Owasp Methodology PDF

Title Owasp Methodology
Course Cyber Security Capstone
Institution Southern New Hampshire University
Pages 5
File Size 148.3 KB
File Type PDF
Total Downloads 63
Total Views 151

Summary

OWASP is an active community, which makes this methodology one of the best maintained, most comprehensive and most up to date. Currently there are many pentest projects that include some form of web application. Therefore, the OWASP Testing Guide is one of the methodologies that everyone should be familiar with and take advantage of when needed.


Description

OWASP Penetration Testing

A penetration test, also known as a pen test, is a simulated cyber-attack against a computer system that checks for exploitable vulnerabilities. A pen test may involve attempted breaches of application components such as application protocol interfaces, backend servers and frontend servers in order to uncover vulnerabilities. Those vulnerabilities include unsanitized inputs that are susceptible to code injection attacks. Insights from a penetration test are used to fine-tune WAF security policies and to patch the vulnerabilities detected (Imperva, 2019). A pen test is divided into different stages.

Planning and reconnaissance is the first stage; it involves defining the scope and goals of the test, including the testing methods and the systems to be addressed. The scanning stage aims to understand how the target application responds to various intrusion attempts. Scanning is usually done through static and dynamic analysis: in static analysis, an application's code is inspected to estimate how it will behave while running; in dynamic analysis, the application's code is inspected in a running state. The gaining-access stage uses web application attacks such as SQL injection, cross-site scripting and backdoors to uncover the target's vulnerabilities.

Southern New Hampshire University

Page 1

Testers will then try to exploit these vulnerabilities by escalating privileges, intercepting traffic, stealing data, etc., in order to understand the damage they can cause. Maintaining access is the stage that assesses whether the vulnerability can be used to achieve a persistent presence in the exploited system, long enough for a malicious actor to gain in-depth access. In the analysis stage, the results of the pen test are compiled into a report. This report indicates the specific vulnerabilities exploited, the sensitive data accessed, and the amount of time the pen tester persisted undetected in the system (Imperva, 2019). A penetration testing methodology is essential to the success of the ethical hacking techniques that help professionals evaluate information security measures. Methodologies are guidelines on how a test is carried out; they ensure that a thorough test is done. The Open Web Application Security Project (OWASP) methodology is a penetration testing methodology that concentrates on the core testing phases of web application security testing. OWASP web pen testing is based on a black-box approach. The OWASP testing methodology divides the test into passive and active modes. In the passive mode, the testers try to understand the logic of the application. Tools such as an HTTP proxy are used to gather information by observing all HTTP requests and responses. By the end of this phase the testers understand all the access points of the application. The active mode has nine sub-categories consisting of 66 controls (Dewhurst Security, 2010). Those categories include:

- Configuration Management Testing
- Authentication Testing
- Session Management Testing
- Denial of Service Testing
- Business Logic Testing
- Data Validation Testing
- Ajax Testing
- Authorization Testing
- Web Services Testing
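As an added example (not from the paper or the sources it cites), the following Python script shows what the passive mode described above produces: it reads a capture of requests and responses of the kind an intercepting HTTP proxy records while a tester browses the application, builds the inventory of access points and the input names each accepts, and sorts those endpoints into the Testing Guide phases they invite. The capture, the hostname and the function names are constructed for this illustration.

```python
"""Passive-mode access-point mapping from an HTTP proxy capture (added example)."""
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed capture: (method, url, response status, request body).
# It imitates a proxy log from a short browsing session; no real site is involved.
CAPTURE = [
    ("GET", "https://app.example/login", 200, ""),
    ("POST", "https://app.example/login", 302, "username=alice&password=secret"),
    ("GET", "https://app.example/account?tab=profile", 200, ""),
    ("GET", "https://app.example/account?tab=billing", 200, ""),
    ("POST", "https://app.example/account/update", 200, "email=a%40example.org&display_name=Alice"),
    ("GET", "https://app.example/search?q=invoice&page=2", 200, ""),
    ("GET", "https://app.example/admin", 403, ""),
    ("POST", "https://app.example/api/export", 500, "format=csv"),
]


def map_access_points(capture):
    """Build an inventory keyed by (method, path).

    Each entry records the query and body parameter names seen for that
    endpoint and every response status observed, so repeated visits to the
    same path with different values collapse into one access point.
    """
    access_points = defaultdict(lambda: {"params": set(), "statuses": set()})
    for method, url, status, body in capture:
        parts = urlsplit(url)
        entry = access_points[(method, parts.path)]
        # parse_qs returns {name: [values]}; only the names matter for the map
        entry["params"].update(parse_qs(parts.query, keep_blank_values=True))
        entry["params"].update(parse_qs(body, keep_blank_values=True))
        entry["statuses"].add(status)
    return dict(access_points)


def triage(access_points):
    """Sort endpoints into the active-mode phases each one calls for."""
    buckets = {"input_validation": [], "authorization": [], "error_handling": []}
    for (method, path), entry in sorted(access_points.items()):
        label = f"{method} {path}"
        if entry["params"]:  # every accepted input is a candidate for injection tests
            buckets["input_validation"].append(label)
        if entry["statuses"] & {401, 403}:  # access-controlled resource
            buckets["authorization"].append(label)
        if any(status >= 500 for status in entry["statuses"]):  # server error seen
            buckets["error_handling"].append(label)
    return buckets


def report(capture):
    """Human-readable summary of the inventory, returned as one string."""
    access_points = map_access_points(capture)
    lines = [f"{len(access_points)} access points found"]
    for (method, path), entry in sorted(access_points.items()):
        params = ", ".join(sorted(entry["params"])) or "-"
        statuses = ", ".join(str(s) for s in sorted(entry["statuses"]))
        lines.append(f"  {method:5} {path:20} params: {params:25} statuses: {statuses}")
    for phase, endpoints in triage(access_points).items():
        lines.append(f"{phase}: {', '.join(endpoints) or '-'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(CAPTURE))
```

The inventory is the hand-off from passive to active mode: the parameter names feed the input validation controls, the 401/403 responses mark where authorization tests belong, and any 5xx response is a lead for error handling tests.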

Every control in a given test should be carried out, and each has a unique reference number. The OWASP Testing Guide v3.0 lists all 66 controls that are supposed to be tested and how the testing should take place (FutureLearn, 2017). The main phases defined by the OWASP Testing Guide are:

- Information gathering: covers exposure assessment and deployment fingerprinting
- Configuration and deployment management testing: assessment of the server security configuration
- Web application security testing: lists the steps for testing specific web application vulnerabilities. The web application vulnerability tests include:
  o Identity management testing: assessment of user account management
  o Authentication testing: assessment of authentication methods
  o Authorization testing: testing for vulnerabilities by bypassing authorization and escalating privileges
  o Session management testing: finding session management flaws such as cross-site request forgery
  o Input validation testing: assessing vulnerabilities such as cross-site scripting and other injection flaws
  o Error handling testing: looking for information leaked in error messages
  o Weak cryptography testing: checking the encryption in use
  o Business logic testing: covers common flaws in the implementation of business logic
  o Client-side testing: checking for vulnerabilities such as HTML injection, JavaScript execution or CSS injection
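The input validation phase listed above is the one most often illustrated with a concrete control. As an added example that is not part of the paper or the OWASP guide, the Python script below puts a string-built SQL lookup beside its parameterized replacement and runs the same check a tester would run against both: a benign value must return only its matching row, and a tautology probe must not return more rows than the benign value did. The schema, rows and function names are constructed for the illustration.

```python
"""Input validation testing: injectable lookup beside the hardened form (added example)."""
import sqlite3


def setup_db():
    """Create an in-memory database with a few constructed user rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Builds the WHERE clause by string formatting, so user input becomes SQL."""
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn, username):
    """Binds the value as a query parameter, so the input is data, never syntax."""
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def injection_check(lookup, conn):
    """Report whether a lookup function treats its input as SQL.

    The probe is the textbook tautology used in input validation testing;
    a correctly bound query matches no row for it, because no user is
    literally named that way.
    """
    benign = lookup(conn, "alice")
    probe = lookup(conn, "' OR '1'='1")
    return {
        "benign_rows": len(benign),
        "probe_rows": len(probe),
        "injectable": len(probe) > len(benign),
    }


if __name__ == "__main__":
    db = setup_db()
    for name, fn in (("string-built", lookup_vulnerable), ("parameterized", lookup_parameterized)):
        print(f"{name:14} {injection_check(fn, db)}")
```

The same shape of check applies to the other injection classes in this phase: send a benign value and a syntax-bearing value to the same input and compare what comes back, rather than relying on the absence of an error message.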

Reporting is the last phase of the testing project, as discussed in the guide.

OWASP is an active community, which makes this methodology one of the best maintained, most comprehensive and most up to date. Currently there are many pentest projects that include some form of web application. Therefore, the OWASP Testing Guide is one of the methodologies that everyone should be familiar with and take advantage of when needed.


References

Dewhurst Security. (2010, March 8). OWASP Testing Methodology. Retrieved October 6, 2019, from Dewhurstsecurity.com website: https://blog.dewhurstsecurity.com/2010/03/08/owasp-testing-methodology.html

FutureLearn. (2017). OWASP Penetration Testing Methodology. Retrieved October 6, 2019, from FutureLearn website: https://www.futurelearn.com/courses/ethical-hacking-anintroduction/1/steps/523894

Imperva. (2019). What is Penetration Testing | Step-By-Step Process & Methods | Imperva. Retrieved from Learning Center website: https://www.imperva.com/learn/applicationsecurity/penetration-testing/

