[OWASP-TESTING] finally!

Javier Fernandez-Sanguino jfernandez at germinus.com
Wed Apr 13 05:07:51 EDT 2005


Daniel Cuthbert wrote:


> If you can all review the current outline and give me feedback, we can 
> get this project going again

Some comments:

- "Authentication":
	* Session token generation (are they generated by the web server 
software or by the application itself?)
	* Token storage? (if not marked as 'secure', a cookie will be stored 
on hard disk...)
	* Control for automated attacks? (i.e. does the authentication 
mechanism block remote systems that try a brute-force attack against a 
simple user/password form?)
	* Authentication logging (i.e. is information stored on the number of 
failed attempts for a given user?)
	* Authentication restrictions (i.e. same user cannot be logged on 
twice, no user can log on from a given location - using a restricted 
IP address space)

- Application DoS:
	* Misuse of CPU-intensive operations? (imagine a SQL query that draws 
from millions of records and any user can execute it at whim; it might 
be legitimate, there's no flooding, but the web server cannot cope 
with, say, 5 parallel requests)

- "Configuration Management Infrastructure":
	* Authentication back-ends (LDAP, DBMS, text files...)

- "Data protection":
	* Privileges granted from the web server to data backends (CMS or 
DBMS; many people use the admin user to connect to both, i.e. 'sa' in MsSQL)

- Language-specific testing:
	* Related to SOAP services: a while back I wrote some tests associated 
with XML-powered web services (for the OSSTMM); they might be a little 
bit dated, but might be useful. They are attached.

	* Flash testing and applet analysis might involve de-compilation of 
the objects in order to determine what requests they make or how 
they store information.

- Analyzing Results
	* Maybe use CVSS to rate vulnerabilities? In order to classify 
threats it might be best to take into account the vulnerability itself 
(SQL injection) and the expertise needed to make a successful attack (do 
you need internal information of the application or is it easy to 
determine what the application is doing through its errors?)

Regards

Javier
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: xml-tests.txt
Url: http://lists.owasp.org/pipermail/owasp-testing/attachments/20050413/195974c4/attachment.txt 
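The "Token storage" item above (whether the session cookie is marked Secure and whether it ends up on disk) is one of the easier checks to automate from a captured HTTP response. The script below is an added example written for this page; it is not part of Javier's post, the xml-tests.txt attachment or the OWASP Testing Guide. It parses each Set-Cookie header with a small purpose-built parser and, for cookies whose names look like session or authentication tokens, flags a missing Secure flag, a missing HttpOnly flag, an absent or "None" SameSite value, a short token value, and separately whether the cookie is persistent. That last check is kept distinct from Secure on purpose: browsers write a cookie to disk when it carries Expires or a positive Max-Age, independently of the Secure attribute, which only restricts transmission to HTTPS. The sample headers, the SESSION_NAME_HINTS list and the 16-character minimum length are constructed assumptions for illustration, not measured values.

```python
"""Added example: audit Set-Cookie headers for session-token storage issues.

Illustrative code written for this page, not part of the OWASP Testing
Guide or the xml-tests.txt attachment.  The header samples below are
constructed; SESSION_NAME_HINTS and MIN_TOKEN_LEN are assumed thresholds.
"""
from dataclasses import dataclass, field
from typing import Optional

# Substrings that usually mark a session/authentication cookie (assumed list).
SESSION_NAME_HINTS = ("sess", "sid", "token", "auth")
MIN_TOKEN_LEN = 16  # assumed threshold: shorter values deserve a look at generation


@dataclass
class CookieReport:
    name: str
    value: str
    secure: bool
    httponly: bool
    persistent: bool          # Expires or Max-Age>0 present: browser writes it to disk
    samesite: Optional[str]
    findings: list = field(default_factory=list)


def parse_set_cookie(header: str):
    """Split one Set-Cookie header into (name, value, {attr: value-or-None}).

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to
    None.  Expires dates contain commas but never semicolons, so ';' is a
    safe separator.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else None
    return name.strip(), value.strip(), attrs


def is_persistent(attrs) -> bool:
    """True if the cookie outlives the browser session (Expires or a positive Max-Age)."""
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"] or "0") > 0
        except ValueError:
            return True  # unparsable Max-Age: assume it persists, flag for manual review
    return "expires" in attrs


def looks_like_session_cookie(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def audit_set_cookie(header: str) -> CookieReport:
    """Check one Set-Cookie header against the token-storage items in the post."""
    name, value, attrs = parse_set_cookie(header)
    report = CookieReport(
        name=name,
        value=value,
        secure="secure" in attrs,
        httponly="httponly" in attrs,
        persistent=is_persistent(attrs),
        samesite=attrs.get("samesite"),
    )
    if not looks_like_session_cookie(name):
        return report  # non-session cookies are reported but not flagged
    if not report.secure:
        report.findings.append("missing Secure: token can be sent over cleartext HTTP")
    if not report.httponly:
        report.findings.append("missing HttpOnly: token readable by injected script")
    if report.persistent:
        report.findings.append("persistent (Expires/Max-Age): token is written to disk")
    if report.samesite is None or report.samesite.lower() == "none":
        report.findings.append("SameSite absent or None: token sent on cross-site requests")
    if len(value) < MIN_TOKEN_LEN:
        report.findings.append(f"short value ({len(value)} chars): check token generation")
    return report


def audit_response_headers(headers):
    """Audit every Set-Cookie header in a list of (name, value) pairs, keyed by cookie name."""
    return {
        r.name: r
        for r in (audit_set_cookie(v) for k, v in headers if k.lower() == "set-cookie")
    }


# Constructed sample response headers (not captured from any real application).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=0F3A9C2B7D4E1A6F5B8C9D0E1F2A3B4C; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "PHPSESSID=abc123; Path=/; Expires=Wed, 13-Apr-2005 09:07:51 GMT"),
    ("Set-Cookie", "lang=en; Path=/; Max-Age=31536000"),
]

if __name__ == "__main__":
    for name, report in audit_response_headers(SAMPLE_HEADERS).items():
        status = "OK" if not report.findings else f"{len(report.findings)} finding(s)"
        print(f"{name}: {status}")
        for finding in report.findings:
            print(f"  - {finding}")
```

Run against the constructed sample, the well-configured JSESSIONID cookie produces no findings, the PHPSESSID cookie produces five (no Secure, no HttpOnly, persistent, no SameSite, six-character value), and the non-session "lang" cookie is recorded as persistent but not flagged. To use it on a real target, feed it the header pairs from whatever HTTP client or proxy capture you already have; the name-hint list is the part most worth tuning per application.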

