As per the latest OWASP Guidelines (2019), a security assessor has to test against application platform configuration, dubbed OTG-CONFIG-002 in the OWASP Testing Guide v4.
Since OWASP is a Security Principle Guide rather than a security checklist which is meant to be validated & restricted to those steps only, I'm trying to figure out how I can prepare a step-wise security test case against Test Application Platform Configuration.
I understand I am supposed to look for sensitive exposure of log files in directories, unprotected web server component(s) & such; however, is there any reference to a tool which could be used in order for me to establish that goal?
Example: Suppose an external attacker is attempting to cause triggered errors via input validation violation(s), & these errors might just be logged for reference purposes. How do I attempt to figure out (using a security tool, open-source security tools, Google hacking, etc.) how/where logs are being stored?
Is there a way to figure those out?
Note:
- Our sysadmins do not provide us with any knowledge of where the logs are stored/located
- Our sysadmins do not provide us with the logging software(s) being used on the webserver