Page 612 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

Assess and Mitigate Vulnerabilities in Web-Based Systems


There is a wide variety of application and system vulnerabilities and threats in web-based systems, and the range is constantly expanding.

Vulnerabilities include concerns related to Extensible Markup Language (XML) and Security Assertion Markup Language (SAML), plus many other concerns discussed by the open, community-focused web project known as the Open Web Application Security Project (OWASP).

OWASP is a nonprofit security project focused on improving the security of online or web-based applications. OWASP is not just an organization; it is also a large community that works together to freely share information, methodology, tools, and techniques related to better coding practices and more secure deployment architectures. For more information on OWASP and to participate in the community, visit www.owasp.org. The OWASP group maintains a checklist of recommendations for assessing the security of a web application, the Web Application Security Testing Cheat Sheet, at https://www.owasp.org/index.php/Web_Application_Security_Testing_Cheat_Sheet.

OWASP also maintains the OWASP Top 10, a list of the most critical web application security risks, at https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf. Both of these documents are a reasonable starting point for planning a security evaluation or penetration test of an organization's web services.

Any security evaluation should start with reconnaissance, or information gathering. The goal of this step is to collect as much information as possible about the target for later steps to use. This usually includes viewing each of the hosted web pages, discovering the server and application technologies in use, looking for information that should not have been posted, and checking for configuration and security leaks. This is followed by an assessment of the site's configuration management (such as file handling, extensions in use, backups, and sensitive data in client-side code) and an evaluation of the site's transmission security (such as checking for Secure Sockets Layer (SSL)/Transport
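The reconnaissance and configuration checks described above can be partly automated. The script below is an added example written for this page, not code from the study guide or from OWASP. It runs passive checks over a single captured HTTP response: it fingerprints the server-side technology from response headers and default session-cookie names, scans the HTML and inline script for comments, references to backup or temporary files, and hard-coded credentials, and flags transmission-security weaknesses visible in the response (no Strict-Transport-Security header, cookies set without Secure/HttpOnly, forms that post over cleartext HTTP). The response, the host example.test, the header values and the key string are constructed for the example; AKIAIOSFODNN7EXAMPLE is the documentation placeholder AWS publishes, not a live key.

```python
"""Passive reconnaissance checks over one captured HTTP response (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed sample response, as an intercepting proxy might capture it.
# Host, header values and the key string are made up for this example.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.2.24\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/\r\n"
    "\r\n"
    "<html><head>\n"
    "<!-- TODO: remove before prod, admin backup at /backup/site.tar.gz -->\n"
    "<script>\n"
    '  var apiKey = "AKIAIOSFODNN7EXAMPLE";\n'
    "</script>\n"
    "</head><body>\n"
    '<form action="http://example.test/login" method="post">\n'
    '  <input name="user"><input type="password" name="pass">\n'
    "</form>\n"
    '<a href="/config.php.bak">old config</a>\n'
    "</body></html>\n"
)

# Default session-cookie names that identify the server-side platform.
COOKIE_FINGERPRINTS = {
    "PHPSESSID": "PHP",
    "JSESSIONID": "Java servlet container",
    "ASP.NET_SessionId": "ASP.NET",
}

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
# Paths ending in a backup/temp extension or an editor tilde suffix.
BACKUP_RE = re.compile(r"[\w./-]+\.(?:bak|old|orig|swp|sql|zip|tar\.gz)\b|[\w./-]+~")
# Heuristic: a credential-like name assigned a quoted literal of 8+ characters.
SECRET_RE = re.compile(
    r"""(?i)\b(?:api[_-]?key|secret|password|token)\b\s*[:=]\s*["']([^"']{8,})["']"""
)
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")  # shape of an AWS access key ID
FORM_HTTP_RE = re.compile(r"""<form[^>]*\baction\s*=\s*["'](http://[^"']+)["']""", re.I)


def parse_response(raw: str) -> Tuple[str, Dict[str, List[str]], str]:
    """Split a raw HTTP/1.x response into status line, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, List[str]] = {}  # repeated headers (Set-Cookie) kept as a list
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def fingerprint(headers: Dict[str, List[str]]) -> List[str]:
    """Identify server/application technologies from headers and cookie names."""
    techs = [f"{name}: {value}"
             for name in ("server", "x-powered-by", "x-aspnet-version", "x-generator")
             for value in headers.get(name, [])]
    for cookie in headers.get("set-cookie", []):
        cookie_name = cookie.split("=", 1)[0].strip()
        if cookie_name in COOKIE_FINGERPRINTS:
            techs.append(f"cookie {cookie_name}: {COOKIE_FINGERPRINTS[cookie_name]}")
    return techs


def find_leaks(body: str) -> List[str]:
    """Look for information in client-side code that should not have been published."""
    findings = [f"html comment: {m.group(1).strip()}" for m in COMMENT_RE.finditer(body)]
    findings += [f"backup/temp file reference: {m.group(0)}" for m in BACKUP_RE.finditer(body)]
    findings += [f"hard-coded credential in client-side code: {m.group(0)}"
                 for m in SECRET_RE.finditer(body)]
    findings += [f"AWS access key id pattern: {m.group(0)}" for m in AWS_KEY_RE.finditer(body)]
    return findings


def check_transport(headers: Dict[str, List[str]], body: str) -> List[str]:
    """Flag transmission-security weaknesses visible in a single response."""
    findings = []
    if "strict-transport-security" not in headers:
        findings.append("no Strict-Transport-Security header (HSTS not enforced)")
    for cookie in headers.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {name} set without Secure flag")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} set without HttpOnly flag")
    for m in FORM_HTTP_RE.finditer(body):
        findings.append(f"form submits over cleartext HTTP: {m.group(1)}")
    return findings


def assess(raw: str) -> Dict[str, object]:
    """Run all passive checks over one captured response and group the results."""
    status, headers, body = parse_response(raw)
    return {"status": status, "technologies": fingerprint(headers),
            "leaks": find_leaks(body), "transport": check_transport(headers, body)}


if __name__ == "__main__":
    for section, items in assess(SAMPLE_RESPONSE).items():
        print(section, "->", items)
```

Run the script directly to print a report for the embedded sample. In a real assessment, feed it responses captured by an intercepting proxy instead, and treat every regex hit as a lead to confirm by hand: pattern-based checks of this kind produce false positives, and a missing HSTS header or an http:// form action on one page only proves that page's configuration, not the site's.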