OWASP methodology and Testing Framework Presentation, Study notes of Information Systems

Very good methodology, must read

Typology: Study notes

2017/2018

Uploaded on 10/27/2018

kaushikera064

Austin OWASP - 8/28/2007

The OWASP Testing Framework
(Based on the “new OWASP Testing Guide” presentation by Matteo Meucci and Alberto Revelli)

Introduction

Who is Josh Sokol?
- On the Web Systems Team at National Instruments
- UNIX/Linux System Administrator ~10 years
- Cisco Certified Network Associate
- SANS GIAC in Web Application Security (GWAS)
- Working on an initiative to bring a more security oriented mindset to the developers at NI.
- [email protected]

The OWASP Testing Framework

- The problem of insecure software: companies' next challenge
- Why OWASP?
  - “It's impossible to underestimate the importance of having this guide available in a completely free and open way” – Jeff Williams (OWASP Chair)
- Principles of Testing: comparing the state of something against a set of criteria that is defined and complete.
  - We want security testing not to be a black art
- Testing Techniques:
  - Manual Inspections & Reviews
  - Threat Modeling
  - Code Review
  - Penetration Testing

The OWASP Testing Framework

Phase 1: Before Development Begins
Before application development has started:
- Test to ensure that there is an adequate SDLC where security is inherent.
- Test to ensure that the appropriate policy and standards are in place for the development team.
- Develop Measurement and Metrics Criteria (Ensure Traceability)

The OWASP Testing Framework

Phase 3: During Development
- Code Walkthroughs: a high-level walkthrough of the code where the developers can explain the logic and flow.
- Code Reviews: static code reviews validate the code against a set of checklists:
  - CIA Triad
  - OWASP Top 10, OWASP Code Review
  - SOX, ISO 17799, etc.

The OWASP Testing Framework

Phase 4: During Deployment
- Application Penetration Testing
  - Focus of the OWASP Testing Framework Guide
- Configuration Management Testing
  - The application penetration test should include the checking of how the infrastructure was deployed and secured.

Phase 5: Maintenance and Operations
- Conduct operational management reviews
- Conduct periodic health checks
- Ensure change verification

Testing Paragraph Template

- Brief Summary: describe in "natural language" what we want to test. The target of this section is non-technical people (e.g. a client executive).
- Description of the Issue: short description of the issue, topic and explanation.
- Black Box testing and example
  - How to test for vulnerabilities:
  - Result Expected: ...
- Gray Box testing and example
  - How to test for vulnerabilities:
  - Result Expected: ...
- References
  - Whitepapers
  - Tools

Black Box vs. Gray Box

Black Box:
- The penetration tester does not have any information about the structure of the application, its components and internals.

Gray Box:
- The penetration tester has partial information about the application internals, e.g. platform vendor, sessionID generation algorithm.

White box testing, defined as complete knowledge of the application internals, is beyond the scope of the Testing Guide and is covered by the OWASP Code Review Project.

Testing Model

The test is divided into 2 phases:

Passive mode: in the passive mode the tester tries to understand the application's logic and plays with the application; a tool can be used for information gathering, such as an HTTP proxy to observe all the HTTP requests and responses. At the end of this phase the tester should understand all the access points (gates) of the application (e.g. HTTP headers, parameters, cookies). A spreadsheet with the directory tree of the application and all the access points is created for use with the second phase.

Active mode: in this phase the tester begins to test using eight distinct sub-phases of security assessment.

Passive Mode: Example

Use an HTTP proxy to observe all the HTTP requests and responses.
- WebScarab (OWASP)
- TamperData (Firefox Extension)
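As an added example (not part of the original slides, and not code from WebScarab or TamperData), the script below turns requests recorded by an intercepting proxy into the access-point inventory the passive phase is meant to produce: for each path, the HTTP methods seen, the query and form parameter names, the cookie names, and any non-standard request headers. The captured requests, the host name and every parameter and cookie name in them are constructed sample data.

```python
from urllib.parse import urlsplit, parse_qsl
import csv
import io

# Constructed sample: three requests as an intercepting proxy would record them.
# Host, paths, parameter and cookie names are invented for this example.
CAPTURED_REQUESTS = [
    "GET /bank/login.aspx?ReturnUrl=%2Fbank%2Fmain.aspx HTTP/1.1\r\n"
    "Host: demo.example\r\n"
    "Cookie: ASP.NET_SessionId=abc123; lang=en\r\n"
    "\r\n",
    "POST /bank/login.aspx HTTP/1.1\r\n"
    "Host: demo.example\r\n"
    "Cookie: ASP.NET_SessionId=abc123\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "uid=jsmith&passw=secret&btnSubmit=Login",
    "GET /bank/transfer.aspx HTTP/1.1\r\n"
    "Host: demo.example\r\n"
    "Cookie: ASP.NET_SessionId=abc123\r\n"
    "X-Requested-With: XMLHttpRequest\r\n"
    "\r\n",
]

# Request headers every client sends; they are transport, not application inputs.
BORING_HEADERS = {"host", "cookie", "content-type", "content-length", "connection"}


def parse_request(raw):
    """Split one raw request into (method, path, query names, body names, cookie names, headers)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    url = urlsplit(target)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    query = [k for k, _ in parse_qsl(url.query, keep_blank_values=True)]
    body_params = []
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        body_params = [k for k, _ in parse_qsl(body, keep_blank_values=True)]
    cookies = [c.split("=", 1)[0].strip()
               for c in headers.get("cookie", "").split(";") if c.strip()]
    return method, url.path, query, body_params, cookies, headers


def build_access_points(requests):
    """Merge parsed requests into {path: {methods, query, body, cookies, headers}}."""
    tree = {}
    for raw in requests:
        method, path, query, body, cookies, headers = parse_request(raw)
        entry = tree.setdefault(
            path, {k: set() for k in ("methods", "query", "body", "cookies", "headers")})
        entry["methods"].add(method)
        entry["query"].update(query)
        entry["body"].update(body)
        entry["cookies"].update(cookies)
        entry["headers"].update(h for h in headers if h not in BORING_HEADERS)
    return tree


def to_csv(tree):
    """Render the inventory as the 'spreadsheet' the slide describes, one row per path."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["path", "methods", "query params", "body params", "cookies", "headers"])
    for path in sorted(tree):
        entry = tree[path]
        writer.writerow([path] + [";".join(sorted(entry[k]))
                                  for k in ("methods", "query", "body", "cookies", "headers")])
    return out.getvalue()


if __name__ == "__main__":
    print(to_csv(build_access_points(CAPTURED_REQUESTS)))
```

Every name the inventory lists is an input the active phase has to exercise; keeping the list as data (rather than in the tester's head) is what makes the second phase repeatable and what lets a reviewer check that no gate was skipped.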

Information Gathering

- The first phase in security assessment is of course focused on collecting all the information about a target application.
- Using public tools it is possible to force the application to leak information by sending messages that reveal the versions and technologies used by the application.
- Available techniques include:
  - Raw HTTP connections (netcat)
  - The good ol' tools: nmap, amap, ...
  - Web spiders
  - Search engines (“Google Dorking”)
  - SSL fingerprinting
  - File extensions handling
  - Backups and unreferenced files

Information Gathering: Example

Application Fingerprint
Knowing the version and type of a running web server allows testers to determine known vulnerabilities and the appropriate exploits to use during the tests. Netcat is the tool of choice for this very well known technique:

    $ nc demo.testfire.net 80
    HEAD / HTTP/1.0

    HTTP/1.1 200 OK
    Connection: close
    Date: Mon, 27 Aug 2007 22:36:11 GMT
    Server: Microsoft-IIS/6.0
    X-Powered-By: ASP.NET
    X-AspNet-Version: 2.0.50727
    Set-Cookie: ASP.NET_SessionId=atu011455ailys3tuk2hasqh; path=/; HttpOnly
    Set-Cookie: amSessionId=17361177068; path=/
    Cache-Control: no-cache
    Pragma: no-cache
    Expires: -1
    Content-Type: text/html; charset=utf-8
    Content-Length: 9550

...But what if the “Server:” header is obfuscated?

Information Gathering: Example

The good news is that each server has a favorite way to order headers!
Here are the results for some common web servers when responding to a “HEAD / HTTP/1.0” command:

    Apache 1.3.23     IIS 5.0             Netscape Enterprise 4.1   SunONE 6.1
    Date              Server              Server                    Server
    Server            Content-Location    Date                      Date
    Last-Modified     Date                Content-Type              Content-Length
    ETag              Content-Type        Last-Modified             Content-Type
    Accept-Ranges     Accept-Ranges       Content-Length            Last-Modified
    Content-Length    Last-Modified       Accept-Ranges
    Connection        ETag                Connection
    Content-Type      Content-Length
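An added example, not from the slides: the header-order check described above, implemented as a small Python scorer. The four signatures are the slide's table; the sample responses, the scoring rule (the fraction of a signature's adjacent header pairs that the observed response keeps in the same order) and the 0.75 confidence threshold are my own choices. It also answers the slide's closing question from the defender's side: rewriting only the value of Server: leaves the order intact and the server is still recognised, so hiding the server type means normalising header order as well (usually at a reverse proxy), and a response with too few headers is correctly reported as undecidable rather than guessed.

```python
# Header order produced by each server in reply to "HEAD / HTTP/1.0" (the slide's table).
SIGNATURES = {
    "Apache 1.3.23": ["Date", "Server", "Last-Modified", "ETag", "Accept-Ranges",
                      "Content-Length", "Connection", "Content-Type"],
    "IIS 5.0": ["Server", "Content-Location", "Date", "Content-Type", "Accept-Ranges",
                "Last-Modified", "ETag", "Content-Length"],
    "Netscape Enterprise 4.1": ["Server", "Date", "Content-Type", "Last-Modified",
                                "Content-Length", "Accept-Ranges", "Connection"],
    "SunONE 6.1": ["Server", "Date", "Content-Length", "Content-Type", "Last-Modified"],
}

# Constructed sample: an IIS-style reply whose Server: VALUE has been rewritten
# by a filter, but whose header ORDER was left alone.
OBFUSCATED_IIS = (
    "HTTP/1.1 200 OK\r\n"
    "Server: SomeWebServer/1.0\r\n"
    "Content-Location: http://demo.example/default.htm\r\n"
    "Date: Mon, 27 Aug 2007 22:36:11 GMT\r\n"
    "Content-Type: text/html\r\n"
    "Accept-Ranges: bytes\r\n"
    "Last-Modified: Mon, 27 Aug 2007 20:00:00 GMT\r\n"
    "ETag: \"0a1b2c\"\r\n"
    "Content-Length: 9550\r\n"
    "\r\n"
)

# Constructed sample: an Apache-style reply with only a bare "Server: Apache".
APACHE_LIKE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 27 Aug 2007 22:36:11 GMT\r\n"
    "Server: Apache\r\n"
    "Last-Modified: Mon, 27 Aug 2007 20:00:00 GMT\r\n"
    "ETag: \"1a2b-3c\"\r\n"
    "Accept-Ranges: bytes\r\n"
    "Content-Length: 1234\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

# Constructed sample: too few headers to decide anything from their order.
MINIMAL = "HTTP/1.1 200 OK\r\nServer: hidden\r\nDate: Mon, 27 Aug 2007 22:36:11 GMT\r\n\r\n"


def header_order(raw_response):
    """Return the header NAMES of a raw HTTP response in wire order, lower-cased."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    names = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, _ = line.partition(":")
        if sep:
            names.append(name.strip().lower())
    return names


def order_score(observed, signature):
    """Fraction of the signature's adjacent header pairs (a before b) that the
    observed response reproduces; a missing header counts as a lost pair."""
    sig = [h.lower() for h in signature]
    pos = {h: i for i, h in enumerate(observed)}
    kept = sum(1 for a, b in zip(sig, sig[1:])
               if a in pos and b in pos and pos[a] < pos[b])
    return kept / (len(sig) - 1)


def fingerprint(raw_response, threshold=0.75):
    """Rank the known signatures and return (name, score), or (None, score) when the
    best match is weak or tied.  The VALUE of Server: is deliberately never read."""
    observed = header_order(raw_response)
    ranked = sorted(((order_score(observed, sig), name) for name, sig in SIGNATURES.items()),
                    reverse=True)
    best_score, best_name = ranked[0]
    tied = len(ranked) > 1 and ranked[1][0] == best_score
    if best_score < threshold or tied:
        return None, best_score
    return best_name, best_score


if __name__ == "__main__":
    for label, sample in (("obfuscated IIS", OBFUSCATED_IIS),
                          ("apache", APACHE_LIKE), ("minimal", MINIMAL)):
        print(f"{label:15s} -> {fingerprint(sample)}")
```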

Business Logic Testing

In this phase, we look for flaws in the application business logic rather than in the technical implementation. Areas of testing include:
- Rules that express the business policy (such as channels, location, logistics, prices, and products)
- Workflows that are the ordered tasks of passing documents or data from one participant (a person or a software system) to another

One of the most common results in this step of the analysis is flaws in the order of actions that a user has to follow: an attacker could perform them in a different order to get some sort of advantage.

This step is the most difficult to perform with automated tools, as it requires the penetration tester to perfectly understand the business logic that is (or should be) implemented by the application.
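An added example, not from the slides: the "order of actions" flaw described above, as a constructed checkout workflow in Python. NaiveOrder is the "before" version, where each step handler is reachable in any order because the server assumes the client follows the UI; Order keeps the workflow state on the server and refuses any step the current state does not allow. The step names, states and prices are illustrative and belong to no real application.

```python
class WorkflowError(Exception):
    """Raised when a client asks for a step the current workflow state does not allow."""


class NaiveOrder:
    """'Before' version: each handler trusts that the client called the steps in the
    order the UI presents them, so nothing stops add_item() after pay()."""

    def __init__(self):
        self.items = []
        self.amount_paid = None
        self.shipped = False

    def add_item(self, price):
        self.items.append(price)

    def pay(self):
        self.amount_paid = float(sum(self.items))

    def ship(self):
        self.shipped = True


# Constructed workflow: state -> steps allowed from that state (kept server-side).
TRANSITIONS = {
    "new": {"add_item"},
    "cart": {"add_item", "checkout"},
    "checkout": {"pay"},
    "paid": {"ship"},
    "shipped": set(),
}
# Step -> state the order is in after the step succeeds.
NEXT_STATE = {"add_item": "cart", "checkout": "checkout", "pay": "paid", "ship": "shipped"}


class Order:
    """'After' version: the server records the order's state and checks every step
    against TRANSITIONS before running its handler."""

    def __init__(self):
        self.state = "new"
        self.items = []
        self.amount_paid = None
        self.shipped = False
        self.history = []

    def step(self, action, **params):
        if action not in TRANSITIONS[self.state]:
            raise WorkflowError(f"{action!r} is not allowed in state {self.state!r}")
        getattr(self, "_do_" + action)(**params)
        self.history.append(action)
        self.state = NEXT_STATE[action]
        return self.state

    def _do_add_item(self, price):
        self.items.append(price)

    def _do_checkout(self):
        pass

    def _do_pay(self):
        self.amount_paid = float(sum(self.items))

    def _do_ship(self):
        self.shipped = True


def demo_naive():
    """Pay for a cheap item, then add an expensive one, then ship: the naive server
    ships 100 worth of goods against a payment of 10."""
    o = NaiveOrder()
    o.add_item(10)
    o.pay()
    o.add_item(90)
    o.ship()
    return o.amount_paid, sum(o.items), o.shipped


def demo_enforced():
    """Same sequence against the state machine: the late add_item is refused and
    the shipment matches what was paid for."""
    o = Order()
    o.step("add_item", price=10)
    o.step("checkout")
    o.step("pay")
    try:
        o.step("add_item", price=90)
        refused = False
    except WorkflowError:
        refused = True
    o.step("ship")
    return o.amount_paid, sum(o.items), refused


if __name__ == "__main__":
    print("naive   :", demo_naive())
    print("enforced:", demo_enforced())
```

Two things make the second version testable as well as safer: the allowed transitions are data, so a tester with gray-box access can read them and enumerate every out-of-order call worth trying, and each refused step raises an exception that can be logged, which gives operations a signal when someone is probing the workflow.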