
Difference between revisions of "4.12.1 Test Business Logic Data Validation (OTG-BUSLOGIC-001)"

From OWASP
(Created page with "== Brief Description == The application must ensure that only valid data can be entered at the front end as well as directly to the server side. Only verifying data on the fr...")
 

Revision as of 15:52, 11 October 2013

Brief Description

The application must ensure that only valid data can be entered at the front end as well as submitted directly to the server side. Verifying data only on the front end may leave the application vulnerable to injection attacks against the server, since a proxy can be used to submit values the front end would have rejected.

Issue

Both the front end and the back end of the application should verify and validate that the data they hold, use, and pass along is valid.

Example

NEED

Testing Method

• Perform front end GUI testing to ensure that only acceptable values are accepted.
• Using an intercepting proxy, observe the HTTP POST/GET requests, looking for the place where variables such as cost and quality are passed.
• Once the variables are found, start interrogating each field with negative and extra-large values, testing that the server functions properly and does not accept them.
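The server-side check this test looks for, as an added example that is not part of the OWASP page: a validator for the raw cost and quantity parameters of an order request, plus a helper that replays the negative and extra-large values from the steps above and reports which ones the server wrongly accepts. The field names, business limits, and tampered request bodies are constructed for the example.

```python
# Added example, not from the OWASP wiki page. Field names and limits are assumptions.
from decimal import Decimal, InvalidOperation

MAX_QUANTITY = 1000                 # assumed business limit on items per order
MAX_UNIT_COST = Decimal("100000")   # assumed business limit on unit cost


def validate_order(params: dict) -> dict:
    """Validate raw string parameters exactly as they arrive in a POST body.
    Front-end checks are never trusted: every rule is re-applied here.
    Returns {"ok": True, "quantity", "cost", "total"} or {"ok": False, "errors"}."""
    errors = []
    qty_raw = params.get("quantity", "")
    cost_raw = params.get("cost", "")
    quantity = cost = None

    # quantity: ASCII digits only (rejects signs, decimals, Unicode digits), 1..MAX_QUANTITY
    if not (isinstance(qty_raw, str) and qty_raw.isascii() and qty_raw.isdigit()):
        errors.append("quantity must be a positive integer")
    else:
        quantity = int(qty_raw)
        if not 1 <= quantity <= MAX_QUANTITY:
            errors.append("quantity out of range")

    # cost: finite decimal, > 0, <= MAX_UNIT_COST, at most two decimal places
    try:
        cost = Decimal(cost_raw)
        if not cost.is_finite() or cost <= 0 or cost > MAX_UNIT_COST:
            errors.append("cost out of range")
        elif cost.as_tuple().exponent < -2:
            errors.append("cost has too many decimal places")
    except (InvalidOperation, TypeError):
        errors.append("cost must be a decimal number")

    if errors:
        return {"ok": False, "errors": errors}
    return {"ok": True, "quantity": quantity, "cost": cost, "total": cost * quantity}


# Constructed request bodies of the kind one would submit through an intercepting proxy.
TAMPERED_CASES = {
    "negative_quantity": {"quantity": "-5", "cost": "19.99"},
    "negative_cost": {"quantity": "2", "cost": "-19.99"},
    "huge_quantity": {"quantity": "99999999999999999999", "cost": "19.99"},
    "huge_cost": {"quantity": "1", "cost": "1e308"},
    "nan_cost": {"quantity": "1", "cost": "NaN"},
    "non_numeric_cost": {"quantity": "1", "cost": "19.99abc"},
}


def find_accepted_tampering(validator) -> list:
    """Replay each tampered body against the server-side validator and return the
    names of the cases it wrongly accepts; an empty list means the test passes."""
    return [name for name, body in TAMPERED_CASES.items() if validator(body)["ok"]]
```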

Test Tools

OWASP Zed Attack Proxy (ZAP) - https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

ZAP is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

Related Test Cases

TBD once the section is complete

References

Remediation