[Owasp-testing] Testing Guide V4 - Start up

Pavol Luptak pavol.luptak at nethemba.com
Sat Sep 1 01:02:56 UTC 2012


On Fri, Aug 31, 2012 at 09:38:54AM +0200, Lode Vanstechelman wrote:
>    Hello everyone,
>    When looking at the ToC, I see that "Logout function not properly
>    implemented" is mentioned under "Authentication Testing", but shouldn't
>    this be mentioned under "Session Management Testing" since this
>    vulnerability is about the session which is not properly destroyed on the
>    server?
>    Then I would also propose to add the following 2 vulnerabilities/test
>    methods:
>     1. Clickjacking a.k.a. "Frameable response": I would propose to add this
>        in section "Configuration and Deploy Management Testing" since this
>        vulnerability can be solved by adding the header "X-FRAME-OPTIONS" to
>        the responses.

I would call it more generally "UI redressing attacks"; in addition to basic
clickjacking there is also "strokejacking" (introduced by Michal Zalewski),
"likejacking" (introduced by Sophos), "eventjacking"/"classjacking"...

>     2. CAPTCHA's: what are good ones and how can they be broken. I think this
>        should be added in "Authentication testing"

What are good CAPTCHAs these days? :-) Using some commercial services (e.g.
http://www.deathbycaptcha.com) it is possible to crack almost all CAPTCHAs of
all big services...

Pavol
-- 
Pavol Luptak, CISSP, CEH
OWASP Slovakia chapter leader
http://www.owasp.org/index.php/Slovakia
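The "Frameable response" check proposed in the thread, as an added example that is not part of the original message or of the Testing Guide: it parses a raw HTTP response head and reports whether the anti-framing headers (X-Frame-Options, CSP frame-ancestors) actually protect the page. The sample responses are constructed for illustration.

```python
"""Detect frameable responses (clickjacking / UI redressing finding).

Added example, not from the mailing-list thread. Evaluates the anti-framing
headers of an HTTP response head: the CSP frame-ancestors directive (which
browsers honour in preference to X-Frame-Options) and X-Frame-Options itself.
"""
from typing import Dict, List, Tuple


def _parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse a raw HTTP/1.1 response head into a lower-cased header map."""
    headers: Dict[str, List[str]] = {}
    for line in raw.split("\r\n")[1:]:   # skip the status line
        if not line:                     # blank line ends the head
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def frame_protection(raw_response: str) -> Tuple[bool, str]:
    """Return (protected, reason) for one raw HTTP response head."""
    h = _parse_headers(raw_response)
    for csp in h.get("content-security-policy", []):
        for directive in csp.split(";"):
            tokens = directive.strip().split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                sources = [t.lower() for t in tokens[1:]]
                if "*" in sources:
                    return False, "CSP frame-ancestors allows any origin"
                return True, "CSP frame-ancestors " + " ".join(sources)
    xfo = [v.upper() for v in h.get("x-frame-options", [])]
    if not xfo:
        return False, "no X-Frame-Options and no frame-ancestors directive"
    if len(xfo) > 1:
        return False, "conflicting X-Frame-Options values; review manually"
    if xfo[0] in ("DENY", "SAMEORIGIN"):
        return True, "X-Frame-Options " + xfo[0]
    if xfo[0].startswith("ALLOW-FROM"):
        return False, "ALLOW-FROM is not supported by current browsers"
    return False, "unrecognised X-Frame-Options value " + repr(xfo[0])


# Constructed sample response heads (not captured from any real site).
SAMPLE_RESPONSES = {
    "no_header": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>",
    "xfo_deny": "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\n\r\n",
    "csp_self": "HTTP/1.1 200 OK\r\nContent-Security-Policy: default-src 'self'; "
                "frame-ancestors 'self'\r\n\r\n",
    "csp_wildcard": "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\n"
                    "Content-Security-Policy: frame-ancestors *\r\n\r\n",
}


def audit(responses: Dict[str, str] = SAMPLE_RESPONSES) -> Dict[str, bool]:
    """Map each sample name to True when the response is protected."""
    return {name: frame_protection(raw)[0] for name, raw in responses.items()}
```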