[OWASP-TESTING] Testing Part 2 Outline - additions
llmora at sentryware.com
Wed Jul 14 18:25:13 EDT 2004
Another thing to add could be "Weak encryption":
Check for data that aparently looks random but is not (not just the
session-id, but also reversible encoding of passwords stored in cookies,
etc.), faulty homemade encryption algorithms and so on. Present a general
way on how to test this: gather various """encrypted""" data, try to find
similarities between them and so on.
> -----Original Message-----
> From: owasp-testing-admin at lists.sourceforge.net
> [mailto:owasp-testing-admin at lists.sourceforge.net] On Behalf
> Of Roshen Chandran
> Sent: miércoles, 14 de julio de 2004 23:53
> To: owasp-testing at lists.sourceforge.net
> Subject: [OWASP-TESTING] Testing Part 2 Outline - additions
> A few more areas that we could add in the Testing Part 2 Outline are:
> In the Authentication section:
> 1. Vulnerable Remember password implementation
> Check for cases where the password itself is stored as a persistent
> cookie, or the token given assigned for remembering passwords
> is never
> reset and becomes as powerful as the password itself in plain text.
> 2. Weak "forgot password" implementations
> Check for vulnerabilities like "weak hint question", "displaying
> original password to the user" and other design-level weaknesses
> and in the Data Protection section:
> 3. Sensitive data in persistent cookies
> Check for passwords, and other user sensitive information stored in
> persistent cookies
> 4. Sensitive data in URLs
> Check for account information etc, turning up in the "History" of the
> browser even after the user has logged off.
> This SF.Net email is sponsored by BEA Weblogic Workshop
> FREE Java Enterprise J2EE developer tools!
> Get your free copy of BEA WebLogic Workshop 8.1 today.
> owasp-testing mailing list
> owasp-testing at lists.sourceforge.net
More information about the Owasp-testing