More Related Content
What's hot (20)
Similar to Owasp security testing methodlogies –part2 (20)
Recently uploaded (20)
Owasp security testing methodlogies –part2
- 1. OWASP TESTING METHODOLOGIES –Part2 • Identity management testing. ? • Authentication Testing
- 2. Identity Management Testing • Identity management testing required in each and every web application for the roles and responsibilities. • Various test cases required to prepare to check identity management testing like user registration process, user enumeration, user account provisioning, user roles, unenforced password policy. • To test the user roles need to validate the system roles defined within the application sufficiently based on the functionality and information. • For the security tester need to assure that user roles are properly defined with their respective functionality. • To test this process the best way to execute it through manually also with the help of spider tool can identify the respective access pages of different users.
- 3. Identity Management Testing • User provisioning account also play important part for the identity management testing. • Security Tester need to assure that the same user can not provision the user with high privilege. • Need to verify that the same user can not de- provision themselves. • Need to verify if the administrator create multiple administrator If yes then need to check business requirement. • This process also test through the manual testing and with the burp suite tool. • User enumeration attack is the first level of attack on the login pages. • Here the attackers grab the user name without having any information of the user. • Security Tester need to assure the response from the server for the correct and wrong credentials remain same. • Security tester can also verify the response length with the burp suite tool to enumerate the account name.
- 4. Identity Management Testing • In the below screenshot it reveals that the response length signify the presence of valid name and invalid name.
- 5. Identity Management Testing • When the user registered himself into the application, the password policy play the crucial role. • A weak password policy make the task of the attacker easier to crack the user credentials. • Security tester need to assure that strong password policy have to be follow by the application. • Manual security testing help to identify that whether the application implemented the strong password policy or not. • Some of the recommended suggestion are that password should be equal to or greater than eight character, it is combination of numeric, upper case and lower case character, it expire after 90 days etc. • Attackers generally use the password crackers tools like Brutus, wfuz,rainbow crack etc. to crash the password.
- 6. Authentication Testing • Authentication page is entry point for the attacker to access the restricted pages. • Compromising the credentials means the efforts to create security restriction by developer on other areas get inadequate. • Security Tester need to create various test cases to identify the weakness on the authentication pages. • Attackers gain access of the credentials with the help of various techniques and tools. • Various test cases need to be created to test the authentication testing. • Some of the examples are credentials must passes over encrypted channel, default credentials ,Bypass the authentication mechanism, browser cache the credentials ,weak password policy, weak security challenge/answer, weak password change or reset functionality, remember password functionality. • Authentication testing process can be test through the manual testing and also with the automated tools. • Some of the good tools are IBM appscan, acunetix, Web inspect helps to identifying authentication related vulnerability very easily. • Various types of authentication mechanism used by the application are basic, form-based, NTLM etc.
- 7. Authentication Testing • To test the credentials is working over encrypted channel, identify manually with the proxy tool or with the Wireshark tools. • Tester need to verify that some times credentials working over https and http protocols too. • Below screenshot shows that credentials passes over http protocol.
- 8. Authentication Testing • In the below screenshot shows that user id and password travel over http in the base 64 encoded format. • Various techniques can be used by the attackers to bypass the authentication mechanism of the application.
- 9. • Also to bypass the authentication attacker can login into the application with SQL injection attacks For example the sql injection ‘ or 1=1– help the attackers to by pass the authentication: Authentication Testing
- 10. Authentication Testing • Any techniques which reached to the restricted pages without entering the correct credentials can be named as bypass the authentication. • Security tester must assure that restricted pages can only be accessible through login mechanism
- 11. Authentication Testing • In the below screenshot of paypal website shows that how the password echo from the server when the invalid user or password entered by the user. • Here the attackers can retrieve the html files from the browser history pages to view the source code .
- 12. Authentication Testing • As shown here the echo's password shown in the html source code of the page in the clear text format.
- 13. Authentication Testing • Security tester need to verify each mechanism where the credentials sent over the server from the client machine. • In the below screen shots of shopify website on the user password reset page, the password value also travel over the GET method.
- 14. Authentication Testing • Most of the time developer open the entry points of default credentials on the production server too. • Security tester need to verify the same with manually or with automated tools (brutus as shown in below screen shot) to identify the default credentials access.
- 15. Authentication Testing • Most of the ecommerce application required to have the remember me password functionality because it become ease for the customer to re login into the application without remembering the password. • But this functionality become dangerous when the application business domain changed from ecommerce to the banking domain. • Remember me password save on the user browser which can retrieve easily through web browser.
- 16. Authentication Testing • Most of the application provide authority to the user to set the challenge question and answers for password recovery. • A lazy user always set the very easy question & answer which can easily breakable by the attackers. • Some of the examples are “what is your name”, what come after 8” etc. • Attackers with the help of password crackers tools can easily break the security challenge. • Security tester must ensure that such kind of weak challenges avoided into the application. • Security Tester also need to verify the password reset and change password functionalities. • Most of the application provide the authorization token to the registered email address. Security tester must ensure that the reset link always bind with time period and destroy after it use. • The authorization token should be puzzle and lengthy so that attacker should not easily predict the token id. • Change password feature only allowed if the previous password feature also available with the request. • Security tester must ensure that no user can change the password of other user.