[OWASP - Montréal] OWASP Testing Guide v2 - How to learn from that huge brick?

Benoit Guerette benoit.guerette at gmail.com
Sat Nov 29 20:31:58 EST 2008


I found a document that seems to be a great starting point, shorter than
the official document and looks like your document.

OWASP Web Application Penetration Checklist

http://voxel.dl.sourceforge.net/sourceforge/owasp/OWASPWebAppPenTestList1.1.pdf

Thanks Laurent!

On Thu, Nov 27, 2008 at 9:32 PM, Laurent Desaulniers
<laurent.desaulniers at gmail.com> wrote:
> I know it is silly, but my best "framework" for security is a checklist:
> www.secguru.com/files/cheatsheet/webappcheatsheet2.pdf
>
> This is a high level view of what I need; certainly not as restraining as
> the usual framework but also does not help as much as other frameworks. For
> example, using this framework, it does not tell HOW to check for session id
> analysis or XSS. It just makes sure everything is covered.
>
> OSSTM is more focused toward "standard pen-test", i.e. networks and
> applications, BO and SO.
>
> The OWASP testing guide is still THE reference, at least for all the SOAP
> and AJAX sections.
>
> I hope it helps.
>
>
> I can give you my "procedure" at the next talk. But here is a little
> excerpt:
>
> 1) Focus on logic flaws. Many app scanners can now find blind SQL
> injections, XSS and even CSRF. But it is not possible for an application to
> know that a negative amount is not valid for an amount transfer. This is not
> only the easiest thing to test, but also what will ensure you the most
> visibility to your clients. (imho)
>
> 2) I abuse paper cards. Usually, what I do is write a little card for
> every page, including every input and output and hidden fields. If there is a
> web service, I also write every parameter. It not only allows you to get a
> good idea of the inner working of a web app
>
> 3) Check encryption, especially on parameters you can control. Even if the
> page redirects to https, all you need is a SINGLE valid image on http and
> the application is insecure to cookie stealing. Same about cookies. Make
> sure all cookies are marked as safe.
>
> 4) Usually, when I do a white box web assessment, I require 2 accounts. An
> admin account and a "user" account. This allows you to know more about the
> application and inner function.
>
> 5) Fuzzing. I am not a fan of fuzzing but I have seen very good results. It
> is not for me, but you might want to check it out.
>
> Laurent
>
>
>
> On Thu, Nov 27, 2008 at 9:10 PM, Benoit Guerette <benoit.guerette at gmail.com>
> wrote:
>>
>> I was looking for a framework to guide my webapps penetration testing.
>> At this point, I found a lot of useful PowerPoint presentations, maximum
>> 30 pages, and parts of some books.
>>
>> Now, I want to go the next level. There is OSSTM, NIST security
>> testing guide, the Penetration Testing Framework 0.51 and OWASP
>> Testing Guide v2.
>>
>> OWASP is the reference, but where do you start from that 344-page
>> document?
>>
>> Did you all read the whole brick and create your shortest how-to?
>>
>> I guess holiday vacations will serve that goal ;)
>>
>> Thanks!
>>
>>
>> --
>> http://www.linkedin.com/in/benoitguerette
>> _______________________________________________
>> Owasp-montreal mailing list
>> Owasp-montreal at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-montreal
>



-- 
http://www.linkedin.com/in/benoitguerette
http://www.owasp.org/index.php/Montreal
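Laurent's item 3 (every cookie marked Secure, and no http:// resource left on an https page) is easy to turn into a quick check against a captured response. The script below is an added example, not something from the thread or from OWASP; the headers and HTML it inspects are constructed samples, and the page URL https://app.example/login is assumed.

```python
"""Audit a captured HTTPS response for the two problems in Laurent's item 3:
cookies set without Secure/HttpOnly, and mixed content (http:// resources
referenced from an https page) that would send the cookie in clear text."""
import re
from http.cookies import SimpleCookie
from urllib.parse import urljoin, urlparse

# Constructed sample response (not real traffic): three Set-Cookie headers and
# a small HTML body as served over https://app.example/login (assumed URL).
SAMPLE_HEADERS = [
    ("Set-Cookie", "JSESSIONID=abc123; Path=/; HttpOnly"),        # no Secure
    ("Set-Cookie", "pref=fr; Path=/; Secure"),                    # no HttpOnly
    ("Set-Cookie", "csrftoken=tok; Path=/; Secure; HttpOnly"),    # fine
]
SAMPLE_HTML = """<html><body>
<img src="https://app.example/logo.png">
<img src="http://static.example/banner.gif">
<script src="//cdn.example/lib.js"></script>
</body></html>"""

# src/href of the tag types that load sub-resources without user interaction.
SRC_RE = re.compile(r'<(?:img|script|iframe|link)[^>]+?(?:src|href)=["\']([^"\']+)', re.I)


def cookie_findings(headers):
    """Return (cookie_name, [missing flags]) for each Set-Cookie lacking a flag."""
    findings = []
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)  # parses the attributes; bare Secure/HttpOnly become True
        for name, morsel in jar.items():
            missing = [flag for flag in ("secure", "httponly") if not morsel[flag]]
            if missing:
                findings.append((name, missing))
    return findings


def mixed_content(page_url, html):
    """Return the resource references that resolve to plain http:// on an https page."""
    hits = []
    for ref in SRC_RE.findall(html):
        # Resolve relative and protocol-relative (//host/...) references first.
        if urlparse(urljoin(page_url, ref)).scheme == "http":
            hits.append(ref)
    return hits


if __name__ == "__main__":
    print("cookie findings:", cookie_findings(SAMPLE_HEADERS))
    print("mixed content:", mixed_content("https://app.example/login", SAMPLE_HTML))
```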

