[ OWASP - Montréal ] OWASP Testing Guide v2 - How to learn from that huge brick?
laurent.desaulniers at gmail.com
Thu Nov 27 21:32:47 EST 2008
I know it is silly, but my best "framework" for security is a checklist:
This is a high-level view of what I need; certainly not as restraining as
the usual framework, but it also does not help as much as other frameworks. For
example, using this framework, it does not tell HOW to check for session ID
analysis or XSS. It just makes sure everything is covered.
OSSTM is more focused toward "standard pen-test", i.e. networks and
applications, BO and SO.
The OWASP testing guide is still THE reference, at least for all the SOAP
and AJAX sections.
I hope it helps.
I can give you my "procedure" at the next talk. But here is a little
1) Focus on logic flaws. Many app scanners can now find blind SQL
injections, XSS and even CSRF. But it is not possible for an application to
know that a negative amount is not valid for an amount transfer. This is not
only the easiest thing to test, but also what will ensure you the most
visibility to your clients. (imho)
2) I abuse paper cards. Usually, what I do is write a little card for
every page, including every input and output and hidden field. If there is a
web service, I also write every parameter. It not only allows you to get a
good idea of the inner working of a web app
3) Check encryption, especially on parameters you can control. Even if the
page redirects to https, all you need is a SINGLE valid image on http and
the application is insecure to cookie stealing. Same for cookies. Make
sure all cookies are marked as safe.
4) Usually, when I do a white-box web assessment, I require 2 accounts: an
admin account and a "user" account. This allows you to know more about the
application and its inner function.
5) Fuzzing. I am not a fan of fuzzing, but I have seen very good results. It
is not for me, but you might want to check it out.
On Thu, Nov 27, 2008 at 9:10 PM, Benoit Guerette
<benoit.guerette at gmail.com> wrote:
> I was looking for a framework to guide my webapps penetration testing.
> At this point, I found lot of useful powerpoint presentations, maximum
> 30 pages, and parts of some books.
> Now, I want to go the next level. There is OSSTM, NIST security
> testing guide, the Penetration Testing Framework 0.51 and OWASP
> Testing Guide v2.
> OWASP is the reference, but where do you start from that 344 pages?
> Did you all read the whole brick and create your shortest how-to?
> I guess holiday vacations will serve that goal ;)
> Owasp-montreal mailing list
> Owasp-montreal at lists.owasp.org
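Two of the items in the list above lend themselves to small automated checks: item 3 (cookies marked as safe, and the "single valid image on http" case) and item 1 (the negative-amount logic flaw a scanner cannot know about). The following Python is an added example, not code from Laurent's e-mail or from the OWASP Testing Guide. The URL, response headers and HTML below are constructed samples, and the function names are my own.

```python
"""Added example (not from the original e-mail).

audit_response()           - inspects one captured HTTPS response for
                             Set-Cookie headers lacking Secure / HttpOnly and
                             for sub-resources (img, script, iframe, link)
                             loaded over plain http://, i.e. mixed content.
validate_transfer_amount() - the server-side check a scanner cannot do for
                             you: refuses negative, zero, non-numeric and
                             otherwise malformed transfer amounts.

All sample data below is constructed for this example.
"""
import re
from decimal import Decimal, InvalidOperation
from html.parser import HTMLParser

# Tag -> attribute that carries a URL the browser fetches automatically.
_URL_ATTRS = {"img": "src", "script": "src", "iframe": "src", "link": "href"}


class _SubresourceCollector(HTMLParser):
    """Collects the URLs of sub-resources referenced by a page."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = _URL_ATTRS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                self.urls.append(value)


def audit_response(page_url, headers, body):
    """Return a list of findings (strings) for one captured response.

    headers: list of (name, value) tuples as captured; Set-Cookie may repeat.
    body:    the HTML text of the response.
    """
    findings = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        # Attributes follow the value, separated by ';', and are case-insensitive.
        attrs = {part.strip().lower() for part in value.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {cookie_name!r} lacks Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie_name!r} lacks HttpOnly")

    # Mixed content only matters when the page itself came over https.
    if page_url.lower().startswith("https://"):
        collector = _SubresourceCollector()
        collector.feed(body)
        for url in collector.urls:
            if url.lower().startswith("http://"):
                findings.append(f"mixed content: {url}")
    return findings


# Up to 12 integer digits and at most two decimals; ASCII digits only.
_AMOUNT_RE = re.compile(r"\d{1,12}(\.\d{1,2})?", re.ASCII)


def validate_transfer_amount(raw):
    """Parse a user-supplied transfer amount; return a positive Decimal or None.

    fullmatch() against the strict pattern rejects signs, exponents, NaN,
    Infinity, surrounding whitespace and trailing newlines before Decimal()
    ever sees the string, so "-100", "1e9", "NaN" and "100\\n" are refused.
    """
    if not isinstance(raw, str) or not _AMOUNT_RE.fullmatch(raw):
        return None
    try:
        amount = Decimal(raw)
    except InvalidOperation:
        return None
    return amount if amount > 0 else None


# Constructed sample response (not real traffic).
SAMPLE_URL = "https://bank.example/transfer"
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "SESSIONID=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "prefs=dark; Path=/; Secure; HttpOnly"),
]
SAMPLE_BODY = """<html><body>
<img src="http://static.bank.example/logo.png">
<script src="https://static.bank.example/app.js"></script>
<link rel="stylesheet" href="/css/site.css">
</body></html>"""

if __name__ == "__main__":
    for finding in audit_response(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_BODY):
        print("FINDING:", finding)
    for candidate in ("100.00", "-100", "0", "1e9", "NaN", "100\n"):
        print(repr(candidate), "->", validate_transfer_amount(candidate))
```

Run it on a response captured with your proxy of choice: the session cookie without Secure and the one http:// image are reported, while the amount check shows which inputs a correct server should refuse regardless of what the client-side form allows.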