This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Testing for configuration management"

From OWASP
Jump to: navigation, search
m (Amend Configuration and Deployment Management links)
Line 1: Line 1:
 
{{Template:OWASP Testing Guide v4}}
 
{{Template:OWASP Testing Guide v4}}
  
''' 4.3 Testing for configuration management '''
+
''' 4.3 Testing for Configuration and Deployment management '''
 
----
 
----
  
Testing for configuration management includes the following sections: <br>
+
Understanding the deployed configuration of the server hosting the web application is almost as important as the application security testing itself. After all, an application chain is only as strong as its weakest link. Application platforms are wide and varied, but some key platform configuration errors can compromise the application in the same way an unsecured application can compromise the server.
  
[[Testing for infrastructure configuration management (OWASP-CM-003)|4.3.1 Test Network and Infrastructure Configuration (OTG-CONFIG-001) ]]
+
In order to evaluate the readiness of the application platform, testing for configuration management includes the following sections: <br>
  
[[Testing for application configuration management (OWASP-CM-004)|4.3.2 Test Application Platform Configuration (OTG-CONFIG-002) ]]
+
[[Test Network/Infrastructure Configuration (OTG-CONFIG-001)|4.3.1 Test Network/Infrastructure Configuration (OTG-CONFIG-001) ]]  
  
[[Testing for file extensions handling  (OWASP-CM-005)|4.3.3 Test File Extensions Handling for Sensitive Information (OTG-CONFIG-003) ]]
+
[[Test Application Platform Configuration (OTG-CONFIG-002)|4.3.2 Test Application Platform Configuration (OTG-CONFIG-002) ]]
  
[[Review Old, Backup and Unreferenced Files for Sensitive Information (OTG-CONFIG-004)|4.3.4 Review Old, Backup and Unreferenced Files for Sensitive Information (OTG-CONFIG-004) ]]
+
[[Test File Extensions Handling for Sensitive Information (OTG-CONFIG-003)|4.3.3 Test File Extensions Handling for Sensitive Information (OTG-CONFIG-003) ]]  
  
[[Testing for Admin Interfaces  (OWASP-CM-007)|4.3.5 Enumerate Infrastructure and Application Admin Interfaces (OTG-CONFIG-005) ]]
+
[[Review Old, Backup and Unreferenced Files for Sensitive Information (OTG-CONFIG-004)|4.3.4 Review Old, Backup and Unreferenced Files for Sensitive Information (OTG-CONFIG-004) ]]  
  
[[Testing for HTTP Methods and XST  (OWASP-CM-008)|4.3.6 Test HTTP Methods (OTG-CONFIG-006) ]]
+
[[Enumerate Infrastructure and Application Admin Interfaces (OTG-CONFIG-005)|4.3.5 Enumerate Infrastructure and Application Admin Interfaces (OTG-CONFIG-005) ]]  
  
[[Testing for Missing HSTS header|4.3.7 Test HTTP Strict Transport Security (OTG-CONFIG-009) ]]
+
[[Test HTTP Methods (OTG-CONFIG-006)|4.3.6 Test HTTP Methods (OTG-CONFIG-006) ]]  
  
[[Testing for RIA policy files weakness|4.3.8 Test RIA cross domain policy (OTG-CONFIG-011) ]]
+
[[Test HTTP Strict Transport Security (OTG-CONFIG-009)|4.3.7 Test HTTP Strict Transport Security (OTG-CONFIG-009) ]]
 +
 
 +
[[Test RIA cross domain policy (OTG-CONFIG-011)|4.3.8 Test RIA cross domain policy (OTG-CONFIG-011) ]]

Revision as of 13:56, 5 August 2014

This article is part of the new OWASP Testing Guide v4.
Back to the OWASP Testing Guide v4 ToC: https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents Back to the OWASP Testing Guide Project: https://www.owasp.org/index.php/OWASP_Testing_Project


4.3 Testing for Configuration and Deployment management


Understanding the deployed configuration of the server hosting the web application is almost as important as the application security testing itself. After all, an application chain is only as strong as its weakest link. Application platforms are wide and varied, but some key platform configuration errors can compromise the application in the same way an unsecured application can compromise the server.

In order to evaluate the readiness of the application platform, testing for configuration management includes the following sections:

4.3.1 Test Network/Infrastructure Configuration (OTG-CONFIG-001)

4.3.2 Test Application Platform Configuration (OTG-CONFIG-002)

4.3.3 Test File Extensions Handling for Sensitive Information (OTG-CONFIG-003)

4.3.4 Review Old, Backup and Unreferenced Files for Sensitive Information (OTG-CONFIG-004)

4.3.5 Enumerate Infrastructure and Application Admin Interfaces (OTG-CONFIG-005)

4.3.6 Test HTTP Methods (OTG-CONFIG-006)

4.3.7 Test HTTP Strict Transport Security (OTG-CONFIG-009)

4.3.8 Test RIA cross domain policy (OTG-CONFIG-011)