[Owasp-testing] Testing Guide V4 - Start up

Lode Vanstechelman lode at vanstechelman.eu
Fri Aug 31 07:38:54 UTC 2012


Hello everyone,

When looking at the ToC, I see that "Logout function not properly
implemented" is mentioned under "Authentication Testing", but shouldn't
this be mentioned under "Session Management Testing" since this
vulnerability is about the session which is not properly destroyed on the
server?

Then I would also propose to add the following 2 vulnerabilities/test
methods:

   1. Clickjacking a.k.a. "Frameable response": I would propose to add this
   in section "Configuration and Deploy Management Testing" since this
   vulnerability can be solved by adding the header "X-FRAME-OPTIONS" to the
   responses.
   2. CAPTCHAs: what are good ones and how can they be broken. I think
   this should be added in "Authentication testing"

Regards,
Lode
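
The point above about a logout that only clears the browser's cookie while the server keeps the session alive is easy to show in code. The following is an added example, not code from the thread or from the Testing Guide: a minimal server-side session store (the class and method names are assumptions for illustration) with a broken logout next to a correct one, and a check that replays the old session ID after logout. A logout test in a pentest does exactly this: capture the session ID before logout, log out, then re-send a request with the captured ID and see whether the server still accepts it.

```python
# Added example (not from the mailing-list thread): a minimal server-side
# session store showing the difference between a logout that only clears the
# client's cookie and one that also destroys the session on the server.
import secrets


class SessionStore:
    """Server-side session table keyed by an unguessable session ID (hypothetical)."""

    def __init__(self, idle_timeout=900):
        self._sessions = {}  # session_id -> {"user": ..., "last_seen": ...}
        self.idle_timeout = idle_timeout

    def login(self, user, now=0.0):
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._sessions[sid] = {"user": user, "last_seen": now}
        return sid

    def is_valid(self, sid, now=0.0):
        """True if the server still has a live session for this ID."""
        entry = self._sessions.get(sid)
        if entry is None:
            return False
        if now - entry["last_seen"] > self.idle_timeout:
            self._sessions.pop(sid, None)  # idle timeout reached: drop it
            return False
        entry["last_seen"] = now
        return True

    def logout_client_only(self, sid):
        """Broken logout: tells the browser to drop the cookie but leaves the
        server-side session alive, so anyone holding the old ID can still use it."""
        return {"Set-Cookie": "SESSIONID=; Max-Age=0; Path=/"}

    def logout(self, sid):
        """Correct logout: destroy the server-side session and clear the cookie."""
        self._sessions.pop(sid, None)
        return {"Set-Cookie": "SESSIONID=; Max-Age=0; Path=/; HttpOnly; Secure"}


def replay_after_logout(store, broken):
    """The logout test: returns True if a captured session ID still works after logout."""
    sid = store.login("alice")
    if broken:
        store.logout_client_only(sid)
    else:
        store.logout(sid)
    return store.is_valid(sid)


if __name__ == "__main__":
    print("client-only logout, ID still accepted:", replay_after_logout(SessionStore(), True))
    print("server-side logout, ID still accepted:", replay_after_logout(SessionStore(), False))
```

The same check is the reason the issue belongs with session management rather than authentication: what is being tested is whether the server-side session is destroyed, not how the user proved who they were.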

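To go with the clickjacking proposal above, here is an added example (not from the thread, and not Testing Guide code) that classifies a response as frameable or not from its headers. It checks the X-FRAME-OPTIONS header the mail mentions and, going a step beyond it, the Content-Security-Policy frame-ancestors directive that current browsers give precedence when both are present. The sample responses are constructed for the example; the function names are assumptions.

```python
# Added example (not from the thread): decide from response headers whether a
# page can be framed. Checks X-Frame-Options and also CSP frame-ancestors,
# which supporting browsers apply in preference to X-Frame-Options.

def parse_headers(raw):
    """Parse raw 'Name: value' lines into {lowercased-name: [values]}; the status line is skipped."""
    headers = {}
    for line in raw.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def framing_policy(raw_response_headers):
    """Return (verdict, reason) where verdict is 'deny', 'sameorigin', 'allowlist' or 'frameable'."""
    headers = parse_headers(raw_response_headers)
    # CSP frame-ancestors takes precedence over X-Frame-Options in supporting browsers.
    for csp in headers.get("content-security-policy", []):
        for directive in csp.split(";"):
            parts = directive.strip().split()
            if parts and parts[0].lower() == "frame-ancestors":
                sources = [s.lower() for s in parts[1:]]
                if sources == ["'none'"]:
                    return "deny", "CSP frame-ancestors 'none'"
                if sources == ["'self'"]:
                    return "sameorigin", "CSP frame-ancestors 'self'"
                if "*" in sources:
                    return "frameable", "CSP frame-ancestors allows *"
                return "allowlist", "CSP frame-ancestors " + " ".join(sources)
    xfo = headers.get("x-frame-options", [])
    if len(xfo) > 1:
        # Browsers handle duplicate/conflicting values inconsistently; report conservatively.
        return "frameable", "multiple X-Frame-Options headers: %s" % xfo
    if xfo:
        value = xfo[0].upper()
        if value == "DENY":
            return "deny", "X-Frame-Options DENY"
        if value == "SAMEORIGIN":
            return "sameorigin", "X-Frame-Options SAMEORIGIN"
        if value.startswith("ALLOW-FROM"):
            return "frameable", "X-Frame-Options ALLOW-FROM is obsolete and ignored by current browsers"
        return "frameable", "unrecognised X-Frame-Options value %r" % xfo[0]
    return "frameable", "no anti-framing header"


# Constructed sample responses for the example (not captured from any real site).
SAMPLE_RESPONSES = {
    "bare": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n",
    "xfo": "HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\n",
    "csp": ("HTTP/1.1 200 OK\r\n"
            "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
            "X-Frame-Options: SAMEORIGIN\r\n"),
}

if __name__ == "__main__":
    for name, raw in SAMPLE_RESPONSES.items():
        print(name, framing_policy(raw))
```

Note that the fix is a configuration matter, which supports putting the test under "Configuration and Deploy Management Testing": the header is usually set once at the web server or framework level rather than in each page.
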
On 30 August 2012 23:20, Jim Manico <jim.manico at owasp.org> wrote:

> I love you all.
>
> - Jim Manico
> OWASP Volunteer
>
>
>  Hi mat,
>>
>> Please consider also me!
>>
>> Ciao,
>> s.
>> -----Original Message-----
>> From: Matteo Meucci <matteo.meucci at owasp.org>
>> Sender: owasp-testing-bounces at lists.owasp.org
>> Date: Thu, 30 Aug 2012 22:18:07
>> To: Ismael Rocha <ismaelrocha.projetos at gmail.com>
>> Cc: <owasp-testing at lists.owasp.org>
>> Subject: Re: [Owasp-testing] Testing Guide V4 - Start up
>>
>> Hi Ismael,
>> that's great!
>>
>> ToC is a DRAFT now. We are at phase (1), we have to brainstorm now.
>>
>> Thanks,
>> Mat
>>
>>
>> On 08/30/2012 07:38 PM, Ismael Rocha wrote:
>>
>>> Hello Matteo.
>>>   I made a cross reference between Top Ten and Testing Guide for the
>>> Cheatsheet project Top Ten.
>>>   https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet
>>>   About the Table of Contents, is it the definitive one and we need only
>>> to assign the contributors or we are going to discuss the table of
>>> contents as well?
>>>   Regards.
>>>   Ismael Gonçalves
>>>
>>> On Thu, Aug 30, 2012 at 12:40 PM, Matteo Meucci <matteo.meucci at owasp.org> wrote:
>>>
>>>      Hi all Testing Guide contributors.
>>>
>>>      Testing Guide v4 has been approved as Projects Reboot 2012!
>>>      https://www.owasp.org/index.php/Projects_Reboot_2012
>>>
>>>      Here is the list of contributors I've collected:
>>>
>>>      Pavol Luptak
>>>      Marco Morana
>>>      Giorgio Fedon
>>>      Stefano Di Paola
>>>      Gianrico Ingrosso
>>>      Giuseppe Bonfà
>>>      Roberto Suggi Liverani
>>>      Robert Smith
>>>      Andrew Muller
>>>      Robert Winkel
>>>      tripurari rai
>>>      Thomas Ryan
>>>      tim bertels
>>>      Cecil Su
>>>      Aung KhAnt
>>>      Norbert Szetei
>>>      michael.boman
>>>      Wagner Elias
>>>      Kevin Horvat
>>>      Juan Galiana Lara
>>>      Kenan Gursoy
>>>      Jason Flood
>>>      Javier Marcos de Prado
>>>      Sumit Siddharth
>>>      Mike Hryekewicz
>>>      psiinon
>>>      Ray Schippers
>>>      Raul Siles
>>>      Jayanta Karmakar
>>>      Brad Causey
>>>      Vicente Aguilera
>>>      Ismael Gonçalves
>>>
>>>      Reviewers team:
>>>
>>>      Paolo Perego
>>>      Daniel Cuthbert
>>>      Matthew Churcher
>>>      Lode Vanstechelman
>>>      Sebastien Gioria
>>>
>>>
>>>      Introduction and Project purpose for v4:
>>>      =========================================
>>>      The OWASP Testing Guide v3 includes a "best practice" penetration
>>>      testing framework which users can implement in their own
>>>      organizations and a "low level" penetration testing guide that
>>>      describes techniques for testing most common web application and
>>>      web service security issues. Nowadays the Testing Guide has become
>>>      the standard to perform a Web Application Penetration Testing and
>>>      many Companies all around the world have adopted it.
>>>      It is vital for the project to maintain an updated project that
>>>      represents the state of the art for WebAppSec.
>>>
>>>      Project Roadmap
>>>      =============
>>>
>>>      - (1) 1st phase: Brainstorming and create a new table of contents
>>>
>>>      Objective: creating a new table of contents of the OTGv4
>>>      assigning a task for each contributor.
>>>      I created a new OWASP Testing Guide v4 table of Contents here:
>>>      https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
>>>
>>>      - (2) 2nd phase:  Writing
>>>      20th September 2012: Start writing the articles
>>>      1st November 2012: 1st Draft
>>>      30th November: end of writing phase
>>>
>>>      - (3) 3rd phase: Reviewing
>>>
>>>      - 1st December 2012: Starting the review phase,
>>>      - 15th December 2012: Create the RC1,
>>>      - 31st January 2013: Release the version 4.
>>>
>>>      Timeline November 2012 1st Draft, January 2013 Final Release
>>>
>>>      So, let's start discussion about phase (1)!
>>>
>>>      Thanks!
>>>      Mat
>>>
>>>      --
>>>      Matteo Meucci
>>>      OWASP Testing Guide Lead
>>>      OWASP-Italy President
>>>
>>>
>>>      _______________________________________________
>>>      Owasp-testing mailing list
>>>      Owasp-testing at lists.owasp.org
>>>      https://lists.owasp.org/mailman/listinfo/owasp-testing
>>>
>>>
>>>
>>>
>>> --
>>> Ismael Gonçalves
>>>
>>
> _______________________________________________
> Owasp-testing mailing list
> Owasp-testing at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-testing
>