
Page 3 and 4: Testing Guide Foreword - Table of c
Page 5 and 6: 3Testing Guide Foreword - Table of
Page 7 and 8: 5Testing Guide Foreword - By Eoin K
Page 9 and 10: 7Testing Guide Frontispiece1Testing
Page 11 and 12: 9Testing Guide Introduction2The OWA
Page 13 and 14: 11Testing Guide Introductionvide en
Page 15 and 16: 13Testing Guide IntroductionTesting
Page 17 and 18: 15Testing Guide Introductionlaid on
Page 19 and 20: 17Testing Guide Introductionvalidat
Page 21 and 22: 19Testing Guide IntroductionUSERthe
Page 23 and 24: 21Testing Guide Introductionment wh
Page 25 and 26: 23Testing Guide Introductionoffendi
Page 27: 25The OWASP Testing Frameworksectio
Page 31 and 32: 29Web Application Penetration Testi
Page 79 and 80:
77Web Application Penetration Testi
Page 81 and 82:
Page 83 and 84:
Page 85 and 86:
Page 87 and 88:
Page 89 and 90:
Page 91 and 92:
Page 93 and 94:
Page 95 and 96:
Page 97 and 98:
Page 99 and 100:
Page 101 and 102:
Page 103 and 104:
101Web Application Penetration Test
Page 105 and 106:
Page 107 and 108:
Page 109 and 110:
Page 111 and 112:
Page 113 and 114:
Page 115 and 116:
Page 117 and 118:
Page 119 and 120:
Page 121 and 122:
Page 123 and 124:
Page 125 and 126:
Page 127 and 128:
Page 129 and 130:
Page 131 and 132:
Page 133 and 134:
Page 135 and 136:
Page 137 and 138:
Page 139 and 140:
Page 141 and 142:
Page 143 and 144:
Page 145 and 146:
Page 147 and 148:
Page 149 and 150:
Page 151 and 152:
Page 153 and 154:
Page 155 and 156:
Page 157 and 158:
Page 159 and 160:
Page 161 and 162:
Page 163 and 164:
Page 165 and 166:
Page 167 and 168:
Page 169 and 170:
Page 171 and 172:
Page 173 and 174:
Page 175 and 176:
Page 177 and 178:
Page 179 and 180:
Page 181 and 182:
Page 183 and 184:
Page 185 and 186:
Page 187 and 188:
Page 189 and 190:
Page 191 and 192:
Page 193 and 194:
Page 195 and 196:
Page 197 and 198:
Page 199 and 200:
Page 201 and 202:
Page 203 and 204:
Page 205 and 206:
Page 207 and 208:
Page 209 and 210:
Page 211 and 212:
209same code can be applied to sess
Page 213 and 214:
211ReportingTest IDLowest versionIn
Page 215 and 216:
213ReportingTest IDBusiness Logic T
Page 217 and 218:
215Appendixkajfghlhfkcocafkcjlajldi
Page 219 and 220:
217AppendixTesting - http:/www.nist
Page 221 and 222:
219Cross Site Scripting (XSS)For de
Page 223 and 224:
221LDAP InjectionFor details on LDA
show all

4.0

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?