5. Yes
Filling a form
Finding the form Submit the form Authenticated
Un-authenticated
What was the
User id?
Session
management –
persist
Validation of
data? If
validation
worked
What if there
was an error?
How the
cryptography
was used?
Reflecting the
output to the
client
What are the
client side
issues?
6. WEB APPLICATION SECURITY TESTING
4.1 Information Gathering
4.2 Configuration and Deployment Management Testing
4.3 Identity Management Testing
4.4 Authentication Testing
4.5 Authorization Testing
4.6 Session Management Testing
4.7 Input Validation Testing
4.8 Testing for Error Handling
4.9 Testing for Weak Cryptography
4.10 Business Logic Testing
4.11 Client-Side Testing
12. What is Configuration Management?
What is Deployment Testing
What are we doing here?
13. CONFIGURATION AND DEPLOYMENT MANAGEMENT TESTING
4.2.1 Test Network Infrastructure Configuration
4.2.2 Test Application Platform Configuration
4.2.3 Test File Extensions Handling for Sensitive Information
4.2.4 Review Old Backup and Unreferenced Files for Sensitive Information
4.2.5 Enumerate Infrastructure and Application Admin Interfaces
4.2.6 Test HTTP Methods
4.2.7 Test HTTP Strict Transport Security
4.2.8 Test RIA Cross Domain Policy
4.2.9 Test File Permission
4.2.10 Test for Subdomain Takeover
4.2.11 Test Cloud Storage
15. 4.3 IDENTITY
MANAGEMENT
TESTING
4.3.1 Test Role Definitions
4.3.2 Test User Registration Process
4.3.3 Test Account Provisioning Process
4.3.4 Testing for Account Enumeration and Guessable User Account
4.3.5 Testing for Weak or Unenforced Username Policy
23. 4.7 INPUT VALIDATION TESTING
4.7.1 Testing for Reflected Cross Site Scripting
4.7.2 Testing for Stored Cross Site Scripting
4.7.3 Testing for HTTP Verb Tampering
4.7.4 Testing for HTTP Parameter Pollution
24. 4.7.5 TESTING FOR SQL INJECTION
4.7.5.1 Testing for Oracle
4.7.5.2 Testing for MySQL
4.7.5.3 Testing for SQL Server
4.7.5.4 Testing PostgreSQL
4.7.5.5 Testing for MS Access
4.7.5.6 Testing for NoSQL Injection
4.7.5.7 Testing for ORM Injection
4.7.5.8 Testing for Client Side
25. 4.7.6 Testing for LDAP Injection
4.7.7 Testing for XML Injection
4.7.8 Testing for SSI Injection
4.7.9 Testing for XPath Injection
4.7.10 Testing for IMAP SMTP Injection
4.7.11 Testing for Code Injection
4.7.11.1 Testing for Local File Inclusion
4.7.11.2 Testing for Remote File Inclusion
4.7.12 Testing for Command Injection
26. 4.7.13 Testing for Buffer Overflow
4.7.13.1 Testing for Heap Overflow
4.7.13.2 Testing for Stack Overflow
4.7.13.3 Testing for Format String
4.7.14 Testing for Incubated Vulnerability
4.7.15 Testing for HTTP Splitting Smuggling
4.7.16 Testing for HTTP Incoming Requests
4.7.17 Testing for Host Header Injection
4.7.18 Testing for Server Side Template Injection
30. 4.9 TESTING FOR WEAK CRYPTOGRAPHY
4.9.1 Testing for Weak SSL TLS Ciphers Insufficient Transport Layer Protection
4.9.2 Testing for Padding Oracle
4.9.3 Testing for Sensitive Information Sent via Unencrypted Channels
4.9.4 Testing for Weak Encryption
32. 4.10 BUSINESS LOGIC TESTING
4.10.0 Introduction to Business Logic
4.10.1 Test Business Logic Data Validation
4.10.2 Test Ability to Forge Requests
4.10.3 Test Integrity Checks
4.10.4 Test for Process Timing
4.10.5 Test Number of Times a Function Can Be Used Limits
4.10.6 Testing for the Circumvention of Work Flows
4.10.7 Test Defences Against Application Misuse
4.10.8 Test Upload of Unexpected File Types
4.10.9 Test Upload of Malicious Files
The OWASP Testing Guide has an important role to play in solving this serious issue. It is vitally important that our approach to testing software for security issues is based on the principles of engineering and science. We need a consistent, repeatable and defined approach to testing web applications. A world without some minimal standards in terms of engineering and technology is a world in chaos.
It goes without saying that we can’t build a secure application without performing security testing on it. Testing is part of a wider approach to build a secure system. Many software development organizations do not include security testing as part of their standard software development process.
Security testing, by itself, isn’t a particularly good stand-alone measure of how secure an application is, because there are an infinite number of ways that an attacker might be able to make an application break, and it simply isn’t possible to test them all. We can’t hack ourselves secure as we only have a limited time to test and defend where an attacker does not have such constraints.
In conjunction with other OWASP projects such as the Code Review Guide, the Development Guide and tools such as OWASP ZAP, this is a great start towards building and maintaining secure applications. This Testing Guide will show you how to verify the security of your running application. I highly recommend using these guides as part of your application security initiatives.
Developers should use this guide to ensure that they are producing secure code. These tests should be a part of normal code and unit testing procedures.
Software testers and QA should use this guide to expand the set of test cases they apply to applications. Catching these vulnerabilities early saves considerable time and effort later.
Security specialists should use this guide in combination with other techniques as one way to verify that no security holes have been missed in an application.
Project Managers should consider the reason this guide exists and that security issues are manifested via bugs in code and design.
Passive Testing
During passive testing, a tester tries to understand the application’s logic and explores the application as a user. Tools can be used for information gathering. For example, an HTTP proxy can be used to observe all the HTTP requests and responses. At the end of this phase, the tester should understand all the access points (gates) of the application (e.g., HTTP headers, parameters, and cookies). The Information Gathering section explains how to perform passive testing.
For example, a tester may find a page at the following URL:
https://www.example.com/login/Authentic_Form.html
This may indicate an authentication form where the application requests a username and a password.
The following parameters represent two access points (gates) to the application:
http://www.example.com/Appx.jsp?a=1&b=1
In this case, the application shows two gates (parameters a and b). All the gates found in this phase represent a point of testing. A spreadsheet with the directory tree of the application and all the access points may be useful during active testing.
Active Testing
During active testing, a tester begins to use the methodologies described in the follow sections.
The set of active tests have been split into 11 sub-categories for a total of 91 controls:
Configuration and Deployment Management Testing
Identity Management Testing
Authentication Testing
Authorization Testing
Session Management Testing
Input Validation Testing
Error Handling
Cryptography
Business Logic Testing
Client Side Testing
The aim of the project is to help people understand the what, why, when, where, and how of testing web applications. The project is a complete testing framework, not merely a simple checklist or prescription of issues that should be addressed.
The Testing Guide describes in detail both the general testing framework and the techniques required to implement the framework in practice.
Writing the Testing Guide has proven to be a difficult task. It was a challenge to obtain consensus and develop content that allowed people to apply the concepts described in the guide, while also enabling them to work in their own environment and culture. It was also a challenge to change the focus of web application testing from penetration testing to testing integrated in the software development life cycle.
However, the group is very satisfied with the results of the project. Many industry experts and security professionals, some of whom are responsible for software security at some of the largest companies in the world, are validating the testing framework. This framework helps organizations test their web applications in order to build reliable and secure software. The framework does not simply highlight areas of weakness, although that is certainly a by-product of many of the OWASP guides and checklists. As such, hard decisions had to be made about the appropriateness of certain testing techniques and technologies. The group fully understands that not everyone will agree with all of these decisions. However, OWASP is able to take the high ground and change culture over time through awareness and education, based on consensus and experience.
Chapter 3 presents the OWASP Testing Framework and explains its techniques and tasks in relation to the various phases of the software development life cycle.
Chapter 4 covers how to test for specific vulnerabilities (e.g., SQL Injection) by code inspection and penetration testing.
Leverages existing process (get approvals from geo and ww sales lead), megan will accept a screen shot of the portal with list price. See discount on the solution. Its deal/transaction specific. R-Set
Form submission –
How do you know a form is present
Submitted the form
Authenticated
Unauthenticated
What was the id?
Sesison management – persist?
Validation of data ? If validation worked
What if there was an error?
How was cryptography used?
Reflecting the output to the client?
What could be the client side issues?
Something which tools can help?
Testing guide has following modules which helps with information gathering
Screenshot of fingerprinting , waplyzer.
Some tools are universal, tools which are optional specific to particular use case.