[Owasp-testing] Testing Guide V4 - Start up

Juan Galiana Lara jgaliana at owasp.org
Tue Sep 4 19:56:54 UTC 2012


+1!

I think that is really important to cover.

I've seen a new "Testing for Data Encryption (New!)" under the data
validation section, but I would rather consider having a main section for
"Cryptography" at the same level as authentication, authorization, data
validation and so on.

Cryptography is one of the most important topics in security and there have
been quite significant crypto vulnerabilities applied to webapps, like the
padding oracle attack technique that was applied to decrypt HTTP cookies in
several frameworks like ASP.NET, RoR and JSF two years back. Or the one
Eduardo mentioned, extension attacks due to improper use, or lack of use, of HMAC
algorithms, which is quite common.

Actually, there are already a few sections under DV in the new table of
contents that would fit in that section:

Testing for Data Encryption (New!) <https://www.owasp.org/index.php?title=Testing_for_Data_Encryption_(New!)&action=edit&redlink=1>

Application did not use encryption
Weak SSL/TLS Ciphers

Insufficient Transport Layer Protection

Insecure Cryptographic Storage [mainly CR Guide]


Thoughts?

--
Juan Galiana
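As an added illustration of the HMAC point raised above (this is example code written for this page, not code from the thread or from the Testing Guide): a token built as sha1(secret || message) can be extended by an attacker who never learns the secret, because the tag is the hash's internal state and SHA-1 pads and chains blocks. hashlib cannot be resumed from an arbitrary state, so a small resumable SHA-1 is written out here and cross-checked against hashlib. The SECRET value, the `user=...&role=...` token format and the two verify oracles are constructed for the demo; the attacker side assumes only a verify oracle and brute-forces the secret length.

```python
"""Hash length extension against a naive sha1(secret || message) token,
beside an HMAC-SHA1 token that resists it.  Added example, not code from
the OTG thread; SECRET, the token format and the verify oracles are
constructed here."""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF
SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def sha1_pad(msg_len):
    """Merkle-Damgard padding that SHA-1 appends to a msg_len-byte message."""
    zeros = (55 - msg_len) % 64
    return b"\x80" + b"\x00" * zeros + struct.pack(">Q", msg_len * 8)


def sha1_from_state(data, state, prior_len):
    """SHA-1 over `data`, resuming from `state` as if `prior_len` bytes
    (a multiple of 64) were already absorbed.  With state=SHA1_IV and
    prior_len=0 this is ordinary SHA-1."""
    h = list(state)
    buf = data + sha1_pad(prior_len + len(data))
    for off in range(0, len(buf), 64):
        w = list(struct.unpack(">16I", buf[off:off + 64]))
        for i in range(16, 80):
            w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
        a, b, c, d, e = h
        for i in range(80):
            if i < 20:
                f, k = (b & c) | (~b & d), 0x5A827999
            elif i < 40:
                f, k = b ^ c ^ d, 0x6ED9EBA1
            elif i < 60:
                f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
            else:
                f, k = b ^ c ^ d, 0xCA62C1D6
            a, b, c, d, e = (_rotl(a, 5) + f + e + k + w[i]) & MASK, a, _rotl(b, 30), c, d
        h = [(x + y) & MASK for x, y in zip(h, (a, b, c, d, e))]
    return struct.pack(">5I", *h)


def sha1_matches_hashlib(data):
    """Sanity check: the resumable SHA-1 agrees with hashlib on plain input."""
    return sha1_from_state(data, SHA1_IV, 0) == hashlib.sha1(data).digest()


# --- server side (constructed for the demo) --------------------------------
SECRET = b"s3cr3t-server-key"          # constructed; the attacker never sees it

def naive_tag(message):
    """Vulnerable construction: H(secret || message)."""
    return hashlib.sha1(SECRET + message).digest()

def naive_verify(message, tag):
    return hmac.compare_digest(naive_tag(message), tag)

def hmac_tag(message):
    """Correct construction: HMAC-SHA1 keyed with the secret."""
    return hmac.new(SECRET, message, hashlib.sha1).digest()

def hmac_verify(message, tag):
    return hmac.compare_digest(hmac_tag(message), tag)


# --- attacker side ----------------------------------------------------------
def extend(message, tag, suffix, secret_len):
    """From tag = H(secret||message) and a guess at len(secret), forge the tag
    of message || glue || suffix without knowing the secret."""
    glue = sha1_pad(secret_len + len(message))   # padding the server's hash absorbed
    state = struct.unpack(">5I", tag)            # the tag *is* the chaining state
    absorbed = secret_len + len(message) + len(glue)
    return message + glue + suffix, sha1_from_state(suffix, state, absorbed)

def forge(message, tag, suffix, verify, max_secret_len=64):
    """Unknown secret length: try each guess against the verify oracle."""
    for n in range(1, max_secret_len + 1):
        forged_msg, forged_tag = extend(message, tag, suffix, n)
        if verify(forged_msg, forged_tag):
            return n, forged_msg, forged_tag
    return None

def demo():
    message = b"user=guest&role=user"
    naive = forge(message, naive_tag(message), b"&role=admin", naive_verify)
    with_hmac = forge(message, hmac_tag(message), b"&role=admin", hmac_verify)
    return {
        "naive_forged": naive is not None,
        "guessed_secret_len": naive[0] if naive else None,
        "forged_message": naive[1] if naive else None,
        "hmac_forged": with_hmac is not None,
    }
```

Two practical caveats: the forged message necessarily carries the glue padding (an 0x80 byte, a run of NULs and a big-endian length), so the attack only pays off when the server's parser tolerates those bytes and lets the appended `&role=admin` override the earlier value; and the same extension applied to the HMAC-SHA1 tag fails for every guessed secret length, which is the "proper use of HMAC" check the thread is asking the guide to cover.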

On Tue, Sep 4, 2012 at 3:58 AM, Eduardo Castellanos <guayin at gmail.com> wrote:

> Hello,
>
> What about a section for cryptographic attacks? Bad use of crypto
> functions in general. (Hash Length Extension, etc.) or would that be
> outside the scope of the guide?
>
> Related links:
>
>
>    - https://blog.whitehatsec.com/hash-length-extension-attacks/
>    - https://www.owasp.org/index.php/Category:Cryptographic_Vulnerability
>    -
>    http://blogs.msdn.com/b/ace_team/archive/2008/11/13/vulnerabilities-due-to-improper-use-of-crypto-part-1.aspx
>
>
> Eduardo Castellanos N.
>
>
>
> On Mon, Sep 3, 2012 at 8:01 PM, Robert Winkel <robert.winkel at saltbushgroup.com> wrote:
>
>> I have taken the liberty of assigning myself against several of the
>> Authentication Testing test cases. I am happy to hand those over if someone
>> is interested in being assigned to those instead.
>>
>> What happened to the Denial of Service test cases?
>>
>> Is there a template to adhere to when the writing stage begins?
>>
>> _______________________________________
>> Robert “Bull” Winkel
>> Director Saltbush Assurance
>> email: robert.winkel at saltbushgroup.com
>> http://www.linkedin.com/in/robertwinkel
>>
>>
>> -----Original Message-----
>> From: owasp-testing-bounces at lists.owasp.org
>> [mailto:owasp-testing-bounces at lists.owasp.org] On Behalf Of Matteo Meucci
>> Sent: Friday, 31 August 2012 1:40 AM
>> To: owasp-testing at lists.owasp.org
>> Subject: [Owasp-testing] Testing Guide V4 - Start up
>>
>> Hi all Testing Guide contributors.
>>
>> Testing Guide v4 has been approved as Projects Reboot 2012!
>> https://www.owasp.org/index.php/Projects_Reboot_2012
>>
>> Here is the list of contributors I've collected:
>>
>> Pavol Luptak
>> Marco Morana
>> Giorgio Fedon
>> Stefano Di Paola
>> Gianrico Ingrosso
>> Giuseppe Bonfà
>> Roberto Suggi Liverani
>> Robert Smith
>> Andrew Muller
>> Robert Winkel
>> tripurari rai
>> Thomas Ryan
>> tim bertels
>> Cecil Su
>> Aung KhAnt
>> Norbert Szetei
>> michael.boman
>> Wagner Elias
>> Kevin Horvat
>> Juan Galiana Lara
>> Kenan Gursoy
>> Jason Flood
>> Javier Marcos de Prado
>> Sumit Siddharth
>> Mike Hryekewicz
>> psiinon
>> Ray Schippers
>> Raul Siles
>> Jayanta Karmakar
>> Brad Causey
>> Vicente Aguilera
>> Ismael Gonçalves
>>
>> Reviewers team:
>>
>> Paolo Perego
>> Daniel Cuthbert
>> Matthew Churcher
>> Lode Vanstechelman
>> Sebastien Gioria
>>
>>
>> Introduction and Project purpose for v4:
>> ========================================
>> The OWASP Testing Guide v3 includes a "best practice" penetration testing
>> framework which users can implement in their own organizations and a "low
>> level" penetration testing guide that describes techniques for testing the
>> most common web application and web service security issues. Nowadays the
>> Testing Guide has become the standard to perform a Web Application
>> Penetration Test and many companies all around the world have adopted it.
>> It is vital for the project to maintain an updated project that represents
>> the state of the art for WebAppSec.
>>
>> Project Roadmap
>> =============
>>
>> - (1) 1st phase: Brainstorming and create a new table of contents
>>
>> Objective: creating a new table of contents of the OTGv4 assigning a task
>> for each contributor.
>> I created a new OWASP Testing Guide v4 table of Contents here:
>> https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
>>
>> - (2) 2nd phase: Writing
>>
>> - 20th September 2012: Start writing the articles
>> - 1st November 2012: 1st Draft
>> - 30th November 2012: End of writing phase
>>
>> - (3) 3rd phase: Reviewing
>>
>> - 1st December 2012: Starting the review phase,
>> - 15th December 2012: Create the RC1,
>> - 31st January 2013: Release the version 4.
>>
>> Timeline November 2012 1st Draft, January 2013 Final Release
>>
>> So, let's start discussion about phase (1)!
>>
>> Thanks!
>> Mat
>>
>> --
>> Matteo Meucci
>> OWASP Testing Guide Lead
>> OWASP-Italy President
>>
>>
>> _______________________________________________
>> Owasp-testing mailing list
>> Owasp-testing at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-testing
>>
>
>
>