[Owasp-testing] Testing Guide V4 - Start up

rick.mitchell at bell.ca
Fri Aug 31 12:20:27 UTC 2012


X-FRAME-OPTIONS only provides a solution for modern/recent browser versions. It also assumes that all the proxies, devices, browsers and plugins that touch the traffic along the way are friendly and don't drop the header.

We should be careful in how we're positioning use of X-FRAME-OPTIONS, Content Security Policy (CSP), and the Origin header as at various points in their lives their usefulness has overlapped greatly.
XFO:
https://developer.mozilla.org/en-US/docs/The_X-FRAME-OPTIONS_response_header
http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

CSP:
http://people.mozilla.com/~bsterne/content-security-policy/
https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html

Origin header:
http://people.mozilla.com/~bsterne/content-security-policy/origin-header-proposal.html

While X-FRAME-OPTIONS should be part of the solution we should probably also recommend use of some type of JS based solution in conjunction.
http://seclab.stanford.edu/websec/framebusting/framebust.pdf for more info.

On the topic of CAPTCHA testing I'd provide the following references for the consideration of whoever puts it together:
http://www.idontplaydarts.com/2012/01/extending-burp-suite-to-solve-recaptcha/
http://www.bonsai-sec.com/blog/index.php/breaking-weak-captcha-in-26-lines-of-code/ -> This one really hit home with me; I've used similar code and a batch script wrapper to loop through images and see if I can OCR them. It's also pretty simple to apply B&W filters or contrast modifications using simple code and the suggested libraries.

Rick
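As an added example (not part of Rick's mail or the Testing Guide itself), this is the kind of check a tester would run against a captured response to see how a browser that honours X-FRAME-OPTIONS would treat it; the sample response headers are constructed. It also flags the cases Rick's point rests on: an absent header, or a header that is present but would be ignored by the browser, leaves the page frameable unless a JS frame-buster is also in place.

```javascript
// Assess the X-Frame-Options header of one HTTP response.
// headers: an object of header name -> value (string, or array of strings
// when a server/proxy emitted the header more than once). Header names are
// matched case-insensitively, as browsers do.
// Browsers ignore the header entirely when it carries more than one value
// (e.g. "DENY, SAMEORIGIN") or an unknown token, so those cases are reported
// as unprotected rather than "partially protected".
function assessXFrameOptions(headers) {
  const values = [];
  for (const [name, raw] of Object.entries(headers)) {
    if (name.toLowerCase() !== 'x-frame-options') continue;
    const parts = Array.isArray(raw) ? raw : String(raw).split(',');
    for (const p of parts) values.push(p.trim());
  }
  if (values.length === 0) {
    return { verdict: 'unprotected', reason: 'header absent; page relies on JS frame-busting, if any' };
  }
  if (values.length > 1) {
    return { verdict: 'unprotected', reason: 'multiple values (' + values.join(' | ') + '); browsers ignore the header' };
  }
  const value = values[0];
  const upper = value.toUpperCase();
  if (upper === 'DENY') {
    return { verdict: 'protected', reason: 'DENY: page may never be framed' };
  }
  if (upper === 'SAMEORIGIN') {
    return { verdict: 'protected', reason: 'SAMEORIGIN: only same-origin pages may frame it' };
  }
  if (upper.startsWith('ALLOW-FROM ')) {
    // Only some browsers understand ALLOW-FROM; the others ignore the header.
    const origin = value.slice('ALLOW-FROM '.length).trim();
    return { verdict: 'partial', reason: 'ALLOW-FROM ' + origin + ': honoured by some browsers only' };
  }
  return { verdict: 'unprotected', reason: 'unrecognised value "' + value + '"; browsers ignore the header' };
}

// Constructed sample responses (not captured from any real site).
const constructedResponses = {
  hardened:    { 'Content-Type': 'text/html', 'X-Frame-Options': 'DENY' },
  conflicting: { 'content-type': 'text/html', 'x-frame-options': ['SAMEORIGIN', 'DENY'] },
  missing:     { 'content-type': 'text/html' },
};

for (const [label, hdrs] of Object.entries(constructedResponses)) {
  const r = assessXFrameOptions(hdrs);
  console.log(label + ': ' + r.verdict + ' (' + r.reason + ')');
}
```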

From: owasp-testing-bounces at lists.owasp.org [mailto:owasp-testing-bounces at lists.owasp.org] On Behalf Of Lode Vanstechelman
Sent: August 31, 2012 3:39 AM
To: owasp-testing at lists.owasp.org
Subject: Re: [Owasp-testing] Testing Guide V4 - Start up

Hello everyone,

When looking at the ToC, I see that "Logout function not properly implemented" is mentioned under "Authentication Testing", but shouldn't this be mentioned under "Session Management Testing" since this vulnerability is about the session which is not properly destroyed on the server?

Then I would also propose to add the following 2 vulnerabilities/test methods:

 1.  Clickjacking a.k.a. "Frameable response": I would propose to add this in section "Configuration and Deploy Management Testing" since this vulnerability can be solved by adding the header "X-FRAME-OPTIONS" to the responses.
 2.  CAPTCHAs: what are good ones and how can they be broken. I think this should be added in "Authentication testing".
Regards,
Lode

On 30 August 2012 23:20, Jim Manico <jim.manico at owasp.org> wrote:
I love you all.

- Jim Manico
OWASP Volunteer

Hi mat,

Please consider also me!

Ciao,
s.
-----Original Message-----
From: Matteo Meucci <matteo.meucci at owasp.org>
Sender: owasp-testing-bounces at lists.owasp.org
Date: Thu, 30 Aug 2012 22:18:07
To: Ismael Rocha <ismaelrocha.projetos at gmail.com>
Cc: <owasp-testing at lists.owasp.org>
Subject: Re: [Owasp-testing] Testing Guide V4 - Start up

Hi Ismael,
that's great!

ToC is a DRAFT now. We are at phase (1), we have to brainstorm now.

Thanks,
Mat


On 08/30/2012 07:38 PM, Ismael Rocha wrote:
Hello Matteo.
  I made a cross reference between Top Ten and Testing Guide for the
Cheatsheet project Top Ten.
  https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet
  About the Table of Contents, is it the definitive one and we need only
to assign the contributors or we are going to discuss the table of
contents as well?
  Regards.
  Ismael Gonçalves

On Thu, Aug 30, 2012 at 12:40 PM, Matteo Meucci <matteo.meucci at owasp.org> wrote:

     Hi all Testing Guide contributors.

     Testing Guide v4 has been approved as Projects Reboot 2012!
     https://www.owasp.org/index.php/Projects_Reboot_2012

     Here is the list of contributors I've collected:

     Pavol Luptak
     Marco Morana
     Giorgio Fedon
     Stefano Di Paola
     Gianrico Ingrosso
     Giuseppe Bonfà
     Roberto Suggi Liverani
     Robert Smith
     Andrew Muller
     Robert Winkel
     tripurari rai
     Thomas Ryan
     tim bertels
     Cecil Su
     Aung KhAnt
     Norbert Szetei
     michael.boman
     Wagner Elias
     Kevin Horvat
     Juan Galiana Lara
     Kenan Gursoy
     Jason Flood
     Javier Marcos de Prado
     Sumit Siddharth
     Mike Hryekewicz
     psiinon
     Ray Schippers
     Raul Siles
     Jayanta Karmakar
     Brad Causey
     Vicente Aguilera
     Ismael Gonçalves

     Reviewers team:

     Paolo Perego
     Daniel Cuthbert
     Matthew Churcher
     Lode Vanstechelman
     Sebastien Gioria


     Introduction and Project purpose for v4:
     =========================================
     The OWASP Testing Guide v3 includes a "best practice" penetration
     testing framework which users can implement in their own organizations
     and a "low level" penetration testing guide that describes techniques
     for testing most common web application and web service security
     issues. Nowadays the Testing Guide has become the standard to perform
     a Web Application Penetration Testing and many Companies all around
     the world have adopted it.
     It is vital for the project maintaining an updated project that
     represents the state of the art for WebAppSec.

     Project Roadmap
     =============

     - (1) 1st phase: Brainstorming and create a new table of contents

     Objective: creating a new table of contents of the OTGv4
     assigning a task for each contributor.
     I created a new OWASP Testing Guide v4 table of Contents here:
     https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents

     - (2) 2nd phase:  Writing
     20th September 2012: Start writing the articles
     1st November 2012: 1st Draft
     30th November: end of writing phase

     - (3) 3rd phase: Reviewing

     - 1st December 2012: Starting the review phase,
     - 15th December 2012: Create the RC1,
     - 31st January 2013: Release the version 4.

     Timeline November 2012 1st Draft, January 2013 Final Release

     So, let's start discussion about phase (1)!

     Thanks!
     Mat

     --
     Matteo Meucci
     OWASP Testing Guide Lead
     OWASP-Italy President


     _______________________________________________
     Owasp-testing mailing list
     Owasp-testing at lists.owasp.org
     https://lists.owasp.org/mailman/listinfo/owasp-testing




--
Ismael Gonçalves
