[OWASP-TESTING] Updated Pen Test Check List

Mark Curphey mark at curphey.com
Sat Apr 10 09:57:57 EDT 2004


I am assuming that, apart from Jeff's additions, everyone else is happy with
Release 1 of the Check List?

  _____  

From: owasp-testing-admin at lists.sourceforge.net
[mailto:owasp-testing-admin at lists.sourceforge.net] On Behalf Of Mark Curphey
Sent: Friday, April 09, 2004 4:29 PM
To: Daniel; owasp-testing at lists.sourceforge.net
Subject: RE: [OWASP-TESTING] Updated Pen Test Check List


No problem...already got those and a few others. We can always add issues
after release 1. Thanks Dan, it was your work that got it to this stage. I
just tidied up a bit.
 
 

  _____  

From: Daniel [mailto:Daniel at deeper.co.za] 
Sent: Friday, April 09, 2004 3:32 PM
To: owasp-testing at lists.sourceforge.net
Subject: Re: [OWASP-TESTING] Updated Pen Test Check List



Sorry just woke up :0) 

Looks brilliant imho, Mark do you want me to add Jeff's updates to the doc
or have you already done it? 



On 9 Apr 2004, at 20:06, Mark Curphey wrote: 


Any other updates or feedback ? 



From: Jeff Williams [mailto:jeff.williams at aspectsecurity.com] 
Sent: Thursday, April 08, 2004 5:11 PM 
To: Mark Curphey; owasp-testing at lists.sourceforge.net 
Subject: Re: [OWASP-TESTING] Updated Pen Test Check List 


Mark, 

Here are a few more items to beef up the access control section. 


Ensure that the application allows users to access only those functions and
assets they are specifically authorized for. 

Verify that users are allowed to access assets and functions as described
in the matrix. Also verify that users cannot access assets and functions
outside their authorization. Because this set is generally quite large,
choose a set of specific tests to exercise the access control mechanism. For
example, the least privileged user should attempt to access resources and
functions of more privileged users. 


Ensure that the access control mechanism is implemented in a centralized
fashion, not distributed throughout the application. 

Ensure that the access control mechanism behaves consistently across the
entire application. Distributed mechanisms are impossible to implement and
configure correctly. 


Verify that all accesses to the application are subject to the access
control check. 

Attempt to access the application in a variety of ways that are outside the
normal user's path. A proxy can be helpful here in generating communications
that would not ordinarily be expected. 


Evaluate whether the application relies on any external information to make
access control decisions. 

Examine all information that enters the application and manipulate it to
attempt to subvert the access control decision. A proxy can be useful here
to manipulate these values. 


Ensure that the application uses only the identity determined by the
identification and authentication mechanism to make access control
decisions. 

Verify that the application does not use any identifiers or names as a proxy
for the authenticated identity. 


Assets and functions shall be clearly associated with the information
required to make access control decisions. 

Examine the assets and functions to be accessed by the application. It
should be clear what part of the access control matrix they belong to. 


Verify that both coarse-grained URL based access control and fine-grained
access control to specific functions and assets is properly implemented. 

Attempt to access the application in a variety of ways that are outside the
normal user's path. A proxy can be helpful here in generating communications
that would not ordinarily be expected. 


Verify that users have been assigned the minimum privileges and
authorizations necessary to perform their tasks. 

Verify that users do not have privilege to perform functions that they do
not need. 


Ensure that administrators have been assigned the minimum privileges and
authorizations necessary to perform their tasks. 

Verify that administrative users do not have privilege to perform
unnecessary functions. 


Verify that only the authorized types or modes of access to assets and
functions are granted to users. 

If the application requires specific privileges, such as read, write,
execute, etc., verify that these privileges are accurately enforced. Be sure
that there is no way a user with read access can cause the system to perform
a write function. 



--Jeff 


----- Original Message ----- 
From: "Mark Curphey" <mark.curphey at foundstone.com> 
To: <owasp-testing at lists.sourceforge.net> 
Sent: Thursday, April 08, 2004 4:18 PM 
Subject: [OWASP-TESTING] Updated Pen Test Check List 



OK, sorry for the delay in this. I thought I would get to it last night
but it took a little longer than I thought and some other things got in
the way.

I have tried to make everything an "issue" that should be checked for
and not a consequence or a technique. I have aligned this with OASIS WAS
Vuln Types although there are a few issues I would like to still add. I
have also removed the things that were techniques or consequences.

Let me know what you think. I know we will need to add more issues etc.
but I hope the formatting and style is now consistent.

If you like it I suggest we use this as a template, and send updates via
email to the list. If you update the doc even with tracking turned on it
winds up with having to merge different versions and I end up being
secretary and I don't look good in a skirt. Drunken pictures of a
Montreal bachelor party out there will validate that!

If we can make changes very quickly I would be happy to release it this
weekend and the Testing Part One next weekend although that depends on
how much work you all think this still needs.

Please take a look and think of issues that are not covered and send
them to the list.

Cheers

Mark
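As an added illustration of Jeff's access control items above (a centralized check, decisions based only on the authenticated identity, per-mode read/write enforcement, and matrix-driven tests in which the least privileged user tries more privileged functions), here is example code that is not part of the thread or of the OWASP checklist; the roles, assets and handlers are constructed for the demonstration.

```python
# Constructed access-control matrix: role -> set of (asset, mode) pairs.
ACCESS_MATRIX = {
    "reader": {("report", "read")},
    "editor": {("report", "read"), ("report", "write")},
    "admin": {("report", "read"), ("report", "write"), ("users", "write")},
}

class Forbidden(Exception):
    pass

def authorize(session, asset, mode):
    """Single decision point: consults only the authenticated session identity."""
    return (asset, mode) in ACCESS_MATRIX.get(session["role"], set())

def require(asset, mode):
    """Decorator so every handler passes through the same centralized check."""
    def deco(fn):
        def wrapper(session, params):
            # Request parameters are never an input to the decision, so a
            # client-supplied "role" or "user_id" cannot act as a proxy identity.
            if not authorize(session, asset, mode):
                raise Forbidden(f"{session['user']} may not {mode} {asset}")
            return fn(session, params)
        return wrapper
    return deco

@require("report", "read")
def view_report(session, params):
    return f"report {params['id']} viewed by {session['user']}"

@require("report", "write")
def update_report(session, params):
    return f"report {params['id']} updated by {session['user']}"

# Each handler is labelled with the matrix cell it belongs to.
HANDLERS = {("report", "read"): view_report, ("report", "write"): update_report}

def run_matrix_tests():
    """Drive every role through every handler; return mismatches with the matrix."""
    failures = []
    for role in ACCESS_MATRIX:
        session = {"user": f"{role}-user", "role": role}
        for (asset, mode), handler in HANDLERS.items():
            expected = (asset, mode) in ACCESS_MATRIX[role]
            try:
                # The tampered "role" parameter must have no effect on the outcome.
                handler(session, {"id": 7, "role": "admin"})
                observed = True
            except Forbidden:
                observed = False
            if observed != expected:
                failures.append((role, asset, mode, expected, observed))
    return failures
```

An empty list from run_matrix_tests() means observed behaviour matches the matrix for every role and handler; any tuple returned names the cell where enforcement disagrees with the design.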
