
Test Results

Please note that the individual test results are not available on-line for this report.

If you wish to read these, they are available in the complete report, which is only available to purchase from our on-line store.


Sample Test Results

Section 1 - Detection Engine

Test 1.1 - Attack Recognition

Test ID | Attack Category | Description | Custom? | Pass/Fail
1.1.1 | Buffer Overflows | Attempt to overflow input field on form | |
1.1.2 | Hidden Field Tampering | Change price in hidden field after SUBMIT | |
1.1.3 | Cross Site Scripting (GET) | Attempt to display document cookie via script in URL | |
1.1.4 | Cross Site Scripting (POST) | Enter script in input field on e-mail submission form | |
1.1.5 | Parameter Tampering | Alter target e-mail address on e-mail submission form after SUBMIT | |
1.1.6 | Buffer Overflows | Restrict size of message returned in e-mail submission form | |
1.1.7 | Input Validation | Change validated values after SUBMIT (product should enforce same field validation) | |
1.1.8 | Injection Flaws | Enter ..\..\..\<filename> when selecting from list of files on-screen | |
1.1.9 | Broken Authentication | Remove parameter field after SUBMIT | |
1.1.10 | Broken Authentication | Change USER or ROLE after SUBMIT | |
1.1.11 | Cookie Poisoning | Add AuthCookie=******** to Cookie: header | |
1.1.12 | Cookie Poisoning | Modify Cookie after SUBMIT | |
1.1.13 | Cookie Poisoning | Modify Cookie file after it has been stored on local hard drive | |
1.1.14 | Cross Site Scripting (POST) | Enter script in message field on guestbook form | |
1.1.15 | Cross Site Scripting (POST) | Enter script in USER field on guestbook form | |
1.1.16 | Injection Flaws | Attempt local directory listing (concatenate OS commands when accessing local OS) | |
1.1.17 | SQL Injection | Attempt to list all entries of database - enter SQL commands in URL | |
1.1.18 | SQL Injection | Attempt to list all entries of database - enter SQL commands in input field | |
1.1.19 | Broken Authentication | Remove PASSWORD field after SUBMIT (fail-open authentication) | |
1.1.20 | Invalid Request | Attempt a non-HTTP connection or chunked request | |
1.1.21 | Invalid Request | Attempt a disallowed method (HEAD instead of GET) | |
1.1.22 | Invalid Request | Enter invalid server ID in HTTP/1.1 HOST header field | |
1.1.23 | Invalid Request | Submit request containing shell code | |
1.1.24 | Forceful Browsing | Attempt to access disallowed Web page directly | |
1.1.25 | Forceful Browsing | Attempt to access “sample” Web site directly | |
1.1.26 | Forceful Browsing | Attempt to subvert application flow - change STEP number directly in URL | |
1.1.27 | Forceful Browsing | Attempt to subvert application flow - change STEP number after SUBMIT | |
1.1.28 | Parameter Tampering | Change submitted parameter directly in URL | |
1.1.29 | Information Disclosure | Filter/replace server banners | |
1.1.30 | Information Disclosure | Strip comments from HTML/Java code | |
1.1.31 | Common Exploits | Attempt common HTTP exploits (test-cgi, PHF, etc.) | |
Total | | | |

Section 2 - Evasion Techniques

Test 2.1 - URL Obfuscation

Test ID | Evasion Technique | Detected? | Decoded? | Blocked?
2.1.1 | URL encoding | | |
2.1.2 | /./ directory insertion | | |
2.1.3 | Premature URL ending | | |
2.1.4 | Long URL | | |
2.1.5 | Fake parameter | | |
2.1.6 | TAB separation | | |
2.1.7 | Case sensitivity | | |
2.1.8 | Windows \ delimiter | | |
2.1.9 | Session splicing | | |
Total | | | |

Section 3 - Performance Under Load - No Security Policy

Test 3.1 - UDP traffic to random valid ports (not port 80)

Test ID | Packet size | Packets per second (pps) | Max throughput
3.1.1 | | |
3.1.2 | | |
3.1.3 | | |

Test 3.2 - Maximum capacity HTTP traffic

Test ID | Packet Size (Bytes) | Response size (Mbytes) | Total no. response packets | HTTP response (ms) | Max conns per sec (cps) | Max packets per sec | Max throughput (Mbps)
3.2.1 | | | | | | |
3.2.2 | | | | | | |
3.2.3 | | | | | | |
3.2.4 | | | | | | |
3.2.5 | | | | | | |

Section 4 - Performance Under Load - Security Policy Applied

Test 4.1 - Standard Spirent Avalanche Traffic

Test ID | Traffic profile | Metric | 25% | 50% | 75% | Max
4.1.1 | 1000 byte packets - 44KByte response | Connections Per Second (cps) | | | |
 | | HTTP response time per transaction (ms) | | | |
 | | Throughput (Mbps) | | | |
4.1.2 | 550 byte packets - 22KByte response | Connections Per Second (cps) | | | |
 | | HTTP response time per transaction (ms) | | | |
 | | Throughput (Mbps) | | | |
4.1.3 | 440 byte packets - 11KByte response | Connections Per Second (cps) | | | |
 | | HTTP response time per transaction (ms) | | | |
 | | Throughput (Mbps) | | | |
4.1.4 | 360 byte packets - 5KByte response | Connections Per Second (cps) | | | |
 | | HTTP response time per transaction (ms) | | | |
 | | Throughput (Mbps) | | | |
4.1.5 | 285 byte packets - 2KByte response | Connections Per Second (cps) | | | |
 | | HTTP response time per transaction (ms) | | | |
 | | Throughput (Mbps) | 3 | 6 | 9 | 12

Test 4.2 - NSS Home Page - No Images Loaded

Test ID | Traffic profile | Metric | 25% | 50% | 75% | Max
4.2.1 | 440 byte packets - 11KByte response | Simulated users | | | |
 | | Transactions per second (tps) | | | |
 | | HTTP response time per URL/page (ms) | | | |
 | | Throughput (Mbps) | | | |

Test 4.3 - NSS Home Page - Plus 10 Associated Images Loaded

Test ID | Traffic profile | Metric | 25% | 50% | 75% | Max
4.3.1 | 360 byte packets - 42KByte response | Simulated users | | | |
 | | Transactions per second (tps) | | | |
 | | HTTP response time per URL/page (ms) | | | |
 | | Throughput (Mbps) | | | |

Test 4.4 - Maximum Open Connections

Test ID | Test Description | Result
4.4.1 | Maximum simultaneous open TCP connections |

Section 5 - Latency & User Response Times

Test ID | Test Description | Packet Size | Network Load 250Mbps | Network Load 500Mbps | Network Load 750Mbps | Network Load 1Gbps
5.1.1 | Average latency (µs) with no background traffic | | | | |

Section 6 - Stability & Reliability

Test ID | Test Description | Result
6.1.1 | Blocking Under Extended Attack |
6.1.2 | Passing legitimate traffic under extended attack |
6.1.3 | ISIC/ESIC/TCPSIC/UDPSIC/ICMPSIC |

Section 7 - Management Interface

Test ID | Test Description | Result
7.1.1 | Open Ports |
7.1.2 | ISIC/ESIC/TCPSIC/UDPSIC/ICMPSIC |

 


Copyright © 1991-2005 The NSS Group Ltd.
All rights reserved.