[OWASP-TESTING] Updated Pen Test Check List

Daniel Daniel at deeper.co.za
Fri Apr 9 15:32:03 EDT 2004


Sorry, just woke up :0)
Looks brilliant IMHO. Mark, do you want me to add Jeff's updates to the 
doc, or have you already done it?


On 9 Apr 2004, at 20:06, Mark Curphey wrote:

> Any other updates or feedback ?
>
>
> From: Jeff Williams [mailto:jeff.williams at aspectsecurity.com]
>  Sent: Thursday, April 08, 2004 5:11 PM
> To: Mark Curphey; owasp-testing at lists.sourceforge.net
> Subject: Re: [OWASP-TESTING] Updated Pen Test Check List
>
> Mark,
>  
> Here are a few more items to beef up the access control section.
>  
>
> Ensure that the application allows users to access only those 
> functions and assets they are specifically authorized for.
> Verify that users are allowed to access assets and functions as 
> described in the matrix.  Also verify that users cannot access assets 
> and functions outside their authorization. Because this set is 
> generally quite large, choose a set of specific tests to exercise the 
> access control mechanism. For example, the least privileged user 
> should attempt to access resources and functions of more privileged 
> users.
>
> Ensure that the access control mechanism is implemented in a 
> centralized fashion, not distributed throughout the application.
> Ensure that the access control mechanism behaves consistently across 
> the entire application. Distributed mechanisms are impossible to 
> implement and configure correctly.
>
> Verify that all accesses to the application are subject to the access 
> control check.
> Attempt to access the application in a variety of ways that are 
> outside the normal user's path. A proxy can be helpful here in 
> generating communications that would not ordinarily be expected.
>
> Evaluate whether the application relies on any external information to 
> make access control decisions.
> Examine all information that enters the application and manipulate it 
> to attempt to subvert the access control decision. A proxy can be 
> useful here to manipulate these values.
>
> Ensure that the application uses only the identity determined by the 
> identification and authentication mechanism to make access control 
> decisions.
> Verify that the application does not use any identifiers or names as a 
> proxy for the authenticated identity.
>
> Assets and functions shall be clearly associated with the information 
> required to make access control decisions.
> Examine the assets and functions to be accessed by the application. It 
> should be clear what part of the access control matrix they belong to.
>
> Verify that both coarse-grained URL based access control and 
> fine-grained access control to specific functions and assets is 
> properly implemented.
> Attempt to access the application in a variety of ways that are 
> outside the normal user's path. A proxy can be helpful here in 
> generating communications that would not ordinarily be expected.
>
> Verify that users have been assigned the minimum privileges and 
> authorizations necessary to perform their tasks.
> Verify that users do not have privilege to perform functions that they 
> do not need.
>
> Ensure that administrators have been assigned the minimum privileges 
> and authorizations necessary to perform their tasks.
> Verify that administrative users do not have privilege to perform 
> unnecessary functions.
>
> Verify that only the authorized types or modes of access to assets and 
> functions are granted to users.
> If the application requires specific privileges, such as read, write, 
> execute, etc…, verify that these privileges are accurately enforced. 
> Be sure that there is no way a user with read access can cause the 
> system to perform a write function.
>
>
> --Jeff
>
> ----- Original Message -----
> From: "Mark Curphey" <mark.curphey at foundstone.com>
> To: <owasp-testing at lists.sourceforge.net>
> Sent: Thursday, April 08, 2004 4:18 PM
> Subject: [OWASP-TESTING] Updated Pen Test Check List
>
>
> OK, sorry for the delay in this. I thought I would get to it last night
> but it took a little longer than I thought and some other things got in
> the way.
>
> I have tried to make everything as an "issue" that should be checked
> for and not a consequence or a technique. I have aligned this with
> OASIS WAS Vuln Types although there are a few issues I would like to
> still add. I have also removed the things that were techniques or
> consequences.
>
>  Let me know what you think. I know we will need to add more issues etc
> but I hope the formatting and style is now consistent.
>
> If you like it I suggest we use this as a template, and send updates
> via email to the list. If you update the doc even with tracking turned
> on it winds up with having to merge different versions and I end up
> being secretary and I don't look good in a skirt. Drunken pictures of
> a Montreal bachelor party out there will validate that!
>
> If we can make changes very quick I would be happy to release it this
> weekend and the Testing Part One next weekend although that depends on
> how much work you all think this still needs.
>
> Please take a look and think of issues that are not covered and send
> them to the list.
>
>  Cheers
>
> Mark
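Jeff's access-control items above (exercise the matrix from the least-privileged user, keep the check centralized, make decisions only from the authenticated identity, and enforce read vs. write modes) can be turned into a repeatable test. The following is an added example, not code from the thread or from the OWASP Testing Guide; the application, the role/resource matrix, and the names (Session, Request, authorize, handle_vulnerable, handle_fixed, run_matrix_tests, run_identity_spoof_tests) are all constructed for illustration. The "vulnerable" handler trusts a client-supplied role parameter as a proxy for the authenticated identity, which is exactly the flaw the checklist says to probe with a proxy; the "fixed" handler consults only the session.

```python
"""Access-control matrix test harness (constructed example).

A toy in-process application with a role -> resource -> action matrix,
a single centralized authorize() decision point, and two test routines:
one that walks every cell of the matrix (positive and negative cases),
and one in which the least-privileged user resubmits each request with
a spoofed identity parameter. All names and data here are hypothetical.
"""

from dataclasses import dataclass, field
from itertools import product

# Constructed access-control matrix: role -> resource -> permitted actions.
MATRIX = {
    "guest": {"report": {"read"}},
    "user":  {"report": {"read"}, "profile": {"read", "write"}},
    "admin": {"report": {"read", "write"}, "profile": {"read", "write"},
              "users": {"read", "write"}},
}
RESOURCES = sorted({r for perms in MATRIX.values() for r in perms})
ACTIONS = ("read", "write")  # modes of access that must be enforced separately


@dataclass
class Session:
    """Identity established by the identification/authentication mechanism."""
    user_id: str
    role: str


@dataclass
class Request:
    session: Session
    resource: str
    action: str
    params: dict = field(default_factory=dict)  # untrusted client-supplied input


def authorize(session: Session, resource: str, action: str) -> bool:
    """The one centralized decision point. It looks only at the
    authenticated identity (the session), never at request parameters."""
    return action in MATRIX.get(session.role, {}).get(resource, set())


def handle_vulnerable(req: Request) -> str:
    """'Before' handler: lets a client-supplied 'role' parameter stand in for
    the authenticated identity, so the decision depends on external input."""
    role = req.params.get("role", req.session.role)
    effective = Session(req.session.user_id, role)
    if not authorize(effective, req.resource, req.action):
        return "403"
    return f"200 {req.action} {req.resource}"


def handle_fixed(req: Request) -> str:
    """Hardened handler: the decision is made from the session identity only."""
    if not authorize(req.session, req.resource, req.action):
        return "403"
    return f"200 {req.action} {req.resource}"


def run_matrix_tests(handler) -> list:
    """Exercise every (role, resource, action) cell, including the cells the
    matrix forbids, and return those whose outcome disagrees with the matrix."""
    violations = []
    for role, resource, action in product(MATRIX, RESOURCES, ACTIONS):
        expected = action in MATRIX[role].get(resource, set())
        req = Request(Session(f"{role}-1", role), resource, action)
        got = handler(req).startswith("200")
        if got != expected:
            violations.append((role, resource, action, expected, got))
    return violations


def run_identity_spoof_tests(handler) -> list:
    """The least-privileged user (guest) resubmits every request with
    role=admin in the untrusted parameters, as one would with an intercepting
    proxy. Any 200 outside the guest row of the matrix is a violation."""
    violations = []
    for resource, action in product(RESOURCES, ACTIONS):
        req = Request(Session("guest-1", "guest"), resource, action,
                      params={"role": "admin"})
        allowed_for_guest = action in MATRIX["guest"].get(resource, set())
        if handler(req).startswith("200") and not allowed_for_guest:
            violations.append((resource, action))
    return violations


if __name__ == "__main__":
    for name, h in (("vulnerable", handle_vulnerable), ("fixed", handle_fixed)):
        print(name, "matrix violations:", run_matrix_tests(h))
        print(name, "spoof violations:", run_identity_spoof_tests(h))
```

Note that the matrix walk alone passes for both handlers: a test that only sends well-formed requests down the normal path never sees the flaw. It is the second routine, which manipulates information entering the application, that separates the two, which is the point of the "rely on external information" and "identifiers as a proxy for identity" items.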
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/enriched
Size: 6160 bytes
Desc: not available
Url : http://lists.owasp.org/pipermail/owasp-testing/attachments/20040409/6bc73d26/attachment.bin 