[OWASP-TESTING] Updated Pen Test Check List

Daniel Daniel at deeper.co.za
Sat Apr 10 11:14:53 EDT 2004


I'm happy, it's looking great.

Are we going to release it to the hungry public soon?


On 10 Apr 2004, at 14:57, Mark Curphey wrote:

> I am assuming apart from Jeff's additions, everyone else is happy with 
> Release 1 of the Check List?
>
>
> From: owasp-testing-admin at lists.sourceforge.net 
> [mailto:owasp-testing-admin at lists.sourceforge.net] On Behalf Of Mark 
> Curphey
> Sent: Friday, April 09, 2004 4:29 PM
> To: Daniel; owasp-testing at lists.sourceforge.net
> Subject: RE: [OWASP-TESTING] Updated Pen Test Check List
>
> No problem...already got those and a few others. We can always add 
> issues after release 1. Thanks Dan, it was your work that got it to 
> this stage. I just tidied up a bit.
>  
>  
>
>
> From: Daniel [mailto:Daniel at deeper.co.za]
>  Sent: Friday, April 09, 2004 3:32 PM
> To: owasp-testing at lists.sourceforge.net
> Subject: Re: [OWASP-TESTING] Updated Pen Test Check List
>
>
> Sorry just woke up :0)
>
>  Looks brilliant imho, Mark do you want me to add Jeff's updates to 
> the doc or have you already done it?
>
>
>
>
>  On 9 Apr 2004, at 20:06, Mark Curphey wrote:
>
>
>
>  Any other updates or feedback?
>
>
>
>
> From: Jeff Williams [mailto:jeff.williams at aspectsecurity.com]
>
> Sent: Thursday, April 08, 2004 5:11 PM
>
> To: Mark Curphey; owasp-testing at lists.sourceforge.net
>
> Subject: Re: [OWASP-TESTING] Updated Pen Test Check List
>
>
>
> Mark,
>
>  Here are a few more items to beef up the access control section.
>
>
>
>  Ensure that the application allows users to access only those 
> functions and assets they are specifically authorized for.
>
> Verify that users are allowed to access assets and functions as 
> described in the matrix.  Also verify that users cannot access assets 
> and functions outside their authorization. Because this set is 
> generally quite large, choose a set of specific tests to exercise the 
> access control mechanism. For example, the least privileged user 
> should attempt to access resources and functions of more privileged 
> users.
>
>
>
> Ensure that the access control mechanism is implemented in a 
> centralized fashion, not distributed throughout the application.
>
> Ensure that the access control mechanism behaves consistently across 
> the entire application. Distributed mechanisms are impossible to 
> implement and configure correctly.
>
>
>
> Verify that all accesses to the application are subject to the access 
> control check.
>
> Attempt to access the application in a variety of ways that are 
> outside the normal user's path. A proxy can be helpful here in 
> generating communications that would not ordinarily be expected.
>
>
>
> Evaluate whether the application relies on any external information to 
> make access control decisions.
>
> Examine all information that enters the application and manipulate it 
> to attempt to subvert the access control decision. A proxy can be 
> useful here to manipulate these values.
>
>
>
> Ensure that the application uses only the identity determined by the 
> identification and authentication mechanism to make access control 
> decisions.
>
> Verify that the application does not use any identifiers or names as a 
> proxy for the authenticated identity.
>
>
>
> Assets and functions shall be clearly associated with the information 
> required to make access control decisions.
>
> Examine the assets and functions to be accessed by the application. It 
> should be clear what part of the access control matrix they belong to.
>
>
>
> Verify that both coarse-grained URL based access control and 
> fine-grained access control to specific functions and assets is 
> properly implemented.
>
> Attempt to access the application in a variety of ways that are 
> outside the normal user's path. A proxy can be helpful here in 
> generating communications that would not ordinarily be expected.
>
>
>
> Verify that users have been assigned the minimum privileges and 
> authorizations necessary to perform their tasks.
>
> Verify that users do not have privilege to perform functions that they 
> do not need.
>
>
>
> Ensure that administrators have been assigned the minimum privileges 
> and authorizations necessary to perform their tasks.
>
> Verify that administrative users do not have privilege to perform 
> unnecessary functions.
>
>
>
> Verify that only the authorized types or modes of access to assets and 
> functions are granted to users.
>
> If the application requires specific privileges, such as read, write, 
> execute, etc…, verify that these privileges are accurately enforced. 
> Be sure that there is no way a user with read access can cause the 
> system to perform a write function.
>
>
>
>
> --Jeff
>
>
>
>  ----- Original Message -----
>
>  From: "Mark Curphey" <mark.curphey at foundstone.com>
>
>  To: <owasp-testing at lists.sourceforge.net>
>
>  Sent: Thursday, April 08, 2004 4:18 PM
>
>  Subject: [OWASP-TESTING] Updated Pen Test Check List
>
>
>
>
>  OK, sorry for the delay in this. I thought I would get to it last night
>  but it took a little longer than I thought and some other things got in
>  the way.
>
>  I have tried to make everything as an "issue" that should be checked for
>  and not a consequence or a technique. I have aligned this with OASIS WAS
>  Vuln Types although there are a few issues I would like to still add. I
>  have also removed the things that were techniques or consequences.
>
>  Let me know what you think. I know we will need to add more issues etc
>  but I hope the formatting and style is now consistent.
>
>  If you like it I suggest we use this as a template, and send updates via
>  email to the list. If you update the doc even with tracking turned on it
>  winds up with having to merge different versions and I end up being
>  secretary and I don't look good in a skirt. Drunken pictures of a
>  Montreal bachelor party out there will validate that!
>
>  If we can make changes very quick I would be happy to release it this
>  weekend and the Testing Part One next weekend although that depends on
>  how much work you all think this still needs.
>
>  Please take a look and think of issues that are not covered and send
>  them to the list.
>
>  Cheers
>
>  Mark
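An added example, not part of the thread and not code from the OWASP checklist or project, showing how several of Jeff's access control items can be turned into a repeatable test: a constructed role/asset/mode matrix, one central `is_allowed()` decision point that consults only the authenticated session role (never a request-supplied identifier), the same toy application once with per-handler checks (where one handler, `export_report`, omits its check) and once gated centrally, and an `audit()` that exercises every (role, entry point) pair as that role and reports any cell that disagrees with the matrix. All role names, assets, handler names and the defect are constructed for illustration; the thread names no implementation language, and Python is used here only as a convenient harness.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, FrozenSet, List, Tuple


class Mode(Enum):
    READ = "read"
    WRITE = "write"
    EXECUTE = "execute"


# Constructed access-control matrix: role -> asset -> permitted modes.
# Any cell not listed is denied.
MATRIX: Dict[str, Dict[str, FrozenSet[Mode]]] = {
    "viewer": {"report": frozenset({Mode.READ})},
    "editor": {"report": frozenset({Mode.READ, Mode.WRITE})},
}


@dataclass(frozen=True)
class Session:
    """Identity as established by authentication, never taken from request data."""
    user: str
    role: str


class AccessDenied(Exception):
    pass


def is_allowed(session: Session, asset: str, mode: Mode) -> bool:
    """The single decision point; consults only the authenticated role."""
    return mode in MATRIX.get(session.role, {}).get(asset, frozenset())


class App:
    """Entry points registered as name -> (asset, mode, handler).
    centralized=True gates every call through is_allowed();
    centralized=False trusts each handler to check for itself."""

    def __init__(self, handlers: Dict[str, Tuple[str, Mode, Callable[[Session], str]]],
                 centralized: bool):
        self.handlers = handlers
        self.centralized = centralized

    def call(self, session: Session, name: str) -> str:
        asset, mode, fn = self.handlers[name]
        if self.centralized and not is_allowed(session, asset, mode):
            raise AccessDenied(f"{session.role} -> {mode.value} {asset}")
        return fn(session)


def distributed_app() -> App:
    """Per-handler checks, the pattern the checklist warns against."""
    def read_report(s: Session) -> str:
        if s.role not in ("viewer", "editor"):
            raise AccessDenied("read_report")
        return "report contents"

    def write_report(s: Session) -> str:
        if s.role != "editor":
            raise AccessDenied("write_report")
        return "saved"

    def export_report(s: Session) -> str:
        # Constructed defect: export writes the report to disk (a WRITE on
        # "report"), but this handler only checks that a session exists.
        if s is None:
            raise AccessDenied("export_report")
        return "exported"

    return App({"read_report": ("report", Mode.READ, read_report),
                "write_report": ("report", Mode.WRITE, write_report),
                "export_report": ("report", Mode.WRITE, export_report)},
               centralized=False)


def central_app() -> App:
    """Same entry points with no checks in the handlers; App.call() does them all."""
    return App({"read_report": ("report", Mode.READ, lambda s: "report contents"),
                "write_report": ("report", Mode.WRITE, lambda s: "saved"),
                "export_report": ("report", Mode.WRITE, lambda s: "exported")},
               centralized=True)


def audit(app: App) -> List[Tuple[str, str]]:
    """Exercise every (role, entry point) pair as that role and report cells
    where the observed outcome disagrees with MATRIX. An empty list means the
    matrix is enforced exactly; each finding is a missing or over-broad check."""
    findings = []
    for role in MATRIX:
        session = Session(user=f"test-{role}", role=role)
        for name, (asset, mode, _) in app.handlers.items():
            expected = mode in MATRIX[role].get(asset, frozenset())
            try:
                app.call(session, name)
                observed = True
            except AccessDenied:
                observed = False
            if observed != expected:
                findings.append((role, name))
    return findings
```

`audit(distributed_app())` returns `[('viewer', 'export_report')]`: the read-only role can cause a write through the unchecked export path, which is exactly the discrepancy the last checklist item asks the tester to rule out. `audit(central_app())` returns an empty list, because the one decision point governs every entry and there is no second place for a check to be forgotten, which is the practical argument behind the "centralized, not distributed" item.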

