Scribd Logo
Upload

Welcome to Scribd!

  • 217 views

    A New Web Application Vulnerability Assessment Framework

    Uploaded by

    Mark Jayson
    A new framework for testing websites with regards to application, server, and network vulnerabilities with dependence on OWASP techniques, manual, and automated exploitation, and assessment.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PPTX, PDF, TXT or read online from Scribd

    A New Web Application Vulnerability Assessment Framework

    Uploaded by

    Mark Jayson
    217 views20 pages
    A new framework for testing websites with regards to application, server, and network vulnerabilities with dependence on OWASP techniques, manual, and automated exploitation, and assessment.

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Available Formats

    PPTX, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    A new framework for testing websites with regards to application, server, and network vulnerabilities with dependence on OWASP techniques, manual, and automated exploitation, and assessment.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PPTX, PDF, TXT or read online from Scribd
    Download as pptx, pdf, or txt
    217 views20 pages

    A New Web Application Vulnerability Assessment Framework

    Uploaded by

    Mark Jayson
    A new framework for testing websites with regards to application, server, and network vulnerabilities with dependence on OWASP techniques, manual, and automated exploitation, and assessment.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PPTX, PDF, TXT or read online from Scribd
    Download as pptx, pdf, or txt
    of 20

    Proposal

    FUENTES, ET. AL.

    Objectives
    Propose a new framework for web vulnerability assessment and mitigation

    Test the proposed framework to an active web application


    Gather research data from the test implementation Work with the client to improve the framework and the target web application Establish a simplified redo able approach to web vulnerability assessment for adoption in the local IT industry

    What we currently know


    Buy and sell Real Estate Automotive Services Jobs Business Establishments Events

    A new web application vulnerability assessment framework


    A PROPOSAL

    OSSTMM 3
    BY THE INSTITUTE FOR SECURITY AND OPEN METHODOLOGIES

    Coverage
    OSSTMM

    Human

    Physical

    Wireless

    Telecommunications

    Data Networks

    OWASP Testing Guide v3


    BY OWASP (OPEN WEB APPLICATION SECURITY PROJECT)

    Information Gathering

    Configuration Management Testing

    Business Logic Testing

    Authentication Testing

    Authorization Testing

    Session Management Testing

    Data Validation Testing

    Denial of Service Testing

    Web Services Testing

    Ajax Testing

    Coverage

    Web Application
    Production Development

    A new framework

    Proposed Vulnerability Assessment Methodology


    A simplified approach to web vulnerability assessment

    WEB APPLICATION
    Application Analysis Vulnerability Scanning/Exploitation

    Mitigation

    Assessment

    Personal

    Framework
    Government

    Application Server

    Web App
    Commercial

    Network

    Application Analysis

    Application Analysis
    Application Specific Server Specific Network Specific

    Domain Name IP Address Development Language/ CMS Identification Third-Party Software Libraries

    Web Server Identification Database Server Application

    Network Architecture Modeling Proxy, Firewall Rules etc.

    Vulnerability Scanning/Exploitation

    Vulnerability Scanning/Exploitation
    Application Specific XSS Session grabbing Clickjacking Bruteforce form cracking Server Specific SQL injection DoS attack Malicious code execution Remote shell exploits Network Specific Live host scan Port scan

    Assessment

    Assessment
    Application Specific Number of fields vulnerable Exposed classified information Personal information Server Specific Maximum server load evaluation Weak/unhashed passwords Obsolete authentication mechanisms Network Specific No Proxy Number of opened ports Firewall/proxy rules

    Mitigation

    References
    Open Web Application Security Project. OWASP Testing Project. Published December 16, 2008. Accessed January 18, 2013. http://www.owasp.org/images/5/56/OWASP%20Testing%20Guide%20v3.pdf

    Open Web Application Security Project. OWASP Top 10 2013 Project. Published December 16, 2008. Accessed March 18, 2013. http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf
    Pete Herzog, Institute for Security and Open Methodologies. OSSTMM 3 (The Open Source Security Testing Methodology Manual: Contemporary Security Testing and Analysis

    You might also like