[Owasp-testing] v3 Index

Carlo Pelliccioni carlo.pelliccioni at gmail.com
Thu May 22 04:11:38 EDT 2008


Hi all,

in the OWASP Backend Security Project we included a section about
postgresql testing so if you want you can integrate into testing guide
v3.

Regards
Carlo

On Thu, May 22, 2008 at 9:50 AM, Dave van Stein <dvstein at gmail.com> wrote:
> Hi Kevin,
>
> I think that your points are certainly things to take up in the testing
> manual. The only thing I disagree with is 4.4: test for weak passwords.
>
> The way I see it we have Web Application Security Testing (WAST) and
> Penetration Testing (PenTest). WAST is about bypassing security, whereas
> PenTest is about breaching security. Breaching security can be achieved by
> bypassing security (so WAST is a part of PenTest), but there are also other
> ways to accomplish that. Personally I think weak passwords fall in that last
> category.
>
> Since we already had a discussion about where to draw the line in the scope
> of WAST, testing for weak passwords is (IMHO) outside the scope of WAST
> (although a note can be added to the authorization section about having
> appropriate password policies).
> Dave
> 2008/5/21 kevin horvath <kevin.horvath at gmail.com>:
>>
>> Hello All,
>>
>> Any thoughts on the possible additions below?  Thanks.
>>
>> Kevin
>>
>> On Tue, May 20, 2008 at 1:22 PM, kevin horvath <kevin.horvath at gmail.com>
>> wrote:
>> > Hello Matteo,
>> >
>> > the number of reviewers and authors sound good to me.  I like the TOC
>> > for v3 but have the following additions to propose:
>> >
>> > 4.2.2 Application Discovery (add the following subsections)
>> > - Identify data entry points that accept user input into the application.
>> > - Try to identify server and client technologies such as application
>> > platforms, server operating system, scripting languages, applets,
>> > forms, cookies, encoding, etc.
>> >
>> > 4.4 Authentication Testing (add the following subsections)
>> > test for username enumeration
>> > test for weak passwords in use
>> >
>> > 4.5 Session Management Testing (add the following subsections)
>> > test for fixed session tokens (i.e. new session token not issued upon
>> > authentication, etc.)
>> > test for secure cookie attributes (i.e. secure flag and HttpOnly set
>> > and correct path attribute set) -- this is touched on briefly in this
>> > section in grey box testing, but maybe we should break this out into
>> > its own subsection of Session Management Testing?
>> >
>> >
>> > Web Server Testing section (proposed this in a previous email but no
>> > final word from the group?)
>> > test for default content
>> > test HTTP methods (options, delete, put, or webdav enabled)
>> > vulnerable web server software
>> > etc
>> >
>> > On Tue, May 20, 2008 at 2:15 AM, Matteo Meucci <matteo.meucci at gmail.com>
>> > wrote:
>> >> Hi all,
>> >> here a new draft of the index, with the new articles:
>> >>
>> >> https://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Table_of_Contents
>> >>
>> >> At this time we have 20 authors and 5 reviewers.
>> >> What do you think about that?
>> >>
>> >> Thanks,
>> >> Mat
>> >>
>> >> --
>> >> Matteo Meucci
>> >> OWASP-Italy Chair, CISSP, CISA
>> >> http://www.owasp.org/index.php/Italy
>> >> OWASP Testing Guide lead
>> >> http://www.owasp.org/index.php/Testing_Guide
>> >> _______________________________________________
>> >> Owasp-testing mailing list
>> >> Owasp-testing at lists.owasp.org
>> >> https://lists.owasp.org/mailman/listinfo/owasp-testing
>> >>
>> >
>
>



-- 
Carlo Pelliccioni
OWASP Backend Security Project leader
http://www.owasp.org/index.php/Category:OWASP_Backend_Security_Project
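As an added example (not code from this thread or from the Testing Guide), here is a small Python checker for two of the session-management tests Kevin proposes above: secure cookie attributes (Secure, HttpOnly and the correct Path) and a fresh session token being issued upon authentication. The cookie name JSESSIONID, the application path /app and the sample Set-Cookie headers are constructed assumptions.

```python
# Constructed sample responses (assumption, not captured from any real site).
PRE_LOGIN = "Set-Cookie: JSESSIONID=abc123; Path=/"
POST_LOGIN_WEAK = "Set-Cookie: JSESSIONID=abc123; Path=/"
POST_LOGIN_GOOD = "Set-Cookie: JSESSIONID=def456; Path=/app; Secure; HttpOnly"


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header into name, value and lower-cased attributes.
    Bare flags (Secure, HttpOnly) map to True; valued attributes keep their value."""
    body = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    parts = [p.strip() for p in body.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def check_cookie_attributes(header: str, expected_path: str = "/app") -> list:
    """Findings for a session cookie missing the attributes named in the thread."""
    cookie = parse_set_cookie(header)
    findings = []
    if cookie["attrs"].get("secure") is not True:
        findings.append(f"{cookie['name']}: Secure flag not set")
    if cookie["attrs"].get("httponly") is not True:
        findings.append(f"{cookie['name']}: HttpOnly flag not set")
    path = cookie["attrs"].get("path")
    if path != expected_path:
        findings.append(f"{cookie['name']}: Path is {path!r}, expected {expected_path!r}")
    return findings


def check_session_rotation(pre_login: str, post_login: str, cookie_name: str = "JSESSIONID") -> list:
    """Flag a fixed session token: the same value before and after authentication."""
    pre, post = parse_set_cookie(pre_login), parse_set_cookie(post_login)
    if pre["name"] == post["name"] == cookie_name and pre["value"] == post["value"]:
        return [f"{cookie_name}: session token not reissued after authentication"]
    return []


if __name__ == "__main__":
    for h in (POST_LOGIN_WEAK, POST_LOGIN_GOOD):
        print(h, "->", check_cookie_attributes(h) or "ok")
    print(check_session_rotation(PRE_LOGIN, POST_LOGIN_WEAK) or "session token rotated")
```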

