공지사항
2015.09.09 / 12:59

아큐네틱스 웹 취약성 스캐너의 OWASP Penetrate Checklist 지원 내역

autodev
추천 수 133

아큐네틱스 웹 취약성 스캐너의

OWASP Penetrate Checklist 지원 내역

간략히 보면 15개 항목에 대해서 12개 항목을 지원하고 있습니다. 또한 아큐네틱스 WVS의 장점은 국내에서 기술지원을 제공하는 (주)아이시큐어(http://www.isecurekr.com)에서 아큐네틱스사와의 원활한 관계로 지속적으로 제품 업데이트가 이루어지고 있고, 빠른 지원으로 요구되는 사항을 점검 할 수 있도록 지원해주고 있습니다.

Category Re. Number Name Objective Notes
AppDOS OWASP-AD-001 Application Flooding Ensure that the application functions correctly when presented with large volumes of requests, transactions, and/or network traffic. Use various fuzzing tools to perform this test(e.g., SPIKE)
  OWASP-AD-002 Application Lockout Ensure that the application does not allow an attacker to reset or lockout users’ account  
AccessControl OWASP-AC-001 Parameter Analysis Ensure that the application enforces its access control model by ensuring that any parameters available to an attacker would not afford additional service Typically, this includes manipulation of form fields, URL query strings, client-side script values and cookies.
  OWASP-AC-002 Authorization Ensure that resources that require authorization checks before being sent to a user.  
  OWASP-AC-003 Authorization Parameter Manipulation Ensure that once a valid user has logged in, it is not possible to change the session ID’s parameter to reflect another user account. I.e., accountnumber, policynumber, usernumber, etc.
  OWASP-AC-004 Authorized pages/functions Check if it is possible to access pages or functions that require logon but can be bypassed backup files, directory listing checks, …
  OWASP-AC-005 Application Workflow Ensure that where the application requires the user to perform actions in a specific sequence, the sequences is enforced.  
Authentication OWASP-AUTHN-001 Authentication endpoint request should be HTTPS Ensure that users are only asked to submit authentication credentials on pages that are served with SSL This ensures that the user knows who is asking for their credentials as well as where they are being sent.
  OWASP-AUTHN-002 Authentication bypass Ensure that the authentication process cannot be bypassed Typically, this happens in conjunction with flaws such as SQL Injection
Authentication User OWASP-AUTHN-003 Credentials transport over an encrypted channel Ensure that usernames and passwords are sent over an encrypted channel Typically, this should be SSL
  OWASP-AUTHN-004 Default Account Check for default account names and passwords in use.  
  OWASP-AUTHN-005 Username Ensure that the username is not public (or “wallet”) information such as e-mail or SSN.  
  OWASP-AUTHN-006 Password Quality Ensure that the password complexity makes guessing passwords difficult.  
  OWASP-AUTHN-007 Password Reset Ensure that the user must respond to a secret answer or secret question or other predetermined information before passwords can be reset Ensure that passwords are not sent to users in e-mail.
  OWASP-AUTHN-008 Password Lockout Ensure that the users account is locked out for a period of time when the incorrect password is entered more that a specific number of times(usually 5).  
  OWASP-AUTHN-009 Password Structure Ensure that special meta characters cannot be used within the password. Can be useful when performing SQL injection.
  OWASP-AUTHN-0010 Blank Passwords Ensure that passwords are not blank.  
Authentication Session Management OWASP-AUTHSM-001 Session Token Length Ensure that the session token is of adequate length to provide protection from guessing during an authenticated session.  
  OWASP-AUTHSM-002 Session Timeout Ensure that the session tokens are only valid for a predetermined period after the last request by the user.  
  OWASP-AUTHSM-003 Session Reuse Ensure that session tokens are changed when the user moves from an SSL protected resource to a non-SSL protected resource.  
  OWASP-AUTHSM-004 Session Deletion Ensure that the session token is invalidated when the user logs out.  
  OWASP-AUTHSM-005 Session Token Format Ensure that the session token is non-persistent and is never written to the browsers history or cache.  
Configuration Management OWASP-CM-001 HTTP Methods Ensure that the web server does not support the ability to manipulate resources form the Internet(e.g., PUT and DELETE).  
  OWASP-CM-002 Virtually Hosted Sites Try to determine if the site is virtually hosted. If there are further sites, they could be vulnerable and lead to the compromise of the base server.
  OWASP-CM-003 Known Vulnerabilities/Security Patches Ensure that known vulnerabilities that vendors have patched are not present. Web Application tests
  OWASP-CM-004 Back-up Files Ensure that no backup files of source code are accessible on the publicly accessible part of the application.  
  OWASP-CM-004 Web Server Configuration Ensure that common configuration issues such as directory listings and sample files have been addressed.  
  OWASP-CM-005 Web Server Components Ensure that web server components such as Front Page Server Extensions or Apache modules do not introduce any security vulnerabilities.  
  OWASP-CM-006 Common Paths Check for existence of common directories within the application root. /backup & /admin may contain information.
  OWASP-CM-007 Language/Application defaults I.e., J2EE environmental quirks; e.g., availability of snoop.jsp /*Spy.jsp and loaded modules.  
Configuration Management Infrastructure OWASP-CM-008 Infrastructure Admin Interfaces Ensure that administrative interfaces to infrastructure, such as web servers and application servers, are not accessible to the Internet.  
Configuration Management Application OWASP-CM-009 Application Admin Interfaces Ensure that administrative interfaces to the application are not accessible to the Internet. ghdb
Error Handling OWASP-EH-001 Application Error Messages Ensure that the application does not present application error messages to an attacker that could be used in an attack. This typically occurs when applications return verbose error messages such as stack traces or database errors.
  OWASP-EH-002 User Error Messages Ensure that the application does not present user error messages to an attacker that could be used in an attack. This typically occurs when applications return error messages such as “User does not exist” or “User Correct, Password Incorrect.”
Data Protection OWASP-DP-001 Sensitive Data in HTML Ensure that there is not sensitive data in the HTML (cached in the browser history) that could lead an attacker to mount a focused attack. This typically occurs when developers leave information in HTML comments or the application renders names and addresses in HTML
  OWASP-DP-002 Data Storage Ensure data is protected to ensure its confidentiality and integrity, where required.  
  OWASP-DP-003 SSL Version Ensure that supported SSL versions do not have cryptographic weaknesses. Typically, this means supporting SSL3 and TLS 1.0 only.
  OWASP-DP-004 SSL Key Exchange Methods Ensure that the web server does not allow anonymous key exchange methods. Typically ADH Anonymous Diffie-Hellman.
  OWASP-DP-005 SSL Algorithms Ensure that weak algorithms are not available. Typically, algorithms such as RC2 and DES.
  OWASP-DP-006 SSL Key Lengths Ensure the web site uses an appropriate length key. Most web sites should enforce 128bit encryption
  OWASP-DP-007 Digital Certificate Validity Ensure the application uses valid digital certificates. Ensure that the digital certificate is valid; i.e., its signature, host, date, etc. are valid.
Input Validation OWASP-IV-001 Script Injection Ensure that any part of the application that allows input does not process scripts as part of the input. Classic case of Cross Site Scripting but includes other scripting as well
Input Validation. SQL OWASP-IV-002 SQL Injection Ensure the application will not process SQL commands from the user.  
Input Validation. OS OWASP-IV-003 OS Command Injection Ensure the applications will not process operating system commands from the user. This typically includes issues such as path traversal spawning command shells, and OS functions.
Input Validation. LDAP OWASP-IV-004 LDAP Injection Ensure the application will not process LDAP commands form the user.  
Input Validation. XSS OWASP-IV-005 Cross Site Scripting Ensure that the application will not store or reflect malicious script code.