Javier Fernandez-Sanguino jfernandez at germinus.com
Mon Mar 22 06:36:36 EST 2004

> Comments would be appreciated on the structure and design as well as the sections
> (remember this isn't the how do they
> fix the problem, it's how do we test and find the problem)

Would it be appropriate (in Input Validation) to have a specific section 
regarding testing of encoding?

I.e. OWASP-IV-XXXX: Input encoding testing. Test if input validation 
is done regardless of encoding.

I've found a number of applications that filter appropriate input if 
it's ASCII encoded (i.e. %25 = %) but not if using unicode encoding 
(i.e. %u0025 = % or variants) or UTF-8 encoding.

The paper "URL Encoded Attacks. Attacks using the common web browser"
by Gunter Ollmann summarises many of these.

I'm not sure if the "OWASP-IV-006" test covers this; applications 
might not accept URL encoded input (i.e. in a GET request) but accept 
it just as fine in a POST request (in the data).

Notice that the above paper also mentions the use of different 
formatting schemes for IP addresses (using IPv6) which might merit a 
different test.

Also, on the "Data Storage" section I would include an

"OWASP-DSC-005. Minimum privilege access to storage areas. Does the 
application use reduced privileges to access storage areas such as 
databases? Can the application run code (stored procedures) in 
different database sections or access databases which are not 
necessary for the application?"

This type of testing is usually quite important when doing SQL 
injection. It's quite different when the application is accessing the 
database as, for example, the 'sa' user (in SQL Server) than if using a 
limited user/role that can only read the tables used by the 
application. Even if SQL injection is possible, the risk is reduced.
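The encoding point raised in the message above, as an added example that is not part of the original post and not code from OWASP or from the Ollmann paper: a validator that applies one standard URL decode (the pattern the post describes as catching `%25` but missing `%u0025` and UTF-8 variants) is compared with one that canonicalizes the input first by decoding `%uXXXX`, repeated `%XX` layers and overlong two-byte UTF-8 forms until the string stops changing. The sample inputs, the blocked-character list and the function names are all constructed for this illustration.

```python
import re
import urllib.parse

# Constructed sample inputs: the same apostrophe in several encodings.
# Only the "plain" and "url" forms are visible to a one-pass URL decoder.
SAMPLES = {
    "plain":         "name=O'Brien",
    "url":           "name=O%27Brien",
    "double_url":    "name=O%2527Brien",
    "unicode_u":     "name=O%u0027Brien",   # IIS-style %uXXXX form
    "utf8_overlong": "name=O%C0%A7Brien",   # overlong 2-byte UTF-8 form of 0x27
}

# Constructed deny-list: characters the application wants to reject after decoding.
BLOCKED = set("'<>;")

_U_RE = re.compile(r"%u([0-9a-fA-F]{4})")


def _u_escape_to_char(match: re.Match) -> str:
    """Turn %uXXXX into the corresponding character; lone surrogates become U+FFFD."""
    cp = int(match.group(1), 16)
    return "\ufffd" if 0xD800 <= cp <= 0xDFFF else chr(cp)


def _fix_overlong(raw: bytes) -> bytes:
    """Rewrite overlong 2-byte UTF-8 sequences (lead byte C0/C1) to their canonical
    single byte. A strict decoder rejects these, but a lenient one maps them to ASCII,
    which is exactly what a filter that runs before decoding never sees."""
    fixed = bytearray()
    i = 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            fixed.append(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            fixed.append(b)
            i += 1
    return bytes(fixed)


def decode_once(s: str) -> str:
    """Apply one decoding layer: %uXXXX first, then %XX to bytes, then lenient UTF-8."""
    s = _U_RE.sub(_u_escape_to_char, s)
    raw = urllib.parse.unquote_to_bytes(s)
    return _fix_overlong(raw).decode("utf-8", errors="replace")


def canonicalize(s: str, max_rounds: int = 3) -> str:
    """Decode repeatedly until the string is stable, so double encoding is unwrapped.
    The round limit bounds the work an attacker-controlled string can cause."""
    for _ in range(max_rounds):
        decoded = decode_once(s)
        if decoded == s:
            break
        s = decoded
    return s


def naive_reject(s: str) -> bool:
    """The filter pattern described in the post: one standard URL decode, then check."""
    return any(c in BLOCKED for c in urllib.parse.unquote(s, errors="replace"))


def canonical_reject(s: str) -> bool:
    """Same deny-list, but applied to the canonical form of the input."""
    return any(c in BLOCKED for c in canonicalize(s))


def run_checks(samples=SAMPLES):
    """Return {sample name: (naive verdict, canonical verdict)} for every encoding."""
    return {name: (naive_reject(v), canonical_reject(v)) for name, v in samples.items()}


if __name__ == "__main__":
    for name, (naive, canon) in run_checks().items():
        print(f"{name:14s} naive_reject={naive!s:5s} canonical_reject={canon}")
```

Running the block shows the naive filter rejecting only the `plain` and `url` forms while the canonicalizing filter rejects all five; a test for the proposed "input encoding" item would feed each variant through the same request path (GET and POST bodies alike, as the post notes) and expect identical verdicts. The canonical form is only for the validation check: the application must still decode its input exactly once, in one well-defined place, before that check runs.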



