OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

was message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Thoughts on WAS Test


I drawed the diagram on my tablet. And this is the background information or
theory I want to think throughly before I put them into VulnXML like definition
for WAS Test:

I separated web application test into three parts: Analyze, Test and

Analyze means functional analysis, attack graph, and threat/risk analysis then
move on to building attack matrix (or attack planning). The result should be a
test description in WAS Test XML format.

In the WAS test element, my thought is that from the abstract level of web
application testing, the fundamental element is an HTTP Request, then HTTP
Response. Multiple requests and responses form a 'session' element (or
threadgroup as others may call it). Each session can contain different
combination of HTTP Request and Response so you can do differential analysis,
or session fixation test. And then you can also define a Request -> 302
Response session to be a customized 404 or something like that. So the diagram
should look like (from highest level to lowest level): Test -> Session ->
Request + Response -> Test pattern. 

In each HTTP Request as a test element, we should have something call 'test
pattern' as the data to be put in the HTTP headers or body (or even SOAP
request). Test pattern could include say long buffer data, unicode
representation of data, or just rules (like regular expression) to define what
test pattern should the data looks like.

So my approach is that I'm trying to understand what is the philosophy behind
VulnXML, and then I'm trying to build my thought first (or theory background)
before I go on to design the XML elements. 

I'm thinking how am I going to describe a test for MS Passport password reset
problem under this model. The idea might be to define a "Function state test"
which take a normal session from a function, then generate test sessions for
each state with different test pattern.

As to remediation, basically it is the way to describe the finding from the
test phase and have some other program to respond. I think that will be the
responsibility of WAS Protect. 

The drawing is not really too good. Please bear with that.

Best Regards,


Yen-Ming Chen


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]