Testing for configuration management

Often analysis of the infrastructure and topology architecture can reveal a great deal about a web application. Information such as source code, HTTP methods permitted, administrative functionality, authentication methods and infrastructural configurations can be obtained.

4.3.1 SSL/TLS Testing

SSL and TLS are two protocols that provide, with the support of cryptography, secure channels for the protection, confidentiality, and authentication of the information being transmitted. Considering the criticality of these security implementations, it is important to verify the usage of a strong cipher algorithm and its proper implementation.

4.3.2 DB Listener Testing

During the configuration of a database server, many DB administrators do not adequately consider the security of the DB listener component. The listener could reveal sensitive data as well as configuration settings or running database instances if insecurely configured and probed with manual or automated techniques. Information revealed will often be useful to a tester serving as input to more impacting follow-on tests.

4.3.3 Application Configuration Management Testing

Web applications hide some information that is usually not considered during the development or configuration of the application itself. This data can be discovered in the source code, in the log files or in the default error codes of the web servers. A correct approach to this topic is fundamental during a security assessment.

4.3.4 Testing for misconfiguration

4.3.5 Testing for File Extensions Handling

The file extensions present in a web server or a web application make it possible to identify the technologies which compose the target application, e.g. jsp and asp extensions. File extensions can also expose additional systems connected to the application.

4.3.6 Old, Backup and Unreferenced Files

Redundant, readable and downloadable files on a web server, such as old, backup and renamed files, are a big source of information leakage. It is necessary to verify the presence of these files because they may contain parts of source code, installation paths as well as passwords for applications and/or databases.

4.3.7 Infrastructure and Application Admin Interfaces

4.3.8 Testing for HTTP Methods and XST