[Owasp-testing] Testing Guide v4: 2nd phase: Writing

Ismael Rocha ismaelrocha.projetos at gmail.com
Tue Oct 16 14:25:09 UTC 2012

Hello All!

Here follows my feedback about the draft ToC:

*4.3 Configuration and Deploy Management Testing*

Ismael >> Somebody suggested previously to test for sensitive information
in logs.
Assuming that there is a test for connection strings, couldn't we also check
for sensitive information in logs?
And this is the kind of test where, if we are covering only black box tests,
in theory the tester would need to gain access in some way in order to
perform the test.

Ismael >> About Unpatched components and libraries (e.g. JavaScript
libraries) [New! NOTE: to discuss it]:
I think this could be covered inside OWASP-CM-001/OWASP-CM-002.

*4.4 Authentication Testing*
Failure to restrict access to authenticated resource [New!]
Ismael >> Isn't it authorization?

*4.5 Session Management Testing*

4.5.2 Testing for Cookies attributes (Cookies are set not 'HTTP Only',
'Secure', and no time validity) (OWASP-SM-002)
4.5.6 Testing for Session token not restricted properly (such as domain or
path not set properly) (OWASP-SM-006)
Ismael >> Couldn't these tests be covered under the same item?

*4.6 Authorization Testing*
4.6.2 Testing for bypassing authorization schema (OWASP-AZ-002)
4.6.5 Testing for Failure to Restrict access to authorized resource
(OWASP-AZ-005) [New!]
Ismael >> Is 4.6.5 a test in which the tester would check for resources
that were supposed to be protected and actually are not (e.g. Top Ten A8)?
What's the difference between 4.6.2 and 4.6.5? Looking at the Testing Guide
V3, I understand that 4.6.5 is already covered.

*Other comments:*
Aren't we covering Testing for HTTP DoS? Do you guys think it isn't worth
covering this kind of DoS test?


Ismael Gonçalves
On Fri, Oct 12, 2012 at 3:26 PM, Tom A. Eston <teston at securestate.com> wrote:

> Matteo,
> I can write the Web Service Testing section (XML Interpreter).  However,
> as part of the web service testing methodology I assisted on for Black Hat
> USA last year there are other items to include besides how to exploit the
> areas listed in the XML Interpreter section.  For example, I'd like to
> include items specific to information gathering and web services and
> testing for web service management misconfigurations (example: Axis2 or
> GlassFish).  These two sections could be added to sections 4.2 and 4.3
> respectively.  BPEL testing should also be added to the XML Interpreter
> section as well.  Also, can we reference the section "XML Interpreter" as
> "Web Services" instead?  Or could you name it "XML Interpreter (Web
> Services)" for context clarification and for ease of reference?
> Thanks,
> Tom Eston | Manager, Profiling & Penetration Team | SecureState
> 216.927.8200 - office| 216.927.8266 - direct | 440.670.3798 - mobile
> -----Original Message-----
> From: Matteo Meucci [mailto:matteo.meucci at owasp.org]
> Sent: Tuesday, October 09, 2012 11:37 AM
> To: owasp-testing at lists.owasp.org
> Subject: [Owasp-testing] Testing Guide v4: 2nd phase: Writing
> Hi all,
> I've reviewed the ToC and added a new paragraph for each new issue to write.
> https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents#4._Web_Application_Penetration_Testing
> For example a new article will be like that:
> https://www.owasp.org/index.php/Testing_for_HTTP_Parameter_pollution_%28OWASP-DV-004%29
> Regarding the set of articles to review I linked the v3 articles with the
> idea to modify that.
> For example:
> https://www.owasp.org/index.php/Testing_for_Reflected_Cross_site_scripting_%28OWASP-DV-001%29
> So from now the wiki will be our draft for v4 and v3 will be available
> only via PDF.
> Many of you are not assigned to an article.
> Please, from now on, tell me what section you would like to write. We have to
> assign all the articles in the next few days.
> Feedback: The ToC is completed at 90%, please send me your feedback about
> the new ToC and my notes in the ToC.
> Now we can start writing!
> Please keep me updated (I monitor all the changes on the wiki). Use the ml
> for general discussion and my email for specific issues.
> Thanks,
> Mat
> --
> Matteo Meucci
> OWASP Testing Guide Lead
> OWASP Italy President
> _______________________________________________
> Owasp-testing mailing list
> Owasp-testing at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-testing

Ismael Gonçalves
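As an added illustration of the point raised above about 4.5.2 (OWASP-SM-002) and 4.5.6 (OWASP-SM-006), here is a small Python script that is not part of this thread or of the Testing Guide: it inspects Set-Cookie header values for HttpOnly, Secure, time validity, and Domain/Path scope in a single pass, which is what covering both items under one test would look like in practice. The sample headers, the hostname `www.example.test` and the application path `/app` are constructed for this example.

```python
"""Audit Set-Cookie header values for the attributes named in ToC items
OWASP-SM-002 (HttpOnly, Secure, time validity) and OWASP-SM-006
(Domain/Path scope). Sample data below is constructed for this example."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple, Union

# Constructed sample headers (not captured from any real application).
WEAK_HEADER = "SESSIONID=abc123; Path=/; Domain=.example.test"
STRONG_HEADER = "SESSIONID=abc123; Path=/app; Secure; HttpOnly; Max-Age=1800"


@dataclass
class CookieReport:
    name: str
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, Union[str, bool]]]:
    """Split a Set-Cookie value into the cookie name and a dict of attributes.
    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to True."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, Union[str, bool]] = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            attrs[part.lower()] = True
    return name, attrs


def check_cookie(header: str, site_host: str = "www.example.test",
                 app_path: str = "/app") -> CookieReport:
    """Return a report listing every weak or missing attribute on the cookie.
    site_host and app_path are assumptions about where the cookie is issued."""
    name, attrs = parse_set_cookie(header)
    report = CookieReport(name)

    # OWASP-SM-002: protection flags and time validity
    if "httponly" not in attrs:
        report.findings.append("missing HttpOnly")
    if "secure" not in attrs:
        report.findings.append("missing Secure")
    if "expires" not in attrs and "max-age" not in attrs:
        report.findings.append("no Expires/Max-Age (time validity not set)")

    # OWASP-SM-006: Domain scope. No Domain attribute means host-only, which
    # is the most restrictive choice, so only an explicit value is examined.
    domain = attrs.get("domain")
    if isinstance(domain, str):
        dom = domain.lstrip(".").lower()
        host = site_host.lower()
        if dom != host and host.endswith("." + dom):
            report.findings.append(
                f"Domain={domain} is broader than host {site_host} (shared with all subdomains)")
        elif dom != host:
            report.findings.append(f"Domain={domain} does not match host {site_host}")

    # OWASP-SM-006: Path scope. A missing Path defaults to the request path's
    # directory; Path=/ exposes the cookie to every application on the host.
    path = attrs.get("path")
    if not isinstance(path, str):
        report.findings.append("Path not set explicitly")
    elif path == "/" and app_path != "/":
        report.findings.append(f"Path=/ is broader than application path {app_path}")

    return report


def audit(headers: List[str]) -> Dict[str, List[str]]:
    """Audit several Set-Cookie values; returns cookie name -> findings."""
    return {r.name: r.findings for r in (check_cookie(h) for h in headers)}


if __name__ == "__main__":
    for header in (WEAK_HEADER, STRONG_HEADER):
        result = check_cookie(header)
        status = "OK" if not result.findings else "; ".join(result.findings)
        print(f"{header}\n  -> {status}")
```

The Domain and Path checks are the ones that need to know where the cookie is issued, which is why the function takes `site_host` and `app_path` as parameters rather than hard-coding them; in a black box test these come from the target URL being exercised.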