Web Application Security Test

Published on 13-Apr-2017

Transcript

<ul>
<li><p>1</p></li>
<li><p>2</p><p>Open Web Application Security Project (OWASP)</p><p>(Open Source)</p><p>OWASP baseline</p></li>
<li><p>3</p><p>Source Code Review</p><p>Black box</p><p>concurrency, backdoor</p></li>
<li><p>4</p><p>Penetration Testing</p><p>black box ethical hacking</p><p>Penetration test vulnerabilities</p><p>Source review</p></li>
<li><p>5</p><p>Developer</p></li>
<li><p>6</p><p>Developer</p></li>
<li><p>7</p><p>Testing for Configuration and Deployment Management</p><p>Server host / Web application</p><p>Test Network/Infrastructure Configuration</p><p>DB, CDN, Main Server, temp partition</p></li>
<li><p>8</p><p>Test Application Platform Configuration</p><p>default webserver</p><p>Directory traversal vulnerability in CodeBrws.asp in Microsoft IIS 5.0</p><p>Use of sendmail.jsp in Oracle 9iAS</p><p>Directory traversal in the view-source sample in Apache's Cocoon</p></li>
<li><p>9</p><p>Test File Extensions Handling for Sensitive Information</p></li>
<li><p>10</p><p>connection.inc</p><pre><code>&lt;?php
// Connection include file served as plain text: credentials are exposed to anyone who can fetch it.
mysql_connect("127.0.0.1", "root", "")
    or die("Could not connect");
?&gt;</code></pre><p>Extension failed: .asa, .inc</p><p>.zip, .tar, .gz, .tgz, .rar, ...: (Compressed) archive files</p><p>.java: No reason to provide access to Java source files</p><p>.txt: Text files</p><p>.pdf: PDF documents</p><p>.doc, .rtf, .xls, .ppt, ...: Office documents</p><p>.bak, .old and other extensions indicative of backup files (for example: ~ for Emacs backup files)</p></li>
<li><p>11</p><p>Test HTTP Methods (OTG-CONFIG-006)</p><p>HTTP methods: HEAD</p><p>GET</p><p>POST</p><p>PUT</p><p>DELETE</p><p>TRACE</p><p>OPTIONS</p><p>CONNECT</p><p>Web application: PUT, DELETE, CONNECT</p><p>REST web service: disable</p></li>
<li><p>12</p><p>Test RIA Cross Domain Policy (OTG-CONFIG-008)</p><p>Silverlight, Adobe Flash</p><p>Sockets permissions</p><p>Header permissions</p><p>HTTP/HTTPS access permissions</p></li>
<li><p>13</p><p>exploit</p><p>attack</p><p>Authentication Testing</p><p>Testing for Weak Password Policy</p><p>Testing for User Enumeration and Guessable User Account</p><p>Login for User foo: invalid password</p><p>Login failed for User foo: invalid Account</p><p>http://www.foo.com/err.jsp?User=gooduser&amp;Error=2</p><p>http://www.foo.com/err.jsp?User=baduser&amp;Error=0</p></li>
<li><p>14</p><p>Testing for Bypassing Authentication Schema</p><p>Direct page request (forced browsing)</p><p>Session ID prediction</p><p>SQL injection</p></li>
<li><p>15</p><p>Testing for Brute Force</p><p>HTTP Authentication:</p><p>Basic Access Authentication</p><p>HTML Form-based Authentication</p></li>
<li><p>16</p><p>Session Management Testing</p><p>Check session tokens for cookie flags (HttpOnly, Secure, Domain)</p><p>Authorization Testing</p><p>Directory Traversal</p></li>
<li><p>17</p><p>Input Validation Testing</p><p>SQL Injection (SQLi)</p><p>Blind SQL Injection</p><p>Testing for Command Injection</p></li>
<li><p>18</p><p>Testing for Local File Inclusion</p><p>Testing for Remote File Inclusion</p></li>
<li><p>19</p><p>Cross-site Scripting (XSS)</p></li>
<li><p>19</p><p>CSRF (Cross-Site Request Forgery)</p></li>
<li><p>20</p><p>WAF (Web Application Firewall)</p></li>
<li><p>21</p><p>WAF (Web Application Firewall)</p></li>
</ul>
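The user-enumeration case from slide 13, as an added example that is not part of the slides: a leaky login handler returns the slide's two distinct messages and Error codes for "no such account" versus "wrong password", a hardened handler returns one generic response for both, and a check confirms the two failures are indistinguishable. The user table, salt and passwords are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample data (assumption, not from the slides): one known account.
SALT = b"constructed-salt"
USERS = {"foo": hashlib.sha256(SALT + b"correct horse").hexdigest()}
DUMMY_HASH = hashlib.sha256(SALT + b"dummy").hexdigest()


def _password_ok(username, password):
    """Hash and compare even when the user is unknown, so the time taken
    does not reveal whether the account exists."""
    expected = USERS.get(username, DUMMY_HASH)
    presented = hashlib.sha256(SALT + password.encode()).hexdigest()
    return hmac.compare_digest(presented, expected) and username in USERS


def login_leaky(username, password):
    """The behaviour shown on slide 13: a different message and a different
    Error code for 'no such account' versus 'wrong password', so the failure
    response itself confirms which usernames exist."""
    if username not in USERS:
        return {"ok": False,
                "msg": f"Login failed for User {username}: invalid Account",
                "redirect": f"/err.jsp?User={username}&Error=0"}
    if not _password_ok(username, password):
        return {"ok": False,
                "msg": f"Login for User {username}: invalid password",
                "redirect": f"/err.jsp?User={username}&Error=2"}
    return {"ok": True, "msg": "Welcome", "redirect": "/home.jsp"}


def login_hardened(username, password):
    """One generic failure response for both cases, with no username echoed
    in the redirect, so the two failures cannot be told apart."""
    if _password_ok(username, password):
        return {"ok": True, "msg": "Welcome", "redirect": "/home.jsp"}
    return {"ok": False,
            "msg": "Invalid username or password",
            "redirect": "/err.jsp?Error=1"}


def failures_indistinguishable(login):
    """The check a tester runs for this OWASP item: an unknown user and a
    known user with a wrong password must get identical responses."""
    unknown = login("baduser", "anything")
    wrong_password = login("foo", "wrong")
    return unknown == wrong_password


if __name__ == "__main__":
    print("leaky:", failures_indistinguishable(login_leaky))        # False
    print("hardened:", failures_indistinguishable(login_hardened))  # True
```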