VI.6 Creating user-defined report templates

Part of the document "Rational AppScan User Guide" (pages 97 - 104)

You can create your own user-defined templates, whether or not they are added to the standard- or regulation-based reports. AppScan report templates have the file extension .asreg. The supplied templates are stored in the \Regulations folder of the AppScan installation folder.

1. Open the \AppScan\Regulations folder and copy one of the .asreg files.

Note: By default the AppScan folder is C:\Program Files\IBM\Rational AppScan, unless a different location was specified during installation.

2. Paste the file into the AppScan User Files folder and give it a new name.

4. The next tag is the title of the template:

    <Title>Our Organization's Web Application Requirement Compliance Report</Title>

5. Enter a description of the regulation or standard using the Description tag:

    <Description>
      <Subtitle>Sub Section</Subtitle>
      <p>This regulation addresses ...</p>
      <p>It is important because...</p>
      <Subtitle>Sub Section 2</Subtitle>
      <p>This section of the regulation addresses ...</p>
    </Description>

6. By default there is a <Disclaimer> tag, which ensures that no legal liability is assumed for the contents of the report.

7. Create the required sections (<Section> tags) of the regulation template and define which Rational® AppScan findings relate to each section, using the <Cause> and <Risk> tags.

o The sections are user-defined; the name attribute of the Section tag defines the section.

o The causes within each section are taken from the List of causes. Each cause describes an incomplete or incorrect configuration, missing validation, or a similar condition.

o The risks within each section are taken from the List of risks. Each risk is treated as a “worst-case scenario”.

o The threat classes within each section are taken from the List of threat classes. A threat class is a grouping of tests.

For example:

    <Section name="My Application login must be secured">
      <Cause>inputLengthNotChecked</Cause>
      <Risk>denialOfService</Risk>
      <Risk>siteDefacement</Risk>
    </Section>

8. Close the file with the end tag: </Regulation>
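A hand-edited .asreg template fails silently in the most annoying way: a misspelled cause or risk identifier simply maps nothing into the section, so the compliance report looks complete while the findings it should have pulled in are missing. The script below is an added example, not code from the AppScan manual or the product; it parses a template with the tags described in steps 4 to 8 (Title, Description, Disclaimer and Section/Cause/Risk under a <Regulation> root) and checks every <Cause> and <Risk> name against the List of causes and List of risks printed further down this page. The sample template is constructed for the demonstration. Note that the page's own example uses the risk name siteDefacement, which does not appear in the page's List of risks, so the checker flags it; the threat-class tag and any attributes of <Regulation> are not shown on the page and are not checked.

```python
"""Structural and identifier check for an AppScan-style .asreg template.

Added example (not part of the AppScan manual or product). The allowed
identifier sets are copied from the lists on this page; the sample
template is constructed for this demonstration.
"""
import xml.etree.ElementTree as ET

# Cause identifiers from the page's "List of causes".
ALLOWED_CAUSES = {
    "hazardousCharactersNotSanitized", "formatStringsVulnerability",
    "hiddenParameterUsed", "boundsCheckingOnParamValues", "incorrectDataType",
    "inputLengthNotChecked", "errorMessagesReturned", "debugInfoInHtmlSource",
    "backDoorLeftBehind", "clientSideValidation", "usOfClientSideLogic",
    "cookiesCreatedAtClientSide", "javaScriptPassWordMechanism",
    "sqlBuiltByJavaScript", "dotDotNotSanitized", "weakTokenUsed",
    "missingPatchesForThirdPartyProds", "sampleScriptsFound",
    "insecureThirdPartySoftware", "directoryBrowsingEnabled",
    "managementConsoleAccess", "insecureWebServerConfiguration",
    "frontPageServerUnsecureInstall", "insecureWebAppConfiguration",
    "vulnSOAPserializer", "sensitiveDataNotSSL", "nonSecureCookiesSentOverSSL",
    "sessionCookieNotRAM", "redirectionFromWithinSite",
}

# Risk identifiers from the page's "List of risks". "confgurationFileDownloadable"
# keeps the spelling printed on the page; the JavaScript variant of
# genericWorstCase is omitted because its exact identifier is unclear there.
ALLOWED_RISKS = {
    "tempScriptDownload", "sourceCodeDisclosure", "pathDisclosure",
    "directoryListing", "envVariablesExposure", "anyFileDownload",
    "userImpersonation", "remoteCommandExecution", "cacheFilesDownload",
    "debugErrorInformation", "eShoplifting", "denialOfService",
    "privilegeEscalation", "genericWorstCase", "confgurationFileDownloadable",
    "sensitiveInformation", "databaseManipulations", "authBypass",
    "siteStructureRevealed", "publisherInformationRevealed",
    "dataResourceDownload", "sensitiveNotOverSSL", "loginNotOverSSL",
    "unsecureCookieInSSL", "sessionCookieNotRAM", "phishing",
}


def validate_asreg(xml_text: str) -> list:
    """Return a list of problems found in the template (empty means clean)."""
    problems = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != "Regulation":
        problems.append(f"root element is <{root.tag}>, expected <Regulation>")
    # Step 4 to 6 of the procedure: title, description and disclaimer.
    for tag in ("Title", "Description", "Disclaimer"):
        if root.find(tag) is None:
            problems.append(f"missing <{tag}> element")
    # Step 7: every section needs a name and must map at least one finding.
    sections = root.findall("Section")
    if not sections:
        problems.append("template defines no <Section>")
    for index, section in enumerate(sections, 1):
        name = section.get("name") or ""
        if not name:
            problems.append(f"section {index} has no name attribute")
            name = f"#{index}"
        if section.find("Cause") is None and section.find("Risk") is None:
            problems.append(f"section '{name}' maps no Cause or Risk")
        # An unknown identifier silently maps nothing, so it is an error here.
        for cause in section.findall("Cause"):
            ident = (cause.text or "").strip()
            if ident not in ALLOWED_CAUSES:
                problems.append(f"section '{name}': unknown cause '{ident}'")
        for risk in section.findall("Risk"):
            ident = (risk.text or "").strip()
            if ident not in ALLOWED_RISKS:
                problems.append(f"section '{name}': unknown risk '{ident}'")
    return problems


# Constructed sample: the page's own example section plus a second section
# with a misspelled cause (inputLenghtNotChecked) to show what gets caught.
SAMPLE_TEMPLATE = """<Regulation>
  <Title>Our Organization's Web Application Requirement Compliance Report</Title>
  <Description>
    <Subtitle>Sub Section</Subtitle>
    <p>This regulation addresses ...</p>
  </Description>
  <Disclaimer>Constructed placeholder disclaimer text.</Disclaimer>
  <Section name="My Application login must be secured">
    <Cause>inputLengthNotChecked</Cause>
    <Risk>denialOfService</Risk>
    <Risk>siteDefacement</Risk>
  </Section>
  <Section name="Database access must use validated input">
    <Cause>sqlBuiltByJavaScript</Cause>
    <Cause>inputLenghtNotChecked</Cause>
    <Risk>databaseManipulations</Risk>
  </Section>
</Regulation>"""

if __name__ == "__main__":
    for problem in validate_asreg(SAMPLE_TEMPLATE):
        print(problem)
```

Run it against a real template from your AppScan User Files folder by reading the file into validate_asreg; the identifier sets should then be regenerated from the lists shipped with your AppScan version rather than from this page, since the page's example already shows a risk name the printed list does not contain.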

List of causes

Cause
    Description

hazardousCharactersNotSanitized
    Sanitation of hazardous characters was not performed correctly on user input.

formatStringsVulnerability
    User input is used directly as a formatting string input for C/C++'s sprintf and similar functions.

hiddenParameterUsed
    Parameter values were 'hardcoded' in the HTML as a parameter of type 'hidden'.

boundsCheckingOnParamValues
    Proper bounds checking was not performed on incoming parameter values.

incorrectDataType
    No validation was done to ensure user input matches the expected data type.

inputLengthNotChecked
    User input length is not limited, thereby enabling buffer overflows.

errorMessagesReturned
    Exceptions and error messages, which may contain sensitive debugging information, are presented to users.

debugInfoInHtmlSource
    Debugging information was left by the programmer in web pages.

backDoorLeftBehind
    A backdoor or a debugging option was left behind by programmers.

clientSideValidation
    User input validation is done at the client side and may be bypassed.

usOfClientSideLogic
    The web application uses client-side logic to create web pages.

cookiesCreatedAtClientSide
    Cookies are created at the client side.

javaScriptPassWordMechanism
    The web application uses client-side password authentication.

sqlBuiltByJavaScript
    The web application uses client-side logic to create SQL queries.

dotDotNotSanitized
    User input is not checked for the '..' string.

weakTokenUsed
    A weak token algorithm is used by the web application.

missingPatchesForThirdPartyProds
    The latest patches or hotfixes for third-party products were not installed.

sampleScriptsFound
    Default sample scripts or directories were installed on the web site.

insecureThirdPartySoftware
    Vulnerable third-party software, which does not have a known patch, is installed on the web site.

directoryBrowsingEnabled
    Directory browsing is enabled.

managementConsoleAccess
    The web management console is accessible from the web.

insecureWebServerConfiguration
    The web server or application server is configured in an insecure way.

frontPageServerUnsecureInstall
    FrontPage server extensions were installed with improper security settings.

insecureWebAppConfiguration
    Insecure web application programming or configuration.

vulnSOAPserializer
    The SOAP serializer used by your web services server does not validate SOAP input properly.

sensitiveDataNotSSL
    Sensitive input fields such as usernames, passwords, and credit card numbers are passed unencrypted.

nonSecureCookiesSentOverSSL
    The web application sends non-secure cookies over SSL.

sessionCookieNotRAM
    The web application stores sensitive session information in a permanent cookie (on disk).

redirectionFromWithinSite
    The web application performs a redirection to an external site.

List of risks

Risk Name
    Description

tempScriptDownload
    It is possible to download temporary script files, which may expose the application logic and other sensitive information such as usernames and passwords.

sourceCodeDisclosure
    It is possible to retrieve the source code of server-side scripts, which may expose the application logic and other sensitive information such as usernames and passwords.

pathDisclosure
    It is possible to retrieve the absolute path of the web server installation, which may help an attacker to develop further attacks and to gain information about the file system structure of the web application.

directoryListing
    It is possible to view and download the contents of certain web application virtual directories, which may contain restricted files.

envVariablesExposure
    It is possible to expose server environment variables, which may help an attacker to develop further attacks against the web application.

anyFileDownload
    It is possible to view the contents of any file (e.g. databases, user information or configuration files) on the web server (under the permission restrictions of the web server user).

userImpersonation
    It is possible to steal customer sessions and cookies, which may be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user.

remoteCommandExecution
    It is possible to execute remote commands on the web server. This usually means complete compromise of the server and its contents.

cacheFilesDownload
    It is possible to view the contents of cache files, which may contain sensitive information regarding the web application.

debugErrorInformation
    It is possible to gather sensitive debugging information.

eShoplifting
    It is possible to steal goods or services (eShoplifting).

denialOfService
    It is possible to prevent the web application from serving other users (denial of service).

privilegeEscalation
    It is possible to escalate user privileges and gain administrative permissions over the web application.

genericWorstCase
    It is possible to undermine application logic.

confgurationFileDownloadable
    It is possible to download or view the contents of a configuration file, which may contain vital information such as usernames and passwords.

sensitiveInformation
    It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations.

genericWorstCase JavaScript
    It is possible to exploit JavaScript; the extent of the risk depends on the context of the page modified at the client side.

databaseManipulations
    It is possible to view, modify or delete database entries and tables (SQL Injection).

authBypass
    It is possible to bypass the web application's authentication mechanism.

siteStructureRevealed
    It is possible to retrieve information about the site's file system structure, which may help the attacker to map the web site.

publisherInformationRevealed
    It is possible to retrieve sensitive FrontPage publishing information.

dataResourceDownload
    It is possible to access information stored in a sensitive data resource.

sensitiveNotOverSSL
    It is possible to steal sensitive data such as credit card numbers, social security numbers etc. that are sent unencrypted.

loginNotOverSSL
    It is possible to steal user login information such as usernames and passwords that are sent unencrypted.

unsecureCookieInSSL
    It is possible to steal user and session information (cookies) that was sent during an encrypted session.

sessionCookieNotRAM
    It is possible to steal session information (cookies) that was kept on disk as permanent cookies.

phishing
    It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number etc.

List of threat classes

Threat class
    Description

Authentication: Brute Force
    An automated process of trial and error used to guess a person's username, password, credit-card number or cryptographic key.

Authentication: Insufficient Authentication
    Occurs when a web site permits an attacker to access sensitive content or functionality without having to properly authenticate.

Authentication: Weak Password Recovery Validation
    Occurs when a web site permits an attacker to illegally obtain, change or recover another user's password.

Authorization: Credential/Session Prediction
    A method of hijacking or impersonating a web site user, by deducing or guessing the unique value that identifies a particular session or user.

Authorization: Insufficient Authorization
    When a web site permits access to sensitive content or functionality that should require increased access control restrictions.

Authorization: Insufficient Session Expiration
    When a web site permits an attacker to reuse old session credentials or session IDs for authorization.

Authorization: Session Fixation
    An attack technique that forces a user's session ID to an explicit value. After a user's session ID has been fixed, the attacker will wait for them to log in. Once the user does so, the attacker uses the predefined session ID value to assume their online identity.

Client-side Attacks: Content Spoofing
    An attack technique used to trick a user into believing that certain content appearing on a web site is legitimate and not from an external source.

Client-side Attacks: Cross-site Scripting
    An attack technique that forces a web site to echo attacker-supplied executable code, which loads in a user's browser.

Command Execution: Buffer Overflow
    Attacks that alter the flow of an application by overwriting parts of memory with data that exceeds the allocated size of the buffer.

Command Execution: Format String Attack
    Attacks that alter the flow of an application by using string formatting library features to access other memory space.

Command Execution: LDAP Injection
    An attack technique used to exploit web sites that construct LDAP statements from user-supplied input.

Command Execution: OS Commanding
    An attack technique used to exploit web sites by executing operating system commands through manipulation of application input.

Command Execution: SQL Injection
    An attack technique used to exploit web sites that construct SQL statements from user-supplied input.

Command Execution: SSI Injection
    A server-side exploit technique that allows an attacker to send code into a web application, which will later be executed locally by the web server.

Command Execution: XPath Injection
    An attack technique used to exploit web sites that construct XPath queries from user-supplied input.

    Unintended directory listings may be possible due to software vulnerabilities combined with a specific web request.

Information Disclosure: Information Leakage
    When a web site reveals sensitive data, such as developer comments or error messages, which may aid an attacker in exploiting the system.

Information Disclosure: Path Traversal
    A technique that forces access to files, directories, and commands that potentially reside outside the web document root directory.

Information Disclosure: Predictable Resource Location
    An attack technique used to uncover hidden web site content and functionality by making educated guesses.

Logical Attacks: Abuse of Functionality
    An attack technique that uses a web site's own features and functionality to consume, defraud, or circumvent access control mechanisms.

Logical Attacks: Denial of Service
    An attack technique with the intent of preventing a web site from serving normal user activity.

Logical Attacks: Insufficient Anti-automation
    When a web site permits an attacker to automate a process that should only be performed manually.

Logical Attacks: Insufficient Process Validation
    When a web site permits an attacker to bypass or circumvent the intended flow control of an application.

Application Privacy Tests
    n/a

Application Quality Tests
    n/a

User-Defined Tests
    n/a
