V – RESULTS: Application Data 1 Application data overview
VI.6 Creating user-defined report templates
You can create your own user-defined templates, whether or not they extend the supplied standard or regulatory reports. AppScan report templates have the .asreg file extension. The supplied templates are stored in the \Regulations folder of the AppScan installation directory.
1. Open the \AppScan\Regulations folder and copy one of the .asreg files.
Note: By default the AppScan folder is C:\Program Files\IBM\Rational AppScan, unless another location was specified during installation.
2. Paste the file into the AppScan User Files folder and give it a new name.
4. The next tag is the title of the template:
<Title>Our Organization's Web Application Requirement Compliance Report</Title>
5. Enter a description of the regulation or standard, using the Description tag:
<Description>
  <Subtitle>Sub Section</Subtitle>
  <p>This regulation addresses ...</p>
  <p>It is important because...</p>
  <Subtitle>Sub Section 2</Subtitle>
  <p>This section of the regulation addresses ...</p>
</Description>
6. By default there is a <Disclaimer> tag, which states that no legal liability is accepted for the contents of the report.
7. Create the requirement sections (<Section> tags) of the regulation template and define which Rational® AppScan findings are relevant to each section, using the <Cause> and <Risk> tags.
o The sections are user-defined; the name attribute of the Section tag gives the section its name.
o The causes within each section are taken from the List of causes. Each cause describes an incomplete or incorrect configuration, a missing validation, or a similar condition.
o The risks within each section are taken from the List of risks. Each risk is treated as a "worst case" outcome.
o The threat classes within each section are taken from the List of threat classes. A threat class is a grouping of tests.
For example:
<Section name="My Application login must be secured">
  <Cause>inputLengthNotChecked</Cause>
  <Risk>denialOfService</Risk>
  <Risk>siteDefacement</Risk>
</Section>
8. Close the file with the closing tag: </Regulation>
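The steps above only say which tags go into the file; nothing checks that a <Cause> or <Risk> value actually matches a name from the lists that follow, and a misspelled name simply leaves that requirement section empty in the generated report. The script below is an added example, not code from the original page or from IBM Rational AppScan: it assembles a template from the tags described in steps 4 to 8 and validates every section against the documented name lists. It assumes a bare <Regulation> root element (the page shows only the closing tag), and the KNOWN_CAUSES / KNOWN_RISKS sets are a subset of the page's lists, to be extended with the full lists for real use.

```python
"""Check a user-defined AppScan regulation template (.asreg) before use.

Added example; not code from the original page or from IBM Rational AppScan.
It parses the tags the page describes (<Regulation>, <Title>, <Description>,
<Disclaimer>, <Section name="..."> with <Cause> and <Risk>) and reports every
<Cause> or <Risk> whose value is not in the documented lists.
Assumptions: the root element is a bare <Regulation> (the page shows only its
closing tag); the name sets below are a subset of the page's lists.
"""
import xml.etree.ElementTree as ET

# Subset of the documented "List of causes" / "List of risks" (assumption:
# extend these with the full lists when validating a real template).
KNOWN_CAUSES = frozenset({
    "hazardousCharactersNotSanitized", "formatStringsVulnerability",
    "inputLengthNotChecked", "clientSideValidation", "errorMessagesReturned",
    "directoryBrowsingEnabled", "sensitiveDataNotSSL",
    "nonSecureCookiesSentOverSSL", "sessionCookieNotRAM",
})
KNOWN_RISKS = frozenset({
    "denialOfService", "siteDefacement",  # siteDefacement appears in the page's example
    "databaseManipulations", "authBypass", "userImpersonation",
    "loginNotOverSSL", "sensitiveNotOverSSL", "unsecureCookieInSSL",
    "sessionCookieNotRAM", "directoryListing", "debugErrorInformation",
})

# Constructed sample template following steps 4-8. It carries two deliberate
# defects: a misspelled risk ("denialOfServce") and a <Section> with no name.
ASREG_TEMPLATE = """\
<Regulation>
  <Title>Our Organization's Web Application Requirement Compliance Report</Title>
  <Description>
    <Subtitle>Input handling</Subtitle>
    <p>This regulation addresses validation of all user-supplied input.</p>
    <Subtitle>Transport security</Subtitle>
    <p>This section of the regulation addresses encryption of credentials in transit.</p>
  </Description>
  <Disclaimer>This report is provided without any legal warranty.</Disclaimer>
  <Section name="My Application login must be secured">
    <Cause>inputLengthNotChecked</Cause>
    <Risk>denialOfService</Risk>
    <Risk>siteDefacement</Risk>
  </Section>
  <Section name="Credentials must only travel over SSL">
    <Cause>sensitiveDataNotSSL</Cause>
    <Risk>loginNotOverSSL</Risk>
    <Risk>denialOfServce</Risk>
  </Section>
  <Section>
    <Cause>clientSideValidation</Cause>
  </Section>
</Regulation>
"""


def validate_template(xml_text, known_causes=KNOWN_CAUSES, known_risks=KNOWN_RISKS):
    """Return a list of problem strings; an empty list means the template passed."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    problems = []
    if root.tag != "Regulation":
        problems.append(f"root element is <{root.tag}>, expected <Regulation>")
    if not (root.findtext("Title") or "").strip():
        problems.append("missing or empty <Title>")
    if root.find("Disclaimer") is None:
        problems.append("missing <Disclaimer>")

    sections = root.findall("Section")
    if not sections:
        problems.append("no <Section> elements; the report would have no requirements")

    for index, section in enumerate(sections, start=1):
        name = section.get("name")
        label = f'section "{name}"' if name else f"section #{index}"
        if not name:
            problems.append(f"{label}: missing name attribute")

        # Empty or whitespace-only tag bodies are treated as unknown names too.
        causes = [(c.text or "").strip() for c in section.findall("Cause")]
        risks = [(r.text or "").strip() for r in section.findall("Risk")]
        if not causes and not risks:
            problems.append(f"{label}: no <Cause> or <Risk>, so no findings map to it")
        for cause in causes:
            if cause not in known_causes:
                problems.append(f"{label}: unknown <Cause> '{cause}'")
        for risk in risks:
            if risk not in known_risks:
                problems.append(f"{label}: unknown <Risk> '{risk}'")
    return problems


if __name__ == "__main__":
    for problem in validate_template(ASREG_TEMPLATE) or ["template OK"]:
        print(problem)
```

Run against a saved template with `validate_template(open("MyRegulation.asreg", encoding="utf-8").read())`; on the constructed sample it reports the misspelled risk in the second section and the nameless third section, and nothing else.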
List of causes

Cause                               Description
hazardousCharactersNotSanitized     Sanitation of hazardous characters was not performed correctly on user input.
formatStringsVulnerability          User input is used directly as a formatting string input for C/C++'s sprintf and similar functions.
hiddenParameterUsed                 Parameter values were 'hardcoded' in the HTML as a parameter of type 'hidden'.
boundsCheckingOnParamValues         Proper bounds checking was not performed on incoming parameter values.
incorrectDataType                   No validation was done to ensure user input matches the expected data type.
inputLengthNotChecked               User input length is not limited, thereby enabling buffer overflows.
errorMessagesReturned               Exceptions and error messages, which may contain sensitive debugging information, are presented to users.
debugInfoInHtmlSource               Debugging information was left by the programmer in web pages.
backDoorLeftBehind                  A backdoor or a debugging option was left behind by programmers.
clientSideValidation                User input validation is done at the client side and may be bypassed.
usOfClientSideLogic                 The web application uses client-side logic to create web pages.
cookiesCreatedAtClientSide          Cookies are created at the client side.
javaScriptPassWordMechanism         The web application uses client-side password authentication.
sqlBuiltByJavaScript                The web application uses client-side logic to create SQL queries.
dotDotNotSanitized                  User input is not checked for the '..' string.
weakTokenUsed                       A weak token algorithm is used by the web application.
missingPatchesForThirdPartyProds    Latest patches or hotfixes for 3rd party products were not installed.
sampleScriptsFound                  Default sample scripts or directories were installed on the web site.
insecureThirdPartySoftware          Vulnerable third party software, which does not have a known patch, is installed on the web site.
directoryBrowsingEnabled            Directory browsing is enabled.
managementConsoleAccess             The web management console is accessible from the web.
insecureWebServerConfiguration      The web server or application server is configured in an insecure way.
frontPageServerUnsecureInstall      FrontPage server extensions were installed with improper security settings.
insecureWebAppConfiguration         Insecure web application programming or configuration.
vulnSOAPserializer                  The SOAP serializer used by your web services server does not validate SOAP input properly.
sensitiveDataNotSSL                 Sensitive input fields such as usernames, passwords, and credit card numbers are passed unencrypted.
nonSecureCookiesSentOverSSL         The web application sends non-secure cookies over SSL.
sessionCookieNotRAM                 The web application stores sensitive session information in a permanent cookie (on disk).
redirectionFromWithinSite           The web application performs a redirection to an external site.
List of risks

Risk Name                       Description
tempScriptDownload              It is possible to download temporary script files, which may expose the application logic and other sensitive information such as usernames and passwords.
sourceCodeDisclosure            It is possible to retrieve the source code of server-side scripts, which may expose the application logic and other sensitive information such as usernames and passwords.
pathDisclosure                  It is possible to retrieve the absolute path of the web server installation, which may help an attacker to develop further attacks and to gain information about the file system structure of the web application.
directoryListing                It is possible to view and download the contents of certain web application virtual directories, which may contain restricted files.
envVariablesExposure            It is possible to expose server environment variables, which may help an attacker to develop further attacks against the web application.
anyFileDownload                 It is possible to view the contents of any file (e.g. databases, user information or configuration files) on the web server (under the permission restrictions of the web server user).
userImpersonation               It is possible to steal customer sessions and cookies, which may be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user.
remoteCommandExecution          It is possible to execute remote commands on the web server. This usually means complete compromise of the server and its contents.
cacheFilesDownload              It is possible to view the contents of cache files, which may contain sensitive information regarding the web application.
debugErrorInformation           It is possible to gather sensitive debugging information.
eShoplifting                    It is possible to steal goods or services (eShoplifting).
denialOfService                 It is possible to prevent the web application from serving other users (denial of service).
privilegeEscalation             It is possible to escalate user privileges and gain administrative permissions over the web application.
genericWorstCase                It is possible to undermine application logic.
confgurationFileDownloadable    It is possible to download or view the contents of a configuration file, which may contain vital information such as usernames and passwords.
sensitiveInformation            It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations.
genericWorstCaseJavaScript      It is possible to exploit JavaScript™; the extent of the risk depends on the context of the page modified at the client side.
databaseManipulations           It is possible to view, modify or delete database entries and tables (SQL Injection).
authBypass                      It is possible to bypass the web application's authentication mechanism.
siteStructureRevealed           It is possible to retrieve information about the site's file system structure, which may help the attacker to map the web site.
publisherInformationRevealed    It is possible to retrieve sensitive FrontPage publishing information.
dataResourceDownload            It is possible to access information stored in a sensitive data resource.
sensitiveNotOverSSL             It is possible to steal sensitive data such as credit card numbers, social security numbers etc. that are sent unencrypted.
loginNotOverSSL                 It is possible to steal user login information such as usernames and passwords that are sent unencrypted.
unsecureCookieInSSL             It is possible to steal user and session information (cookies) that was sent during an encrypted session.
sessionCookieNotRAM             It is possible to steal session information (cookies) that was kept on disk as permanent cookies.
phishing                        It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number etc.
List of threat classes

Threat class                                          Description
Authentication: Brute Force                           An automated process of trial and error used to guess a person's username, password, credit-card number or cryptographic key.
Authentication: Insufficient Authentication           Occurs when a web site permits an attacker to access sensitive content or functionality without having to properly authenticate.
Authentication: Weak Password Recovery Validation     Occurs when a web site permits an attacker to illegally obtain, change or recover another user's password.
Authorization: Credential/Session Prediction          A method of hijacking or impersonating a web site user, by deducing or guessing the unique value that identifies a particular session or user.
Authorization: Insufficient Authorization             When a web site permits access to sensitive content or functionality that should require increased access control restrictions.
Authorization: Insufficient Session Expiration        When a web site permits an attacker to reuse old session credentials or session IDs for authorization.
Authorization: Session Fixation                       An attack technique that forces a user's session ID to an explicit value. After a user's session ID has been fixed, the attacker will wait for them to login. Once the user does so, the attacker uses the predefined session ID value to assume their online identity.
Client-side Attacks: Content Spoofing                 An attack technique used to trick a user into believing that certain content appearing on a web site is legitimate and not from an external source.
Client-side Attacks: Cross-site Scripting             An attack technique that forces a web site to echo attacker-supplied executable code, which loads in a user's browser.
Command Execution: Buffer Overflow                    Attacks that alter the flow of an application by overwriting parts of memory with data that exceeds the allocated size of the buffer.
Command Execution: Format String Attack               Attacks that alter the flow of an application by using string formatting library features to access other memory space.
Command Execution: LDAP Injection                     An attack technique used to exploit web sites that construct LDAP statements from user-supplied input.
Command Execution: OS Commanding                      An attack technique used to exploit web sites by executing Operating System commands through manipulation of application input.
Command Execution: SQL Injection                      An attack technique used to exploit web sites that construct SQL statements from user-supplied input.
Command Execution: SSI Injection                      A server-side exploit technique that allows an attacker to send code into a web application, which will later be executed locally by the web server.
Command Execution: XPath Injection                    An attack technique used to exploit web sites that construct XPath queries from user-supplied input.
Information Disclosure: Directory Indexing            Unintended directory listings may be possible due to software vulnerabilities combined with a specific web request.
Information Disclosure: Information Leakage           When a web site reveals sensitive data, such as developer comments or error messages, which may aid an attacker in exploiting the system.
Information Disclosure: Path Traversal                A technique that forces access to files, directories, and commands that potentially reside outside the web document root directory.
Information Disclosure: Predictable Resource Location An attack technique used to uncover hidden web site content and functionality, by making educated guesses.
Logical Attacks: Abuse of Functionality               An attack technique that uses a web site's own features and functionality to consume, defraud, or circumvent access control mechanisms.
Logical Attacks: Denial of Service                    An attack technique with the intent of preventing a web site from serving normal user activity.
Logical Attacks: Insufficient Anti-automation         When a web site permits an attacker to automate a process that should only be performed manually.
Logical Attacks: Insufficient Process Validation      When a web site permits an attacker to bypass or circumvent the intended flow control of an application.
Application Privacy Tests                             n/a
Application Quality Tests                             n/a
User-Defined Tests                                    n/a
VII – TOOLS