[OWASP-TESTING] Next stage
Stephen Venter
stephen.venter at gmail.com
Thu Jun 23 15:42:09 EDT 2005
Hi Dan
Before you re-publish this document with the following statement in it:
"Token storage? (If not marked as 'secure' a cookie will be stored on
hard disk)"
Please can you change it, as it is NOT correct - which I tried to
explain before:
http://sourceforge.net/mailarchive/message.php?msg_id=11721627
The storage / caching of cookies & http content can be influenced by
the "Max-Age=" attribute of the "Set-Cookie:" header, or the
"Pragma:", "Expires:" and "Cache-Control:" headers (for caching
proxies) - it is NOT affected by the "secure" attribute of the
"Set-Cookie:" header [which is intended to stop an end-user client from
sending a cookie value over HTTP, i.e. unencrypted].
Refer to:
http://www.faqs.org/rfcs/rfc2109.html
sections:
- 4.2.2 Set-Cookie Syntax
- 4.2.3 Controlling Caching
- 10.1.2 Expires and Max-Age
- 10.2 Caching and HTTP/1.0
Also, reference should be made to other RFCs, like:
http://www.faqs.org/rfcs/rfc2616.html
Perhaps I could be involved in / run with the "Token storage" section
of the testing guide. Perhaps I should also put my name down for the
"Improper use of cache control directives" section.
I would also like to offer assistance with other sections, like SQL &
XSS injection sections, Parameter analysis, Bypassing logon process,
and Parameter Manipulation sections like HTTP header manipulation and
URL parameters.
Cheers
Steve
On 6/21/05, Daniel Cuthbert <daniel.cuthbert at owasp.org> wrote:
> Morning all,
>
> Sorry for the short break in the testing guide progress, the real
> world caught up with me.
> Attached are the documents needed for the next part of the guide, and
> they are:
>
> Testing Guide II Structure.doc
>
> This is the final TOC as we agreed and next to each section, there is
> the option to add your name and your e-mail address (i.e. you will be
> writing this section)
>
> template1.htm
>
> If you could structure all your submissions using this template (you
> can use any format you like, word/text/xml, as long as I can read it
> on a Mac!)
>
> Guidelines for creating sections:
>
> - DO NOT DO A STRAIGHT COPY FROM ANY OTHER SOURCES ON THE WEB!
> Plagiarism won't be accepted.
> This testing guide should reflect the experience you all have in
> application testing. One of the benefits of OWASP is that the wealth
> of experience from the contributors enables the reader to understand
> the section they are reading, as it is presented in a well structured
> format, which unlike a large amount of research papers on the web
> today, isn't normally the case.
>
> - Try and use examples where possible and also let other "non-
> security" individuals read what you have written. This ensures that
> it makes sense to everyone and not just the hardcore penetration
> testers out there.
>
> - I understand everyone has a life and work commitments, so please
> don't select loads of sections if you know you may not be able to
> commit to them in the end run.
>
> - Contact me if you have any issues during this next phase
>
>
> I think we should aim to have all the sections written by mid August,
> how does this sound for everyone?
>
> Obviously if you feel there is a section missing from the TOC, by all
> means contact me
>
> Look forward to seeing the work coming in
>
> Daniel Cuthbert
>
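The distinction Steve draws above (Max-Age/Expires and the caching headers decide whether a cookie or response is stored; Secure only decides whether the cookie is sent over plain HTTP) can be checked mechanically. The following is an added example written for this archive page; it is not part of the thread or of the OWASP Testing Guide. It parses constructed Set-Cookie and response headers and reports storage, transport and cacheability properties. Assumptions: the parsing rules follow RFC 2109 / RFC 2616 as cited above, with Max-Age taking precedence over Expires when both are present (as RFC 6265 later specified); the header strings in the demo are made up.

```python
"""Classify Set-Cookie and caching headers (added example, not project code).

What writes a cookie to disk is Max-Age / Expires; what keeps it out of a
shared cache is Cache-Control / Pragma / Expires. The Secure attribute does
neither: it only stops the client sending the cookie over plain HTTP.
"""
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, value, {attr_lower: attr_value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        if p:
            k, _, v = p.partition("=")
            attrs[k.strip().lower()] = v.strip()
    return name.strip(), value, attrs


def classify_cookie(header_value, now=None):
    """Describe one cookie: is it written to disk, and is it HTTPS-only?

    persistent: True when Max-Age > 0, or (no Max-Age) a future Expires is
        present. Max-Age <= 0 or a past/invalid Expires means 'discard';
        neither attribute means a session cookie kept in memory only.
    secure_only: True when the Secure attribute is present. This is a
        transport restriction and is deliberately not consulted for
        'persistent', because it has no effect on storage.
    """
    now = now or datetime.now(timezone.utc)
    name, _, attrs = parse_set_cookie(header_value)
    persistent = False
    if "max-age" in attrs:
        try:
            persistent = int(attrs["max-age"]) > 0
        except ValueError:
            persistent = False
    elif "expires" in attrs:
        try:
            persistent = parsedate_to_datetime(attrs["expires"]) > now
        except (TypeError, ValueError):
            persistent = False  # unparseable or tz-less date: treat as expired
    return {"name": name, "persistent": persistent,
            "secure_only": "secure" in attrs}


def _cache_control_directives(value):
    """Parse Cache-Control into {directive_lower: argument_or_None}, keeping a
    quoted field list such as no-cache="set-cookie" as one argument."""
    out = {}
    for m in re.finditer(r'([A-Za-z-]+)(?:=("[^"]*"|[^,]*))?', value):
        arg = (m.group(2) or "").strip().strip('"').lower()
        out[m.group(1).lower()] = arg or None
    return out


def set_cookie_may_be_cached(headers, now=None):
    """May a shared cache store and replay the Set-Cookie header of a response?

    headers: dict of header name -> value (names matched case-insensitively).
    Rules: Cache-Control no-store or private forbid storage; bare no-cache
    forbids reuse; no-cache="set-cookie" (RFC 2109 4.2.3) forbids caching
    that header; Pragma: no-cache (HTTP/1.0, RFC 2109 10.2) forbids reuse;
    an Expires in the past or an invalid date such as "0" (RFC 2616 14.21)
    means already expired. Anything else is storable, so a cookie in such a
    response could be handed to a different user.
    """
    now = now or datetime.now(timezone.utc)
    h = {k.lower(): v for k, v in headers.items()}
    cc = _cache_control_directives(h.get("cache-control", ""))
    if "no-store" in cc or "private" in cc:
        return False
    if "no-cache" in cc:
        fields = cc["no-cache"]
        if fields is None or "set-cookie" in [f.strip() for f in fields.split(",")]:
            return False
    if "no-cache" in h.get("pragma", "").lower():
        return False
    if "expires" in h:
        try:
            if parsedate_to_datetime(h["expires"]) <= now:
                return False
        except (TypeError, ValueError):
            return False
    return True


if __name__ == "__main__":
    # Constructed headers for the demo; the point is that Secure changes
    # only 'secure_only', never 'persistent'.
    for hdr in ("SESSIONID=abc123; Path=/; Secure; HttpOnly",
                "remember=tok; Max-Age=2592000; Path=/",
                "remember=tok; Max-Age=2592000; Path=/; Secure"):
        print(hdr, "->", classify_cookie(hdr))
    print(set_cookie_may_be_cached({"Cache-Control": 'no-cache="set-cookie"'}))
```

Running the demo shows the two Max-Age cookies both reported persistent, with only secure_only differing, while the Secure session cookie stays non-persistent; the cache check returns False for the no-cache="set-cookie" response.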