8/12/2019 Sample Report - Test Plan
Table of Contents
1.0 Executive Summary ..... 3
2.0 Introduction ..... 3
3.0 Strategy ..... 4
4.0 Deliverables ..... 4
5.0 Test Cases ..... 5
    Automation ..... 5
    Table of Attack Vectors ..... 7
Certain kinds of security testing are not performed by Security Innovation, including:
Physical security of the SIJamsAndJellies.com plant, servers, etc.
Effectiveness of failover or redundant systems, power protection, etc.
Protection from insider threats from employees or others with physical or electronic access
Review of internal IT security policy
Social engineering, industrial espionage, etc.
Review of documentation or requirements for compliance with laws, standards or certification programs
5.0 Test Cases
SI will focus on three key areas of security as part of this test engagement. Those areas are:
Common Website Attacks
Security Functionality Specific to SIJamsAndJellies.com
Attacks Against the E-commerce business model
The format of the test case table is as follows:
The test case number, an internal number to the test plan that is used by SI to track test cases electronically during test execution.
The attack scenario for the test case.
A finer description of the test along with the necessary tool(s) to perform it.
The expected result for the test case.
Automation
Certain kinds of security testing lend themselves more to automation than others. SI has, as part of its toolset for
security testing, a number of proprietary programs that aid in performing a single task (such as data corruption) or in
finding a certain category of vulnerabilities (such as keys left in memory). At the very least, a basic set of tools for
tasks like these is required. We would recommend:
Ethereal Windows/Open Source ethereal.com
From their site: "Ethereal is a free network protocol analyzer for Unix and Windows. It allows you to examine data
from a live network or from a capture file on disk. You can interactively browse the capture data, viewing summary
and detail information for each packet. Ethereal has several powerful features, including a rich display filter language
and the ability to view the reconstructed stream of a TCP session."
Ettercap Linux/Open Source ettercap.sourceforge.net
"Ettercap is a multipurpose sniffer/interceptor/logger for switched LAN. It supports active and passive dissection of
many protocols (even ciphered ones) and includes many features for network and host analysis." Ettercap for Linux
is the only freely available packet sniffer that works as an SSL proxy. By using ettercap, SSL traffic can be captured
and replayed for SSL replay attacks.
Nmap Windows/Open Source www.insecure.org/nmap
From their site: "Nmap ("Network Mapper") is an open source utility for network exploration or security auditing. It was
designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in
novel ways to determine what hosts are available on the network, what services (ports) they are offering, what
operating system (and OS version) they are running, what type of packet filters/firewalls are in use, and dozens of
other characteristics."
HOLODECK/HEAT/I2 Windows/SI Proprietary
These tools, which intercept function calls on the client AUT (application under test) in order to perform fault injection
and theft of key material attacks, presuppose the ability to run arbitrary code on the box. However, in trying to obtain a
shared secret, such as a universal public key that compromises all systems if one system is compromised, these tools
are useful.
The highest automation return is achieved through automation of attacks that require lots of combinations such as
buffer overrun testing. We would recommend a dedicated test bank of machines to perform corruption testing for file
and network buffer overruns.
In addition, some custom test automation or additional tools may be developed during test execution. Generally, we
experience the need for additional tools at one of two times: during exploratory testing to achieve a specific task, and
during testing, when a particular vulnerability is found and we feel related vulnerabilities may exist elsewhere in the
product.
SI Data Corruption Framework Windows/SI Proprietary
SI has an in-house data corruption framework for finding file-based buffer overruns. It works by repeatedly corrupting
a file, then loading that file in the application under test with a custom debugger test harness. The debugger test
harness interprets (1) whether the application crashes and (2) what the likelihood of that crash being exploitable is
(from "Very Low" to "Almost Certain"). This framework is useful in finding file-based buffer overruns in safe-for-scripting and safe-for-data ActiveX controls such as Flash, Windows Media Player, etc.
Hydra Proxy Linux/SI Proprietary
A combination blind proxy and network corruption tool, Hydra is connected inline between a client AUT and server
application to perform corruption testing on the client, server or both. By functioning as a normal router for most
packets and performing corruption based on rulesets in loadable modules, Hydra allows for exact testing of a
particular protocol implementation as well as general network and protocol corruption, without modification to the
client or server system. Additionally, the same functionality can be used for in-stream modification of cookies,
authentication keys and data parameters.
HOLODECK WEB Windows/SI Proprietary
Holodeck Web is an automatic fault injection test system for web-based applications. It incorporates a spider, which
automatically discovers potentially vulnerable pages, an injector that injects code for common web vulnerabilities
including buffer overflows, cross-site scripting, SQL injection, OS command injection, forceful browsing and
parameter tampering, and an "oracle" that examines responses to determine the success of an attack. Holodeck Web
works with any HTTP or HTTPS application.
CL7  Attack Vector Description: Attempt to uncover usernames/passwords using brute-force/dictionary attacks.
     Details and Tools: Web Cracker can be used to determine whether it is easy to uncover valid usernames and passwords.
     Expected result: It should not be easy to uncover a password, due to password guidelines or a lock-out of the account after three failed attempts.

Products Page

CP1  Attack Vector Description: Verify that there is server-side validation of the input length so that long string injection methods cannot be used to create Denials of Service etc.
     Details and Tools: Due to its nature, this test will be conducted during a special and scheduled test execution window.
     Expected result: There should always be server-side input length checks.

CP2  Attack Vector Description: Study the hidden fields of the Products page and derive tests from the results.
     Details and Tools: The source of the page can be used to determine whether client-side security/input validation is implemented.
     Expected result: The server should not rely on hidden fields to prevent users from altering sensitive data.

Search Page

CS1  Attack Vector Description: Attempt SQL injection in the username and password fields on the Search page.
     Details and Tools: Holodeck Web can be used to ensure that fields on this page are not subject to SQL injection. Manual testing will be performed for complex tests.
     Expected result: Fields on this page should not be vulnerable to SQL injection.

CS2  Attack Vector Description: Attempt OS command injection in the username and password fields on the Search page.
     Details and Tools: Holodeck Web can be used to ensure that fields on this page are not subject to OS command injection. Manual testing will be performed for complex tests.
     Expected result: Fields on this page should not be vulnerable to OS command injection.

CS3  Attack Vector Description: Verify that there is server-side validation of the input length so that long string injection methods cannot be used to create Denials of Service etc.
     Details and Tools: Due to its nature, this test will be conducted during a special and scheduled test execution window.
     Expected result: There should always be server-side input length checks.

CS4  Attack Vector Description: Study the hidden fields of the Search page and derive tests from the results.
     Details and Tools: The source of the page can be used to determine whether client-side security/input validation is implemented.
     Expected result: The server should not rely on hidden fields to prevent users from altering sensitive data.

CS5  Attack Vector Description: Attempt cross-site scripting attacks on every input field on the Search page.
     Details and Tools: Holodeck Web can be used to ensure that fields on this page are not subject to cross-site scripting attacks. Manual testing will be performed for complex tests.
     Expected result: Fields on this page should not be vulnerable to cross-site scripting.
My Cart Page

CM1  Attack Vector Description: Alter user input by modifying the HTML source of the My Cart page in an attempt to provoke an unexpected reply from the server.
     Details and Tools: This test includes modifying the menu items in drop-boxes, such as the Update drop-down box.
     Expected result: Modifying the names of menu items should have no effect on the application (menu items should be referred to by their value rather than their name to limit such attacks).

Checkout Page

CC1  Attack Vector Description: Attempt SQL injection in the username and password fields on the Checkout page.
     Details and Tools: Holodeck Web can be used to ensure that fields on this page are not subject to SQL injection. Manual testing will be performed for complex tests.
     Expected result: Fields on this page should not be vulnerable to SQL injection.

CC2  Attack Vector Description: Attempt OS command injection in the username and password fields on the Checkout page.
     Details and Tools: Holodeck Web can be used to ensure that fields on this page are not subject to OS command injection. Manual testing will be performed for complex tests.
     Expected result: Fields on this page should not be vulnerable to OS command injection.

CC3  Attack Vector Description: Verify that there is server-side validation of the input length so that long string injection methods cannot be used to create Denials of Service etc.
     Details and Tools: Due to its nature, this test will be conducted during a special and scheduled test execution window.
     Expected result: There should always be server-side input length checks.

CC4  Attack Vector Description: Study the hidden fields of the Checkout page and derive tests from the results.
     Details and Tools: The source of the page can be used to determine whether client-side security/input validation is implemented.
     Expected result: The server should not rely on hidden fields to prevent users from altering sensitive data.

CC5  Attack Vector Description: Attempt cross-site scripting attacks on every input field on the Checkout page.
     Details and Tools: Holodeck Web can be used to ensure that fields on this page are not subject to cross-site scripting attacks. Manual testing will be performed for complex tests.
     Expected result: Fields on this page should not be vulnerable to cross-site scripting.
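The Search and Checkout tests above (CS1/CC1 SQL injection, CS3/CC3 input length, CS5/CC5 cross-site scripting) each expect a defect to be absent. The following is an added illustration, written for this edition and not code from the report or from Security Innovation's tools, of what a search handler looks like when all three expectations hold: the search term is bound as a parameter, its length is capped on the server, and everything echoed back is HTML-escaped. The three-item catalogue in an in-memory SQLite database and the 64-character limit are constructed for the example, not values from the plan.

```python
import html
import sqlite3

# Constructed sample catalogue for the demonstration (not data from the test plan).
SAMPLE_PRODUCTS = [
    ("Strawberry Jam", 4.50),
    ("Orange Marmalade", 5.25),
    ("Blackberry Jelly", 4.75),
]

MAX_SEARCH_LEN = 64  # hypothetical server-side limit on the search term (CS3/CC3)


def build_catalogue_db():
    """In-memory SQLite catalogue standing in for the site's product database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT NOT NULL, price REAL NOT NULL)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", SAMPLE_PRODUCTS)
    return conn


def search_products(conn, term):
    """Search by name with a bound parameter, so the term can only ever be data (CS1/CC1).

    Quotes, comment markers and keywords inside the term are compared literally
    against product names instead of being interpreted by the SQL engine.
    """
    if not isinstance(term, str) or len(term) > MAX_SEARCH_LEN:
        raise ValueError("search term missing or too long")
    # Escape LIKE metacharacters so a user cannot turn '%' into a match-everything query.
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    rows = conn.execute(
        "SELECT name, price FROM products WHERE name LIKE ? ESCAPE '\\' ORDER BY name",
        (f"%{escaped}%",),
    ).fetchall()
    return rows


def render_results(term, rows):
    """Build the results fragment, HTML-escaping everything that came from the request (CS5/CC5)."""
    items = "".join(
        f"<li>{html.escape(name)} ${price:.2f}</li>" for name, price in rows
    )
    return f"<p>Results for {html.escape(term, quote=True)}</p><ul>{items}</ul>"


if __name__ == "__main__":
    db = build_catalogue_db()
    for probe in ["Jam", "' OR 1=1 --", "%", "<b>bold</b>"]:
        hits = search_products(db, probe)
        print(repr(probe), "->", len(hits), "hit(s)")
        print(render_results(probe, hits))
```

The OS command injection tests (CS2/CC2) have no counterpart here because the handler never builds a shell command from request data; not doing so is the whole defence.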
Cookie Tests

CI1  Attack Vector Description: Study the cookie to determine whether it expires after a certain period of time.
     Details and Tools: This test ensures that a cookie would expire after a certain period of time (TBD).
     Expected result: A user should not be able to stay logged-in with the same cookie indefinitely.
CI2  Attack Vector Description: Study the cookie to determine whether it becomes obsolete when a session ends.
     Details and Tools: This test ensures that a cookie cannot be reused indefinitely. The Hydra Proxy can be used to change values inline during a session.
     Expected result: An attacker should not be able to reuse an old cookie.

CI3  Attack Vector Description: Study the cookie to attempt to determine whether it can be predicted.
     Details and Tools: Observation of several cookie contents might give us an indication on whether a session ID can be predicted.
     Expected result: An attacker should not be able to predict the content of a cookie.

CI4  Attack Vector Description: Study the cookie to determine whether it can be replayed/spoofed.
     Details and Tools: The Hydra Proxy can be used to change values inline during a session and determine if a session can be replayed.
     Expected result: An attacker should not be able to replay/spoof a cookie to access data he does not have permission to.

CI5  Attack Vector Description: Study the cookie to determine whether it can be stolen.
     Details and Tools: Ettercap can be used to attempt capturing the cookie when it is sent during a secure session.
     Expected result: An attacker should not be able to steal a cookie.
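CL7 above expects a lock-out after three failed attempts, and CI1 through CI5 expect a cookie that expires, dies with the session, cannot be predicted, cannot be replayed and is not exposed on the wire. The following added example, written for this edition rather than taken from the report or from SIJamsAndJellies.com, shows one server-side design that satisfies all of those expectations in one place. The 15-minute lifetime, the cookie name SESSIONID and the SHA-256 password stand-in are assumptions; the plan itself leaves the expiry period TBD.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 3              # CL7: lock the account after three failed attempts
SESSION_LIFETIME_SECONDS = 15 * 60   # CI1: assumed absolute lifetime; the plan leaves it TBD


@dataclass
class Account:
    username: str
    password_hash: bytes
    failed_attempts: int = 0
    locked: bool = False


@dataclass
class Session:
    username: str
    issued_at: float


def _hash_password(password):
    # Hypothetical stand-in for a real password store; production code would use a
    # slow, salted KDF (scrypt, argon2), which is beside the point of this example.
    return hashlib.sha256(password.encode("utf-8")).digest()


class SessionManager:
    """Server-side account lock-out plus session issue, expiry and revocation."""

    def __init__(self, clock=time.time):
        self.clock = clock              # injectable so expiry can be exercised without waiting
        self.accounts = {}
        self.sessions = {}              # session id -> Session; deleting the entry revokes it

    def add_account(self, username, password):
        self.accounts[username] = Account(username, _hash_password(password))

    def login(self, username, password):
        """Return a fresh session id, or None on bad credentials or a locked account."""
        acct = self.accounts.get(username)
        if acct is None or acct.locked:
            return None
        if not hmac.compare_digest(acct.password_hash, _hash_password(password)):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked = True      # CL7: guessing stops paying off after the third miss
            return None
        acct.failed_attempts = 0
        # CI3: 32 bytes from the OS CSPRNG; observing any number of ids says nothing about the next.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(username, self.clock())
        return sid

    def logout(self, sid):
        """CI2/CI4: once the session ends the old cookie value is rejected, so replaying it fails."""
        self.sessions.pop(sid, None)

    def user_for(self, sid):
        """Resolve a presented cookie value to a username, or None if unknown, revoked or expired."""
        sess = self.sessions.get(sid)
        if sess is None:
            return None
        if self.clock() - sess.issued_at > SESSION_LIFETIME_SECONDS:
            del self.sessions[sid]      # CI1: the same cookie cannot keep a user logged in forever
            return None
        return sess.username


def set_cookie_header(sid):
    """CI5: Secure keeps the cookie off cleartext HTTP; HttpOnly keeps it away from page script."""
    return (f"Set-Cookie: SESSIONID={sid}; Max-Age={SESSION_LIFETIME_SECONDS}; "
            "Path=/; Secure; HttpOnly; SameSite=Lax")


if __name__ == "__main__":
    mgr = SessionManager()
    mgr.add_account("demo-user", "correct horse battery staple")
    sid = mgr.login("demo-user", "correct horse battery staple")
    print(set_cookie_header(sid))
    print("resolves to:", mgr.user_for(sid))
    mgr.logout(sid)
    print("after logout:", mgr.user_for(sid))
```

One caveat for whoever implements CL7's expected result: a hard lock after three misses meets the test, but it also lets anyone who knows a username lock that user out. Many deployments therefore prefer a timed lock or progressive throttling, which still defeats dictionary attacks while limiting that side effect.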
Security Functionality Tests

Test Case | Attack Vector Description | Details and Tools | Expected result

F1   Attack Vector Description: Nmap the web server to determine what platform is used.
     Details and Tools: This is a research test to determine what platform is used on the server side.
     Expected result: N/A

F2   Attack Vector Description: Look for known vulnerabilities in Apache 1.3.29.
     Details and Tools: This is a due diligence test to ensure that the server is not still vulnerable to old issues or variations of them.
     Expected result: N/A
Attacks Against the Business Model

Test Case | Attack Vector Description | Details and Tools | Expected result

B1   Attack Vector Description: Attempt to reach the Add to Cart or Checkout pages without authenticating.
     Details and Tools: Forceful browsing past authentication checks can be used in order to determine whether an attacker can access these pages without authenticating.
     Expected result: A malicious user should not be able to access these pages without authenticating.

B2   Attack Vector Description: Attempt to modify the source of the Products page in an attempt to modify the price of the order.
     Details and Tools: Both negative and small values would represent a risk to the SIJamsAndJellies.com business model.
     Expected result: A user should not be able to change the amount he/she has to pay for a service.

B3   Attack Vector Description: Attempt to enter a negative quantity on the Products page.
     Details and Tools: Negative quantities of products would result in a refund instead of a charge.
     Expected result: A user should not be able to enter a negative quantity.
B4   Attack Vector Description: Attempt to enter a negative quantity on the Product Description page.
     Details and Tools: Negative quantities of products would result in a refund instead of a charge.
     Expected result: A user should not be able to enter a negative quantity.

B5   Attack Vector Description: Attempt to modify the source of the My Cart page in an attempt to modify the price of the order.
     Details and Tools: Both negative and small values would represent a risk to the SIJamsAndJellies.com business model.
     Expected result: A user should not be able to change the amount he/she has to pay for a service.

B6   Attack Vector Description: Attempt to log-in as another user without the proper credentials.
     Details and Tools: Parameter tampering techniques can be used for this test.
     Expected result: A user should not be able to log in as another user without valid credentials.
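CP1, CP2 and CM1 earlier in the table, and B1 through B5 above, all turn on the same server-side rule: nothing the browser sends about price, quantity, hidden state or menu labels is trusted, and checkout is not reachable without a session. The example below is added for this edition; it is not the report's code and does not describe the SIJamsAndJellies.com implementation. The catalogue, the product ids, the 99-unit quantity ceiling and the 64-character field limit are constructed for illustration.

```python
# Constructed server-side catalogue keyed by product id; prices in cents (not data from the plan).
CATALOGUE = {
    "jam-strawberry": 450,
    "jam-orange": 525,
    "jelly-blackberry": 475,
}
MAX_QUANTITY = 99      # hypothetical per-line ceiling
MAX_FIELD_LEN = 64     # hypothetical server-side length limit for any submitted field (CP1)


class OrderError(ValueError):
    """Raised for any request the server refuses to price."""


def parse_quantity(raw):
    """Accept only a small positive whole number; '-3', '0', '1.5', '1e3' and '' are refused (B3/B4)."""
    if not isinstance(raw, str) or len(raw) > MAX_FIELD_LEN:
        raise OrderError("quantity missing or too long")
    if not (raw.isascii() and raw.isdigit()):
        raise OrderError("quantity must be a positive whole number")
    qty = int(raw)
    if qty < 1 or qty > MAX_QUANTITY:
        raise OrderError("quantity out of range")
    return qty


def price_order(session_user, lines):
    """Price a submitted cart from the server's own data.

    lines is the list of per-item form dicts exactly as the client sent them (all strings).
    Returns (priced_lines, total_cents). Nothing the client says about price is ever read.
    """
    if session_user is None:
        raise OrderError("authentication required")   # B1: checkout is not reachable by forceful browsing
    priced, total = [], 0
    for form in lines:
        for key, value in form.items():
            if not isinstance(value, str) or len(key) > MAX_FIELD_LEN or len(value) > MAX_FIELD_LEN:
                raise OrderError("field too long")     # CP1: the length check lives here, not in the browser
        product_id = form.get("product_id", "")
        unit_cents = CATALOGUE.get(product_id)
        if unit_cents is None:
            raise OrderError("unknown product")       # CP2/CM1: hidden fields and menu labels are untrusted
        qty = parse_quantity(form.get("quantity", ""))
        line_cents = unit_cents * qty                 # B2/B5: the catalogue price is the only price
        priced.append((product_id, qty, line_cents))
        total += line_cents
    if not priced:
        raise OrderError("empty order")
    return priced, total


def order_outcome(session_user, lines):
    """Demo wrapper: ('ok', total_cents) or ('rejected', reason) as the server would report it."""
    try:
        _, total = price_order(session_user, lines)
        return ("ok", total)
    except OrderError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    cart = [{"product_id": "jam-strawberry", "quantity": "2", "price": "0.01"}]
    print(order_outcome("alice", cart))       # the submitted 0.01 is never consulted
    print(order_outcome(None, cart))          # no session: checkout refused
    print(order_outcome("alice", [{"product_id": "jam-orange", "quantity": "-1"}]))
    print(order_outcome("alice", [{"product_id": "Orange Marmalade", "quantity": "1"}]))
```

Working in integer cents and re-deriving every line from the catalogue means a tampered hidden price field or a renamed drop-down entry has nothing to influence, which is the condition CM1's expected result asks for.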