In my previous article, Application security assessment, part 1: An opportunity for VARs and consultants, I explain the value of providing Web application security assessments for your customers. So how do you conduct an application security assessment? The key is to establish and follow a repeatable methodology, such as the following.
Requires Membership to View
To gain access to this and all member only content, please provide the following information:
By submitting your registration information to SearchSecurityChannel.com you agree to receive email communications from the TechTarget network of sites, and/or third party content providers that have relationships with TechTarget, based on your topic interests and activity, including updates on new content, event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile, unsubscribing via email or by contacting us here
- Your use of SearchSecurityChannel.com is governed by our Terms of Use
- We designed our Privacy Policy to provide you with important disclosures about how we collect and use your registration and other information. We encourage you to read the Privacy Policy, and to use it to help make informed decisions.
- If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States.
 |
||||
|
|
|||
|
||||
Begin by creating a project plan with your customer that details both tasks to be performed and their timing. Include customer-authorized test windows, proposed on-site dates if required, as well as projected dates for major project milestones. Also identify, with the customer's help, critical documents and artifacts that you will use to plan and conduct scanning and testing. Requested information may include:
- Network architecture diagrams
- IP addresses and URLs for application testing
- Test windows and schedule information
- Application user and administrator guides
- Application credentials
Conduct the application security assessment remotely, beginning with application functional security testing. Test the customer Web application up to an agreed upon number of unique user roles, looking for functional security flaws that may expose the customer to risk.
Next, assess the effectiveness of the application-layer security controls by attempting to gain unauthorized access to the application. Try to bypass authentication, authorization, input validation and other controls, using the following hacking techniques:
- Parameter tampering – Modify query strings, POST parameters and hidden fields in an attempt to gain unauthorized access to data or functionality.
- Cookie poisoning – Modify data sent in cookies to test the application's response to unexpected cookie values.
- Session hijacking – Attempt to take over a session established by another user to assume the privileges of that user.
- User privilege escalation – Attempt to gain unauthorized access to administrator or other users' privileges.
- Credential manipulation – Modify identification and authorization credentials in an attempt to gain unauthorized access to other users' privileges.
- Forceful browsing – Misconfigured Web servers will send any file to a user, as long as the user knows the file name and the file is not protected. Attempt to exploit this security hole and "jump" directly to private pages.
- Backdoors and debug options – Many applications contain code left by developers for debugging purposes. Debugging code typically runs with a higher level of access, making it a target for potential exploitation. Developers may also leave backdoors in their code. These backdoors, if discovered, could potentially allow an intruder to gain additional level of access. Attempt to identify debugging code and backdoors.
- Configuration subversion – Misconfiguring Web servers and application servers is a common mistake. The most common misconfiguration is one that permits directory browsing. Hackers can utilize this functionality in order to browse the application's directories (such as cgi-bin/). Attempt to do so yourself by simply typing in the directory name.
- Input validation bypass – Remove client-side validation routines and bounds-checking to ensure controls are implemented on the server.
- SQL injection – Submit specially crafted SQL commands to input fields to validate input type controls.
- Cross-site scripting – Submit active content to the application in an attempt to cause a user's Web browser to execute unauthorized code. This test is meant to validate user input type controls.
- Note: Immediately notify the customer of all "high" severity findings, which expose the customer to immediate risk of security compromise.
When you have completed the application security assessment, analyze the results for false-positives to ensure their accuracy. Also analyze each finding for severity and criticality.
Finally, deliver a concise Report of Findings and Recommendations detailing weaknesses identified within the customer's Web application. Where appropriate, provide recommendations for correcting security exposures.
About the author
|
|
|
|
|
|
Adam Rice is a Manager at VeriSign's Global Security Consulting. VeriSign's Global Security Consulting Services help Fortune 500 companies understand corporate security requirements, navigate the maze of diverse regulations, identify security vulnerabilities, defend against and respond to attacks, reduce risk, and meet the security compliance requirements of your business and industry.
Adam has authored several white papers and technical articles on security professional services and emerging threats to the Internet community. He has an extensive background working in security professional services product development and business delivery.
This was first published in October 2006