[OWASP-TESTING] Updated Pen Test Check List

Mark Curphey mark.curphey at foundstone.com
Fri Apr 9 16:28:39 EDT 2004


No problem...already got those and a few others. We can always add
issues after release 1. Thanks Dan, it was your work that got it to this
stage. I just tidied up a bit.
 
 


From: Daniel [mailto:Daniel at deeper.co.za] 
Sent: Friday, April 09, 2004 3:32 PM
To: owasp-testing at lists.sourceforge.net
Subject: Re: [OWASP-TESTING] Updated Pen Test Check List



Sorry just woke up :0) 

Looks brilliant imho, Mark do you want me to add Jeff's updates to the
doc or have you already done it? 



On 9 Apr 2004, at 20:06, Mark Curphey wrote: 


Any other updates or feedback ? 



From: Jeff Williams [mailto:jeff.williams at aspectsecurity.com]
Sent: Thursday, April 08, 2004 5:11 PM
To: Mark Curphey; owasp-testing at lists.sourceforge.net
Subject: Re: [OWASP-TESTING] Updated Pen Test Check List


Mark, 

Here are a few more items to beef up the access control section. 


Ensure that the application allows users to access only those functions
and assets they are specifically authorized for. 

Verify that users are allowed to access assets and functions as
described in the matrix.  Also verify that users cannot access assets
and functions outside their authorization. Because this set is generally
quite large, choose a set of specific tests to exercise the access
control mechanism. For example, the least privileged user should attempt
to access resources and functions of more privileged users. 


Ensure that the access control mechanism is implemented in a centralized
fashion, not distributed throughout the application. 

Ensure that the access control mechanism behaves consistently across the
entire application. Distributed mechanisms are impossible to implement
and configure correctly. 


Verify that all accesses to the application are subject to the access
control check. 

Attempt to access the application in a variety of ways that are outside
the normal user's path. A proxy can be helpful here in generating
communications that would not ordinarily be expected. 


Evaluate whether the application relies on any external information to
make access control decisions. 

Examine all information that enters the application and manipulate it to
attempt to subvert the access control decision. A proxy can be useful
here to manipulate these values. 


Ensure that the application uses only the identity determined by the
identification and authentication mechanism to make access control
decisions. 

Verify that the application does not use any identifiers or names as a
proxy for the authenticated identity. 


Assets and functions shall be clearly associated with the information
required to make access control decisions. 

Examine the assets and functions to be accessed by the application. It
should be clear what part of the access control matrix they belong to. 


Verify that both coarse-grained URL based access control and
fine-grained access control to specific functions and assets are properly
implemented. 

Attempt to access the application in a variety of ways that are outside
the normal user's path. A proxy can be helpful here in generating
communications that would not ordinarily be expected. 


Verify that users have been assigned the minimum privileges and
authorizations necessary to perform their tasks. 

Verify that users do not have privilege to perform functions that they
do not need. 


Ensure that administrators have been assigned the minimum privileges and
authorizations necessary to perform their tasks. 

Verify that administrative users do not have privilege to perform
unnecessary functions. 


Verify that only the authorized types or modes of access to assets and
functions are granted to users. 

If the application requires specific privileges, such as read, write,
execute, etc., verify that these privileges are accurately enforced.
Be sure that there is no way a user with read access can cause the
system to perform a write function. 



--Jeff 
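A worked illustration of the items above (a single centralized check, identity taken only from the authenticated session, and a test that exercises the whole access control matrix so that over-grants as well as missing grants show up). This is an example added here, not code from the checklist document or from OWASP; the roles, assets, modes and the matrix itself are constructed for the illustration.

```python
"""Centralized access-control check plus a matrix-driven test (example code).

The MATRIX, roles, assets and modes below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

# Constructed access-control matrix: (role, asset) -> modes that role may use.
# Anything absent from the matrix is denied (deny by default).
MATRIX: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("user", "own_profile"): frozenset({"read", "write"}),
    ("user", "public_report"): frozenset({"read"}),
    ("admin", "own_profile"): frozenset({"read", "write"}),
    ("admin", "public_report"): frozenset({"read", "write"}),
    ("admin", "user_list"): frozenset({"read"}),
}
ASSETS = sorted({asset for _, asset in MATRIX})
MODES = ("read", "write", "execute")


@dataclass(frozen=True)
class Session:
    """Identity as established by the authentication layer. The role comes
    from here and only here; it is never read from the request."""
    user_id: str
    role: str


class AccessDenied(Exception):
    pass


def authorize(session: Session, asset: str, mode: str) -> None:
    """Single, centralized choke point. Every handler calls this before
    touching an asset; the decision depends only on the session's role."""
    allowed = MATRIX.get((session.role, asset), frozenset())
    if mode not in allowed:
        raise AccessDenied(f"role {session.role!r} may not {mode} {asset}")


def handle_request(session: Session, request: Dict[str, str]) -> str:
    """Example handler. A 'role' or 'user_id' field sent by the client is
    ignored: the session is the identity (no identifier acts as a proxy)."""
    authorize(session, request["asset"], request["mode"])
    return f"{request['mode']} {request['asset']} as {session.user_id}"


def is_denied(session: Session, asset: str, mode: str) -> bool:
    """True if the centralized check refuses this access."""
    try:
        authorize(session, asset, mode)
    except AccessDenied:
        return True
    return False


def exercise_matrix(role: str) -> Set[Tuple[str, str]]:
    """Probe every (asset, mode) pair as the given role and return the pairs
    that were granted. Comparing the result with expected_for() makes both a
    missing grant and an over-grant (e.g. the least privileged role reaching
    an admin-only asset, or read access producing a write) a test failure."""
    session = Session(user_id="probe", role=role)
    return {(asset, mode) for asset in ASSETS for mode in MODES
            if not is_denied(session, asset, mode)}


def expected_for(role: str) -> Set[Tuple[str, str]]:
    """Grants the matrix says this role should have (the test oracle)."""
    return {(asset, mode) for (r, asset), modes in MATRIX.items()
            if r == role for mode in modes}


if __name__ == "__main__":
    for role in ("user", "admin", "guest"):
        granted = exercise_matrix(role)
        status = "OK " if granted == expected_for(role) else "BAD"
        print(status, role, sorted(granted))
```

Running the module prints one line per role; an unknown role such as "guest" is granted nothing because the matrix is the only source of permission. The same probe loop, driven by the real application's matrix instead of this constructed one, is the "set of specific tests" the checklist asks for.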


----- Original Message -----
From: "Mark Curphey" <mark.curphey at foundstone.com>
To: <owasp-testing at lists.sourceforge.net>
Sent: Thursday, April 08, 2004 4:18 PM
Subject: [OWASP-TESTING] Updated Pen Test Check List



OK, sorry for the delay in this. I thought I would get to it last night
but it took a little longer than I thought and some other things got in
the way.

I have tried to make everything as an "issue" that should be checked for
and not a consequence or a technique. I have aligned this with OASIS WAS
Vuln Types although there are a few issues I would like to still add. I
have also removed the things that were techniques or consequences.

Let me know what you think. I know we will need to add more issues etc.
but I hope the formatting and style is now consistent.

If you like it I suggest we use this as a template, and send updates via
email to the list. If you update the doc even with tracking turned on it
winds up with having to merge different versions and I end up being
secretary and I don't look good in a skirt. Drunken pictures of a
Montreal bachelor party out there will validate that!

If we can make changes very quick I would be happy to release it this
weekend and the Testing Part One next weekend although that depends on
how much work you all think this still needs.

Please take a look and think of issues that are not covered and send
them to the list.

Cheers

Mark
