[Owasp-testing] Testing Guide V4 - Start up

Simone Onofri simone.onofri at gmail.com
Sun Sep 2 22:20:11 UTC 2012


Hi Juan,

I don't know if it could be a nice idea to add a specific section for HTML5
testing (some issues are known vulnerabilities but in new ways, and
others are new)... and if it is in the scope of the TG, mobile testing
can be handled in a similar way. I think web, HTML5 and mobile testing
have some differences but also similarities.

s.

On Sat, Sep 1, 2012 at 2:31 PM, Juan Galiana <jgaliana at gmail.com> wrote:
> Hi all,
>
> It's great to see the list active again! :)
>
> Section 4.11 AJAX TESTING describes Ajax-specific vulnerabilities and how to
> test them, explaining the original XMLHttpRequest object. The point is that
> current browsers support the new API XMLHttpRequest Level 2, allowing users
> to issue cross-domain requests (CORS), and that is not covered, so this needs
> to be updated.
>
> In a general sense, none of the vulnerabilities that affect HTML5-specific
> features are covered, and we should add new sections to describe them, for
> example:
>
> - Web messaging testing
> - XMLHttpRequest Level 2 (CORS) testing
> - WebSockets
> - Local storage/Client-side databases
> - Offline applications
> ...
>
> I can help with these sections and explain how to test for vulnerabilities
> in these new HTML5/JavaScript APIs. That would complement the HTML5 Security
> Cheat Sheet, which covers how to implement the standard in a secure way.
> https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet
>
> On Sat, Sep 1, 2012 at 2:02 AM, Pavol Luptak <pavol.luptak at nethemba.com>
> wrote:
>>
>> On Fri, Aug 31, 2012 at 09:38:54AM +0200, Lode Vanstechelman wrote:
>> >    Hello everyone,
>> >    When looking at the ToC, I see that "Logout function not properly
>> >    implemented" is mentioned under "Authentication Testing", but shouldn't
>> >    this be mentioned under "Session Management Testing", since this
>> >    vulnerability is about the session not being properly destroyed on
>> >    the server?
>> >    Then I would also propose to add the following 2 vulnerabilities/test
>> >    methods:
>> >     1. Clickjacking a.k.a. "Frameable response": I would propose to add
>> >        this in section "Configuration and Deploy Management Testing", since
>> >        this vulnerability can be solved by adding the header
>> >        "X-FRAME-OPTIONS" to the responses.
>>
>> I would call it more generally "UI redressing attacks": in addition to basic
>> clickjacking there is also "strokejacking" (introduced by Michal Zalewski),
>> "likejacking" (introduced by Sophos), "eventjacking"/"classjacking"...
>>
>> >     2. CAPTCHAs: what are good ones and how can they be broken. I think
>> >        this should be added in "Authentication testing".
>>
>> What are good CAPTCHAs these days? :-) Using some commercial services (e.g.
>> http://www.deathbycaptcha.com) it is possible to crack almost all CAPTCHAs
>> of all big services...
>>
>> Pavol
>> --
>> Pavol Luptak, CISSP, CEH
>> OWASP Slovakia chapter leader
>> http://www.owasp.org/index.php/Slovakia
>>
>> _______________________________________________
>> Owasp-testing mailing list
>> Owasp-testing at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-testing
>>
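An added illustration of the two header checks the thread proposes (X-Frame-Options for UI redressing, and how a server answers a cross-origin XMLHttpRequest Level 2 request); this is not code from the thread or the Testing Guide. The `probeOrigin` value and the sample responses are constructed, and header names are normalised to lower case as `fetch()`'s `Headers` object would report them.

```javascript
// Added example, not from the thread or the Testing Guide: audit the response
// headers a tester records for UI redressing (X-Frame-Options) and CORS.
// `probeOrigin` is the Origin the tester sent and does NOT expect the server
// to trust; a reflection of it is therefore a finding.
function auditHeaders(probeOrigin, headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();
  const findings = [];

  // UI redressing / clickjacking: the fix proposed in the thread is X-Frame-Options.
  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (!xfo) {
    findings.push({ id: 'XFO_MISSING', detail: 'no X-Frame-Options: response can be framed' });
  } else if (xfo !== 'DENY' && xfo !== 'SAMEORIGIN' && !xfo.startsWith('ALLOW-FROM ')) {
    findings.push({ id: 'XFO_INVALID', detail: `unrecognised value "${xfo}"; browsers ignore it` });
  }

  // CORS: how the server answered a cross-origin request from probeOrigin.
  const acao = h['access-control-allow-origin'];
  const creds = (h['access-control-allow-credentials'] || '').toLowerCase() === 'true';
  if (acao === undefined) return findings; // no CORS headers at all: nothing to report
  if (acao === '*' && creds) {
    findings.push({ id: 'CORS_WILDCARD_CREDENTIALS',
      detail: 'ACAO "*" with credentials; browsers reject it, but it shows intent to allow any origin' });
  } else if (acao === probeOrigin && creds) {
    findings.push({ id: 'CORS_ORIGIN_REFLECTED',
      detail: `untrusted origin ${probeOrigin} echoed in ACAO with credentials` });
  } else if (acao === probeOrigin) {
    findings.push({ id: 'CORS_ORIGIN_REFLECTED_NOCREDS',
      detail: `untrusted origin ${probeOrigin} echoed in ACAO (responses readable cross-origin)` });
  }
  if (acao === 'null') {
    findings.push({ id: 'CORS_NULL_ORIGIN', detail: 'ACAO "null" matches sandboxed/opaque origins' });
  }
  return findings;
}

// Constructed sample responses (not captured from any real host).
const SAMPLE = {
  hardened: { 'X-Frame-Options': 'DENY', 'Access-Control-Allow-Origin': 'https://app.example' },
  reflecting: { 'Access-Control-Allow-Origin': 'https://probe.example',
                'Access-Control-Allow-Credentials': 'true' },
};
```

Running `auditHeaders('https://probe.example', SAMPLE.reflecting)` reports both the missing frame protection and the reflected origin, while `SAMPLE.hardened` yields no findings.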

