Mudanças entre as edições de "Transporte 1.1.1.21"

Edição das 19h10min de 23 de junho de 2016

Índice

1 Sistemas Verificados
2 Verificação de Segurança
- 2.1 Testes Realizados
- 2.2 Resultados
3 Verificação de Desempenho

Sistemas Verificados

Transporte Escolar, versão 1.1.1.21
Transporte Escolar Api, versão 1.0.0.0

Verificação de Segurança

Testes Realizados

Teste	Referência OWASP	Resultado
Review Webpage Comments and Metadata for Information Leakage	OTG-INFO-005	OK
Test Application Platform Configuration	OTG-CONFIG-002	NA
Test File Extensions Handling for Sensitive Information	OTG-CONFIG-003	OK
Review Old, Backup and Unreferenced Files for Sensitive Information	OTG-CONFIG-004	F
Test HTTP Methods	OTG-CONFIG-006	NA
Test HTTP Strict Transport Security	OTG-CONFIG-007	F
Test RIA cross domain policy	OTG-CONFIG-008	NA
Test Role Definitions	OTG-IDENT-001	NA
Test User Registration Process	OTG-IDENT-002	NA
Test Account Provisioning Process	OTG-IDENT-003	NA
Testing for Account Enumeration and Guessable User Account	OTG-IDENT-004	OK
Testing for Credentials Transported over an Encrypted Channel	OTG-AUTHN-001	F
Testing for default credentials	OTG-AUTHN-002	OK
Testing for Weak lock out mechanism	OTG-AUTHN-003	NA
Testing for Bypassing Authentication Schema	OTG-AUTHN-004	OK
Testing for Vulnerable Remember Password	OTG-AUTHN-005	NA
Testing for Browser cache weakness	OTG-AUTHN-006	OK
Testing for Weak password policy	OTG-AUTHN-007	NA
Testing for weak password change or reset functionalities	OTG-AUTHN-009	NA
Testing for Weaker authentication in alternative channel	OTG-AUTHN-010	NA
Testing Directory traversal/file include	OTG-AUTHZ-001	OK
Testing for Bypassing Authorization Schema	OTG-AUTHZ-002	F
Testing for Privilege escalation	OTG-AUTHZ-003	OK
Testing for Insecure Direct Object References	OTG-AUTHZ-004	F
Testing for Session Management Schema	OTG-SESS-001	F
Testing for cookies attributes	OTG-SESS-002	OK
Testing for Session Fixation	OTG-SESS-003	OK
Testing for Exposed Session Variables	OTG-SESS-004	OK
Testing for CSRF	OTG-SESS-005	F
Testing for logout functionality	OTG-SESS-006	F
Testing for Session Timeout	OTG-SESS-007	OK
Testing for Session puzzling	OTG-SESS-008	OK
Testing for Reflected Cross site scripting	OTG-INPVAL-001	OK
Testing for Stored Cross site scripting	OTG-INPVAL-002	OK
Testing for HTTP Verb Tampering	OTG-INPVAL-003	NA
Testing for HTTP Parameter pollution	OTG-INPVAL-004	OK
Testing for SQL Injection	OTG-INPVAL-005	OK
Testing for LDAP Injection	OTG-INPVAL-006	NA
Testing for XML Injection	OTG-INPVAL-008	NA
Testing for SSI Injection	OTG-INPVAL-009	NA
Testing for XPath Injection	OTG-INPVAL-010	NA
Testing for IMAP/SMTP Injection	OTG-INPVAL-011	NA
Testing for Code Injection	OTG-INPVAL-012	OK
Testing for Command Injection	OTG-INPVAL-013	OK
Testing for Buffer Overflow	OTG-INPVAL-014	NA
Testing for Incubated Vulnerability	OTG-INPVAL-015	OK
Testing for HTTP Splitting/Smuggling	OTG-INPVAL-016	OK
Testing for Information Disclosure	OTG-ERR-001, OTG-ERR-002	OK
Testing for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection	OTG-CRYPST-001	NA
Testing for Padding Oracle	OTG-CRYPST-002	NA
Testing for Sensitive information sent via unencrypted channels	OTG-CRYPST-003	NA
Tests of business logic	OTG-BUSLOGIC-001..009	OK
Testing for DOM-based Cross site scripting	OTG-CLIENT-001	OK
Testing for JavaScript Execution	OTG-CLIENT-002	OK
Testing for HTML Injection	OTG-CLIENT-003	OK
Testing for Client Side URL Redirect	OTG-CLIENT-004	F
Testing for CSS Injection	OTG-CLIENT-005	OK
Testing for Client Side Resource Manipulation	OTG-CLIENT-006	OK
Test Cross Origin Resource Sharing	OTG-CLIENT-007	OK
Testing for Cross site flashing	OTG-CLIENT-008	OK
Testing for Clickjacking	OTG-CLIENT-009	OK
Testing WebSockets	OTG-CLIENT-010	NA
Test Web Messaging	OTG-CLIENT-011	NA
Test Local Storage	OTG-CLIENT-012	NA

Resultados

Verificação de Desempenho

Observações sobre o teste

O CoreSSO utilizado inicialmente para os teste foi o indicado pela equipe do Transportes, copiado do TS-IIS02 e TS-BD. Contudo, o CoreSSO, apresentou problemas, dentre eles o não cadastro da tabela de layout padrão, gerando diversos erros. Desta forma, substituímos o banco e o site por outra versão indicada pela equipe do CoreSSO na época.

Vale ressaltar que o sistema conforme indicação da equipe do Transporte suportaria, em seu limite, o acesso simultâneo de 200 usuário com uma alta taxa de erro no momento de acesso ao sistema TransporteEscolar, tornando necessário a verificação e ajuste do SAML.

Cenário de uso

Cenário de uso #1
Ação realizada		Think Time (segundos)
1 - Acessar tela de login		3
1 - Realizar login		7
1 - Selecionar sistema Transporte Escolar		5
2 - Acessar tela de consulta de veículos		5
2 - Preencher aba "Documentação"		20
2 - Preencher aba "Aquisição"		7
2 - Preencher aba "Condutor"		38
2 - Preencher aba "Peças e acessórios"		25
2 - Preencher aba "Despesas"		15
2 - Salvar cadastro		5
3 - Logout		5

Resultado dos testes

Nesta seção serão apresentados os resultados obtidos da execução dos testes.

Porcentagem de tempo do processador

Descrição: Mede a saturação do processador e mostra a quantidade de tempo despendida para processar as threads por todas as CPUs.

Limite recomendado: Abaixo de 75 %.

2016-06-21 TransporteEscolar TempoDeProcessador.png

Porcentagem de memória utilizada

Descrição: Indica a porcentagem de memória utilizada para uso dos processos.

Limite recomendado: Abaixo de 75 %.

2016-06-21 TransporteEscolar MemoriaUtilizada.png

Kbytes totais pela interface de rede

Descrição: Indica quantos Bbytes foram enviados e recebidos a cada segundo pela interface de rede.

Limite recomendado: Menor que 5 Mbytes para uma rede de 100Mbps, menor que 50 Mbytes para uma rede de 1000 Mbps. (Quanto menor melhor)

2016-06-21 TransporteEscolar NetworkTotal.png

Tempo médio de resposta das requisições

Descrição: Indica o tempo médio de resposta das requisições.

Limite recomendado: 5 segundos.

2016-06-21 TransporteEscolar ResponseTime.png

Tempo de vazão

Descrição: Indica a quantidade total de request por segundo.

Limite recomendado: Quanto maior melhor.

Mudanças entre as edições de "Transporte 1.1.1.21"

Edição das 19h10min de 23 de junho de 2016

Índice

Sistemas Verificados

Verificação de Segurança

Testes Realizados

Resultados

Verificação de Desempenho

Observações sobre o teste

Cenário de uso

Resultado dos testes

Menu de navegação

Ferramentas pessoais

Domínios

Variantes

Visualizações

Mais

Pesquisa

Navegação

Ferramentas

@@ Linha 15: / Linha 15: @@
 |Review Webpage Comments and Metadata for Information Leakage
 |[https://www.owasp.org/index.php/Review_webpage_comments_and_metadata_for_information_leakage_(OTG-INFO-005) OTG-INFO-005]
-|Ok
+|OK
 |-
 |Test Application Platform Configuration
 |[https://www.owasp.org/index.php/Test_Application_Platform_Configuration_(OTG-CONFIG-002) OTG-CONFIG-002]
-|na
+|NA
 |-
 |Test File Extensions Handling for Sensitive Information
 |[https://www.owasp.org/index.php/Test_File_Extensions_Handling_for_Sensitive_Information_(OTG-CONFIG-003) OTG-CONFIG-003]
-|Ok
+|OK
 |-
 |Review Old, Backup and Unreferenced Files for Sensitive Information
@@ Linha 31: / Linha 31: @@
 |Test HTTP Methods
 |[https://www.owasp.org/index.php/Test_HTTP_Methods_(OTG-CONFIG-006) OTG-CONFIG-006]
-|na
+|NA
 |-
 |Test HTTP Strict Transport Security
@@ Linha 39: / Linha 39: @@
 |Test RIA cross domain policy
 |[https://www.owasp.org/index.php/Test_RIA_cross_domain_policy_(OTG-CONFIG-008) OTG-CONFIG-008]
-|na
+|NA
 |-
 |Test Role Definitions
 |[https://www.owasp.org/index.php/Test_Role_Definitions_(OTG-IDENT-001) OTG-IDENT-001]
-|na
+|NA
 |-
 |Test User Registration Process
 |[https://www.owasp.org/index.php/Test_User_Registration_Process_(OTG-IDENT-002) OTG-IDENT-002]
-|na
+|NA
 |-
 |Test Account Provisioning Process
 |[https://www.owasp.org/index.php/Test_Account_Provisioning_Process_(OTG-IDENT-003) OTG-IDENT-003]
-|na
+|NA
 |-
 |Testing for Account Enumeration and Guessable User Account
 |[https://www.owasp.org/index.php/Testing_for_Account_Enumeration_and_Guessable_User_Account_(OTG-IDENT-004) OTG-IDENT-004]
-|Ok
+|OK
 |-
 |Testing for Credentials Transported over an Encrypted Channel
@@ Linha 63: / Linha 63: @@
 |Testing for default credentials
 |[https://www.owasp.org/index.php/Testing_for_default_credentials_(OTG-AUTHN-002) OTG-AUTHN-002]
-|Ok
+|OK
 |-
 |Testing for Weak lock out mechanism
 |[https://www.owasp.org/index.php/Testing_for_Weak_lock_out_mechanism_(OTG-AUTHN-003) OTG-AUTHN-003]
-|na
+|NA
 |-
 |Testing for Bypassing Authentication Schema
 |[https://www.owasp.org/index.php/Testing_for_Bypassing_Authentication_Schema_(OTG-AUTHN-004) OTG-AUTHN-004]
-|Ok
+|OK
 |-
 |Testing for Vulnerable Remember Password
 |[https://www.owasp.org/index.php/Testing_for_Vulnerable_Remember_Password_(OTG-AUTHN-005) OTG-AUTHN-005]
-|na
+|NA
 |-
 |Testing for Browser cache weakness
 |[https://www.owasp.org/index.php/Testing_for_Browser_cache_weakness_(OTG-AUTHN-006) OTG-AUTHN-006]
-|Ok
+|OK
 |-
 |Testing for Weak password policy
 |[https://www.owasp.org/index.php?title=Testing_for_Weak_password_policy_(OTG-AUTHN-007)&setlang=en OTG-AUTHN-007]
-|na
+|NA
 |-
 |Testing for weak password change or reset functionalities
 |[https://www.owasp.org/index.php/Testing_for_weak_password_change_or_reset_functionalities_(OTG-AUTHN-009) OTG-AUTHN-009]
-|na
+|NA
 |-
 |Testing for Weaker authentication in alternative channel
 |[https://www.owasp.org/index.php/Testing_for_Weaker_authentication_in_alternative_channel_(OTG-AUTHN-010) OTG-AUTHN-010]
-|na
+|NA
 |-
 |Testing Directory traversal/file include
 |[https://www.owasp.org/index.php/Testing_Directory_traversal/file_include_(OTG-AUTHZ-001) OTG-AUTHZ-001]
-|Ok
+|OK
 |-
 |Testing for Bypassing Authorization Schema
@@ Linha 103: / Linha 103: @@
 |Testing for Privilege escalation
 |[https://www.owasp.org/index.php?title=Testing_for_Privilege_escalation_(OTG-AUTHZ-003)&setlang=en OTG-AUTHZ-003]
-|Ok
+|OK
 |-
 |Testing for Insecure Direct Object References
@@ Linha 115: / Linha 115: @@
 |Testing for cookies attributes
 |[https://www.owasp.org/index.php/Testing_for_cookies_attributes_(OTG-SESS-002) OTG-SESS-002]
-|Ok
+|OK
 |-
 |Testing for Session Fixation
 |[https://www.owasp.org/index.php/Testing_for_Session_Fixation_(OTG-SESS-003) OTG-SESS-003]
-|Ok
+|OK
 |-
 |Testing for Exposed Session Variables
 |[https://www.owasp.org/index.php/Testing_for_Exposed_Session_Variables_(OTG-SESS-004) OTG-SESS-004]
-|Ok
+|OK
 |-
 |Testing for CSRF
@@ Linha 135: / Linha 135: @@
 |Testing for Session Timeout
 |[https://www.owasp.org/index.php?title=Test_Session_Timeout_(OTG-SESS-007)&setlang=en OTG-SESS-007]
-|Ok
+|OK
 |-
 |Testing for Session puzzling
 |[https://www.owasp.org/index.php/Testing_for_Session_puzzling_(OTG-SESS-008) OTG-SESS-008]
-|Ok
+|OK
 |-
 |Testing for Reflected Cross site scripting
 |[https://www.owasp.org/index.php/Testing_for_Reflected_Cross_site_scripting_(OTG-INPVAL-001) OTG-INPVAL-001]
-|Ok
+|OK
 |-
 |Testing for Stored Cross site scripting
 |[https://www.owasp.org/index.php/Testing_for_Stored_Cross_site_scripting_(OTG-INPVAL-002) OTG-INPVAL-002]
-|Ok
+|OK
 |-
 |Testing for HTTP Verb Tampering
 |[https://www.owasp.org/index.php?title=Testing_for_HTTP_Verb_Tampering_(OTG-INPVAL-003)&setlang=en OTG-INPVAL-003]
-|na
+|NA
 |-
 |Testing for HTTP Parameter pollution
 |[https://www.owasp.org/index.php/Testing_for_HTTP_Parameter_pollution_(OTG-INPVAL-004) OTG-INPVAL-004]
-|Ok
+|OK
 |-
 |Testing for SQL Injection
 |[https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005) OTG-INPVAL-005]
-|Ok
+|OK
 |-
 |Testing for LDAP Injection
 |[https://www.owasp.org/index.php/Testing_for_LDAP_Injection_(OTG-INPVAL-006) OTG-INPVAL-006]
-|na
+|NA
 |-
 |Testing for XML Injection
 |[https://www.owasp.org/index.php?title=Testing_for_XML_Injection_(OTG-INPVAL-008)&setlang=en OTG-INPVAL-008]
-|na
+|NA
 |-
 |Testing for SSI Injection
 |[https://www.owasp.org/index.php?title=Testing_for_SSI_Injection_(OTG-INPVAL-009)&setlang=en OTG-INPVAL-009]
-|na
+|NA
 |-
 |Testing for XPath Injection
 |[https://www.owasp.org/index.php?title=Testing_for_XPath_Injection_(OTG-INPVAL-010)&setlang=en OTG-INPVAL-010]
-|na
+|NA
 |-
 |Testing for IMAP/SMTP Injection
 |[https://www.owasp.org/index.php/Testing_for_IMAP/SMTP_Injection_(OTG-INPVAL-011) OTG-INPVAL-011]
-|na
+|NA
 |-
 |Testing for Code Injection
 |[https://www.owasp.org/index.php?title=Testing_for_Code_Injection_(OTG-INPVAL-012)&setlang=en OTG-INPVAL-012]
-|Ok
+|OK
 |-
 |Testing for Command Injection
 |[https://www.owasp.org/index.php?title=Testing_for_Command_Injection_(OTG-INPVAL-013)&setlang=en OTG-INPVAL-013]
-|Ok
+|OK
 |-
 |Testing for Buffer Overflow
 |[https://www.owasp.org/index.php/Testing_for_Buffer_Overflow_(OTG-INPVAL-014) OTG-INPVAL-014]
-|na
+|NA
 |-
 |Testing for Incubated Vulnerability
 |[https://www.owasp.org/index.php?title=Testing_for_Incubated_Vulnerability_(OTG-INPVAL-015)&setlang=en OTG-INPVAL-015]
-|Ok
+|OK
 |-
 |Testing for HTTP Splitting/Smuggling
 |[https://www.owasp.org/index.php?title=Testing_for_HTTP_Splitting/Smuggling_(OTG-INPVAL-016)&setlang=en OTG-INPVAL-016]
-|Ok
+|OK
 |-
 |Testing for Information Disclosure
 |[https://www.owasp.org/index.php/Testing_for_Error_Code_(OTG-ERR-001) OTG-ERR-001], [https://www.owasp.org/index.php/Testing_for_Stack_Traces_(OTG-ERR-002) OTG-ERR-002]
-|Ok
+|OK
 |-
 |Testing for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection
 |[https://www.owasp.org/index.php/Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_(OTG-CRYPST-001) OTG-CRYPST-001]
-|na
+|NA
 |-
 |Testing for Padding Oracle
 |[https://www.owasp.org/index.php?title=Testing_for_Padding_Oracle_(OTG-CRYPST-002)&setlang=en OTG-CRYPST-002]
-|na
+|NA
 |-
 |Testing for Sensitive information sent via unencrypted channels
 |[https://www.owasp.org/index.php?title=Testing_for_Sensitive_information_sent_via_unencrypted_channels_(OTG-CRYPST-003)&setlang=en OTG-CRYPST-003]
-|na
+|NA
 |-
 |Tests of business logic
 |[https://www.owasp.org/index.php/Testing_for_business_logic OTG-BUSLOGIC-001..009]
-|Ok
+|OK
 |-
 |Testing for DOM-based Cross site scripting
 |[https://www.owasp.org/index.php/Testing_for_DOM-based_Cross_site_scripting_(OTG-CLIENT-001) OTG-CLIENT-001]
-|Ok
+|OK
 |-
 |Testing for JavaScript Execution
 |[https://www.owasp.org/index.php/Testing_for_JavaScript_Execution_(OTG-CLIENT-002) OTG-CLIENT-002]
-|Ok
+|OK
 |-
 |Testing for HTML Injection
 |[https://www.owasp.org/index.php/Testing_for_HTML_Injection_(OTG-CLIENT-003) OTG-CLIENT-003]
-|Ok
+|OK
 |-
 |Testing for Client Side URL Redirect
@@ Linha 239: / Linha 239: @@
 |Testing for CSS Injection
 |[https://www.owasp.org/index.php/Testing_for_CSS_Injection_(OTG-CLIENT-005) OTG-CLIENT-005]
-|Ok
+|OK
 |-
 |Testing for Client Side Resource Manipulation
 |[https://www.owasp.org/index.php/Testing_for_Client_Side_Resource_Manipulation_(OTG-CLIENT-006) OTG-CLIENT-006]
-|Ok
+|OK
 |-
 |Test Cross Origin Resource Sharing
 |[https://www.owasp.org/index.php/Test_Cross_Origin_Resource_Sharing_(OTG-CLIENT-007) OTG-CLIENT-007]
-|Ok
+|OK
 |-
 |Testing for Cross site flashing
 |[https://www.owasp.org/index.php?title=Testing_for_Cross_site_flashing_(OTG-CLIENT-008)&setlang=en OTG-CLIENT-008]
-|Ok
+|OK
 |-
 |Testing for Clickjacking
 |[https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009) OTG-CLIENT-009]
-|Ok
+|OK
 |-
 |Testing WebSockets
 |[https://www.owasp.org/index.php?title=Testing_WebSockets_(OTG-CLIENT-010)&setlang=en OTG-CLIENT-010]
-|na
+|NA
 |-
 |Test Web Messaging
 |[https://www.owasp.org/index.php?title=Test_Web_Messaging_(OTG-CLIENT-011)&setlang=en OTG-CLIENT-011]
-|na
+|NA
 |-
 |Test Local Storage
 |[https://www.owasp.org/index.php?title=Test_Local_Storage_(OTG-CLIENT-012)&setlang=en OTG-CLIENT-012]
-|na
+|NA
 |}