[Owasp-testing] Testing Guide v4: 2nd phase: Writing

Simone Onofri simone.onofri at gmail.com
Tue Oct 16 19:07:59 UTC 2012


Hi all,

I'm for: 4.3.8 Testing for Content Security Policy weakness (OWASP-CM-008)

ask me if something else is needed.

s.

On Tue, Oct 16, 2012 at 4:48 PM, Matteo Meucci <matteo.meucci at owasp.org> wrote:
> Hi Ismael,
> thank you for your notes.
>
> On 10/16/2012 04:25 PM, Ismael Rocha wrote:
>> Hello All!
>>
>> Here is my feedback on the draft ToC:
>>
>> *4.3 Configuration and Deploy Management Testing*
>>
>> Ismael >> Somebody previously suggested testing for sensitive
>> information in logs.
>> Assuming that there is a test for connection strings, couldn't we also
>> check for sensitive information in logs?
>> And this is the kind of test where, if we are covering only black-box
>> tests, in theory the tester would need to gain
>> access in some way before they could perform the test.
>>
>> Ismael >> About Unpatched components and libraries (e.g. JavaScript
>> libraries) [New! NOTE: to discuss it]:
>> I think this could be covered inside OWASP-CM-001/OWASP-CM-002.
>
> Yes, I agree
>
>> *4.4 Authentication Testing*
>> Failure to restrict access to authenticated resource [New!]
>> Ismael >> Isn't it authorization?
>
> No, the idea here is to verify whether all the resources that require
> authentication are also accessible when a user is not authenticated
>
>
>> *4.5 Session Management Testing*
>>
>> 4.5.2 Testing for Cookies attributes (Cookies are set not ‘HTTP Only’,
>> ‘Secure’, and no time validity) (OWASP-SM-002)
>> 4.5.6 Testing for Session token not restricted properly (such as domain
>> or path not set properly) (OWASP-SM-006)
>> Ismael >> Couldn't these tests be covered under the same item?
>
> Yes, I agree. Maybe Testing for cookie attributes can also test for 4.5.6?
>
>>
>> *4.6 Authorization Testing*
>> 4.6.2 Testing for bypassing authorization schema (OWASP-AZ-002)
>> 4.6.5 Testing for Failure to Restrict access to authorized resource
>> (OWASP-AZ-005) [New!]
>> Ismael>> Is 4.6.5 a test in which the tester would check for
>> resources that were supposed to be protected and actually are not (e.g.
>> Top Ten A8)? What's the difference between 4.6.2 and 4.6.5? Looking at
>> the Testing Guide V3, I understand 4.6.5 is already covered.
>
> We need to make this test more explicit because it is one of the Top 10
> risks. Maybe we can merge them and eliminate 4.6.2?
>
>
>>
>> *Other comments:*
>> Aren't we covering testing for HTTP DoS? Do you guys think it isn't worth
>> covering this kind of DoS test?
>>
>> Regards.
>>
>> Ismael Gonçalves
>
> No one is modifying the wiki, so I'm going to send emails to the authors
> asking for a plan.
>
> Thanks!
> Mat
>
>
>> On Fri, Oct 12, 2012 at 3:26 PM, Tom A. Eston <teston at securestate.com>
>> wrote:
>>
>>     Matteo,
>>
>>     I can write the Web Service Testing section (XML Interpreter).
>>     However, as part of the web service testing methodology I assisted
>>     on for Black Hat USA last year there are other items to include
>>     besides how to exploit the areas listed in the XML Interpreter
>>     section.  For example, I'd like to include items specific to
>>     information gathering and web services and testing for web service
>>     management misconfigurations (example: Axis2 or GlassFish).  These
>>     two sections could be added to sections 4.2 and 4.3 respectively.
>>     BPEL testing should also be added to the XML Interpreter section as
>>     well.  Also, can we reference the section "XML Interpreter" as "Web
>>     Services" instead?  Or could you name it "XML Interpreter (Web
>>     Services)" for context clarification and for ease of reference?
>>
>>     Thanks,
>>
>>     Tom Eston | Manager, Profiling & Penetration Team | SecureState
>>     216.927.8200 - office | 216.927.8266 - direct | 440.670.3798 - mobile
>>
>>
>>     -----Original Message-----
>>     From: Matteo Meucci [mailto:matteo.meucci at owasp.org]
>>     Sent: Tuesday, October 09, 2012 11:37 AM
>>     To: owasp-testing at lists.owasp.org
>>     Subject: [Owasp-testing] Testing Guide v4: 2nd phase: Writing
>>
>>     Hi all,
>>     I've reviewed the ToC and added a new paragraph for each new issue to
>>     write.
>>     https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents#4._Web_Application_Penetration_Testing
>>
>>     For example a new article will be like that:
>>     https://www.owasp.org/index.php/Testing_for_HTTP_Parameter_pollution_%28OWASP-DV-004%29
>>
>>     Regarding the set of articles to review, I linked the v3 articles
>>     with the idea of modifying them.
>>     For example:
>>     https://www.owasp.org/index.php/Testing_for_Reflected_Cross_site_scripting_%28OWASP-DV-001%29
>>
>>     So from now the wiki will be our draft for v4 and v3 will be
>>     available only via PDF.
>>
>>     Many of you are not assigned to an article.
>>     From now on, please tell me which section you would like to write. We
>>     have to assign all the articles in the next few days.
>>
>>     Feedback: the ToC is 90% complete; please send me your feedback
>>     about the new ToC and my notes in the ToC.
>>
>>     Now we can start writing!
>>     Please keep me updated (I monitor all the changes on the wiki). Use
>>     the ml for general discussion and my email for specific issues.
>>
>>     Thanks,
>>     Mat
>>
>>
>>     --
>>     Matteo Meucci
>>     OWASP Testing Guide Lead
>>     OWASP Italy President
>>     _______________________________________________
>>     Owasp-testing mailing list
>>     Owasp-testing at lists.owasp.org
>>     https://lists.owasp.org/mailman/listinfo/owasp-testing
>>
>>
>>
>>
>>
>>
>> --
>> Ismael Gonçalves
>
> --
> Matteo Meucci
> OWASP Testing Guide Lead
> OWASP Italy President
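The two session-management items Ismael proposes merging (cookie attributes, and Domain/Path not set properly) and the CSP weakness test Simone volunteered for all come down to inspecting response headers. As an added example, not code from the Testing Guide or from any author in this thread, the Python script below audits a set of response headers for those weaknesses. The application host and base path, the sample headers, and the list of script sources treated as weak are assumptions constructed for the illustration.

```python
"""Added example, not code from the Testing Guide: audit response headers for
the cookie-attribute weaknesses of OWASP-SM-002/OWASP-SM-006 and the CSP
weaknesses of OWASP-CM-008. The sample headers at the bottom are constructed."""

# Script sources that a tester would normally flag as weak (assumed list).
WEAK_SCRIPT_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'",
                       "data:", "blob:", "http:", "https:"}


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, value, {lowercase attr: val})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()  # flags like Secure map to ''
    return name.strip(), value.strip(), attrs


def check_cookie(header_value, app_host, app_path="/"):
    """Weaknesses of one Set-Cookie header, given where the app really lives."""
    name, _, attrs = parse_set_cookie(header_value)
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: document.cookie can read it")
    if "secure" not in attrs:
        findings.append("missing Secure: browser will send it over plain HTTP")
    if "expires" in attrs or "max-age" in attrs:
        findings.append("persistent: survives browser close, check the lifetime")
    domain = attrs.get("domain", "").lstrip(".").lower()
    if domain and domain != app_host.lower():
        findings.append(f"Domain={attrs['domain']} is broader than {app_host}")
    # Compare paths segment-wise: Path=/ is broader than /app, Path=/ap is not.
    # A missing Path is treated as the app path (real default: request directory).
    path = attrs.get("path", app_path).rstrip("/") + "/"
    app = app_path.rstrip("/") + "/"
    if app.startswith(path) and path != app:
        findings.append(f"Path={attrs['path']} is broader than the app path {app_path}")
    return name, findings


def parse_csp(header_value):
    """Turn 'dir src src; dir src' into {directive: [sources]}."""
    policy = {}
    for directive in header_value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def check_csp(header_value):
    """Weaknesses of a Content-Security-Policy header (None = header absent)."""
    if header_value is None:
        return ["no Content-Security-Policy header"]
    policy = parse_csp(header_value)
    findings = []
    if "default-src" not in policy:
        findings.append("no default-src: unlisted fetch directives are unrestricted")
    scripts = policy.get("script-src", policy.get("default-src", []))  # CSP fallback
    nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                        for s in scripts)
    for src in scripts:
        low = src.lower()
        if low == "'unsafe-inline'" and nonce_or_hash:
            continue  # CSP2+ browsers ignore 'unsafe-inline' once a nonce/hash is present
        if low in WEAK_SCRIPT_SOURCES or low.startswith("*."):
            findings.append(f"script-src allows {src}")
    objects = policy.get("object-src", policy.get("default-src"))
    if objects is not None and [o.lower() for o in objects] != ["'none'"]:
        findings.append("object-src is not 'none': plugin content can run script")
    return findings


def audit_headers(headers, app_host, app_path="/"):
    """Map 'cookie:<name>' and 'csp' to finding lists for (name, value) pairs."""
    report = {"csp": check_csp(None)}  # overwritten if a CSP header is present
    for hname, value in headers:
        if hname.lower() == "set-cookie":
            name, findings = check_cookie(value, app_host, app_path)
            report[f"cookie:{name}"] = findings
        elif hname.lower() == "content-security-policy":
            report["csp"] = check_csp(value)
    return report


# Constructed sample response, as if captured from https://app.example.com/app/
SAMPLE_HEADERS = [
    ("Set-Cookie", "JSESSIONID=8a1f3c9d; Path=/; Domain=.example.com; "
                   "Expires=Wed, 01 Jan 2025 00:00:00 GMT"),
    ("Set-Cookie", "csrftoken=k2j4h6; Path=/app; Secure; HttpOnly; SameSite=Strict"),
    ("Content-Security-Policy", "script-src 'self' 'unsafe-inline' https:; img-src *"),
]

if __name__ == "__main__":
    for target, findings in audit_headers(SAMPLE_HEADERS, "app.example.com", "/app").items():
        print(target, "->", "; ".join(findings) or "ok")
```

The Domain and Path checks only make sense relative to the host and base path the application is actually served under, which is why the checker takes them as arguments rather than inferring anything from the cookie itself; the CSP check applies the script-src-falls-back-to-default-src rule so a policy with only default-src is judged correctly.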