[Owasp-testing] Update on Brute Force Section

Herman Stevens herman at astyran.com
Fri Sep 23 00:09:05 EDT 2011


Hi Akhmad,

This is not directly related to your great work, but I have some general remarks about form and style.

For each issue (at least this one) we now have:

1) Brief Summary
2) Related Security Activities
3) Description of the Issue
4) Black Box Testing and Example
5) Gray Box Testing and Example
6) References

Remarks:

1) the titles are too long (makes it more difficult to read). Suggestion: "Brief Summary" (a summary should always be brief) -> "Summary", "Description of the Issue" -> "Description". (And further nit-picking, sorry: we are not listing issues/vulnerabilities but 'tests'.)

2) it is unclear what the "Related Security Activities" are??? Are these 'testing' activities? From the content: this should simply be moved to "References". I also suggest that for all possible brute force attacks (listed in the referenced OWASP article) we describe a means to test for it. Probably it would be nice to also have references to CVE (common vulnerabilities enumeration) and CAPEC (common attack patterns) from Mitre and make certain that for all attacks/vulnerabilities we provide a way to test it (if possible).

3) Sections 4) and 5) -> make it one section with all the possible DOS attacks/vulnerabilities + how to test it. AT-004-01, AT-004-02 ...

4) White box example is missing: e.g. predictable file-names without proper authorization checks.

5) I would add a section with an 'exclamation' mark: what not to do, what to look out for ... etc. (e.g. as admin user, be very careful about what your tool is doing, especially when testing in a production environment...)

Sincerely,

Herman
http://blog.astyran.sg

-----Original Message-----
From: owasp-testing-bounces at lists.owasp.org [mailto:owasp-testing-bounces at lists.owasp.org] On Behalf Of Zaki Akhmad
Sent: Thursday, 22 September, 2011 5:33 PM
To: owasp-testing at lists.owasp.org
Subject: [Owasp-testing] Update on Brute Force Section

Hello lists,

I just updated the brute force section. I added brute force on digest authentication [1].

[1]https://www.owasp.org/index.php/Testing_for_Brute_Force_%28OWASP-AT-004%29#Brute_force_Attacks

The history page is available for tracking changes. Any comments?

--
Zaki Akhmad
OWASP Indonesia Chapter Leader
http://www.owasp.org/index.php/Indonesia
_______________________________________________
Owasp-testing mailing list
Owasp-testing at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-testing