From: Mark Curphey [mark@curphey.com] Sent: Monday, January 21, 2002 9:25 PM To: webappsec@securityfocus.com Subject: FW: OWASP : What to test ? -----Original Message----- From: Kevin Spett [mailto:kspett@spidynamics.com] Sent: Monday, January 21, 2002 5:12 PM To: mark@curphey.com; owasp@securityfocus.com Subject: Re: OWASP : What to test ? You guys seem to be on the right track... here are some things that are frequently overlooked that we've found to be useful: Testing for "hidden" files on the server that exist for administration purposes or that were left on the server by developers. Always check every directory for files like "admin.asp" and "upload.asp" that may exist to help administrators. Equally as interesting can be files like "test.asp" or "example.asp" that may have been placed on the server by developers and never removed. I cannot tell you how many times that I've ran into a seemingly bulletproof server, and then found a "test.asp" that contains some code that a developer abandoned. Lots of the time these will contain information on other "hidden" files, failed database connection errors and other such things. Along similar lines, looking for core dump files, CVS files, and application logs can be very fruitful. For example, older versions of WS FTP, by default, will always upload a file called "WS_FTP.LOG" to the remote host. Who says you're the first person to check out a site's security? Look for backdoors and other tools. The most common ones are obviously going to be "root.exe" and "cmd.exe". Check for other common ones like "ackcmds.exe", "nc.exe", etc. Another neat trick is abusing a site's search function. Nearly every web site now has a search tool. If the admin is lazy and has the search application index the /entire/ server from the webroot up, you can search for the admin pages, configuration files, databases... anything at all above the webroot. Kevin. ----- Original Message ----- From: "Mark Curphey" To: Sent: Friday, January 11, 2002 11:04 AM Subject: OWASP : What to test ? > As you know we are starting to build the testing framework....we are > going to capture the mailing list debate and thoughts to want your input. > Well then publish it for community review and input. > > One of the areas that seems really important is What to test ? I put > some provisional headings down at http://www.owasp.org/projects/testing/ > > Imaginary scneario : you are presented with a site dns name and asked > to review its security of the applications running on it. > > Where do you start ? > Do you spider the site looking for any place that sends paramaters to > an application ? > How do you find where application reside ? > What about web services and WDSL ? Do you look at a UDDI ? > Should you test an application issolation (ie a single cgi) or all applications > on that site ? > > These are just a few thoughts, really just a few... > > So does anyone want to share the way they approach deciding what should > be tested with the list ? > > __________________________________________________ > FREE voicemail, email, and fax...all in one place. > Sign Up Now! http://www.onebox.com > >