[Owasp-testing] Testing Guide V4 - Start up
pavol.luptak at nethemba.com
Sat Sep 1 01:02:56 UTC 2012
On Fri, Aug 31, 2012 at 09:38:54AM +0200, Lode Vanstechelman wrote:
> Hello everyone,
> When looking at the ToC, I see that "Logout function not properly
> implemented" is mentioned under "Authentication Testing", but shouldn't
> this be mentioned under "Session Management Testing" since this
> vulnerability is about the session which is not properly destroyed on the
> Then I would also propose to add the following 2 vulnerabilities/test
> 1. Clickjacking a.k.a. "Frameable response": I would propose to add this
> in section "Configuration and Deploy Management Testing" since this
> vulnerability can be solved by adding the header "X-FRAME-OPTIONS" to
> the responses.
I would call it more generally "UI redressing attacks"; in addition to basic
clickjacking there is also "strokejacking" (introduced by Michal Zalewski),
"likejacking" (introduced by Sophos), "eventjacking"/"classjacking"...
> 2. CAPTCHA's: what are good ones and how can they be broken. I think this
> should be added in "Authentication testing"
What are good CAPTCHAs these days? :-) Using some commercial services (e.g.
http://www.deathbycaptcha.com) it is possible to crack almost all CAPTCHAs of
all big services...
Pavol Luptak, CISSP, CEH
OWASP Slovakia chapter leader
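The quoted proposal puts clickjacking under configuration testing because the fix is a response header. The check below is an added example, not code from the OWASP Testing Guide or from anyone in this thread: it classifies a response's framing protection from the X-FRAME-OPTIONS header the thread mentions and, going beyond the thread, the newer Content-Security-Policy frame-ancestors directive, flagging the legacy and malformed values a tester should look for.

```python
# Added example, not code from the OWASP Testing Guide or the thread:
# classify whether a response's headers stop it from being framed.

def _values(headers: list[tuple[str, str]], name: str) -> list[str]:
    """All values for a header name; HTTP header names are case-insensitive."""
    return [v.strip() for k, v in headers if k.lower() == name.lower()]


def _frame_ancestors(headers: list[tuple[str, str]]) -> list[list[str]]:
    """Source lists of every CSP frame-ancestors directive in the response."""
    found = []
    for policy in _values(headers, "Content-Security-Policy"):
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                found.append([t.lower() for t in tokens[1:]])
    return found


def frame_protection(headers: list[tuple[str, str]]) -> str:
    """Return 'protected', 'weak' (needs manual review) or 'unprotected'.

    Browsers that understand frame-ancestors ignore X-Frame-Options when the
    directive is present, so CSP is evaluated first. X-Frame-Options values a
    browser cannot parse are ignored, which leaves the page frameable.
    """
    for sources in _frame_ancestors(headers):
        if "*" in sources or any(
                s.startswith("http:") or s.endswith(":") for s in sources):
            return "weak"          # wildcard or scheme-only source: effectively open
    if _frame_ancestors(headers):
        return "protected"         # 'none', 'self' or an explicit origin list
    xfo = {v.upper() for v in _values(headers, "X-Frame-Options")}
    if not xfo:
        return "unprotected"       # header absent: any site may frame the page
    if len(xfo) > 1:
        return "weak"              # conflicting duplicates; behaviour varies by browser
    value = xfo.pop()
    if value in ("DENY", "SAMEORIGIN"):
        return "protected"
    if value.startswith("ALLOW-FROM"):
        return "weak"              # legacy form, never supported by Chrome or Safari
    return "unprotected"           # e.g. ALLOWALL or a typo: treated as no header
```

Feed it the header list captured from any response that renders a sensitive UI; a result other than "protected" is a finding to record.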