[OWASP-TESTING] Testing Part 2 Outline - additions

Lluis Mora llmora at sentryware.com
Wed Jul 14 18:25:13 EDT 2004


Another thing to add could be "Weak encryption":

Check for data that apparently looks random but is not (not just the
session-id, but also reversible encoding of passwords stored in cookies,
etc.), faulty homemade encryption algorithms and so on. Present a general
way to test this: gather various "encrypted" data, try to find
similarities between them and so on.

> -----Original Message-----
> From: owasp-testing-admin at lists.sourceforge.net 
> [mailto:owasp-testing-admin at lists.sourceforge.net] On Behalf 
> Of Roshen Chandran
> Sent: Wednesday, 14 July 2004 23:53
> To: owasp-testing at lists.sourceforge.net
> Subject: [OWASP-TESTING] Testing Part 2 Outline - additions
> 
> 
> A few more areas that we could add in the Testing Part 2 Outline are:
> 
> In the Authentication section:
> 
> 1. Vulnerable Remember password implementation
> 
> Check for cases where the password itself is stored as a persistent 
> cookie, or the token assigned for remembering passwords is never 
> reset and becomes as powerful as the password itself in plain text.
> 
> 2. Weak "forgot password" implementations
> Check for vulnerabilities like "weak hint question", "displaying 
> original password to the user" and other design-level weaknesses
> 
> and in the Data Protection section:
> 
> 3. Sensitive data in persistent cookies
> Check for passwords, and other user sensitive information stored in 
> persistent cookies
> 
> 4. Sensitive data in URLs
> Check for account information etc, turning up in the "History" of the 
> browser even after the user has logged off.
> 
> 
> -Roshen.
> 
> 
> 
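The testing approach Lluis sketches above (log in as accounts you control, collect several of the application's "encrypted" values, and look for structure or reversibility), which also covers Roshen's items 1 and 3 (credentials recoverable from a remember-me cookie), as an added Python example that is not part of this thread or of the OWASP Testing project. The three token batches, the user names, passwords and key bytes are all constructed for illustration, and the helper names (analyse, decode_token, key_stream and so on) are my own.

```python
"""Heuristic checks for tokens that look random but are not.

Added example for the weak-encryption test proposed in the thread, not
code from the OWASP Testing project. Idea: log in as a few accounts whose
credentials you know, capture the token under test each time (session id,
remember-me or password-reset cookie) and look for the usual give-aways:
a reversible encoding that still contains the credential, a constant XOR
key stream shared across users, and byte positions that never change.
Every token below is constructed for illustration.
"""
import base64
import binascii
import math
import re
from collections import Counter, namedtuple

# One captured token plus the credentials in use when it was issued.
Sample = namedtuple("Sample", "token username password")

# Constructed: a "remember me" cookie that is just base64(user:password).
REMEMBER_ME = [
    Sample("YWxpY2U6czNjcmV0IQ==", "alice", "s3cret!"),
    Sample("Ym9iOmxldG1laW4=", "bob", "letmein"),
]

# Constructed: a reset token that is hex(username XOR a 2-byte repeating key).
RESET_TOKENS = [
    Sample("3bc933c63f", "alice", "s3cret!"),
    Sample("38ca38", "bob", "letmein"),
]

# Constructed: session ids whose first and last four bytes never change.
SESSION_IDS = [
    Sample("40f1c2a07b8e11a4c9d3f002ecf8427e", "alice", "s3cret!"),
    Sample("40f1c2a019ac4d5e8f70b1c3ecf8427e", "bob", "letmein"),
    Sample("40f1c2a0c03e7f9d2a6b5481ecf8427e", "carol", "passw0rd"),
]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte over pooled data; 8.0 is the ceiling for random bytes.
    Only meaningful once a few hundred bytes have been pooled."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def decode_token(token: str):
    """Undo the encoding that makes binary data look random. Returns
    (encoding, raw_bytes), or (None, None) if neither hex nor base64 fits."""
    if len(token) % 2 == 0 and re.fullmatch(r"[0-9a-fA-F]+", token):
        return "hex", bytes.fromhex(token)
    try:
        return "base64", base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None, None


def fixed_positions(blobs):
    """Byte offsets at which every sample carries the same value; such
    structure means a constant, counter or timestamp, not random bytes."""
    n = min(len(b) for b in blobs)
    return [i for i in range(n) if len({b[i] for b in blobs}) == 1]


def key_stream(ciphertext: bytes, plaintext: bytes) -> bytes:
    """If ciphertext == plaintext XOR key, XORing the known plaintext back
    in recovers the key bytes that covered it."""
    return bytes(c ^ p for c, p in zip(ciphertext, plaintext))


def shortest_period(stream: bytes):
    """Smallest p (at most len/2, so the repeat is actually observed) such
    that the stream repeats every p bytes, or None."""
    n = len(stream)
    for p in range(1, n // 2 + 1):
        if all(stream[i] == stream[i % p] for i in range(n)):
            return p
    return None


def analyse(samples):
    """Return (finding, detail) tuples for a batch of tokens of one kind.
    An empty list means nothing obvious was found, not that the token is sound."""
    findings, blobs, streams = [], [], []
    for s in samples:
        enc, raw = decode_token(s.token)
        if raw is None:
            continue
        blobs.append(raw)
        leaked = [c for c in (s.username, s.password) if c.encode() in raw]
        if leaked:
            findings.append(("credential-in-clear", (enc, leaked)))
        else:
            # Assume the username sits at the start of the plaintext (the
            # usual layout); a shared key then shows up as a shared stream.
            streams.append(key_stream(raw, s.username.encode()))
    if len(blobs) >= 2 and fixed_positions(blobs):
        findings.append(("fixed-positions", fixed_positions(blobs)))
    if len(streams) >= 2:
        m = min(len(st) for st in streams)
        if m and len({st[:m] for st in streams}) == 1:
            findings.append(("constant-xor-key", shortest_period(max(streams, key=len))))
    return findings


if __name__ == "__main__":
    for name, batch in (("remember-me", REMEMBER_ME), ("reset", RESET_TOKENS), ("session", SESSION_IDS)):
        print(name, analyse(batch) or "nothing obvious")
        pooled = b"".join(decode_token(s.token)[1] or b"" for s in batch)
        print("  pooled entropy %.2f bits/byte over %d bytes" % (shannon_entropy(pooled), len(pooled)))
```

Run as a script it reports the remember-me batch as carrying the credentials in clear, the reset batch as a constant XOR key with period 2, and the session batch as having 8 of 16 byte positions fixed. The entropy figure is only worth reading once a few hundred bytes have been pooled, and a batch that passes all three checks has merely not failed the cheap tests; the next step is the one Lluis describes, comparing many more samples for similarities.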