
Proposal

FUENTES, ET AL.

Objectives
Propose a new framework for web vulnerability assessment and mitigation

Test the proposed framework on an active web application

Gather research data from the test implementation

Work with the client to improve the framework and the target web application

Establish a simplified, repeatable approach to web vulnerability assessment for adoption in the local IT industry

What we currently know


Buy and sell Real Estate Automotive Services Jobs Business Establishments Events

A new web application vulnerability assessment framework


A PROPOSAL

OSSTMM 3
BY THE INSTITUTE FOR SECURITY AND OPEN METHODOLOGIES

Coverage
OSSTMM

Human

Physical

Wireless

Telecommunications

Data Networks

OWASP Testing Guide v3


BY OWASP (OPEN WEB APPLICATION SECURITY PROJECT)

Information Gathering

Configuration Management Testing

Business Logic Testing

Authentication Testing

Authorization Testing

Session Management Testing

Data Validation Testing

Denial of Service Testing

Web Services Testing

Ajax Testing

Coverage

Web Application
Production Development

A new framework

Proposed Vulnerability Assessment Methodology


A simplified approach to web vulnerability assessment

WEB APPLICATION
Application Analysis

Vulnerability Scanning/Exploitation

Mitigation

Assessment

Personal

Framework
Government

Application Server

Web App
Commercial

Network

Application Analysis

Application Specific: Domain Name; IP Address; Development Language/CMS Identification; Third-Party Software Libraries

Server Specific: Web Server Identification; Database Server Application

Network Specific: Network Architecture Modeling; Proxy, Firewall Rules, etc.

Vulnerability Scanning/Exploitation

Application Specific: XSS; Session grabbing; Clickjacking; Bruteforce form cracking

Server Specific: SQL injection; DoS attack; Malicious code execution; Remote shell exploits

Network Specific: Live host scan; Port scan

Assessment

Application Specific: Number of fields vulnerable; Exposed classified information; Personal information

Server Specific: Maximum server load evaluation; Weak/unhashed passwords; Obsolete authentication mechanisms

Network Specific: No Proxy; Number of opened ports; Firewall/proxy rules

Mitigation

References
Open Web Application Security Project. OWASP Testing Project. Published December 16, 2008. Accessed January 18, 2013. http://www.owasp.org/images/5/56/OWASP%20Testing%20Guide%20v3.pdf

Open Web Application Security Project. OWASP Top 10 2013 Project. Published December 16, 2008. Accessed March 18, 2013. http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf

Pete Herzog, Institute for Security and Open Methodologies. OSSTMM 3 (The Open Source Security Testing Methodology Manual: Contemporary Security Testing and Analysis
