4.0

More documents

Recommendations

Info

216 Appendix jsp/products/soatest.jsp?itemId=101 • MatriXay - http:/www.dbappsecurity.com/webscan.html • N-Stalker Web Application Security Scanner - http:/www.nstalker. com • HP WebInspect - http:/www.hpenterprisesecurity.com/products/ hp-fortify-software-security-center/hp-webinspect • SoapUI (Web Service security testing) - http:/www.soapui.org/ Security/getting-started.html • Netsparker - http:/www.mavitunasecurity.com/netsparker/ • SAINT - http:/www.saintcorporation.com/ • QualysGuard WAS - http:/www.qualys.com/enterprises/ qualysguard/web-application-scanning/ • Retina Web - http:/www.eeye.com/Products/Retina/Web- Security-Scanner.aspx • Cenzic Hailstorm - http:/www.cenzic.com/downloads/datasheets/ Cenzic-datasheet-Hailstorm-Technology.pdf Source Code Analyzers Open Source / Freeware • Owasp Orizon • OWASP LAPSE • OWASP O2 Platform • Google CodeSearchDiggity - http:/www.stachliu.com/resources/ tools/google-hacking-diggity-project/attack-tools/ • PMD - http:/pmd.sourceforge.net/ • FlawFinder - http:/www.dwheeler.com/flawfinder • Microsoft’s FxCop • Splint - http:/splint.org • Boon - http:/www.cs.berkeley.edu/~daw/boon • FindBugs - http:/findbugs.sourceforge.net • Find Security Bugs - http:/h3xstream.github.io/find-sec-bugs/ • Oedipus - http:/www.darknet.org.uk/2006/06/oedipus-opensource-web-application-security-analysis/ • W3af - http:/w3af.sourceforge.net/ • phpcs-security-audit - https:/github.com/Pheromone/phpcssecurity-audit Commercial • Armorize CodeSecure - http:/www.armorize.com/index.php?link_ id=codesecure • Parasoft C/C++ test - http:/www.parasoft.com/jsp/products/ cpptest.jsp/index.htm • Checkmarx CxSuite - http:/www.checkmarx.com • HP Fortify - http:/www.hpenterprisesecurity.com/products/hpfortify-software-security-center/hp-fortify-static-code-analyzer • GrammaTech - http:/www.grammatech.com • ITS4 - http:/seclab.cs.ucdavis.edu/projects/testing/tools/its4.html • Appscan - http:/www-01.ibm.com/software/rational/products/ appscan/source/ • ParaSoft - http:/www.parasoft.com • Virtual Forge CodeProfiler for ABAP - http:/www.virtualforge.de • Veracode - http:/www.veracode.com • Armorize CodeSecure - http:/www.armorize.com/codesecure/ Acceptance Testing Tools Acceptance testing tools are used to validate the functionality of web applications. Some follow a scripted approach and typically make use of a Unit Testing framework to construct test suites and test cases. Most, if not all, can be adapted to perform security specific tests in addition to functional tests. Open Source Tools • WATIR - http:/wtr.rubyforge.org • A Ruby based web testing framework that provides an interface into Internet Explorer. • Windows only. • HtmlUnit - http:/htmlunit.sourceforge.net • A Java and JUnit based framework that uses the Apache HttpClient as the transport. • Very robust and configurable and is used as the engine for a number of other testing tools. • jWebUnit - http:/jwebunit.sourceforge.net • A Java based meta-framework that uses htmlunit or selenium as the testing engine. • Canoo Webtest - http:/webtest.canoo.com • An XML based testing tool that provides a facade on top of htmlunit. • No coding is necessary as the tests are completely specified in XML. • There is the option of scripting some elements in Groovy if XML does not suffice. • Very actively maintained. • HttpUnit - http:/httpunit.sourceforge.net • One of the first web testing frameworks, suffers from using the native JDK provided HTTP transport, which can be a bit limiting for security testing. • Watij - http:/watij.com • A Java implementation of WATIR. • Windows only because it uses IE for its tests (Mozilla integration is in the works). • Solex - http:/solex.sourceforge.net • An Eclipse plugin that provides a graphical tool to record HTTP sessions and make assertions based on the results. • Selenium - http:/seleniumhq.org/ • JavaScript based testing framework, cross-platform and provides a GUI for creating tests. • Mature and popular tool, but the use of JavaScript could hamper certain security tests. Other Tools Runtime Analysis • Rational PurifyPlus - http:/www-01.ibm.com/software/awdtools/ purify/ • Seeker by Quotium - http:/www.quotium.com/prod/security.php Binary Analysis • BugScam IDC Package - http:/sourceforge.net/projects/bugscam • Veracode - http:/www.veracode.com Requirements Management • Rational Requisite Pro - http:/www-306.ibm.com/software/ awdtools/reqpro Site Mirroring • wget - http:/www.gnu.org/software/wget, http:/www.interlog. com/~tcharron/wgetwin.html • curl - http:/curl.haxx.se • Sam Spade - http:/www.samspade.org • Xenu’s Link Sleuth - http:/home.snafu.de/tilman/xenulink.html OWASP Testing Guide Appendix B: Suggested Reading Whitepapers • The Economic Impacts of Inadequate Infrastructure for Software
217 Appendix Testing - http:/www.nist.gov/director/planning/upload/report02-3. pdf • Improving Web Application Security: Threats and Countermeasures- http:/msdn.microsoft.com/en-us/library/ff649874.aspx • NIST Publications - http:/csrc.nist.gov/publications/PubsSPs.html • The Open Web Application Security Project (OWASP) Guide Project - https:/www.owasp.org/index.php/Category:OWASP_Guide_Project • Security Considerations in the System Development Life Cycle (NIST) - http:/www.nist.gov/customcf/get_pdf.cfm?pub_id=890097 • The Security of Applications: Not All Are Created Equal - http:/www. securitymanagement.com/archive/library/atstake_tech0502.pdf • Software Assurance: An Overview of Current Practices - http:/ www.safecode.org/publications/SAFECode_BestPractices0208.pdf • Software Security Testing: Software Assurance Pocket guide Series: Development, Volume III - https:/buildsecurityin.us-cert. gov/swa/downloads/SoftwareSecurityTesting_PocketGuide_1%20 0_05182012_PostOnline.pdf • Use Cases: Just the FAQs and Answers – http:/www.ibm.com/ developerworks/rational/library/content/RationalEdge/jan03/Use- CaseFAQS_TheRationalEdge_Jan2003.pdf Books • The Art of Software Security Testing: Identifying Software Security Flaws, by Chris Wysopal, Lucas Nelson, Dino Dai Zovi, Elfriede Dustin, published by Addison-Wesley, ISBN 0321304861 (2006) • Building Secure Software: How to Avoid Security Problems the Right Way, by Gary McGraw and John Viega, published by Addison-Wesley Pub Co, ISBN 020172152X (2002) - http:/www.buildingsecuresoftware.com • The Ethical Hack: A Framework for Business Value Penetration Testing, By James S. Tiller, Auerbach Publications, ISBN 084931609X (2005) • + Online version available at: http:/books.google.com/books?id=fwASXKXOolEC&printsec=frontcover&source=gbs_ge_summary_r&cad=0#v=onepage&q&f=false • Exploiting Software: How to Break Code, by Gary McGraw and Greg Hoglund, published by Addison-Wesley Pub Co, ISBN 0201786958 (2004) -http:/www.exploitingsoftware.com • The Hacker’s Handbook: The Strategy behind Breaking into and Defending Networks, By Susan Young, Dave Aitel, Auerbach Publications, ISBN: 0849308887 (2005) • + Online version available at: http:/books.google.com/ books?id=AO2fsAPVC34C&printsec=frontcover&source=gbs_ge_ summary_r&cad=0#v=onepage&q&f=false • Hacking Exposed: Web Applications 3, by Joel Scambray, Vinvent Liu, Caleb Sima, published by McGraw-Hill Osborne Media, ISBN 007222438X (2010) - http:/www.webhackingexposed.com/ • The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws, 2nd Edition - published by Dafydd Stuttard, Marcus Pinto, ISBN 9781118026472 (2011) • How to Break Software Security, by James Whittaker, Herbert H. Thompson, published by Addison Wesley, ISBN 0321194330 (2003) • How to Break Software: Functional and Security Testing of Web Applications and Web Services, by Make Andrews, James A. Whittaker, published by Pearson Education Inc., ISBN 0321369440 (2006) • Innocent Code: A Security Wake-Up Call for Web Programmers, by Sverre Huseby, published by John Wiley & Sons, ISBN 0470857447(2004) - http:/innocentcode.thathost.com • + Online version available at: http:/books.google.com/books?id=R- jVjgPQsKogC&printsec=frontcover&source=gbs_ge_summary_r&- cad=0#v=onepage&q&f=false • Mastering the Requirements Process, by Suzanne Robertson and James Robertson, published by Addison-Wesley Professional, ISBN 0201360462 • + Online version available at: http:/books.google.com/ books?id=SN4WegDHVCcC&printsec=frontcover&source=gbs_ge_ summary_r&cad=0#v=onepage&q&f=false • Secure Coding: Principles and Practices, by Mark Graff and Kenneth R. Van Wyk, published by O’Reilly, ISBN 0596002424 (2003) - http:/ www.securecoding.org • Secure Programming for Linux and Unix HOWTO, David Wheeler (2004) http:/www.dwheeler.com/secure-programs • + Online version: http:/www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/index.html • Securing Java, by Gary McGraw, Edward W. Felten, published by Wiley, ISBN 047131952X (1999) - http:/www.securingjava.com • Software Security: Building Security In, by Gary McGraw, published by Addison-Wesley Professional, ISBN 0321356705 (2006) • Software Testing In The Real World (Acm Press Books) by Edward Kit, published by Addison-Wesley Professional, ISBN 0201877562 (1995) • Software Testing Techniques, 2nd Edition, By Boris Beizer, International Thomson Computer Press, ISBN 0442206720 (1990) The Tangled Web: A Guide to Securing Modern Web Applications, by Michael Zalewski, published by No Starch Press Inc., ISBN 047131952X (2011) The Unified Modeling Language – A User Guide – by Grady Booch, James Rumbaugh, Ivar Jacobson, published by Addison-Wesley Professional, ISBN 0321267974 (2005) • The Unified Modeling Language User Guide, by Grady Booch, James Rumbaugh, Ivar Jacobson, Ivar published by Addison-Wesley Professional, ISBN 0-201-57168-4 (1998) Web Security Testing Cookbook: Systematic Techniques to Find Problems Fast, by Paco Hope, Ben Walther, published by O’Reilly, ISBN 0596514832 (2008) • Writing Secure Code, by Mike Howard and David LeBlanc, published by Microsoft Press, ISBN 0735617228 (2004) http:/www.microsoft. com/learning/en/us/book.aspx?ID=5957&locale=en-us Useful Websites • Build Security In - https:/buildsecurityin.us-cert.gov/bsi/home.html • Build Security In – Security-Specific Bibliography - https:/ buildsecurityin.us-cert.gov/bsi/articles/best-practices/measurement/1070-BSI.html • CERT Secure Coding - http:/www.cert.org/secure-coding/ • CERT Secure Coding Standards- https:/www.securecoding.cert. org/confluence/display/seccode/CERT+Secure+Coding+Standards • Exploit and Vulnerability Databases - https:/buildsecurityin.us-cert. gov/swa/database.html • Google Code University – Web Security - http:/code.google.com/ edu/security/index.html • McAfee Foundstone Publications - http:/www.mcafee.com/apps/ view-all/publications.aspx?tf=foundstone&sz=10 • McAfee – Resources Library - http:/www.mcafee.com/apps/resource-library-search.aspx?region=us • McAfee Free Tools - http:/www.mcafee.com/us/downloads/freetools/index.aspx • OASIS Web Application Security (WAS) TC - http:/www.oasis-open.org/committees/tc_home.php?wg_abbrev=was • Open Source Software Testing Tools - http:/www.opensourcetesting.org/security.php
Page 1 and 2:
1 Testing Guide 4.0 Project Leaders
Page 3 and 4:
Testing Guide Foreword - Table of c
Page 5 and 6:
3 Testing Guide Foreword - Table of
Page 7 and 8:
5 Testing Guide Foreword - By Eoin
Page 9 and 10:
7 Testing Guide Frontispiece 1 Test
Page 11 and 12:
9 Testing Guide Introduction 2 The
Page 13 and 14:
11 Testing Guide Introduction vide
Page 15 and 16:
13 Testing Guide Introduction Testi
Page 17 and 18:
15 Testing Guide Introduction laid
Page 19 and 20:
17 Testing Guide Introduction valid
Page 21 and 22:
19 Testing Guide Introduction USER
Page 23 and 24:
21 Testing Guide Introduction ment
Page 25 and 26:
23 Testing Guide Introduction offen
Page 27 and 28:
25 The OWASP Testing Framework sect
Page 29 and 30:
27 Web Application Penetration Test
Page 31 and 32:
Page 33 and 34:
Page 35 and 36:
Page 37 and 38:
Page 39 and 40:
Page 41 and 42:
Page 43 and 44:
Page 45 and 46:
Page 47 and 48:
Page 49 and 50:
Page 51 and 52:
Page 53 and 54:
Page 55 and 56:
Page 57 and 58:
Page 59 and 60:
Page 61 and 62:
Page 63 and 64:
Page 65 and 66:
Page 67 and 68:
Page 69 and 70:
Page 71 and 72:
Page 73 and 74:
Page 75 and 76:
Page 77 and 78:
Page 79 and 80:
Page 81 and 82:
Page 83 and 84:
Page 85 and 86:
Page 87 and 88:
Page 89 and 90:
Page 91 and 92:
Page 93 and 94:
Page 95 and 96:
Page 97 and 98:
Page 99 and 100:
Page 101 and 102:
Page 103 and 104:
101 Web Application Penetration Tes
Page 105 and 106:
Page 107 and 108:
Page 109 and 110:
Page 111 and 112:
Page 113 and 114:
Page 115 and 116:
Page 117 and 118:
Page 119 and 120:
Page 121 and 122:
Page 123 and 124:
Page 125 and 126:
Page 127 and 128:
Page 129 and 130:
Page 131 and 132:
Page 133 and 134:
Page 135 and 136:
Page 137 and 138:
Page 139 and 140:
Page 141 and 142:
Page 143 and 144:
Page 145 and 146:
Page 147 and 148:
Page 149 and 150:
Page 151 and 152:
Page 153 and 154:
Page 155 and 156:
Page 157 and 158:
Page 159 and 160:
Page 161 and 162:
Page 163 and 164:
Page 165 and 166:
Page 167 and 168: 165 Web Application Penetration Tes
Page 211 and 212: 209 same code can be applied to ses
Page 213 and 214: 211 Reporting Test ID Lowest versio
Page 215 and 216: 213 Reporting Test ID Business Logi
Page 217: 215 Appendix kajfghlhfkcocafkcjlajl
Page 221 and 222: 219 Cross Site Scripting (XSS) For
Page 223 and 224: 221 LDAP Injection For details on L
show all

4.0

Create successful ePaper yourself

Delete template?

Save as template?