Who are OWASP?
OWASP (Open Web Application Security Project) is an organisation providing unbiased information and advice on the security of computer and internet applications. It does this by operating a number of "projects", each focused on a different remit.
OWASP is perhaps best known for its flagship "OWASP Top 10 Web Application Security Risks" project, commonly known as the "OWASP Top 10". However, OWASP acts as an umbrella for dozens of projects, listed at https://owasp.org/projects/
What is the OWASP Penetration Testing Checklist?
OWASP operates many projects in the area of web security, each of which delivers different artefacts and outputs of use to security professionals. In the areas of security testing and assurance, major projects include the OWASP Application Security Verification Standard (ASVS) and the OWASP Web Security Testing Guide (WSTG), both of which are very in-depth and offer detailed scope, technique and methodology guidance for web application security testing.
However, OWASP found that many of its members and followers (especially financial services companies) required a simpler checklist that they could use during RFP (Request For Proposal) or other bidding/onboarding processes, or during due diligence assessments of external vendors offering web application security assessment services, specifically vulnerability scanning and penetration testing.
OWASP therefore developed the Penetration Testing Checklist as a relatively lightweight set of benchmarks against which vendor offerings can be assessed, focusing on which set of potential web application security issues should be covered by vendor solutions.
The checklist is published by OWASP at https://owasp.org/www-project-web-security-testing-guide/assets/archive/OWASP_Web_Application_Penetration_Checklist_v1_1.pdf
It is important to assess whether the OWASP Penetration Testing Checklist provides sufficient assurance for your specific business requirements: OWASP offers many alternative requirements lists and standards that deliver different levels of technical detail and require varying levels of resource to deliver.
What does the OWASP Penetration Testing Checklist contain?
The Checklist does not contain a prescribed methodology, but rather a specific coverage list (list of checks) that should be performed by a web application security penetration test or similar solution. It also does not cover requirements for infrastructure level testing, but only testing at the web application level.
What does the OWASP Penetration Testing Checklist deliver or assure?
The Checklist is aimed at delivering a basic standard against which vendor solutions can be assessed, to ensure that an assessed web application security testing provider delivers a service that is sufficient in coverage as well as both methodical and repeatable. As the name suggests, it primarily relates to penetration testing (testing performed by a human tester) rather than to automated vulnerability scanning solutions such as AppCheck. However, there is a large degree of crossover in coverage.
Does AppCheck meet all of OWASP's Penetration Testing Checklist requirements?
In the tables below, we map what AppCheck covers within each area of the OWASP Checklist:
AppDOS (Denial of Service)
| Reference | Name | Objective | AppCheck Coverage |
|---|---|---|---|
| OWASP-AD-001 | Application Flooding | Ensure that the application functions correctly when presented with large volumes of requests, transactions and/or network traffic. | NO - AppCheck deliberately does not target scanned services and applications with Denial of Service type attacks, since these can take down targeted services. The request rate/intensity of AppCheck scans is configurable. |
| OWASP-AD-002 | Application Lockout | Ensure that the application does not allow an attacker to reset or lock out users' accounts. | YES - AppCheck's "Authentication Audit" plugin can be enabled in order to detect account lockouts. This plugin attempts to authenticate with a valid username and an incorrect password a number of times, then confirms whether the valid username/password combination is still successful. For best results, a valid username/password combination should be provided during scan configuration. |
AccessControl
| Reference | Name | Objective | AppCheck Coverage |
|---|---|---|---|
| OWASP-AC-001 | Parameter Analysis | Ensure that the application enforces its access control model by ensuring that any parameters available to an attacker would not afford additional service. Typically this includes manipulation of form fields, URL query strings, client-side script values and cookies. | YES - AppCheck checks for file path manipulation vulnerabilities as well as IDOR weaknesses. |
| OWASP-AC-002 | Authorization | Ensure that resources that require authorization perform adequate authorization checks before being sent to a user. | PARTIAL - AppCheck checks for technical authentication weaknesses such as unprotected resources and/or authentication bypass methods; however, business logic and/or context (e.g. which user *should* be granted authorization to perform which action) is often not possible for an automated scanner to assess. |
| OWASP-AC-003 | Authorization Parameter Manipulation | Ensure that once a valid user has logged in it is not possible to change the session ID's parameter to reflect another user account. | YES - AppCheck checks for IDOR vulnerabilities and also warns if sensitive parameters are passed in the URL. |
| OWASP-AC-004 | Authorized pages/functions | Check to see if it is possible to access pages or functions which require logon but can be bypassed. | YES - AppCheck checks for authentication bypass methods. |
| OWASP-AC-005 | Application Workflow | Ensure that where the application requires the user to perform actions in a specific sequence, the sequence is enforced. | PARTIAL - Different user journeys can be modelled using our in-house GoScript functionality and used during scanning, but the scanner cannot confirm that the same result cannot be achieved without said workflow. |
Authentication
| Reference | Name | Objective | AppCheck Coverage |
|---|---|---|---|
| OWASP-AUTHN-001 | Authentication endpoint request should be HTTPS | Ensure that users are only asked to submit authentication credentials on pages that are served with SSL. | YES - AppCheck will warn about instances where credentials are requested or transmitted in plaintext (unencrypted). |
| OWASP-AUTHN-002 | Authentication bypass | Ensure that the authentication process cannot be bypassed. Typically this happens in conjunction with flaws like SQL Injection. | PARTIAL - AppCheck includes extensive SQL Injection testing, and will attempt to detect broken authentication systems, but sometimes knowing what is intended to be locked behind an authentication barrier requires human knowledge/intelligence. |
Authentication.User
| Reference | Name | Objective | AppCheck Coverage |
|---|---|---|---|
| OWASP-AUTHN-003 | Credentials transport over an encrypted channel | Ensure that usernames and passwords are sent over an encrypted channel. Typically this should be SSL. | YES - AppCheck will warn about instances where credentials are requested or transmitted in plaintext (unencrypted). |
| OWASP-AUTHN-004 | Default Accounts | Check for default account names and passwords in use. | YES - AppCheck will check for default account names and passwords using both a built-in and, if required, a customer-provided list. |
| OWASP-AUTHN-005 | Username | Ensure that the username is not public (or "wallet") information such as email or SSN. | PARTIAL - AppCheck will report on user ID and username disclosure issues; however, it does not report an email address used as a username as an issue. |
| OWASP-AUTHN-006 | Password Quality | Ensure that the password complexity makes guessing passwords difficult. | YES - AppCheck will test for weak passwords. |
| OWASP-AUTHN-007 | Password Reset | Ensure that the user must respond to a secret answer / secret question or other predetermined information before passwords can be reset. | PARTIAL - AppCheck includes checks for instances where password reset tokens are not properly validated. |
| OWASP-AUTHN-008 | Password Lockout | Ensure that the user's account is locked out for a period of time when the incorrect password is entered more than a specific number of times (usually 5). | YES - AppCheck's "Authentication Audit" plugin can be enabled in order to detect account lockouts. This plugin attempts to authenticate with a valid username and an incorrect password a number of times, then confirms whether the valid username/password combination is still successful. For best results, a valid username/password combination should be provided during scan configuration. |
| OWASP-AUTHN-009 | Password Structure | Ensure that special meta characters cannot be used within the password. | PARTIAL - AppCheck will check for control characters and character injection; however, it does not report an unrestricted character set as an issue. |
| OWASP-AUTHN-010 | Blank Password | Ensure that passwords are not blank. | YES - AppCheck will test for weak passwords, including blank passwords. |
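The lockout detection procedure described for OWASP-AD-002 and OWASP-AUTHN-008 above (several wrong passwords, then a retry of the known-good credential) can be expressed as a small audit routine. This is an added example, not AppCheck's plugin code: `login` is assumed to be any callable returning True when a credential pair is accepted, and `SimulatedAuth` is a constructed in-memory backend so the audit runs offline.

```python
"""Account-lockout audit in the style of the "Authentication Audit" check
described above. Added example, not AppCheck's code: `login` is any callable
returning True when a credential pair is accepted, and SimulatedAuth is a
constructed backend so the audit can be run offline."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set

LoginFn = Callable[[str, str], bool]


@dataclass
class SimulatedAuth:
    """Minimal credential store with an optional failed-attempt lockout policy."""
    users: Dict[str, str]
    lockout_threshold: Optional[int] = 5          # None means no lockout at all
    failures: Dict[str, int] = field(default_factory=dict)
    locked: Set[str] = field(default_factory=set)

    def login(self, username: str, password: str) -> bool:
        if username in self.locked:
            return False                          # locked accounts reject everything
        if self.users.get(username) == password:
            self.failures[username] = 0           # a success resets the counter
            return True
        self.failures[username] = self.failures.get(username, 0) + 1
        if (self.lockout_threshold is not None
                and self.failures[username] >= self.lockout_threshold):
            self.locked.add(username)
        return False


def audit_lockout(login: LoginFn, username: str, password: str,
                  attempts: int = 10) -> dict:
    """Send `attempts` wrong passwords, then retry the known-good credential.

    Lockout is judged present when the known-good credential is rejected
    afterwards, mirroring OWASP-AD-002 / OWASP-AUTHN-008. A rate limiter that
    rejects the final login is reported the same way, so a finding should be
    confirmed against the application's stated lockout policy.
    """
    if not login(username, password):
        raise ValueError("the supplied credential must be valid before auditing")
    for i in range(attempts):
        login(username, f"wrong-password-{i}")   # constructed bad guesses
    still_works = login(username, password)
    return {
        "wrong_attempts": attempts,
        "valid_login_after": still_works,
        "lockout_detected": not still_works,
    }
```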
Authentication.SessionManagement
| Reference | Name | Objective | AppCheck Coverage |
|---|---|---|---|
| OWASP-AUTHSM-001 | Session Token Length | Ensure that the session token is of adequate length to provide protection from guessing during an authenticated session. | NO - AppCheck does not currently report on session token length. |
| OWASP-AUTHSM-002 | Session Timeout | Ensure that the session tokens are only valid for a predetermined period after the last request by the user. | YES - AppCheck reports on instances such as long JWT expiry times. |
| OWASP-AUTHSM-003 | Session Reuse | Ensure that session tokens are changed when the user moves from an SSL protected resource to a non-SSL protected resource. | PARTIAL - AppCheck will report on HTTP cookies which do not have the 'secure' flag set, but does not report on failure to change the session token when the user moves context. |
| OWASP-AUTHSM-004 | Session Deletion | Ensure that the session token is invalidated when the user logs out. | NO - AppCheck does not currently report on failure to invalidate the session token when logging out. |
| OWASP-AUTHSM-005 | Session Token Format | Ensure that the session token is non-persistent and is never written to the browser's history or cache. | YES - AppCheck tests that the session token is not included as a URL parameter. |
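The three session-management properties AppCheck reports on above (long JWT expiry for OWASP-AUTHSM-002, a missing 'secure' cookie flag for OWASP-AUTHSM-003, and a session token carried as a URL parameter for OWASP-AUTHSM-005) can be checked statically from a response header, a token and a URL. This is an added example rather than AppCheck's code; the inputs are constructed, and the 24-hour JWT lifetime threshold and the session parameter name list are assumed policy values.

```python
"""Static checks for the session-management rows above (OWASP-AUTHSM-002,
-003 and -005). Added example, not AppCheck's code; the Set-Cookie header,
JWT and URL it inspects are constructed, and the lifetime threshold and
parameter-name list are assumed policy values."""
import base64
import json
from urllib.parse import parse_qs, urlparse

SESSION_PARAM_NAMES = {"sessionid", "jsessionid", "phpsessid", "sid", "token"}
MAX_JWT_LIFETIME_SECONDS = 24 * 3600      # assumed threshold for "long expiry"


def cookie_findings(set_cookie: str) -> list:
    """Flag a session cookie that lacks the Secure or HttpOnly attribute."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    findings = []
    if "secure" not in attrs:
        findings.append(f"cookie {name} lacks Secure flag")
    if "httponly" not in attrs:
        findings.append(f"cookie {name} lacks HttpOnly flag")
    return findings


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_unsigned_jwt(payload: dict) -> str:
    """Builds a sample token with a dummy signature; for constructed input only."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc(payload)}.x"


def jwt_findings(token: str) -> list:
    """Report a missing exp claim or a lifetime over the threshold (no signature check)."""
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    if "exp" not in payload:
        return ["JWT has no exp claim (never expires)"]
    if "iat" not in payload:
        return ["JWT has no iat claim, lifetime cannot be determined"]
    lifetime = payload["exp"] - payload["iat"]
    if lifetime > MAX_JWT_LIFETIME_SECONDS:
        return [f"JWT lifetime {lifetime}s exceeds {MAX_JWT_LIFETIME_SECONDS}s"]
    return []


def url_findings(url: str) -> list:
    """Flag session tokens in the query string (they land in logs, history and Referer)."""
    params = parse_qs(urlparse(url).query)
    return [f"session token {name} passed as URL parameter"
            for name in params if name.lower() in SESSION_PARAM_NAMES]
```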
Configuration.Management
| Reference | Name | Objective | AppCheck Coverage |
|---|---|---|---|
| OWASP-CM-001 | HTTP Methods | Ensure that the web server does not support the ability to manipulate resources from the Internet (e.g. PUT and DELETE). | YES - AppCheck will report if 'dangerous' HTTP methods such as PUT or DELETE are honoured by the server, as well as debugging methods such as TRACK/TRACE or DEBUG. |
| OWASP-CM-002 | Virtually Hosted Sites | Try to determine if the site is virtually hosted. | NO - AppCheck does not currently report if the site is virtually hosted. |
| OWASP-CM-003 | Known Vulnerabilities / Security Patches | Ensure that known vulnerabilities which vendors have patched are not present. | YES - AppCheck will perform version detection/enumeration and report known vulnerabilities in the versions found. |
| OWASP-CM-004 | Back-up Files | Ensure that no backup files of source code are accessible on the publicly accessible part of the application. | YES - AppCheck reports if potential backup or temporary files are detected. |
| OWASP-CM-004 | Web Server Configuration | Ensure that common configuration issues such as directory listings and sample files have been addressed. | YES - AppCheck will report if instances are found of directory traversal, directory listing or possible source code, as well as sensitive files/components such as Dockerfiles. |
| OWASP-CM-005 | Web Server Components | Ensure that web server components like FrontPage Server Extensions or Apache modules do not introduce any security vulnerabilities. | YES - AppCheck will report on known vulnerabilities within the web server software and components detected. |
| OWASP-CM-006 | Common Paths | Check for the existence of common directories within the application root; /backup and /admin may contain information. | YES - AppCheck checks for known common paths such as /admin and /backup. |
| OWASP-CM-007 | Language/Application defaults | I.e. J2EE environmental quirks, e.g. availability of snoop.jsp, /*Spy.jsp and loaded modules. | YES - AppCheck will warn if default files such as Apache Tomcat servlet/JSP container files are discovered. |
Configuration.Management.Infrastructure
| Reference | Name | Objective | AppCheck Coverage |
|---|---|---|---|
| OWASP-CM-008 | Infrastructure Admin Interfaces | Ensure that administrative interfaces to infrastructure such as web servers and application servers are not accessible to the Internet. | YES - AppCheck will report if known administration endpoints are found. It will also attempt to discover such endpoints via "bruteforce"/fuzzing/guessing paths. |
Configuration.Management.Application
| Reference | Name | Objective | AppCheck Coverage |
|---|---|---|---|
| OWASP-CM-009 | Application Admin Interfaces | Ensure that administrative interfaces to the applications are not accessible to the Internet. | YES - AppCheck will report if known administration endpoints are found. It will also attempt to discover such endpoints via "bruteforce"/fuzzing/guessing paths. |
ErrorHandling
| Reference | Name | Objective | AppCheck Coverage |
|---|---|---|---|
| OWASP-EH-001 | Application Error Messages | Ensure that the application does not present application error messages to an attacker that could be used in an attack. This typically occurs when applications return verbose error messages such as stack traces or database errors. | YES - AppCheck will report verbose error messages encountered. |
| OWASP-EH-002 | User Error Messages | Ensure that the application does not present user error messages to an attacker that could be used in an attack. This typically occurs when applications return error messages such as "User does not exist" or "User Correct, Password Incorrect". | YES - AppCheck will report instances where user enumeration appeared to be possible. |
DataProtection
| Reference | Name | Objective | AppCheck Coverage |
|---|---|---|---|
| OWASP-DP-001 | Sensitive Data in HTML | Ensure that there is no sensitive data in the HTML (cached in the browser history) that could lead an attacker to mount a focused attack. | YES - AppCheck will report caching directives per resource. AppCheck will also report where credentials, session tokens etc. are found as URL parameters. |
| OWASP-DP-002 | Data Storage | Ensure that, where required, data is protected to preserve its confidentiality and integrity. | YES - AppCheck will report if sensitive data can be discovered via browsable directories, AWS S3 bucket indexing, and other methods. |
DataProtection.Transport
| Reference | Name | Objective | AppCheck Coverage |
|---|---|---|---|
| OWASP-DP-003 | SSL Version | Ensure that the SSL versions supported do not have cryptographic weaknesses. | YES - AppCheck will report if weak SSL versions/protocols are found. |
| OWASP-DP-004 | SSL Key Exchange Methods | Ensure that the web server does not allow anonymous key exchange methods. | YES - AppCheck will report if weak SSL key exchange methods are found. |
| OWASP-DP-005 | SSL Algorithms | Ensure that weak algorithms are not available. | YES - AppCheck will report if weak SSL ciphers/algorithms are found. |
| OWASP-DP-006 | SSL Key Lengths | Ensure the web site uses an appropriate length key. | YES - AppCheck will report if weak SSL key lengths are found. |
| OWASP-DP-007 | Digital Certificate Validity | Ensure the application uses valid digital certificates. | YES - AppCheck will report if certificates are found to be expired, signed with weak algorithms, or otherwise untrusted. |
InputValidation
| Reference | Name | Objective | AppCheck Coverage |
|---|---|---|---|
| OWASP-IV-001 | Script Injection | Ensure that any part of the application that allows input does not process scripts as part of the input. The classic case is Cross Site Scripting, but this includes other scripting as well. | YES - AppCheck performs extensive checks for injection. |
InputValidation.SQL
| Reference | Name | Objective | AppCheck Coverage |
|---|---|---|---|
| OWASP-IV-002 | SQL Injection | Ensure the application will not process SQL commands from the user. | YES - AppCheck performs extensive checks for SQL injection. |
InputValidation.OS
| Reference | Name | Objective | AppCheck Coverage |
|---|---|---|---|
| OWASP-IV-003 | OS Command Injection | Ensure the application will not process operating system commands from the user. | YES - AppCheck performs extensive checks for OS command injection. |
InputValidation.LDAP
| Reference | Name | Objective | AppCheck Coverage |
|---|---|---|---|
| OWASP-IV-004 | LDAP Injection | Ensure the application will not process LDAP commands from the user. | YES - AppCheck performs extensive checks for LDAP injection. |
InputValidation.XSS
| Reference | Name | Objective | AppCheck Coverage |
|---|---|---|---|
| OWASP-IV-005 | Cross Site Scripting | Ensure that the application will not store or reflect malicious script code. | YES - AppCheck performs extensive checks for Cross Site Scripting (XSS). |
BufferOverflow
| Reference | Name | Objective | AppCheck Coverage |
|---|---|---|---|
| OWASP-BO-001 | Overflows | Ensure that the application is not susceptible to any buffer overflows. | PARTIAL - AppCheck checks for known overflow vulnerabilities in detected software (where published as CVEs). It does not, however, attempt to identify these issues from first principles via fuzzing, since this type of testing would have an extremely high likelihood of causing denial of service or service impact. |
| OWASP-BO-002 | Heap Overflows | Ensure that the application is not susceptible to any heap overflows. | PARTIAL - AppCheck checks for known overflow vulnerabilities in detected software (where published as CVEs). It does not, however, attempt to identify these issues from first principles via fuzzing, since this type of testing would have an extremely high likelihood of causing denial of service or service impact. |
| OWASP-BO-003 | Stack Overflows | Ensure that the application is not susceptible to any stack overflows. | PARTIAL - AppCheck checks for known overflow vulnerabilities in detected software (where published as CVEs). It does not, however, attempt to identify these issues from first principles via fuzzing, since this type of testing would have an extremely high likelihood of causing denial of service or service impact. |
| OWASP-BO-004 | Format Strings | Ensure that the application is not susceptible to any format string overflows. | PARTIAL - AppCheck checks for known overflow vulnerabilities in detected software (where published as CVEs). It does not, however, attempt to identify these issues from first principles via fuzzing, since this type of testing would have an extremely high likelihood of causing denial of service or service impact. |