https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=ManioncOWASP - User contributions [en]2026-04-18T10:18:44ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=Social_Engineering&diff=17945Social Engineering2007-04-19T18:58:59Z<p>Manionc: /* References */</p>
<hr />
<div>==Definition ==<br />
An attack based on deceiving end users or administrators at a target site. Social engineering attacks are are typically carried out by email or by contacting users by phone and impersonating an authorized user, in an attempt to gain unauthorized access to a system or application.<br />
<br />
== Examples ==<br />
'''Example #1:''' <br />
*An attacker, posing an a system administrator, sends an email to several users on a large network (like a college campus network) and asks them to, “Please change your password to ‘xyz123’ and then notify me when you've completed this.”<br />
*The attacker then logs in as one of the users from over the network. <br />
*System bugs are then exploited to gain complete control of the system.<br />
<br />
== Countermeasures ==<br />
* Educate staff<br />
* Establish mechanisms for problem reporting and handling and make sure users know what those mechanisms are<br />
* Identify security-related transactions that must be done in person<br />
<br />
<br />
== Related Attacks ==<br />
<br />
<br />
<br />
== References ==<br />
Social Engineering [http://en.wikipedia.org/wiki/Social_engineering_(computer_security)#Quid_pro_quo]</div>Manionchttps://wiki.owasp.org/index.php?title=Social_Engineering&diff=17944Social Engineering2007-04-19T18:58:12Z<p>Manionc: /* References */</p>
<hr />
<div>==Definition ==<br />
An attack based on deceiving end users or administrators at a target site. Social engineering attacks are are typically carried out by email or by contacting users by phone and impersonating an authorized user, in an attempt to gain unauthorized access to a system or application.<br />
<br />
== Examples ==<br />
'''Example #1:''' <br />
*An attacker, posing an a system administrator, sends an email to several users on a large network (like a college campus network) and asks them to, “Please change your password to ‘xyz123’ and then notify me when you've completed this.”<br />
*The attacker then logs in as one of the users from over the network. <br />
*System bugs are then exploited to gain complete control of the system.<br />
<br />
== Countermeasures ==<br />
* Educate staff<br />
* Establish mechanisms for problem reporting and handling and make sure users know what those mechanisms are<br />
* Identify security-related transactions that must be done in person<br />
<br />
<br />
== Related Attacks ==<br />
<br />
<br />
<br />
== References ==<br />
[http://en.wikipedia.org/wiki/Social_engineering_(computer_security)#Quid_pro_quo]</div>Manionchttps://wiki.owasp.org/index.php?title=Social_Engineering&diff=17943Social Engineering2007-04-19T18:56:46Z<p>Manionc: </p>
<hr />
<div>==Definition ==<br />
An attack based on deceiving end users or administrators at a target site. Social engineering attacks are are typically carried out by email or by contacting users by phone and impersonating an authorized user, in an attempt to gain unauthorized access to a system or application.<br />
<br />
== Examples ==<br />
'''Example #1:''' <br />
*An attacker, posing an a system administrator, sends an email to several users on a large network (like a college campus network) and asks them to, “Please change your password to ‘xyz123’ and then notify me when you've completed this.”<br />
*The attacker then logs in as one of the users from over the network. <br />
*System bugs are then exploited to gain complete control of the system.<br />
<br />
== Countermeasures ==<br />
* Educate staff<br />
* Establish mechanisms for problem reporting and handling and make sure users know what those mechanisms are<br />
* Identify security-related transactions that must be done in person<br />
<br />
<br />
== Related Attacks ==<br />
<br />
<br />
<br />
== References ==</div>Manionchttps://wiki.owasp.org/index.php?title=Social_Engineering&diff=17942Social Engineering2007-04-19T18:54:12Z<p>Manionc: /* Examples */</p>
<hr />
<div>==Definition ==<br />
An attack based on deceiving end users or administrators at a target site. Social engineering attacks are are typically carried out by email or by contacting users by phone and impersonating an authorized user, in an attempt to gain unauthorized access to a system or application.<br />
<br />
== Examples ==<br />
'''Example #1:''' <br />
*An attacker, posing an a system administrator, sends an email to several users on a large network (like a college campus network) and asks them to, “Please change your password to ‘xyz123’ and then notify me when you've completed this.”<br />
*The attacker then logs in as one of the users from over the network. <br />
*System bugs are then exploited to gain complete control of the system.<br />
<br />
== Countermeasures ==<br />
* Educate staff<br />
* Establish mechanisms for problem reporting and handling and make sure users know what those mechanisms are<br />
* Identify security-related transactions that must be done in person</div>Manionchttps://wiki.owasp.org/index.php?title=Social_Engineering&diff=17941Social Engineering2007-04-19T18:53:36Z<p>Manionc: /* Definition */</p>
<hr />
<div>==Definition ==<br />
An attack based on deceiving end users or administrators at a target site. Social engineering attacks are are typically carried out by email or by contacting users by phone and impersonating an authorized user, in an attempt to gain unauthorized access to a system or application.<br />
<br />
== Examples ==<br />
Example #1: (Believe it or not, this has worked for some attackers!)<br />
*An attacker, posing an a system administrator, sends an email to several users on a large network (like a college campus network) and asks them to, “Please change your password to ‘xyz123’ and then notify me when you've completed this.”<br />
*The attacker then logs in as one of the users from over the network. <br />
*System bugs are then exploited to gain complete control of the system.<br />
<br />
== Countermeasures ==<br />
* Educate staff<br />
* Establish mechanisms for problem reporting and handling and make sure users know what those mechanisms are<br />
* Identify security-related transactions that must be done in person</div>Manionchttps://wiki.owasp.org/index.php?title=Social_Engineering&diff=17940Social Engineering2007-04-19T18:51:46Z<p>Manionc: </p>
<hr />
<div>==Definition ==<br />
An attack based on deceiving users or administrators at the target site. Social engineering attacks are typically carried out by telephoning users or operators and pretending to be an authorized user, to attempt to gain illicit access to systems.<br />
<br />
== Examples ==<br />
Example #1: (Believe it or not, this has worked for some attackers!)<br />
*An attacker, posing an a system administrator, sends an email to several users on a large network (like a college campus network) and asks them to, “Please change your password to ‘xyz123’ and then notify me when you've completed this.”<br />
*The attacker then logs in as one of the users from over the network. <br />
*System bugs are then exploited to gain complete control of the system.<br />
<br />
== Countermeasures ==<br />
* Educate staff<br />
* Establish mechanisms for problem reporting and handling and make sure users know what those mechanisms are<br />
* Identify security-related transactions that must be done in person</div>Manionchttps://wiki.owasp.org/index.php?title=Social_Engineering&diff=17939Social Engineering2007-04-19T18:50:53Z<p>Manionc: /* Countermeasures */</p>
<hr />
<div>'''Social Engineering'''<br />
<br />
==Definition ==<br />
An attack based on deceiving users or administrators at the target site. Social engineering attacks are typically carried out by telephoning users or operators and pretending to be an authorized user, to attempt to gain illicit access to systems.<br />
<br />
<br />
== Examples ==<br />
Example #1: (Believe it or not, this has worked for some attackers!)<br />
1. An attacker, posing an a system administrator, sends an email to several users on a large network (like a college campus network) and asks them to, “Please change your password to ‘xyz123’ and then notify me when you've completed this.”<br />
3. The attacker then logs in as one of the users from over the network. <br />
4. System bugs are then exploited to gain complete control of the system.<br />
<br />
== Countermeasures ==<br />
* Educate staff<br />
* Establish mechanisms for problem reporting and handling and make sure users know what those mechanisms are<br />
* Identify security-related transactions that must be done in person</div>Manionchttps://wiki.owasp.org/index.php?title=Social_Engineering&diff=17938Social Engineering2007-04-19T18:49:56Z<p>Manionc: </p>
<hr />
<div>'''Social Engineering'''<br />
<br />
==Definition ==<br />
An attack based on deceiving users or administrators at the target site. Social engineering attacks are typically carried out by telephoning users or operators and pretending to be an authorized user, to attempt to gain illicit access to systems.<br />
<br />
<br />
== Examples ==<br />
Example #1: (Believe it or not, this has worked for some attackers!)<br />
1. An attacker, posing an a system administrator, sends an email to several users on a large network (like a college campus network) and asks them to, “Please change your password to ‘xyz123’ and then notify me when you've completed this.”<br />
3. The attacker then logs in as one of the users from over the network. <br />
4. System bugs are then exploited to gain complete control of the system.<br />
<br />
== Countermeasures ==<br />
– Educate staff<br />
– Establish mechanisms for problem reporting and handling and make sure users know what those mechanisms are<br />
– Identify security-related transactions that must be done in person</div>Manionchttps://wiki.owasp.org/index.php?title=Social_Engineering&diff=17937Social Engineering2007-04-19T18:48:19Z<p>Manionc: New page: '''Social Engineering''' '''Definition''' An attack based on deceiving users or administrators at the target site. Social engineering attacks are typically carried out by telephoning user...</p>
<hr />
<div>'''Social Engineering'''<br />
<br />
'''Definition'''<br />
An attack based on deceiving users or administrators at the target site. Social engineering attacks are typically carried out by telephoning users or operators and pretending to be an authorized user, to attempt to gain illicit access to systems.<br />
<br />
'''Examples'''<br />
Example #1: (Believe it or not, this has worked for some attackers!)<br />
1. An attacker, posing an a system administrator, sends an email to several users on a large network (like a college campus network) and asks them to, “Please change your password to ‘xyz123’ and then notify me when you've completed this.”<br />
3. The attacker then logs in as one of the users from over the network. <br />
4. System bugs are then exploited to gain complete control of the system.<br />
<br />
<br />
'''Countermeasures'''<br />
– Educate staff<br />
– Establish mechanisms for problem reporting and handling and make sure users know what those mechanisms are<br />
– Identify security-related transactions that must be done in person</div>Manionchttps://wiki.owasp.org/index.php?title=OWASP_Testing_Guide_Table_of_Contents&diff=10304OWASP Testing Guide Table of Contents2006-10-09T13:39:53Z<p>Manionc: /* The OWASP Testing Framework */</p>
<hr />
<div>==[[Testing Guide Frontispiece|Frontispiece]]==<br />
#Copyright and License<br />
#Endorsements<br />
#Trademarks<br />
<br />
==[[Testing Guide Introduction|Introduction]]==<br />
#Performing An Application Security Review <br />
#Principles of Testing <br />
#Testing Techniques Explained<br />
<br />
==[[Methodologies Used]]== <br />
#Secure application design <br />
#Code Review (See the code review project) <br />
#*Overview <br />
#*Advantages and Disadvantages <br />
#Penetration Testing <br />
#*Overview <br />
#*Advantages and Disadvantages <br />
#The Need for a Balanced Approach <br />
#A Note about Web Application Scanners <br />
#A Note about Static Source Code Review Tools<br />
<br />
==[[Finding Specific Issues In a Non-Technical Manner]]==<br />
#Threat Modeling Introduction <br />
#Design Reviews <br />
#Threat Modeling the Application <br />
#Policy Reviews <br />
#Requirements Analysis <br />
#Developer Interviews and Interaction <br />
<br />
==[[:Category:OWASP Code Review Project|Finding Specific Vulnerabilities Using Source Code Review]]==<br />
<br />
''For code review please see the [[:Category:OWASP_Code_Review_Project|OWASP Code Review Project]]<br />
<br />
==[[Manual testing techniques]]==<br />
#[[Business logic testing]] <br />
#[[Authentication Testing Guide|Authentication]] <br />
#[[How to perform cookie manipulation test|Cookie manipulation]]<br />
#[[How to test for weak session tokens|Weak session tokens]]<br />
#[[How to perform session riding test|Session riding test]]<br />
#[[Testing for Cross site scripting vulnerabilities]] <br />
#[[Testing for vulnerable remember password implementation]]<br />
#[[Weak Password Self-Reset Testing]]<br />
#[[Testing for default or guessable user accounts and empty passwords]] <br />
#[[Testing for application layer Denial of Service (DoS) attacks]] <br />
#*[[DoS Testing: Locking Customer Accounts]] <br />
#*[[DoS Testing: Buffer Overflows]] <br />
#*[[DoS Testing: User Specified Object Allocation]] <br />
#*[[DoS Testing: User Input as a Loop Counter]] <br />
#*[[DoS Testing: Writing User Provided Data to Disk]] <br />
#*[[DoS Testing: Failure to Release Resources]] <br />
#*[[DoS Testing: Storing too Much Data in Session]] <br />
#[[Testing for buffer overflow]] <br />
#*[[Testing for heap overflow vulnerability]]<br />
#*[[Testing for stack overflow vulnerability]]<br />
#*[[Testing for format string vulnerability]]<br />
#[[Testing for test and debug files]] <br />
#[[Testing file extensions handling]] <br />
#[[Testing for Old, backup and unreferenced files]] <br />
#[[Testing defense from Automatic Attacks]] <br />
#[[Infrastructure configuration management testing]]<br />
#[[Application configuration management testing]] <br />
#[[SSL/TLS Testing: support of weak ciphers]]<br />
#[[SSL Testing: certificate validity]]<br />
#[[Web Services Security Testing]]<br />
#[[Analysis about error codes]]<br />
#[[Web services Testing]]<br />
#*[[XML Structural Attacks]]<br />
#*[[XML content-level attacks]]<br />
#*[[HTTP GET parameters/REST attacks]]<br />
#*[[Naughty SOAP attachments]]<br />
#*[[Brute force attacks]]<br />
<br />
==[[The OWASP Testing Framework]]==<br />
#Overview <br />
#Phase 1 — Before Development Begins <br />
#*Phase 1A: Policies and Standards Review <br />
#*Phase 1B: Develop Measurement and Metrics Criteria (Ensure Traceability) <br />
#Phase 2: During Definition and Design <br />
#*Phase 2A: Security Requirements Review <br />
#*Phase 2B: Design and Architecture Review <br />
#*Phase 2C: Create and Review UML Models <br />
#*Phase 2D: Create and Review Threat Models <br />
#Phase 3: During Development <br />
#*Phase 3A: Code Walkthroughs <br />
#*Phase 3B: Code Reviews <br />
#Phase 4: During Deployment <br />
#*Phase 4A: Application Penetration Testing <br />
#*Phase 4B: Configuration Management Testing <br />
#Phase 5: Maintenance and Operations <br />
#*Phase 5A: Conduct Operational Management Reviews <br />
#*Phase 5B: Conduct Periodic Health Checks <br />
#*Phase 5C: Ensure Change Verification <br />
#A Typical SDLC Testing Workflow <br />
#* Figure 3: Typical SDLC Testing Workflow.<br />
<br />
==[[Appendix A: Testing Tools]]== <br />
#Source Code Analyzers <br />
#*Open Source / Freeware <br />
#*Commercial <br />
#Black Box Scanners <br />
#*Open Source <br />
#*Commercial <br />
#Other Tools <br />
#*Runtime Analysis <br />
#*Binary Analysis <br />
#*Requirements Management<br />
<br />
==[[OWASP Testing Guide Appendix B: Suggested Reading | Appendix B: Suggested Reading]]==<br />
#Whitepapers <br />
#Books <br />
#Articles <br />
#Useful Websites <br />
#OWASP — http://www.owasp.org<br />
<br />
[[Category:OWASP Testing Project]]<br />
[[Category:Test]]<br />
<br />
==[[OWASP Testing Guide Appendix C: Fuzz Vectors| Appendix C: Fuzz Vectors]]==</div>Manionchttps://wiki.owasp.org/index.php?title=Definition_for_Security_Assessment_Techniques&diff=10197Definition for Security Assessment Techniques2006-10-05T21:22:47Z<p>Manionc: /* Techniques */</p>
<hr />
<div>==Overview==<br />
<br />
This article’s focus is to define, where practical, nomenclature and definitions of the differing security '''Assessment Techniques'''. Agreement and establishment of these definitions are foundational to establishing the '''Assessment Levels''' later within this project.<br />
<br />
==Techniques==<br />
<br />
The following assessment techniques are proposed:<br />
<br />
* Application Security Threat Assessment<br />
* Application Security Architecture Review<br />
* Manual Security-Focused Code Review (Software Security Specialist)<br />
* Automated Source Code Aanalysis (Tool-Based Static Code Analysis)<br />
* Automated External Application Scanning (Tool Based) <br />
* Manual Penetration Testing (Security Test Specialist)<br />
<br />
NOTE: these should probably link to full articles on each subject<br />
<br />
==Application Security Threat Assessment==<br />
<br />
Analyzes application architectural information to develop a threat profile for the application components. <br />
<br />
* Identify the nature of the threats – the likely vulnerabilities of the given application and business.<br />
<br />
* Estimate the probability that those vulnerabilities might lead to a disruption and the type of impact – both expected and worst case – that might arise.<br />
<br />
* Analyze the different consequences and their likelihood of occurrence and determine which should be dealt with and what priority should be attached to mitigate.<br />
<br />
While the threats to each asset within the Application can be individually developed and mapped, a more efficient approach is to develop a master list of threat types and identify how these can be used to launch an attack on the Application and/or its components and potentially in turn the business itself. A single threat may exploit a vulnerability to damage different types of assets. Conversely, several threat types may exploit disparate vulnerabilities in order to attack a single critical asset. Given the many-to-many relationships between threats and assets, it is best to use a simple representation of threat to asset mapping by listing threat types by each critical asset identified.<br />
<br />
A threat assessment should categorize threat types and threat agents but should focus on malicious threats and will not cover accidental and natural threats. The source of Malicious Threats (the attacker or perpetrator, in this context) can be classified as unauthorized and authorized. Threat vectors and operating environment more fully define how and why a particular “user” falls into one of these categories:<br />
<br />
Unauthorized: <br />
* An attacker who does not have credentials to legitimately access the application<br />
<br />
Authorized:<br />
* A legitimate user of the application<br />
* A malicious insider<br />
* A previously unauthorized user who has gained authorized access through compromise of a valid account or user session<br />
<br />
While the threat agents may have similar intent, varying reasons for engaging in illegal activities motivates them. Some authorized employees may willfully commit fraud for financial gain or engage in sabotage in order to disrupt routine operations. Theft, vandalism, intentional corruptions and alteration of information are also categorized as malicious threats.<br />
<br />
''Advantages:''<br />
* Aids in focusing testing activities and defining true targets in large scale enterprise level applications.<br />
* By using results from a threat assessment, the end-client is able to focus assessment (testing) activities based on business requirements and operational reality. <br />
* Allows vulnerabilities discovered in other assessment types to be weighted and prioritized based on threat probability vs. raw vulnerability finding.<br />
<br />
''Disadvantages:''<br />
* Cannot guarantee that all possible security threats will be uncovered. <br />
* End-client must evaluate analysis and determine responses(s).<br />
* Requires existence of application architecture documentation.<br />
* Often confused with Risk Assessments, which weigh asset value, threat, and vulnerability in order to determine business risk. Threat assessments focus on identifying only the threat component (vector(s) and probability).<br />
<br />
Recommended use:<br />
* Best as a precursor to development activities allowing best use of security resources (i.e., “bake in” security during application development begets higher return on investment vs. “bolting on” application security fixes post production).<br />
* Best utilized to determine the need and extent for further assessment (testing) activities (e.g., automated testing, expert testing, code review, etc.).<br />
<br />
<br />
<br />
==Application Security Architecture Review==<br />
<br />
Typically a table-top design level review and analysis of the application to identify critical assets, sensitive data stores and business critical interconnections. The purpose of architecture reviews is to also aid in determining potential attack vectors, which could be used in testing. Thus many organizations will blend this activity with Threat Assessment. The review of the application and its interconnections should include both a network- and application-level evaluation. Evaluation should identify areas of potential and actual vulnerability from these levels. This includes areas of vulnerability in the network and application architecture, in addition to a high-level measure of risk of each of those areas.<br />
<br />
''Advantages:''<br />
* Aids in focusing testing activities and defining true targets in large scale enterprise level applications.<br />
* Provides more depth to the development rationale of various functionality in the application life cycle. <br />
* By using results from Architecture Review, the assessment (testing) team is able to follow development logic in the “how” and “why” business and security requirements were integrated into application behavior and security controls/constraints. <br />
<br />
''Disadvantages:''<br />
* Cannot guarantee identification of all possible security threats. <br />
* Because the scope of an architectural assessment is far more complex than the limited perspective of an application layer assessment, recommendations are similarly complex, sometimes involving “political” changes (i.e., security department’s level of involvement in the SDLC). <br />
* Requires on-site discussions with application principals.<br />
<br />
Recommended use:<br />
* Best as a precursor to development activities allowing best use of security dollars (i.e., incorporate security in beginning begets higher return on investment vs. fixing applications post production). <br />
* Best utilized to determine the need and extent for further assessment (testing) activities (e.g., automated testing, expert testing, code review, etc.).<br />
<br />
<br />
<br />
==Manual Security-Focused Code Review==<br />
<br />
Review of the software source code to identify source code-level issues, which may enable an attacker to compromise an application, system, or business functionality. Web applications in particular are likely to have these vulnerabilities, as they are frequently developed quickly in an environment that does not allow for much security planning and testing. This should not be viewed as simply a generic software audit. Security-focused code reviews should be specifically tailored to find common vulnerabilities in applications. <br />
<br />
''Advantages:''<br />
* If integrated into the [http://en.wikipedia.org/wiki/Software_development_life_cycle Software Development Life Cycle (SDLC)], coding issues can be resolved earlier in the development process. (which is much less expensive to fix than a post-production revision of the code).<br />
* Provides the ability to identify and address serious coding issues (e.g., input validation, hard-coded credentials, debugging features, etc.) prior to production.<br />
* Enables development teams to identify and correct insecure coding techniques that could lead to security vulnerabilities or possible incidents.<br />
* Helps developers learn from each other and share knowledge on secure coding techniques, best practices and common solutions.<br />
<br />
<br />
''Disadvantages:''<br />
* can be very time consuming and costly if automated tools are not available to help augment the review process<br />
* If conducted solely by tools, results will be mostly static signature matching though some tools claim to walk codepath (follow nested loops and other regression through objects).<br />
* Even applications that exhibit strong and thorough software development practices (e.g., documentation, seamless modularity, string checking to prevent buffer overflows, etc.) can fall victim to attack if the underlying business logic doesn’t follow security requirements.<br />
* Requires specific programming expertise (e.g., Java, .NET, PHP, etc.) that many application testers do not have.<br />
<br />
Recommended use:<br />
* Security-focused code reviews should be conducted as part of the normal SDLC. Reviews may also be needed during or after security testing, prior to implementing system upgrades, prior to making system configuration changes, when new security bulletins are released, or immediately following any reported security incidents.<br />
<br />
<br />
<br />
==Automated Source Code Analysis==<br />
<br />
Automated source code analysis involves the use of special software "tools" to conduct [http://en.wikipedia.org/wiki/Static_code_analysis Static Code Analysis] on software source code to identify potential vulnerabilities within the code. <br />
<br />
''Advantages:''<br />
* can be very effective method for identifying defects in code functionality and syntax errors<br />
* most automated source code analysis tools are highly scalable<br />
* expedites code review process (can review 400-500 LOC/hr via manual review vs. up to 10,000 LOC/hr using automated source code scanning tools)<br />
* helps teams focus their manual code review activities on flagged, high-risk areas <br />
<br />
''Disadvantages:''<br />
* most automated source code analysis tools generate false positives <br />
* some automated source code analysis tools have a significant learning curve<br />
* some coding languages (such as ASP) are not supported by the tools<br />
* results of automated scans are basically "blueprints" of source code vulnerabilities, so they must be properly protected<br />
* Most of the automated source code analysis tools available on the market today can not identify logic errors, timing errors, resource conflicts, data errors and configuration errors.<br />
<br />
Recommended use:<br />
* Automated source code analysis tools can be used to enhance and improve an organization’s overall efforts to find and eliminate security vulnerabilities within software applications. However, they should not be viewed as a "silver bullet". Manual code reviews must still be conducted to identify false positives and security-related defects that tools can not identify.<br />
<br />
<br />
<br />
==Automated External Application Scanning==<br />
<br />
Utilizing automated open source or commercial software to discover known application layer vulnerabilities.<br />
<br />
''Advantages:''<br />
* Able to quickly identify default content, misconfigurations and error conditions resulting from improper input.<br />
* Ability to be run on automated, regular basis to provide baseline and ongoing vulnerability management metrics.<br />
* Can reduce the time required to assess large applications.<br />
* Lower cost to operate/execute (excluding initial capital cost if using commercial testing software).<br />
<br />
''Disadvantages:''<br />
* Not designed to determine the extent to which the vulnerabilities can be exploited to compromise the data the application handles.<br />
* Requires appropriate skills/knowledge to use, configure, and interpret results (despite “point and click” vendor marketing claims). <br />
* Requires extensive configuration and customization to emulate a user session.<br />
* Limited ability to correlate events and correlate minor issues that may lead to larger exposure. <br />
* Inability to adapt to dynamic responses in business logic flows.<br />
* Unable to find vulnerabilities that only become apparent after performing a sequence of steps (e.g., business logic flow bypass, session state compromise, etc.).<br />
* Unable to figure out “how deep the rabbit hole goes” – No means to interpret security implications, express extent of potential compromise, or identify seriousness of business and information exposure. <br />
* Tools will often be confused by some aspect of an application's behavior, causing a particular class of test to generate a false positive. Because most tools lack intelligence and cannot adapt to such conditions, test results include a large number of identical false positives. <br />
** For valid findings, the tools will often find dozens or hundreds of nearly identical findings, each with the same root cause. <br />
* Tool based findings are only indications of problems. Manual review (by someone well versed in web application testing) is usually necessary to draw the necessary parallels between different findings, and determine which findings identify unique problems, and which represent repetition.<br />
<br />
Recommended use:<br />
* Handling routine, manually intensive steps (e.g., input validation, field “fuzzing”, etc.) in an assessment is useful, particularly in large applications. However, scanner-based results can be used as the starting point from which expert testing can take over.<br />
* Testing less critical applications (i.e., applications that do not contain/handle business sensitive data and/or are not critical to business operation) where the perceived lower risk does not warrant performing hands-on testing.<br />
* Testing critical applications as a prelude to expert testing or code reviews.<br />
<br />
If a tool is used, it is important to define the technical limitations of the tool when the findings are presented. An example of this may involve noting the potential for SQL injection attacks based upon verbose SQL error messages, but also the tool’s inability to produce the correct syntax needed to extract specific information from the vulnerable database. A failure to convey the differences between automated and expert testing increases the risk that the application assessment results will be interpreted (particularly by management) as being more “secure” than they actually are. <br />
<br />
<br />
<br />
==Manual Penetration Testing==<br />
<br />
Manual Penetration Testing involves application analysis performed by an experienced analyst, usually using a combination of open source automated utilities (either self created or through security community) for performing task-specific functions and hands-on analysis to attempt to further ‘hack’ the application as an attacker.<br />
<br />
''Advantages:''<br />
* Open source tools utilized by the expert tester are developed usually for specific purposes rather than wrapping multiple functionality into a GUI. Typically are one of many components in the testers toolkit.<br />
* “Expert testing” is an intuitive approach (Business logic analysis), with the ability to identify flaws in business logic that automated scanners are usually incapable of finding.<br />
* Addresses many of the disadvantages noted in Automated Testing.<br />
* Ability to correlate events and minor issues that may lead to larger exposure. This is a critical advantage of hands-on testing and simulates how a real attacker would operate. <br />
* Ability to communicate complex technical findings in a manner that all can understand. The job is not done until the assessment end-client understands the nature of the vulnerability discovered and its security implications. <br />
** The analysis phase of expert testing provides “root cause” identification and recommendations based upon the unique, developmental characteristics of an application. Results from an automated tool cannot provide customized, specific recommendations tailored for each application and the end-client’s requirements. <br />
<br />
''Disadvantages:''<br />
* Often confused with Automated Testing – Marketing of commercial tools uses terms such as “expert” and “intuitive”, normally associated with an assessment performed by an experienced analyst.<br />
* Inability of most end-client organizations to determine if tester has appropriate application security skills required. There are no community accepted credentials/certifications established for this area of security.<br />
* Cost to conduct will be higher though there is no upfront capital cost.<br />
* Without establishing clear metrics up front, ongoing testing to determine trends within business environment or iterations of application is difficult.<br />
<br />
Recommended use:<br />
* Testing critical applications (i.e., applications that do contain/handle business sensitive data and/or are critical to business operation) where the perceived higher risk does not warrant performing automated testing.<br />
* Best suited for B2B, B2C and/or any transactional based and/or multi-level access application.<br />
<br />
<br />
<br />
==References/Sources==<br />
<br />
* Testing Taxonomy & Testing Tools Classification : http://www.owasp.org/index.php/Image:AppSec2005DC-Arian_Evans_Tools-Taxonomy.ppt<br />
<br />
<br />
<br />
[[Category:OWASP Application Security Assessment Standards Project]]<br />
{{Template:Stub}}</div>Manionchttps://wiki.owasp.org/index.php?title=Definition_for_Security_Assessment_Techniques&diff=10196Definition for Security Assessment Techniques2006-10-05T21:21:10Z<p>Manionc: </p>
<hr />
<div>==Overview==<br />
<br />
This article’s focus is to define, where practical, nomenclature and definitions of the differing security '''Assessment Techniques'''. Agreement and establishment of these definitions are foundational to establishing the '''Assessment Levels''' later within this project.<br />
<br />
==Techniques==<br />
<br />
The following assessment techniques are proposed:<br />
<br />
* Application Security Threat Assessment<br />
* Application Security Architecture Review<br />
* Automated Security Code Scanning (Tool Based Static Analysis)<br />
* Automated External Application Scanning (Tool Based) <br />
* Manual Penetration Testing (Security Test Specialist)<br />
* Manual Application Security Code Review (Software Security Specialist)<br />
<br />
NOTE: these should probably link to full articles on each subject<br />
<br />
<br />
==Application Security Threat Assessment==<br />
<br />
Analyzes application architectural information to develop a threat profile for the application components. <br />
<br />
* Identify the nature of the threats – the likely vulnerabilities of the given application and business.<br />
<br />
* Estimate the probability that those vulnerabilities might lead to a disruption and the type of impact – both expected and worst case – that might arise.<br />
<br />
* Analyze the different consequences and their likelihood of occurrence and determine which should be dealt with and what priority should be attached to mitigate.<br />
<br />
While the threats to each asset within the Application can be individually developed and mapped, a more efficient approach is to develop a master list of threat types and identify how these can be used to launch an attack on the Application and/or its components and potentially in turn the business itself. A single threat may exploit a vulnerability to damage different types of assets. Conversely, several threat types may exploit disparate vulnerabilities in order to attack a single critical asset. Given the many-to-many relationships between threats and assets, it is best to use a simple representation of threat to asset mapping by listing threat types by each critical asset identified.<br />
<br />
A threat assessment should categorize threat types and threat agents but should focus on malicious threats and will not cover accidental and natural threats. The source of Malicious Threats (the attacker or perpetrator, in this context) can be classified as unauthorized and authorized. Threat vectors and operating environment more fully define how and why a particular “user” falls into one of these categories:<br />
<br />
Unauthorized: <br />
* An attacker who does not have credentials to legitimately access the application<br />
<br />
Authorized:<br />
* A legitimate user of the application<br />
* A malicious insider<br />
* A previously unauthorized user who has gained authorized access through compromise of a valid account or user session<br />
<br />
While the threat agents may have similar intent, varying reasons for engaging in illegal activities motivates them. Some authorized employees may willfully commit fraud for financial gain or engage in sabotage in order to disrupt routine operations. Theft, vandalism, intentional corruptions and alteration of information are also categorized as malicious threats.<br />
<br />
''Advantages:''<br />
* Aids in focusing testing activities and defining true targets in large scale enterprise level applications.<br />
* By using results from a threat assessment, the end-client is able to focus assessment (testing) activities based on business requirements and operational reality. <br />
* Allows vulnerabilities discovered in other assessment types to be weighted and prioritized based on threat probability vs. raw vulnerability finding.<br />
<br />
''Disadvantages:''<br />
* Cannot guarantee that all possible security threats will be uncovered. <br />
* End-client must evaluate analysis and determine responses(s).<br />
* Requires existence of application architecture documentation.<br />
* Often confused with Risk Assessments, which weigh asset value, threat, and vulnerability in order to determine business risk. Threat assessments focus on identifying only the threat component (vector(s) and probability).<br />
<br />
Recommended use:<br />
* Best as a precursor to development activities allowing best use of security resources (i.e., “bake in” security during application development begets higher return on investment vs. “bolting on” application security fixes post production).<br />
* Best utilized to determine the need and extent for further assessment (testing) activities (e.g., automated testing, expert testing, code review, etc.).<br />
<br />
<br />
<br />
==Application Security Architecture Review==<br />
<br />
Typically a table-top design level review and analysis of the application to identify critical assets, sensitive data stores and business critical interconnections. The purpose of architecture reviews is to also aid in determining potential attack vectors, which could be used in testing. Thus many organizations will blend this activity with Threat Assessment. The review of the application and its interconnections should include both a network- and application-level evaluation. Evaluation should identify areas of potential and actual vulnerability from these levels. This includes areas of vulnerability in the network and application architecture, in addition to a high-level measure of risk of each of those areas.<br />
<br />
''Advantages:''<br />
* Aids in focusing testing activities and defining true targets in large scale enterprise level applications.<br />
* Provides more depth to the development rationale of various functionality in the application life cycle. <br />
* By using results from Architecture Review, the assessment (testing) team is able to follow development logic in the “how” and “why” business and security requirements were integrated into application behavior and security controls/constraints. <br />
<br />
''Disadvantages:''<br />
* Cannot guarantee identification of all possible security threats. <br />
* Because the scope of an architectural assessment is far more complex than the limited perspective of an application layer assessment, recommendations are similarly complex, sometimes involving “political” changes (i.e., security department’s level of involvement in the SDLC). <br />
* Requires on-site discussions with application principals.<br />
<br />
Recommended use:<br />
* Best as a precursor to development activities allowing best use of security dollars (i.e., incorporate security in beginning begets higher return on investment vs. fixing applications post production). <br />
* Best utilized to determine the need and extent for further assessment (testing) activities (e.g., automated testing, expert testing, code review, etc.).<br />
<br />
<br />
<br />
==Manual Security-Focused Code Review==<br />
<br />
Review of the software source code to identify source code-level issues, which may enable an attacker to compromise an application, system, or business functionality. Web applications in particular are likely to have these vulnerabilities, as they are frequently developed quickly in an environment that does not allow for much security planning and testing. This should not be viewed as simply a generic software audit. Security-focused code reviews should be specifically tailored to find common vulnerabilities in applications. <br />
<br />
''Advantages:''<br />
* If integrated into the [http://en.wikipedia.org/wiki/Software_development_life_cycle Software Development Life Cycle (SDLC)], coding issues can be resolved earlier in the development process. (which is much less expensive to fix than a post-production revision of the code).<br />
* Provides the ability to identify and address serious coding issues (e.g., input validation, hard-coded credentials, debugging features, etc.) prior to production.<br />
* Enables development teams to identify and correct insecure coding techniques that could lead to security vulnerabilities or possible incidents.<br />
* Helps developers learn from each other and share knowledge on secure coding techniques, best practices and common solutions.<br />
<br />
<br />
''Disadvantages:''<br />
* can be very time consuming and costly if automated tools are not available to help augment the review process<br />
* If conducted solely by tools, results will be mostly static signature matching though some tools claim to walk codepath (follow nested loops and other regression through objects).<br />
* Even applications that exhibit strong and thorough software development practices (e.g., documentation, seamless modularity, string checking to prevent buffer overflows, etc.) can fall victim to attack if the underlying business logic doesn’t follow security requirements.<br />
* Requires specific programming expertise (e.g., Java, .NET, PHP, etc.) that many application testers do not have.<br />
<br />
Recommended use:<br />
* Security-focused code reviews should be conducted as part of the normal SDLC. Reviews may also be needed during or after security testing, prior to implementing system upgrades, prior to making system configuration changes, when new security bulletins are released, or immediately following any reported security incidents.<br />
<br />
<br />
<br />
==Automated Source Code Analysis==<br />
<br />
Automated source code analysis involves the use of special software "tools" to conduct [http://en.wikipedia.org/wiki/Static_code_analysis Static Code Analysis] on software source code to identify potential vulnerabilities within the code. <br />
<br />
''Advantages:''<br />
* can be very effective method for identifying defects in code functionality and syntax errors<br />
* most automated source code analysis tools are highly scalable<br />
* expedites code review process (can review 400-500 LOC/hr via manual review vs. up to 10,000 LOC/hr using automated source code scanning tools)<br />
* helps teams focus their manual code review activities on flagged, high-risk areas <br />
<br />
''Disadvantages:''<br />
* most automated source code analysis tools generate false positives <br />
* some automated source code analysis tools have a significant learning curve<br />
* some coding languages (such as ASP) are not supported by the tools<br />
* results of automated scans are basically "blueprints" of source code vulnerabilities, so they must be properly protected<br />
* Most of the automated source code analysis tools available on the market today can not identify logic errors, timing errors, resource conflicts, data errors and configuration errors.<br />
<br />
Recommended use:<br />
* Automated source code analysis tools can be used to enhance and improve an organization’s overall efforts to find and eliminate security vulnerabilities within software applications. However, they should not be viewed as a "silver bullet". Manual code reviews must still be conducted to identify false positives and security-related defects that tools can not identify.<br />
<br />
<br />
<br />
==Automated External Application Scanning==<br />
<br />
Utilizing automated open source or commercial software to discover known application layer vulnerabilities.<br />
<br />
''Advantages:''<br />
* Able to quickly identify default content, misconfigurations and error conditions resulting from improper input.<br />
* Ability to be run on automated, regular basis to provide baseline and ongoing vulnerability management metrics.<br />
* Can reduce the time required to assess large applications.<br />
* Lower cost to operate/execute (excluding initial capital cost if using commercial testing software).<br />
<br />
''Disadvantages:''<br />
* Not designed to determine the extent to which the vulnerabilities can be exploited to compromise the data the application handles.<br />
* Requires appropriate skills/knowledge to use, configure, and interpret results (despite “point and click” vendor marketing claims). <br />
* Requires extensive configuration and customization to emulate a user session.<br />
* Limited ability to correlate events and correlate minor issues that may lead to larger exposure. <br />
* Inability to adapt to dynamic responses in business logic flows.<br />
* Unable to find vulnerabilities that only become apparent after performing a sequence of steps (e.g., business logic flow bypass, session state compromise, etc.).<br />
* Unable to figure out “how deep the rabbit hole goes” – No means to interpret security implications, express extent of potential compromise, or identify seriousness of business and information exposure. <br />
* Tools will often be confused by some aspect of an application's behavior, causing a particular class of test to generate a false positive. Because most tools lack intelligence and cannot adapt to such conditions, test results include a large number of identical false positives. <br />
** For valid findings, the tools will often find dozens or hundreds of nearly identical findings, each with the same root cause. <br />
* Tool based findings are only indications of problems. Manual review (by someone well versed in web application testing) is usually necessary to draw the necessary parallels between different findings, and determine which findings identify unique problems, and which represent repetition.<br />
<br />
Recommended use:<br />
* Handling routine, manually intensive steps (e.g., input validation, field “fuzzing”, etc.) in an assessment is useful, particularly in large applications. However, scanner-based results can be used as the starting point from which expert testing can take over.<br />
* Testing less critical applications (i.e., applications that do not contain/handle business sensitive data and/or are not critical to business operation) where the perceived lower risk does not warrant performing hands-on testing.<br />
* Testing critical applications as a prelude to expert testing or code reviews.<br />
<br />
If a tool is used, it is important to define the technical limitations of the tool when the findings are presented. An example of this may involve noting the potential for SQL injection attacks based upon verbose SQL error messages, but also the tool’s inability to produce the correct syntax needed to extract specific information from the vulnerable database. A failure to convey the differences between automated and expert testing increases the risk that the application assessment results will be interpreted (particularly by management) as being more “secure” than they actually are. <br />
<br />
<br />
<br />
==Manual Penetration Testing==<br />
<br />
Manual Penetration Testing involves application analysis performed by an experienced analyst, usually using a combination of open source automated utilities (either self created or through security community) for performing task-specific functions and hands-on analysis to attempt to further ‘hack’ the application as an attacker.<br />
<br />
''Advantages:''<br />
* Open source tools utilized by the expert tester are developed usually for specific purposes rather than wrapping multiple functionality into a GUI. Typically are one of many components in the testers toolkit.<br />
* “Expert testing” is an intuitive approach (Business logic analysis), with the ability to identify flaws in business logic that automated scanners are usually incapable of finding.<br />
* Addresses many of the disadvantages noted in Automated Testing.<br />
* Ability to correlate events and minor issues that may lead to larger exposure. This is a critical advantage of hands-on testing and simulates how a real attacker would operate. <br />
* Ability to communicate complex technical findings in a manner that all can understand. The job is not done until the assessment end-client understands the nature of the vulnerability discovered and its security implications. <br />
** The analysis phase of expert testing provides “root cause” identification and recommendations based upon the unique, developmental characteristics of an application. Results from an automated tool cannot provide customized, specific recommendations tailored for each application and the end-client’s requirements. <br />
<br />
''Disadvantages:''<br />
* Often confused with Automated Testing – Marketing of commercial tools uses terms such as “expert” and “intuitive”, normally associated with an assessment performed by an experienced analyst.<br />
* Inability of most end-client organizations to determine if tester has appropriate application security skills required. There are no community accepted credentials/certifications established for this area of security.<br />
* Cost to conduct will be higher though there is no upfront capital cost.<br />
* Without establishing clear metrics up front, ongoing testing to determine trends within business environment or iterations of application is difficult.<br />
<br />
Recommended use:<br />
* Testing critical applications (i.e., applications that do contain/handle business sensitive data and/or are critical to business operation) where the perceived higher risk does not warrant performing automated testing.<br />
* Best suited for B2B, B2C and/or any transactional based and/or multi-level access application.<br />
<br />
<br />
<br />
==References/Sources==<br />
<br />
* Testing Taxonomy & Testing Tools Classification : http://www.owasp.org/index.php/Image:AppSec2005DC-Arian_Evans_Tools-Taxonomy.ppt<br />
<br />
<br />
<br />
[[Category:OWASP Application Security Assessment Standards Project]]<br />
{{Template:Stub}}</div>Manionchttps://wiki.owasp.org/index.php?title=Definition_for_Security_Assessment_Techniques&diff=10195Definition for Security Assessment Techniques2006-10-05T21:20:18Z<p>Manionc: /* Manual Security-Focused Code Review */</p>
<hr />
<div>==Overview==<br />
<br />
This article’s focus is to define, where practical, nomenclature and definitions of the differing security '''Assessment Techniques'''. Agreement and establishment of these definitions are foundational to establishing the '''Assessment Levels''' later within this project.<br />
<br />
==Techniques==<br />
<br />
The following assessment techniques are proposed:<br />
<br />
* Application Security Threat Assessment<br />
* Application Security Architecture Review<br />
* Automated Security Code Scanning (Tool Based Static Analysis)<br />
* Automated External Application Scanning (Tool Based) <br />
* Manual Penetration Testing (Security Test Specialist)<br />
* Manual Application Security Code Review (Software Security Specialist)<br />
<br />
NOTE: these should probably link to full articles on each subject<br />
<br />
<br />
==Application Security Threat Assessment==<br />
<br />
Analyzes application architectural information to develop a threat profile for the application components. <br />
<br />
* Identify the nature of the threats – the likely vulnerabilities of the given application and business.<br />
<br />
* Estimate the probability that those vulnerabilities might lead to a disruption and the type of impact – both expected and worst case – that might arise.<br />
<br />
* Analyze the different consequences and their likelihood of occurrence and determine which should be dealt with and what priority should be attached to mitigate.<br />
<br />
While the threats to each asset within the Application can be individually developed and mapped, a more efficient approach is to develop a master list of threat types and identify how these can be used to launch an attack on the Application and/or its components and potentially in turn the business itself. A single threat may exploit a vulnerability to damage different types of assets. Conversely, several threat types may exploit disparate vulnerabilities in order to attack a single critical asset. Given the many-to-many relationships between threats and assets, it is best to use a simple representation of threat to asset mapping by listing threat types by each critical asset identified.<br />
<br />
A threat assessment should categorize threat types and threat agents but should focus on malicious threats and will not cover accidental and natural threats. The source of Malicious Threats (the attacker or perpetrator, in this context) can be classified as unauthorized and authorized. Threat vectors and operating environment more fully define how and why a particular “user” falls into one of these categories:<br />
<br />
Unauthorized: <br />
* An attacker who does not have credentials to legitimately access the application<br />
<br />
Authorized:<br />
* A legitimate user of the application<br />
* A malicious insider<br />
* A previously unauthorized user who has gained authorized access through compromise of a valid account or user session<br />
<br />
While the threat agents may have similar intent, varying reasons for engaging in illegal activities motivates them. Some authorized employees may willfully commit fraud for financial gain or engage in sabotage in order to disrupt routine operations. Theft, vandalism, intentional corruptions and alteration of information are also categorized as malicious threats.<br />
<br />
''Advantages:''<br />
* Aids in focusing testing activities and defining true targets in large scale enterprise level applications.<br />
* By using results from a threat assessment, the end-client is able to focus assessment (testing) activities based on business requirements and operational reality. <br />
* Allows vulnerabilities discovered in other assessment types to be weighted and prioritized based on threat probability vs. raw vulnerability finding.<br />
<br />
''Disadvantages:''<br />
* Cannot guarantee that all possible security threats will be uncovered. <br />
* End-client must evaluate analysis and determine responses(s).<br />
* Requires existence of application architecture documentation.<br />
* Often confused with Risk Assessments, which weigh asset value, threat, and vulnerability in order to determine business risk. Threat assessments focus on identifying only the threat component (vector(s) and probability).<br />
<br />
Recommended use:<br />
* Best as a precursor to development activities allowing best use of security resources (i.e., “bake in” security during application development begets higher return on investment vs. “bolting on” application security fixes post production).<br />
* Best utilized to determine the need and extent for further assessment (testing) activities (e.g., automated testing, expert testing, code review, etc.).<br />
<br />
<br />
<br />
==Application Security Architecture Review==<br />
<br />
Typically a table-top design level review and analysis of the application to identify critical assets, sensitive data stores and business critical interconnections. The purpose of architecture reviews is to also aid in determining potential attack vectors, which could be used in testing. Thus many organizations will blend this activity with Threat Assessment. The review of the application and its interconnections should include both a network- and application-level evaluation. Evaluation should identify areas of potential and actual vulnerability from these levels. This includes areas of vulnerability in the network and application architecture, in addition to a high-level measure of risk of each of those areas.<br />
<br />
''Advantages:''<br />
* Aids in focusing testing activities and defining true targets in large scale enterprise level applications.<br />
* Provides more depth to the development rationale of various functionality in the application life cycle. <br />
* By using results from Architecture Review, the assessment (testing) team is able to follow development logic in the “how” and “why” business and security requirements were integrated into application behavior and security controls/constraints. <br />
<br />
''Disadvantages:''<br />
* Cannot guarantee identification of all possible security threats. <br />
* Because the scope of an architectural assessment is far more complex than the limited perspective of an application layer assessment, recommendations are similarly complex, sometimes involving “political” changes (i.e., security department’s level of involvement in the SDLC). <br />
* Requires on-site discussions with application principals.<br />
<br />
Recommended use:<br />
* Best as a precursor to development activities allowing best use of security dollars (i.e., incorporate security in beginning begets higher return on investment vs. fixing applications post production). <br />
* Best utilized to determine the need and extent for further assessment (testing) activities (e.g., automated testing, expert testing, code review, etc.).<br />
<br />
<br />
<br />
==Manual Security-Focused Code Review==<br />
<br />
Review of the software source code to identify source code-level issues, which may enable an attacker to compromise an application, system, or business functionality. Web applications in particular are likely to have these vulnerabilities, as they are frequently developed quickly in an environment that does not allow for much security planning and testing. This should not be viewed as simply a generic software audit. Security-focused code reviews should be specifically tailored to find common vulnerabilities in applications. <br />
<br />
''Advantages:''<br />
* If integrated into the [http://en.wikipedia.org/wiki/Software_development_life_cycle Software Development Life Cycle (SDLC)], coding issues can be resolved earlier in the development process. (which is much less expensive to fix than a post-production revision of the code).<br />
* Provides the ability to identify and address serious coding issues (e.g., input validation, hard-coded credentials, debugging features, etc.) prior to production.<br />
* Enables development teams to identify and correct insecure coding techniques that could lead to security vulnerabilities or possible incidents.<br />
* Helps developers learn from each other and share knowledge on secure coding techniques, best practices and common solutions.<br />
<br />
<br />
''Disadvantages:''<br />
* can be very time consuming and costly if automated tools are not available to help augment the review process<br />
* If conducted solely by tools, results will be mostly static signature matching though some tools claim to walk codepath (follow nested loops and other regression through objects).<br />
* Even applications that exhibit strong and thorough software development practices (e.g., documentation, seamless modularity, string checking to prevent buffer overflows, etc.) can fall victim to attack if the underlying business logic doesn’t follow security requirements.<br />
* Requires specific programming expertise (e.g., Java, .NET, PHP, etc.) that many application testers do not have.<br />
<br />
Recommended use:<br />
* Security-focused code reviews should be conducted as part of the normal SDLC. Reviews may also be needed during or after security testing, prior to implementing system upgrades, prior to making system configuration changes, when new security bulletins are released, or immediately following any reported security incidents.<br />
<br />
==Automated Source Code Analysis==<br />
<br />
Automated source code analysis involves the use of special software "tools" to conduct [http://en.wikipedia.org/wiki/Static_code_analysis Static Code Analysis] on software source code to identify potential vulnerabilities within the code. <br />
<br />
''Advantages:''<br />
* can be very effective method for identifying defects in code functionality and syntax errors<br />
* most automated source code analysis tools are highly scalable<br />
* expedites code review process (can review 400-500 LOC/hr via manual review vs. up to 10,000 LOC/hr using automated source code scanning tools)<br />
* helps teams focus their manual code review activities on flagged, high-risk areas <br />
<br />
''Disadvantages:''<br />
* most automated source code analysis tools generate false positives <br />
* some automated source code analysis tools have a significant learning curve<br />
* some coding languages (such as ASP) are not supported by the tools<br />
* results of automated scans are basically "blueprints" of source code vulnerabilities, so they must be properly protected<br />
* Most of the automated source code analysis tools available on the market today can not identify logic errors, timing errors, resource conflicts, data errors and configuration errors.<br />
<br />
Recommended use:<br />
* Automated source code analysis tools can be used to enhance and improve an organization’s overall efforts to find and eliminate security vulnerabilities within software applications. However, they should not be viewed as a "silver bullet". Manual code reviews must still be conducted to identify false positives and security-related defects that tools can not identify.<br />
<br />
==Automated External Application Scanning==<br />
<br />
Utilizing automated open source or commercial software to discover known application layer vulnerabilities.<br />
<br />
''Advantages:''<br />
* Able to quickly identify default content, misconfigurations and error conditions resulting from improper input.<br />
* Ability to be run on automated, regular basis to provide baseline and ongoing vulnerability management metrics.<br />
* Can reduce the time required to assess large applications.<br />
* Lower cost to operate/execute (excluding initial capital cost if using commercial testing software).<br />
<br />
''Disadvantages:''<br />
* Not designed to determine the extent to which the vulnerabilities can be exploited to compromise the data the application handles.<br />
* Requires appropriate skills/knowledge to use, configure, and interpret results (despite “point and click” vendor marketing claims). <br />
* Requires extensive configuration and customization to emulate a user session.<br />
* Limited ability to correlate events and correlate minor issues that may lead to larger exposure. <br />
* Inability to adapt to dynamic responses in business logic flows.<br />
* Unable to find vulnerabilities that only become apparent after performing a sequence of steps (e.g., business logic flow bypass, session state compromise, etc.).<br />
* Unable to figure out “how deep the rabbit hole goes” – No means to interpret security implications, express extent of potential compromise, or identify seriousness of business and information exposure. <br />
* Tools will often be confused by some aspect of an application's behavior, causing a particular class of test to generate a false positive. Because most tools lack intelligence and cannot adapt to such conditions, test results include a large number of identical false positives. <br />
** For valid findings, the tools will often find dozens or hundreds of nearly identical findings, each with the same root cause. <br />
* Tool based findings are only indications of problems. Manual review (by someone well versed in web application testing) is usually necessary to draw the necessary parallels between different findings, and determine which findings identify unique problems, and which represent repetition.<br />
<br />
Recommended use:<br />
* Handling routine, manually intensive steps (e.g., input validation, field “fuzzing”, etc.) in an assessment is useful, particularly in large applications. However, scanner-based results can be used as the starting point from which expert testing can take over.<br />
* Testing less critical applications (i.e., applications that do not contain/handle business sensitive data and/or are not critical to business operation) where the perceived lower risk does not warrant performing hands-on testing.<br />
* Testing critical applications as a prelude to expert testing or code reviews.<br />
<br />
If a tool is used, it is important to define the technical limitations of the tool when the findings are presented. An example of this may involve noting the potential for SQL injection attacks based upon verbose SQL error messages, but also the tool’s inability to produce the correct syntax needed to extract specific information from the vulnerable database. A failure to convey the differences between automated and expert testing increases the risk that the application assessment results will be interpreted (particularly by management) as being more “secure” than they actually are. <br />
<br />
<br />
==Manual Penetration Testing==<br />
<br />
Manual Penetration Testing involves application analysis performed by an experienced analyst, usually using a combination of open source automated utilities (either self created or through security community) for performing task-specific functions and hands-on analysis to attempt to further ‘hack’ the application as an attacker.<br />
<br />
''Advantages:''<br />
* Open source tools utilized by the expert tester are developed usually for specific purposes rather than wrapping multiple functionality into a GUI. Typically are one of many components in the testers toolkit.<br />
* “Expert testing” is an intuitive approach (Business logic analysis), with the ability to identify flaws in business logic that automated scanners are usually incapable of finding.<br />
* Addresses many of the disadvantages noted in Automated Testing.<br />
* Ability to correlate events and minor issues that may lead to larger exposure. This is a critical advantage of hands-on testing and simulates how a real attacker would operate. <br />
* Ability to communicate complex technical findings in a manner that all can understand. The job is not done until the assessment end-client understands the nature of the vulnerability discovered and its security implications. <br />
** The analysis phase of expert testing provides “root cause” identification and recommendations based upon the unique, developmental characteristics of an application. Results from an automated tool cannot provide customized, specific recommendations tailored for each application and the end-client’s requirements. <br />
<br />
''Disadvantages:''<br />
* Often confused with Automated Testing – Marketing of commercial tools uses terms such as “expert” and “intuitive”, normally associated with an assessment performed by an experienced analyst.<br />
* Inability of most end-client organizations to determine if tester has appropriate application security skills required. There are no community accepted credentials/certifications established for this area of security.<br />
* Cost to conduct will be higher though there is no upfront capital cost.<br />
* Without establishing clear metrics up front, ongoing testing to determine trends within business environment or iterations of application is difficult.<br />
<br />
Recommended use:<br />
* Testing critical applications (i.e., applications that do contain/handle business sensitive data and/or are critical to business operation) where the perceived higher risk does not warrant performing automated testing.<br />
* Best suited for B2B, B2C and/or any transactional based and/or multi-level access application.<br />
<br />
<br />
<br />
==References/Sources==<br />
<br />
* Testing Taxonomy & Testing Tools Classification : http://www.owasp.org/index.php/Image:AppSec2005DC-Arian_Evans_Tools-Taxonomy.ppt<br />
<br />
<br />
<br />
[[Category:OWASP Application Security Assessment Standards Project]]<br />
{{Template:Stub}}</div>Manionchttps://wiki.owasp.org/index.php?title=Definition_for_Security_Assessment_Techniques&diff=10194Definition for Security Assessment Techniques2006-10-05T21:20:01Z<p>Manionc: /* Application Security Architecture Review */</p>
<hr />
<div>==Overview==<br />
<br />
This article’s focus is to define, where practical, nomenclature and definitions of the differing security '''Assessment Techniques'''. Agreement and establishment of these definitions are foundational to establishing the '''Assessment Levels''' later within this project.<br />
<br />
==Techniques==<br />
<br />
The following assessment techniques are proposed:<br />
<br />
* Application Security Threat Assessment<br />
* Application Security Architecture Review<br />
* Automated Security Code Scanning (Tool Based Static Analysis)<br />
* Automated External Application Scanning (Tool Based) <br />
* Manual Penetration Testing (Security Test Specialist)<br />
* Manual Application Security Code Review (Software Security Specialist)<br />
<br />
NOTE: these should probably link to full articles on each subject<br />
<br />
<br />
==Application Security Threat Assessment==<br />
<br />
Analyzes application architectural information to develop a threat profile for the application components. <br />
<br />
* Identify the nature of the threats – the likely vulnerabilities of the given application and business.<br />
<br />
* Estimate the probability that those vulnerabilities might lead to a disruption and the type of impact – both expected and worst case – that might arise.<br />
<br />
* Analyze the different consequences and their likelihood of occurrence and determine which should be dealt with and what priority should be attached to mitigate.<br />
<br />
While the threats to each asset within the Application can be individually developed and mapped, a more efficient approach is to develop a master list of threat types and identify how these can be used to launch an attack on the Application and/or its components and potentially in turn the business itself. A single threat may exploit a vulnerability to damage different types of assets. Conversely, several threat types may exploit disparate vulnerabilities in order to attack a single critical asset. Given the many-to-many relationships between threats and assets, it is best to use a simple representation of threat to asset mapping by listing threat types by each critical asset identified.<br />
<br />
A threat assessment should categorize threat types and threat agents but should focus on malicious threats and will not cover accidental and natural threats. The source of Malicious Threats (the attacker or perpetrator, in this context) can be classified as unauthorized and authorized. Threat vectors and operating environment more fully define how and why a particular “user” falls into one of these categories:<br />
<br />
Unauthorized: <br />
* An attacker who does not have credentials to legitimately access the application<br />
<br />
Authorized:<br />
* A legitimate user of the application<br />
* A malicious insider<br />
* A previously unauthorized user who has gained authorized access through compromise of a valid account or user session<br />
<br />
While the threat agents may have similar intent, varying reasons for engaging in illegal activities motivates them. Some authorized employees may willfully commit fraud for financial gain or engage in sabotage in order to disrupt routine operations. Theft, vandalism, intentional corruptions and alteration of information are also categorized as malicious threats.<br />
<br />
''Advantages:''<br />
* Aids in focusing testing activities and defining true targets in large scale enterprise level applications.<br />
* By using results from a threat assessment, the end-client is able to focus assessment (testing) activities based on business requirements and operational reality. <br />
* Allows vulnerabilities discovered in other assessment types to be weighted and prioritized based on threat probability vs. raw vulnerability finding.<br />
<br />
''Disadvantages:''<br />
* Cannot guarantee that all possible security threats will be uncovered. <br />
* End-client must evaluate analysis and determine responses(s).<br />
* Requires existence of application architecture documentation.<br />
* Often confused with Risk Assessments, which weigh asset value, threat, and vulnerability in order to determine business risk. Threat assessments focus on identifying only the threat component (vector(s) and probability).<br />
<br />
Recommended use:<br />
* Best as a precursor to development activities allowing best use of security resources (i.e., “bake in” security during application development begets higher return on investment vs. “bolting on” application security fixes post production).<br />
* Best utilized to determine the need and extent for further assessment (testing) activities (e.g., automated testing, expert testing, code review, etc.).<br />
<br />
<br />
<br />
==Application Security Architecture Review==<br />
<br />
Typically a table-top design level review and analysis of the application to identify critical assets, sensitive data stores and business critical interconnections. The purpose of architecture reviews is to also aid in determining potential attack vectors, which could be used in testing. Thus many organizations will blend this activity with Threat Assessment. The review of the application and its interconnections should include both a network- and application-level evaluation. Evaluation should identify areas of potential and actual vulnerability from these levels. This includes areas of vulnerability in the network and application architecture, in addition to a high-level measure of risk of each of those areas.<br />
<br />
''Advantages:''<br />
* Aids in focusing testing activities and defining true targets in large scale enterprise level applications.<br />
* Provides more depth to the development rationale of various functionality in the application life cycle. <br />
* By using results from Architecture Review, the assessment (testing) team is able to follow development logic in the “how” and “why” business and security requirements were integrated into application behavior and security controls/constraints. <br />
<br />
''Disadvantages:''<br />
* Cannot guarantee identification of all possible security threats. <br />
* Because the scope of an architectural assessment is far more complex than the limited perspective of an application layer assessment, recommendations are similarly complex, sometimes involving “political” changes (i.e., security department’s level of involvement in the SDLC). <br />
* Requires on-site discussions with application principals.<br />
<br />
Recommended use:<br />
* Best as a precursor to development activities allowing best use of security dollars (i.e., incorporate security in beginning begets higher return on investment vs. fixing applications post production). <br />
* Best utilized to determine the need and extent for further assessment (testing) activities (e.g., automated testing, expert testing, code review, etc.).<br />
<br />
==Manual Security-Focused Code Review==<br />
<br />
Review of the software source code to identify source code-level issues, which may enable an attacker to compromise an application, system, or business functionality. Web applications in particular are likely to have these vulnerabilities, as they are frequently developed quickly in an environment that does not allow for much security planning and testing. This should not be viewed as simply a generic software audit. Security-focused code reviews should be specifically tailored to find common vulnerabilities in applications. <br />
<br />
''Advantages:''<br />
* If integrated into the [http://en.wikipedia.org/wiki/Software_development_life_cycle Software Development Life Cycle (SDLC)], coding issues can be resolved earlier in the development process. (which is much less expensive to fix than a post-production revision of the code).<br />
* Provides the ability to identify and address serious coding issues (e.g., input validation, hard-coded credentials, debugging features, etc.) prior to production.<br />
* Enables development teams to identify and correct insecure coding techniques that could lead to security vulnerabilities or possible incidents.<br />
* Helps developers learn from each other and share knowledge on secure coding techniques, best practices and common solutions.<br />
<br />
<br />
''Disadvantages:''<br />
* can be very time consuming and costly if automated tools are not available to help augment the review process<br />
* If conducted solely by tools, results will be mostly static signature matching though some tools claim to walk codepath (follow nested loops and other regression through objects).<br />
* Even applications that exhibit strong and thorough software development practices (e.g., documentation, seamless modularity, string checking to prevent buffer overflows, etc.) can fall victim to attack if the underlying business logic doesn’t follow security requirements.<br />
* Requires specific programming expertise (e.g., Java, .NET, PHP, etc.) that many application testers do not have.<br />
<br />
Recommended use:<br />
* Security-focused code reviews should be conducted as part of the normal SDLC. Reviews may also be needed during or after security testing, prior to implementing system upgrades, prior to making system configuration changes, when new security bulletins are released, or immediately following any reported security incidents.<br />
<br />
==Automated Source Code Analysis==<br />
<br />
Automated source code analysis involves the use of special software "tools" to conduct [http://en.wikipedia.org/wiki/Static_code_analysis Static Code Analysis] on software source code to identify potential vulnerabilities within the code. <br />
<br />
''Advantages:''<br />
* can be very effective method for identifying defects in code functionality and syntax errors<br />
* most automated source code analysis tools are highly scalable<br />
* expedites code review process (can review 400-500 LOC/hr via manual review vs. up to 10,000 LOC/hr using automated source code scanning tools)<br />
* helps teams focus their manual code review activities on flagged, high-risk areas <br />
<br />
''Disadvantages:''<br />
* most automated source code analysis tools generate false positives <br />
* some automated source code analysis tools have a significant learning curve<br />
* some coding languages (such as ASP) are not supported by the tools<br />
* results of automated scans are basically "blueprints" of source code vulnerabilities, so they must be properly protected<br />
* Most of the automated source code analysis tools available on the market today can not identify logic errors, timing errors, resource conflicts, data errors and configuration errors.<br />
<br />
Recommended use:<br />
* Automated source code analysis tools can be used to enhance and improve an organization’s overall efforts to find and eliminate security vulnerabilities within software applications. However, they should not be viewed as a "silver bullet". Manual code reviews must still be conducted to identify false positives and security-related defects that tools can not identify.<br />
<br />
==Automated External Application Scanning==<br />
<br />
Utilizing automated open source or commercial software to discover known application layer vulnerabilities.<br />
<br />
''Advantages:''<br />
* Able to quickly identify default content, misconfigurations and error conditions resulting from improper input.<br />
* Ability to be run on automated, regular basis to provide baseline and ongoing vulnerability management metrics.<br />
* Can reduce the time required to assess large applications.<br />
* Lower cost to operate/execute (excluding initial capital cost if using commercial testing software).<br />
<br />
''Disadvantages:''<br />
* Not designed to determine the extent to which the vulnerabilities can be exploited to compromise the data the application handles.<br />
* Requires appropriate skills/knowledge to use, configure, and interpret results (despite “point and click” vendor marketing claims). <br />
* Requires extensive configuration and customization to emulate a user session.<br />
* Limited ability to correlate events and correlate minor issues that may lead to larger exposure. <br />
* Inability to adapt to dynamic responses in business logic flows.<br />
* Unable to find vulnerabilities that only become apparent after performing a sequence of steps (e.g., business logic flow bypass, session state compromise, etc.).<br />
* Unable to figure out “how deep the rabbit hole goes” – No means to interpret security implications, express extent of potential compromise, or identify seriousness of business and information exposure. <br />
* Tools will often be confused by some aspect of an application's behavior, causing a particular class of test to generate a false positive. Because most tools lack intelligence and cannot adapt to such conditions, test results include a large number of identical false positives. <br />
** For valid findings, the tools will often find dozens or hundreds of nearly identical findings, each with the same root cause. <br />
* Tool based findings are only indications of problems. Manual review (by someone well versed in web application testing) is usually necessary to draw the necessary parallels between different findings, and determine which findings identify unique problems, and which represent repetition.<br />
<br />
Recommended use:<br />
* Handling routine, manually intensive steps (e.g., input validation, field “fuzzing”, etc.) in an assessment is useful, particularly in large applications. However, scanner-based results can be used as the starting point from which expert testing can take over.<br />
* Testing less critical applications (i.e., applications that do not contain/handle business sensitive data and/or are not critical to business operation) where the perceived lower risk does not warrant performing hands-on testing.<br />
* Testing critical applications as a prelude to expert testing or code reviews.<br />
<br />
If a tool is used, it is important to define the technical limitations of the tool when the findings are presented. An example of this may involve noting the potential for SQL injection attacks based upon verbose SQL error messages, but also the tool’s inability to produce the correct syntax needed to extract specific information from the vulnerable database. A failure to convey the differences between automated and expert testing increases the risk that the application assessment results will be interpreted (particularly by management) as being more “secure” than they actually are. <br />
<br />
<br />
==Manual Penetration Testing==<br />
<br />
Manual Penetration Testing involves application analysis performed by an experienced analyst, usually using a combination of open source automated utilities (either self created or through security community) for performing task-specific functions and hands-on analysis to attempt to further ‘hack’ the application as an attacker.<br />
<br />
''Advantages:''<br />
* Open source tools utilized by the expert tester are developed usually for specific purposes rather than wrapping multiple functionality into a GUI. Typically are one of many components in the testers toolkit.<br />
* “Expert testing” is an intuitive approach (Business logic analysis), with the ability to identify flaws in business logic that automated scanners are usually incapable of finding.<br />
* Addresses many of the disadvantages noted in Automated Testing.<br />
* Ability to correlate events and minor issues that may lead to larger exposure. This is a critical advantage of hands-on testing and simulates how a real attacker would operate. <br />
* Ability to communicate complex technical findings in a manner that all can understand. The job is not done until the assessment end-client understands the nature of the vulnerability discovered and its security implications. <br />
** The analysis phase of expert testing provides “root cause” identification and recommendations based upon the unique, developmental characteristics of an application. Results from an automated tool cannot provide customized, specific recommendations tailored for each application and the end-client’s requirements. <br />
<br />
''Disadvantages:''<br />
* Often confused with Automated Testing – Marketing of commercial tools uses terms such as “expert” and “intuitive”, normally associated with an assessment performed by an experienced analyst.<br />
* Inability of most end-client organizations to determine if tester has appropriate application security skills required. There are no community accepted credentials/certifications established for this area of security.<br />
* Cost to conduct will be higher though there is no upfront capital cost.<br />
* Without establishing clear metrics up front, ongoing testing to determine trends within business environment or iterations of application is difficult.<br />
<br />
Recommended use:<br />
* Testing critical applications (i.e., applications that do contain/handle business sensitive data and/or are critical to business operation) where the perceived higher risk does not warrant performing automated testing.<br />
* Best suited for B2B, B2C and/or any transactional based and/or multi-level access application.<br />
<br />
<br />
<br />
==References/Sources==<br />
<br />
* Testing Taxonomy & Testing Tools Classification : http://www.owasp.org/index.php/Image:AppSec2005DC-Arian_Evans_Tools-Taxonomy.ppt<br />
<br />
<br />
<br />
[[Category:OWASP Application Security Assessment Standards Project]]<br />
{{Template:Stub}}</div>Manionchttps://wiki.owasp.org/index.php?title=Definition_for_Security_Assessment_Techniques&diff=10193Definition for Security Assessment Techniques2006-10-05T21:19:36Z<p>Manionc: /* Manual Security-Focused Code Review */</p>
<hr />
<div>==Overview==<br />
<br />
This article’s focus is to define, where practical, nomenclature and definitions of the differing security '''Assessment Techniques'''. Agreement and establishment of these definitions are foundational to establishing the '''Assessment Levels''' later within this project.<br />
<br />
==Techniques==<br />
<br />
The following assessment techniques are proposed:<br />
<br />
* Application Security Threat Assessment<br />
* Application Security Architecture Review<br />
* Automated Security Code Scanning (Tool Based Static Analysis)<br />
* Automated External Application Scanning (Tool Based) <br />
* Manual Penetration Testing (Security Test Specialist)<br />
* Manual Application Security Code Review (Software Security Specialist)<br />
<br />
NOTE: these should probably link to full articles on each subject<br />
<br />
<br />
==Application Security Threat Assessment==<br />
<br />
Analyzes application architectural information to develop a threat profile for the application components. <br />
<br />
* Identify the nature of the threats – the likely vulnerabilities of the given application and business.<br />
<br />
* Estimate the probability that those vulnerabilities might lead to a disruption and the type of impact – both expected and worst case – that might arise.<br />
<br />
* Analyze the different consequences and their likelihood of occurrence and determine which should be dealt with and what priority should be attached to mitigate.<br />
<br />
While the threats to each asset within the Application can be individually developed and mapped, a more efficient approach is to develop a master list of threat types and identify how these can be used to launch an attack on the Application and/or its components and potentially in turn the business itself. A single threat may exploit a vulnerability to damage different types of assets. Conversely, several threat types may exploit disparate vulnerabilities in order to attack a single critical asset. Given the many-to-many relationships between threats and assets, it is best to use a simple representation of threat to asset mapping by listing threat types by each critical asset identified.<br />
<br />
A threat assessment should categorize threat types and threat agents but should focus on malicious threats and will not cover accidental and natural threats. The source of Malicious Threats (the attacker or perpetrator, in this context) can be classified as unauthorized and authorized. Threat vectors and operating environment more fully define how and why a particular “user” falls into one of these categories:<br />
<br />
Unauthorized: <br />
* An attacker who does not have credentials to legitimately access the application<br />
<br />
Authorized:<br />
* A legitimate user of the application<br />
* A malicious insider<br />
* A previously unauthorized user who has gained authorized access through compromise of a valid account or user session<br />
<br />
While the threat agents may have similar intent, varying reasons for engaging in illegal activities motivates them. Some authorized employees may willfully commit fraud for financial gain or engage in sabotage in order to disrupt routine operations. Theft, vandalism, intentional corruptions and alteration of information are also categorized as malicious threats.<br />
<br />
''Advantages:''<br />
* Aids in focusing testing activities and defining true targets in large scale enterprise level applications.<br />
* By using results from a threat assessment, the end-client is able to focus assessment (testing) activities based on business requirements and operational reality. <br />
* Allows vulnerabilities discovered in other assessment types to be weighted and prioritized based on threat probability vs. raw vulnerability finding.<br />
<br />
''Disadvantages:''<br />
* Cannot guarantee that all possible security threats will be uncovered. <br />
* End-client must evaluate analysis and determine responses(s).<br />
* Requires existence of application architecture documentation.<br />
* Often confused with Risk Assessments, which weigh asset value, threat, and vulnerability in order to determine business risk. Threat assessments focus on identifying only the threat component (vector(s) and probability).<br />
<br />
Recommended use:<br />
* Best as a precursor to development activities allowing best use of security resources (i.e., “bake in” security during application development begets higher return on investment vs. “bolting on” application security fixes post production).<br />
* Best utilized to determine the need and extent for further assessment (testing) activities (e.g., automated testing, expert testing, code review, etc.).<br />
<br />
==Application Security Architecture Review==<br />
<br />
Typically a table-top design level review and analysis of the application to identify critical assets, sensitive data stores and business critical interconnections. The purpose of architecture reviews is to also aid in determining potential attack vectors, which could be used in testing. Thus many organizations will blend this activity with Threat Assessment. The review of the application and its interconnections should include both a network- and application-level evaluation. Evaluation should identify areas of potential and actual vulnerability from these levels. This includes areas of vulnerability in the network and application architecture, in addition to a high-level measure of risk of each of those areas.<br />
<br />
''Advantages:''<br />
* Aids in focusing testing activities and defining true targets in large scale enterprise level applications.<br />
* Provides more depth to the development rationale of various functionality in the application life cycle. <br />
* By using results from Architecture Review, the assessment (testing) team is able to follow development logic in the “how” and “why” business and security requirements were integrated into application behavior and security controls/constraints. <br />
<br />
''Disadvantages:''<br />
* Cannot guarantee identification of all possible security threats. <br />
* Because the scope of an architectural assessment is far more complex than the limited perspective of an application layer assessment, recommendations are similarly complex, sometimes involving “political” changes (i.e., security department’s level of involvement in the SDLC). <br />
* Requires on-site discussions with application principals.<br />
<br />
Recommended use:<br />
* Best as a precursor to development activities allowing best use of security dollars (i.e., incorporate security in beginning begets higher return on investment vs. fixing applications post production). <br />
* Best utilized to determine the need and extent for further assessment (testing) activities (e.g., automated testing, expert testing, code review, etc.).<br />
<br />
<br />
<br />
==Manual Security-Focused Code Review==<br />
<br />
Review of the software source code to identify source code-level issues, which may enable an attacker to compromise an application, system, or business functionality. Web applications in particular are likely to have these vulnerabilities, as they are frequently developed quickly in an environment that does not allow for much security planning and testing. This should not be viewed as simply a generic software audit. Security-focused code reviews should be specifically tailored to find common vulnerabilities in applications. <br />
<br />
''Advantages:''<br />
* If integrated into the [http://en.wikipedia.org/wiki/Software_development_life_cycle Software Development Life Cycle (SDLC)], coding issues can be resolved earlier in the development process. (which is much less expensive to fix than a post-production revision of the code).<br />
* Provides the ability to identify and address serious coding issues (e.g., input validation, hard-coded credentials, debugging features, etc.) prior to production.<br />
* Enables development teams to identify and correct insecure coding techniques that could lead to security vulnerabilities or possible incidents.<br />
* Helps developers learn from each other and share knowledge on secure coding techniques, best practices and common solutions.<br />
<br />
<br />
''Disadvantages:''<br />
* can be very time consuming and costly if automated tools are not available to help augment the review process<br />
* If conducted solely by tools, results will be mostly static signature matching though some tools claim to walk codepath (follow nested loops and other regression through objects).<br />
* Even applications that exhibit strong and thorough software development practices (e.g., documentation, seamless modularity, string checking to prevent buffer overflows, etc.) can fall victim to attack if the underlying business logic doesn’t follow security requirements.<br />
* Requires specific programming expertise (e.g., Java, .NET, PHP, etc.) that many application testers do not have.<br />
<br />
Recommended use:<br />
* Security-focused code reviews should be conducted as part of the normal SDLC. Reviews may also be needed during or after security testing, prior to implementing system upgrades, prior to making system configuration changes, when new security bulletins are released, or immediately following any reported security incidents.<br />
<br />
==Automated Source Code Analysis==<br />
<br />
Automated source code analysis involves the use of special software "tools" to conduct [http://en.wikipedia.org/wiki/Static_code_analysis Static Code Analysis] on software source code to identify potential vulnerabilities within the code. <br />
<br />
''Advantages:''<br />
* can be very effective method for identifying defects in code functionality and syntax errors<br />
* most automated source code analysis tools are highly scalable<br />
* expedites code review process (can review 400-500 LOC/hr via manual review vs. up to 10,000 LOC/hr using automated source code scanning tools)<br />
* helps teams focus their manual code review activities on flagged, high-risk areas <br />
<br />
''Disadvantages:''<br />
* most automated source code analysis tools generate false positives <br />
* some automated source code analysis tools have a significant learning curve<br />
* some coding languages (such as ASP) are not supported by the tools<br />
* results of automated scans are basically "blueprints" of source code vulnerabilities, so they must be properly protected<br />
* Most of the automated source code analysis tools available on the market today can not identify logic errors, timing errors, resource conflicts, data errors and configuration errors.<br />
<br />
Recommended use:<br />
* Automated source code analysis tools can be used to enhance and improve an organization’s overall efforts to find and eliminate security vulnerabilities within software applications. However, they should not be viewed as a "silver bullet". Manual code reviews must still be conducted to identify false positives and security-related defects that tools can not identify.<br />
<br />
==Automated External Application Scanning==<br />
<br />
Utilizing automated open source or commercial software to discover known application layer vulnerabilities.<br />
<br />
''Advantages:''<br />
* Able to quickly identify default content, misconfigurations and error conditions resulting from improper input.<br />
* Ability to be run on automated, regular basis to provide baseline and ongoing vulnerability management metrics.<br />
* Can reduce the time required to assess large applications.<br />
* Lower cost to operate/execute (excluding initial capital cost if using commercial testing software).<br />
<br />
''Disadvantages:''<br />
* Not designed to determine the extent to which the vulnerabilities can be exploited to compromise the data the application handles.<br />
* Requires appropriate skills/knowledge to use, configure, and interpret results (despite “point and click” vendor marketing claims). <br />
* Requires extensive configuration and customization to emulate a user session.<br />
* Limited ability to correlate events and correlate minor issues that may lead to larger exposure. <br />
* Inability to adapt to dynamic responses in business logic flows.<br />
* Unable to find vulnerabilities that only become apparent after performing a sequence of steps (e.g., business logic flow bypass, session state compromise, etc.).<br />
* Unable to figure out “how deep the rabbit hole goes” – No means to interpret security implications, express extent of potential compromise, or identify seriousness of business and information exposure. <br />
* Tools will often be confused by some aspect of an application's behavior, causing a particular class of test to generate a false positive. Because most tools lack intelligence and cannot adapt to such conditions, test results include a large number of identical false positives. <br />
** For valid findings, the tools will often find dozens or hundreds of nearly identical findings, each with the same root cause. <br />
* Tool based findings are only indications of problems. Manual review (by someone well versed in web application testing) is usually necessary to draw the necessary parallels between different findings, and determine which findings identify unique problems, and which represent repetition.<br />
<br />
Recommended use:<br />
* Handling routine, manually intensive steps (e.g., input validation, field “fuzzing”, etc.) in an assessment is useful, particularly in large applications. However, scanner-based results can be used as the starting point from which expert testing can take over.<br />
* Testing less critical applications (i.e., applications that do not contain/handle business sensitive data and/or are not critical to business operation) where the perceived lower risk does not warrant performing hands-on testing.<br />
* Testing critical applications as a prelude to expert testing or code reviews.<br />
<br />
If a tool is used, it is important to define the technical limitations of the tool when the findings are presented. An example of this may involve noting the potential for SQL injection attacks based upon verbose SQL error messages, but also the tool’s inability to produce the correct syntax needed to extract specific information from the vulnerable database. A failure to convey the differences between automated and expert testing increases the risk that the application assessment results will be interpreted (particularly by management) as being more “secure” than they actually are. <br />
<br />
<br />
==Manual Penetration Testing==<br />
<br />
Manual Penetration Testing involves application analysis performed by an experienced analyst, usually using a combination of open source automated utilities (either self created or through security community) for performing task-specific functions and hands-on analysis to attempt to further ‘hack’ the application as an attacker.<br />
<br />
''Advantages:''<br />
* Open source tools utilized by the expert tester are developed usually for specific purposes rather than wrapping multiple functionality into a GUI. Typically are one of many components in the testers toolkit.<br />
* “Expert testing” is an intuitive approach (Business logic analysis), with the ability to identify flaws in business logic that automated scanners are usually incapable of finding.<br />
* Addresses many of the disadvantages noted in Automated Testing.<br />
* Ability to correlate events and minor issues that may lead to larger exposure. This is a critical advantage of hands-on testing and simulates how a real attacker would operate. <br />
* Ability to communicate complex technical findings in a manner that all can understand. The job is not done until the assessment end-client understands the nature of the vulnerability discovered and its security implications. <br />
** The analysis phase of expert testing provides “root cause” identification and recommendations based upon the unique, developmental characteristics of an application. Results from an automated tool cannot provide customized, specific recommendations tailored for each application and the end-client’s requirements. <br />
<br />
''Disadvantages:''<br />
* Often confused with Automated Testing – Marketing of commercial tools uses terms such as “expert” and “intuitive”, normally associated with an assessment performed by an experienced analyst.<br />
* Inability of most end-client organizations to determine if tester has appropriate application security skills required. There are no community accepted credentials/certifications established for this area of security.<br />
* Cost to conduct will be higher though there is no upfront capital cost.<br />
* Without establishing clear metrics up front, ongoing testing to determine trends within business environment or iterations of application is difficult.<br />
<br />
Recommended use:<br />
* Testing critical applications (i.e., applications that do contain/handle business sensitive data and/or are critical to business operation) where the perceived higher risk does not warrant performing automated testing.<br />
* Best suited for B2B, B2C and/or any transactional based and/or multi-level access application.<br />
<br />
<br />
<br />
==References/Sources==<br />
<br />
* Testing Taxonomy & Testing Tools Classification : http://www.owasp.org/index.php/Image:AppSec2005DC-Arian_Evans_Tools-Taxonomy.ppt<br />
<br />
<br />
<br />
[[Category:OWASP Application Security Assessment Standards Project]]<br />
{{Template:Stub}}</div>Manionchttps://wiki.owasp.org/index.php?title=Definition_for_Security_Assessment_Techniques&diff=10192Definition for Security Assessment Techniques2006-10-05T21:18:58Z<p>Manionc: </p>
<hr />
<div>==Overview==<br />
<br />
This article’s focus is to define, where practical, nomenclature and definitions of the differing security '''Assessment Techniques'''. Agreement and establishment of these definitions are foundational to establishing the '''Assessment Levels''' later within this project.<br />
<br />
==Techniques==<br />
<br />
The following assessment techniques are proposed:<br />
<br />
* Application Security Threat Assessment<br />
* Application Security Architecture Review<br />
* Automated Security Code Scanning (Tool Based Static Analysis)<br />
* Automated External Application Scanning (Tool Based) <br />
* Manual Penetration Testing (Security Test Specialist)<br />
* Manual Application Security Code Review (Software Security Specialist)<br />
<br />
NOTE: these should probably link to full articles on each subject<br />
<br />
<br />
==Application Security Threat Assessment==<br />
<br />
Analyzes application architectural information to develop a threat profile for the application components. <br />
<br />
* Identify the nature of the threats – the likely vulnerabilities of the given application and business.<br />
<br />
* Estimate the probability that those vulnerabilities might lead to a disruption and the type of impact – both expected and worst case – that might arise.<br />
<br />
* Analyze the different consequences and their likelihood of occurrence and determine which should be dealt with and what priority should be attached to mitigate.<br />
<br />
While the threats to each asset within the Application can be individually developed and mapped, a more efficient approach is to develop a master list of threat types and identify how these can be used to launch an attack on the Application and/or its components and potentially in turn the business itself. A single threat may exploit a vulnerability to damage different types of assets. Conversely, several threat types may exploit disparate vulnerabilities in order to attack a single critical asset. Given the many-to-many relationships between threats and assets, it is best to use a simple representation of threat to asset mapping by listing threat types by each critical asset identified.<br />
<br />
A threat assessment should categorize threat types and threat agents but should focus on malicious threats and will not cover accidental and natural threats. The source of Malicious Threats (the attacker or perpetrator, in this context) can be classified as unauthorized and authorized. Threat vectors and operating environment more fully define how and why a particular “user” falls into one of these categories:<br />
<br />
Unauthorized: <br />
* An attacker who does not have credentials to legitimately access the application<br />
<br />
Authorized:<br />
* A legitimate user of the application<br />
* A malicious insider<br />
* A previously unauthorized user who has gained authorized access through compromise of a valid account or user session<br />
<br />
While the threat agents may have similar intent, varying reasons for engaging in illegal activities motivates them. Some authorized employees may willfully commit fraud for financial gain or engage in sabotage in order to disrupt routine operations. Theft, vandalism, intentional corruptions and alteration of information are also categorized as malicious threats.<br />
<br />
''Advantages:''<br />
* Aids in focusing testing activities and defining true targets in large scale enterprise level applications.<br />
* By using results from a threat assessment, the end-client is able to focus assessment (testing) activities based on business requirements and operational reality. <br />
* Allows vulnerabilities discovered in other assessment types to be weighted and prioritized based on threat probability vs. raw vulnerability finding.<br />
<br />
''Disadvantages:''<br />
* Cannot guarantee that all possible security threats will be uncovered. <br />
* End-client must evaluate analysis and determine responses(s).<br />
* Requires existence of application architecture documentation.<br />
* Often confused with Risk Assessments, which weigh asset value, threat, and vulnerability in order to determine business risk. Threat assessments focus on identifying only the threat component (vector(s) and probability).<br />
<br />
Recommended use:<br />
* Best as a precursor to development activities allowing best use of security resources (i.e., “bake in” security during application development begets higher return on investment vs. “bolting on” application security fixes post production).<br />
* Best utilized to determine the need and extent for further assessment (testing) activities (e.g., automated testing, expert testing, code review, etc.).<br />
<br />
==Application Security Architecture Review==<br />
<br />
Typically a table-top design level review and analysis of the application to identify critical assets, sensitive data stores and business critical interconnections. The purpose of architecture reviews is to also aid in determining potential attack vectors, which could be used in testing. Thus many organizations will blend this activity with Threat Assessment. The review of the application and its interconnections should include both a network- and application-level evaluation. Evaluation should identify areas of potential and actual vulnerability from these levels. This includes areas of vulnerability in the network and application architecture, in addition to a high-level measure of risk of each of those areas.<br />
<br />
''Advantages:''<br />
* Aids in focusing testing activities and defining true targets in large scale enterprise level applications.<br />
* Provides more depth to the development rationale of various functionality in the application life cycle. <br />
* By using results from Architecture Review, the assessment (testing) team is able to follow development logic in the “how” and “why” business and security requirements were integrated into application behavior and security controls/constraints. <br />
<br />
''Disadvantages:''<br />
* Cannot guarantee identification of all possible security threats. <br />
* Because the scope of an architectural assessment is far more complex than the limited perspective of an application layer assessment, recommendations are similarly complex, sometimes involving “political” changes (i.e., security department’s level of involvement in the SDLC). <br />
* Requires on-site discussions with application principals.<br />
<br />
Recommended use:<br />
* Best as a precursor to development activities allowing best use of security dollars (i.e., incorporate security in beginning begets higher return on investment vs. fixing applications post production). <br />
* Best utilized to determine the need and extent for further assessment (testing) activities (e.g., automated testing, expert testing, code review, etc.).<br />
<br />
==Manual Security-Focused Code Review==<br />
<br />
Review of the software source code to identify source code-level issues, which may enable an attacker to compromise an application, system, or business functionality. Web applications in particular are likely to have these vulnerabilities, as they are frequently developed quickly in an environment that does not allow for much security planning and testing. This should not be viewed as simply a generic software audit. Security-focused code reviews should be specifically tailored to find common vulnerabilities in applications. <br />
<br />
''Advantages:''<br />
* If integrated into the [http://en.wikipedia.org/wiki/Software_development_life_cycle Software Development Life Cycle (SDLC)], coding issues can be resolved earlier in the development process. (which is much less expensive to fix than a post-production revision of the code).<br />
* Provides the ability to identify and address serious coding issues (e.g., input validation, hard-coded credentials, debugging features, etc.) prior to production.<br />
* Enables development teams to identify and correct insecure coding techniques that could lead to security vulnerabilities or possible incidents.<br />
* Helps developers learn from each other and share knowledge on secure coding techniques, best practices and common solutions.<br />
<br />
<br />
''Disadvantages:''<br />
* can be very time consuming and costly if automated tools are not available to help augment the review process<br />
* If conducted solely by tools, results will be mostly static signature matching though some tools claim to walk codepath (follow nested loops and other regression through objects).<br />
* Even applications that exhibit strong and thorough software development practices (e.g., documentation, seamless modularity, string checking to prevent buffer overflows, etc.) can fall victim to attack if the underlying business logic doesn’t follow security requirements.<br />
* Requires specific programming expertise (e.g., Java, .NET, PHP, etc.) that many application testers do not have.<br />
<br />
Recommended use:<br />
* Security-focused code reviews should be conducted as part of the normal SDLC. Reviews may also be needed during or after security testing, prior to implementing system upgrades, prior to making system configuration changes, when new security bulletins are released, or immediately following any reported security incidents.<br />
<br />
<br />
<br />
==Automated Source Code Analysis==<br />
<br />
Automated source code analysis involves the use of special software "tools" to conduct [http://en.wikipedia.org/wiki/Static_code_analysis Static Code Analysis] on software source code to identify potential vulnerabilities within the code. <br />
<br />
''Advantages:''<br />
* can be very effective method for identifying defects in code functionality and syntax errors<br />
* most automated source code analysis tools are highly scalable<br />
* expedites code review process (can review 400-500 LOC/hr via manual review vs. up to 10,000 LOC/hr using automated source code scanning tools)<br />
* helps teams focus their manual code review activities on flagged, high-risk areas <br />
<br />
''Disadvantages:''<br />
* most automated source code analysis tools generate false positives <br />
* some automated source code analysis tools have a significant learning curve<br />
* some coding languages (such as ASP) are not supported by the tools<br />
* results of automated scans are basically "blueprints" of source code vulnerabilities, so they must be properly protected<br />
* Most of the automated source code analysis tools available on the market today can not identify logic errors, timing errors, resource conflicts, data errors and configuration errors.<br />
<br />
Recommended use:<br />
* Automated source code analysis tools can be used to enhance and improve an organization’s overall efforts to find and eliminate security vulnerabilities within software applications. However, they should not be viewed as a "silver bullet". Manual code reviews must still be conducted to identify false positives and security-related defects that tools can not identify.<br />
<br />
==Automated External Application Scanning==<br />
<br />
Utilizing automated open source or commercial software to discover known application layer vulnerabilities.<br />
<br />
''Advantages:''<br />
* Able to quickly identify default content, misconfigurations and error conditions resulting from improper input.<br />
* Ability to be run on automated, regular basis to provide baseline and ongoing vulnerability management metrics.<br />
* Can reduce the time required to assess large applications.<br />
* Lower cost to operate/execute (excluding initial capital cost if using commercial testing software).<br />
<br />
''Disadvantages:''<br />
* Not designed to determine the extent to which the vulnerabilities can be exploited to compromise the data the application handles.<br />
* Requires appropriate skills/knowledge to use, configure, and interpret results (despite “point and click” vendor marketing claims). <br />
* Requires extensive configuration and customization to emulate a user session.<br />
* Limited ability to correlate events and correlate minor issues that may lead to larger exposure. <br />
* Inability to adapt to dynamic responses in business logic flows.<br />
* Unable to find vulnerabilities that only become apparent after performing a sequence of steps (e.g., business logic flow bypass, session state compromise, etc.).<br />
* Unable to figure out “how deep the rabbit hole goes” – No means to interpret security implications, express extent of potential compromise, or identify seriousness of business and information exposure. <br />
* Tools will often be confused by some aspect of an application's behavior, causing a particular class of test to generate a false positive. Because most tools lack intelligence and cannot adapt to such conditions, test results include a large number of identical false positives. <br />
** For valid findings, the tools will often find dozens or hundreds of nearly identical findings, each with the same root cause. <br />
* Tool based findings are only indications of problems. Manual review (by someone well versed in web application testing) is usually necessary to draw the necessary parallels between different findings, and determine which findings identify unique problems, and which represent repetition.<br />
<br />
Recommended use:<br />
* Handling routine, manually intensive steps (e.g., input validation, field “fuzzing”, etc.) in an assessment is useful, particularly in large applications. However, scanner-based results can be used as the starting point from which expert testing can take over.<br />
* Testing less critical applications (i.e., applications that do not contain/handle business sensitive data and/or are not critical to business operation) where the perceived lower risk does not warrant performing hands-on testing.<br />
* Testing critical applications as a prelude to expert testing or code reviews.<br />
<br />
If a tool is used, it is important to define the technical limitations of the tool when the findings are presented. An example of this may involve noting the potential for SQL injection attacks based upon verbose SQL error messages, but also the tool’s inability to produce the correct syntax needed to extract specific information from the vulnerable database. A failure to convey the differences between automated and expert testing increases the risk that the application assessment results will be interpreted (particularly by management) as being more “secure” than they actually are. <br />
<br />
<br />
==Manual Penetration Testing==<br />
<br />
Manual Penetration Testing involves application analysis performed by an experienced analyst, usually using a combination of open source automated utilities (either self created or through security community) for performing task-specific functions and hands-on analysis to attempt to further ‘hack’ the application as an attacker.<br />
<br />
''Advantages:''<br />
* Open source tools utilized by the expert tester are developed usually for specific purposes rather than wrapping multiple functionality into a GUI. Typically are one of many components in the testers toolkit.<br />
* “Expert testing” is an intuitive approach (Business logic analysis), with the ability to identify flaws in business logic that automated scanners are usually incapable of finding.<br />
* Addresses many of the disadvantages noted in Automated Testing.<br />
* Ability to correlate events and minor issues that may lead to larger exposure. This is a critical advantage of hands-on testing and simulates how a real attacker would operate. <br />
* Ability to communicate complex technical findings in a manner that all can understand. The job is not done until the assessment end-client understands the nature of the vulnerability discovered and its security implications. <br />
** The analysis phase of expert testing provides “root cause” identification and recommendations based upon the unique, developmental characteristics of an application. Results from an automated tool cannot provide customized, specific recommendations tailored for each application and the end-client’s requirements. <br />
<br />
''Disadvantages:''<br />
* Often confused with Automated Testing – Marketing of commercial tools uses terms such as “expert” and “intuitive”, normally associated with an assessment performed by an experienced analyst.<br />
* Inability of most end-client organizations to determine if tester has appropriate application security skills required. There are no community accepted credentials/certifications established for this area of security.<br />
* Cost to conduct will be higher though there is no upfront capital cost.<br />
* Without establishing clear metrics up front, ongoing testing to determine trends within business environment or iterations of application is difficult.<br />
<br />
Recommended use:<br />
* Testing critical applications (i.e., applications that do contain/handle business sensitive data and/or are critical to business operation) where the perceived higher risk does not warrant performing automated testing.<br />
* Best suited for B2B, B2C and/or any transactional based and/or multi-level access application.<br />
<br />
<br />
<br />
==References/Sources==<br />
<br />
* Testing Taxonomy & Testing Tools Classification : http://www.owasp.org/index.php/Image:AppSec2005DC-Arian_Evans_Tools-Taxonomy.ppt<br />
<br />
<br />
<br />
[[Category:OWASP Application Security Assessment Standards Project]]<br />
{{Template:Stub}}</div>Manionchttps://wiki.owasp.org/index.php?title=Definition_for_Security_Assessment_Techniques&diff=10191Definition for Security Assessment Techniques2006-10-05T21:06:02Z<p>Manionc: /* Automated Source Code Analysis */</p>
<hr />
<div>==Overview==<br />
<br />
This article’s focus is to define, where practical, nomenclature and definitions of the differing security '''Assessment Techniques'''. Agreement and establishment of these definitions are foundational to establishing the '''Assessment Levels''' later within this project.<br />
<br />
==Techniques==<br />
<br />
The following assessment techniques are proposed:<br />
<br />
* Application Security Threat Assessment<br />
* Application Security Architecture Review<br />
* Automated Security Code Scanning (Tool Based Static Analysis)<br />
* Automated External Application Scanning (Tool Based) <br />
* Manual Penetration Testing (Security Test Specialist)<br />
* Manual Application Security Code Review (Software Security Specialist)<br />
<br />
NOTE: these should probably link to full articles on each subject<br />
<br />
<br />
==Application Security Threat Assessment==<br />
<br />
Analyzes application architectural information to develop a threat profile for the application components. <br />
<br />
* Identify the nature of the threats – the likely vulnerabilities of the given application and business.<br />
<br />
* Estimate the probability that those vulnerabilities might lead to a disruption and the type of impact – both expected and worst case – that might arise.<br />
<br />
* Analyze the different consequences and their likelihood of occurrence and determine which should be dealt with and what priority should be attached to mitigate.<br />
<br />
While the threats to each asset within the Application can be individually developed and mapped, a more efficient approach is to develop a master list of threat types and identify how these can be used to launch an attack on the Application and/or its components and potentially in turn the business itself. A single threat may exploit a vulnerability to damage different types of assets. Conversely, several threat types may exploit disparate vulnerabilities in order to attack a single critical asset. Given the many-to-many relationships between threats and assets, it is best to use a simple representation of threat to asset mapping by listing threat types by each critical asset identified.<br />
<br />
A threat assessment should categorize threat types and threat agents but should focus on malicious threats and will not cover accidental and natural threats. The source of Malicious Threats (the attacker or perpetrator, in this context) can be classified as unauthorized and authorized. Threat vectors and operating environment more fully define how and why a particular “user” falls into one of these categories:<br />
<br />
Unauthorized: <br />
* An attacker who does not have credentials to legitimately access the application<br />
<br />
Authorized:<br />
* A legitimate user of the application<br />
* A malicious insider<br />
* A previously unauthorized user who has gained authorized access through compromise of a valid account or user session<br />
<br />
While the threat agents may have similar intent, varying reasons for engaging in illegal activities motivates them. Some authorized employees may willfully commit fraud for financial gain or engage in sabotage in order to disrupt routine operations. Theft, vandalism, intentional corruptions and alteration of information are also categorized as malicious threats.<br />
<br />
''Advantages:''<br />
* Aids in focusing testing activities and defining true targets in large scale enterprise level applications.<br />
* By using results from a threat assessment, the end-client is able to focus assessment (testing) activities based on business requirements and operational reality. <br />
* Allows vulnerabilities discovered in other assessment types to be weighted and prioritized based on threat probability vs. raw vulnerability finding.<br />
<br />
''Disadvantages:''<br />
* Cannot guarantee that all possible security threats will be uncovered. <br />
* End-client must evaluate analysis and determine responses(s).<br />
* Requires existence of application architecture documentation.<br />
* Often confused with Risk Assessments, which weigh asset value, threat, and vulnerability in order to determine business risk. Threat assessments focus on identifying only the threat component (vector(s) and probability).<br />
<br />
Recommended use:<br />
* Best as a precursor to development activities allowing best use of security resources (i.e., “bake in” security during application development begets higher return on investment vs. “bolting on” application security fixes post production).<br />
* Best utilized to determine the need and extent for further assessment (testing) activities (e.g., automated testing, expert testing, code review, etc.).<br />
<br />
==Application Security Architecture Review==<br />
<br />
Typically a table-top design level review and analysis of the application to identify critical assets, sensitive data stores and business critical interconnections. The purpose of architecture reviews is to also aid in determining potential attack vectors, which could be used in testing. Thus many organizations will blend this activity with Threat Assessment. The review of the application and its interconnections should include both a network- and application-level evaluation. Evaluation should identify areas of potential and actual vulnerability from these levels. This includes areas of vulnerability in the network and application architecture, in addition to a high-level measure of risk of each of those areas.<br />
<br />
''Advantages:''<br />
* Aids in focusing testing activities and defining true targets in large scale enterprise level applications.<br />
* Provides more depth to the development rationale of various functionality in the application life cycle. <br />
* By using results from Architecture Review, the assessment (testing) team is able to follow development logic in the “how” and “why” business and security requirements were integrated into application behavior and security controls/constraints. <br />
<br />
''Disadvantages:''<br />
* Cannot guarantee identification of all possible security threats. <br />
* Because the scope of an architectural assessment is far more complex than the limited perspective of an application layer assessment, recommendations are similarly complex, sometimes involving “political” changes (i.e., security department’s level of involvement in the SDLC). <br />
* Requires on-site discussions with application principals.<br />
<br />
Recommended use:<br />
* Best as a precursor to development activities allowing best use of security dollars (i.e., incorporate security in beginning begets higher return on investment vs. fixing applications post production). <br />
* Best utilized to determine the need and extent for further assessment (testing) activities (e.g., automated testing, expert testing, code review, etc.).<br />
<br />
<br />
<br />
==Automated Source Code Analysis==<br />
<br />
Automated source code analysis involves the use of special software "tools" to conduct [http://en.wikipedia.org/wiki/Static_code_analysis Static Code Analysis] on software source code to identify potential vulnerabilities within the code. <br />
<br />
''Advantages:''<br />
* can be very effective method for identifying defects in code functionality and syntax errors<br />
* most automated source code analysis tools are highly scalable<br />
* expedites code review process (can review 400-500 LOC/hr via manual review vs. up to 10,000 LOC/hr using automated source code scanning tools)<br />
* helps teams focus their manual code review activities on flagged, high-risk areas <br />
<br />
''Disadvantages:''<br />
* most automated source code analysis tools generate false positives <br />
* some automated source code analysis tools have a significant learning curve<br />
* some coding languages (such as ASP) are not supported by the tools<br />
* results of automated scans are basically "blueprints" of source code vulnerabilities, so they must be properly protected<br />
* Most of the automated source code analysis tools available on the market today can not identify logic errors, timing errors, resource conflicts, data errors and configuration errors.<br />
<br />
Recommended use:<br />
* Automated source code analysis tools can be used to enhance and improve an organization’s overall efforts to find and eliminate security vulnerabilities within software applications. However, they should not be viewed as a "silver bullet". Manual code reviews must still be conducted to identify false positives and security-related defects that tools can not identify.<br />
<br />
==Automated External Application Scanning==<br />
<br />
Utilizing automated open source or commercial software to discover known application layer vulnerabilities.<br />
<br />
''Advantages:''<br />
* Able to quickly identify default content, misconfigurations and error conditions resulting from improper input.<br />
* Ability to be run on automated, regular basis to provide baseline and ongoing vulnerability management metrics.<br />
* Can reduce the time required to assess large applications.<br />
* Lower cost to operate/execute (excluding initial capital cost if using commercial testing software).<br />
<br />
''Disadvantages:''<br />
* Not designed to determine the extent to which the vulnerabilities can be exploited to compromise the data the application handles.<br />
* Requires appropriate skills/knowledge to use, configure, and interpret results (despite “point and click” vendor marketing claims). <br />
* Requires extensive configuration and customization to emulate a user session.<br />
* Limited ability to correlate events and correlate minor issues that may lead to larger exposure. <br />
* Inability to adapt to dynamic responses in business logic flows.<br />
* Unable to find vulnerabilities that only become apparent after performing a sequence of steps (e.g., business logic flow bypass, session state compromise, etc.).<br />
* Unable to figure out “how deep the rabbit hole goes” – No means to interpret security implications, express extent of potential compromise, or identify seriousness of business and information exposure. <br />
* Tools will often be confused by some aspect of an application's behavior, causing a particular class of test to generate a false positive. Because most tools lack intelligence and cannot adapt to such conditions, test results include a large number of identical false positives. <br />
** For valid findings, the tools will often find dozens or hundreds of nearly identical findings, each with the same root cause. <br />
* Tool based findings are only indications of problems. Manual review (by someone well versed in web application testing) is usually necessary to draw the necessary parallels between different findings, and determine which findings identify unique problems, and which represent repetition.<br />
<br />
Recommended use:<br />
* Handling routine, manually intensive steps (e.g., input validation, field “fuzzing”, etc.) in an assessment is useful, particularly in large applications. However, scanner-based results can be used as the starting point from which expert testing can take over.<br />
* Testing less critical applications (i.e., applications that do not contain/handle business sensitive data and/or are not critical to business operation) where the perceived lower risk does not warrant performing hands-on testing.<br />
* Testing critical applications as a prelude to expert testing or code reviews.<br />
<br />
If a tool is used, it is important to define the technical limitations of the tool when the findings are presented. An example of this may involve noting the potential for SQL injection attacks based upon verbose SQL error messages, but also the tool’s inability to produce the correct syntax needed to extract specific information from the vulnerable database. A failure to convey the differences between automated and expert testing increases the risk that the application assessment results will be interpreted (particularly by management) as being more “secure” than they actually are. <br />
<br />
<br />
<br />
<br />
==Manual Penetration Testing==<br />
<br />
Manual Penetration Testing involves application analysis performed by an experienced analyst, usually using a combination of open source automated utilities (either self created or through security community) for performing task-specific functions and hands-on analysis to attempt to further ‘hack’ the application as an attacker.<br />
<br />
''Advantages:''<br />
* Open source tools utilized by the expert tester are developed usually for specific purposes rather than wrapping multiple functionality into a GUI. Typically are one of many components in the testers toolkit.<br />
* “Expert testing” is an intuitive approach (Business logic analysis), with the ability to identify flaws in business logic that automated scanners are usually incapable of finding.<br />
* Addresses many of the disadvantages noted in Automated Testing.<br />
* Ability to correlate events and minor issues that may lead to larger exposure. This is a critical advantage of hands-on testing and simulates how a real attacker would operate. <br />
* Ability to communicate complex technical findings in a manner that all can understand. The job is not done until the assessment end-client understands the nature of the vulnerability discovered and its security implications. <br />
** The analysis phase of expert testing provides “root cause” identification and recommendations based upon the unique, developmental characteristics of an application. Results from an automated tool cannot provide customized, specific recommendations tailored for each application and the end-client’s requirements. <br />
<br />
''Disadvantages:''<br />
* Often confused with Automated Testing – Marketing of commercial tools uses terms such as “expert” and “intuitive”, normally associated with an assessment performed by an experienced analyst.<br />
* Inability of most end-client organizations to determine if tester has appropriate application security skills required. There are no community accepted credentials/certifications established for this area of security.<br />
* Cost to conduct will be higher though there is no upfront capital cost.<br />
* Without establishing clear metrics up front, ongoing testing to determine trends within business environment or iterations of application is difficult.<br />
<br />
Recommended use:<br />
* Testing critical applications (i.e., applications that do contain/handle business sensitive data and/or are critical to business operation) where the perceived higher risk does not warrant performing automated testing.<br />
* Best suited for B2B, B2C and/or any transactional based and/or multi-level access application.<br />
<br />
<br />
<br />
<br />
<br />
==Manual Application Security Code Review==<br />
<br />
Reviews the underlying foundational level to identify coding issues, which may create/enable an attacker to compromise an applications systems and/or business functionality. Web applications in particular are likely to have these vulnerabilities, as they are frequently developed quickly in an environment that does not allow for much security planning and testing. This should not be viewed as simply a generic software audit. Code reviews should be specifically tailored to find vulnerabilities common in applications. <br />
<br />
''Advantages:''<br />
* If integrated into application SDLC, coding issues can be resolved early in the development and functional testing process. (which is much less expensive to fix than a post-production revision of the code).<br />
* Provides the ability to identify and address serious coding issues (e.g., input validation, hard-coded credentials, debugging features, etc.) prior to production.<br />
* …<br />
<br />
''Disadvantages:''<br />
* …<br />
* If conducted solely by tools, results will be mostly static signature matching though some tools claim to walk codepath (follow nested loops and other regression through objects).<br />
* Even applications that exhibit strong and thorough software development practices (e.g., documentation, seamless modularity, string checking to prevent buffer overflows, etc.) can fall victim to attack if the underlying business logic doesn’t follow security requirements.<br />
* Requires specific programming expertise (e.g., Java, .NET, PHP, etc.) that many application testers do not have.<br />
<br />
Recommended use:<br />
* …<br />
<br />
<br />
<br />
==References/Sources==<br />
<br />
* Testing Taxonomy & Testing Tools Classification : http://www.owasp.org/index.php/Image:AppSec2005DC-Arian_Evans_Tools-Taxonomy.ppt<br />
<br />
<br />
<br />
[[Category:OWASP Application Security Assessment Standards Project]]<br />
{{Template:Stub}}</div>Manionchttps://wiki.owasp.org/index.php?title=Definition_for_Security_Assessment_Techniques&diff=10190Definition for Security Assessment Techniques2006-10-05T20:26:33Z<p>Manionc: /* Automated Security Code Scanning */</p>
<hr />
<div>==Overview==<br />
<br />
This article’s focus is to define, where practical, nomenclature and definitions of the differing security '''Assessment Techniques'''. Agreement and establishment of these definitions are foundational to establishing the '''Assessment Levels''' later within this project.<br />
<br />
==Techniques==<br />
<br />
The following assessment techniques are proposed:<br />
<br />
* Application Security Threat Assessment<br />
* Application Security Architecture Review<br />
* Automated Security Code Scanning (Tool Based Static Analysis)<br />
* Automated External Application Scanning (Tool Based) <br />
* Manual Penetration Testing (Security Test Specialist)<br />
* Manual Application Security Code Review (Software Security Specialist)<br />
<br />
NOTE: these should probably link to full articles on each subject<br />
<br />
<br />
==Application Security Threat Assessment==<br />
<br />
Analyzes application architectural information to develop a threat profile for the application components. <br />
<br />
* Identify the nature of the threats – the likely vulnerabilities of the given application and business.<br />
<br />
* Estimate the probability that those vulnerabilities might lead to a disruption and the type of impact – both expected and worst case – that might arise.<br />
<br />
* Analyze the different consequences and their likelihood of occurrence and determine which should be dealt with and what priority should be attached to mitigate.<br />
<br />
While the threats to each asset within the Application can be individually developed and mapped, a more efficient approach is to develop a master list of threat types and identify how these can be used to launch an attack on the Application and/or its components and potentially in turn the business itself. A single threat may exploit a vulnerability to damage different types of assets. Conversely, several threat types may exploit disparate vulnerabilities in order to attack a single critical asset. Given the many-to-many relationships between threats and assets, it is best to use a simple representation of threat to asset mapping by listing threat types by each critical asset identified.<br />
<br />
A threat assessment should categorize threat types and threat agents but should focus on malicious threats and will not cover accidental and natural threats. The source of Malicious Threats (the attacker or perpetrator, in this context) can be classified as unauthorized and authorized. Threat vectors and operating environment more fully define how and why a particular “user” falls into one of these categories:<br />
<br />
Unauthorized: <br />
* An attacker who does not have credentials to legitimately access the application<br />
<br />
Authorized:<br />
* A legitimate user of the application<br />
* A malicious insider<br />
* A previously unauthorized user who has gained authorized access through compromise of a valid account or user session<br />
<br />
While the threat agents may have similar intent, varying reasons for engaging in illegal activities motivates them. Some authorized employees may willfully commit fraud for financial gain or engage in sabotage in order to disrupt routine operations. Theft, vandalism, intentional corruptions and alteration of information are also categorized as malicious threats.<br />
<br />
''Advantages:''<br />
* Aids in focusing testing activities and defining true targets in large scale enterprise level applications.<br />
* By using results from a threat assessment, the end-client is able to focus assessment (testing) activities based on business requirements and operational reality. <br />
* Allows vulnerabilities discovered in other assessment types to be weighted and prioritized based on threat probability vs. raw vulnerability finding.<br />
<br />
''Disadvantages:''<br />
* Cannot guarantee that all possible security threats will be uncovered. <br />
* End-client must evaluate analysis and determine responses(s).<br />
* Requires existence of application architecture documentation.<br />
* Often confused with Risk Assessments, which weigh asset value, threat, and vulnerability in order to determine business risk. Threat assessments focus on identifying only the threat component (vector(s) and probability).<br />
<br />
Recommended use:<br />
* Best as a precursor to development activities allowing best use of security resources (i.e., “bake in” security during application development begets higher return on investment vs. “bolting on” application security fixes post production).<br />
* Best utilized to determine the need and extent for further assessment (testing) activities (e.g., automated testing, expert testing, code review, etc.).<br />
<br />
==Application Security Architecture Review==<br />
<br />
Typically a table-top design level review and analysis of the application to identify critical assets, sensitive data stores and business critical interconnections. The purpose of architecture reviews is to also aid in determining potential attack vectors, which could be used in testing. Thus many organizations will blend this activity with Threat Assessment. The review of the application and its interconnections should include both a network- and application-level evaluation. Evaluation should identify areas of potential and actual vulnerability from these levels. This includes areas of vulnerability in the network and application architecture, in addition to a high-level measure of risk of each of those areas.<br />
<br />
''Advantages:''<br />
* Aids in focusing testing activities and defining true targets in large scale enterprise level applications.<br />
* Provides more depth to the development rationale of various functionality in the application life cycle. <br />
* By using results from Architecture Review, the assessment (testing) team is able to follow development logic in the “how” and “why” business and security requirements were integrated into application behavior and security controls/constraints. <br />
<br />
''Disadvantages:''<br />
* Cannot guarantee identification of all possible security threats. <br />
* Because the scope of an architectural assessment is far more complex than the limited perspective of an application layer assessment, recommendations are similarly complex, sometimes involving “political” changes (i.e., security department’s level of involvement in the SDLC). <br />
* Requires on-site discussions with application principals.<br />
<br />
Recommended use:<br />
* Best as a precursor to development activities allowing best use of security dollars (i.e., incorporate security in beginning begets higher return on investment vs. fixing applications post production). <br />
* Best utilized to determine the need and extent for further assessment (testing) activities (e.g., automated testing, expert testing, code review, etc.).<br />
<br />
<br />
<br />
==Automated Security Code Scanning==<br />
<br />
Involves the use of one or more software tools to conduct automated [Static_code_analysis]<br />
<br />
''Advantages:''<br />
* <br />
<br />
''Disadvantages:''<br />
* <br />
<br />
Recommended use:<br />
*<br />
<br />
==Automated External Application Scanning==<br />
<br />
Utilizing automated open source or commercial software to discover known application layer vulnerabilities.<br />
<br />
''Advantages:''<br />
* Able to quickly identify default content, misconfigurations and error conditions resulting from improper input.<br />
* Ability to be run on automated, regular basis to provide baseline and ongoing vulnerability management metrics.<br />
* Can reduce the time required to assess large applications.<br />
* Lower cost to operate/execute (excluding initial capital cost if using commercial testing software).<br />
<br />
''Disadvantages:''<br />
* Not designed to determine the extent to which the vulnerabilities can be exploited to compromise the data the application handles.<br />
* Requires appropriate skills/knowledge to use, configure, and interpret results (despite “point and click” vendor marketing claims). <br />
* Requires extensive configuration and customization to emulate a user session.<br />
* Limited ability to correlate events and correlate minor issues that may lead to larger exposure. <br />
* Inability to adapt to dynamic responses in business logic flows.<br />
* Unable to find vulnerabilities that only become apparent after performing a sequence of steps (e.g., business logic flow bypass, session state compromise, etc.).<br />
* Unable to figure out “how deep the rabbit hole goes” – No means to interpret security implications, express extent of potential compromise, or identify seriousness of business and information exposure. <br />
* Tools will often be confused by some aspect of an application's behavior, causing a particular class of test to generate a false positive. Because most tools lack intelligence and cannot adapt to such conditions, test results include a large number of identical false positives. <br />
** For valid findings, the tools will often find dozens or hundreds of nearly identical findings, each with the same root cause. <br />
* Tool based findings are only indications of problems. Manual review (by someone well versed in web application testing) is usually necessary to draw the necessary parallels between different findings, and determine which findings identify unique problems, and which represent repetition.<br />
<br />
Recommended use:<br />
* Handling routine, manually intensive steps (e.g., input validation, field “fuzzing”, etc.) in an assessment is useful, particularly in large applications. However, scanner-based results can be used as the starting point from which expert testing can take over.<br />
* Testing less critical applications (i.e., applications that do not contain/handle business sensitive data and/or are not critical to business operation) where the perceived lower risk does not warrant performing hands-on testing.<br />
* Testing critical applications as a prelude to expert testing or code reviews.<br />
<br />
If a tool is used, it is important to define the technical limitations of the tool when the findings are presented. An example of this may involve noting the potential for SQL injection attacks based upon verbose SQL error messages, but also the tool’s inability to produce the correct syntax needed to extract specific information from the vulnerable database. A failure to convey the differences between automated and expert testing increases the risk that the application assessment results will be interpreted (particularly by management) as being more “secure” than they actually are. <br />
<br />
<br />
<br />
<br />
==Manual Penetration Testing==<br />
<br />
Manual Penetration Testing involves application analysis performed by an experienced analyst, usually using a combination of open source automated utilities (either self created or through security community) for performing task-specific functions and hands-on analysis to attempt to further ‘hack’ the application as an attacker.<br />
<br />
''Advantages:''<br />
* Open source tools utilized by the expert tester are developed usually for specific purposes rather than wrapping multiple functionality into a GUI. Typically are one of many components in the testers toolkit.<br />
* “Expert testing” is an intuitive approach (Business logic analysis), with the ability to identify flaws in business logic that automated scanners are usually incapable of finding.<br />
* Addresses many of the disadvantages noted in Automated Testing.<br />
* Ability to correlate events and minor issues that may lead to larger exposure. This is a critical advantage of hands-on testing and simulates how a real attacker would operate. <br />
* Ability to communicate complex technical findings in a manner that all can understand. The job is not done until the assessment end-client understands the nature of the vulnerability discovered and its security implications. <br />
** The analysis phase of expert testing provides “root cause” identification and recommendations based upon the unique, developmental characteristics of an application. Results from an automated tool cannot provide customized, specific recommendations tailored for each application and the end-client’s requirements. <br />
<br />
''Disadvantages:''<br />
* Often confused with Automated Testing – Marketing of commercial tools uses terms such as “expert” and “intuitive”, normally associated with an assessment performed by an experienced analyst.<br />
* Inability of most end-client organizations to determine if tester has appropriate application security skills required. There are no community accepted credentials/certifications established for this area of security.<br />
* Cost to conduct will be higher though there is no upfront capital cost.<br />
* Without establishing clear metrics up front, ongoing testing to determine trends within business environment or iterations of application is difficult.<br />
<br />
Recommended use:<br />
* Testing critical applications (i.e., applications that do contain/handle business sensitive data and/or are critical to business operation) where the perceived higher risk does not warrant performing automated testing.<br />
* Best suited for B2B, B2C and/or any transactional based and/or multi-level access application.<br />
<br />
<br />
<br />
<br />
<br />
==Manual Application Security Code Review==<br />
<br />
Reviews the underlying foundational level to identify coding issues, which may create/enable an attacker to compromise an applications systems and/or business functionality. Web applications in particular are likely to have these vulnerabilities, as they are frequently developed quickly in an environment that does not allow for much security planning and testing. This should not be viewed as simply a generic software audit. Code reviews should be specifically tailored to find vulnerabilities common in applications. <br />
<br />
''Advantages:''<br />
* If integrated into application SDLC, coding issues can be resolved early in the development and functional testing process. (which is much less expensive to fix than a post-production revision of the code).<br />
* Provides the ability to identify and address serious coding issues (e.g., input validation, hard-coded credentials, debugging features, etc.) prior to production.<br />
* …<br />
<br />
''Disadvantages:''<br />
* …<br />
* If conducted solely by tools, results will be mostly static signature matching though some tools claim to walk codepath (follow nested loops and other regression through objects).<br />
* Even applications that exhibit strong and thorough software development practices (e.g., documentation, seamless modularity, string checking to prevent buffer overflows, etc.) can fall victim to attack if the underlying business logic doesn’t follow security requirements.<br />
* Requires specific programming expertise (e.g., Java, .NET, PHP, etc.) that many application testers do not have.<br />
<br />
Recommended use:<br />
* …<br />
<br />
<br />
<br />
==References/Sources==<br />
<br />
* Testing Taxonomy & Testing Tools Classification : http://www.owasp.org/index.php/Image:AppSec2005DC-Arian_Evans_Tools-Taxonomy.ppt<br />
<br />
<br />
<br />
[[Category:OWASP Application Security Assessment Standards Project]]<br />
{{Template:Stub}}</div>Manionchttps://wiki.owasp.org/index.php?title=Blind_XPath_Injection&diff=9579Blind XPath Injection2006-09-08T20:27:31Z<p>Manionc: /* Blind XPath Injection */</p>
<hr />
<div>{{Template:Attack}}<br />
<br />
{{Template:Stub}}<br />
<br />
==Description==<br />
<br />
===About XPath===<br />
XPath is a sort of query language that describes how to locate specific elements (including attributes, processing instructions, etc.) in an XML document. Since it is a query language, XPath is somewhat similar to Structured Query Language (SQL). However, XPath can be used to reference almost any part of any XML document without access control restrictions, whereas with SQL, a "user" (which is a term undefined in the XPath/XML context) may be restricted to certain tables, columns or queries. [http://www.w3.org/TR/xpath]<br />
<br />
===Simple XPath Injection===<br />
Before you can understand what Blind XPath Injection is, you must first have a basic understanding of Simple XPath Injection. So, lets suppose an application includes the following ASP.NET and C# source code:<br />
...<br />
XmlDocument XmlDoc = new XmlDocument();<br />
XmlDoc.Load("...");<br />
...<br />
XPathNavigator nav = XmlDoc.CreateNavigator();<br />
XPathExpression expr = nav.Compile("string(//user[name/text()='"+UserID.Text+<br />
"' and password/text()='"+Password.Text+<br />
"']/account/text())");<br />
String account=Convert.ToString(nav.Evaluate(expr));<br />
if (account=="")<br />
{<br />
// Login failed - UserUD and password pair could not be found in the XML document <br />
...<br />
}<br />
else<br />
{<br />
// Login succeeded - UserID and Password validated<br />
...<br />
}<br />
<br />
Based on the way this sample code is written, an attacker could try to inject an XPath expression into the UserID text field. For example, the attacker could enter the following text into the UserID text field (just like with SQL injection):<br />
<br />
' or 1=1 or ''='<br />
<br />
If this entry is not handled properly by the application, then the application will return the first account number in the XML document. If that occurs, the attacker will be logged in as the first user listed in the XML document.<br />
<br />
===Blind XPath Injection===<br />
<br />
==Examples ==<br />
<br />
==Related Threats==<br />
<br />
==Related Attacks==<br />
<br />
==Related Vulnerabilities==<br />
<br />
==Related Countermeasures==<br />
<br />
[[Category:Attack]]</div>Manionchttps://wiki.owasp.org/index.php?title=Blind_XPath_Injection&diff=9578Blind XPath Injection2006-09-08T20:26:06Z<p>Manionc: /* Simple XPath Injection */</p>
<hr />
<div>{{Template:Attack}}<br />
<br />
{{Template:Stub}}<br />
<br />
==Description==<br />
<br />
===About XPath===<br />
XPath is a sort of query language that describes how to locate specific elements (including attributes, processing instructions, etc.) in an XML document. Since it is a query language, XPath is somewhat similar to Structured Query Language (SQL). However, XPath can be used to reference almost any part of any XML document without access control restrictions, whereas with SQL, a "user" (which is a term undefined in the XPath/XML context) may be restricted to certain tables, columns or queries. [http://www.w3.org/TR/xpath]<br />
<br />
===Simple XPath Injection===<br />
Before you can understand what Blind XPath Injection is, you must first have a basic understanding of Simple XPath Injection. So, lets suppose an application includes the following ASP.NET and C# source code:<br />
...<br />
XmlDocument XmlDoc = new XmlDocument();<br />
XmlDoc.Load("...");<br />
...<br />
XPathNavigator nav = XmlDoc.CreateNavigator();<br />
XPathExpression expr = nav.Compile("string(//user[name/text()='"+UserID.Text+<br />
"' and password/text()='"+Password.Text+<br />
"']/account/text())");<br />
String account=Convert.ToString(nav.Evaluate(expr));<br />
if (account=="")<br />
{<br />
// Login failed - UserUD and password pair could not be found in the XML document <br />
...<br />
}<br />
else<br />
{<br />
// Login succeeded - UserID and Password validated<br />
...<br />
}<br />
<br />
Based on the way this sample code is written, an attacker could try to inject an XPath expression into the UserID text field. For example, the attacker could enter the following text into the UserID text field (just like with SQL injection):<br />
<br />
' or 1=1 or ''='<br />
<br />
If this entry is not handled properly by the application, then the application will return the first account number in the XML document. If that occurs, the attacker will be logged in as the first user listed in the XML document.<br />
<br />
===Blind XPath Injection===<br />
Using Blind XPath Injection, an attacker can extract a complete XML document for XPath querying without prior knowledge of the query. The attacker can access the entire XML "database" used in the XPath query which can be powerful against sites that use XPath queries (and XML "databases") for authentication, searching and other uses.<br />
<br />
==Examples ==<br />
<br />
==Related Threats==<br />
<br />
==Related Attacks==<br />
<br />
==Related Vulnerabilities==<br />
<br />
==Related Countermeasures==<br />
<br />
[[Category:Attack]]</div>Manionchttps://wiki.owasp.org/index.php?title=Blind_XPath_Injection&diff=9577Blind XPath Injection2006-09-08T20:21:05Z<p>Manionc: /* Simple XPath Injection */</p>
<hr />
<div>{{Template:Attack}}<br />
<br />
{{Template:Stub}}<br />
<br />
==Description==<br />
<br />
===About XPath===<br />
XPath is a sort of query language that describes how to locate specific elements (including attributes, processing instructions, etc.) in an XML document. Since it is a query language, XPath is somewhat similar to Structured Query Language (SQL). However, XPath can be used to reference almost any part of any XML document without access control restrictions, whereas with SQL, a "user" (which is a term undefined in the XPath/XML context) may be restricted to certain tables, columns or queries. [http://www.w3.org/TR/xpath]<br />
<br />
===Simple XPath Injection===<br />
Suppose an application includes the following ASP.NET and C# source code:<br />
...<br />
XmlDocument XmlDoc = new XmlDocument();<br />
XmlDoc.Load("...");<br />
...<br />
XPathNavigator nav = XmlDoc.CreateNavigator();<br />
XPathExpression expr = nav.Compile("string(//user[name/text()='"+UserID.Text+<br />
"' and password/text()='"+Password.Text+<br />
"']/account/text())");<br />
String account=Convert.ToString(nav.Evaluate(expr));<br />
if (account=="")<br />
{<br />
// Login failed - UserUD and password pair could not be found in the XML document <br />
...<br />
}<br />
else<br />
{<br />
// Login succeeded - UserID and Password validated<br />
...<br />
}<br />
<br />
Based on the way this code is written, an attacker could easily inject an XPath expression into the UserID text field and then submit the query. For example, the attacker could enter the following text into the UserID field (just like with SQL injection):<br />
<br />
' or 1=1 or ''='<br />
<br />
If not handled properly by the application, this data entry will always returns the first account number in the XML document. Such an attack is called “Xpath Injection”, which is an basically the same as a “SQL injection” attack. This can result in having the attacker logged in (as the first user listed in the XML document), although the attacker did not provide any valid user name or password.<br />
<br />
===Blind XPath Injection===<br />
Using Blind XPath Injection, an attacker can extract a complete XML document for XPath querying without prior knowledge of the query. The attacker can access the entire XML "database" used in the XPath query which can be powerful against sites that use XPath queries (and XML "databases") for authentication, searching and other uses.<br />
<br />
==Examples ==<br />
<br />
==Related Threats==<br />
<br />
==Related Attacks==<br />
<br />
==Related Vulnerabilities==<br />
<br />
==Related Countermeasures==<br />
<br />
[[Category:Attack]]</div>Manionchttps://wiki.owasp.org/index.php?title=Blind_XPath_Injection&diff=9576Blind XPath Injection2006-09-08T20:17:08Z<p>Manionc: /* Simple XPath Injection */</p>
<hr />
<div>{{Template:Attack}}<br />
<br />
{{Template:Stub}}<br />
<br />
==Description==<br />
<br />
===About XPath===<br />
XPath is a sort of query language that describes how to locate specific elements (including attributes, processing instructions, etc.) in an XML document. Since it is a query language, XPath is somewhat similar to Structured Query Language (SQL). However, XPath can be used to reference almost any part of any XML document without access control restrictions, whereas with SQL, a "user" (which is a term undefined in the XPath/XML context) may be restricted to certain tables, columns or queries. [http://www.w3.org/TR/xpath]<br />
<br />
===Simple XPath Injection===<br />
Suppose an application includes the following ASP.NET and C# source code:<br />
<br />
...<br />
XmlDocument XmlDoc = new XmlDocument();<br />
XmlDoc.Load("...");<br />
...<br />
XPathNavigator nav = XmlDoc.CreateNavigator();<br />
XPathExpression expr =<br />
nav.Compile("string(//user[name/text()='"+UserID.Text+<br />
"' and password/text()='"+Password.Text+<br />
"']/account/text())");<br />
String account=Convert.ToString(nav.Evaluate(expr));<br />
if (account=="")<br />
{<br />
// Login failed - UserUD and password pair could not be found in the XML document <br />
...<br />
}<br />
else<br />
{<br />
// Login succeeded - UserID and Password validated<br />
...<br />
}<br />
<br />
Based on the way this code is written, an attacker could easily inject an XPath expression into the UserID text field and then submit the query. For example, the attacker could enter the following text into the UserID field (just like with SQL injection):<br />
<br />
' or 1=1 or ''='<br />
<br />
If not handled properly by the application, this data entry will always returns the first account number in the XML document. Such an attack is called “Xpath Injection”, which is an basically the same as a “SQL injection” attack. This can result in having the attacker logged in (as the first user listed in the XML document), although the attacker did not provide any valid user name or password.<br />
<br />
===Blind XPath Injection===<br />
Using Blind XPath Injection, an attacker can extract a complete XML document for XPath querying without prior knowledge of the query. The attacker can access the entire XML "database" used in the XPath query which can be powerful against sites that use XPath queries (and XML "databases") for authentication, searching and other uses.<br />
<br />
==Examples ==<br />
<br />
==Related Threats==<br />
<br />
==Related Attacks==<br />
<br />
==Related Vulnerabilities==<br />
<br />
==Related Countermeasures==<br />
<br />
[[Category:Attack]]</div>Manionchttps://wiki.owasp.org/index.php?title=Blind_XPath_Injection&diff=9575Blind XPath Injection2006-09-08T20:16:12Z<p>Manionc: </p>
<hr />
<div>{{Template:Attack}}<br />
<br />
{{Template:Stub}}<br />
<br />
==Description==<br />
<br />
===About XPath===<br />
XPath is a sort of query language that describes how to locate specific elements (including attributes, processing instructions, etc.) in an XML document. Since it is a query language, XPath is somewhat similar to Structured Query Language (SQL). However, XPath can be used to reference almost any part of any XML document without access control restrictions, whereas with SQL, a "user" (which is a term undefined in the XPath/XML context) may be restricted to certain tables, columns or queries. [http://www.w3.org/TR/xpath]<br />
<br />
===Simple XPath Injection===<br />
'''Example 1 (Using ASP.NET with C#):'''<br />
<br />
Suppose an application includes the following code:<br />
<br />
...<br />
XmlDocument XmlDoc = new XmlDocument();<br />
XmlDoc.Load("...");<br />
...<br />
XPathNavigator nav = XmlDoc.CreateNavigator();<br />
XPathExpression expr =<br />
nav.Compile("string(//user[name/text()='"+UserID.Text+<br />
"' and password/text()='"+Password.Text+<br />
"']/account/text())");<br />
String account=Convert.ToString(nav.Evaluate(expr));<br />
if (account=="")<br />
{<br />
// Login failed - UserUD and password pair could not be found in the XML document <br />
...<br />
}<br />
else<br />
{<br />
// Login succeeded - UserID and Password validated<br />
...<br />
}<br />
<br />
Based on the way this code is written, an attacker could easily inject an XPath expression into the UserID text field and then submit the query. For example, the attacker could enter the following text into the UserID field (just like with SQL injection):<br />
<br />
' or 1=1 or ''='<br />
<br />
If not handled properly by the application, this data entry will always returns the first account number in the XML document. Such an attack is called “Xpath Injection”, which is an basically the same as a “SQL injection” attack. This can result in having the attacker logged in (as the first user listed in the XML document), although the attacker did not provide any valid user name or password.<br />
<br />
===Blind XPath Injection===<br />
Using Blind XPath Injection, an attacker can extract a complete XML document for XPath querying without prior knowledge of the query. The attacker can access the entire XML "database" used in the XPath query which can be powerful against sites that use XPath queries (and XML "databases") for authentication, searching and other uses.<br />
<br />
==Examples ==<br />
<br />
==Related Threats==<br />
<br />
==Related Attacks==<br />
<br />
==Related Vulnerabilities==<br />
<br />
==Related Countermeasures==<br />
<br />
[[Category:Attack]]</div>Manionchttps://wiki.owasp.org/index.php?title=Blind_XPath_Injection&diff=9574Blind XPath Injection2006-09-08T20:14:57Z<p>Manionc: /* Examples */</p>
<hr />
<div>{{Template:Attack}}<br />
<br />
{{Template:Stub}}<br />
<br />
==Description==<br />
<br />
===About XPath===<br />
XPath is a sort of query language that describes how to locate specific elements (including attributes, processing instructions, etc.) in an XML document. Since it is a query language, XPath is somewhat similar to Structured Query Language (SQL). However, XPath can be used to reference almost any part of any XML document without access control restrictions, whereas with SQL, a "user" (which is a term undefined in the XPath/XML context) may be restricted to certain tables, columns or queries. [http://www.w3.org/TR/xpath]<br />
<br />
===Blind XPath Injection===<br />
Using Blind XPath Injection, an attacker can extract a complete XML document for XPath querying without prior knowledge of the query. The attacker can access the entire XML "database" used in the XPath query which can be powerful against sites that use XPath queries (and XML "databases") for authentication, searching and other uses.<br />
<br />
==Examples ==<br />
<br />
===Basic XPath Injection===<br />
'''Example 1 (Using ASP.NET with C#):'''<br />
<br />
Suppose an application includes the following code:<br />
<br />
...<br />
XmlDocument XmlDoc = new XmlDocument();<br />
XmlDoc.Load("...");<br />
...<br />
XPathNavigator nav = XmlDoc.CreateNavigator();<br />
XPathExpression expr =<br />
nav.Compile("string(//user[name/text()='"+UserID.Text+<br />
"' and password/text()='"+Password.Text+<br />
"']/account/text())");<br />
String account=Convert.ToString(nav.Evaluate(expr));<br />
if (account=="")<br />
{<br />
// Login failed - UserUD and password pair could not be found in the XML document <br />
...<br />
}<br />
else<br />
{<br />
// Login succeeded - UserID and Password validated<br />
...<br />
}<br />
<br />
Based on the way this code is written, an attacker could easily inject an XPath expression into the UserID text field and then submit the query. For example, the attacker could enter the following text into the UserID field (just like with SQL injection):<br />
<br />
' or 1=1 or ''='<br />
<br />
If not handled properly by the application, this data entry will always returns the first account number in the XML document. Such an attack is called “Xpath Injection”, which is an basically the same as a “SQL injection” attack. This can result in having the attacker logged in (as the first user listed in the XML document), although the attacker did not provide any valid user name or password.<br />
<br />
==Related Threats==<br />
<br />
==Related Attacks==<br />
<br />
==Related Vulnerabilities==<br />
<br />
==Related Countermeasures==<br />
<br />
[[Category:Attack]]</div>Manionchttps://wiki.owasp.org/index.php?title=Blind_XPath_Injection&diff=9569Blind XPath Injection2006-09-08T20:00:53Z<p>Manionc: /* Description */</p>
<hr />
<div>{{Template:Attack}}<br />
<br />
{{Template:Stub}}<br />
<br />
==Description==<br />
<br />
===About XPath===<br />
XPath is a sort of query language that describes how to locate specific elements (including attributes, processing instructions, etc.) in an XML document. Since it is a query language, XPath is somewhat similar to Structured Query Language (SQL). However, XPath can be used to reference almost any part of any XML document without access control restrictions, whereas with SQL, a "user" (which is a term undefined in the XPath/XML context) may be restricted to certain tables, columns or queries. [http://www.w3.org/TR/xpath]<br />
<br />
===Blind XPath Injection===<br />
Using Blind XPath Injection, an attacker can extract a complete XML document for XPath querying without prior knowledge of the query. The attacker can access the entire XML "database" used in the XPath query which can be powerful against sites that use XPath queries (and XML "databases") for authentication, searching and other uses.<br />
<br />
==Examples ==<br />
<br />
==Related Threats==<br />
<br />
==Related Attacks==<br />
<br />
==Related Vulnerabilities==<br />
<br />
==Related Countermeasures==<br />
<br />
[[Category:Attack]]</div>Manionc