[Owasp-testing] Testing Guide V4 - Start up
thesp0nge at owasp.org
Mon Sep 3 06:46:11 UTC 2012
My 0.02€: if we want to produce a cutting-edge guide that will also sound
appealing to devs (and a lot of devs I know want to be introduced to
testing, at least in the basics), supporting HTML5 and all the new things
it introduced *is a must*.
Matteo, as usual count on me for reviewing.
On Mon, Sep 3, 2012 at 12:20 AM, Simone Onofri <simone.onofri at gmail.com> wrote:
> Hi Juan,
> I don't know if it could be a nice idea to add a specific section for HTML5
> testing (some issues are known vulnerabilities but in new ways, and
> others are new)... and if it is in the scope of the TG, mobile testing
> could also be handled in a similar way. I think web, HTML5 and mobile testing
> have some differences but also similarities.
> On Sat, Sep 1, 2012 at 2:31 PM, Juan Galiana <jgaliana at gmail.com> wrote:
>> Hi all,
>> It's great to see the list active again! :)
>> Section 4.11 AJAX TESTING describes Ajax-specific vulnerabilities and how to
>> test them, explaining the original XMLHttpRequest object. The point is that
>> current browsers support the new XMLHttpRequest Level 2 API, allowing users
>> to issue cross-domain requests (CORS), and that is not covered, so this needs
>> to be updated.
>> In a general sense, none of the vulnerabilities that affect HTML5-specific
>> features are covered, and we should add new sections to describe them for
>> - Web messaging testing
>> - XMLHttpRequest Level 2 (CORS) testing
>> - WebSockets
>> - Local storage/Client-side databases
>> - Offline applications
>> I can help with these sections and explain how to test for vulnerabilities
>> Cheat Sheet that covers how to implement the standard in a secure way.
>> On Sat, Sep 1, 2012 at 2:02 AM, Pavol Luptak <pavol.luptak at nethemba.com> wrote:
>>> On Fri, Aug 31, 2012 at 09:38:54AM +0200, Lode Vanstechelman wrote:
>>> > Hello everyone,
>>> > When looking at the ToC, I see that "Logout function not properly
>>> > implemented" is mentioned under "Authentication Testing", but shouldn't
>>> > this be mentioned under "Session Management Testing", since this
>>> > vulnerability is about the session which is not properly destroyed on
>>> > the server?
>>> > Then I would also propose to add the following 2 vulnerabilities/test
>>> > methods:
>>> > 1. Clickjacking a.k.a. "Frameable response": I would propose to add this
>>> > in section "Configuration and Deploy Management Testing", since this
>>> > vulnerability can be solved by adding the header "X-FRAME-OPTIONS" to
>>> > the responses.
>>> I would call it more generally "UI redressing attacks"; in addition to
>>> clickjacking there is also "strokejacking" (introduced by Michal
>>> "likejacking" (introduced by Sophos), "eventjacking"/"classjacking"..
>>> > 2. CAPTCHAs: what are good ones and how can they be broken. I think this
>>> > should be added in "Authentication testing".
>>> What are good CAPTCHAs these days? :-) Using some commercial services
>>> http://www.deathbycaptcha.com it is possible to crack almost all CAPTCHAs
>>> all big services...)...
>>> Pavol Luptak, CISSP, CEH
>>> OWASP Slovakia chapter leader
>>> Owasp-testing mailing list
>>> Owasp-testing at lists.owasp.org
"... static analysis is fun, again!"
OWASP Orizon project leader, http://github.com/thesp0nge/owasp-orizon
OWASP Esapi Ruby project leader, https://github.com/thesp0nge/owasp-esapi-ruby
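Added example, not part of the thread or of the Testing Guide: a small Node script that classifies the response headers a tester collects for the two concrete items raised above, CORS behaviour behind XMLHttpRequest Level 2 cross-domain requests and frameability via X-Frame-Options. The two "servers" (one reflecting any Origin with credentials, one with an allowlist and X-Frame-Options: DENY), the allowlist entry https://app.example and the probe origin https://attacker.example are constructed stand-ins, not real hosts.

```javascript
// Added example (not from the thread): classify CORS and X-Frame-Options
// headers the way a tester would after sending a cross-origin probe.
// Runs offline under Node; every host name below is constructed.

// Case-insensitive header lookup (HTTP header names are case-insensitive).
function headerValue(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : String(headers[key]);
}

// Classify a cross-origin response for the Origin the probe request carried.
function assessCors(requestOrigin, headers) {
  const acao = headerValue(headers, 'Access-Control-Allow-Origin');
  const creds = (headerValue(headers, 'Access-Control-Allow-Credentials') || '')
    .trim().toLowerCase() === 'true';
  if (acao === null) return 'no-cors';                 // browser blocks the read
  const allowed = acao.trim();
  if (allowed === '*') return creds ? 'wildcard-with-credentials' : 'wildcard';
  if (allowed.toLowerCase() === requestOrigin.toLowerCase()) {
    // If requestOrigin was an arbitrary probe value, reaching here means the
    // server reflects any Origin; with credentials, any site can then read
    // the victim's authenticated responses.
    return creds ? 'origin-allowed-with-credentials' : 'origin-allowed';
  }
  return 'origin-not-allowed';
}

// Classify X-Frame-Options. Values other than DENY / SAMEORIGIN / ALLOW-FROM
// are ignored by browsers, so a typo or "ALLOWALL" is as bad as no header.
function assessFraming(headers) {
  const xfo = headerValue(headers, 'X-Frame-Options');
  if (xfo === null) return 'frameable';
  const v = xfo.trim().toUpperCase();
  if (v === 'DENY' || v === 'SAMEORIGIN') return 'protected';
  if (v.startsWith('ALLOW-FROM ')) return 'allow-from'; // not honoured by every browser
  return 'invalid';
}

// Constructed stand-in for a vulnerable server: echoes whatever Origin it gets
// and sends no framing protection.
function reflectingServer(origin) {
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Constructed stand-in for the fixed server: explicit allowlist (assumed),
// no CORS headers for anyone else, and X-Frame-Options: DENY everywhere.
const ALLOWED_ORIGINS = ['https://app.example'];
function allowlistServer(origin) {
  if (!ALLOWED_ORIGINS.includes(origin)) return { 'X-Frame-Options': 'DENY' };
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',                                   // cache per Origin
    'X-Frame-Options': 'DENY',
  };
}

// Run the probe the way a tester would: send an Origin the application has
// no reason to trust and see whether the response allows it.
function runProbes() {
  const probe = 'https://attacker.example';            // constructed probe origin
  return {
    vulnerableCors: assessCors(probe, reflectingServer(probe)),
    fixedCors: assessCors(probe, allowlistServer(probe)),
    legitimateCors: assessCors('https://app.example', allowlistServer('https://app.example')),
    vulnerableFraming: assessFraming(reflectingServer(probe)),
    fixedFraming: assessFraming(allowlistServer(probe)),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(runProbes());
}
```

Against a real target the same classification is applied to the headers of an actual response to a request carrying a probe Origin; the point of the allowlist stand-in is that the legitimate origin keeps working while the probe gets no Access-Control-Allow-Origin at all.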