OWASP Testing
By Francesco Iovine
Università degli Studi di Roma "Tor Vergata", Facoltà di Ingegneria
Computer and Internet Security course, 14 June 2012
Image: http://www.flickr.com/photos/purpleslog/2880224058/
Manual Inspections & Reviews
- Analyzing documentation
- Performing interviews with the designers or system owners
- Reviewing the documentation, secure coding policies, security requirements, and architectural designs
Manual Inspections & Reviews
Advantages
- Requires no supporting technology
- Can be applied to a variety of situations
- Flexible
- Promotes teamwork
- Early in the SDLC
Manual Inspections & Reviews
Disadvantages
- Can be time consuming
- Supporting material not always available
- Requires significant human thought and skill to be effective!
Threat Modeling
- Decomposing the application
- Defining and classifying the assets
- Exploring potential vulnerabilities
- Exploring potential threats
- Creating mitigation strategies
Threat Modeling
Advantages
- Practical attacker's view of the system
- Flexible
- Early in the SDLC
Disadvantages
- Relatively new technique
- Good threat models don't automatically mean good software
Code Review
"If you want to know what's really going on, go straight to the source."
Code Review
Advantages
- Completeness and effectiveness
- Accuracy
- Fast (for competent reviewers)
Code Review
Disadvantages
- Requires highly skilled security developers
- Can miss issues in compiled libraries
- Cannot detect run-time errors easily
- The source code actually deployed might differ from the one being analyzed
Penetration Testing
- Also commonly known as black box testing or ethical hacking
- Testing a running application remotely to find security vulnerabilities
- No need to know the inner workings of the application itself
Penetration Testing
Advantages
- Can be fast (and therefore cheap)
- Requires a relatively lower skill-set than source code review
- Tests the code that is actually being exposed
Disadvantages
- Too late in the SDLC
- Front impact testing only!
3 - Determine countermeasures and mitigation
- Authentication
- Authorization
- Configuration management
- Data Protection in Storage and Transit
- Data Validation / Parameter Validation
- Error Handling and Exception Management
- User and Session Management
- Auditing and Logging
3 - Determine countermeasures and mitigation
Mitigation strategies
1. Do nothing
2. Inform about the risk
3. Mitigate the risk
4. Accept the risk
5. Transfer the risk
Information Gathering
- Testing: Spiders, robots, and Crawlers (OWASP-IG-001)
- Search engine discovery/Reconnaissance (OWASP-IG-002)
- Identify application entry points (OWASP-IG-003)
- Testing for Web Application Fingerprint (OWASP-IG-004)
- Application Discovery (OWASP-IG-005)
- Analysis of Error Codes (OWASP-IG-006)
Configuration Management
- SSL/TLS Testing (OWASP-CM-001)
- DB Listener Testing (OWASP-CM-002)
- Infrastructure configuration management testing (OWASP-CM-003)
- Application configuration management testing (OWASP-CM-004)
- Testing for File extensions handling (OWASP-CM-005)
- Old, backup and unreferenced files (OWASP-CM-006)
- Infrastructure and Application Admin Interfaces (OWASP-CM-007)
- Testing for HTTP Methods and XST (OWASP-CM-008)
Authentication Testing
- Credentials transport over an encrypted channel (OWASP-AT-001)
- Testing for user enumeration (OWASP-AT-002)
- Default or guessable (dictionary) user account (OWASP-AT-003)
- Testing for Brute Force (OWASP-AT-004)
- Testing for Bypassing authentication schema (OWASP-AT-005)
- Testing for Vulnerable remember password and pwd reset (OWASP-AT-006)
- Testing for Logout and Browser Cache Management (OWASP-AT-007)
- Testing for Captcha (OWASP-AT-008)
- Testing for Multiple factors Authentication (OWASP-AT-009)
- Testing for Race Conditions (OWASP-AT-010)
Session Management Testing
- Testing for Session Management Schema (OWASP-SM-001)
- Testing for Cookies attributes (OWASP-SM-002)
- Testing for Session Fixation (OWASP-SM-003)
- Testing for Exposed Session Variables (OWASP-SM-004)
- Testing for CSRF (OWASP-SM-005)
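A small check for the cookie attributes test (OWASP-SM-002) listed above, written as an added example that is not part of the original slides: it parses Set-Cookie headers captured from a response and reports the attributes a reviewer expects on a session cookie. The sample headers and the SESSION_COOKIE_HINTS name list are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumption: cookie names containing one of these fragments carry a session id.
SESSION_COOKIE_HINTS = ("sess", "sid", "token", "auth", "jsessionid", "phpsessid")

# Constructed sample headers, as they might be captured from three responses.
SAMPLE_HEADERS = [
    "JSESSIONID=3F2504E04F8911D39A0C0305E82C3301; Path=/; Secure; HttpOnly; SameSite=Lax",
    "PHPSESSID=abc123; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT",
    "theme=dark; Path=/; Secure",
]


@dataclass
class CookieFinding:
    name: str
    issues: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie value into (name, value, {attribute: value}); flags map to ''."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_set_cookie(header: str, over_https: bool = True) -> CookieFinding:
    """Report the OWASP-SM-002 attribute checks a single Set-Cookie header fails."""
    name, value, attrs = parse_set_cookie(header)
    finding = CookieFinding(name)
    if over_https and "secure" not in attrs:
        finding.issues.append("missing Secure: cookie can be sent over plaintext HTTP")
    if "httponly" not in attrs:
        finding.issues.append("missing HttpOnly: readable from script (XSS impact)")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        finding.issues.append("SameSite not Lax/Strict: weaker CSRF protection")
    is_session = any(h in name.lower() for h in SESSION_COOKIE_HINTS)
    if is_session and ("expires" in attrs or "max-age" in attrs):
        finding.issues.append("persistent session cookie: survives browser close")
    if is_session and len(value) < 16:  # crude length heuristic for session id entropy
        finding.issues.append("short session id: likely low entropy")
    return finding


def audit_all(headers: List[str], over_https: bool = True) -> Dict[str, List[str]]:
    """Audit every header and map cookie name to its list of issues."""
    return {f.name: f.issues for f in (audit_set_cookie(h, over_https) for h in headers)}
```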
Authorization testing
- Testing for path traversal (OWASP-AZ-001)
- Testing for bypassing authorization schema (OWASP-AZ-002)
- Testing for Privilege Escalation (OWASP-AZ-003)
- Business logic testing (OWASP-BL-001)
Data Validation testing
- Testing for Reflected Cross Site Scripting (OWASP-DV-001)
- Testing for Stored Cross Site Scripting (OWASP-DV-002)
- Testing for DOM based Cross Site Scripting (OWASP-DV-003)
- Testing for Cross Site Flashing (OWASP-DV-004)
Data Validation testing
- OS Commanding (OWASP-DV-013)
- Buffer overflow Testing (OWASP-DV-014)
- Testing for HTTP Splitting/Smuggling (OWASP-DV-016)
Denial of Service Testing
- Testing for SQL Wildcard Attacks (OWASP-DS-001)
- Locking Customer Accounts (OWASP-DS-002)
- Buffer Overflows (OWASP-DS-003)
- User Specified Object Allocation (OWASP-DS-004)
- User Input as a Loop Counter (OWASP-DS-005)
- Writing User Provided Data to Disk (OWASP-DS-006)
- Failure to Release Resources (OWASP-DS-007)
- Storing too Much Data in Session (OWASP-DS-008)
Web Services Testing
- WS Information Gathering (OWASP-WS-001)
- Testing WSDL (OWASP-WS-002)
- XML Structural Testing (OWASP-WS-003)
- XML Content-level Testing (OWASP-WS-004)
- HTTP GET parameters/REST Testing (OWASP-WS-005)
- Naughty SOAP attachments (OWASP-WS-006)
- Replay Testing (OWASP-WS-007)
AJAX Testing
- AJAX Vulnerabilities (OWASP-AJ-001)
- Testing For AJAX (OWASP-AJ-002)
Project 1
Web Application Security
You are asked to provide a security assessment of a web application using the techniques presented.
Which language/framework for the code?
- Whichever suits the working group best
What kind of assessment?
- focus on testing
- focus on risk
- focus on development according to the OWASP guidelines
Web Application Security
Which application?
- OWASP Broken Web Application Project https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project
- Vulnerable Web Applications for Learning http://securitythoughts.wordpress.com/2010/03/22/vulnerable-web-applications-for-learning/
- A web application of your own, developed for other projects or written ad hoc.
- If you choose a web application with a mobile front end, provide a security assessment of the whole system following the guidelines of the OWASP Mobile Security Project.
References
- OWASP Top 10 Project: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
- OWASP Testing Guide: https://www.owasp.org/index.php/OWASP_Testing_Project
- OWASP Development Guide: https://www.owasp.org/index.php/OWASP_Guide_Project
- OWASP Mobile Security Project: https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
Credits
- Simone Onofri
- Marco Ramilli
- Cinzia Querques