[OWASP-TESTING] Updated Pen Test Check List

Mark Curphey mark.curphey at foundstone.com
Fri Apr 9 15:06:30 EDT 2004


Any other updates or feedback ?

  _____  

From: Jeff Williams [mailto:jeff.williams at aspectsecurity.com] 
Sent: Thursday, April 08, 2004 5:11 PM
To: Mark Curphey; owasp-testing at lists.sourceforge.net
Subject: Re: [OWASP-TESTING] Updated Pen Test Check List


Mark,
 
Here are a few more items to beef up the access control section.
 
1. Ensure that the application allows users to access only those functions
   and assets they are specifically authorized for.
   Test: Verify that users are allowed to access assets and functions as
   described in the matrix. Also verify that users cannot access assets and
   functions outside their authorization. Because this set is generally
   quite large, choose a set of specific tests to exercise the access
   control mechanism. For example, the least privileged user should attempt
   to access resources and functions of more privileged users.

2. Ensure that the access control mechanism is implemented in a centralized
   fashion, not distributed throughout the application.
   Test: Ensure that the access control mechanism behaves consistently
   across the entire application. Distributed mechanisms are impossible to
   implement and configure correctly.

3. Verify that all accesses to the application are subject to the access
   control check.
   Test: Attempt to access the application in a variety of ways that are
   outside the normal user's path. A proxy can be helpful here in
   generating communications that would not ordinarily be expected.

4. Evaluate whether the application relies on any external information to
   make access control decisions.
   Test: Examine all information that enters the application and
   manipulate it to attempt to subvert the access control decision. A proxy
   can be useful here to manipulate these values.

5. Ensure that the application uses only the identity determined by the
   identification and authentication mechanism to make access control
   decisions.
   Test: Verify that the application does not use any identifiers or names
   as a proxy for the authenticated identity.

6. Assets and functions shall be clearly associated with the information
   required to make access control decisions.
   Test: Examine the assets and functions to be accessed by the
   application. It should be clear what part of the access control matrix
   they belong to.

7. Verify that both coarse-grained URL-based access control and
   fine-grained access control to specific functions and assets are
   properly implemented.
   Test: Attempt to access the application in a variety of ways that are
   outside the normal user's path. A proxy can be helpful here in
   generating communications that would not ordinarily be expected.

8. Verify that users have been assigned the minimum privileges and
   authorizations necessary to perform their tasks.
   Test: Verify that users do not have privilege to perform functions that
   they do not need.

9. Ensure that administrators have been assigned the minimum privileges
   and authorizations necessary to perform their tasks.
   Test: Verify that administrative users do not have privilege to perform
   unnecessary functions.

10. Verify that only the authorized types or modes of access to assets and
    functions are granted to users.
    Test: If the application requires specific privileges, such as read,
    write, execute, etc., verify that these privileges are accurately
    enforced. Be sure that there is no way a user with read access can
    cause the system to perform a write function.


--Jeff

----- Original Message ----- 
From: "Mark Curphey" <mark.curphey at foundstone.com>
To: <owasp-testing at lists.sourceforge.net>
Sent: Thursday, April 08, 2004 4:18 PM
Subject: [OWASP-TESTING] Updated Pen Test Check List


OK, sorry for the delay in this. I thought I would get to it last night
but it took a little longer than I thought and some other things got in
the way. 

I have tried to make everything as an "issue" that should be checked for
and not a consequence or a technique. I have aligned this with OASIS WAS
Vuln Types although there are a few issues I would like to still add. I
have also removed the things that were techniques or consequences. 

Let me know what you think. I know we will need to add more issues etc
but I hope the formatting and style is now consistent. 

If you like it I suggest we use this as a template, and send updates via
email to the list. If you update the doc even with tracking turned on it
winds up with having to merge different versions and I end up being
secretary and I don't look good in a skirt. Drunken pictures of a
Montreal bachelor party out there will validate that!

If we can make changes very quickly I would be happy to release it this
weekend and the Testing Part One next weekend although that depends on
how much work you all think this still needs. 

Please take a look and think of issues that are not covered and send
them to the list. 

Cheers

Mark
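The access control checks in Jeff's list above, as an added example that is not code from this thread or from the OWASP Testing project: a small access-control matrix with a single centralized check, the systematic positive and negative walk over every role and (asset, mode) pair from item 1, and a manipulated-input probe for the "identifier used as a proxy for the authenticated identity" problem from items 4 and 5. The roles, assets, modes, handler names and the `Principal` type are constructed for illustration.

```python
# Added example for the access-control checklist; not code from the OWASP
# Testing project or the thread's authors. Matrix, roles and assets are
# constructed for illustration.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Constructed access-control matrix: role -> set of (asset, mode) it may use.
# Every authorization decision reads this one table (centralized mechanism).
ACCESS_MATRIX: Dict[str, FrozenSet[Tuple[str, str]]] = {
    "anonymous": frozenset({("catalog", "read")}),
    "user": frozenset({("catalog", "read"),
                       ("profile", "read"), ("profile", "write")}),
    "admin": frozenset({("catalog", "read"), ("catalog", "write"),
                        ("profile", "read"), ("profile", "write"),
                        ("users", "read"), ("users", "write")}),
}
# Every (asset, mode) pair that appears anywhere in the matrix.
ALL_ASSETS_AND_MODES = sorted(
    {pair for pairs in ACCESS_MATRIX.values() for pair in pairs})


@dataclass(frozen=True)
class Principal:
    """Identity as established by the authentication layer (server-side
    session), never taken from request parameters."""
    user_id: str
    role: str


class AccessDenied(Exception):
    pass


def check_access(principal: Principal, asset: str, mode: str) -> None:
    """Single choke point: raise unless the matrix grants (asset, mode)
    to the principal's role."""
    if (asset, mode) not in ACCESS_MATRIX.get(principal.role, frozenset()):
        raise AccessDenied(f"{principal.role} may not {mode} {asset}")


def handle_request(session: Principal, params: dict) -> str:
    """Hardened handler: the decision uses only the authenticated identity
    carried by the session. A 'role' field in the untrusted request is
    ignored."""
    asset, mode = params["asset"], params["mode"]
    check_access(session, asset, mode)
    return f"{mode} {asset} ok"


def handle_request_trusting_params(session: Principal, params: dict) -> str:
    """Anti-pattern from the checklist: a request field is used as a proxy
    for the authenticated identity, so the client can choose its role."""
    claimed = Principal(session.user_id, params.get("role", session.role))
    check_access(claimed, params["asset"], params["mode"])
    return f"{params['mode']} {params['asset']} ok"


def exercise_matrix(handler) -> List[Tuple[str, str, str, bool, bool]]:
    """Positive and negative walk over the whole matrix: every role tries
    every (asset, mode). Returns mismatches as
    (role, asset, mode, expected_allowed, observed_allowed)."""
    mismatches = []
    for role, granted in ACCESS_MATRIX.items():
        session = Principal(user_id=f"{role}-1", role=role)
        for asset, mode in ALL_ASSETS_AND_MODES:
            expected = (asset, mode) in granted
            try:
                handler(session, {"asset": asset, "mode": mode})
                observed = True
            except AccessDenied:
                observed = False
            if observed != expected:
                mismatches.append((role, asset, mode, expected, observed))
    return mismatches


def manipulated_input_probe(handler) -> bool:
    """Item 4/5 check: the least privileged session asks for an admin-only
    function while the request carries an extra 'role' field. Returns True
    if the handler wrongly allowed it."""
    session = Principal(user_id="anon-1", role="anonymous")
    try:
        handler(session, {"asset": "users", "mode": "write", "role": "admin"})
        return True
    except AccessDenied:
        return False


if __name__ == "__main__":
    print("hardened, matrix walk:", exercise_matrix(handle_request))
    print("hardened, manipulated input allowed:",
          manipulated_input_probe(handle_request))
    print("trusting params, matrix walk:",
          exercise_matrix(handle_request_trusting_params))
    print("trusting params, manipulated input allowed:",
          manipulated_input_probe(handle_request_trusting_params))
```

Note that the matrix walk alone passes for both handlers, because a plain request carries no extra fields; only the probe that manipulates external information exposes the handler that reads its role from the request. That is the reason items 4 and 5 in the list ask for manipulated input in addition to the positive and negative walk of item 1.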
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.owasp.org/pipermail/owasp-testing/attachments/20040409/809e4754/attachment.html 