[Owasp-testing] Testing Guide V4 - Start up

Simone Onofri simone.onofri at gmail.com
Tue Sep 4 21:16:55 UTC 2012


On Tue, Sep 4, 2012 at 11:13 PM, Ismael Rocha
<ismaelrocha.projetos at gmail.com> wrote:
> Hello.

hi ismael,

> As I mentioned some days ago, I suggested improving SSL Test, maybe based on
> Qualys SSLabs issues and others.
>
> "SSL Test
>  -> Enhance (maybe based on Qualys SSLlabs  tests?)"


+1, i also use it!

> Still talking about "cryptography not used when necessary" I would say that
> is important to cover aspects of technologies which use ViewState concept
> (e.g. JSF, .NET).

of course!


> Ismael Gonçalves
>
>
> On Tue, Sep 4, 2012 at 5:42 PM, Simone Onofri <simone.onofri at gmail.com>
> wrote:
>>
>> hi all,
>>
>> i see the question is whether "data encryption" covers both transmission
>> and storage.
>>
>> historically the two issues are divided. to brainstorm some stuff, also
>> using the web application security testing checklist [1]:
>>
>>  - not used when necessary (e.g. for credential transportation or storage)
>>  - algorithms
>>    - weak/homebrew (e.g. on ssl or when developers use weak
>> algorithms to protect data)
>>    - wrong context (e.g. symmetric encryption for password storage)
>>    - improper usage (e.g. hashing without salting, kdf with fewer
>> iterations)
>>  - keys and secrets
>>    - weak/short/guessable (e.g. also on ssl)
>>  - entropy issues
>>    - weak random generators
>>    - ...
>>
>> ideas?
>>
>> s.
>>
>>
>> [1]
>> https://www.owasp.org/index.php/Web_Application_Security_Testing_Cheat_Sheet
>> On Tue, Sep 4, 2012 at 9:56 PM, Juan Galiana Lara <jgaliana at owasp.org>
>> wrote:
>> > +1!
>> >
>> > I think that is really important to cover.
>> >
>> > I've seen a new  "Testing for Data Encryption (New!)" under the data
>> > validation section, but I would rather consider to have a main section
>> > for
>> > "Cryptography" at the same level of authentication, authorization, data
>> > validation and so on.
>> >
>> > Cryptography is one of the most important topics in security and there
>> > have
>> > been quite significant crypto vulnerabilities applied to webapps like
>> > the
>> > padding oracle attack technique that was applied to decrypt HTTP cookies
>> > in
>> > several frameworks like ASP.NET, ROR and JSF two years back. Or the one
>> > Eduardo mentioned, extension attacks due to improper or lack of use of
>> > HMAC
>> > algorithms, that is quite common.
>> >
>> > Actually, there are already few sections under DV in the new table of
>> > contents, that would fit in that section:
>> >
>> > Testing for Data Encryption (New!)
>> >
>> > Application did not use encryption
>> > Weak SSL/TLS Ciphers
>> >
>> > Insufficient Transport Layer Protection
>> >
>> > Insecure Cryptographic Storage [mainly CR Guide]
>> >
>> >
>> > Thoughts?
>> >
>> >
>> > --
>> > Juan Galiana
>> >
>> >
>> > On Tue, Sep 4, 2012 at 3:58 AM, Eduardo Castellanos <guayin at gmail.com>
>> > wrote:
>> >>
>> >> Hello,
>> >>
>> >> What about a section for cryptographic attacks? Bad use of crypto
>> >> functions in general. (Hash Length Extension, etc.) or would that be
>> >> outside
>> >> the scope of the guide?
>> >>
>> >> Related links:
>> >>
>> >> https://blog.whitehatsec.com/hash-length-extension-attacks/
>> >> https://www.owasp.org/index.php/Category:Cryptographic_Vulnerability
>> >>
>> >>
>> >> http://blogs.msdn.com/b/ace_team/archive/2008/11/13/vulnerabilities-due-to-improper-use-of-crypto-part-1.aspx
>> >>
>> >>
>> >> Eduardo Castellanos N.
>> >>
>> >>
>> >>
>> >> On Mon, Sep 3, 2012 at 8:01 PM, Robert Winkel
>> >> <robert.winkel at saltbushgroup.com> wrote:
>> >>>
>> >>> I have taken the liberty of assigning myself against several of the
>> >>> Authentication Testing test cases.  I am happy to hand those over if
>> >>> someone
>> >>> is interested in being assigned to those instead.
>> >>>
>> >>> What happened to the Denial of Service test cases?
>> >>>
>> >>> Is there a template to adhere to when the writing stage begins?
>> >>>
>> >>> _______________________________________
>> >>> Robert “Bull” Winkel
>> >>> Director Saltbush Assurance
>> >>> email: robert.winkel at saltbushgroup.com
>> >>> http://www.linkedin.com/in/robertwinkel
>> >>>
>> >>>
>> >>> -----Original Message-----
>> >>> From: owasp-testing-bounces at lists.owasp.org
>> >>> [mailto:owasp-testing-bounces at lists.owasp.org] On Behalf Of Matteo
>> >>> Meucci
>> >>> Sent: Friday, 31 August 2012 1:40 AM
>> >>> To: owasp-testing at lists.owasp.org
>> >>> Subject: [Owasp-testing] Testing Guide V4 - Start up
>> >>>
>> >>> Hi all Testing Guide contributors.
>> >>>
>> >>> Testing Guide v4 has been approved as Projects Reboot 2012!
>> >>> https://www.owasp.org/index.php/Projects_Reboot_2012
>> >>>
>> >>> Here is the list of contributors I've collected:
>> >>>
>> >>> Pavol Luptak
>> >>> Marco Morana
>> >>> Giorgio Fedon
>> >>> Stefano Di Paola
>> >>> Gianrico Ingrosso
>> >>> Giuseppe Bonfà
>> >>> Roberto Suggi Liverani
>> >>> Robert Smith
>> >>> Andrew Muller
>> >>> Robert Winkel
>> >>> tripurari rai
>> >>> Thomas Ryan
>> >>> tim bertels
>> >>> Cecil Su
>> >>> Aung KhAnt
>> >>> Norbert Szetei
>> >>> michael.boman
>> >>> Wagner Elias
>> >>> Kevin Horvat
>> >>> Juan Galiana Lara
>> >>> Kenan Gursoy
>> >>> Jason Flood
>> >>> Javier Marcos de Prado
>> >>> Sumit Siddharth
>> >>> Mike Hryekewicz
>> >>> psiinon
>> >>> Ray Schippers
>> >>> Raul Siles
>> >>> Jayanta Karmakar
>> >>> Brad Causey
>> >>> Vicente Aguilera
>> >>> Ismael Gonçalves
>> >>>
>> >>> Reviewers team:
>> >>>
>> >>> Paolo Perego
>> >>> Daniel Cuthbert
>> >>> Matthew Churcher
>> >>> Lode Vanstechelman
>> >>> Sebastien Gioria
>> >>>
>> >>>
>> >>> Introduction and Project purpose for v4:
>> >>> =========================================
>> >>> The OWASP Testing Guide v3
>> >>> includes a "best practice" penetration testing framework which users
>> >>> can
>> >>> implement in their own organizations and a "low level" penetration
>> >>> testing
>> >>> guide that describes techniques for testing most common web
>> >>> application
>> >>> and
>> >>> web service security issues. Nowadays the Testing Guide has become the
>> >>> standard to perform a Web Application Penetration Testing and many
>> >>> Companies
>> >>> all around the world have adopted it.
>> >>> It is vital for the project to maintain an updated guide that
>> >>> represents
>> >>> the state of the art for WebAppSec.
>> >>>
>> >>> Project Roadmap
>> >>> =============
>> >>>
>> >>> - (1) 1st phase: Brainstorming and create a new table of contents
>> >>>
>> >>> Objective: creating a new table of contents of the OTGv4 assigning a
>> >>> task
>> >>> for each contributor.
>> >>> I created a new OWASP Testing Guide v4 table of Contents here:
>> >>>
>> >>> https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
>> >>>
>> >>> - (2) 2nd phase:  Writing
>> >>> - 20th September 2012: Start writing the articles
>> >>> - 1st November 2012: 1st Draft
>> >>> - 30th November: end of writing phase
>> >>>
>> >>> - (3) 3rd phase: Reviewing
>> >>>
>> >>> - 1st December 2012: Starting the review phase,
>> >>> - 15th December 2012: Create the RC1,
>> >>> - 31st January 2013: Release the version 4.
>> >>>
>> >>> Timeline November 2012 1st Draft, January 2013 Final Release
>> >>>
>> >>> So, let's start discussion about phase (1)!
>> >>>
>> >>> Thanks!
>> >>> Mat
>> >>>
>> >>> --
>> >>> Matteo Meucci
>> >>> OWASP Testing Guide Lead
>> >>> OWASP-Italy President
>> >>>
>> >>>
>> >>> _______________________________________________
>> >>> Owasp-testing mailing list
>> >>> Owasp-testing at lists.owasp.org
>> >>> https://lists.owasp.org/mailman/listinfo/owasp-testing
>> >>>
>> >>
>> >>
>> >>
>> >>
>> >
>> >
>> >
>
>
>
>
> --
> Ismael Gonçalves
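The checklist Simone brainstormed above (salting, KDF work factor, weak or misapplied algorithms, HMAC instead of a bare hash for the extension-attack item Juan and Eduardo raise, and CSPRNG entropy) maps directly onto things a tester can check in stored credential records. The following is an added example written for this page, not code from the thread or from the Testing Guide project; the `algo$iterations$salt$hash` record format and the 600,000-iteration floor are assumptions chosen for the illustration, and the sample records are constructed.

```python
"""Audit stored credential records and message tags against the crypto
checklist from the thread: unsalted hashes, missing or weak KDF, weak
algorithms, HMAC instead of hash(secret || message), and CSPRNG entropy.
Example code written for this page; record format and iteration floor
are assumptions."""
import hashlib
import hmac
import secrets

# Assumption: iteration floor this audit applies to PBKDF2-HMAC-SHA256.
MIN_PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, iterations: int = MIN_PBKDF2_ITERATIONS) -> str:
    """Salted PBKDF2 record: 'pbkdf2_sha256$<iterations>$<salt hex>$<dk hex>'."""
    salt = secrets.token_bytes(16)  # CSPRNG salt, never random.random()
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the derived key and compare it in constant time."""
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def audit_record(record: str) -> list[str]:
    """Map one stored record to the checklist items it violates."""
    findings = []
    parts = record.split("$")
    if len(parts) == 1:
        # A bare digest: no salt and no work factor at all.
        findings.append("unsalted-hash")
        if len(record) in (32, 40):  # hex length of an MD5 / SHA-1 digest
            findings.append("weak-algorithm")
        findings.append("no-kdf")
        return findings
    algo = parts[0]
    if algo in ("md5", "sha1"):
        findings.append("weak-algorithm")
    if algo.startswith("pbkdf2_"):
        if int(parts[1]) < MIN_PBKDF2_ITERATIONS:
            findings.append("iterations-below-minimum")
    else:
        findings.append("no-kdf")  # a salted plain hash is still not a KDF
    return findings


def hmac_tag(key: bytes, message: bytes) -> str:
    """Integrity tag. A bare sha256(key + message) is the improper form the
    thread mentions (length-extendable); HMAC is the keyed construction."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, message: bytes, tag: str) -> bool:
    return hmac.compare_digest(hmac_tag(key, message), tag)


def new_session_token() -> str:
    """Entropy item: tokens come from the OS CSPRNG, not a seeded PRNG."""
    return secrets.token_urlsafe(32)


# Constructed sample records: one per checklist finding.
SAMPLE_RECORDS = {
    "alice": hashlib.md5(b"password").hexdigest(),                  # bare MD5
    "bob": "sha1$" + "00" * 8 + "$"
           + hashlib.sha1(b"\x00" * 8 + b"password").hexdigest(),   # salted, no KDF
    "carol": "pbkdf2_sha256$1000$" + "11" * 16 + "$" + "22" * 32,   # too few rounds
}


def audit_all(records: dict[str, str]) -> dict[str, list[str]]:
    return {user: audit_record(rec) for user, rec in records.items()}


if __name__ == "__main__":
    records = dict(SAMPLE_RECORDS, dave=hash_password("correct horse battery staple"))
    for user, findings in audit_all(records).items():
        print(f"{user:6s} {findings or 'ok'}")
```

Run stand-alone, the script prints one line per sample user with the checklist items that record violates, and `ok` for the freshly created PBKDF2 record; `verify_password` and `verify_tag` both use `hmac.compare_digest` so that comparison time does not leak how many bytes matched.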

