This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Testing for configuration management"
m |
(Added item 4.3.9 was, which was missing.) (Tag: Visual edit) |
||
| (7 intermediate revisions by 3 users not shown) | |||
| Line 1: | Line 1: | ||
{{Template:OWASP Testing Guide v4}} | {{Template:OWASP Testing Guide v4}} | ||
| − | ''' 4.3 Testing for | + | ''' 4.3 Testing for Configuration and Deployment management ''' |
---- | ---- | ||
| − | + | Understanding the deployed configuration of the server hosting the web application is almost as important as the application security testing itself. After all, an application chain is only as strong as its weakest link. Application platforms are wide and varied, but some key platform configuration errors can compromise the application in the same way an unsecured application can compromise the server. | |
| − | + | In order to evaluate the readiness of the application platform, testing for configuration management includes the following sections: <br> | |
| − | [[ | + | [[Test Network/Infrastructure Configuration (OTG-CONFIG-001)|4.3.1 Test Network/Infrastructure Configuration (OTG-CONFIG-001)]] |
| − | [[ | + | [[Test Application Platform Configuration (OTG-CONFIG-002)|4.3.2 Test Application Platform Configuration (OTG-CONFIG-002)]] |
| − | [[ | + | [[Test File Extensions Handling for Sensitive Information (OTG-CONFIG-003)|4.3.3 Test File Extensions Handling for Sensitive Information (OTG-CONFIG-003)]] |
| − | [[ | + | [[Review Old, Backup and Unreferenced Files for Sensitive Information (OTG-CONFIG-004)|4.3.4 Review Old, Backup and Unreferenced Files for Sensitive Information (OTG-CONFIG-004)]] |
| − | [[ | + | [[Enumerate Infrastructure and Application Admin Interfaces (OTG-CONFIG-005)|4.3.5 Enumerate Infrastructure and Application Admin Interfaces (OTG-CONFIG-005)]] |
| − | [[ | + | [[Test HTTP Methods (OTG-CONFIG-006)|4.3.6 Test HTTP Methods (OTG-CONFIG-006)]] |
| − | [[ | + | [[Test HTTP Strict Transport Security (OTG-CONFIG-007)|4.3.7 Test HTTP Strict Transport Security (OTG-CONFIG-007)]] |
| + | |||
| + | [[Test RIA cross domain policy (OTG-CONFIG-008)|4.3.8 Test RIA cross domain policy (OTG-CONFIG-008)]] | ||
| + | |||
| + | [[Test File Permission (OTG-CONFIG-009)|4.3.9 Test File Permission (OTG-CONFIG-009)]] | ||
Latest revision as of 19:27, 9 June 2019
This article is part of the new OWASP Testing Guide v4.
Back to the OWASP Testing Guide v4 ToC: https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents Back to the OWASP Testing Guide Project: https://www.owasp.org/index.php/OWASP_Testing_Project
4.3 Testing for Configuration and Deployment management
Understanding the deployed configuration of the server hosting the web application is almost as important as the application security testing itself. After all, an application chain is only as strong as its weakest link. Application platforms are wide and varied, but some key platform configuration errors can compromise the application in the same way an unsecured application can compromise the server.
In order to evaluate the readiness of the application platform, testing for configuration management includes the following sections:
4.3.1 Test Network/Infrastructure Configuration (OTG-CONFIG-001)
4.3.2 Test Application Platform Configuration (OTG-CONFIG-002)
4.3.3 Test File Extensions Handling for Sensitive Information (OTG-CONFIG-003)
4.3.4 Review Old, Backup and Unreferenced Files for Sensitive Information (OTG-CONFIG-004)
4.3.5 Enumerate Infrastructure and Application Admin Interfaces (OTG-CONFIG-005)
4.3.6 Test HTTP Methods (OTG-CONFIG-006)
4.3.7 Test HTTP Strict Transport Security (OTG-CONFIG-007)
