(Based on the “new OWASP Testing Guide” presentation by Matteo Meucci and Alberto Revelli)

“It's impossible to underestimate the importance of having this guide available in a completely free and open way” – Jeff Williams (OWASP Chair)

We want security testing not to be a black art.

Testing techniques covered:
- Manual Inspections & Reviews
- Threat Modeling
- Code Review
- Penetration Testing
Phase 1: Before Development Begins
Before application development has started:
- Test to ensure that there is an adequate SDLC where security is inherent.
- Test to ensure that the appropriate policy and standards are in place for the development team.
- Develop Measurement and Metrics Criteria (Ensure Traceability).

Phase 3: During Development
Code Walkthroughs:
Code Reviews:
- CIA Triad
- OWASP Top 10, OWASP Code Review
- SOX, ISO 17799, etc.

Phase 4: During Deployment
- Application Penetration Testing (focus of the OWASP Testing Framework Guide)
- Configuration Management Testing: the application penetration test should include checking how the infrastructure was deployed and secured.

Phase 5: Maintenance and Operations
- Conduct operational management reviews
- Conduct periodic health checks
- Ensure change verification
Structure of each test in the Guide:
- Brief Summary: describe in "natural language" what we want to test. The target of this section is non-technical people (e.g. a client executive).
- Description of the Issue: short description of the issue, topic and explanation.
- Black Box testing and example:
  - How to test for vulnerabilities:
  - Result Expected: ...
- Gray Box testing and example:
  - How to test for vulnerabilities:
  - Result Expected: ...
- References
  - Whitepapers
  - Tools

Black Box: the penetration tester does not have any information about the structure of the application, its components and internals.
Gray Box: the penetration tester has partial information about the application internals, e.g. platform vendor, sessionID generation algorithm.
White box testing, defined as complete knowledge of the application internals, is beyond the scope of the Testing Guide and is covered by the OWASP Code Review Project.
The test is divided into two phases:
- Passive mode: the tester tries to understand the application's logic and plays with the application; a tool such as an HTTP proxy can be used for information gathering, to observe all the HTTP requests and responses. At the end of this phase the tester should understand all the access points (gates) of the application (e.g. HTTP headers, parameters, cookies). A spreadsheet with the directory tree of the application and all the access points is created for use in the second phase.
- Active mode: the tester begins to test using eight distinct sub-phases of security assessment.

Use an HTTP proxy to observe all the HTTP requests and responses:
- WebScarab (OWASP)
- TamperData (Firefox extension)
Application Fingerprint
Knowing the version and type of a running web server allows testers to determine known vulnerabilities and the appropriate exploits to use during the tests. Netcat is the tool of choice for this very well known technique:

    $ nc demo.testfire.net 80
    HEAD / HTTP/1.
    HTTP/1.1 200 OK
    Connection: close
    Date: Mon, 27 Aug 2007 22:36:11 GMT
    Server: Microsoft-IIS/6.
    X-Powered-By: ASP.NET
    X-AspNet-Version: 2.0.
    Set-Cookie: ASP.NET_SessionId=atu011455ailys3tuk2hasqh; path=/; HttpOnly
    Set-Cookie: amSessionId=17361177068; path=/
    Cache-Control: no-cache
    Pragma: no-cache
    Expires: -
    Content-Type: text/html; charset=utf-
    Content-Length: 9550
    ...

But what if the “Server:” header is obfuscated?
The order in which each server emits its response headers still identifies it (one column per server, headers listed in the order sent):

    Apache 1.3.23      IIS 5.0            Netscape Enterprise 4.1   SunONE 6.
    Date               Server             Server                    Server
    Server             Content-Location   Date                      Date
    Last-Modified      Date               Content-Type              Content-Length
    ETag               Content-Type       Last-Modified             Content-Type
    Accept-Ranges      Accept-Ranges      Content-Length            Last-Modified
    Content-Length     Last-Modified      Accept-Ranges             Accept-Ranges
    Connection         ETag               Connection                Connection
    Content-Type       Content-Length
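The header-order check described above, as an added example that is not part of the original slides: it encodes the slide's ordering table for the four server families and scores a captured response against each, so a defender can verify whether masking the "Server:" header on their own server still leaves the product recognisable from header order. The sample response, the `parse_headers`/`fingerprint` names and the use of `difflib.SequenceMatcher` as the similarity measure are assumptions of this example.

```python
from difflib import SequenceMatcher

# Header order per server family, taken from the slide's table
# ("SunONE 6" keeps the truncated version as printed on the slide).
SIGNATURES = {
    "Apache 1.3.23": ["Date", "Server", "Last-Modified", "ETag", "Accept-Ranges",
                      "Content-Length", "Connection", "Content-Type"],
    "IIS 5.0": ["Server", "Content-Location", "Date", "Content-Type",
                "Accept-Ranges", "Last-Modified", "ETag", "Content-Length"],
    "Netscape Enterprise 4.1": ["Server", "Date", "Content-Type", "Last-Modified",
                                "Content-Length", "Accept-Ranges", "Connection"],
    "SunONE 6": ["Server", "Date", "Content-Length", "Content-Type",
                 "Last-Modified", "Accept-Ranges", "Connection"],
}

def parse_headers(raw_response):
    """Return [(name_lowercase, value), ...] in wire order, skipping the status line."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def fingerprint(raw_response):
    """Return (best_match, similarity, server_header) based on header ORDER alone."""
    headers = parse_headers(raw_response)
    observed = [name for name, _ in headers]
    server_value = dict(headers).get("server")          # None when the header is absent
    scores = {}
    for product, sig in SIGNATURES.items():
        sig = [h.lower() for h in sig]
        # Compare only headers present on both sides, so an absent optional
        # header does not by itself rule a product out; order is what counts.
        obs_common = [h for h in observed if h in sig]
        sig_common = [h for h in sig if h in observed]
        scores[product] = SequenceMatcher(None, obs_common, sig_common).ratio()
    best = max(scores, key=scores.get)
    return best, round(scores[best], 2), server_value

# Constructed sample: "Server:" is masked, but the header order is IIS 5.0's.
SAMPLE = ("HTTP/1.1 200 OK\r\nServer: Masked\r\nContent-Location: http://example.test/\r\n"
          "Date: Mon, 27 Aug 2007 22:36:11 GMT\r\nContent-Type: text/html\r\n"
          "Accept-Ranges: bytes\r\nLast-Modified: Mon, 27 Aug 2007 20:00:00 GMT\r\n"
          "ETag: \"abc\"\r\nContent-Length: 9550\r\n\r\n")

if __name__ == "__main__":
    print(fingerprint(SAMPLE))   # ('IIS 5.0', 1.0, 'Masked')
```

A similarity below 1.0 for every signature means the order matches none of the four families exactly; treat the best match as a hint to confirm with other observations, not as proof.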
Business Logic Testing
In this phase, we look for flaws in the application business logic rather than in the technical implementation. Areas of testing include:
- Rules that express the business policy (such as channels, location, logistics, prices, and products)
- Workflows that are the ordered tasks of passing documents or data from one participant (a person or a software system) to another

One of the most common results in this step of the analysis are flaws in the order of actions that a user has to follow: an attacker could perform them in a different order to get some sort of advantage. This step is the most difficult to perform with automated tools, as it requires the penetration tester to perfectly understand the business logic that is (or should be) implemented by the application.