[Owasp-testing] Testing Guide V4 - Start up

Eduardo Castellanos guayin at gmail.com
Fri Aug 31 15:16:18 UTC 2012


Hello!

I like Ismael's suggestions; I think LFI/RFI might be covered under
"TESTING FOR PATH TRAVERSAL (OWASP-AZ-001)" on the OWASP 3 guide.

I would also like to add a section for CMS/COTS software. I've noticed a
trend to use a CMS as a base for webapps, and then add plugins for the
desired functionality. Sometimes people develop their own plugins. These
custom plugins end up being vulnerable most of the time. So maybe a
CMS/COTS Fingerprinting / Discovery section would make sense? We could leverage
OWASP projects such as Joomla Scan.


Eduardo Castellanos N.


On Fri, Aug 31, 2012 at 8:29 AM, Ismael Rocha <ismaelrocha.projetos at gmail.com> wrote:

> Hello all!
>
> The following are some points I've noticed we can improve/add/discuss.
> It's not organized, it's a brainstorm about some subjects. Maybe some of
> them are already related with some section.
> This weekend I'm gonna try to make it organized and submit it to the list.
>
> General
>     LFI/RFI
>
> Application Discovery
>     Entry points
>        -> Include Ajax as well
>
> ViewState tests (.NET/JSF)
>
> SQL Injection
>  Oracle
>   BlindSQLInjection
>   Out of band techniques
>  SQLite
>   Is it worth adding it?
>
> SSO SAML (SSO Profile)
>  -> Bind (post/get)
>  -> Token Signature
>  -> Anonymity
>  -> OneTimeUse
>  -> NotBefore
>  -> Local Logout
>  -> Global Logout
>  -> DoS
>
> DoS
>  -> Slow HTTP Get
>  -> Slow HTTP Post
>
> SSL Test
>  -> Enhance (maybe based on Qualys SSLlabs results and tests?)
>
> Evasive Techniques
>  -> Is it worth? One per section or one chapter?
>
> Top Ten X Testing Guide Cross-Reference Table
>
> About the chapter "Value The Real Risk", I think we have to fix the
> calculations.
> I think the risk rates (low and high) compared to the examples are wrong.
>
> Maybe some things I put here are too specific, but maybe it's worth thinking
> about one way to put them.
>
> Regards.
>
> Ismael Gonçalves
>
>
> On Fri, Aug 31, 2012 at 10:17 AM, Amro <amro at owasp.org> wrote:
>
>> We can add both based on the attack factor, while a list of WebScarab and
>> ZAP capabilities will leave the tester to decide what tool to use without
>> pushing him/her toward a particular one.
>>
>> Below are my suggestions:
>>
>> *(Dedicated section for relevant OWASP tools, as we need to attract
>> supporters)*
>>
>> *Tool Name:* X Y Z
>> *Project leader:* (This will help the project leader get
>> suggestions to improve his/her project)
>> *Short introduction:* (high-level introduction that should not exceed
>> one or two lines)
>> *Features:* (we can list them or provide a direct link to the project
>> wiki)
>> *Video tutorial:* (if applicable)
>> *Download:* (direct download link or the project wiki)
>>
>> And so on .......
>>
>> I think by doing the above we will hit two birds with one stone (market
>> our tools and leave the tester to decide what tool he/she needs the most
>> based on the tool features/capabilities).
>>
>> Regards,
>> Amro
>>
>>
>> On 8/31/12 2:48 PM, psiinon wrote:
>>
>> I'd definitely like to be closely involved in the ZAP related sections,
>> but very happy for Amro to lead on it.
>>
>> Cheers,
>>
>> Simon
>>
>> On Fri, Aug 31, 2012 at 11:28 AM, Matteo Meucci <matteo.meucci at owasp.org> wrote:
>>
>>> Hi Simon,
>>> yep I agree.
>>>
>>> Maybe we can distinguish as follows for each paragraph:
>>> - OWASP Tools:
>>>  (Flagship, Labs, Incubator, Archive)
>>> - Other Open Source tools:
>>>
>>> I think that a contributor should be dedicated to verifying which tests
>>> are suitable using ZAP (maybe Amro, who writes the Appendix A "Testing
>>> Tools")?
>>>
>>> Thanks,
>>> Mat
>>>
>>>
>>>
>>> On 08/31/2012 09:56 AM, psiinon wrote:
>>> > I think it's right for us to suggest an open source tool (or tools) for
>>> > using in each section, however I don't think we should view this as a
>>> > ZAP vs WebScarab contest.
>>> > We want to suggest the best possible tool, but I also think that it's
>>> > reasonable for us to prefer OWASP ones.
>>> > But we should also favour tools that are more mature and/or more
>>> > frequently updated.
>>> > For OWASP tools I think we can rely on the new classifications:
>>> > Flagship, Labs, Incubator, Archive.
>>> > So I think it's really a sliding scale.
>>> > If there's a Flagship OWASP project that is great at finding a specific
>>> > type of vulnerability then we should definitely use that as the
>>> > example.
>>> > If not then we have to balance how relevant that tool is likely to
>>> > remain.
>>> > A brand new Incubator project might be great in one specific case, but
>>> > may also not really be in a fit state for most people to use, or the
>>> > project may quickly wither and die.
>>> > And if a well regarded non-OWASP open source tool is the best option
>>> > then we should use that.
>>> >
>>> > Going back to ZAP, I obviously hope it will be the ideal tool in many
>>> > cases :)
>>> > And helping to establish if this is the case and explaining exactly how
>>> > ZAP can be used may be the most effective way I can contribute to this
>>> > guide.
>>> >
>>> > But I also want to use this process to learn where ZAP's weaknesses
>>> > are.
>>> > And depending on how long it takes to produce the guide we (the ZAP
>>> > developers) may be able to enhance specific areas of ZAP as the work on
>>> > the guide develops.
>>> > So please let me know asap if/when you work on an area of the guide
>>> > that you don't think ZAP is effective in helping with, or if you would like
>>> > advice and guidance on how to use ZAP as effectively as possible.
>>> >
>>> > Cheers,
>>> >
>>> > Simon (ZAP Project Lead)
>>> >
>>> > On Thu, Aug 30, 2012 at 10:18 PM, Matteo Meucci <matteo.meucci at owasp.org> wrote:
>>> >
>>> >     Perfect!
>>> >     I've updated the wiki, thanks!
>>> >
>>> >     Mat
>>> >
>>> >     On 08/30/2012 11:15 PM, Amro wrote:
>>> >     > Thanks Mat,
>>> >     >
>>> >     > Please assign this task to me and I will make sure that our tool
>>> >     sets are updated.
>>> >     >
>>> >     > Regards,
>>> >     > Amro
>>> >     > Sent from BlackBerry®. Excuse typo's and brevity.
>>> >     >
>>> >     > -----Original Message-----
>>> >     > From: Matteo Meucci <matteo.meucci at owasp.org>
>>> >     > Date: Thu, 30 Aug 2012 23:11:41
>>> >     > To: <amro at owasp.org>
>>> >     > Cc: <owasp-testing-bounces at lists.owasp.org>; <owasp-testing at lists.owasp.org>
>>> >     > Subject: Re: [Owasp-testing] Testing Guide V4 - Start up
>>> >     >
>>> >     > Hi Amro,
>>> >     > good question related to the tools. Here we have to update many
>>> >     > references.
>>> >     >
>>> >     > Usually at the end of each article we suggest using a particular
>>> >     > open source tool to perform the test. I think we can use and suggest
>>> >     > both the tools in many situations.
>>> >     > Also the Appendix A "Testing Tools" should pick all the testing
>>> >     > tools cited in the Testing Guide and give more details.
>>> >     >
>>> >     > Thanks,
>>> >     > Mat
>>> >     >
>>> >     > On 08/30/2012 10:58 PM, Amro wrote:
>>> >     >> Please count me in as well .. Are we gonna use ZAP instead of
>>> >     >> WebScarab in the new version?
>>> >     >>
>>> >     >> Regards,
>>> >     >> Amro
>>> >     >> Sent from BlackBerry®. Excuse typo's and brevity.
>>> >     >>
>>> >     >> -----Original Message-----
>>> >     >> From: Matteo Meucci <matteo.meucci at owasp.org>
>>> >     >> Sender: owasp-testing-bounces at lists.owasp.org
>>> >     >> Date: Thu, 30 Aug 2012 17:40:29
>>> >     >> To: <owasp-testing at lists.owasp.org>
>>> >     >> Subject: [Owasp-testing] Testing Guide V4 - Start up
>>> >     >>
>>> >     >> Hi all Testing Guide contributors.
>>> >     >>
>>> >     >> Testing Guide v4 has been approved as Projects Reboot 2012!
>>> >     >> https://www.owasp.org/index.php/Projects_Reboot_2012
>>> >     >>
>>> >     >> Here is the list of contributors I've collected:
>>> >     >>
>>> >     >> Pavol Luptak
>>> >     >> Marco Morana
>>> >     >> Giorgio Fedon
>>> >     >> Stefano Di Paola
>>> >     >> Gianrico Ingrosso
>>> >     >> Giuseppe Bonfà
>>> >     >> Roberto Suggi Liverani
>>> >     >> Robert Smith
>>> >     >> Andrew Muller
>>> >     >> Robert Winkel
>>> >     >> tripurari rai
>>> >     >> Thomas Ryan
>>> >     >> tim bertels
>>> >     >> Cecil Su
>>> >     >> Aung KhAnt
>>> >     >> Norbert Szetei
>>> >     >> michael.boman
>>> >     >> Wagner Elias
>>> >     >> Kevin Horvat
>>> >     >> Juan Galiana Lara
>>> >     >> Kenan Gursoy
>>> >     >> Jason Flood
>>> >     >> Javier Marcos de Prado
>>> >     >> Sumit Siddharth
>>> >     >> Mike Hryekewicz
>>> >     >> psiinon
>>> >     >> Ray Schippers
>>> >     >> Raul Siles
>>> >     >> Jayanta Karmakar
>>> >     >> Brad Causey
>>> >     >> Vicente Aguilera
>>> >     >> Ismael Gonçalves
>>> >     >>
>>> >     >> Reviewers team:
>>> >     >>
>>> >     >> Paolo Perego
>>> >     >> Daniel Cuthbert
>>> >     >> Matthew Churcher
>>> >     >> Lode Vanstechelman
>>> >     >> Sebastien Gioria
>>> >     >>
>>> >     >>
>>> >     >> Introduction and Project purpose for v4:
>>> >     >> =========================================
>>> >     >> The OWASP Testing Guide v3 includes a "best practice" penetration
>>> >     >> testing framework which users can implement in their own
>>> >     >> organizations and a "low level" penetration testing guide that
>>> >     >> describes techniques for testing most common web application and
>>> >     >> web service security issues. Nowadays the Testing Guide has become
>>> >     >> the standard to perform a Web Application Penetration Test and
>>> >     >> many companies all around the world have adopted it.
>>> >     >> It is vital for the project to maintain an updated project that
>>> >     >> represents the state of the art for WebAppSec.
>>> >     >>
>>> >     >> Project Roadmap
>>> >     >> =============
>>> >     >>
>>> >     >> - (1) 1st phase: Brainstorming and create a new table of contents
>>> >     >>
>>> >     >> Objective: creating a new table of contents of the OTGv4
>>> >     >> assigning a task for each contributor.
>>> >     >> I created a new OWASP Testing Guide v4 table of Contents here:
>>> >     >>
>>> >     >> https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
>>> >     >>
>>> >     >> - (2) 2nd phase:  Writing
>>> >     >> 20th September 2012: Start writing the articles
>>> >     >> 1st November 2012: 1st Draft
>>> >     >> 30th November: end of writing phase
>>> >     >>
>>> >     >> - (3) 3rd phase: Reviewing
>>> >     >>
>>> >     >> - 1st December 2012: Starting the review phase,
>>> >     >> - 15th December 2012: Create the RC1,
>>> >     >> - 31st January 2013: Release the version 4.
>>> >     >>
>>> >     >> Timeline November 2012 1st Draft, January 2013 Final Release
>>> >     >>
>>> >     >> So, let's start discussion about phase (1)!
>>> >     >>
>>> >     >> Thanks!
>>> >     >> Mat
>>> >     >>
>>> >     >> --
>>> >     >> Matteo Meucci
>>> >     >> OWASP Testing Guide Lead
>>> >     >> OWASP-Italy President
>>> >     >>
>>> >     >>
>>> >     >> _______________________________________________
>>> >     >> Owasp-testing mailing list
>>> >     >> Owasp-testing at lists.owasp.org
>>> >     >> https://lists.owasp.org/mailman/listinfo/owasp-testing
>>> >     >>
>>> >     >
>>> >
>>> >     --
>>> >     Matteo Meucci
>>> >     OWASP Testing Guide Lead
>>> >     OWASP Italy President
>>> >
>>> >
>>> >
>>> >
>>> > --
>>> > OWASP ZAP: Toolsmith Tool of the Year 2011
>>> > <http://holisticinfosec.blogspot.com/2012/02/2011-toolsmith-tool-of-year-owasp-zap.html>
>>>
>>> --
>>> Matteo Meucci
>>> OWASP Testing Guide Lead
>>> OWASP Italy President
>>>
>>
>>
>>
>> --
>> OWASP ZAP: Toolsmith Tool of the Year 2011
>> <http://holisticinfosec.blogspot.com/2012/02/2011-toolsmith-tool-of-year-owasp-zap.html>
>>
>>
>>
>>
>>
>>
>
>
> --
> Ismael Gonçalves
>
>
>