Friday, October 2, 2015

Steps in conducting Web Pen Testing

1. Check the versions of the OS and middleware (web server, web application engine, database, framework, etc.) in use
  • If a version in use has reached end of life (EOL), report it to the client as soon as possible, and before they plan to release the website. Make clear that further vulnerabilities found in that version will not be patched by the vendor, and recommend upgrading to a supported version.
  • Check whether there are known high-severity vulnerabilities for the versions in use, and whether the web application is actually affected by them (exposed component, reachable code path). If the client insists on keeping the EOL software/product, they need to apply whatever patches or workarounds exist for those vulnerabilities.
2. Check for generally known vulnerabilities, e.g.
  • SQL injection
  • Command injection
  • XSS
  • Open redirect
  • Session ID carried in the URL (URL rewriting instead of a session cookie)
  • User IDs that can be enumerated, and password hashes that can be cracked with dictionary or rainbow-table attacks (weak or unsalted hashing)
  • Logins that can be brute-forced (no account lockout, no rate limiting, etc.)
  • Users being allowed to set easily guessed passwords
  • Session ID cookie set without the Secure (and HttpOnly) flags
  • No logout function, or a logout that does not invalidate the session on the server
  • Credit card information not handled properly
  • Source code or internal information not removed before release, or disclosed in error messages, etc.
Things to consider:
  • Even when the page returns an error after we manipulate a parameter, error handling is sometimes incomplete: the manipulated value may remain in the session without being cleared, or may already have been written to the database, etc. Check the application state after the error, not just the error response.
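Two of the checklist items above (a session ID rewritten into the URL, and a session cookie issued without the Secure/HttpOnly flags) are easy to verify from a captured response. The checker below is an added example, not code from the original post; the response headers it audits are constructed for the example, and the list of session parameter names is an assumption to be extended per target.

```python
"""Added example (not part of the original post): a small checker for two of
the checklist items above, a session ID rewritten into the URL and a session
cookie issued without the Secure/HttpOnly flags. The response headers it
audits are constructed for this example, not captured from a real site."""
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Names commonly used for session identifiers (assumed list; extend per target)
SESSION_PARAM_NAMES = {"jsessionid", "phpsessid", "sessionid", "sid", "asp.net_sessionid"}


def session_ids_in_url(url):
    """Return session-like parameter names found in the query string or in a
    servlet-style path parameter such as /cart;jsessionid=ABC."""
    parts = urlsplit(url)
    # urlsplit keeps ';name=value' path parameters inside .path; split them off
    path_params = [kv.split("=", 1)[0] for kv in parts.path.split(";")[1:] if "=" in kv]
    candidates = path_params + list(parse_qs(parts.query, keep_blank_values=True))
    return [name for name in candidates if name.lower() in SESSION_PARAM_NAMES]


def check_set_cookie(header_value, https=True):
    """Return findings for one Set-Cookie header value. Non-session cookies
    are ignored; the Secure flag is only required on an https site."""
    cookie = SimpleCookie()
    cookie.load(header_value)
    findings = []
    for name, morsel in cookie.items():
        if name.lower() not in SESSION_PARAM_NAMES:
            continue
        if https and not morsel["secure"]:
            findings.append(f"{name}: session cookie missing Secure flag")
        if not morsel["httponly"]:
            findings.append(f"{name}: session cookie missing HttpOnly flag")
    return findings


def audit_headers(headers, https=True):
    """Run both checks over a list of (name, value) response header pairs."""
    findings = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            findings.extend(check_set_cookie(value, https))
        elif name.lower() == "location":
            for param in session_ids_in_url(value):
                findings.append(f"Location: session ID '{param}' exposed in URL")
    return findings


# Constructed response headers from a hypothetical target, not a real capture
SAMPLE_HEADERS = [
    ("Set-Cookie", "JSESSIONID=5F3A2C1D9E; Path=/"),
    ("Set-Cookie", "theme=dark; Path=/; Secure"),
    ("Location", "https://shop.example/cart;jsessionid=5F3A2C1D9E?item=42"),
]

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS):
        print(finding)
```

Run it against the headers of the login response and of any redirect that follows it; a session ID that appears in a Location header or in links on the page will end up in proxy logs, browser history and Referer headers, which is the point of the "URL rewriting" item above.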

Dos and Don'ts in Developing E-commerce Sites

Things to do:
1. Handling E-Commerce Payment
Ref: https://www.owasp.org/index.php/Handling_E-Commerce_Payments
Best practices that comply with the Payment Card Industry Data Security Standard (PCI DSS) are explained in the link above.

PCI compliance goals (the six PCI DSS control objectives):
  • Build and maintain a secure network
  • Protect Cardholder Data
  • Maintain a Vulnerability Management Program
  • Implement Strong Access Control Measures
  • Regularly Monitor and Test Networks
  • Maintain an Information Security Policy


Things to avoid:
1. Unvalidated Redirects and Forwards
Ref:
https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet

Safe use of redirects and forwards can be achieved in a number of ways:
  • Simply avoid using redirects and forwards.
  • If they are used, do not take the destination URL from user input. This is usually possible. If it is not, you need a method to validate the URL.
  • If user input can't be avoided, ensure that the supplied value is valid, appropriate for the application, and authorized for the user.
  • It is recommended that any such destination input be mapped to a value (a short key), rather than the actual URL or a portion of it, and that server-side code translate this value to the target URL.
  • Validate input against an allowlist of trusted URLs (a list of hosts, or a regex). Exact host matching is safer than a regex, which is easy to get wrong.
  • Force all redirects to first go through a page notifying users that they are leaving your site, and have them click a link to confirm.
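The two mitigations that matter most in practice are the key-to-URL mapping and the allowlist check. Below is an added example of both, written for this post and not taken from the OWASP cheat sheet or any real application; the hosts, routes and base URL are assumptions. The allowlist check also rejects the usual bypasses that a naive "starts with our domain" or regex check lets through.

```python
"""Added example (not from the original post or the OWASP cheat sheet): the
two mitigations recommended above, a destination key mapped server-side to
a URL, and an allowlist check for cases where a URL must be accepted. The
hosts and routes are assumptions for this example."""
from urllib.parse import urljoin, urlsplit

# Assumed allowlist: the shop's own host and its payment provider
ALLOWED_HOSTS = {"shop.example", "pay.example"}
BASE_URL = "https://shop.example/"

# Preferred approach: the client sends a short key, never a URL
DESTINATIONS = {
    "home": "/",
    "account": "/account",
    "checkout": "https://pay.example/checkout",
}


def redirect_for_key(key):
    """Map a destination key to a URL; unknown keys fall back to the home page."""
    return DESTINATIONS.get(key, DESTINATIONS["home"])


def is_safe_redirect(url):
    """Return the absolute URL to redirect to if it is on an allowed https
    host, otherwise None. Handles the usual allowlist bypasses: scheme-relative
    '//evil', backslash variants, userinfo tricks, non-http schemes and
    header-injection characters."""
    if not isinstance(url, str) or any(c in url for c in "\r\n\x00"):
        return None
    # '//evil.example' and '/\evil.example' resolve to another host in browsers
    if url.startswith(("//", "/\\", "\\")):
        return None
    absolute = urljoin(BASE_URL, url)
    parts = urlsplit(absolute)
    if parts.scheme != "https":
        return None
    # hostname is lower-cased and stripped of port and userinfo; exact match only,
    # so 'shop.example.evil.example' and 'shop.example@evil.example' both fail
    if parts.hostname not in ALLOWED_HOSTS:
        return None
    return absolute


def choose_redirect(dest_key=None, next_url=None):
    """What a login handler would do: prefer the key, validate any raw URL,
    and fall back to the home page rather than follow untrusted input."""
    if dest_key is not None:
        return redirect_for_key(dest_key)
    if next_url is not None:
        safe = is_safe_redirect(next_url)
        if safe is not None:
            return safe
    return redirect_for_key("home")
```

Note that the fallback on rejection is a redirect to a known page, not an error: returning the rejected URL in an error message gives an attacker a reflected string to work with. The "prefer the key" order also means an existing `next=` parameter can be phased out without breaking links while the key-based form is rolled out.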