[Owasp-testing] Testing Guide V4 - Start up

Juan Galiana jgaliana at gmail.com
Sat Sep 1 12:31:42 UTC 2012


Hi all,

It's great to see the list active again! :)

Section 4.11 AJAX TESTING describes Ajax-specific vulnerabilities and how
to test them, explaining the original XMLHttpRequest object. The point is
that current browsers support the new API XMLHttpRequest Level 2, allowing
users to issue cross-domain requests (CORS), and that is not covered, so
this needs to be updated.

In a general sense, none of the vulnerabilities that affect HTML5-specific
features are covered, and we should add new sections to describe them,
for example:

- Web messaging testing
- XMLHttpRequest Level 2 (CORS) testing
- WebSockets
- Local storage/Client-side databases
- Offline applications
...

I can help with these sections and explain how to test for vulnerabilities
in these new HTML5/JavaScript APIs. That would complement the HTML5 Security
Cheat Sheet, which covers how to implement the standard in a secure way.
https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet

On Sat, Sep 1, 2012 at 2:02 AM, Pavol Luptak <pavol.luptak at nethemba.com> wrote:

> On Fri, Aug 31, 2012 at 09:38:54AM +0200, Lode Vanstechelman wrote:
> >    Hello everyone,
> >    When looking at the ToC, I see that "Logout function not properly
> >    implemented" is mentioned under "Authentication Testing", but shouldn't
> >    this be mentioned under "Session Management Testing" since this
> >    vulnerability is about the session which is not properly destroyed on
> >    the server?
> >    Then I would also propose to add the following 2 vulnerabilities/test
> >    methods:
> >     1. Clickjacking a.k.a. "Frameable response": I would propose to add
> >        this in section "Configuration and Deploy Management Testing" since
> >        this vulnerability can be solved by adding the header
> >        "X-FRAME-OPTIONS" to the responses.
>
> I would call it more generally "UI redressing attacks": in addition to
> basic clickjacking there is also "strokejacking" (introduced by Michal
> Zalewski), "likejacking" (introduced by Sophos), "eventjacking"/"classjacking"...
>
> >     2. CAPTCHAs: what are good ones and how can they be broken. I think
> >        this should be added in "Authentication testing"
>
> What are good CAPTCHAs these days? :-) Using some commercial services
> (e.g. http://www.deathbycaptcha.com) it is possible to crack almost all
> CAPTCHAs of all big services...
>
> Pavol
> --
> Pavol Luptak, CISSP, CEH
> OWASP Slovakia chapter leader
> http://www.owasp.org/index.php/Slovakia
>
> _______________________________________________
> Owasp-testing mailing list
> Owasp-testing at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-testing
>
>