[OWASP-TESTING] web application penetration testing checklist

daniel at deeper.co.za daniel at deeper.co.za
Mon Mar 22 06:27:09 EST 2004

doh, i forgot about Gunter's paper!
I agree on the input encoding part, ill add a new bit to that section and include the data

cheers Javier

> > Comments would be appreciated on the structure and design as well as the sections
> > (remember this isn’t the how do they
> > fix the problem, its how do we test and find the problem)
> Would it be appropiate (in Input Validation) an specific section 
> regarding test of encoding?
> I.e. OWASP-IV-XXXX: Input encoding testing. Test if input validation 
> is done regardless of enconding.
> I've found a number of applications that filter appropiate input if 
> it's ASCII encoded (i.e. %25 = %) but not if using unicode encoding 
> (i.e %u0025 = % or variants) or UTF-8 encoding.
> The paper "URL Encoded Attacks. Attacks using the common web browser"
> by Gunter Ollmann summarises many of these
> http://www.cgisecurity.com/lib/URLEmbeddedAttacks.html
> I'm not sure if the "OWASP-IV-006" test covers this, applications 
> might not accept URL encoded input (i.e. in a GET request) but accept 
> it just as fine in a POST request (in the data)
> Notice that the above paper also mentions the use of different 
> formatting schemes for IP addresses (using IPv6) which might merit a 
> different test.
> Also, on the "Data Storage" section I would include an
> "OWASP-DSC-005. Minimum privilege access to storage areas. Does the 
> application use reduced privileges to access storage areas such as 
> databases? Can the application run code (stored procedures) in 
> different database sections or access databases which are not 
> neccesary for the application?"
> This type of testing is usually quite important when doing SQL 
> inyection. It's quite different when the application is accesing the 
> database as, for example, 'sa' user (in SQL Server) than if using a 
> limited user/role than can only read the tables used by the 
> application. Even if SQL inyection is possible, the risk is reduced.
> Regards
> Javier

More information about the Owasp-testing mailing list