4.10 Business Logic Testing
Evidence:
4.10.3 Test Integrity Checks
Evidence:
4.10.4 Test for Process Timing
Evidence:
Study the application's logical requirements.
Prepare a library of files that are “not approved” for upload, such as jsp files, exe files, or HTML files containing script.
In the application, navigate to the file submission or upload mechanism.
Submit each “not approved” file for upload and verify that it is properly rejected.
Check whether the website performs the file type check only in client-side JavaScript.
Check whether the website checks the file type only by the “Content-Type” header of the HTTP request.
Check whether the website checks only the file extension.
Check whether other uploaded files can be accessed directly via a specified URL.
Check whether an uploaded file can carry injected code or script.
Check whether there is any file path checking for uploaded files. In particular, attackers may compress files with a specified path inside a ZIP archive so that, after upload and extraction, the unzipped files land in the intended path.
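The checks above describe how to test an upload mechanism. The following Python is an added example (not part of this report template or of the OWASP WSTG) of the server-side validation that closes each gap: an extension allowlist, a signature check on the actual bytes instead of trust in the Content-Type header, a content-hash storage name so a file cannot be fetched by guessing its original name, and a path check on every ZIP entry. The accepted types, their signatures and the sample uploads are constructed assumptions for the example.

```python
import hashlib
import io
import posixpath
import zipfile

# Assumed allowlist: the extensions the application accepts, each paired with
# the leading bytes a genuine file of that type must carry.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",
}
EXPECTED_CONTENT_TYPE = {
    "png": "image/png", "jpg": "image/jpeg",
    "pdf": "application/pdf", "zip": "application/zip",
}

class UploadRejected(Exception):
    """Raised with a short reason when an upload fails a server-side check."""

def safe_extension(filename):
    # Drop any directory part the client sent; only the bare name matters.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if "\x00" in name or "." not in name:
        raise UploadRejected("missing or malformed extension")
    ext = name.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension .{ext} not in allowlist")
    return ext

def check_magic(ext, data):
    # The decisive test is the file content, not the name or the header.
    if not data.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected(f"content does not match .{ext} signature")

def check_zip_paths(data):
    # Every archive entry must extract inside the target directory.
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            entry = info.filename.replace("\\", "/")
            if entry.startswith("/") or (len(entry) > 1 and entry[1] == ":"):
                raise UploadRejected(f"absolute path in archive: {info.filename}")
            norm = posixpath.normpath(entry)
            if norm == ".." or norm.startswith("../"):
                raise UploadRejected(f"path traversal in archive: {info.filename}")

def validate_upload(filename, content_type, data):
    """Validate an upload server-side and return the name to store it under.

    The client-supplied Content-Type is compared as defence in depth but is
    never sufficient on its own. The stored name is derived from the content
    hash, so an upload cannot be located by guessing its original filename.
    """
    ext = safe_extension(filename)
    if content_type != EXPECTED_CONTENT_TYPE[ext]:
        raise UploadRejected(f"Content-Type {content_type!r} does not match .{ext}")
    check_magic(ext, data)
    if ext == "zip":
        check_zip_paths(data)
    return hashlib.sha256(data).hexdigest() + "." + ext

def build_sample_zip(entry_names):
    # Constructed test archive; each entry holds one short line of text.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entry_names:
            zf.writestr(name, "sample\n")
    return buf.getvalue()

def run_checks():
    # Constructed sample uploads, one per weakness in the checklist.
    samples = [
        ("photo.png", "image/png", ALLOWED_TYPES["png"] + b"\x00" * 16),
        ("shell.jsp", "image/png", b"<%-- placeholder --%>"),            # extension not allowed
        ("page.png", "image/png", b"<html><script>1</script></html>"),   # name and header lie about content
        ("report.pdf", "image/png", b"%PDF-1.4 "),                       # header does not match extension
        ("bundle.zip", "application/zip", build_sample_zip(["docs/readme.txt"])),
        ("slip.zip", "application/zip", build_sample_zip(["../../outside.txt"])),
    ]
    results = {}
    for name, content_type, data in samples:
        try:
            results[name] = "accepted as " + validate_upload(name, content_type, data)
        except UploadRejected as exc:
            results[name] = "rejected: " + str(exc)
    return results

if __name__ == "__main__":
    for name, outcome in run_checks().items():
        print(f"{name:12s} {outcome}")
```

Only the first and fifth samples pass; each of the others is turned away by the check that corresponds to the step it probes, which is the behaviour a tester should expect to see when the application is sound.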
Evidence:
Try to upload an EICAR test file and then try to access it.
Evidence: