Testing Types for Security Testing

Configuration Management Security Testing
Analysis of the network infrastructure and web application architecture can often reveal a good amount of information: source code, permitted HTTP methods, administrative functionality, authentication methods, infrastructure configuration and so on.  Today's interconnected and heterogeneous web server infrastructures, which can count hundreds of servers, make configuration management review and validation a fundamental step in testing.  An application penetration test should include checking how the infrastructure was deployed and secured: while the application itself may be secure, a small aspect of the configuration could still be at its default install state and vulnerable to exploitation.  Testing for Configuration Management usually includes –

»        Use of strong cipher algorithms and their proper implementation
»        Security of the database listener port and component
»        Software versions of web servers, database servers and authentication servers, and their associated vulnerabilities
»        Default configuration of the application and its associated vulnerabilities
»        File extension handling configuration
»        Presence of redundant, readable and downloadable files on the web server
»        Restriction of admin functionality to authorized users
»        Configuration of HTTP methods and its associated vulnerabilities
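
As an added example (not part of the original post), the following Python audits two of the items above from recorded configuration data: the HTTP methods a server advertises in its Allow header (TRACE being the one that enables cross-site tracing) and the TLS cipher suites it offers. The host table, the list of risky methods and the weak-cipher markers are constructed assumptions for the demo rather than a definitive policy.

```python
"""Configuration audit for two checklist items: advertised HTTP methods
(e.g. TRACE, which enables cross-site tracing) and weak TLS cipher suites.
All input below is constructed sample data, not output from a real scan."""

# HTTP methods that rarely belong on a production web application (assumed policy).
RISKY_METHODS = {"TRACE", "TRACK", "PUT", "DELETE", "CONNECT", "PROPFIND"}

# Substrings that mark a cipher suite as weak (heuristic, not an exhaustive list).
WEAK_CIPHER_MARKERS = ("NULL", "EXPORT", "RC4", "DES", "MD5", "ANON")

# Constructed sample: what an OPTIONS response and a TLS scan reported per host.
SAMPLE_HOSTS = {
    "www.example.test": {
        "allow": "GET, HEAD, POST, OPTIONS, TRACE",
        "ciphers": ["TLS_AES_128_GCM_SHA256", "TLS_RSA_WITH_RC4_128_MD5"],
    },
    "api.example.test": {
        "allow": "GET, POST, OPTIONS",
        "ciphers": ["TLS_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"],
    },
}


def parse_allow_header(allow_value):
    """Parse an HTTP 'Allow' header value into an upper-case set of methods."""
    return {m.strip().upper() for m in allow_value.split(",") if m.strip()}


def audit_methods(allow_value):
    """Return the sorted risky methods advertised by an Allow header."""
    return sorted(parse_allow_header(allow_value) & RISKY_METHODS)


def is_weak_cipher(suite):
    """True when the suite name contains a known-weak marker ('3DES' matches 'DES')."""
    name = suite.upper()
    return any(marker in name for marker in WEAK_CIPHER_MARKERS)


def audit_host(host_config):
    """Produce a list of human-readable findings for one host's configuration."""
    findings = []
    for method in audit_methods(host_config["allow"]):
        findings.append(f"risky HTTP method enabled: {method}")
    for suite in host_config["ciphers"]:
        if is_weak_cipher(suite):
            findings.append(f"weak cipher suite offered: {suite}")
    return findings


def audit_all(hosts=SAMPLE_HOSTS):
    """Map each host name to its findings; hosts with none are still listed."""
    return {host: audit_host(cfg) for host, cfg in hosts.items()}


if __name__ == "__main__":
    for host, findings in audit_all().items():
        print(host, findings or "no findings")
```

The marker list is deliberately a heuristic: a real review compares the offered suites against a maintained policy (for instance the current Mozilla server-side TLS recommendations) rather than a handful of substrings, and confirms the server's preference order, not just its inventory.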

Scanner tools that can identify configuration-related vulnerabilities are as follows:

Application Configuration Weakness
  Open Source / Free Tools: W3AF, Nessus, Sandcat, arachni, Oedipus, iScan, N-Stalker, WSTool
  Commercial Tools: IBM AppScan, WebInspect, Cenzic Hailstorm, Acunetix, Skipfish, Sandcat, Jsky, Netsparker, Grendel Scan, ParosPro, Webcruiser, Web Injection Scanner

HTTP Methods and XST
  Open Source / Free Tools: W3AF, Nessus, Sandcat, arachni, ZAP, Oedipus, Andiparos, Watobo, Jsky, N-Stalker
  Commercial Tools: IBM AppScan, WebInspect, Cenzic Hailstorm, Acunetix, Skipfish, Sandcat, Jsky, Netsparker, Burpsuite, Vega, Grendel Scan, ParosPro, Paros Proxy, iScan

Old, Backup and Unreferenced Files
  Open Source / Free Tools: W3AF, ZAP, Syhunt Mini, Wapiti, WATOBO, Andiparos, Paros Proxy
  Commercial Tools: IBM AppScan, WebInspect, Acunetix, Burp Suite Professional, NTO Spider, Syhunt Dynamic, QualysGuard WAS, Netsparker, ScantoSecure, N-Stalker


Authentication Security Testing
Authentication is the process of verifying the digital identity of the sender of a communication.  The sender could be a user, a process or a device.  The most familiar example is the logon process, but authentication happens every time we use our computers; much of it is transparent to the user and handled by the computer.  Testing the authentication schema means understanding how the authentication process works and using that information to circumvent the authentication mechanism.  For a penetration tester it is valuable to be able to gain the trust of a system and bypass its security as an authorized entity.  The most common way people confirm their identity is with something they know, such as a password.  Testing for Authentication usually includes -

»        Understanding whether data travels unencrypted from the web browser to the server
»        Collecting a set of valid user names and then attempting brute force testing
»        Trying the default username and password of the deployed application / server
»        Retrieving a valid user account and password by enumerating many candidates
»        Bypassing the authentication schema by tampering with requests and tricking the application
»        Flaws in the “Remember Password” and “Password Reset” functions
»        Flaws in the logout and caching functions
»        CAPTCHA validation
»        Evaluating the strength of a “Multiple Factors Authentication System” such as OTP (One Time Password)
»        Testing for race conditions, a situation that is difficult to test for

Scanner tools that can identify authentication-related vulnerabilities are as follows:

Bypassing Authentication Schema
  Open Source / Free Tools: Nessus, WebScarab, WebGoat
  Commercial Tools: IBM AppScan, WebInspect, Cenzic Hailstorm, NTOSpider, Grendel Scan

Session Management Security Testing
Authentication and Session Management cover all aspects of handling user authentication and managing active sessions.  HTTP is a stateless protocol, so even simple logic requires a user’s multiple requests to be associated with each other across a ‘session’.  For web applications, a session is the length of time a user spends on a website, and the duration of authorized sessions should always be managed prudently.  The penetration tester's goal is to identify accounts that are permitted access to sessions with high-level privileges and unlimited time to access the web application.  Testing for Session Management usually includes -

»        Understanding the existing Session Management schema
»        Understanding whether cookies are protected
»        Accessing another user’s account through the active session (Session Fixation)
»        Retrieving session tokens while in transit between the client browser and the application server
»        Forcing an unknowing user to execute unwanted actions (Cross Site Request Forgery)
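
As an added example (not part of the original post), the Python below performs the two checks a tester makes first on session handling: whether the session cookie carries the Secure, HttpOnly and SameSite attributes (the "are cookies protected" item), and a rough entropy estimate over a sample of session identifiers (the "Session Identifier Complexity Analysis" of the tool table). The Set-Cookie headers and the token sample are constructed, the function names are my own, and the entropy figure is a rough lower bound from a small sample, not a proof of strength.

```python
import math
from collections import Counter

# Constructed sample Set-Cookie headers, as an intercepting proxy might capture them.
WEAK_COOKIE = "JSESSIONID=8F2A1C; Path=/"
HARDENED_COOKIE = "sid=8F2A1C; Path=/; Secure; HttpOnly; SameSite=Strict"

# Constructed sample of session identifiers collected from consecutive logins.
SEQUENTIAL_TOKENS = [f"SESS0000100{i}" for i in range(8)]


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (cookie name, attribute dict).
    Attribute names are lower-cased; flag attributes such as Secure map to True."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        elif part:
            attrs[part.lower()] = True
    return name, attrs


def audit_session_cookie(header_value):
    """Return findings for the protection attributes a session cookie should carry."""
    name, attrs = parse_set_cookie(header_value)
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure (may be sent over plain HTTP)")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly (readable by script, exposed to XSS)")
    samesite = attrs.get("samesite")
    if not isinstance(samesite, str) or samesite.lower() == "none":
        findings.append(f"{name}: SameSite absent or None (no CSRF mitigation from the cookie itself)")
    return findings


def estimate_entropy_bits(tokens):
    """Sum of per-position Shannon entropy over a sample of tokens, in bits.

    This is a rough lower bound from a small sample (each position can
    contribute at most log2(sample size)); it is good at exposing sequential
    or mostly-constant identifiers, not at certifying strong ones."""
    if not tokens:
        return 0.0
    sample_size = len(tokens)
    width = min(len(t) for t in tokens)
    total = 0.0
    for pos in range(width):
        counts = Counter(t[pos] for t in tokens)
        total -= sum((c / sample_size) * math.log2(c / sample_size)
                     for c in counts.values())
    return total


if __name__ == "__main__":
    for header in (WEAK_COOKIE, HARDENED_COOKIE):
        print(header, "->", audit_session_cookie(header) or "ok")
    print("entropy estimate (bits):", estimate_entropy_bits(SEQUENTIAL_TOKENS))  # 3.0
```

For the eight sequential tokens only the last character varies, so the estimate is log2(8) = 3 bits regardless of the identifier's length: exactly the signal that tells a tester the tokens are predictable and that a proper CSPRNG-backed session id is needed.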

Scanner tools that can identify session-related vulnerabilities are as follows:

Session Identifier Complexity Analysis
  Open Source / Free Tools: W3AF, Nessus, Sandcat, Jsky, WebScarab
  Commercial Tools: Cenzic Hailstorm, NTO Spider, Sandcat, Burpsuite, Grendel Scan


Authorization Security Testing
Authorization is the concept of allowing access to resources only to those permitted to use them.  While Authentication is about establishing and verifying user identity, Authorization is about permissions: is a user allowed to perform the operation it is invoking?  Testing for Authorization means understanding how the authorization process works and using that information to circumvent it.  Testing for Authorization usually includes -

»        Executing a path traversal attack to access reserved information
»        Bypassing the authorization schema
»        Checking whether a user can escalate his / her own privilege within the application
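
As an added example (not part of the original post), the Python below is the server-side control that the path traversal item tests for: a safe_join that only ever serves files under a fixed base directory, decoding the request path once, rejecting null bytes and absolute paths, collapsing ".." and then verifying the result still lies inside the base. The base directory, the probe paths and the helper names are my own constructions.

```python
import posixpath
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Raised when a user-supplied path would leave the permitted directory."""


def safe_join(base_dir, user_path):
    """Join user_path onto base_dir only if the result stays inside base_dir.

    Decodes percent-encoding exactly once (assumption: the web framework has
    not already decoded it), rejects null bytes and absolute paths, collapses
    '.' and '..', then confirms base_dir is still a path-component prefix.
    posixpath is used so the behaviour is identical on every platform; a real
    deployment should additionally resolve symlinks with os.path.realpath."""
    base = posixpath.normpath(base_dir)
    decoded = unquote(user_path)
    if "\x00" in decoded:
        raise PathTraversalError("null byte in path")
    if posixpath.isabs(decoded):
        raise PathTraversalError("absolute path not allowed")
    candidate = posixpath.normpath(posixpath.join(base, decoded))
    # commonpath compares whole components, so '/srv/app/files2' does not pass
    # as a child of '/srv/app/files' the way a plain startswith() check would.
    if posixpath.commonpath([base, candidate]) != base:
        raise PathTraversalError(f"path escapes base directory: {user_path!r}")
    return candidate


def is_allowed(base_dir, user_path):
    """Boolean convenience wrapper for access-control checks and tests."""
    try:
        safe_join(base_dir, user_path)
        return True
    except PathTraversalError:
        return False


BASE = "/srv/app/files"  # constructed example directory

if __name__ == "__main__":
    for p in ["reports/2024.pdf", "reports/../2024.pdf", "../../etc/passwd",
              "%2e%2e/%2e%2e/etc/passwd", "/etc/passwd", "a%00.pdf"]:
        print(f"{p!r:32} -> {'allowed' if is_allowed(BASE, p) else 'rejected'}")
```

Note the single decode: if the framework already percent-decoded the path, decoding again here would accept a double-encoded sequence that the framework would have refused, so the check must sit at the same decoding layer as the code that opens the file.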

Scanner tools that can identify authorization-related vulnerabilities are as follows:

Path Traversal
  Open Source / Free Tools: W3AF, IronWASP, ZAP, arachni, SkipFish, Wapiti, Vega, WATOBO, safe3wvs, WebSecurify
  Commercial Tools: IBM AppScan, WebInspect, Acunetix, Burp Suite Professional, NTO Spider, Syhunt Dynamic, WAS, Netsparker, ScantoSecure, Jsky, N-Stalker, Ammonite, ParosPro

Privilege Escalation
  Open Source / Free Tools: WebScarab
  Commercial Tools: IBM AppScan, WebInspect, Cenzic Hailstorm, NTOSpider


Business Logic Security Testing
Business logic can have security flaws that allow a user to do something the business does not allow.  For example, can a user make a purchase for a negative amount of money?  Attacks on the business logic of an application are dangerous, difficult to detect and usually specific to the application.  This type of vulnerability cannot be detected by a vulnerability scanner and relies upon the skills and creativity of the penetration tester.

There are no scanner tools that can identify vulnerabilities related to business logic, as it is context driven.

-
  Open Source / Free Tools: No Tool
  Commercial Tools: No Tool


Data Validation Security Testing
One weakness that underlies almost all web application vulnerabilities, such as XSS and SQL Injection, is erroneous data from an external entity.  Data from an external entity can be tampered with by an attacker or supplied unknowingly by a user, so it is important that the application filters and sanitizes all input data before it is trusted and processed.  Data Validation testing is the task of testing all possible forms of input to understand whether the application scrutinizes all data correctly.  Data Validation testing usually includes –
»        Making the victim load an offending URI (Reflected Cross-site Scripting)
»        Storing malicious code in the web page (Stored Cross-site Scripting)
»        Controlling a DOM element (DOM Cross-site Scripting)
»        Vulnerabilities such as DOM-based Cross-site Scripting in flawed Flash applications
»        Injecting SQL queries via the input data (SQL Injection)
»        Manipulating input parameters that are passed to internal search, add and modify functions (LDAP Injection)
»        Injecting a particular XML document into the application (XML Injection)
»        Injecting code into HTML pages (SSI Injection)
»        Injecting data into the application so that it executes user-controlled XPath queries (XPath Injection)
»        Injecting arbitrary IMAP/SMTP commands into the mail servers (IMAP / SMTP Injection)
»        Injecting data into the application that will later be executed by the web server (Code Injection)
»        Injecting an OS command through an HTTP request (OS Commanding)
»        Understanding the different types of buffer overflow vulnerabilities
»        HTTP splitting and HTTP smuggling
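
As an added example (not the page's own code), here is the SQL Injection item from the list shown as a vulnerable query beside its parameterized form, plus the output-encoding step that is the counterpart defence for reflected XSS, run against a constructed in-memory SQLite table. Table contents, names and the probe string are constructed for the demo.

```python
import html
import sqlite3


def make_demo_db():
    """In-memory SQLite database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test"),
         ("carol", "carol@example.test")],
    )
    return conn


def find_user_vulnerable(conn, name):
    """VULNERABLE: the untrusted value is spliced into the SQL text, so a quote
    in the input changes the structure of the query instead of being data."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, name):
    """HARDENED: a bound parameter travels to the driver separately from the
    SQL text, so whatever the input contains is only ever compared as data."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def render_greeting(name):
    """Output encoding for an HTML text context, the defence for reflected XSS:
    markup metacharacters in the value become entities, never tags."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    db = make_demo_db()
    probe = "x' OR '1'='1"   # textbook tautology that closes the quoted literal
    print("vulnerable:", find_user_vulnerable(db, probe))   # every row comes back
    print("safe:      ", find_user_safe(db, probe))         # no user has that literal name
    print(render_greeting("<script>alert(1)</script>"))
```

The same tautology returns all three rows from the vulnerable function and none from the safe one, which is also the behaviour a scanner from the table below is looking for when it compares responses to a tautology probe against a baseline.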

Scanner tools that can identify vulnerabilities related to data input from external entities are as follows:

Buffer Overflow
  Open Source / Free Tools: W3AF, Nessus, Sandcat
  Commercial Tools: IBM AppScan, WebInspect, Acunetix, Sandcat

Format String
  Open Source / Free Tools: W3AF, Nessus
  Commercial Tools: IBM AppScan, WebInspect, Cenzic Hailstorm, Skipfish, Vega

Code Injection
  Open Source / Free Tools: Sandcat, arachni, Uber Web Security Scanner
  Commercial Tools: IBM AppScan, Cenzic Hailstorm, Acunetix, SandcatCS, Skipfish, Netsparker

DOM Based Cross Site Scripting
  Open Source / Free Tools: W3AF, Watobo, arachni
  Commercial Tools: IBM AppScan, Cenzic Hailstorm, Acunetix, NTO Spider

HTTP Splitting / Smuggling
  Open Source / Free Tools: WebGoat, W3AF, Nessus, SandcatCS, arachni, Wapiti, ZAP, PowerFuzzer, Andiparos, Paros Proxy, Web Securify, WebScarab
  Commercial Tools: IBM AppScan, WebInspect, Cenzic Hailstorm Professional, Acunetix, NTOSpider, Sandcat Pro, Jsky, Netsparker, Burpsuite, Vega, Grendel Scan, ParosPro

IMAP/SMTP Injection
  Open Source / Free Tools: W3AF, Sandcat CS
  Commercial Tools: IBM AppScan, Acunetix, Sandcat

LDAP Injection
  Open Source / Free Tools: W3AF, SandcatCS, arachni, Wapiti, Power Fuzzer, Uber Web Security Scanner
  Commercial Tools: IBM AppScan, WebInspect, Cenzic Hailstorm Professional, Acunetix, Sandcat Pro, Jsky, Burp Suite

OS Commanding
  Open Source / Free Tools: W3AF, Nessus, Sandcat, arachni, Wapiti, PowerFuzzer, Oedipus
  Commercial Tools: IBM AppScan, WebInspect, Cenzic Hailstorm, Acunetix, NTO Spider, Sandcat, Skipfish, Jsky, Netsparker, Burpsuite, Vega

Reflected Cross Site Scripting
  Open Source / Free Tools: W3AF, IronWASP, ZAP, arachni, Syhunt Mini (Sandcat Mini), SkipFish, Wapiti, Sandcat, Vega, Grendel Scan, WATOBO, Andiparos, PowerFuzzer, Paros Proxy, Oedipus, Uber Web Security Scanner, Jsky, safe3wvs, WebSecurify, Grabber, Netsparker, WebCruiser, Proxy Strike, Acunetix WVS, WebScarab, N-Stalker, XSSer, Gamja, Secubat, WSTool, XSSploit, Screaming CSS, XSSS, Crawlfish
  Commercial Tools: IBM AppScan, WebInspect, Acunetix, Burp Suite Professional, NTO Spider, Syhunt Dynamic, QualysGuard WAS, Netsparker, ScantoSecure, Jsky, N-Stalker, Ammonite, ParosPro, WebCruiser

SQL Injection
  Open Source / Free Tools: W3AF, IronWASP, ZAP, arachni, Syhunt Mini (Sandcat Mini), SkipFish, Wapiti, Sandcat, Vega, Grendel Scan, WATOBO, Andiparos, PowerFuzzer, Paros Proxy, Oedipus, Uber Web Security Scanner, Jsky, safe3wvs, WebSecurify, Grabber, Netsparker, WebCruiser, Proxy Strike, SQLiX, sqlmap, Gamja, Mini Mysqlator, Secubat, WSTool, DSSS, aidSQL, Scrawlr, LoverBoy, SQLID, VulnDetector, openAcunetix, Priamos, XCobra, iScan
  Commercial Tools: IBM AppScan, WebInspect, Acunetix, Burp Suite Professional, NTO Spider, Syhunt Dynamic, QualysGuard WAS, Netsparker, ScantoSecure, Jsky, N-Stalker, Ammonite, ParosPro, WebCruiser

SSI Injection
  Open Source / Free Tools: W3AF, Nessus, ZAP, Andiparos, Paros Proxy, Proxy Strike
  Commercial Tools: IBM AppScan, WebInspect, Cenzic Hailstorm, ParosPro

Stored Cross Site Scripting
  Open Source / Free Tools: W3AF, Nessus, Wapiti, PowerFuzzer, XSSploit
  Commercial Tools: IBM AppScan, WebInspect, Cenzic Hailstorm, Acunetix, NTO Spider, Skipfish, Netsparker, BurpSuite

XML Injection
  Open Source / Free Tools: Nessus, Uber Web Security Scanner
  Commercial Tools: IBM AppScan, Skipfish, BurpSuite, Vega

XPath Injection
  Open Source / Free Tools: W3AF, SandcatCS, Sandcat, arachni, Wapiti, Powerfuzzer, WebCruiser
  Commercial Tools: IBM AppScan, WebInspect, Acunetix, Skipfish, Sandcat, Jsky, WebCruiser

Cross Site Scripting
  Open Source / Free Tools: W3AF, IronWASP, ZAP, arachni, Syhunt Mini (Sandcat Mini), SkipFish, Wapiti, Vega
  Commercial Tools: IBM AppScan, WebInspect, Acunetix, Burp Suite Professional, NTO Spider, Syhunt Dynamic, Netsparker, ScantoSecure, Jsky, N-Stalker, Ammonite

Unvalidated Redirects and Forwards
  Open Source / Free Tools: W3AF, IronWASP, ZAP, arachni, Skipfish
  Commercial Tools: IBM AppScan, WebInspect, Acunetix, Burp Suite Professional, NTO Spider, QualysGuard WAS, Netsparker, ScantoSecure, N-Stalker



Denial of Service Security Testing
One of the most common and simplest forms of attack on a system is the Denial of Service (DoS) attack.  It does not attempt to intrude into the system or obtain sensitive information; it simply aims to prevent legitimate users from accessing the system.  DoS attacks can target individual machines, the network that connects them, or all the machines simultaneously.  They rely on the fact that every device has operational limits: any computer system, web server or network can handle only a finite load, and simply overloading it with requests will block service to legitimate users.  This section focuses on attacks against availability that can be launched by a single malicious user on a single machine.  Denial of Service (DoS) testing usually includes -
»        Forcing the underlying database to carry out CPU-intensive queries by using several wildcards
»        Locking valid user accounts by repeatedly attempting to log in with a wrong password
»        Causing a DoS by overflowing one or more data structures of the target application
»        Exhausting server resources by making the application allocate a very high number of objects
»        Forcing the application to loop through a code segment that needs high computing resources
»        Filling the target disks with log data
»        Understanding whether the application properly releases resources (memory or files) after use
»        Allocating a large amount of data into a user session object
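
As an added example (not part of the original post), the Python below addresses two items at once: the brute-force attempt from the Authentication list and the account-lockout DoS from the list above. A lockout keyed on the account alone turns the first defence into the second attack, because anyone who knows a user name can lock that user out; keying a sliding failure window on (source address, account) still limits guessing from one source without handing an attacker a way to lock out the real user. Class and function names, the thresholds and the sample addresses are my own assumptions.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window failure counter keyed by (source address, account).

    Keying on the pair limits password guessing from one source without
    letting that same source lock the account for its legitimate owner.
    The clock is injectable so the behaviour can be tested deterministically."""

    def __init__(self, max_failures=5, window_seconds=300, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock
        self._failures = defaultdict(deque)   # (source, account) -> failure timestamps

    def _recent(self, key, now):
        """Drop failures older than the window and return the remaining deque."""
        queue = self._failures[key]
        while queue and now - queue[0] > self.window:
            queue.popleft()
        return queue

    def is_blocked(self, source, account):
        return len(self._recent((source, account), self.clock())) >= self.max_failures

    def record_failure(self, source, account):
        now = self.clock()
        self._recent((source, account), now).append(now)

    def record_success(self, source, account):
        """A successful login clears the counter for that pair only."""
        self._failures.pop((source, account), None)

    def retry_after(self, source, account):
        """Seconds until the oldest counted failure leaves the window (0 if not blocked)."""
        now = self.clock()
        queue = self._recent((source, account), now)
        if len(queue) < self.max_failures:
            return 0.0
        return max(0.0, self.window - (now - queue[0]))


class FakeClock:
    """Manually advanced clock for the demo and tests (constructed helper)."""
    def __init__(self):
        self.now = 1000.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def simulate():
    """Five wrong passwords from one source block only that source for 'alice';
    the account owner at another address can still log in, and the block expires."""
    clock = FakeClock()
    throttle = LoginThrottle(max_failures=5, window_seconds=300, clock=clock)
    for _ in range(5):
        throttle.record_failure("203.0.113.7", "alice")
    attacker_blocked = throttle.is_blocked("203.0.113.7", "alice")
    owner_blocked = throttle.is_blocked("198.51.100.2", "alice")
    clock.advance(301)
    expired = throttle.is_blocked("203.0.113.7", "alice")
    return attacker_blocked, owner_blocked, expired


if __name__ == "__main__":
    print(simulate())  # (True, False, False)
```

Source-keyed throttling is one layer, not the whole answer: a distributed guesser spreads attempts across addresses, so production systems add a per-account cap on total failures that triggers a step-up (CAPTCHA or a second factor) rather than a hard lock, and alert on the aggregate failure rate.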

Scanner tools that can identify DoS-related vulnerabilities are as follows:

Regular Expression Denial of Service
  Open Source / Free Tools: W3AF, Nessus, Wapiti, safe3wvs, WebSecurify
  Commercial Tools: WebInspect


Web Service Security Testing
Web services are exposed to the network like any other service, but can run over HTTP, FTP, SMTP and MQ among other transport protocols.  The Web Services Framework uses HTTP in conjunction with XML, SOAP, REST, WSDL and UDDI.  Web service vulnerabilities are similar to other vulnerabilities, such as SQL injection and information disclosure and leakage, but web services also have unique XML / parser related vulnerabilities.  Web service security testing usually includes -

»        Understanding the web service entry point and the communication schema
»        Invoking an operation that is not used in a standard SOAP request
»        Sending very large or malformed XML messages
»        Attacking the web service by passing malicious content in the HTTP GET query string
»        Attaching binary files (executables, malware etc.) to the web service if it accepts attachments
»        Conducting a man-in-the-middle attack
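
As an added example (not the page's own code), the Python below shows how a web service endpoint can enforce limits before and during parsing so that the "very large or malformed XML messages" item is handled with the standard library alone: a size cap, rejection of DTD and entity declarations (the vehicle for entity-expansion and external-entity parser attacks), a nesting-depth limit, and clean handling of parse errors. The SOAP message, the limits and the helper names are constructed for the demo.

```python
import xml.etree.ElementTree as ET
from io import BytesIO


class XmlRejected(ValueError):
    """Raised when an inbound message fails the pre-parse or structural limits."""


# Constructed sample: a small SOAP request as a web service endpoint might receive it.
SAMPLE_SOAP = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOrder xmlns="urn:example:orders"><orderId>42</orderId></GetOrder>
  </soap:Body>
</soap:Envelope>"""


def safe_parse_xml(data, max_bytes=1_000_000, max_depth=32):
    """Parse untrusted XML with size, DTD and nesting limits; return the root.

    Rejects messages over max_bytes, any DOCTYPE/ENTITY declaration, nesting
    deeper than max_depth, and malformed documents. Scanning for '<!doctype'
    anywhere in the bytes also rejects CDATA that merely mentions it, an
    accepted trade-off for a machine-to-machine endpoint."""
    if len(data) > max_bytes:
        raise XmlRejected(f"message too large: {len(data)} bytes")
    lowered = data.lower()
    if b"<!doctype" in lowered or b"<!entity" in lowered:
        raise XmlRejected("DTD and entity declarations are not accepted")
    depth = 0
    root = None
    try:
        # Streaming parse lets the depth check fire before the whole tree is built.
        for event, elem in ET.iterparse(BytesIO(data), events=("start", "end")):
            if event == "start":
                depth += 1
                if depth > max_depth:
                    raise XmlRejected(f"nesting deeper than {max_depth}")
                if root is None:
                    root = elem
            else:
                depth -= 1
    except ET.ParseError as exc:
        raise XmlRejected(f"malformed XML: {exc}") from exc
    return root


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def classify(data, **limits):
    """Return 'accepted:<root>' or 'rejected:<reason>'; handy for logging and tests."""
    try:
        root = safe_parse_xml(data, **limits)
        return f"accepted:{local_name(root.tag)}"
    except XmlRejected as exc:
        return f"rejected:{exc}"


if __name__ == "__main__":
    deep = b"<a>" * 40 + b"</a>" * 40
    dtd = b'<!DOCTYPE x [<!ENTITY e "e">]><x>&e;</x>'
    for sample in (SAMPLE_SOAP, deep, dtd, b"<x><y></x>"):
        print(classify(sample))
```

The rejection reason is returned rather than echoed to the client as-is; a service should log it with the source and respond with a generic fault, since detailed parser errors are themselves an information-leakage channel.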

Scanner tools that can identify web-service-related vulnerabilities are as follows:

XML Content Level
  Open Source / Free Tools: WebScarab, Metasploit
  Commercial Tools: -

XML Structural
  Open Source / Free Tools: WebScarab
  Commercial Tools: -


AJAX Security Testing
AJAX uses the XMLHttpRequest object and JavaScript to make asynchronous requests to the web server, parse the responses and then update the page DOM and CSS.  AJAX applications are more complicated because processing is done on both the client side and the server side.  Frameworks hide this complexity, but that also leads to situations where developers do not fully understand where the code will execute, which makes it difficult to properly assess the risk associated with particular applications or features.  AJAX applications have the same vulnerabilities a traditional web application can have, such as SQL injection and data validation flaws.  In addition, AJAX applications can be vulnerable to newer classes of attack such as Cross Site Request Forgery (XSRF).  Testing AJAX applications can be challenging because developers use different encoding or serialization schemes when submitting POST data, which makes it difficult for testing tools to reliably create automated test requests.  A web proxy tool is extremely helpful for analyzing the traffic.
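
As an added example (not part of the original post) for the Cross Site Request Forgery item, which also appears in the Session Management list above, the Python below is a server-side admission check for a state-changing AJAX endpoint: a session-bound HMAC token carried in a request header, plus the X-Requested-With header that a browser will not attach to a cross-origin request without CORS approval. Key handling, header names and the session identifiers are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed demo key; a real deployment loads this from configuration and rotates it.
SERVER_KEY = secrets.token_bytes(32)


def _mac(session_id, nonce):
    """HMAC-SHA256 over session id and nonce, so a token is only valid for one session."""
    return hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()


def issue_csrf_token(session_id):
    """Token = random nonce + MAC binding it to the caller's session id.
    Delivered to the page at render time, never readable from another origin."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"


def verify_csrf_token(session_id, token):
    """Recompute the MAC for this session and compare in constant time."""
    if not isinstance(token, str) or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    return hmac.compare_digest(_mac(session_id, nonce), mac)


def authorize_ajax_write(headers, session_id):
    """Admission check for a state-changing AJAX endpoint.

    Two independent signals: the X-Requested-With header, which triggers a CORS
    preflight when set cross-origin and so cannot be forged by a plain form post,
    and the session-bound CSRF token in X-CSRF-Token. A forged cross-site request
    carries the victim's session cookie but neither of these headers."""
    if headers.get("X-Requested-With") != "XMLHttpRequest":
        return False
    return verify_csrf_token(session_id, headers.get("X-CSRF-Token", ""))


if __name__ == "__main__":
    token = issue_csrf_token("session-A")
    good = {"X-Requested-With": "XMLHttpRequest", "X-CSRF-Token": token}
    forged = {}  # cross-site form post: the cookie rides along, custom headers do not
    print(authorize_ajax_write(good, "session-A"), authorize_ajax_write(forged, "session-A"))
```

Because the token is a MAC over the session id rather than a value stored server-side, it needs no per-token storage and a token stolen from one session is useless against another; a SameSite cookie attribute adds a third, browser-enforced layer on top.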

Scanner tools that can identify AJAX-related vulnerabilities are as follows:

AJAX Vulnerabilities
  Open Source / Free Tools: OWASP Sprajax, safe2wvs, Sandcat, W3AF
  Commercial Tools: Acunetix, Hailstorm, WebInspect, Watchfire, N-Stalker, Grabber, IBM AppScan, Jsky, Netsparker, NTOSpider, ParosPro, Sandcat

