Below are the different categorizations of testing that the security team can provide. Based on the application requirements and the timeline, different levels of security testing can be chosen. Level 1 is the most basic and can be performed if the application team has time and only basic testing is required. Level 3 is exhaustive and covers almost all the pages and parameters in the application.
Level 1 Testing
Description: This is the basic testing that we will be performing on the application. Before starting the testing we would require the pre-requisites mentioned above in this document.
Testing Duration: Typically 2 days
Findings Covered: Below is the list of attacks that will be covered in Level 1 testing on the target application. Based on the scope, only 8-9 high-criticality pages will be tested and only 6-7 parameters per page will be modified.
- Cross Site Scripting Stored/Reflected
- SQL Injection
- Broken Authentication and Session Management
- Sensitive data exposure
- Cross Site Request Forgery
- Content spoofing
- Parameter Tampering
- Forceful Browsing
- Security Misconfiguration
Level 2 Testing
Description: This is the more detailed testing that we will be performing on the application. Before starting the testing we would require the pre-requisites mentioned above in this document.
Testing Duration: Typically 5 days
Findings Covered: Below is the list of findings/attacks that will be covered in Level 2 testing on the target application. Based on the scope, all high-criticality pages, 8-9 medium-criticality pages and 2-3 low-criticality pages will be tested, and only 8-9 parameters per page will be modified.
- Cross Site Scripting Stored
- Cross Site Scripting Reflected
- SQL Injection
- Broken Authentication and Session Management
- Sensitive data exposure
- Missing Function Level Access
- Cross Site Request Forgery
- Content spoofing
- Hidden Form Fields
- Insecure Session ID Generation
- Hijacking Session IDs
- Parameter Tampering
- Access to Web Server Directories
- Default Passwords
- Account Lockout
- Forceful Browsing
- Security Misconfiguration
Level 3 Testing
Description: This is the advanced testing that we will be performing on the application. Before starting the testing we would require the pre-requisites mentioned above in this document.
Testing Duration: Typically 10 days
Findings Covered: Below is the list of findings/attacks that will be covered in Level 3 testing on the target application. Based on the scope, all high-, medium- and low-criticality pages will be tested and almost all the parameters will be covered.
- Cross Site Scripting Stored
- Cross Site Scripting Reflected
- SQL Injection
- Broken Authentication and Session Management
- Sensitive data exposure
- Missing Function Level Access
- Cross Site Request Forgery
- Buffer overflow
- Content spoofing
- Hidden Form Fields
- Information Disclosure
- Insecure Session ID Generation
- Hijacking Session IDs
- Parameter Tampering
- Access to Web Server Directories
- Account Lockout
- Forceful Browsing
- Information Contained in Cookies
- Unexpected Input
- Autocomplete feature set to on
- SSL Cookie Not In Use
- Persistent Cookie in use
- Unvalidated redirects and forwards
- Older software implementation
- Default Passwords
- Security Misconfiguration
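Several of the Level 3 findings above concern cookie handling. The following added example (not part of the original post) shows how a tester or a CI check can map an application's Set-Cookie headers to the finding names used in that list; the sample headers are constructed, and the HttpOnly check is an extra one not named in the post.

```python
import re
from urllib.parse import unquote
from typing import Dict, List

# Constructed Set-Cookie headers for a hypothetical application (not real data).
SAMPLE_SET_COOKIE = [
    "JSESSIONID=A1B2C3D4; Path=/",
    "remember=user%3Dalice%3Brole%3Dadmin; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/; Secure; HttpOnly",
    "pref=dark; Max-Age=31536000; Path=/; Secure; HttpOnly; SameSite=Lax",
]

# A decoded cookie value carrying fields such as user=... or role=... is the
# kind of evidence behind the "Information Contained in Cookies" finding.
SENSITIVE_FIELD = re.compile(r"\b(user|username|role|email|pass\w*|ssn|card)\s*=", re.I)

def parse_set_cookie(header: str):
    """Return (name, value, attributes) for one Set-Cookie header; attribute names are lower-cased."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()   # flag attributes map to ""
    return name.strip(), value.strip(), attrs

def check_cookie(header: str) -> List[str]:
    """Map one Set-Cookie header to the finding names used in the Level 3 list."""
    _name, value, attrs = parse_set_cookie(header)
    findings: List[str] = []
    if "secure" not in attrs:                      # browser may send it over plain HTTP
        findings.append("SSL Cookie Not In Use")
    if "expires" in attrs or "max-age" in attrs:   # survives closing the browser
        findings.append("Persistent Cookie in use")
    if SENSITIVE_FIELD.search(unquote(value)):     # identity data readable after URL-decoding
        findings.append("Information Contained in Cookies")
    if "httponly" not in attrs:                    # added check: value readable by page script
        findings.append("HttpOnly flag missing")
    return findings

def check_response(headers: List[str]) -> Dict[str, List[str]]:
    """Return {cookie name: findings} for every cookie in a response, omitting clean cookies."""
    report: Dict[str, List[str]] = {}
    for header in headers:
        findings = check_cookie(header)
        if findings:
            report[parse_set_cookie(header)[0]] = findings
    return report

if __name__ == "__main__":
    for cookie, issues in check_response(SAMPLE_SET_COOKIE).items():
        print(f"{cookie}: {', '.join(issues)}")
```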
1 comment:
Thanks for sharing the different types of security testing; the description is very useful for understanding how these application security tests work. Thanks again.