一、什么是渗透测试?
渗透测试(penet ration testing , pentest)是实施安全评估(即审计)的具体手段。
方法论是在制定、实施信息安全审计方案时,需要遵循的规则、惯例和过程。人们在评估网络、应用、系统或三者组合的安全状况时,不断摸索各种务实的理念和成熟的做法,并总结了一套理论一 渗透测试方法论。
二、渗透测试种类
1.黑盒测试
在进行黑盒测试时,安全审计员在不清楚被测单位的内部技术构造的情况下,从外部评估网络基础设施的安全性。
在渗透测试的各个阶段,黑盒测试借助真实世界的黑客技术,暴露出目标的安全问题,甚至可以揭露尚未被他人利用的安全弱点。
渗透测试人员应能理解安全弱点,将之分类并按照风险等级(高危、中危、低危、信息泄露)对其排序。通常来说,风险级别取决于相关弱点可能形成危害的大小。老练的渗透测试专家应能够确定可引发安全事故的所有攻击模式。
当测试人员完成黑盒测试的所有测试工作之后,他们会把与测试对象安全状况有关的必要信息进行整理,并使用业务的语言描述这些被识别出来的风险,继而将之汇总为书面报告。黑盒测试的市场报价通常高于白盒测试。
简而言之,渗透测试中的黑盒测试就是模拟真实的黑客攻击环境,所有的工作(如信息收集)都要由渗透测试工程师从头执行,这有助于验证我们的边界防护的有效性,同时需要的工作量和难度也会相应提升。
2.白盒测试
白盒测试的审计员可以获取被测单位的各种内部资料甚至不公开的资料,所以渗透测试人员的视野更为开阔。
若以白盒测试的方法评估安全漏洞,测试人员可以以自小的工作量达到最高的评估精确度。
白盒测试从被测系统环境自身出发,全面消除内部安全问题。从而增加了从单位外部渗透系统的难度。黑盒测试起不到这样的作用。白盒测试所需要的步骤数目与黑盒测试不相上下。
另外,若能够将白盒测试与常规的研发生命周期相结合,就可以在入侵者发现甚至利用安全弱点之前,尽可能最早地消除全部安全隐患,这使得白盒测试的事件、成本,以及发现、解决安全弱点的技术门槛都全面低于黑盒测试。
三、脆弱性评估与渗透测试
脆弱性评估通过分析企业资产面临安全威胁的情况和程度,评估内部和外部的安全控制的安全性。
这种技术上的信息系统评估,不仅揭露现有防范措施里存在的风险,而且要提出多重备选的补救策略,并将这些策略进行比较。
内部脆弱性评估可保证内部系统的安全性,而外部的脆弱性评估则是验证边界防护(perimeter defenses)的有效性。
无论内部脆弱性评估还是进行外部脆弱性评估,评估人员都会采用各种攻击模式来严格测试网络资产的安全性,从而验证信息系统处理安全威胁的能力,进而确定应对措施的有效性。
不同类别的脆弱性评估需要的测试流程、测试工具和自动化测试技术也不相同。这可通过一体化的安全弱点管控(vulnerability management)平台来实现。
现在的安全弱点管理平台带有可自动更新的漏洞数据库,能够测试不同类型的网络设备,而且不会影响配置管理和变更管理的完整性。
脆弱性评估和渗透测试两者最大的区别就是:渗透测试不仅要识别目标的弱点,它还设计在目标系统上进行漏洞利用、权限提升和访问维护。
换句话说,脆弱性评估虽然可以充分发现系统里的缺陷,但不会考虑去衡量这些缺陷对系统造成的危害。
另外,相比脆弱性评估,渗透测试更倾向于入侵,会刻意使用各种技术手段利用安全漏洞;所以渗透测试可能对生产环境带来实际的破坏性影响。而脆弱性评估以非入侵的方式,定性、定量得识别已知安全弱点。
四、开放式web 应用程序安全项目(Open Web Aplication Security Project ,OWASP)
OWASP是一个开放式的web应用程序安全项目,其中分别提供给了测试人员和开发人员《测试指南》和《开发指南》,我们可以通过阅读这两本指南来对web安全有更深的理解。
[https://www.owasp.org.cn/] 测试指南
[https://www.owasp.org/index.php/OWASP_Testing_Project] 开发人员指南
[OWASP Top Ten Web Application Security Risks | OWASP] 代码审查指南
五、OWASP_TOP_TEN 2021
- A01:2021-Broken Access Control moves up from the fifth position; 94% of applications were tested for some form of broken access control. The 34 Common Weakness Enumerations (CWEs) mapped to Broken Access Control had more occurrences in applications than any other category.
- A02:2021-Cryptographic Failures shifts up one position to #2, previously known as Sensitive Data Exposure, which was broad symptom rather than a root cause. The renewed focus here is on failures related to cryptography which often leads to sensitive data exposure or system compromise.
- A03:2021-Injection slides down to the third position. 94% of the applications were tested for some form of injection, and the 33 CWEs mapped into this category have the second most occurrences in applications. Cross-site Scripting is now part of this category in this edition.
- A04:2021-Insecure Design is a new category for 2021, with a focus on risks related to design flaws. If we genuinely want to “move left” as an industry, it calls for more use of threat modeling, secure design patterns and principles, and reference architectures.
- A05:2021-Security Misconfiguration moves up from #6 in the previous edition; 90% of applications were tested for some form of misconfiguration. With more shifts into highly configurable software, it’s not surprising to see this category move up. The former category for XML External Entities (XXE) is now part of this category.
- A06:2021-Vulnerable and Outdated Components was previously titled Using Components with Known Vulnerabilities and is #2 in the Top 10 community survey, but also had enough data to make the Top 10 via data analysis. This category moves up from #9 in 2017 and is a known issue that we struggle to test and assess risk. It is the only category not to have any Common Vulnerability and Exposures (CVEs) mapped to the included CWEs, so a default exploit and impact weights of 5.0 are factored into their scores.
- A07:2021-Identification and Authentication Failures was previously Broken Authentication and is sliding down from the second position, and now includes CWEs that are more related to identification failures. This category is still an integral part of the Top 10, but the increased availability of standardized frameworks seems to be helping.
- A08:2021-Software and Data Integrity Failures is a new category for 2021, focusing on making assumptions related to software updates, critical data, and CI/CD pipelines without verifying integrity. One of the highest weighted impacts from Common Vulnerability and Exposures/Common Vulnerability Scoring System (CVE/CVSS) data mapped to the 10 CWEs in this category. Insecure Deserialization from 2017 is now a part of this larger category.
- A09:2021-Security Logging and Monitoring Failures was previously Insufficient Logging & Monitoring and is added from the industry survey (#3), moving up from #10 previously. This category is expanded to include more types of failures, is challenging to test for, and isn’t well represented in the CVE/CVSS data. However, failures in this category can directly impact visibility, incident alerting, and forensics.
- A10:2021-Server-Side Request Forgery is added from the Top 10 community survey (#1). The data shows a relatively low incidence rate with above average testing coverage, along with above-average ratings for Exploit and Impact potential. This category represents the scenario where the security community members are telling us this is important, even though it’s not illustrated in the data at this time.
通用缺陷列表(CWE)
CWE-79:XSS漏洞
[http://cwe.mitre.org/data/definitions/79.html]
CWE-89:SQLi
[http://cwe.mitre.org/data/definitions/89.html]
通用漏洞与披露(CVE)
[http://cve.scap.org.cn/]
具体的某一个漏洞
[http://cve.mitre.org/]