[Owasp-testing] Testing Guide v4: 2nd phase: Writing

Matteo Meucci matteo.meucci at owasp.org
Tue Oct 16 14:48:52 UTC 2012

Hi Ismael,
thank you for your notes.

On 10/16/2012 04:25 PM, Ismael Rocha wrote:
> Hello All!
> Here is my feedback about the draft ToC:
> *4.3 Configuration and Deploy Management Testing*
> Ismael >> Somebody previously suggested testing for sensitive
> information in logs.
> Assuming that there is a test for connection strings, couldn't we also
> check for sensitive information in logs?
> And this is the kind of test where, if we are covering only black box
> tests, in theory the tester would need to gain access in some way in
> order to perform the test.
> Ismael >> About Unpatched components and libraries (e.g. JavaScript
> libraries) [New! NOTE: to discuss it]:
> I think this could be covered inside OWASP-CM-001/OWASP-CM-002.

Yes, I agree

> *4.4 Authentication Testing *
> Failure to restrict access to authenticated resource [New!]
> Ismael  >> Isn't it authorization?

No, the idea here is to verify whether all the resources that require
authentication are also accessible when a user is not authenticated

> *4.5 Session Management Testing*
> 4.5.2 Testing for Cookies attributes (Cookies are set without 'HttpOnly',
> 'Secure', and with no time validity) (OWASP-SM-002)
> 4.5.6 Testing for Session token not restricted properly (such as domain
> or path not set properly) (OWASP-SM-006)
> Ismael >> Couldn't these tests be covered under the same item?

Yes, I agree. Maybe Testing for cookie attributes can also cover 4.5.6?

> *4.6 Authorization Testing*
> 4.6.2 Testing for bypassing authorization schema (OWASP-AZ-002)
> 4.6.5 Testing for Failure to Restrict access to authorized resource
> (OWASP-AZ-005) [New!]
> Ismael >> Is 4.6.5 a test in which the tester would check for
> resources that were supposed to be protected and actually are not (e.g.
> Top Ten A8)? What's the difference between 4.6.2 and 4.6.5? Looking at
> the Testing Guide v3 I understand that 4.6.5 is already covered.

We need to make this test more explicit because it is one of the Top 10
risks. Maybe we can merge them and eliminate 4.6.2?

> *Other comments:*
> Aren't we covering Testing for HTTP DoS? Do you guys think it isn't worth
> covering this kind of DoS test?
> Regards.
> Ismael Gonçalves

No one is modifying the wiki, so I'm going to send emails to the authors
asking for a plan.


> On Fri, Oct 12, 2012 at 3:26 PM, Tom A. Eston <teston at securestate.com> wrote:
>     Matteo,
>     I can write the Web Service Testing section (XML Interpreter).
>      However, as part of the web service testing methodology I assisted
>     on for Black Hat USA last year there are other items to include
>     besides how to exploit the areas listed in the XML Interpreter
>     section.  For example, I'd like to include items specific to
>     information gathering and web services and testing for web service
>     management misconfigurations (example: Axis2 or GlassFish).  These
>     two sections could be added to sections 4.2 and 4.3 respectively.
>      BPEL testing should also be added to the XML Interpreter section as
>     well.  Also, can we reference the section "XML Interpreter" as "Web
>     Services" instead?  Or could you name it "XML Interpreter (Web
>     Services)" for context clarification and for ease of reference?
>     Thanks,
>     Tom Eston | Manager, Profiling & Penetration Team | SecureState
>     216.927.8200 - office | 216.927.8266 - direct | 440.670.3798 - mobile
>     -----Original Message-----
>     From: Matteo Meucci [mailto:matteo.meucci at owasp.org]
>     Sent: Tuesday, October 09, 2012 11:37 AM
>     To: owasp-testing at lists.owasp.org
>     Subject: [Owasp-testing] Testing Guide v4: 2nd phase: Writing
>     Hi all,
>     I've reviewed the ToC and added a new paragraph for each new issue to
>     write.
>     https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents#4._Web_Application_Penetration_Testing
>     For example a new article will be like that:
>     https://www.owasp.org/index.php/Testing_for_HTTP_Parameter_pollution_%28OWASP-DV-004%29
>     Regarding the set of articles to review, I linked the v3 articles
>     with the idea of modifying them.
>     For example:
>     https://www.owasp.org/index.php/Testing_for_Reflected_Cross_site_scripting_%28OWASP-DV-001%29
>     So from now the wiki will be our draft for v4 and v3 will be
>     available only via PDF.
>     Many of you are not assigned to an article.
>     Please, from now tell me what section would you like to write. We
>     have to assign all the articles in the next few days.
>     Feedback: the ToC is 90% complete; please send me your feedback
>     about the new ToC and my notes in the ToC.
>     Now we can start writing!
>     Please keep me updated (I monitor all the changes on the wiki). Use
>     the mailing list for general discussion and my email for specific issues.
>     Thanks,
>     Mat
>     --
>     Matteo Meucci
>     OWASP Testing Guide Lead
>     OWASP Italy President
>     _______________________________________________
>     Owasp-testing mailing list
>     Owasp-testing at lists.owasp.org
>     https://lists.owasp.org/mailman/listinfo/owasp-testing
> -- 
> Ismael Gonçalves

Matteo Meucci
OWASP Testing Guide Lead
OWASP Italy President
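One way to automate the merged cookie-attribute test discussed above (4.5.2 and 4.5.6 in the draft ToC: HttpOnly, Secure, time validity, Domain and Path), as an added example that is not part of this thread or of the Testing Guide itself. The Set-Cookie headers below are constructed for illustration; the issuing host and the application path are assumed inputs the tester knows from the engagement.

```python
"""Added example: check Set-Cookie headers for the weaknesses the draft ToC
groups under OWASP-SM-002 and OWASP-SM-006 (missing HttpOnly/Secure, no
expiry, and Domain/Path broader than the application).  Sample headers are
constructed for illustration; host and application path are assumed inputs."""

from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False
    httponly: bool = False
    expires: Optional[str] = None
    max_age: Optional[str] = None
    domain: Optional[str] = None
    path: Optional[str] = None


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value (attribute names are case-insensitive)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.httponly = True
        elif key == "expires":
            cookie.expires = val
        elif key == "max-age":
            cookie.max_age = val
        elif key == "domain":
            # Browsers ignore a leading dot; normalise it away for comparison.
            cookie.domain = val.lower().lstrip(".")
        elif key == "path":
            cookie.path = val
    return cookie


def audit_cookie(cookie: Cookie, host: str, app_path: str = "/") -> List[str]:
    """Return the findings for one cookie.

    host     - host that issued the cookie, e.g. "app.example.com"
    app_path - path prefix the application actually lives under
    """
    findings: List[str] = []
    if not cookie.secure:
        findings.append("missing Secure: cookie will also be sent over plain HTTP")
    if not cookie.httponly:
        findings.append("missing HttpOnly: cookie readable from script (XSS)")
    if cookie.expires is None and cookie.max_age is None:
        findings.append("no Expires/Max-Age: lifetime is left to the browser session")
    # Domain=parent makes the cookie valid for every subdomain of parent,
    # so any Domain other than the issuing host itself widens its scope.
    if cookie.domain is not None and cookie.domain != host.lower():
        findings.append(f"Domain={cookie.domain} is broader than issuing host {host}")
    # Path is over-broad when it is a strict prefix of the application path
    # (the classic case being Path=/ for an application served under /app).
    path = (cookie.path or "/").rstrip("/") or "/"
    app = app_path.rstrip("/") or "/"
    if path != app and (path == "/" or app.startswith(path + "/")):
        findings.append(f"Path={cookie.path or '/'} is broader than application path {app_path}")
    return findings


def audit_headers(headers: List[str], host: str,
                  app_path: str = "/") -> List[Tuple[str, List[str]]]:
    """Audit every Set-Cookie header of one response as (name, findings) pairs."""
    return [(c.name, audit_cookie(c, host, app_path))
            for c in map(parse_set_cookie, headers)]


# Constructed sample: the same session cookie issued weakly and then hardened.
SAMPLE_HEADERS = [
    "JSESSIONID=0D1E2F3A4B5C6D7E; Domain=example.com; Path=/",
    "JSESSIONID=0D1E2F3A4B5C6D7E; Secure; HttpOnly; Max-Age=1800; "
    "Domain=app.example.com; Path=/app; SameSite=Strict",
]

if __name__ == "__main__":
    for name, findings in audit_headers(SAMPLE_HEADERS, "app.example.com", "/app"):
        for finding in findings or ["ok"]:
            print(f"{name}: {finding}")
```

The checker reports the weak header five times (no Secure, no HttpOnly, no expiry, parent-domain scope, root path) and the hardened one not at all; in an engagement you would feed it the raw Set-Cookie headers captured from the login response and any other response that issues or refreshes the session token.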
