[Owasp-testing] Testing Guide V4 - Start up

Paolo Perego thesp0nge at owasp.org
Mon Sep 3 06:46:11 UTC 2012


My 0.02€: if we want to produce a cutting-edge guide that will also sound
appealing to devs (and a lot of devs I know want to be introduced to
testing, at least the basics), supporting HTML5 and all the news it
introduced *is a must*.

Matteo, as usual, count on me for reviewing.

Paolo

On Mon, Sep 3, 2012 at 12:20 AM, Simone Onofri <simone.onofri at gmail.com> wrote:
> hi juan,
>
> I don't know if it could be a nice idea to add a specific section for HTML5
> testing (some issues are known vulnerabilities but in new ways, and
> others are new)... and if it is in the scope of the TG, mobile testing
> can be handled in a similar way. I think web, HTML5 and mobile testing
> have some differences but also similarities.
>
> s.
>
> On Sat, Sep 1, 2012 at 2:31 PM, Juan Galiana <jgaliana at gmail.com> wrote:
>> Hi all,
>>
>> It's great to see the list active again! :)
>>
>> Section 4.11 AJAX TESTING describes Ajax-specific vulnerabilities and how to
>> test for them, explaining the original XMLHttpRequest object. The point is that
>> current browsers support the new API, XMLHttpRequest Level 2, allowing users
>> to issue cross-domain requests (CORS), and that is not covered, so this needs
>> to be updated.
>>
>> In a general sense, the vulnerabilities that affect HTML5-specific
>> features are not covered, and we should add new sections to describe them, for
>> example:
>>
>> - Web messaging testing
>> - XMLHttpRequest Level 2 (CORS) testing
>> - WebSockets
>> - Local storage/Client-side databases
>> - Offline applications
>> ...
>>
>> I can help with these sections and explain how to test for vulnerabilities
>> in these new HTML5/JavaScript APIs. That would complement the HTML5 Security
>> Cheat Sheet, which covers how to implement the standard in a secure way.
>> https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet
>>
>> On Sat, Sep 1, 2012 at 2:02 AM, Pavol Luptak <pavol.luptak at nethemba.com>
>> wrote:
>>>
>>> On Fri, Aug 31, 2012 at 09:38:54AM +0200, Lode Vanstechelman wrote:
>>> >    Hello everyone,
>>> >    When looking at the ToC, I see that "Logout function not properly
>>> >    implemented" is mentioned under "Authentication Testing", but shouldn't
>>> >    this be mentioned under "Session Management Testing", since this
>>> >    vulnerability is about the session not being properly destroyed on the
>>> >    server?
>>> >    Then I would also propose to add the following 2 vulnerabilities/test
>>> >    methods:
>>> >     1. Clickjacking a.k.a. "Frameable response": I would propose to add this
>>> >        in section "Configuration and Deploy Management Testing", since this
>>> >        vulnerability can be solved by adding the header "X-FRAME-OPTIONS" to
>>> >        the responses.
>>>
>>> I would call it more generally "UI redressing attacks": in addition to basic
>>> clickjacking there is also "strokejacking" (introduced by Michal Zalewski),
>>> "likejacking" (introduced by Sophos), "eventjacking"/"classjacking"...
>>>
>>> >     2. CAPTCHAs: what are good ones and how can they be broken. I think this
>>> >        should be added in "Authentication testing".
>>>
>>> What are good CAPTCHAs these days? :-) Using some commercial services (e.g.
>>> http://www.deathbycaptcha.com) it is possible to crack almost all CAPTCHAs
>>> of all big services...
>>>
>>> Pavol
>>> --
>>> Pavol Luptak, CISSP, CEH
>>> OWASP Slovakia chapter leader
>>> http://www.owasp.org/index.php/Slovakia
>>>
>>> _______________________________________________
>>> Owasp-testing mailing list
>>> Owasp-testing at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-testing
>>>
>>
>>
>



-- 
"... static analysis is fun, again!"

OWASP Orizon project leader, http://github.com/thesp0nge/owasp-orizon
OWASP Esapi Ruby project leader, https://github.com/thesp0nge/owasp-esapi-ruby
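Added example, not part of this thread or of the Testing Guide: two offline checks a tester can run over captured HTTP response headers, covering the framing protection (X-Frame-Options, CSP frame-ancestors) behind the clickjacking/UI redressing item Lode and Pavol discuss, and the CORS response headers of an XMLHttpRequest Level 2 cross-origin request that Juan raises. The header sets, the probe origins (attacker.example, app.example) and the severity labels are constructed for illustration and are assumptions of this example, not captured from any real site.

```javascript
// Added example: offline checks over captured response headers for two items
// raised in the thread (framing protection; CORS exposure). All sample headers
// and origins below are constructed for illustration, not taken from a real site.

// Case-insensitive header lookup over a plain object of response headers.
function headerGet(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : headers[key];
}

// Returns "protected", "weak" (header present but not enforced or too permissive)
// or "unprotected" (nothing stops another origin from framing the page).
// A CSP frame-ancestors directive takes precedence over X-Frame-Options.
function framingProtection(headers) {
  const csp = headerGet(headers, "Content-Security-Policy");
  if (csp !== null) {
    const directive = csp
      .split(";")
      .map((d) => d.trim())
      .find((d) => d.toLowerCase().startsWith("frame-ancestors"));
    if (directive !== undefined) {
      const sources = directive.split(/\s+/).slice(1).map((s) => s.toLowerCase());
      if (sources.includes("*")) return "unprotected"; // any origin may frame it
      // A bare scheme such as "https:" allows every host on that scheme.
      if (sources.some((s) => /^[a-z][a-z0-9+.-]*:$/.test(s))) return "weak";
      return "protected"; // 'none', 'self' or an explicit origin list
    }
  }
  const xfo = headerGet(headers, "X-Frame-Options");
  if (xfo === null) return "unprotected";
  const value = xfo.trim().toUpperCase();
  if (value === "DENY" || value === "SAMEORIGIN") return "protected";
  // ALLOW-FROM is obsolete and ignored by current browsers; any other value is
  // not enforced either, so the page is still frameable.
  return "weak";
}

// Classifies one response to a cross-origin request that carried
// "Origin: probeOrigin". Results, from least to most serious:
//   "none"            no Access-Control-Allow-Origin header
//   "other-origin"    some other origin is allowed, not the probe
//   "wildcard"        "*": readable cross-origin, but browsers never send
//                     credentials to a "*" response, so only public data leaks
//   "probe-allowed"   the probe origin is allowed without credentials
//   "probe-allowed-with-credentials"  the probe origin may read responses
//                     made with the victim's cookies
function corsExposure(probeOrigin, headers) {
  const acao = headerGet(headers, "Access-Control-Allow-Origin");
  if (acao === null) return "none";
  const allowed = acao.trim();
  const acac = headerGet(headers, "Access-Control-Allow-Credentials");
  const credentialed = acac !== null && acac.trim().toLowerCase() === "true";
  if (allowed === "*") return "wildcard";
  if (allowed !== probeOrigin) return "other-origin";
  return credentialed ? "probe-allowed-with-credentials" : "probe-allowed";
}

const CORS_SEVERITY = ["none", "other-origin", "wildcard", "probe-allowed", "probe-allowed-with-credentials"];

// Runs corsExposure over several probes ({origin, headers}) and returns the most
// serious result, so a reflected attacker origin or a trusted "null" origin
// (sandboxed iframe, file: page) is not hidden behind a harmless probe.
function worstCorsExposure(probes) {
  return probes
    .map((p) => corsExposure(p.origin, p.headers))
    .reduce((worst, r) => (CORS_SEVERITY.indexOf(r) > CORS_SEVERITY.indexOf(worst) ? r : worst), "none");
}

// Constructed sample responses (hypothetical hosts).
const SAMPLE_FRAMEABLE = { "Content-Type": "text/html" };
const SAMPLE_DENY = { "X-Frame-Options": "DENY" };
const SAMPLE_CSP = {
  "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
  "X-Frame-Options": "ALLOW-FROM https://partner.example",
};
const SAMPLE_CORS_PROBES = [
  { origin: "https://attacker.example",
    headers: { "Access-Control-Allow-Origin": "https://attacker.example",
               "Access-Control-Allow-Credentials": "true" } },
  { origin: "null",
    headers: { "Access-Control-Allow-Origin": "https://app.example" } },
];

console.log("framing:", framingProtection(SAMPLE_FRAMEABLE), framingProtection(SAMPLE_DENY), framingProtection(SAMPLE_CSP));
console.log("cors:", worstCorsExposure(SAMPLE_CORS_PROBES));
```

In practice the probe set for corsExposure is the Origin values a tester actually sends (an arbitrary attacker host, a subdomain or prefix of the legitimate host, and the literal string "null"); the classification here only reads the headers that came back, so it works on a proxy export as well as on live traffic.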

