[Owasp-testing] Testing Guide V4 - Start up

Ismael Rocha ismaelrocha.projetos at gmail.com
Tue Sep 4 21:13:47 UTC 2012


Hello.

As I mentioned some days ago, I suggested improving the SSL Test, maybe based on
Qualys SSL Labs issues and others.

"SSL Test
 -> Enhance (maybe based on Qualys SSL Labs tests?)"

Still talking about "cryptography not used when necessary", I would say that
it is important to cover aspects of technologies which use the ViewState concept
(e.g. JSF, .NET).

Ismael Gonçalves

On Tue, Sep 4, 2012 at 5:42 PM, Simone Onofri <simone.onofri at gmail.com>wrote:

> hi all,
>
> i see the question is "data encryption" covers both transmission and
> storage.
>
> historically the two issues are divided. to brainstorm some stuff, also
> using the web application security testing checklist [1]:
>
>  - not used when necessary (e.g. for credential transportation or storage)
>  - algorithms
>    - weak/homebrew (e.g. on ssl or when developers use weak
> algorithms to protect data)
>    - wrong context (e.g. symmetric encryption for password storage)
>    - improper usage (e.g. hashing without salting, kdf with too few
> iterations)
>  - keys and secrets
>    - weak/short/guessable (e.g. also on ssl)
>  - entropy issues
>    - weak random generators
>    - ...
>
> ideas?
>
> s.
>
>
> [1]
> https://www.owasp.org/index.php/Web_Application_Security_Testing_Cheat_Sheet
> On Tue, Sep 4, 2012 at 9:56 PM, Juan Galiana Lara <jgaliana at owasp.org>
> wrote:
> > +1!
> >
> > I think that is really important to cover.
> >
> > I've seen a new "Testing for Data Encryption (New!)" under the data
> > validation section, but I would rather consider having a main section
> > for "Cryptography" at the same level as authentication, authorization,
> > data validation and so on.
> >
> > Cryptography is one of the most important topics in security and there
> > have been quite significant crypto vulnerabilities applied to webapps,
> > like the padding oracle attack technique that was applied to decrypt
> > HTTP cookies in several frameworks like ASP.NET, ROR and JSF two years
> > back. Or the one Eduardo mentioned, extension attacks due to improper
> > use or lack of use of HMAC algorithms, which is quite common.
> >
> > Actually, there are already a few sections under DV in the new table of
> > contents that would fit in that section:
> >
> > Testing for Data Encryption (New!)
> >
> > Application did not use encryption
> > Weak SSL/TLS Ciphers
> >
> > Insufficient Transport Layer Protection
> >
> > Insecure Cryptographic Storage [mainly CR Guide]
> >
> >
> > Thoughts?
> >
> >
> > --
> > Juan Galiana
> >
> >
> > On Tue, Sep 4, 2012 at 3:58 AM, Eduardo Castellanos <guayin at gmail.com>
> > wrote:
> >>
> >> Hello,
> >>
> >> What about a section for cryptographic attacks? Bad use of crypto
> >> functions in general (Hash Length Extension, etc.), or would that be
> >> outside the scope of the guide?
> >>
> >> Related links:
> >>
> >> https://blog.whitehatsec.com/hash-length-extension-attacks/
> >> https://www.owasp.org/index.php/Category:Cryptographic_Vulnerability
> >> http://blogs.msdn.com/b/ace_team/archive/2008/11/13/vulnerabilities-due-to-improper-use-of-crypto-part-1.aspx
> >>
> >>
> >> Eduardo Castellanos N.
> >>
> >>
> >>
> >> On Mon, Sep 3, 2012 at 8:01 PM, Robert Winkel
> >> <robert.winkel at saltbushgroup.com> wrote:
> >>>
> >>> I have taken the liberty of assigning myself against several of the
> >>> Authentication Testing test cases. I am happy to hand those over if
> >>> someone is interested in being assigned to those instead.
> >>>
> >>> What happened to the Denial of Service test cases?
> >>>
> >>> Is there a template to adhere to when the writing stage begins?
> >>>
> >>> _______________________________________
> >>> Robert “Bull” Winkel
> >>> Director Saltbush Assurance
> >>> email: robert.winkel at saltbushgroup.com
> >>> http://www.linkedin.com/in/robertwinkel
> >>>
> >>>
> >>> -----Original Message-----
> >>> From: owasp-testing-bounces at lists.owasp.org
> >>> [mailto:owasp-testing-bounces at lists.owasp.org] On Behalf Of Matteo Meucci
> >>> Sent: Friday, 31 August 2012 1:40 AM
> >>> To: owasp-testing at lists.owasp.org
> >>> Subject: [Owasp-testing] Testing Guide V4 - Start up
> >>>
> >>> Hi all Testing Guide contributors.
> >>>
> >>> Testing Guide v4 has been approved as Projects Reboot 2012!
> >>> https://www.owasp.org/index.php/Projects_Reboot_2012
> >>>
> >>> Here is the list of contributors I've collected:
> >>>
> >>> Pavol Luptak
> >>> Marco Morana
> >>> Giorgio Fedon
> >>> Stefano Di Paola
> >>> Gianrico Ingrosso
> >>> Giuseppe Bonfà
> >>> Roberto Suggi Liverani
> >>> Robert Smith
> >>> Andrew Muller
> >>> Robert Winkel
> >>> tripurari rai
> >>> Thomas Ryan
> >>> tim bertels
> >>> Cecil Su
> >>> Aung KhAnt
> >>> Norbert Szetei
> >>> michael.boman
> >>> Wagner Elias
> >>> Kevin Horvat
> >>> Juan Galiana Lara
> >>> Kenan Gursoy
> >>> Jason Flood
> >>> Javier Marcos de Prado
> >>> Sumit Siddharth
> >>> Mike Hryekewicz
> >>> psiinon
> >>> Ray Schippers
> >>> Raul Siles
> >>> Jayanta Karmakar
> >>> Brad Causey
> >>> Vicente Aguilera
> >>> Ismael Gonçalves
> >>>
> >>> Reviewers team:
> >>>
> >>> Paolo Perego
> >>> Daniel Cuthbert
> >>> Matthew Churcher
> >>> Lode Vanstechelman
> >>> Sebastien Gioria
> >>>
> >>>
> >>> Introduction and Project purpose for v4:
> >>> ========================================
> >>> The OWASP Testing Guide v3 includes a "best practice" penetration
> >>> testing framework which users can implement in their own organizations
> >>> and a "low level" penetration testing guide that describes techniques
> >>> for testing the most common web application and web service security
> >>> issues. Nowadays the Testing Guide has become the standard for
> >>> performing a Web Application Penetration Test and many companies all
> >>> around the world have adopted it.
> >>> It is vital for the project to maintain an updated project that
> >>> represents the state of the art for WebAppSec.
> >>>
> >>> Project Roadmap
> >>> =============
> >>>
> >>> - (1) 1st phase: Brainstorming and create a new table of contents
> >>>
> >>> Objective: creating a new table of contents of the OTGv4, assigning a
> >>> task for each contributor.
> >>> I created a new OWASP Testing Guide v4 table of contents here:
> >>> https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
> >>>
> >>> - (2) 2nd phase: Writing
> >>>
> >>> - 20th September 2012: Start writing the articles
> >>> - 1st November 2012: 1st Draft
> >>> - 30th November: End of writing phase
> >>>
> >>> - (3) 3rd phase: Reviewing
> >>>
> >>> - 1st December 2012: Starting the review phase,
> >>> - 15th December 2012: Create the RC1,
> >>> - 31st January 2013: Release the version 4.
> >>>
> >>> Timeline November 2012 1st Draft, January 2013 Final Release
> >>>
> >>> So, let's start discussion about phase (1)!
> >>>
> >>> Thanks!
> >>> Mat
> >>>
> >>> --
> >>> Matteo Meucci
> >>> OWASP Testing Guide Lead
> >>> OWASP-Italy President
> >>>
> >>>
> >>> _______________________________________________
> >>> Owasp-testing mailing list
> >>> Owasp-testing at lists.owasp.org
> >>> https://lists.owasp.org/mailman/listinfo/owasp-testing
> >>>
> >>
> >>
> >>
> >>
> >
> >
> >
>



-- 
Ismael Gonçalves
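The password-storage items from Simone's brainstorm list quoted above (hashing without salting, kdf with too few iterations, weak random generators) and the integrity-of-state point behind Ismael's ViewState remark and Juan's HMAC remark, as an added example that is not code from any message in this thread or from the OWASP Testing Guide. The weak pattern is shown beside the hardened one, together with a small audit check a tester could run over stored records. The record format (`algorithm$iterations$salt$key`), the iteration thresholds, the constructed sample secrets and all function names are assumptions made for this illustration.

```python
"""Added example: password storage and client-side state integrity checks.
Record format, thresholds and sample data are assumptions for illustration."""
import base64
import binascii
import hashlib
import hmac
import secrets

MIN_ITERATIONS = 100_000       # assumption: audit threshold for PBKDF2 work factor
DEFAULT_ITERATIONS = 600_000   # assumption: work factor used when creating new records
SALT_LEN = 16                  # bytes; salt comes from the OS CSPRNG via `secrets`


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text.encode("ascii"))


# --- "improper usage: hashing without salting" -----------------------------
def weak_hash_password(password: str) -> str:
    """Unsalted, single-round SHA-256: equal passwords give equal digests and
    digests can be precomputed. Kept only as the pattern the audit should flag."""
    return "sha256$" + hashlib.sha256(password.encode("utf-8")).hexdigest()


# --- hardened: per-user random salt + PBKDF2 with an explicit work factor --
def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Returns a self-describing record: algorithm$iterations$salt$derived_key."""
    salt = secrets.token_bytes(SALT_LEN)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, _b64(salt), _b64(dk))


def verify_password(password: str, record: str) -> bool:
    algo, iters, salt, dk = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), _unb64(salt), int(iters))
    # constant-time comparison so verification timing does not leak digest bytes
    return hmac.compare_digest(candidate, _unb64(dk))


# --- audit check over stored records: the checklist items made testable ----
def audit_record(record: str, min_iterations: int = MIN_ITERATIONS) -> list:
    """Returns a list of findings for one stored password record."""
    findings = []
    parts = record.split("$")
    algo = parts[0]
    if algo in ("md5", "sha1", "sha256") and len(parts) == 2:
        findings.append("unsalted single-round hash (%s)" % algo)
    elif algo == "pbkdf2_sha256" and len(parts) == 4:
        iters = int(parts[1])
        if iters < min_iterations:
            findings.append(
                "kdf with too few iterations (%d < %d)" % (iters, min_iterations))
        salt_len = len(_unb64(parts[2]))
        if salt_len < SALT_LEN:
            findings.append("short salt (%d bytes)" % salt_len)
    else:
        findings.append("unrecognised record format %r" % algo)
    return findings


# --- integrity of serialised client-side state (ViewState-like blob) -------
def sign_state(state: bytes, key: bytes) -> str:
    """HMAC-SHA256 over the blob; a plain hash of key||data is the pattern the
    length-extension discussion warns about, so a keyed MAC is used instead."""
    tag = hmac.new(key, state, hashlib.sha256).digest()
    return _b64(state) + "." + _b64(tag)


def verify_state(token: str, key: bytes):
    """Returns the state bytes if the tag verifies, otherwise None."""
    try:
        state_b64, tag_b64 = token.split(".")
        state, tag = _unb64(state_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, state, hashlib.sha256).digest()
    return state if hmac.compare_digest(expected, tag) else None


if __name__ == "__main__":
    # constructed sample records, as a reviewer would see them in a dump
    for rec in (weak_hash_password("hunter2"), hash_password("hunter2", 1000),
                hash_password("hunter2")):
        print(rec.split("$")[0], "->", audit_record(rec) or "ok")
```

`audit_record` is the piece to reuse: point it at the rows of a credential table export and every finding maps directly onto an item of the brainstorm list, which is the kind of concrete test case the "Insecure Cryptographic Storage" section would need.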

