September 3, 2012

Methodologies for Testing Web Applications

In information security, and more specifically in security testing, when we talk about web applications there are two major references on the subject:
- OWASP (Open Web Application Security Project)
- WAHH (the book "The Web Application Hacker's Handbook")

Both also have their own methodologies and checklists that lay out the procedures to follow in a security test of a web application.

As we will see below, one does not exclude the other, and I believe we can even combine them to get a more complete and effective method to use in our tests.

What is most interesting is that the WAHH book, in addition to the testing methodology, also includes a checklist of the tasks that need to be done. The checklist can be seen here:

http://mdsec.net/wahh/tasks.html


The OWASP checklist can be accessed here:

https://www.owasp.org/index.php/Testing_Checklist

This checklist is part of the OWASP Testing Guide v3, which can be downloaded here:

http://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf


The OWASP checklist follows in full below:

  • Information Gathering
    • Spiders, Robots, and Crawlers
    • Search Engine Discovery/Reconnaissance
    • Identify application entry points
    • Testing for Web Application Fingerprint
    • Application Discovery
    • Analysis of Error Codes
  • Configuration Management Testing
    • SSL/TLS Testing (SSL Version, Algorithms, Key length, Digital Cert. Validity)
    • DB Listener Testing
    • Infrastructure Configuration Management Testing
    • Application Configuration Management Testing
    • Testing for File Extensions Handling
    • Old, backup and unreferenced files
    • Infrastructure and Application Admin Interfaces
    • Testing for HTTP Methods and XST
  • Authentication Testing
    • Credentials transport over an encrypted channel
    • Testing for user enumeration
    • Testing for Guessable (Dictionary) User Account
    • Brute Force Testing
    • Testing for bypassing authentication schema
    • Testing for vulnerable remember password and pwd reset
    • Testing for Logout and Browser Cache Management
    • Testing for CAPTCHA
    • Testing Multiple Factors Authentication
    • Testing for Race Conditions
  • Session Management
    • Testing for Session Management Schema
    • Testing for Cookies attributes
    • Testing for Session Fixation
    • Testing for Exposed Session Variables
    • Testing for CSRF
  • Authorization Testing
    • Testing for Business Logic
  • Business Logic Testing
    • Testing for Business Logic
  • Data Validation Testing
    • Testing for Reflected Cross Site Scripting
    • Testing for Stored Cross Site Scripting
    • Testing for DOM based Cross Site Scripting
    • Testing for Cross Site Flashing
    • SQL Injection
    • LDAP Injection
    • ORM Injection
    • XML Injection
    • SSI Injection
    • XPath Injection
    • IMAP/SMTP Injection
    • Code Injection
    • OS Commanding
    • Buffer overflow
    • Incubated vulnerability
    • Testing for HTTP Splitting/Smuggling
  • Denial of Service Testing
    • Testing for SQL Wildcard Attacks
    • Locking Customer Accounts
    • Testing for DoS Buffer Overflows
    • User Specified Object Allocation
    • User Input as a Loop Counter
    • Writing User Provided Data to Disk
    • Failure to Release Resources
    • Storing too Much Data in Session
  • Web Services Testing
    • WS Information Gathering
    • Testing WSDL
    • XML Structural Testing
    • XML content-level Testing
    • HTTP GET parameters/REST Testing
    • Naughty SOAP attachments
    • Replay Testing
  • AJAX Testing
    • AJAX Vulnerabilities
    • AJAX Testing


The methodology presented in the WAHH book, in chapter 21 (of the 2nd edition), is somewhat longer, but we can see that many items appear both in the OWASP methodology and in the one presented in the WAHH book.

Below are the items that make up a web application security test:

  • Map the Application's Content
    • Explore Visible Content
    • Consult Public Resources
    • Discover Hidden Content
    • Discover Default Content
    • Enumerate Identifier-Specified Functions
    • Test for Debug Parameters
  • Analyze the Application
    • Identify Functionality
    • Identify Data Entry Points
    • Identify the Technologies Used
    • Map the Attack Surface
  • Test Client-side Controls
    • Test Transmission of Data via the Client
    • Test Client-side Control Over User Input
    • Test Thick-client Components
  • Test the Authentication Mechanism
    • Understand the Mechanism
    • Test Password Quality
    • Test for Username Enumeration
    • Test Resilience to Password Guessing
    • Test Any Account Recovery Function
    • Test Any Remember Me Function
    • Test Any Impersonation Function
    • Test Username Uniqueness
    • Test Predictability of Auto-Generated Credentials
    • Check for Unsafe Transmission of Credentials
    • Test for Logic Flaws
    • Exploit Any Vulnerabilities to Gain Unauthorized Access
  • Test the Session Management Mechanism
    • Understand the Mechanism
    • Test Tokens for Meaning
    • Test Tokens for Predictability
    • Check for Insecure Transmission of Tokens
    • Check for Disclosure of Tokens in Logs
    • Check Mapping of Tokens to Sessions
    • Test Session Termination
    • Check for Session Fixation
    • Check for XSRF
    • Check Cookie Scope
  • Test Access Controls
    • Understand the Access Control Requirements
    • Testing with Multiple Accounts
    • Testing with Limited Access
    • Test for Insecure Access Control Methods
  • Test for Input-Based Vulnerabilities
    • Fuzz All Request Parameters
    • Test for SQL Injection
    • Test for XSS and Other Response Injection
    • Test for OS Command Injection
    • Test for Path Traversal
    • Test for Script Injection
    • Test for File Inclusion
  • Test for Function-Specific Input Vulnerabilities
    • Test for SMTP Injection
    • Test for Native Software Vulnerabilities
    • Test for SOAP Injection
    • Test for LDAP Injection
    • Test for XPath Injection
    • Test for Script Injection
    • Test for File Inclusion
  • Test for Logic Flaws
    • Identify the Key Attack Surface
    • Test Multistage Processes
    • Test Handling of Incomplete Input
    • Test Trust Boundaries
    • Test Transaction Logic
  • Test for Shared Hosting Vulnerabilities
    • Test Segregation in Shared Infrastructures
    • Test Segregation between ASP-Hosted Applications
  • Test for Web Server Vulnerabilities
    • Test for Default Credentials
    • Test for Default Content
    • Test for Dangerous HTTP Methods
    • Test for Proxy Functionality
    • Test for Virtual Hosting Misconfiguration
    • Test for Web Server Software Bugs
  • Miscellaneous Checks
    • Check for DOM-based Attacks
    • Check for Frame Injection
    • Check for Local Privacy Vulnerabilities
    • Follow Up Any Information Leakage
    • Check for Weak SSL Ciphers


One comment:

  1. Excellent article. I already knew the OWASP one; the WAHH one I didn't yet.

    www.websensor.com.br
