BASELINE SECURITY TEST PLAN FOR EDUCATIONAL WEB AND MOBILE APPLICATIONS



Similar documents
Criteria for web application security check. Version

Using Foundstone CookieDigger to Analyze Web Session Management

Web Application Security

Magento Security and Vulnerabilities. Roman Stepanov

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

Check list for web developers

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

Kentico CMS security facts

EVALUATING COMMERCIAL WEB APPLICATION SECURITY. By Aaron Parke

Attack and Penetration Testing 101

SECURING SELF-SERVICE PASSWORD RESET

Sitefinity Security and Best Practices

Introduction:... 1 Security in SDLC:... 2 Penetration Testing Methodology: Case Study... 3

External Network & Web Application Assessment. For The XXX Group LLC October 2012

Application Security Testing. Generic Test Strategy

Where every interaction matters.

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

An Insight into Cookie Security

A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Conducting Web Application Pentests. From Scoping to Report For Education Purposes Only

Lecture 11 Web Application Security (part 1)

Secure development and the SDLC. Presented By Jerry

APPLICATION SECURITY AND ITS IMPORTANCE

The Top Web Application Attacks: Are you vulnerable?

Cyber Security Challenge Australia 2014

Semantic based Web Application Firewall (SWAF V 1.6) Operations and User Manual. Document Version 1.0

SESSION IDENTIFIER ARE FOR NOW, PASSWORDS ARE FOREVER

Bug Report. Date: March 19, 2011 Reporter: Chris Jarabek

Security vulnerabilities in new web applications. Ing. Pavol Lupták, CISSP, CEH Lead Security Consultant

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

Secure Web Development Teaching Modules 1. Threat Assessment

Essential IT Security Testing

Gateway Apps - Security Summary SECURITY SUMMARY

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

(WAPT) Web Application Penetration Testing

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

Web Application Guidelines

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities

OWASP Top Ten Tools and Tactics

Enterprise Application Security Workshop Series

Cross Site Scripting in Joomla Acajoom Component

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

Architectural Design Patterns. Design and Use Cases for OWASP. Wei Zhang & Marco Morana OWASP Cincinnati, U.S.A.

OWASP Secure Coding Practices Quick Reference Guide

Sichere Software- Entwicklung für Java Entwickler

What is Web Security? Motivation

Hack Yourself First. Troy troyhunt.com

OWASP TOP 10 ILIA

OWASP AND APPLICATION SECURITY

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

Table of Contents. Open-Xchange Authentication & Session Handling. 1.Introduction...3

SECURITY ADVISORY. December 2008 Barracuda Load Balancer admin login Cross-site Scripting

Passing PCI Compliance How to Address the Application Security Mandates

Web Application Security Considerations

Thick Client Application Security

Tableau Server Security. Version 8.0

Web Application Penetration Testing

Workday Mobile Security FAQ

White Paper BMC Remedy Action Request System Security

Online Data Services. Security Guidelines. Online Data Services by Esri UK. Security Best Practice

STABLE & SECURE BANK lab writeup. Page 1 of 21

Last update: February 23, 2004

Validation Procedure. ANNEX 4. Security Testing Basis

ABC LTD EXTERNAL WEBSITE AND INFRASTRUCTURE IT HEALTH CHECK (ITHC) / PENETRATION TEST

Rational AppScan & Ounce Products

Recon and Mapping Tools and Exploitation Tools in SamuraiWTF Report section Nick Robbins

WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

<Insert Picture Here> Oracle Web Cache 11g Overview

Testing the OWASP Top 10 Security Issues

Chapter 1 Web Application (In)security 1

Client Side Filter Enhancement using Web Proxy

Columbia University Web Security Standards and Practices. Objective and Scope

elearning for Secure Application Development

Acunetix Website Audit. 5 November, Developer Report. Generated by Acunetix WVS Reporter (v8.0 Build )

Hack Proof Your Webapps

WHITE PAPER. FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS 6.5 and 6.6

Penetration Testing with Kali Linux

Guidelines for Web applications protection with dedicated Web Application Firewall

Web application security

Intro to Firewalls. Summary

State of The Art: Automated Black Box Web Application Vulnerability Testing. Jason Bau, Elie Bursztein, Divij Gupta, John Mitchell

Intrusion detection for web applications

05.0 Application Development

Security features of ZK Framework

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

NetBrain Security Guidance

BUILDING AN OFFENSIVE SECURITY PROGRAM BUILDING AN OFFENSIVE SECURITY PROGRAM

Web Engineering Web Application Security Issues

Top Ten Web Application Vulnerabilities in J2EE. Vincent Partington and Eelco Klaver Xebia

SENSE Security overview 2014

Application Security Policy

Contemporary Web Application Attacks. Ivan Pang Senior Consultant Edvance Limited

Transcription:

BASELINE SECURITY TEST PLAN FOR EDUCATIONAL WEB AND MOBILE APPLICATIONS Published by Tony Porterfield Feb 1, 2015. Overview The intent of this test plan is to evaluate a baseline set of data security practices that are straightforward for end users to observe from an authenticated session of the web service. Quantifying observable security practices of online services can give a metric for comparison and evaluation of the services. Furthermore, a measure of the rigor of the security practices that an end user can observe (and an intruder can exploit) provides insight in to the rigor of the overall security practices of the web service. The tests defined in this document are focused on data security of browser- based web applications, and mobile apps that use HTTP. Most of the tests are based on the OWASP Application Security Verification Standard, 2014 (ASVS) and are a subset of the Opportunistic verification level defined in the ASVS. The ASVS is available at: https://www.owasp.org/index.php/asvs The tests are divided in to two sections: Objective Tests and Subjective Tests. Note that this testing will require a valid user account for the web service under test. Objective tests are straightforward to perform using a browser or app, proxy and cookie editor. Compliance to these requirements can be evaluated without much ambiguity or subjectivity. For 3 rd party apps running within a host web app, a subset of these tests can be performed based on the functionality of the interface between the host web app and 3 rd party web app. Subjective tests require more complex or free form analysis, and evaluating compliance may be subjective. These are listed in rough order of importance. The scoring or rating system is not defined here and will be added in later versions of the test plan. Scoring for vulnerabilities should be weighted based on the severity of the vulnerability and the sensitivity of the information that would be exposed if exploited. The Common Vulnerability Scoring System (CVSS) may provide a starting point for rating severity.

Summary of objective test sections 1. Login and authentication: Problems here can lead to passwords or sensitive information being snooped or logged, or session authentication tokens stolen. 2. Password reset: Sending the old or new password after a lost password request can expose the account s password to attackers. Furthermore, a site that can send the current password to a user is not properly hashing the password at the server. 3. Username enumeration: This tests how easy it is for potential attacker to test potential usernames for validity. This would be the first step in a brute- force password attack. 4. Auth. token/session ID and cookie handling: Incorrect protection or handling of authentication tokens could lead to an attacker stealing them and hijacking the session. 5. Sensitive information outside of message body: Sensitive information in URLs can be stored in browser histories and caches, and server logs, where they could be viewed by potential attackers and possibly leveraged to get more access. 6. Verify pages with sensitive information disable caching: Sensitive information left in browser disk caches could be viewed by others who use the same browser. Shared use computers are commonly used by students and teachers at schools. Students may also log in on shared computers in public places such as libraries. 7. Check for clickjacking protection: Clickjack attacks superimpose an attacker s page in an iframe over the original page. This is a low risk in educational applications but a straightforward protection to add. 8. Single access code grants access to sensitive data: many educational sites generate classroom codes that students can use to enter class groups on the site. If these allow access without a secondary check such as teacher approval, an attacker who gets or enumerates valid codes could enter and gather sensitive information about the other students in the class. 9. Password complexity: Though younger children may have trouble remembering long passwords, extremely short passwords increase the chance of a brute force password attack. 10. Excessive headers: Server and platform details in response headers can reveal information that could be useful to an attacker attempting to compromise the system.

Summary of subjective test sections 1. Direct object reference: can allow an attacker to access data without authorization by enumerating or otherwise constructing the URL for the page. 2. Session timeout: Protects a user against forgetting to log out on a shared computer, and against an attacker getting a session authentication token and using it indefinitely to access the account 3. Error messages: Error messages can reveal important details about a system to an attacker 4. XSS: Cross Site Scripting/Injection: An attacker can inject malicious scripts or HTML code to a user s browser. 5. Unsecured APIs: APIs that allow queries without proper authentication can allow attackers to extract significant amounts of information from the system by crafting API requests. 6. Brute- force login check: If login attempts are not rate limited, an attacker can brute force the passwords at a much higher rate. It s worth noting that passwords used by young students or assigned by schools are often simple or formulaic. Notations: ASVS requirements are enclosed in (parens) Testing tools are enclosed in [brackets] o Client: web browser or mobile app o Cookie editor: allows viewing and modification of cookies, such as Edit this cookie for Chrome o Proxy: Allows inspection and modification of HTTP traffic generated by the client. OWASP ZAP, Burp Suite Proxy and Fiddler2 are examples of proxy programs. o Asafaweb: www.asafaweb.com: automated test for some security practices Copyright and License This document is released under the Creative Commons Attribution ShareAlike License. For any reuse or distribution you must make clear to others the license terms of this work. This document relies upon content contained in the OWASP Application Security Verification Standard, also released under the the Creative Commons Attribution ShareAlike license.

TEST PLAN test date & notes Web application name and URL: Personal information that can be collected: SSL Labs SSL score (https://www.ssllabs.com/ssltest/index.html) Objective tests 1. Login and authentication: 1.1. Verify that password is not echoed to screen, and autocomplete is not enabled for password (V2.2) [Client] 1.2. Verify that login form is served using HTTPS (V2.16) [Client, Proxy] 1.3. Verify that login credentials posted using HTTPS (V2.16) [Client, Proxy] 1.4. Verify that authenticated sessions continue to serve pages using HTTPS. (V2.16)[Client] 1.5. Verify that all login checks (authentication controls) are enforced on server side (V2.4)[Client, Proxy] 1.6. Notes: 2. Lost password: 2.1. Request password reset, verify that old or new password is not sent in plain text to user (V2.17) [Client] 2.2. Notes: 3. Username enumeration (V2.18) [Client] 3.1. Attempt login with {valid username,invalid password} and {invalid username,invalid password}. Verify that responses are different for valid usernames and invalid usernames 3.2. Request lost- password reset for valid username and invalid username. Verify that responses are not different 3.3. Request lost username help and verify valid usernames can not be enumerated (if applicable) 3.4. Notes: 4. Authentication token/session ID and cookie handling Authentication cookie name: 4.1. Auth/session cookie(s): httpsonly flag (V3.14) [Client, Cookie editor] 4.2. Auth/session cookie(s): secure flag (V3.15) [Client,Cookie editor] 4.3. Verify that strict transport security headers are present (V3.15) [Proxy] 4.4. Verify auth/session is not sent in url (V3.6)[Client,Proxy] 4.5. Log out, restore auth/session cookie and verify it does not allow access (V3.2)[Client,Cookie Editor] 4.6. Verify that all pages that require authentication have logout links (V3.4) [Client] 4.7. Notes:

5. Sensitive information sent outside of message body 5.1. Examine URLs of HTTP requests for sensitive information (V9.3) [Client,Proxy] 5.2. Notes: 6. Verify that forms and other pages containing sensitive information have disabled client- side (disk) caching using Cache- Control directives (V9.1) [Proxy] 6.1. no- cache, no- store to prevent disk caching of sensitive information 6.2. Notes: 7. Check for X- Frame- Option header to protect against clickjacking 7.1. Examine response headers for XFO option (V11.8) [Client, Proxy, asafaweb.com] 7.2. Notes: 8. Check whether access to sensitive information can be gained with a single access code, and no other form of authentication 8.1. Examine how classroom groups or other user groups are formed does a single class code provide access to sensitive information without further verification by teacher or other mechanism? [Client] 8.2. Are there other ways were an individual s or group s information can be accessed with a single authentication code. [Client] 8.3. Notes: 9. Check minimum password length and complexity requirements 9.1. Attempt to set password of length 1 character, if rejected record minimum length required. [Client] 9.1.1. Perform test during account creation (if possible) 9.1.2. Perform test for password reset 9.2. Notes 10. Excessive headers 10.1. Check for unnecessary information about server platform in response headers. [asafaweb.com] 10.2. Notes:

Subjective or more complex tests Test specifics will be added to this section in future revisions 1. Access control/direct object reference/enumeration (V4.1- V4.5) [Client,Proxy] 1.1. Look for numeric user IDs in URLs, then change them to see if information beyond the scope of the account is provided, such as other users information. [Client] 1.2. Look for other names, IDs or fields that can be changed to provide unauthorized access to information or resources [Browser] 2. Authenticated sessions time out (V2.3) [Client] 2.1. Verify that session will time out 3. Error messages (V6.1) [Client, asafaweb.com does some checking for this] 3.1. Verify that error messages do not reveal system internals 4. XSS and Injection testing (Multiple ASVS requirements) [Client] 4.1. Look for instances where user input is served to the client without input verification. For example, enter a short script to raise an alert in a user name field when setting up a test account. 5. APIs that can be used for unauthorized data access (more common in moble apps) [Client, Proxy] 5.1. Examine client requests, look for API calls that can be used with other parameters or without authentication to retrieve sensitive information. 6. Brute- force check for login [Proxy] Present a sequence of invalid passwords for a user account 6.1. Check for rate limiting

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information