2015.09.09 / 12:59
¾ÆÅ¥³×ƽ½º À¥ Ãë¾à¼º ½ºÄ³³ÊÀÇ OWASP Penetrate Checklist Áö¿ø ³»¿ª
autodev
Ãßõ ¼ö 386
¾ÆÅ¥³×ƽ½º À¥ Ãë¾à¼º ½ºÄ³³ÊÀÇ
OWASP Penetrate Checklist Áö¿ø ³»¿ª
°£·«È÷ º¸¸é 15°³ Ç׸ñ¿¡ ´ëÇؼ 12°³ Ç׸ñÀ» Áö¿øÇÏ°í ÀÖ½À´Ï´Ù. ¶ÇÇÑ ¾ÆÅ¥³×ƽ½º WVSÀÇ ÀåÁ¡Àº ±¹³»¿¡¼ ±â¼úÁö¿øÀ» Á¦°øÇÏ´Â (ÁÖ)¾ÆÀ̽ÃÅ¥¾î(http://www.isecurekr.com)¿¡¼ ¾ÆÅ¥³×ƽ½º»ç¿ÍÀÇ ¿øÈ°ÇÑ °ü°è·Î Áö¼ÓÀûÀ¸·Î Á¦Ç° ¾÷µ¥ÀÌÆ®°¡ ÀÌ·ç¾îÁö°í ÀÖ°í, ºü¸¥ Áö¿øÀ¸·Î ¿ä±¸µÇ´Â »çÇ×À» Á¡°Ë ÇÒ ¼ö ÀÖµµ·Ï Áö¿øÇØÁÖ°í ÀÖ½À´Ï´Ù.
| Category | Re. Number | Name | Objective | Notes |
| AppDOS | OWASP-AD-001 | Application Flooding | Ensure that the application functions correctly when presented with large volumes of requests, transactions, and/or network traffic. | Use various fuzzing tools to perform this test(e.g., SPIKE) |
| ¡¡ | OWASP-AD-002 | Application Lockout | Ensure that the application does not allow an attacker to reset or lockout users¡¯ account | ¡¡ |
| AccessControl | OWASP-AC-001 | Parameter Analysis | Ensure that the application enforces its access control model by ensuring that any parameters available to an attacker would not afford additional service | Typically, this includes manipulation of form fields, URL query strings, client-side script values and cookies. |
| ¡¡ | OWASP-AC-002 | Authorization | Ensure that resources that require authorization checks before being sent to a user. | ¡¡ |
| ¡¡ | OWASP-AC-003 | Authorization Parameter Manipulation | Ensure that once a valid user has logged in, it is not possible to change the session ID¡¯s parameter to reflect another user account. | I.e., accountnumber, policynumber, usernumber, etc. |
| ¡¡ | OWASP-AC-004 | Authorized pages/functions | Check if it is possible to access pages or functions that require logon but can be bypassed | backup files, directory listing checks, ¡¦ |
| ¡¡ | OWASP-AC-005 | Application Workflow | Ensure that where the application requires the user to perform actions in a specific sequence, the sequences is enforced. | ¡¡ |
| Authentication | OWASP-AUTHN-001 | Authentication endpoint request should be HTTPS | Ensure that users are only asked to submit authentication credentials on pages that are served with SSL | This ensures that the user knows who is asking for their credentials as well as where they are being sent. |
| ¡¡ | OWASP-AUTHN-002 | Authentication bypass | Ensure that the authentication process cannot be bypassed | Typically, this happens in conjunction with flaws such as SQL Injection |
| Authentication User | OWASP-AUTHN-003 | Credentials transport over an encrypted channel | Ensure that usernames and passwords are sent over an encrypted channel | Typically, this should be SSL |
| ¡¡ | OWASP-AUTHN-004 | Default Account | Check for default account names and passwords in use. | ¡¡ |
| ¡¡ | OWASP-AUTHN-005 | Username | Ensure that the username is not public (or ¡°wallet¡±) information such as e-mail or SSN. | ¡¡ |
| ¡¡ | OWASP-AUTHN-006 | Password Quality | Ensure that the password complexity makes guessing passwords difficult. | ¡¡ |
| ¡¡ | OWASP-AUTHN-007 | Password Reset | Ensure that the user must respond to a secret answer or secret question or other predetermined information before passwords can be reset | Ensure that passwords are not sent to users in e-mail. |
| ¡¡ | OWASP-AUTHN-008 | Password Lockout | Ensure that the users account is locked out for a period of time when the incorrect password is entered more that a specific number of times(usually 5). | ¡¡ |
| ¡¡ | OWASP-AUTHN-009 | Password Structure | Ensure that special meta characters cannot be used within the password. | Can be useful when performing SQL injection. |
| ¡¡ | OWASP-AUTHN-0010 | Blank Passwords | Ensure that passwords are not blank. | ¡¡ |
| Authentication Session Management | OWASP-AUTHSM-001 | Session Token Length | Ensure that the session token is of adequate length to provide protection from guessing during an authenticated session. | ¡¡ |
| ¡¡ | OWASP-AUTHSM-002 | Session Timeout | Ensure that the session tokens are only valid for a predetermined period after the last request by the user. | ¡¡ |
| ¡¡ | OWASP-AUTHSM-003 | Session Reuse | Ensure that session tokens are changed when the user moves from an SSL protected resource to a non-SSL protected resource. | ¡¡ |
| ¡¡ | OWASP-AUTHSM-004 | Session Deletion | Ensure that the session token is invalidated when the user logs out. | ¡¡ |
| ¡¡ | OWASP-AUTHSM-005 | Session Token Format | Ensure that the session token is non-persistent and is never written to the browsers history or cache. | ¡¡ |
| Configuration Management | OWASP-CM-001 | HTTP Methods | Ensure that the web server does not support the ability to manipulate resources form the Internet(e.g., PUT and DELETE). | ¡¡ |
| ¡¡ | OWASP-CM-002 | Virtually Hosted Sites | Try to determine if the site is virtually hosted. | If there are further sites, they could be vulnerable and lead to the compromise of the base server. |
| ¡¡ | OWASP-CM-003 | Known Vulnerabilities/Security Patches | Ensure that known vulnerabilities that vendors have patched are not present. | Web Application tests |
| ¡¡ | OWASP-CM-004 | Back-up Files | Ensure that no backup files of source code are accessible on the publicly accessible part of the application. | ¡¡ |
| ¡¡ | OWASP-CM-004 | Web Server Configuration | Ensure that common configuration issues such as directory listings and sample files have been addressed. | ¡¡ |
| ¡¡ | OWASP-CM-005 | Web Server Components | Ensure that web server components such as Front Page Server Extensions or Apache modules do not introduce any security vulnerabilities. | ¡¡ |
| ¡¡ | OWASP-CM-006 | Common Paths | Check for existence of common directories within the application root. | /backup & /admin may contain information. |
| ¡¡ | OWASP-CM-007 | Language/Application defaults | I.e., J2EE environmental quirks; e.g., availability of snoop.jsp /*Spy.jsp and loaded modules. | ¡¡ |
| Configuration Management Infrastructure | OWASP-CM-008 | Infrastructure Admin Interfaces | Ensure that administrative interfaces to infrastructure, such as web servers and application servers, are not accessible to the Internet. | ¡¡ |
| Configuration Management Application | OWASP-CM-009 | Application Admin Interfaces | Ensure that administrative interfaces to the application are not accessible to the Internet. | ghdb |
| Error Handling | OWASP-EH-001 | Application Error Messages | Ensure that the application does not present application error messages to an attacker that could be used in an attack. | This typically occurs when applications return verbose error messages such as stack traces or database errors. |
| ¡¡ | OWASP-EH-002 | User Error Messages | Ensure that the application does not present user error messages to an attacker that could be used in an attack. | This typically occurs when applications return error messages such as ¡°User does not exist¡± or ¡°User Correct, Password Incorrect.¡± |
| Data Protection | OWASP-DP-001 | Sensitive Data in HTML | Ensure that there is not sensitive data in the HTML (cached in the browser history) that could lead an attacker to mount a focused attack. | This typically occurs when developers leave information in HTML comments or the application renders names and addresses in HTML |
| ¡¡ | OWASP-DP-002 | Data Storage | Ensure data is protected to ensure its confidentiality and integrity, where required. | ¡¡ |
| ¡¡ | OWASP-DP-003 | SSL Version | Ensure that supported SSL versions do not have cryptographic weaknesses. | Typically, this means supporting SSL3 and TLS 1.0 only. |
| ¡¡ | OWASP-DP-004 | SSL Key Exchange Methods | Ensure that the web server does not allow anonymous key exchange methods. | Typically ADH Anonymous Diffie-Hellman. |
| ¡¡ | OWASP-DP-005 | SSL Algorithms | Ensure that weak algorithms are not available. | Typically, algorithms such as RC2 and DES. |
| ¡¡ | OWASP-DP-006 | SSL Key Lengths | Ensure the web site uses an appropriate length key. | Most web sites should enforce 128bit encryption |
| ¡¡ | OWASP-DP-007 | Digital Certificate Validity | Ensure the application uses valid digital certificates. | Ensure that the digital certificate is valid; i.e., its signature, host, date, etc. are valid. |
| Input Validation | OWASP-IV-001 | Script Injection | Ensure that any part of the application that allows input does not process scripts as part of the input. | Classic case of Cross Site Scripting but includes other scripting as well |
| Input Validation. SQL | OWASP-IV-002 | SQL Injection | Ensure the application will not process SQL commands from the user. | ¡¡ |
| Input Validation. OS | OWASP-IV-003 | OS Command Injection | Ensure the applications will not process operating system commands from the user. | This typically includes issues such as path traversal spawning command shells, and OS functions. |
| Input Validation. LDAP | OWASP-IV-004 | LDAP Injection | Ensure the application will not process LDAP commands form the user. | ¡¡ |
| Input Validation. XSS | OWASP-IV-005 | Cross Site Scripting | Ensure that the application will not store or reflect malicious script code. | ¡¡ |