[OWASP-TESTING] Updated Pen Test Check List

Jeff Williams jeff.williams at aspectsecurity.com
Thu Apr 8 17:10:45 EDT 2004


Mark,

Here are a few more items to beef up the access control section.

      Ensure that the application allows users to access only those functions and assets they are specifically authorized for. Verifiy that users are allowed to access assets and functions as described in the matrix.  Also verify that users cannot access assets and functions outside their authorization. Because this set is generally quite large, choose a set of specific tests to exercise the access control mechanism. For example, the least privileged user should attempt to access resources and functions of more privileged users. 
      Ensure that the access control mechanism is implemented in a centralized fashion, not distributed throughout the application. Ensure that the access control mechanism behaves consistently across the entire application. Distributed mechanisms are impossible to implement and configure correctly. 
      Verify that all accesses to the application are subject to the access control check. Attempt to access the application in a variety of ways that are outside the normal user's path. A proxy can be helpful here in generating communications that would not ordinarily be expected. 
      Evaluate whether the application relies on any external information to make access control decisions. Examine all information that enters the application and manipulate it to attempt to subvert the access control decision. A proxy can be useful here to manipulate these values. 
      Ensure that the application uses only the identity determined by the identification and authentication mechanism to make access control decisions. Verify that the application does not use any identifiers or names as a proxy for the authenticated identity. 
      Assets and functions shall be clearly associated with the information required to make access control decisions. Examine the assets and functions to be accessed by the application. It should be clear what part of the access control matrix they belong to. 
      Verify that both coarse-grained URL based access control and fine-grained access control to specific functions and assets is properly implemented. Attempt to access the application in a variety of ways that are outside the normal user's path. A proxy can be helpful here in generating communications that would not ordinarily be expected. 
      Verify that users have been assigned the minimum privileges and authorizations necessary to perform their tasks. Verify that users do not have privilege to perform functions that they do not need. 
      Ensure that administrators have been assigned the minimum privileges and authorizations necessary to perform their tasks. Verify that administrative users do not have privilege to perform unnecessary functions. 
      Verify that only the authorized types or modes of access to assets and functions are granted to users. If the application requires specific privileges, such as read, write, execute, etc., verify that these privileges are accurately enforced. Be sure that there is no way a user with read access can cause the system to perform a write function. 


--Jeff

----- Original Message ----- 
From: "Mark Curphey" <mark.curphey at foundstone.com>
To: <owasp-testing at lists.sourceforge.net>
Sent: Thursday, April 08, 2004 4:18 PM
Subject: [OWASP-TESTING] Updated Pen Test Check List


OK, sorry for the delay in this. I thought I would get to it last night
but it took a little longer than I thought and some other things got in
the way. 

I have tried to make everything as an "issue" that should be checked for
and not a consequence or a technique. I have aligned this with OASIS WAS
Vuln Types although there are a few issues I would like to still add. I
have also removed the things that were techniques or consequences. 

Let me know what you think. I know we will need to add more issues etc
but I hope the formatting and style is now consistent. 

If you like it I suggest we use this as a template, and send updates via
email to the list. If you update the doc even with tracking turned on it
winds up with having to merge different versions and I end up being
secretary and I don't look food in a skirt. Drunken pictures of a
Montreal bachelor party out there will validate that!

If we can make changes very quick I would be happy to release it this
weekend and the Testing Part One next weekend although that depends on
how much work you all think this still needs. 

Please take a look and think of issues that are not covered and send
them to the list. 

Cheers

Mark
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.owasp.org/pipermail/owasp-testing/attachments/20040408/b2fb28fa/attachment.html 


More information about the Owasp-testing mailing list