[Owasp-testing] Testing Guide v4: 2nd phase: Writing

Matteo Meucci matteo.meucci at owasp.org
Tue Oct 16 21:59:57 UTC 2012


Thank you Simone.
I just put your name on the paragraph.

Thanks!
Mat

On 10/16/2012 09:07 PM, Simone Onofri wrote:
> hi all,
> 
> i'm for: 4.3.8 Testing for Content Security Policy weakness (OWASP-CM-008)
> 
> ask me if something else is needed.
> 
> s.
> 
> On Tue, Oct 16, 2012 at 4:48 PM, Matteo Meucci <matteo.meucci at owasp.org> wrote:
>> Hi Ismael,
>> thank you for your notes.
>>
>> On 10/16/2012 04:25 PM, Ismael Rocha wrote:
>>> Hello All!
>>>
>>> Here is my feedback about the draft ToC:
>>>
>>> *4.3 Configuration and Deploy Management Testing *
>>>
>>> Ismael >> Somebody suggested previously to test for sensitive
>>> information in logs.
>>> Assuming that there is a test for connection strings, couldn't we also
>>> check for sensitive information in logs?
>>> And for this kind of test, if we are covering only black box tests, in
>>> theory the tester would need to gain access in a way that they could
>>> perform the test.
>>>
>>> Ismael >> About Unpatched components and libraries (e.g. JavaScript
>>> libraries) [New! NOTE: to discuss it]:
>>> I think this could be covered inside OWASP-CM-001/OWASP-CM-002.
>>
>> Yes, I agree
>>
>>> *4.4 Authentication Testing *
>>> Failure to restrict access to authenticated resource [New!]
>>> Ismael  >> Isn't it authorization?
>>
>> No, the idea here is to verify if all the resources that need
>> authentication are accessible even if a user is not authenticated
>>
>>
>>> *4.5 Session Management Testing*
>>>
>>> 4.5.2 Testing for Cookies attributes (Cookies are set not ‘HTTP Only’,
>>> ‘Secure’, and no time validity) (OWASP-SM-002)
>>> 4.5.6 Testing for Session token not restricted properly (such as domain
>>> or path not set properly) (OWASP-SM-006)
>>> Ismael >> Couldn't these tests be covered under the same item?
>>
>> Yes, I agree. Maybe Testing for cookie attributes can test also for 4.5.6?
>>
>>>
>>> *4.6 Authorization Testing*
>>> 4.6.2 Testing for bypassing authorization schema (OWASP-AZ-002)
>>> 4.6.5 Testing for Failure to Restrict access to authorized resource
>>> (OWASP-AZ-005) [New!]
>>> Ismael >> Is 4.6.5 a test in which the tester would check for
>>> resources that were supposed to be protected and actually are not (e.g.
>>> Top Ten A8)? What's the difference between 4.6.2 and 4.6.5? Looking at
>>> the Testing Guide V3 I understand that 4.6.5 is already covered.
>>
>> We need to have this test more explicit because it is one of the Top10
>> risks. Maybe we can merge it and eliminate 4.6.2?
>>
>>
>>>
>>> *Other comments:*
>>> Aren't we covering Test for HTTP DoS? Do you guys think it isn't worth
>>> covering this kind of DoS test?
>>>
>>> Regards.
>>>
>>> Ismael Gonçalves
>>
>> No one is modifying the wiki, so I'm going to send emails to the authors
>> asking for a plan.
>>
>> Thanks!
>> Mat
>>
>>
>>> On Fri, Oct 12, 2012 at 3:26 PM, Tom A. Eston <teston at securestate.com> wrote:
>>>
>>>     Matteo,
>>>
>>>     I can write the Web Service Testing section (XML Interpreter).
>>>      However, as part of the web service testing methodology I assisted
>>>     on for Black Hat USA last year there are other items to include
>>>     besides how to exploit the areas listed in the XML Interpreter
>>>     section.  For example, I'd like to include items specific to
>>>     information gathering and web services and testing for web service
>>>     management misconfigurations (example: Axis2 or GlassFish).  These
>>>     two sections could be added to sections 4.2 and 4.3 respectively.
>>>      BPEL testing should also be added to the XML Interpreter section as
>>>     well.  Also, can we reference the section "XML Interpreter" as "Web
>>>     Services" instead?  Or could you name it "XML Interpreter (Web
>>>     Services)" for context clarification and for ease of reference?
>>>
>>>     Thanks,
>>>
>>>     Tom Eston | Manager, Profiling & Penetration Team | SecureState
>>>     216.927.8200 - office | 216.927.8266 - direct | 440.670.3798 - mobile
>>>
>>>
>>>     -----Original Message-----
>>>     From: Matteo Meucci [mailto:matteo.meucci at owasp.org]
>>>     Sent: Tuesday, October 09, 2012 11:37 AM
>>>     To: owasp-testing at lists.owasp.org
>>>     Subject: [Owasp-testing] Testing Guide v4: 2nd phase: Writing
>>>
>>>     Hi all,
>>>     I've reviewed the ToC and added a new paragraph for each new issue to
>>>     write.
>>>     https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents#4._Web_Application_Penetration_Testing
>>>
>>>     For example a new article will be like that:
>>>     https://www.owasp.org/index.php/Testing_for_HTTP_Parameter_pollution_%28OWASP-DV-004%29
>>>
>>>     Regarding the set of articles to review, I linked the v3 articles
>>>     with the idea of modifying them.
>>>     For example:
>>>     https://www.owasp.org/index.php/Testing_for_Reflected_Cross_site_scripting_%28OWASP-DV-001%29
>>>
>>>     So from now the wiki will be our draft for v4 and v3 will be
>>>     available only via PDF.
>>>
>>>     Many of you are not assigned to an article.
>>>     Please, from now on, tell me what section you would like to write. We
>>>     have to assign all the articles in the next few days.
>>>
>>>     Feedback: The ToC is 90% complete, please send me your feedback
>>>     about the new ToC and my notes in the ToC.
>>>
>>>     Now we can start writing!
>>>     Please keep me updated (I monitor all the changes on the wiki). Use
>>>     the ml for general discussion and my email for specific issues.
>>>
>>>     Thanks,
>>>     Mat
>>>
>>>
>>>     --
>>>     Matteo Meucci
>>>     OWASP Testing Guide Lead
>>>     OWASP Italy President
>>>     _______________________________________________
>>>     Owasp-testing mailing list
>>>     Owasp-testing at lists.owasp.org
>>>     https://lists.owasp.org/mailman/listinfo/owasp-testing
>>>
>>>
>>>
>>>
>>>
>>> --
>>> Ismael Gonçalves
>>
>> --
>> Matteo Meucci
>> OWASP Testing Guide Lead
>> OWASP Italy President

-- 
Matteo Meucci
OWASP Testing Guide Lead
OWASP Italy President

