راهنمای تست نفوذ آشنا ایمن
برای علاقمندان حوزه تست نفوذ، همواره تنوع و تکثر عناوین ارزیابیها، یکی از چالشهای پیش رو بوده است. اگرچه مراجع معتبری مانند OWASP برای این منظور تدوین شده، اما با توجه به تأکید این مراجع بر حداقلی بودن این عناوین، خبرگان تست نفوذ بر حسب تجربه، تخصص و نیاز خود، بعضاً مواردی را به این مراجع اضافه و یا از آن کم میکنند.
راهنمای زیر بر اساس مرجع OWASP v4 تنظیم شده و عناوین تستهای اصلی را برای علاقمندان و کارشناسان تست نفوذ فهرست کرده است. اگرچه در مرجع اصلی، ارزیابی ها در 12 دسته، گروه بندی شده اما بر حسب تجربه تیم ارزیابی امنیتی آشنا ایمن، این ارزیابی ها مورد بازنگری و شخصی سازی قرار گرفته و نهایتاً در 9 کلاس (که هر کدام عناوین متعددی را – که بعضاً از دسته های متنوع 12گانه اصلی استخراج شده اند – در بر میگیرد) دسته بندی شده است. در هر یک از این کلاسها، موارد آزمون متعددی گنجانده شده و چند عنوان تست جدید که ماحصل تجربه تیم ارزیابی امنیتی آشنا ایمن است، نیز به جداول اضافه شده که به مرور زمان به روز رسانی خواهد شد. این موارد اضافه شده در جدول با شناسه EXTRA-AI مشخص هستند.
هدف از تهیه این راهنما، دستیابی به مرجعی جامع (بصورت ترکیبی از مراجع بین المللی و تجربیات بومی) بوده است که بتواند پاسخی درخور برای نیاز کارشناسان این حوزه ارائه نماید.
لابراتوار ارزیابی امنیتی آشنا ایمن از نظرات سازنده متخصصین حوزه تست نفوذ برای تکمیل و به روز رسانی این فهرست، استقبال میکند.
| Status | Detailed Verification Requirement | ID | |
| Information Gathering | 1 | ||
| Fingerprint Technologies | 1.1 | ||
| Fingerprint Web Server | OTG-INFO-002 | ||
| Enumerate Applications on Webserver | OTG-INFO-004 | ||
| Fingerprint Web Application Framework | OTG-INFO-008 | ||
| Fingerprint Web Application | OTG-INFO-009 | ||
| Information Leakage | 1.2 | ||
| Conduct Search Engine Discovery and Reconnaissance for Information Leakage | OTG-INFO-001 | ||
| Review Webserver Metafiles for Information Leakage | OTG-INFO-003 | ||
| Review Webpage Comments and Metadata for Information Leakage | OTG-INFO-005 | ||
| Analysis of Error Codes | OTG-ERR-001 | ||
| Analysis of Stack Traces | OTG-ERR-002 | ||
| Conduct a Fuzzing for Hidden and Sensitive Files or Directories | EXTRA-AI-001 | ||
| Directory Indexing | 1.3 | ||
| Search for Directory Indexing | EXTRA-AI-002 | ||
| Storing Sensitive Information on Client Side | 1.4 | ||
| Test Local Storage | OTG-CLIENT-012 | ||
| Insecure Client-Side Information Storage | EXTRA-AI-003 | ||
| Configuration and Deployment Management | 2 | ||
| Enumerate Infrastructure and Application Admin Interfaces | 2.1 | ||
| Enumerate Infrastructure and Application Admin Interfaces | OTG-CONFIG-005 | ||
| Test Network/Infrastructure Configuration | OTG-CONFIG-001 | ||
| Hidden Resources Discovery | 2.2 | ||
| Review Old, Backup and Unreferenced Files for Sensitive Information | OTG-CONFIG-004 | ||
| HTTP Security Headers | 2.3 | ||
| Testing for Lack of HTTP Security Headers | EXTRA-AI-004 | ||
| Identity Management and Authentication | 3 | ||
| Secure Authentication Class | 3.1 | ||
| Test User Registration Process | OTG-IDENT-002 | ||
| Testing for Weak Lock Out Mechanism | OTG-AUTHN-003 | ||
| Testing for Bypassing Authentication Schema | OTG-AUTHN-004 | ||
| Test Remember Password Functionality | OTG-AUTHN-005 | ||
| Testing for Browser Cache Weakness | OTG-AUTHN-006 | ||
| Testing for Weak Security Question/Answer | OTG-AUTHN-008 | ||
| Testing for Weak Password Change or Reset Functionalities | OTG-AUTHN-009 | ||
| Testing for Weaker Authentication in Alternative Channel | OTG-AUTHN-010 | ||
| Testing for Weak or Unenforced Username Policy | OTG-IDENT-005 | ||
| Testing for Default Credentials | OTG-AUTHN-002 | ||
| Testing for Two Factor Authentication Bypass | EXTRA-AI-005 | ||
| Username Enumeration | 3.2 | ||
| Testing for Account Enumeration and Guessable User Account | OTG-IDENT-004 | ||
| Testing for Recovering Sensitive Information | 3.3 | ||
| Storing Sensitive Information in a Recoverable Format | EXTRA-AI-006 | ||
| Testing against Brute Force attack | 3.4 | ||
| Testing against Brute Force attack | EXTRA-AI-007 | ||
| Password Policy | 3.5 | ||
| Testing for Weak password policy | OTG-AUTHN-007 | ||
| Testing for SSL over User Authentication | 3.6 | ||
| Testing for Credentials Transported over an Encrypted Channel | OTG-AUTHN-001 | ||
| Authorization and Boundary Test | 4 | ||
| User Access Control | 4.1 | ||
| Test Role Definitions | OTG-IDENT-001 | ||
| Test Account Provisioning Process | OTG-IDENT-003 | ||
| Testing for Bypassing Authorization Schema | OTG-AUTHZ-002 | ||
| Testing for Privilege Escalation | OTG-AUTHZ-003 | ||
| Testing for HTTP Verb Tampering | OTG-INPVAL-003 | ||
| Testing for JSON Web Token Flaw | EXTRA-AI-008 | ||
| Test Cross Origin Resource Sharing | OTG-CLIENT-007 | ||
| File Inclusions | 4.2 | ||
| Testing Directory Traversal/File Include | OTG-AUTHZ-001 | ||
| Execution after Redirect | 4.3 | ||
| Execution after Redirect | EXTRA-AI-009 | ||
| Cross Site Request Forgery | 4.4 | ||
| Testing for Cross Site Request Forgery (CSRF) | OTG-SESS-005 | ||
| Secure File Upload | 4.5 | ||
| Arbitrary File Upload | EXTRA-AI-010 | ||
| Test Upload of Unexpected File Types | OTG-BUSLOGIC-008 | ||
| Test Upload of Malicious Files | OTG-BUSLOGIC-009 | ||
| Insecure Direct Object References | 4.6 | ||
| Testing for Insecure Direct Object References | OTG-AUTHZ-004 | ||
| Secure Captcha implementation | 4.7 | ||
| Test for Secured Captcha Workflow | EXTRA-AI-011 | ||
| Cookie and Session Management | 5 | ||
| Testing for Cookies attributes | 5.1 | ||
| Testing for Cookies attributes | OTG-SESS-002 | ||
| Cryptographic Pseudo-Random Number Generator | EXTRA-AI-012 | ||
| Secure Session Management | 5.2 | ||
| Testing for Bypassing Session Management Schema | OTG-SESS-001 | ||
| Testing for Session Fixation | OTG-SESS-003 | ||
| Testing for Exposed Session Variables | OTG-SESS-004 | ||
| Testing for Logout functionality | OTG-SESS-006 | ||
| Test Session Timeout | OTG-SESS-007 | ||
| Testing for Session puzzling | OTG-SESS-008 | ||
| Accessibility | 6 | ||
| Denial of Service | 6.1 | ||
| Test for Denial of Service | EXTRA-AI-013 | ||
| Input/Output Validation | 7 | ||
| Cross Site Scripting | 7.1 | ||
| Testing for Reflected Cross Site Scripting | OTG-INPVAL-001 | ||
| Testing for Stored Cross Site Scripting | OTG-INPVAL-002 | ||
| Testing for DOM based Cross Site Scripting | OTG-CLIENT-001 | ||
| Testing for JavaScript Execution | OTG-CLIENT-002 | ||
| Testing for HTML Injection | OTG-CLIENT-003 | ||
| Testing for CSS Injection | OTG-CLIENT-005 | ||
| Testing for Client Side Resource Manipulation | OTG-CLIENT-006 | ||
| Testing for Clickjacking | OTG-CLIENT-009 | ||
| Testing for Cross Frame Scripting (XFS) | EXTRA-AI-014 | ||
| SQL Injection | 7.2 | ||
| Testing for SQL Injection | OTG-INPVAL-005 | ||
| Testing for Incubated Vulnerabilities | OTG-INPVAL-015 | ||
| NoSQL Injection | 7.3 | ||
| Testing for XPath Injection | OTG-INPVAL-010 | ||
| Testing for XML Injection | OTG-INPVAL-008 | ||
| Testing for MongoDB Injection | EXTRA-AI-015 | ||
| Server Side Code Injection | 7.4 | ||
| Testing for LDAP Injection | OTG-INPVAL-006 | ||
| Testing for ORM Injection | OTG-INPVAL-007 | ||
| Testing for SSI Injection | OTG-INPVAL-009 | ||
| IMAP/SMTP Injection | OTG-INPVAL-011 | ||
| Testing for Code Injection | OTG-INPVAL-012 | ||
| Remote Command Execution | 7.5 | ||
| Testing for Command Injection | OTG-INPVAL-013 | ||
| Testing for Server Side Template Injection | EXTRA-AI-015 | ||
| Buffer Overflow | 7.6 | ||
| Testing for Buffer Overflow | OTG-INPVAL-014 | ||
| XML External Entity (XXE) | 7.7 | ||
| Testing for XML External Entity (XXE) | EXTRA-AI-017 | ||
| Server Side Request Forgery (SSRF) | 7.8 | ||
| Testing for Server Side Request Forgery (SSRF) | EXTRA-AI-018 | ||
| Open Redirect | 7.9 | ||
| Testing for Client Side URL Redirect | OTG-CLIENT-004 | ||
| Testing for weak Cryptography | 8 | ||
| Testing for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection | 8.1 | ||
| Testing for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection | OTG-CRYPST-001 | ||
| Testing for Sensitive Information Sent via Unencrypted Channels | 8.2 | ||
| Testing for Sensitive Information Sent via Unencrypted Channels | OTG-CRYPST-003 | ||
| Testing for Padding Oracle | OTG-CRYPST-002 | ||
| Workflow/Dataflow Tests | 9 | ||
| Test Business Logic Data Validation | OTG-BUSLOGIC-001 | ||
| Test Ability to Forge Requests | OTG-BUSLOGIC-002 | ||
| Test Integrity Checks | OTG-BUSLOGIC-003 | ||
| Test for Process Timing | OTG-BUSLOGIC-004 | ||
| Test Number of Times a Function Can be Used Limits | OTG-BUSLOGIC-005 | ||
| Testing for the Circumvention of Work Flows | OTG-BUSLOGIC-006 | ||
| Test Defenses Against Application Mis-use | OTG-BUSLOGIC-007 |