This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Testing for configuration management"

From OWASP
Jump to: navigation, search
(New page: Often analysis of the infrastructure and topology architecture can reveal a great deal about a web application. Information such as source code, HTTP methods permitted, administrative func...)
 
(Added item 4.3.9 was, which was missing.)
 
(28 intermediate revisions by 5 users not shown)
Line 1: Line 1:
Often analysis of the infrastructure and topology architecture can reveal a great deal about a web application. Information such as source code, HTTP methods permitted, administrative functionality, authentication methods and infrastructural configurations can be obtained.<br>
+
{{Template:OWASP Testing Guide v4}}
  
[[Testing for SSL-TLS|4.3.1 SSL/TLS Testing]]
+
''' 4.3 Testing for Configuration and Deployment management '''
 +
----
  
SSL and TLS are two protocols that provide, with the support of cryptography, secure channels for the protection, confidentiality, and authentication of the information being transmitted.<br>
+
Understanding the deployed configuration of the server hosting the web application is almost as important as the application security testing itself. After all, an application chain is only as strong as its weakest link. Application platforms are wide and varied, but some key platform configuration errors can compromise the application in the same way an unsecured application can compromise the server.
Considering the criticality of these security implementations, it is important to verify the usage of a strong cipher algorithm and its proper implementation.
 
  
[[Testing for DB Listener|4.3.2 DB Listener Testing]]
+
In order to evaluate the readiness of the application platform, testing for configuration management includes the following sections: <br>
  
During the configuration of a database server, many DB administrators do not adequately consider the security of the DB listener component. The listener could reveal sensitive data as well as configuration settings or running database instances if insecurely configured and probed with manual or automated techniques. Information revealed will often be useful to a tester serving as input to more impacting follow-on tests.
+
[[Test Network/Infrastructure Configuration (OTG-CONFIG-001)|4.3.1 Test Network/Infrastructure Configuration (OTG-CONFIG-001)]]
  
[[Testing for application configuration management|4.3.3 Application Configuration Management Testing]]
+
[[Test Application Platform Configuration (OTG-CONFIG-002)|4.3.2 Test Application Platform Configuration (OTG-CONFIG-002)]]
  
Web applications hide some information that is usually not considered during the development or configuration of the application itself.<br>
+
[[Test File Extensions Handling for Sensitive Information (OTG-CONFIG-003)|4.3.3 Test File Extensions Handling for Sensitive Information (OTG-CONFIG-003)]]
This data can be discovered in the source code, in the log files or in the default error codes of the web servers. A correct approach to this topic is fundamental during a security assessment.
 
  
[[Testing for misconfiguration|4.3.4 Testing for misconfiguration]]
+
[[Review Old, Backup and Unreferenced Files for Sensitive Information (OTG-CONFIG-004)|4.3.4 Review Old, Backup and Unreferenced Files for Sensitive Information (OTG-CONFIG-004)]]  
  
 +
[[Enumerate Infrastructure and Application Admin Interfaces (OTG-CONFIG-005)|4.3.5 Enumerate Infrastructure and Application Admin Interfaces (OTG-CONFIG-005)]]
  
[[Testing for file extensions handling|4.3.5 Testing for File Extensions Handling]]
+
[[Test HTTP Methods (OTG-CONFIG-006)|4.3.6 Test HTTP Methods (OTG-CONFIG-006)]]  
  
The file extensions present in a web server or a web application make it possible to identify the technologies which compose the target application, e.g. jsp and asp extensions. File extensions can also expose additional systems connected to the application.
+
[[Test HTTP Strict Transport Security (OTG-CONFIG-007)|4.3.7 Test HTTP Strict Transport Security (OTG-CONFIG-007)]]
  
[[Testing for old_file|4.3.6 Old, Backup and Unreferenced Files]]
+
[[Test RIA cross domain policy (OTG-CONFIG-008)|4.3.8 Test RIA cross domain policy (OTG-CONFIG-008)]]
  
Redundant, readable and downloadable files on a web server, such as old, backup and renamed files, are a big source of information leakage. It is necessary to verify the presence of these files because they may contain parts of source code, installation paths as well as passwords for applications and/or databases.
+
[[Test File Permission (OTG-CONFIG-009)|4.3.9 Test File Permission (OTG-CONFIG-009)]]
 
 
 
 
[[Testing_for_Admin_Interfaces|4.3.7 Infrastructure and Application Admin Interfaces]]
 
 
 
[[Testing for HTTP Methods and XST|4.3.8 Testing for HTTP Methods and XST]]
 

Latest revision as of 19:27, 9 June 2019

This article is part of the new OWASP Testing Guide v4.
Back to the OWASP Testing Guide v4 ToC: https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents Back to the OWASP Testing Guide Project: https://www.owasp.org/index.php/OWASP_Testing_Project


4.3 Testing for Configuration and Deployment management


Understanding the deployed configuration of the server hosting the web application is almost as important as the application security testing itself. After all, an application chain is only as strong as its weakest link. Application platforms are wide and varied, but some key platform configuration errors can compromise the application in the same way an unsecured application can compromise the server.

In order to evaluate the readiness of the application platform, testing for configuration management includes the following sections:

4.3.1 Test Network/Infrastructure Configuration (OTG-CONFIG-001)

4.3.2 Test Application Platform Configuration (OTG-CONFIG-002)

4.3.3 Test File Extensions Handling for Sensitive Information (OTG-CONFIG-003)

4.3.4 Review Old, Backup and Unreferenced Files for Sensitive Information (OTG-CONFIG-004)

4.3.5 Enumerate Infrastructure and Application Admin Interfaces (OTG-CONFIG-005)

4.3.6 Test HTTP Methods (OTG-CONFIG-006)

4.3.7 Test HTTP Strict Transport Security (OTG-CONFIG-007)

4.3.8 Test RIA cross domain policy (OTG-CONFIG-008)

4.3.9 Test File Permission (OTG-CONFIG-009)