Framework Implementation for OWASP Testing Guide
Abstract:
This paper intends to give an introduction to how vulnerabilities are tested. It is based on the OWASP
Testing Guide, an audit approach and set of concepts used by penetration testers
working in a web environment. Our main aim is to automate the guide: simple
testing algorithms were developed, each corresponding to two methods of
this guide, which were previously run as a non-automated process.
With this work we want to make the existing facilities easier to use and also provide more tools
for complex tests. Tests were performed in an environment deliberately prepared with errors, such as
the OWASP Broken Web Applications Project.
KEYWORDS
OWASP, Test Guide, Pentester, XSS, IT Security