Nytro

Web Application Security Testing Resources

I know it's not exactly a tutorial, but it contains useful information.

Table of Contents

Web Application Security Testing Methodologies

Web Application Hacker's Handbook Testing Checklist

Web Application Hacker's Handbook Chapter 20 Methodology

The OWASP Testing Checklist

Suites and Frameworks

Standalone Scanning Tools

Vulnerable Test Websites

Utilities

Browser Extensions

Additional Resources

Web Application Security Testing Methodologies

Security assessments in general, and certainly web security assessments, are nearly as much art as science, so everyone has their own favorite method. Below are a few of the main methodologies that are out there.

Web Application Hacker's Handbook Testing Checklist

Web Application Hacker's Handbook Chapter 20 Methodology

The OWASP Testing Checklist

Web Application Hacker's Handbook Checklist (Content Moved)

[Reproduced with permission from the authors; copyright Dafydd Stuttard and Marcus Pinto]

Recon and Analysis

Map visible content

Discover hidden and default content

Test for debug parameters

Identify the technologies used

Map the attack surface

Test Handling of Access

Authentication

Test password quality rules

Test for username enumeration

Test resilience to password guessing

Test any account recovery function

Test any "remember me" function

Test any impersonation function

Test username uniqueness

Check for unsafe distribution of credentials

Test for fail-open conditions

Test any multi-stage mechanisms

Session Handling

Test tokens for meaning

Test tokens for predictability

Check for insecure transmission of tokens

Check for disclosure of tokens in logs

Check mapping of tokens to sessions

Check session termination

Check for session fixation

Check for cross-site request forgery

Test for fail-open conditions

Check cookie scope

Access Controls

Understand the access control requirements

Test effectiveness of controls, using multiple accounts if possible

Test for insecure access control methods (request parameters, Referer header, etc)

Test the Handling of Input

Fuzz all request parameters

Test for SQL injection

Identify all reflected data

Test for reflected XSS

Test for HTTP header injection

Test for arbitrary redirection

Test for stored attacks

Test for OS command injection

Test for path traversal

Test for script injection

Test for file inclusion

Test for SMTP injection

Test for native software flaws (buffer overflow, integer bugs, format strings)

Test for SOAP injection

Test for LDAP injection

Test for XPath injection

Test Application Logic

Identify the logic attack surface

Test transmission of data by the client

Test for reliance on client-side input validation

Test any thick-client components (Java, ActiveX, Flash)

Test multi-stage processes for logic flaws

Test handling of incomplete input

Test trust boundaries

Test transaction logic

Assess Application Hosting

Test segregation in shared infrastructures

Test segregation between ASP-hosted applications

Test for web server vulnerabilities

Default credentials

Default content

Proxy functionality

Virtual hosting mis-configuration

Bugs in web server software

Miscellaneous Tests

Check for DOM-based attacks

Check for frame injection

Check for local privacy vulnerabilities

Persistent cookies

Caching

Sensitive data in URL parameters

Forms with autocomplete enabled

Follow up any information leakage

Check for weak SSL ciphers

Web Application Hacker's Handbook Testing Methodology [From Chapter 20 of the WAHH]

[Reproduced with permission from the authors; copyright Dafydd Stuttard and Marcus Pinto]

Notice that this methodology is quite different from the checklist provided above. Also keep in mind that the book itself provides additional detailed steps in each of the sections listed. This is meant to help one compare methodology approaches, not to provide the actual content.

Map the Application's Content

Explore Visible Content

Consult Public Resources

Discover Hidden Content

Discover Default Content

Enumerate Identifier-Specified Functions

Test for Debug Parameters

Analyze the Application

Identify Functionality

Identify Data Entry Points

Identify the Technologies Used

Map the Attack Surface

Test Client-side Controls

Test Transmission of Data via the Client

Test Client-side Control Over User Input

Test Thick-client Components

Test the Authentication Mechanism

Understand the Mechanism

Test Password Quality

Test for Username Enumeration

Test Resilience to Password Guessing

Test Any Account Recovery Function

Test Any Remember Me Function

Test Any Impersonation Function

Test Username Uniqueness

Test Predictability of Auto-Generated Credentials

Check for Unsafe Transmission of Credentials

Test for Logic Flaws

Exploit Any Vulnerabilities to Gain Unauthorized Access

Test the Session Management Mechanism

Understand the Mechanism

Test Tokens for Meaning

Test Tokens for Predictability

Check for Insecure Transmission of Tokens

Check for Disclosure of Tokens in Logs

Check Mapping of Tokens to Sessions

Test Session Termination

Check for Session Fixation

Check for XSRF

Check Cookie Scope

Test Access Controls

Understand the Access Control Requirements

Testing with Multiple Accounts

Testing with Limited Access

Test for Insecure Access Control Methods

Test for Input-Based Vulnerabilities

Fuzz All Request Parameters

Test for SQL Injection

Test for XSS and Other Response Injection

Test for OS Command Injection

Test for Path Traversal

Test for Script Injection

Test for File Inclusion

Test for Function-Specific Input Vulnerabilities

Test for SMTP Injection

Test for Native Software Vulnerabilities

Test for SOAP Injection

Test for LDAP Injection

Test for XPath Injection

Test for Script Injection

Test for File Inclusion

Test for Logic Flaws

Identify the Key Attack Surface

Test Multistage Processes

Test Handling of Incomplete Input

Test Trust Boundaries

Test Transaction Logic

Test for Shared Hosting Vulnerabilities

Test Segregation in Shared Infrastructures

Test Segregation between ASP-Hosted Applications

Test for Web Server Vulnerabilities

Test for Default Credentials

Test for Default Content

Test for Dangerous HTTP Methods

Test for Proxy Functionality

Test for Virtual Hosting Misconfiguration

Test for Web Server Software Bugs

Miscellaneous Checks

Check for DOM-based Attacks

Check for Frame Injection

Check for Local Privacy Vulnerabilities

Follow Up Any Information Leakage

Check for Weak SSL Ciphers

The OWASP Testing Methodology Checklist (https://www.owasp.org/index.php/Testing_Checklist)

Information Gathering

Spiders, Robots, and Crawlers

Search Engine Discovery/Reconnaissance

Identify application entry points

Testing for Web Application Fingerprint

Application Discovery

Analysis of Error Codes

Configuration Management Testing

SSL/TLS Testing (SSL Version, Algorithms, Key length, Digital Cert. Validity)

DB Listener Testing

Infrastructure Configuration Management Testing

Application Configuration Management Testing

Testing for File Extensions Handling

Old, backup and unreferenced files

Infrastructure and Application Admin Interfaces

Testing for HTTP Methods and XST

Authentication Testing

Credentials transport over an encrypted channel

Testing for user enumeration

Testing for Guessable (Dictionary) User Account

Brute Force Testing

Testing for bypassing authentication schema

Testing for vulnerable remember password and pwd reset

Testing for Logout and Browser Cache Management

Testing for CAPTCHA

Testing Multiple Factors Authentication

Testing for Race Conditions

Session Management

Testing for Session Management Schema

Testing for Cookies attributes

Testing for Session Fixation

Testing for Exposed Session Variables

Testing for CSRF

Authorization Testing

Testing for Business Logic

Business Logic Testing

Testing for Business Logic

Data Validation Testing

Testing for Reflected Cross Site Scripting

Testing for Stored Cross Site Scripting

Testing for DOM based Cross Site Scripting

Testing for Cross Site Flashing

SQL Injection

LDAP Injection

ORM Injection

XML Injection

SSI Injection

XPath Injection

IMAP/SMTP Injection

Code Injection

OS Commanding

Buffer overflow

Incubated vulnerability

Testing for HTTP Splitting/Smuggling

Denial of Service Testing

Testing for SQL Wildcard Attacks

Locking Customer Accounts

Testing for DoS Buffer Overflows

User Specified Object Allocation

User Input as a Loop Counter

Writing User Provided Data to Disk

Failure to Release Resources

Storing too Much Data in Session

Web Services Testing

WS Information Gathering

Testing WSDL

XML Structural Testing

XML content-level Testing

HTTP GET parameters/REST Testing

Naughty SOAP attachments

Replay Testing

AJAX Vulnerabilities

AJAX Testing

-----------------------------------------

Suites / Frameworks

Burp Suite

The premier tool for performing manual web application vulnerability assessments and penetration tests. The pro version includes a scanner, and the Intruder tool makes the offering stand out amongst its peers.

HP WebInspect

An enterprise-focused tool suite that includes a scanner, proxy, and assorted other tools.

WebScarabNG

The latest version of this famous suite from OWASP. Includes a web services module that allows you to parse WSDLs and interact with their associated functions.

IBM AppScan

IBM's enterprise-focused suite.

Acunetix

Acunetix's enterprise-focused suite.

NTOSpider

NTObjectives's enterprise-focused suite.

W3af

w3af is a Web Application Attack and Audit Framework. The project's goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and extend.

Websecurify

Websecurify is a powerful web application security testing environment designed from the ground up to provide the best combination of automatic and manual vulnerability testing technologies.

Samurai

Skipfish

A fully automated, active web application security reconnaissance tool written by Michal Zalewski of Google.

RAFT (Response Analysis and Further Testing Tool)

RAFT is a testing tool for the identification of vulnerabilities in web applications. RAFT is a suite of tools that utilize common shared elements to make testing and analysis easier. The tool provides visibility into areas that other tools do not, such as various client-side storage.

Zed Attack Proxy (ZAP)

The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

Standalone Web Assessment Tools

Nikto

Nikto is a command-line, open source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6400 potentially dangerous files/CGIs, checks for outdated versions of over 1000 servers, and version-specific problems on over 270 servers.

Wikto

Wikto is Nikto for Windows, but with a couple of fancy extra features including fuzzy-logic error code checking, a back-end miner, Google-assisted directory mining and real-time HTTP request/response monitoring. Wikto is coded in C# and requires the .NET framework.

Web Assessment Utilities

Yehg.net Charset Encoder / String Encrypter

An online, feature-rich tool for changing the encoding of input.

Browser Extensions

Websecurify Chrome Extension

The Chrome Extension version of the Websecurify tool. Performs a scan and tells you the results summary, but there's no authentication or detailed view of findings. It's more of a quick-touch option before you run a real tool.

XSS Me

The Firefox Extension.

SQL Inject Me

The Firefox Extension.

Vulnerable Test Websites

These sites are purposely vulnerable for the purpose of testing web app security scanners. They are designed for this purpose, but I'd check to make sure it's ok before scanning them (just to be sure).

Internet-accessible

Google Gruyere

This one is from Google and you can do it both online and as a local install.

zero.webappsecurity.com (HP)

I happen to know this one is o.k. to scan.

demo.testfire.net (IBM)

test.acunetix.com (Acunetix)

testphp.vulnweb.com (Acunetix)

testasp.acunetix.com (Acunetix)

testaspnet.acunetix.com (Acunetix)

Cenzic's Crack Me Bank

Hacker Test

This one is not like the others; it's not a full website you'd scan, but rather more like a puzzle where you proceed through various levels.

Hax.tor

Another challenge, similar to Hacker Test.

Download and Configure

Broken Web Apps Project (OWASP)

This is the one you want first; it has over a dozen broken web apps to play with.

Web Security Dojo (Maven)

Similar to OWASP's Broken Web Apps project, i.e. multiple broken web apps in one place.

Webgoat (OWASP)

This is the grand pubah of the testing sites because it includes training with it. Note that it's on the Broken Web Apps image listed above.

Damn Vulnerable Web App

BadStore

Hackme Bank (McAfee)

Hackme Casino (McAfee)

Hackme Books (McAfee)

Hackme Shipping (McAfee)

Hackme Travel (McAfee)

Moth (Bonsai)

SecuriBench (Stanford)

Vicnum (ipsaplus)

Google Gruyere

This one is from Google and you can do it both online and as a local install.

Additional Resources

Hack This Site Community

Hellbound Hackers

Source: WebAppSec Testing Resources | danielmiessler.com
