sample report - test plan

Upload: azfar-raza

Posted on 03-Jun-2018


8/12/2019 Sample Report - Test Plan


Table of Contents

1.0 Executive Summary
2.0 Introduction
3.0 Strategy
4.0 Deliverables
5.0 Test Cases
    Automation
    Table of Attack Vectors


Certain kinds of security testing are not performed by Security Innovation, including:

  - Physical security of the SIJamsAndJellies.com plant, servers, etc.
  - Effectiveness of failover or redundant systems, power protection, etc.
  - Protection from insider threats from employees or others with physical or electronic access
  - Review of internal IT security policy
  - Social engineering, industrial espionage, etc.
  - Review of documentation or requirements for compliance with laws, standards or certification programs

5.0 Test Cases

SI will focus on three key areas of security as part of this test engagement. Those areas are:

  - Common Website Attacks
  - Security Functionality Specific to SIJamsAndJellies.com
  - Attacks Against the E-commerce business model

The format of the test case table is as follows:

  - The test case number, an internal number in the test plan that SI uses to track test cases electronically during test execution.
  - The attack scenario for the test case.
  - A finer description of the test along with the necessary tool(s) to perform it.
  - The expected result for the test case.

Automation

Certain kinds of security testing lend themselves more to automation than others. SI has as part of its toolset for security testing a number of proprietary programs that aid in performing a single task (such as data corruption) or in finding a certain category of vulnerabilities (such as keys left in memory). At the very least, a basic set of tools for tasks like these is required. We would recommend:

Ethereal (Windows/Open Source, ethereal.com)

From their site: "Ethereal is a free network protocol analyzer for Unix and Windows. It allows you to examine data from a live network or from a capture file on disk. You can interactively browse the capture data, viewing summary and detail information for each packet. Ethereal has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session."

Ettercap (Linux/Open Source, ettercap.sourceforge.net)

"Ettercap is a multipurpose sniffer/interceptor/logger for switched LAN. It supports active and passive dissection of many protocols (even ciphered ones) and includes many features for network and host analysis." Ettercap for Linux is the only freely available packet sniffer that works as an SSL proxy. By using ettercap, SSL traffic can be captured and replayed for SSL replay attacks.


Nmap (Windows/Open Source, www.insecure.org/nmap)

From their site: "Nmap ("Network Mapper") is an open source utility for network exploration or security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (ports) they are offering, what operating system (and OS version) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics."

HOLODECK/HEAT/I2 (Windows/SI Proprietary)

These tools, which intercept function calls on the client AUT in order to perform fault injection and theft of key material attacks, presuppose the ability to run arbitrary code on the box. However, in trying to obtain a shared secret, such as a universal public key that compromises all systems if one system is compromised, these tools are useful.

The highest automation return is achieved through automation of attacks that require lots of combinations, such as buffer overrun testing. We would recommend a dedicated test bank of machines to perform corruption testing for file and network buffer overruns.

In addition, some custom test automation or additional tools may be developed during test execution. Generally, we experience the need for additional tools at one of two times: during exploratory testing to achieve a specific task, and during testing, when a particular vulnerability is found and we feel related vulnerabilities may exist elsewhere in the product.

SI Data Corruption Framework (Windows/SI Proprietary)

SI has an in-house data corruption framework for finding file-based buffer overruns. It works by repeatedly corrupting a file, then loading that file in the application under test with a custom debugger test harness. The debugger test harness interprets (1) whether the application crashes and (2) what the likelihood of that crash being exploitable is (from "Very Low" to "Almost Certain"). This framework is useful in finding file-based buffer overruns in safe-for-scripting and safe-for-data ActiveX controls such as Flash, Windows Media Player, etc.
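The corrupt-load-classify loop described above, reduced to a few dozen lines of Python. This is an added illustration and not SI's framework: the TLV file format, the deliberately sloppy parser standing in for the application under test, and the three result buckets ("clean", "handled", "crash") are all constructed for the example. A real harness would attach a debugger and grade the crash; here the grading is only "did an unexpected exception escape the loader".

```python
import random
import struct

# Constructed seed file: two TLV records, (tag 1, "abc") and (tag 2, "xy").
SEED_FILE = b"\x01\x00\x03abc" + b"\x02\x00\x02xy"


def parse_tlv(data: bytes) -> list:
    """Toy application under test: a sequence of (1-byte tag, 2-byte big-endian
    length, payload) records. Deliberately sloppy so the fuzzer has something to
    find: it reads the length header without checking that two bytes remain, so a
    corrupted length that lands the cursor near the end of the buffer escapes as
    struct.error instead of the parser's own ValueError."""
    records, i = [], 0
    while i < len(data):
        tag = data[i]
        (length,) = struct.unpack_from(">H", data, i + 1)
        payload = data[i + 3:i + 3 + length]
        if len(payload) != length:
            raise ValueError("truncated record")   # the parser's documented, handled error
        records.append((tag, payload))
        i += 3 + length
    return records


def corrupt(data: bytes, rng: random.Random, max_flips: int = 4) -> bytes:
    """Produce one mutant: overwrite between 1 and max_flips random bytes."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, max_flips)):
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)


def harness(loader, mutant: bytes) -> str:
    """The 'debugger harness' of the paragraph, reduced to three buckets:
    'clean' (loaded), 'handled' (loader raised its own error type) and
    'crash' (anything else escaped; the bucket worth triaging)."""
    try:
        loader(mutant)
        return "clean"
    except ValueError:
        return "handled"
    except Exception:
        return "crash"


def fuzz(loader, seed_file: bytes, iterations: int, seed: int = 1):
    """Repeatedly corrupt seed_file, load each mutant, tally the buckets.
    Returns (counts, crashers); crashers keeps every input that crashed so the
    run can be replayed under a real debugger."""
    rng = random.Random(seed)   # fixed seed makes the whole run reproducible
    counts = {"clean": 0, "handled": 0, "crash": 0}
    crashers = []
    for _ in range(iterations):
        mutant = corrupt(seed_file, rng)
        bucket = harness(loader, mutant)
        counts[bucket] += 1
        if bucket == "crash":
            crashers.append(mutant)
    return counts, crashers


if __name__ == "__main__":
    counts, crashers = fuzz(parse_tlv, SEED_FILE, iterations=10_000)
    print(counts)
    for mutant in crashers[:3]:
        print("crash input:", mutant.hex())
```

The fixed RNG seed is the important design choice: a crash found on a test bank is only useful if the exact input can be handed to a developer, so every crashing mutant is kept and the run can be regenerated from the seed. Distinguishing the loader's own exception type from everything else is what separates "the parser rejected bad data" from "the parser lost control", which is the distinction the framework's exploitability grade starts from.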

Hydra Proxy (Linux/SI Proprietary)

A combination blind proxy and network corruption tool, Hydra is connected inline between a client AUT and server application to perform corruption testing on the client, server or both. By functioning as a normal router for most packets and performing corruption based on rulesets in loadable modules, Hydra allows for exact testing of a particular protocol implementation as well as general network and protocol corruption, without modification to the client or server system. Additionally, the same functionality can be used for in-stream modification of cookies, authentication keys and data parameters.

HOLODECK WEB (Windows/SI Proprietary)

Holodeck Web is an automatic fault injection test system for web-based applications. It incorporates a spider, which automatically discovers potentially vulnerable pages; an injector that injects code for common web vulnerabilities including buffer overflows, cross-site scripting, SQL injection, OS command injection, forceful browsing and parameter tampering; and an "oracle" that examines responses to determine the success of an attack. Holodeck Web works with any HTTP or HTTPS application.


CL7
  Attack vector: Attempt to uncover usernames/passwords using brute-force/dictionary attacks.
  Details and tools: Web Cracker can be used to determine whether it is easy to uncover valid usernames and passwords.
  Expected result: It should not be easy to uncover a password, due to password guidelines or a lock-out of the account after three failed attempts.
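What the expected result of CL7 looks like on the server side, as an added example that is not part of the test plan or of the SIJamsAndJellies.com application: a login gate that locks an account after three consecutive failed attempts. The class name, the 15-minute lockout window and the user records are assumptions made for the illustration; the plan itself only states the three-failure threshold.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

MAX_FAILURES = 3            # lock after the third consecutive failure (CL7)
LOCKOUT_SECONDS = 15 * 60   # assumed lockout window; the plan does not specify one


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256. A dictionary attack on a leaked store then costs
    100k hash iterations per guess per user instead of one table lookup."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


class LoginGate:
    """Hypothetical login front-end for the illustration; not the AUT's code."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so lock expiry can be tested
        self._users = {}             # username -> (salt, digest)
        self._failures = {}          # username -> consecutive failures
        self._locked_until = {}      # username -> unix time the lock lifts

    def register(self, username: str, password: str) -> None:
        self._users[username] = hash_password(password)

    def is_locked(self, username: str) -> bool:
        return self._clock() < self._locked_until.get(username, 0.0)

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'. Unknown users get the same
        'denied'/'locked' sequence as real ones, so the lockout does not become a
        username oracle for the guessing tool."""
        if self.is_locked(username):
            return "locked"
        record = self._users.get(username)
        if record is not None:
            salt, expected = record
            _, got = hash_password(password, salt)
            if hmac.compare_digest(expected, got):   # constant-time comparison
                self._failures.pop(username, None)   # success resets the counter
                return "ok"
        count = self._failures.get(username, 0) + 1
        if count >= MAX_FAILURES:
            self._locked_until[username] = self._clock() + LOCKOUT_SECONDS
            self._failures.pop(username, None)
            return "locked"
        self._failures[username] = count
        return "denied"


if __name__ == "__main__":
    gate = LoginGate()
    gate.register("alice", "correct horse battery staple")
    for guess in ("password", "123456", "letmein", "correct horse battery staple"):
        print(guess, "->", gate.login("alice", guess))
```

Two points worth noting when reviewing an implementation like this against CL7. A per-account lock is itself something a test should probe: anyone who knows a username can keep that account locked by sending bad passwords, so production systems usually pair the lock with a per-source rate limit and alerting rather than relying on the lock alone. And the counter must reset only on a successful login, not on a timer that a slow guessing tool can wait out.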

Products Page

CP1
  Attack vector: Verify that there is server-side validation of the input length so that long string injection methods cannot be used to create denials of service, etc.
  Details and tools: Due to its nature, this test will be conducted during a special and scheduled test execution window.
  Expected result: There should always be server-side input length checks.

CP2
  Attack vector: Study the hidden fields of the Products page and derive tests from the results.
  Details and tools: The source of the page can be used to determine whether client-side security/input validation is implemented.
  Expected result: The server should not rely on hidden fields to prevent users from altering sensitive data.

Search Page

CS1
  Attack vector: Attempt SQL injection in the username and password fields on the Search page.
  Details and tools: Holodeck Web can be used to ensure that fields on this page are not subject to SQL injection. Manual testing will be performed for complex tests.
  Expected result: Fields on this page should not be vulnerable to SQL injection.

CS2
  Attack vector: Attempt OS command injection in the username and password fields on the Search page.
  Details and tools: Holodeck Web can be used to ensure that fields on this page are not subject to OS command injection. Manual testing will be performed for complex tests.
  Expected result: Fields on this page should not be vulnerable to OS command injection.

CS3
  Attack vector: Verify that there is server-side validation of the input length so that long string injection methods cannot be used to create denials of service, etc.
  Details and tools: Due to its nature, this test will be conducted during a special and scheduled test execution window.
  Expected result: There should always be server-side input length checks.

CS4
  Attack vector: Study the hidden fields of the Search page and derive tests from the results.
  Details and tools: The source of the page can be used to determine whether client-side security/input validation is implemented.
  Expected result: The server should not rely on hidden fields to prevent users from altering sensitive data.

CS5
  Attack vector: Attempt cross-site scripting attacks on every input field on the Search page.
  Details and tools: Holodeck Web can be used to ensure that fields on this page are not subject to cross-site scripting attacks. Manual testing will be performed for complex tests.
  Expected result: Fields on this page should not be vulnerable to cross-site scripting.


My Cart Page

CM1
  Attack vector: Alter user input by modifying the HTML source of the My Cart page in an attempt to provoke an unexpected reply from the server.
  Details and tools: This test includes modifying the menu items in drop-boxes, such as the Update drop-down box.
  Expected result: Modifying the names of menu items should have no effect on the application (menu items should be referred to by their value rather than their name to limit such attacks).

Checkout Page

CC1
  Attack vector: Attempt SQL injection in the username and password fields on the Checkout page.
  Details and tools: Holodeck Web can be used to ensure that fields on this page are not subject to SQL injection. Manual testing will be performed for complex tests.
  Expected result: Fields on this page should not be vulnerable to SQL injection.

CC2
  Attack vector: Attempt OS command injection in the username and password fields on the Checkout page.
  Details and tools: Holodeck Web can be used to ensure that fields on this page are not subject to OS command injection. Manual testing will be performed for complex tests.
  Expected result: Fields on this page should not be vulnerable to OS command injection.

CC3
  Attack vector: Verify that there is server-side validation of the input length so that long string injection methods cannot be used to create denials of service, etc.
  Details and tools: Due to its nature, this test will be conducted during a special and scheduled test execution window.
  Expected result: There should always be server-side input length checks.

CC4
  Attack vector: Study the hidden fields of the Checkout page and derive tests from the results.
  Details and tools: The source of the page can be used to determine whether client-side security/input validation is implemented.
  Expected result: The server should not rely on hidden fields to prevent users from altering sensitive data.

CC5
  Attack vector: Attempt cross-site scripting attacks on every input field on the Checkout page.
  Details and tools: Holodeck Web can be used to ensure that fields on this page are not subject to cross-site scripting attacks. Manual testing will be performed for complex tests.
  Expected result: Fields on this page should not be vulnerable to cross-site scripting.
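The pass/fail condition behind CS1 and CC1 ("fields should not be vulnerable to SQL injection") comes down to one implementation detail: whether user text is spliced into the SQL string or bound as a parameter. The following is an added example, not code from the plan or from the SIJamsAndJellies.com site. It builds a constructed in-memory SQLite catalogue and shows the vulnerable search query beside the hardened one; the table, rows and probe string are assumptions for the illustration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory catalogue so the example runs offline. The 'hidden'
    flag stands in for any row the query is supposed to keep out of results."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, price REAL, hidden INTEGER)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [("strawberry jam", 4.50, 0),
         ("grape jelly", 3.25, 0),
         ("staff-only sampler", 0.01, 1)],
    )
    return conn


def search_unsafe(conn: sqlite3.Connection, term: str) -> list:
    """The defect CS1/CC1 look for: the search term is formatted straight into the
    statement, so a quote in the term ends the literal and the rest is parsed as SQL."""
    sql = f"SELECT name FROM products WHERE hidden = 0 AND name LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn: sqlite3.Connection, term: str) -> list:
    """Hardened form: the term travels as a bound parameter, so the database only
    ever sees it as a value to compare, never as statement text. LIKE wildcards
    inside the term are escaped as well, so a user cannot turn a literal search
    into a match-everything scan."""
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = "SELECT name FROM products WHERE hidden = 0 AND name LIKE ? ESCAPE '\\'"
    return [row[0] for row in conn.execute(sql, (f"%{escaped}%",))]


if __name__ == "__main__":
    conn = make_db()
    probe = "' OR 1=1 --"          # the classic test string an oracle would submit
    print("unsafe:", search_unsafe(conn, probe))   # hidden row leaks
    print("safe:  ", search_safe(conn, probe))     # no rows: the probe is just text
    print("safe:  ", search_safe(conn, "jam"))
```

The same shape applies to the OS command injection cases (CS2/CC2): the fix is never to escape the user's text into a shell string but to hand it to the program as a separate argument, with the shell left out of the path entirely. For a regression suite, the two `search_*` functions give a concrete oracle: submit the probe, and any result set that differs from the literal-text behaviour of `search_safe` is a finding.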

Cookie Tests

CI1
  Attack vector: Study the cookie to determine whether it expires after a certain period of time.
  Details and tools: This test ensures that a cookie would expire after a certain period of time (TBD).
  Expected result: A user should not be able to stay logged in with the same cookie indefinitely.


CI2
  Attack vector: Study the cookie to determine whether it becomes obsolete when a session ends.
  Details and tools: This test ensures that a cookie cannot be reused indefinitely. The Hydra Proxy can be used to change values inline during a session.
  Expected result: An attacker should not be able to reuse an old cookie.

CI3
  Attack vector: Study the cookie to attempt to determine whether it can be predicted.
  Details and tools: Observation of several cookie contents might give us an indication of whether a session ID can be predicted.
  Expected result: An attacker should not be able to predict the content of a cookie.

CI4
  Attack vector: Study the cookie to determine whether it can be replayed/spoofed.
  Details and tools: The Hydra Proxy can be used to change values inline during a session and determine if a session can be replayed.
  Expected result: An attacker should not be able to replay/spoof a cookie to access data he does not have permission to.

CI5
  Attack vector: Study the cookie to determine whether it can be stolen.
  Details and tools: Ettercap can be used to attempt capturing the cookie when it is sent during a secure session.
  Expected result: An attacker should not be able to steal a cookie.
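The five cookie tests (CI1 to CI5) each check one property of the server's session handling. As an added example, and not code from the plan or from the application under test, here is a session store that has those properties by construction: IDs drawn from the OS random source, idle and absolute expiry, server-side deletion on logout, rotation after login, and a Set-Cookie value with the Secure and HttpOnly attributes. The class name, the 20-minute idle timeout (the plan leaves the period "TBD") and the 8-hour cap are assumptions for the illustration.

```python
import secrets
import time
from typing import Optional

IDLE_TIMEOUT = 20 * 60         # assumed: a session idle this long expires (CI1; "TBD" in the plan)
ABSOLUTE_LIFETIME = 8 * 3600   # assumed hard cap regardless of activity


class SessionStore:
    """Hypothetical server-side session table; not the AUT's code."""

    def __init__(self, clock=time.time):
        self._clock = clock     # injectable so expiry can be tested without waiting
        self._sessions = {}     # session id -> {"user", "created", "last_seen"}

    def _new_id(self) -> str:
        # 256 bits from the OS CSPRNG: seeing earlier IDs gives no handle on the next one (CI3).
        return secrets.token_urlsafe(32)

    def create(self, user: str) -> str:
        sid = self._new_id()
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def resolve(self, sid: str) -> Optional[str]:
        """User for a live session, or None. Expired entries are deleted rather than
        merely ignored, so a replayed old cookie stays dead (CI1, CI2, CI4)."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_LIFETIME:
            del self._sessions[sid]
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, sid: str) -> None:
        # Ending the session on the server is what makes the cookie obsolete (CI2).
        self._sessions.pop(sid, None)

    def rotate(self, sid: str) -> Optional[str]:
        """Issue a fresh ID after login or a privilege change and retire the old one,
        so an ID observed before authentication is worthless afterwards."""
        s = self._sessions.pop(sid, None)
        if s is None:
            return None
        new_sid = self._new_id()
        self._sessions[new_sid] = s
        return new_sid


def set_cookie_header(sid: str, max_age: int = IDLE_TIMEOUT) -> str:
    """Value for the Set-Cookie header. Secure keeps the cookie off plaintext
    connections (the capture CI5 attempts), HttpOnly keeps it out of reach of
    page script, SameSite=Lax limits cross-site submission."""
    return f"session={sid}; Max-Age={max_age}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    print(set_cookie_header(sid))
    print("resolves to:", store.resolve(sid))
    store.logout(sid)
    print("after logout:", store.resolve(sid))
```

One caveat that CI5 makes explicit: the Secure attribute only keeps the cookie off plaintext connections. The plan's Ettercap setup is an SSL proxy, and a client that has been made to trust it will still hand over the cookie on what it believes is a secure session, so the browser-side protections (certificate validation, HSTS) are part of the same test, not a separate concern. Rotation on login is the direct answer to CI4's "spoofed" case: a session ID the attacker planted or captured before authentication is discarded the moment the user authenticates.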

Security Functionality Tests

Columns: Test Case; Attack Vector Description; Details and Tools; Expected result

F1
  Attack vector: NMap the web to determine what platform is used.
  Details and tools: This is a research test to determine what platform is used on the server side.
  Expected result: N/A

F2
  Attack vector: Look for known vulnerabilities in Apache 1.3.29.
  Details and tools: This is a due diligence test to ensure that the server is not still vulnerable to old issues or variations thereof.
  Expected result: N/A

Attacks Against the Business Model

Columns: Test Case; Attack Vector Description; Details and Tools; Expected result

B1
  Attack vector: Attempt to reach the Add to Cart or Checkout pages without authenticating.
  Details and tools: Forceful browsing past authentication checks can be used in order to determine whether an attacker can access these pages without authenticating.
  Expected result: A malicious user should not be able to access these pages without authenticating.

B2
  Attack vector: Attempt to modify the source of the Products page in an attempt to modify the price of the order.
  Details and tools: Both negative and small values would represent a risk to the SIJamsAndJellies.com business model.
  Expected result: A user should not be able to change the amount he/she has to pay for a service.

B3
  Attack vector: Attempt to enter a negative quantity on the Products page.
  Details and tools: Negative quantities of products would result in a refund instead of a charge.
  Expected result: A user should not be able to enter a negative quantity.


B4
  Attack vector: Attempt to enter a negative quantity on the Product Description page.
  Details and tools: Negative quantities of products would result in a refund instead of a charge.
  Expected result: A user should not be able to enter a negative quantity.

B5
  Attack vector: Attempt to modify the source of the My Cart page in an attempt to modify the price of the order.
  Details and tools: Both negative and small values would represent a risk to the SIJamsAndJellies.com business model.
  Expected result: A user should not be able to change the amount he/she has to pay for a service.

B6
  Attack vector: Attempt to log in as another user without the proper credentials.
  Details and tools: Parameter tampering techniques can be used for this test.
  Expected result: A user should not be able to log in as another user without valid credentials.
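Several of the expected results above describe one server-side rule: the price and quantity the server acts on must come from the server, not the form. The following added example (not from the plan, and not the SIJamsAndJellies.com code) is an order pricer that satisfies CP1/CS3/CC3 (length checks before anything else touches the input), CP2/CC4 (hidden fields are never read), B2/B5 (the client's price or total is ignored and the amount is recomputed from a catalogue) and B3/B4 (a quantity must be a plain positive integer). The catalogue, field names, 256-character cap and per-line quantity cap are assumptions for the illustration.

```python
from decimal import Decimal

MAX_FIELD_LEN = 256     # assumed cap for any free-text field (CP1/CS3/CC3)
MAX_QTY_PER_LINE = 100  # assumed sanity cap; absurdly large quantities are a risk too

# Constructed catalogue: the only place a price may come from (B2/B5).
CATALOGUE = {
    "jam-strawberry": Decimal("4.50"),
    "jelly-grape": Decimal("3.25"),
}


class ValidationError(ValueError):
    pass


def check_lengths(fields: dict) -> None:
    """Reject over-long string fields before they reach parsing, database or
    logging code, where oversized input causes the denial of service CP1 worries about."""
    for name, value in fields.items():
        if len(str(name)) > MAX_FIELD_LEN:
            raise ValidationError("field name too long")
        if isinstance(value, str) and len(value) > MAX_FIELD_LEN:
            raise ValidationError(f"field {str(name)[:20]!r} exceeds {MAX_FIELD_LEN} chars")


def parse_quantity(raw: str) -> int:
    """A quantity is a plain ASCII positive integer. '-3', '2.5', '1e3', ' 4', ''
    and non-ASCII digits (which isdigit() accepts but int() may not) all fail (B3/B4)."""
    if not (raw.isascii() and raw.isdigit()):
        raise ValidationError(f"bad quantity {raw[:20]!r}")
    qty = int(raw)
    if not 1 <= qty <= MAX_QTY_PER_LINE:
        raise ValidationError(f"quantity {qty} out of range")
    return qty


def price_order(form: dict) -> Decimal:
    """Compute the amount to charge from the submitted form. Any 'price', 'total'
    or other hidden field the client sent is simply never read (CP2/CC4, B2/B5):
    only each line's sku and qty are consulted, and the unit price is the catalogue's."""
    check_lengths(form)
    items = form.get("items")
    if not isinstance(items, list) or not items:
        raise ValidationError("empty order")
    total = Decimal("0")
    for line in items:
        if not isinstance(line, dict):
            raise ValidationError("malformed line")
        check_lengths(line)
        sku = str(line.get("sku", ""))
        unit_price = CATALOGUE.get(sku)
        if unit_price is None:
            raise ValidationError(f"unknown sku {sku[:20]!r}")
        total += unit_price * parse_quantity(str(line.get("qty", "")))
    return total


def rejects(form: dict) -> bool:
    """True if price_order refuses the form; convenient for regression tests."""
    try:
        price_order(form)
    except ValidationError:
        return True
    return False


if __name__ == "__main__":
    # Constructed submission with tampered hidden fields; they have no effect.
    order = {"items": [{"sku": "jam-strawberry", "qty": "2"},
                       {"sku": "jelly-grape", "qty": "1"}],
             "price": "0.01", "total": "-5.00"}
    print("charge:", price_order(order))
    print("negative qty rejected:", rejects({"items": [{"sku": "jam-strawberry", "qty": "-1"}]}))
```

The quantity parser is the part most often got wrong: accepting anything `int()` will swallow lets through `" 4"`, `"+4"` and `"4_0"`, and checking only `qty < 0` after the fact still lets a zero-quantity line reach the cart. Requiring the literal form and then bounds-checking closes both. Because the server total is recomputed on every call, the B2/B5 tests reduce to a single assertion in a regression suite: tampering with any field other than sku and qty leaves the charge unchanged.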