[OWASP-TESTING] Next stage

Stephen Venter stephen.venter at gmail.com
Thu Jun 23 15:42:09 EDT 2005

Hi Dan

Before you re-publish this document with the following statement in it:
"Token storage? (If not marked as 'secure' a cookie will be stored on
hard disk)"

Please can you change it, as it is NOT correct - which I tried to
explain before:

The storage / caching of cookies & http content can be influenced by
the "Max-Age=" attribute of the "Set-Cookie:" header, or the
"Pragma:", "Expires:" and "Cache-Control:" headers (for caching
proxies) - it is NOT affected by the "secure" attribute of the
"Set-Cookie:" header [which is intended to stop an end-user client from
sending a cookie value over HTTP, i.e. unencrypted].

Refer to:
- 4.2.2  Set-Cookie Syntax
- 4.2.3  Controlling Caching
- 10.1.2  Expires and Max-Age
- 10.2  Caching and HTTP/1.0

Also, reference should be made to other RFCs, like:

Perhaps I could be involved in / run with the "Token storage" section
of the testing guide.  Perhaps I should also put my name down for the
"Improper use of cache control directives" section.
I would also like to offer assistance with other sections, like SQL &
XSS injection sections, Parameter analysis, Bypassing logon process,
and Parameter Manipulation sections like HTTP header manipulation and
URL parameters.


On 6/21/05, Daniel Cuthbert <daniel.cuthbert at owasp.org> wrote:
> Morning all,
> Sorry for the short break in the testing guide progress, the real
> world caught up with me.
> Attached are the documents needed for the next part of the guide, and
> they are:
> Testing Guide II Structure.doc
> This is the final TOC as we agreed and next to each section, there is
> the option to add your name and your e-mail address (i.e. you will be
> writing this section)
> template1.htm
> If you could structure all your submissions using this template (you
> can use any format you like, word/text/xml, as long as I can read it
> on a mac!)
> Guidelines for creating sections:
> Plagiarism won't be accepted.
> This testing guide should reflect the experience you all have in
> application testing. One of the benefits of OWASP is that the wealth
> of experience from the contributors enables the reader to understand
> the section they are reading, as it is presented in a well structured
> format, which unlike a large amount of research papers on the web
> today, isn't normally the case.
> - Try and use examples where possible and also let other "non-
> security" individuals read what you have written. This ensures that
> it makes sense to everyone and not just the hardcore penetration
> testers out there.
> - I understand everyone has a life and work commitments, so please
> don't select loads of sections if you know you may not be able to
> commit to them in the end run.
> - Contact me if you have any issues during this next phase
> I think we should aim to have all the sections written by mid August,
> how does this sound for everyone?
> Obviously if you feel there is a section missing from the TOC, by all
> means contact me
> Look forward to seeing the work coming in
> Daniel Cuthbert
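
An added illustration of the distinction drawn in Stephen's message (not part of the original thread): a small Python check that parses Set-Cookie header values and reports cookie persistence, derived from Max-Age/Expires, separately from the "secure" transport flag. The function names and the sample header strings are constructed for this example.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_set_cookie(header):
    """Return (name, attrs) for one Set-Cookie header value; attr keys lowercased."""
    first, *rest = [p.strip() for p in header.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs

def is_persistent(attrs, now):
    """Persistence depends only on Max-Age / Expires, never on Secure."""
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) > 0   # Max-Age=0 means discard now
        except ValueError:
            pass                               # malformed Max-Age: fall back to Expires
    if "expires" in attrs:
        try:
            when = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return False                       # unparsable date: treat as session cookie
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        return when > now
    return False                               # no lifetime attribute: session cookie

def audit(header, now=None):
    """Report persistence and transport restriction as two independent findings."""
    now = now or datetime.now(timezone.utc)
    name, attrs = parse_set_cookie(header)
    return {"name": name,
            "persistent": is_persistent(attrs, now),
            "https_only": "secure" in attrs}

# Constructed sample headers (not taken from the thread).
SAMPLES = [
    "SID=abc123; Path=/; Secure",
    "SID=abc123; Path=/; Secure; Max-Age=3600",
    "SID=abc123; Path=/; Expires=Mon, 21 Oct 2030 07:28:00 GMT",
]

if __name__ == "__main__":
    for h in SAMPLES:
        print(audit(h), "<-", h)
```

The second sample is the case the disputed statement gets wrong: the cookie is marked secure and is still persistent.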
