[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Thoughts on WAS Test
All,

I drew the diagram on my tablet. This is the background information or theory I want to think through thoroughly before I put it into a VulnXML-like definition for WAS Test.

I separated web application test into three parts: Analyze, Test and Remediation.

Analyze means functional analysis, attack graph, and threat/risk analysis, then moving on to building an attack matrix (or attack planning). The result should be a test description in WAS Test XML format.

In the WAS test element, my thought is that, from the abstract level of web application testing, the fundamental element is an HTTP Request, then an HTTP Response. Multiple requests and responses form a 'session' element (or threadgroup, as others may call it). Each session can contain a different combination of HTTP Request and Response, so you can do differential analysis or a session fixation test. And then you can also define a Request -> 302 Response session to be a customized 404 or something like that. So the diagram should look like (from highest level to lowest level): Test -> Session -> Request + Response -> Test pattern.

In each HTTP Request as a test element, we should have something called a 'test pattern' as the data to be put in the HTTP headers or body (or even a SOAP request). A test pattern could include, say, long buffer data, a Unicode representation of data, or just rules (like a regular expression) to define what the test pattern data should look like.

So my approach is that I'm trying to understand the philosophy behind VulnXML, and then I'm trying to build my thoughts first (or theory background) before I go on to design the XML elements. I'm thinking about how I am going to describe a test for the MS Passport password reset problem under this model. The idea might be to define a "Function state test" which takes a normal session from a function, then generates test sessions for each state with a different test pattern.

As to remediation, basically it is the way to describe the findings from the test phase and have some other program respond. I think that will be the responsibility of WAS Protect.

The drawing is not really too good. Please bear with that.

Best Regards,
... Yen-Ming Chen
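As an added illustration (not code from the post above or from the WAS TC), the following Python sketch models the proposed hierarchy, Test -> Session -> Request + Response -> Test pattern, and the "function state test" idea: a baseline session is taken from a function and one test session is derived per state and per test pattern, with a differential check over responses. All class and function names are hypothetical.

```python
# Added example, not part of the original post: a small model of the
# Test -> Session -> Request + Response -> Test pattern hierarchy.
from dataclasses import dataclass, field, replace
from typing import Optional

@dataclass
class Request:
    method: str
    path: str
    params: dict = field(default_factory=dict)

@dataclass
class Response:
    status: int
    body: str

@dataclass
class Session:            # ordered list of (Request, Response or None)
    name: str
    steps: list

@dataclass
class TestPattern:        # data substituted into a request parameter
    name: str
    payload: str

# Constructed sample patterns: a long buffer and a Unicode representation.
PATTERNS = [
    TestPattern("long_buffer", "A" * 4096),
    TestPattern("unicode", "\u00e9\u4e2d\ufeff"),
]

def function_state_tests(baseline: Session, param: str, patterns=PATTERNS):
    """Derive one test session per state (step) and pattern by replacing
    `param` in that step only; the other steps stay as in the baseline."""
    tests = []
    for i, (req, _) in enumerate(baseline.steps):
        if param not in req.params:
            continue            # this state does not carry the parameter
        for p in patterns:
            mutated = replace(req, params={**req.params, param: p.payload})
            steps = list(baseline.steps)
            steps[i] = (mutated, None)   # response to be filled when run
            tests.append(Session(f"{baseline.name}/state{i}/{p.name}", steps))
    return tests

def differential(base: Response, test: Response, tolerance: float = 0.2) -> dict:
    """Differential analysis: a status change or a body-length change beyond
    `tolerance` (relative to the baseline body) is flagged as a finding."""
    ratio = abs(len(test.body) - len(base.body)) / max(len(base.body), 1)
    return {"status_changed": base.status != test.status,
            "length_changed": ratio > tolerance}
```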