[Owasp-testing] Testing Guide v4: 2nd phase: Writing

Ismael Rocha ismaelrocha.projetos at gmail.com
Wed Oct 17 11:13:44 UTC 2012


Hello Matt.

My opinion follows.

Ismael Gonçalves

On Tue, Oct 16, 2012 at 11:48 AM, Matteo Meucci <matteo.meucci at owasp.org> wrote:

> Hi Ismael,
> thank you for your notes.
>
> On 10/16/2012 04:25 PM, Ismael Rocha wrote:
> > Hello All!
> >
> > My feedback on the draft ToC follows:
> >
> > *4.3 Configuration and Deploy Management Testing *
> >
> > Ismael >> Somebody previously suggested testing for sensitive
> > information in logs.
> > Assuming that there is a test for connection strings, couldn't we also
> > check for sensitive information in logs?
> > This is the kind of test where, if we are covering only black-box tests,
> > in theory the tester would need to gain
> > access in some way before they could perform the test.
> >
> > Ismael >> About Unpatched components and libraries (e.g. JavaScript
> > libraries) [New! NOTE: to discuss it]:
> > I think this could be covered inside OWASP-CM-001/OWASP-CM-002.
>
> Yes, I agree
>
> > *4.4 Authentication Testing *
> > Failure to restrict access to authenticated resource [New!]
> > Ismael >> Isn't that authorization?
>
> No, the idea here is to verify whether the resources that require
> authentication are also accessible when a user is not authenticated
>
>
> > *4.5 Session Management Testing*
> >
> > 4.5.2 Testing for Cookies attributes (Cookies are set not ‘HTTP Only’,
> > ‘Secure’, and no time validity) (OWASP-SM-002)
> > 4.5.6 Testing for Session token not restricted properly (such as domain
> > or path not set properly) (OWASP-SM-006)
> > Ismael >> Couldn't these tests be covered under the same item?
>
> Yes, I agree. Maybe Testing for cookie attributes can test also for 4.5.6?
>
Ismael >> Yes. I think OWASP-SM-002 could cover both.

>
> >
> > *4.6 Authorization Testing*
> > 4.6.2 Testing for bypassing authorization schema (OWASP-AZ-002)
> > 4.6.5 Testing for Failure to Restrict access to authorized resource
> > (OWASP-AZ-005) [New!]
> > Ismael >> Is 4.6.5 a test in which the tester would check for
> > resources that were supposed to be protected and actually are not (e.g.
> > Top Ten A8)? What's the difference between 4.6.2 and 4.6.5? Looking at
> > the Testing Guide V3, I understand 4.6.5 is already covered.
>
> We need to make this test more explicit because it is one of the Top 10
> risks. Maybe we can merge it and eliminate 4.6.2?
>


Ismael >> Yes, I think we should merge it. I already made the
cross-reference between the Top 10 and the Testing Guide in the Top Ten Cheat
Sheets, and I refer to this item as OWASP-AZ-002. Maybe we can add a
cross-reference in the Appendix.
>
> >
> > *Other comments:*
> > Aren't we covering testing for HTTP DoS? Do you think it isn't worth
> > covering this kind of DoS test?
> >
> > Regards.
> >
> > Ismael Gonçalves
>
> No one is modifying the wiki, so I'm going to send emails to the authors
> asking for a plan.
>
> Thanks!
> Mat
>
>
> > On Fri, Oct 12, 2012 at 3:26 PM, Tom A. Eston <teston at securestate.com> wrote:
> >
> >     Matteo,
> >
> >     I can write the Web Service Testing section (XML Interpreter).
> >     However, as part of the web service testing methodology I assisted
> >     on for Black Hat USA last year, there are other items to include
> >     besides how to exploit the areas listed in the XML Interpreter
> >     section. For example, I'd like to include items specific to
> >     information gathering for web services and testing for web service
> >     management misconfigurations (example: Axis2 or GlassFish). These
> >     two sections could be added to sections 4.2 and 4.3 respectively.
> >     BPEL testing should also be added to the XML Interpreter section as
> >     well. Also, can we reference the section "XML Interpreter" as "Web
> >     Services" instead? Or could you name it "XML Interpreter (Web
> >     Services)" for context clarification and for ease of reference?
> >
> >     Thanks,
> >
> >     Tom Eston | Manager, Profiling & Penetration Team | SecureState
> >     216.927.8200 - office | 216.927.8266 - direct | 440.670.3798 - mobile
> >
> >
> >     -----Original Message-----
> >     From: Matteo Meucci [mailto:matteo.meucci at owasp.org]
> >     Sent: Tuesday, October 09, 2012 11:37 AM
> >     To: owasp-testing at lists.owasp.org
> >     Subject: [Owasp-testing] Testing Guide v4: 2nd phase: Writing
> >
> >     Hi all,
> >     I've reviewed the ToC and added a new paragraph for each new issue to
> >     write.
> >
> https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents#4._Web_Application_Penetration_Testing
> >
> >     For example, a new article will look like this:
> >
> https://www.owasp.org/index.php/Testing_for_HTTP_Parameter_pollution_%28OWASP-DV-004%29
> >
> >     Regarding the set of articles to review, I linked the v3 articles
> >     with the idea of modifying them.
> >     For example:
> >
> https://www.owasp.org/index.php/Testing_for_Reflected_Cross_site_scripting_%28OWASP-DV-001%29
> >
> >     So from now the wiki will be our draft for v4 and v3 will be
> >     available only via PDF.
> >
> >     Many of you are not assigned to an article.
> >     Please, from now on, tell me which section you would like to write. We
> >     have to assign all the articles in the next few days.
> >
> >     Feedback: the ToC is 90% complete; please send me your feedback
> >     about the new ToC and my notes in the ToC.
> >
> >     Now we can start writing!
> >     Please keep me updated (I monitor all the changes on the wiki). Use
> >     the ML for general discussion and my email for specific issues.
> >
> >     Thanks,
> >     Mat
> >
> >
> >     --
> >     Matteo Meucci
> >     OWASP Testing Guide Lead
> >     OWASP Italy President
> >     _______________________________________________
> >     Owasp-testing mailing list
> >     Owasp-testing at lists.owasp.org
> >     https://lists.owasp.org/mailman/listinfo/owasp-testing
> >
> >
> > --
> > Ismael Gonçalves
>
> --
> Matteo Meucci
> OWASP Testing Guide Lead
> OWASP Italy President
>



-- 
Ismael Gonçalves
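The cookie checks that a merged OWASP-SM-002/OWASP-SM-006 article would describe (HttpOnly, Secure, time validity via Expires/Max-Age, and Domain/Path scope), written out as an added example; this is not code from the thread or from the Testing Guide. It is Python. The Set-Cookie headers, the request host, the application path and the audit time are constructed for illustration, and the list of session cookie names and the one-day persistence threshold are assumptions of the example, not part of the guide.

```python
"""Audit Set-Cookie headers for HttpOnly, Secure, time validity, Domain and Path.

Added example, not code from the OWASP Testing Guide. The headers, host,
application path and audit time below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional, Tuple

# Assumption of this example: cookie names (lower-cased) that carry the session token.
DEFAULT_SESSION_NAMES = ("jsessionid", "phpsessid", "asp.net_sessionid", "sid", "session")

# Constructed audit time so the Expires arithmetic is deterministic.
AUDIT_TIME = datetime(2012, 10, 17, 11, 13, 44, tzinfo=timezone.utc)

# Constructed sample headers, as a tester might capture them from one response.
SAMPLE_HEADERS = [
    "JSESSIONID=8A2F7C1E; Path=/",                                       # bare session cookie
    "JSESSIONID=8A2F7C1E; Path=/shop; Secure; HttpOnly; Max-Age=1800",  # hardened form
    "remember=abc123; Domain=.example.com; Path=/; "
    "Expires=Wed, 17 Oct 2013 11:13:44 GMT; Secure",                    # year-long, domain-wide
]


@dataclass
class CookieAudit:
    name: str
    attrs: Dict[str, str]
    issues: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split one Set-Cookie value into (name, value, {attribute_lowercase: value}).
    Flag attributes such as Secure map to an empty string."""
    pieces = [p.strip() for p in header.split(";") if p.strip()]
    if not pieces:
        raise ValueError("empty Set-Cookie header")
    name, _, value = pieces[0].partition("=")
    attrs: Dict[str, str] = {}
    for piece in pieces[1:]:
        key, _, val = piece.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def domain_covers(cookie_domain: str, host: str) -> bool:
    """RFC 6265 domain-match: host equals the Domain value or is a subdomain of it."""
    d = cookie_domain.lstrip(".").lower()
    h = host.lower()
    return h == d or h.endswith("." + d)


def cookie_lifetime(attrs: Dict[str, str], now: datetime) -> Optional[timedelta]:
    """Lifetime from Max-Age (which wins over Expires per RFC 6265) or Expires; None if neither parses."""
    if "max-age" in attrs:
        try:
            return timedelta(seconds=int(attrs["max-age"]))
        except ValueError:
            return None
    if "expires" in attrs:
        try:
            return parsedate_to_datetime(attrs["expires"]) - now
        except (TypeError, ValueError):
            return None
    return None


def audit_set_cookie(header: str, request_host: str, app_path: str = "/",
                     over_https: bool = True, session_names=DEFAULT_SESSION_NAMES,
                     max_session_lifetime: timedelta = timedelta(days=1),
                     now: Optional[datetime] = None) -> CookieAudit:
    """Run the SM-002 / SM-006 attribute checks on one Set-Cookie header."""
    now = now or datetime.now(timezone.utc)
    name, _value, attrs = parse_set_cookie(header)
    audit = CookieAudit(name, attrs)
    is_session = name.lower() in session_names

    if "httponly" not in attrs:
        audit.issues.append("HttpOnly flag missing: cookie readable from script")
    if over_https and "secure" not in attrs:
        audit.issues.append("Secure flag missing: cookie also sent over cleartext HTTP")

    lifetime = cookie_lifetime(attrs, now)
    if lifetime is None:
        audit.issues.append("no time validity: Expires/Max-Age absent, lifetime relies on server-side timeout")
    elif is_session and lifetime > max_session_lifetime:
        audit.issues.append(f"session token persisted for {lifetime.days} days")

    domain = attrs.get("domain")
    if domain is not None:
        if not domain_covers(domain, request_host):
            audit.issues.append(f"Domain={domain} does not match {request_host}; browsers reject the cookie")
        elif domain.lstrip(".").lower() != request_host.lower():
            audit.issues.append(f"Domain={domain} shares the cookie with every subdomain of {domain.lstrip('.')}")

    path = attrs.get("path")
    if path is not None:
        norm_app = app_path.rstrip("/") or "/"
        norm_path = path.rstrip("/") or "/"
        if norm_path == norm_app:
            pass
        elif norm_path == "/" or norm_app.startswith(norm_path + "/"):
            audit.issues.append(f"Path={path} is broader than the application path {norm_app}")
        else:
            audit.issues.append(f"Path={path} does not cover the application path {norm_app}")
    return audit


def audit_headers(headers, request_host: str, **kwargs) -> List[CookieAudit]:
    """Audit every Set-Cookie header of a response with the same host/path context."""
    return [audit_set_cookie(h, request_host, **kwargs) for h in headers]


if __name__ == "__main__":
    for result in audit_headers(SAMPLE_HEADERS, "shop.example.com", app_path="/shop", now=AUDIT_TIME):
        print(f"{result.name}: {'OK' if not result.issues else ''}")
        for issue in result.issues:
            print("  -", issue)
```

Run against the three constructed headers for an application living under /shop on shop.example.com, the bare session cookie draws four findings (no HttpOnly, no Secure, no time validity, Path=/ broader than /shop), the hardened one draws none, and the remember-me cookie is flagged for the missing HttpOnly flag and for its Domain and Path scope; a missing Domain attribute is deliberately not reported, because the browser then treats the cookie as host-only, which is the tighter default.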