[Owasp-testing] Testing Guide V4 - Start up

Simone Onofri simone.onofri at gmail.com
Tue Sep 4 20:42:00 UTC 2012


hi all,

I see the question is whether "data encryption" covers both transmission and storage.

Historically the two issues have been kept separate. To brainstorm some items, also
using the web application security testing checklist [1]:

 - not used when necessary (e.g. for credential transportation or storage)
 - algorithms
   - weak/homebrew (e.g. on SSL, or when developers use weak algorithms to protect data)
   - wrong context (e.g. symmetric encryption for password storage)
   - improper usage (e.g. hashing without salting, KDF with too few iterations)
 - keys and secrets
   - weak/short/guessable (e.g. also on ssl)
 - entropy issues
   - weak random generators
   - ...

ideas?

s.


[1] https://www.owasp.org/index.php/Web_Application_Security_Testing_Cheat_Sheet
On Tue, Sep 4, 2012 at 9:56 PM, Juan Galiana Lara <jgaliana at owasp.org> wrote:
> +1!
>
> I think that is really important to cover.
>
> I've seen a new "Testing for Data Encryption (New!)" under the data
> validation section, but I would rather consider having a main section for
> "Cryptography" at the same level as authentication, authorization, data
> validation and so on.
>
> Cryptography is one of the most important topics in security and there have
> been quite significant crypto vulnerabilities applied to webapps, like the
> padding oracle attack technique that was applied to decrypt HTTP cookies in
> several frameworks like ASP.NET, ROR and JSF two years back. Or the one
> Eduardo mentioned, extension attacks due to improper use or lack of use of HMAC
> algorithms, which is quite common.
>
> Actually, there are already a few sections under DV in the new table of
> contents that would fit in that section:
>
> Testing for Data Encryption (New!)
>
> Application did not use encryption
> Weak SSL/TLS Ciphers
>
> Insufficient Transport Layer Protection
>
> Insecure Cryptographic Storage [mainly CR Guide]
>
>
> Thoughts?
>
>
> --
> Juan Galiana
>
>
> On Tue, Sep 4, 2012 at 3:58 AM, Eduardo Castellanos <guayin at gmail.com>
> wrote:
>>
>> Hello,
>>
>> What about a section for cryptographic attacks? Bad use of crypto
>> functions in general. (Hash Length Extension, etc.) or would that be outside
>> the scope of the guide?
>>
>> Related links:
>>
>> https://blog.whitehatsec.com/hash-length-extension-attacks/
>> https://www.owasp.org/index.php/Category:Cryptographic_Vulnerability
>>
>> http://blogs.msdn.com/b/ace_team/archive/2008/11/13/vulnerabilities-due-to-improper-use-of-crypto-part-1.aspx
>>
>>
>> Eduardo Castellanos N.
>>
>>
>>
>> On Mon, Sep 3, 2012 at 8:01 PM, Robert Winkel
>> <robert.winkel at saltbushgroup.com> wrote:
>>>
>>> I have taken the liberty of assigning myself against several of the
>>> Authentication Testing test cases.  I am happy to hand those over if
>>> someone is interested in being assigned to those instead.
>>>
>>> What happened to the Denial of Service test cases?
>>>
>>> Is there a template to adhere to when the writing stage begins?
>>>
>>> _______________________________________
>>> Robert “Bull” Winkel
>>> Director Saltbush Assurance
>>> email: robert.winkel at saltbushgroup.com
>>> http://www.linkedin.com/in/robertwinkel
>>>
>>>
>>> -----Original Message-----
>>> From: owasp-testing-bounces at lists.owasp.org
>>> [mailto:owasp-testing-bounces at lists.owasp.org] On Behalf Of Matteo Meucci
>>> Sent: Friday, 31 August 2012 1:40 AM
>>> To: owasp-testing at lists.owasp.org
>>> Subject: [Owasp-testing] Testing Guide V4 - Start up
>>>
>>> Hi all Testing Guide contributors.
>>>
>>> Testing Guide v4 has been approved as Projects Reboot 2012!
>>> https://www.owasp.org/index.php/Projects_Reboot_2012
>>>
>>> Here is the list of contributors I've collected:
>>>
>>> Pavol Luptak
>>> Marco Morana
>>> Giorgio Fedon
>>> Stefano Di Paola
>>> Gianrico Ingrosso
>>> Giuseppe Bonfà
>>> Roberto Suggi Liverani
>>> Robert Smith
>>> Andrew Muller
>>> Robert Winkel
>>> tripurari rai
>>> Thomas Ryan
>>> tim bertels
>>> Cecil Su
>>> Aung KhAnt
>>> Norbert Szetei
>>> michael.boman
>>> Wagner Elias
>>> Kevin Horvat
>>> Juan Galiana Lara
>>> Kenan Gursoy
>>> Jason Flood
>>> Javier Marcos de Prado
>>> Sumit Siddharth
>>> Mike Hryekewicz
>>> psiinon
>>> Ray Schippers
>>> Raul Siles
>>> Jayanta Karmakar
>>> Brad Causey
>>> Vicente Aguilera
>>> Ismael Gonçalves
>>>
>>> Reviewers team:
>>>
>>> Paolo Perego
>>> Daniel Cuthbert
>>> Matthew Churcher
>>> Lode Vanstechelman
>>> Sebastien Gioria
>>>
>>>
>>> Introduction and Project purpose for v4:
>>> =========================================
>>> The OWASP Testing Guide v3 includes a "best practice" penetration testing
>>> framework which users can implement in their own organizations and a "low
>>> level" penetration testing guide that describes techniques for testing the
>>> most common web application and web service security issues. Nowadays the
>>> Testing Guide has become the standard for performing a Web Application
>>> Penetration Test, and many companies all around the world have adopted it.
>>> It is vital for the project to maintain an updated project that represents
>>> the state of the art for WebAppSec.
>>>
>>> Project Roadmap
>>> =============
>>>
>>> - (1) 1st phase: Brainstorming and create a new table of contents
>>>
>>> Objective: create a new table of contents for the OTGv4, assigning a task
>>> to each contributor.
>>> I created a new OWASP Testing Guide v4 table of Contents here:
>>> https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
>>>
>>> - (2) 2nd phase: Writing
>>>
>>> - 20th September 2012: Start writing the articles,
>>> - 1st November 2012: 1st Draft,
>>> - 30th November 2012: end of writing phase.
>>>
>>> - (3) 3rd phase: Reviewing
>>>
>>> - 1st December 2012: Starting the review phase,
>>> - 15th December 2012: Create the RC1,
>>> - 31st January 2013: Release the version 4.
>>>
>>> Timeline: November 2012 1st Draft, January 2013 Final Release
>>>
>>> So, let's start discussion about phase (1)!
>>>
>>> Thanks!
>>> Mat
>>>
>>> --
>>> Matteo Meucci
>>> OWASP Testing Guide Lead
>>> OWASP-Italy President
>>>
>>>
>>> _______________________________________________
>>> Owasp-testing mailing list
>>> Owasp-testing at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-testing
>>>
>>
>>
>>
>>
>
>
>
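The "improper usage" items in Simone's list above (hashing without salting, a KDF with too few iterations), as an added example that is not part of this thread or of the Testing Guide: the weak password-storage pattern beside a hardened one, plus the black-box check a tester can run against a registration function. The `store_*` functions, the 16-byte salt floor and the iteration threshold are assumptions made for this example.

```python
import hashlib
import hmac
import os

# Assumed review threshold for this example; pick one that matches your policy.
MIN_PBKDF2_ITERATIONS = 100_000


def store_unsalted(password: str) -> bytes:
    """Weak pattern: bare hash, no salt, no work factor (what the list flags)."""
    return hashlib.sha256(password.encode()).digest()


def store_pbkdf2(password: str, iterations: int = 310_000) -> dict:
    """Hardened pattern: per-user random salt + PBKDF2-HMAC-SHA256 with a work factor."""
    salt = os.urandom(16)  # CSPRNG, never random.random() (the "weak random generators" item)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_pbkdf2(password: str, record: dict) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["hash"])


def looks_unsalted(store) -> bool:
    """Tester check: storing the same password twice must NOT yield identical
    values; if it does, no per-user salt is in play."""
    first, second = store("correct horse"), store("correct horse")
    first_hash = first["hash"] if isinstance(first, dict) else first
    second_hash = second["hash"] if isinstance(second, dict) else second
    return first_hash == second_hash


def kdf_findings(record: dict) -> list:
    """Review check on a stored record: salt length and KDF iteration count."""
    findings = []
    if len(record.get("salt", b"")) < 16:
        findings.append("salt shorter than 16 bytes")
    if record.get("iterations", 0) < MIN_PBKDF2_ITERATIONS:
        findings.append("KDF iteration count below threshold")
    return findings
```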

