[OWASP-TESTING] web application penetration testing checklist
jfernandez at germinus.com
Mon Mar 22 06:36:36 EST 2004
> Comments would be appreciated on the structure and design as well as the sections
> (remember this isn't the how do they
> fix the problem, it's how do we test and find the problem)
Would it be appropriate (in Input Validation) to have a specific section
regarding testing of encoding?
I.e. OWASP-IV-XXXX: Input encoding testing. Test if input validation
is done regardless of encoding.
I've found a number of applications that filter appropriate input if
it's ASCII encoded (i.e. %25 = %) but not if using unicode encoding
(i.e. %u0025 = % or variants) or UTF-8 encoding.
The paper "URL Encoded Attacks. Attacks using the common web browser"
by Gunter Ollmann summarises many of these.
I'm not sure if the "OWASP-IV-006" test covers this; applications
might not accept URL encoded input (i.e. in a GET request) but accept
it just fine in a POST request (in the data).
Notice that the above paper also mentions the use of different
formatting schemes for IP addresses (using IPv6) which might merit a
Also, on the "Data Storage" section I would include an
"OWASP-DSC-005. Minimum privilege access to storage areas. Does the
application use reduced privileges to access storage areas such as
databases? Can the application run code (stored procedures) in
different database sections or access databases which are not
necessary for the application?"
This type of testing is usually quite important when doing SQL
injection. It's quite different when the application is accessing the
database as, for example, the 'sa' user (in SQL Server) than if using a
limited user/role that can only read the tables used by the
application. Even if SQL injection is possible, the risk is reduced.
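As an added example (not from the post or from the OWASP testing project), here is a small Python canonicalizer in the spirit of the proposed encoding test: it decodes %XX, %uXXXX and double-encoded input to a fixed point, treats overlong UTF-8 as invalid, and only then applies the filter, next to the single-pass filter the post describes. The blocked character set and the function names are assumptions made for this example.

```python
import string
from urllib.parse import unquote

HEX = set(string.hexdigits)
BLOCKED = set("<>\"'")  # assumption: the characters this example's filter rejects

def naive_is_safe(value: str) -> bool:
    """The weak pattern from the post: decode one layer of %XX, then filter."""
    return not (BLOCKED & set(unquote(value)))

def _is_hex(chunk: str, n: int) -> bool:
    return len(chunk) == n and all(c in HEX for c in chunk)

def decode_once(s: str) -> bytes:
    """Decode one layer of %XX and %uXXXX escapes to raw bytes; copy everything else."""
    out, i = bytearray(), 0
    while i < len(s):
        if s[i] == "%" and s[i + 1:i + 2] in ("u", "U") and _is_hex(s[i + 2:i + 6], 4):
            # %uXXXX escape; a lone surrogate makes encode() raise (a ValueError subclass)
            out += chr(int(s[i + 2:i + 6], 16)).encode("utf-8")
            i += 6
        elif s[i] == "%" and _is_hex(s[i + 1:i + 3], 2):
            out.append(int(s[i + 1:i + 3], 16))  # %XX escape: one raw byte
            i += 3
        else:
            out += s[i].encode("utf-8")
            i += 1
    return bytes(out)

def canonicalize(value: str, max_rounds: int = 3) -> str:
    """Decode until the value stops changing, rejecting bad UTF-8 and endless layers."""
    current = value
    for _ in range(max_rounds):
        raw = decode_once(current)
        try:
            decoded = raw.decode("utf-8")  # strict: overlong forms such as C0 BC are errors
        except UnicodeDecodeError as exc:
            raise ValueError("non-canonical or invalid UTF-8") from exc
        if decoded == current:
            return decoded
        current = decoded
    raise ValueError("too many encoding layers")

def is_safe(value: str) -> bool:
    """Validate only after canonicalization; fail closed on anything undecodable."""
    try:
        return not (BLOCKED & set(canonicalize(value)))
    except ValueError:
        return False
```

The naive filter lets `%u003cscript%u003e`, `%253cscript%253e` and the overlong `%c0%bcscript%c0%be` through, while `is_safe` rejects all three and still accepts ordinary input such as `hello%20world`.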