[Owasp-testing] Testing Guide V4 - Start up

Ismael Rocha ismaelrocha.projetos at gmail.com
Wed Sep 5 01:33:27 UTC 2012


Hello All!

I've compiled the Web App Penetration Test part from the ToC with all
(sorry if I missed some!) suggestions presented in the list.

The results follow.

We also have to decide whether mobile will be part of the scope or not.



-----------------------------------------

Testing Guide V4 ToC

...

4 Web Application Penetration Test

4.1 Introduction and Objectives [To review--> Mat]

4.1.1 Testing Checklist [To review at the end of brainstorming --> Mat]

4.2 Information Gathering [To review--> contributor here]


4.3 Configuration and Deploy Management Testing

Infrastructure Configuration management weakness
Application Configuration management weakness
File extensions handling
Old, backup and unreferenced files
Access to Admin interfaces
Bad HTTP Methods enabled [new]
Informative Error Messages
Database credentials/connection strings available
Test for security HTTP headers (e.g. CSP, X-Frame-Options, HSTS)
Test for policies (e.g. Flash, Silverlight, robots) [suggestion CheatSheet]
Check for sensitive data in client-side code (e.g. API keys, credentials)
Test for policies (e.g. Flash, Silverlight, robots)
Test for sensitive information in logs


4.4 Authentication Testing

Credentials transport over an unencrypted channel [Robert Winkel]
User enumeration (also Guessable user account) [Robert Winkel]
Default passwords [Robert Winkel]
Weak lock out mechanism [New! - Robert Winkel]
Account lockout DoS [New! - Robert Winkel]
Bypassing authentication schema
Directory traversal/file include
Vulnerable remember password [Robert Winkel]
Browser cache weakness [New!]
Weak password policy [New! - Robert Winkel]
Weak username policy [New! - Robert Winkel]
Weak security question/answer [New! - Robert Winkel]
Failure to restrict access to authenticated resource [New!]
Weak password change function [New! - Robert Winkel]
Testing for CAPTCHA
Test multi factor authentication
Test for consistent authentication across applications with shared
authentication schema / SSO [suggestion CheatSheet/SAML Ismael Gonçalves]
Test for autocomplete on password forms/input
Test for logout functionality presence
Test for cache management on HTTP (e.g. Pragma, Expires, Max-age)
Test for user-accessible authentication history
Test for out-of-channel notification of account lockouts and successful
password changes

4.5 Session Management Testing

Bypassing Session Management Schema
Weak Session Token
Cookies are set not ‘HTTP Only’, ‘Secure’, and no time validity
Exposed sensitive session variables
CSRF
Session passed over http [New!]
Session token within URL [New!]
Session Fixation
Session token not removed on server after logout [New!]
Persistent session token [New!]
Session token not restricted properly (such as domain or path not set
properly) [New!]
Logout function not properly implemented
Test for consistent session management across applications with shared
session management
Confirm that new session tokens are issued on login, role change and logout

4.6 Authorization Testing

Bypassing authorization schema
Privilege Escalation
Insecure Direct Object References
Failure to Restrict access to authorized resource [New!]

4.7 Business Logic Testing (OWASP-BL-001) [To review--> contributor here]
Business Logic

4.8 Data Validation Testing

Reflected XSS
Stored XSS
HTTP Verb Tampering [Brad Causey]
HTTP Parameter pollution [Brad Causey]
Unvalidated Redirects and Forwards [Brad Causey]
SQL Injection [Brad Causey]
LDAP Injection
ORM Injection
XML Injection
SSI Injection
XPath Injection
SOAP Injection
IMAP/SMTP Injection
Code Injection
OS Commanding
Buffer overflow
Incubated vulnerability
Test for XXE Injection
Test for XQuery Injection
HTTP Splitting/Smuggling
Test for HTTP Verb Tampering
Test for Open Redirection
Test for Local File Inclusion
Test for Remote File Inclusion
Compare client-side and server-side validation rules
Test for NoSQL injection
Test for HTTP parameter pollution
Test for auto-binding
Test for HTML Injection
Test for File upload
Expression Language Injection

4.9 Testing for Data Encryption (New!)

Application did not use encryption
Weak SSL/TLS Ciphers
Insufficient Transport Layer Protection
Cacheable HTTPS Response
Cache directives insecure
Insecure Cryptographic Storage [mainly CR Guide]
Sensitive information sent via unencrypted channels


4.10 XML Interpreter? (New!)

Weak XML Structure
XML content-level
WS HTTP GET parameters/REST
WS Naughty SOAP attachments
WS Replay Testing

4.11 Client Side Testing (New!)

DOM XSS
Cross Site Flashing
Clickjacking
JSON
HTML 5

4.12 Denial of Service

Test for account lockout
Test for HTTP protocol DoS

4.13 Evasive Techniques in General

...

Regards.

Ismael Gonçalves
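As an added example (not the Testing Guide's code and not from anyone in this thread), a small checker for three of the ToC items above: the 4.3 security headers (HSTS, CSP, X-Frame-Options), the 4.5 cookie flags (HttpOnly, Secure) and the 4.4 cache directives (Cache-Control, Pragma). It runs over a constructed response string rather than a live site; the finding messages and the exact set of headers checked are my choices.

```python
def parse_response(raw):
    """Split raw HTTP response text into (status line, [(name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]          # headers only, body dropped
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def values(headers, name):
    """All values of a header name (case-insensitive); Set-Cookie may repeat."""
    return [v for n, v in headers if n == name.lower()]


def check_response(raw):
    """Return a list of findings; an empty list means every check passed."""
    _, headers = parse_response(raw)
    findings = []
    # 4.3: security headers named in the ToC (HSTS, CSP, X-Frame-Options).
    for h in ("strict-transport-security", "content-security-policy",
              "x-frame-options"):
        if not values(headers, h):
            findings.append("missing header: " + h)
    # 4.5: every cookie should carry both the HttpOnly and Secure attributes.
    for cookie in values(headers, "set-cookie"):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
        for flag in ("httponly", "secure"):
            if flag not in attrs:
                findings.append("cookie %s lacks %s" % (name, flag))
    # 4.4: cache directives that keep authenticated pages out of caches.
    if "no-store" not in ",".join(values(headers, "cache-control")).lower():
        findings.append("cache-control lacks no-store")
    if "no-cache" not in [v.lower() for v in values(headers, "pragma")]:
        findings.append("pragma lacks no-cache")
    return findings


# Constructed sample response (not captured from any real site): one cookie
# without flags, no HSTS/CSP, and a cacheable Cache-Control.
WEAK = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
        "Set-Cookie: JSESSIONID=abc123; Path=/\r\n"
        "Set-Cookie: pref=1; Secure; HttpOnly\r\n"
        "X-Frame-Options: DENY\r\nCache-Control: private, max-age=3600\r\n"
        "\r\n<html></html>")
```

Calling `check_response(WEAK)` reports six findings (two missing headers, two missing flags on JSESSIONID, and the two cache directives); a response with all of them present returns an empty list.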

On Tue, Sep 4, 2012 at 6:39 PM, Ismael Rocha <ismaelrocha.projetos at gmail.com> wrote:

> Hello.
>
> I think maybe we should make a cross-reference between the ToC and the
> Testing Cheat Sheet. It would help us to identify which aspects are covered
> and which aren´t covered in the ToC.
> For example: SSO is covered in the cheatsheet and not covered in the ToC.
> Also HTTP DoS.
> It also can give us some ideas about the names of the sections. If anybody
> did it already I can do it.
>
> Ismael Gonçalves
>
>
> https://www.owasp.org/index.php/Web_Application_Security_Testing_Cheat_Sheet
>
> https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
>
>
> On Tue, Sep 4, 2012 at 6:16 PM, Simone Onofri <simone.onofri at gmail.com> wrote:
>
>> On Tue, Sep 4, 2012 at 11:13 PM, Ismael Rocha
>> <ismaelrocha.projetos at gmail.com> wrote:
>> > Hello.
>>
>> hi ismael,
>>
>> > As I mentioned some days ago, I suggested improving the SSL Test, maybe
>> > based on Qualys SSL Labs issues and others.
>> >
>> > "SSL Test
>> >  -> Enhance (maybe based on Qualys SSL Labs tests?)"
>>
>>
>> +1, i also use it!
>>
>> > Still talking about "cryptography not used when necessary", I would say
>> > that it is important to cover aspects of technologies which use the
>> > ViewState concept (e.g. JSF, .NET).
>>
>> of course!
>>
>>
>> > Ismael Gonçalves
>> >
>> >
>> > On Tue, Sep 4, 2012 at 5:42 PM, Simone Onofri <simone.onofri at gmail.com>
>> > wrote:
>> >>
>> >> hi all,
>> >>
>> >> i see the question is whether "data encryption" covers both transmission
>> >> and storage.
>> >>
>> >> historically the two issues are divided. to brainstorm some stuff, also
>> >> using the web application security testing checklist [1]:
>> >>
>> >>  - not used when necessary (e.g. for credential transportation or
>> >>    storage)
>> >>  - algorithms
>> >>    - weak/homebrew (e.g. on ssl or when developers use weak
>> >>      algorithms to protect data)
>> >>    - wrong context (e.g. symmetric encryption for password storage)
>> >>    - improper usage (e.g. hashing without salting, kdf with too few
>> >>      iterations)
>> >>  - keys and secrets
>> >>    - weak/short/guessable (e.g. also on ssl)
>> >>  - entropy issues
>> >>    - weak random generators
>> >>    - ...
>> >>
>> >> ideas?
>> >>
>> >> s.
>> >>
>> >>
>> >> [1]
>> >> https://www.owasp.org/index.php/Web_Application_Security_Testing_Cheat_Sheet
>> >> On Tue, Sep 4, 2012 at 9:56 PM, Juan Galiana Lara <jgaliana at owasp.org>
>> >> wrote:
>> >> > +1!
>> >> >
>> >> > I think that is really important to cover.
>> >> >
>> >> > I've seen a new "Testing for Data Encryption (New!)" under the data
>> >> > validation section, but I would rather consider having a main section
>> >> > for "Cryptography" at the same level as authentication, authorization,
>> >> > data validation and so on.
>> >> >
>> >> > Cryptography is one of the most important topics in security and there
>> >> > have been quite significant crypto vulnerabilities applied to webapps,
>> >> > like the padding oracle attack technique that was applied to decrypt
>> >> > HTTP cookies in several frameworks like ASP.NET, ROR and JSF two years
>> >> > back. Or the one Eduardo mentioned, extension attacks due to improper
>> >> > use or lack of use of HMAC algorithms, which is quite common.
>> >> >
>> >> > Actually, there are already a few sections under DV in the new table of
>> >> > contents that would fit in that section:
>> >> >
>> >> > Testing for Data Encryption (New!)
>> >> >
>> >> > Application did not use encryption
>> >> > Weak SSL/TLS Ciphers
>> >> >
>> >> > Insufficient Transport Layer Protection
>> >> >
>> >> > Insecure Cryptographic Storage [mainly CR Guide]
>> >> >
>> >> >
>> >> > Thoughts?
>> >> >
>> >> >
>> >> > --
>> >> > Juan Galiana
>> >> >
>> >> >
>> >> > On Tue, Sep 4, 2012 at 3:58 AM, Eduardo Castellanos <guayin at gmail.com> wrote:
>> >> >>
>> >> >> Hello,
>> >> >>
>> >> >> What about a section for cryptographic attacks? Bad use of crypto
>> >> >> functions in general. (Hash Length Extension, etc.) or would that be
>> >> >> outside
>> >> >> the scope of the guide?
>> >> >>
>> >> >> Related links:
>> >> >>
>> >> >> https://blog.whitehatsec.com/hash-length-extension-attacks/
>> >> >>
>> >> >> https://www.owasp.org/index.php/Category:Cryptographic_Vulnerability
>> >> >>
>> >> >> http://blogs.msdn.com/b/ace_team/archive/2008/11/13/vulnerabilities-due-to-improper-use-of-crypto-part-1.aspx
>> >> >>
>> >> >>
>> >> >> Eduardo Castellanos N.
>> >> >>
>> >> >>
>> >> >>
>> >> >> On Mon, Sep 3, 2012 at 8:01 PM, Robert Winkel
>> >> >> <robert.winkel at saltbushgroup.com> wrote:
>> >> >>>
>> >> >>> I have taken the liberty of assigning myself against several of the
>> >> >>> Authentication Testing test cases.  I am happy to hand those over if
>> >> >>> someone is interested in being assigned to those instead.
>> >> >>>
>> >> >>> What happened to the Denial of Service test cases?
>> >> >>>
>> >> >>> Is there a template to adhere to when the writing stage begins?
>> >> >>>
>> >> >>> _______________________________________
>> >> >>> Robert “Bull” Winkel
>> >> >>> Director Saltbush Assurance
>> >> >>> email: robert.winkel at saltbushgroup.com
>> >> >>> http://www.linkedin.com/in/robertwinkel
>> >> >>>
>> >> >>>
>> >> >>> -----Original Message-----
>> >> >>> From: owasp-testing-bounces at lists.owasp.org
>> >> >>> [mailto:owasp-testing-bounces at lists.owasp.org] On Behalf Of Matteo
>> >> >>> Meucci
>> >> >>> Sent: Friday, 31 August 2012 1:40 AM
>> >> >>> To: owasp-testing at lists.owasp.org
>> >> >>> Subject: [Owasp-testing] Testing Guide V4 - Start up
>> >> >>>
>> >> >>> Hi all Testing Guide contributors.
>> >> >>>
>> >> >>> Testing Guide v4 has been approved as Projects Reboot 2012!
>> >> >>> https://www.owasp.org/index.php/Projects_Reboot_2012
>> >> >>>
>> >> >>> Here is the list of contributors I've collected:
>> >> >>>
>> >> >>> Pavol Luptak
>> >> >>> Marco Morana
>> >> >>> Giorgio Fedon
>> >> >>> Stefano Di Paola
>> >> >>> Gianrico Ingrosso
>> >> >>> Giuseppe Bonfà
>> >> >>> Roberto Suggi Liverani
>> >> >>> Robert Smith
>> >> >>> Andrew Muller
>> >> >>> Robert Winkel
>> >> >>> tripurari rai
>> >> >>> Thomas Ryan
>> >> >>> tim bertels
>> >> >>> Cecil Su
>> >> >>> Aung KhAnt
>> >> >>> Norbert Szetei
>> >> >>> michael.boman
>> >> >>> Wagner Elias
>> >> >>> Kevin Horvat
>> >> >>> Juan Galiana Lara
>> >> >>> Kenan Gursoy
>> >> >>> Jason Flood
>> >> >>> Javier Marcos de Prado
>> >> >>> Sumit Siddharth
>> >> >>> Mike Hryekewicz
>> >> >>> psiinon
>> >> >>> Ray Schippers
>> >> >>> Raul Siles
>> >> >>> Jayanta Karmakar
>> >> >>> Brad Causey
>> >> >>> Vicente Aguilera
>> >> >>> Ismael Gonçalves
>> >> >>>
>> >> >>> Reviewers team:
>> >> >>>
>> >> >>> Paolo Perego
>> >> >>> Daniel Cuthbert
>> >> >>> Matthew Churcher
>> >> >>> Lode Vanstechelman
>> >> >>> Sebastien Gioria
>> >> >>>
>> >> >>>
>> >> >>> Introduction and Project purpose for v4:
>> >> >>> =======================================
>> >> >>> The OWASP Testing Guide v3 includes a "best practice" penetration
>> >> >>> testing framework which users can implement in their own organizations
>> >> >>> and a "low level" penetration testing guide that describes techniques
>> >> >>> for testing most common web application and web service security
>> >> >>> issues. Nowadays the Testing Guide has become the standard to perform
>> >> >>> Web Application Penetration Testing and many Companies all around the
>> >> >>> world have adopted it.
>> >> >>> It is vital for the project to maintain an updated project that
>> >> >>> represents the state of the art for WebAppSec.
>> >> >>>
>> >> >>> Project Roadmap
>> >> >>> =============
>> >> >>>
>> >> >>> - (1) 1st phase: Brainstorming and create a new table of contents
>> >> >>>
>> >> >>> Objective: creating a new table of contents of the OTGv4 assigning a
>> >> >>> task for each contributor.
>> >> >>> I created a new OWASP Testing Guide v4 table of Contents here:
>> >> >>>
>> >> >>> https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
>> >> >>>
>> >> >>> - (2) 2nd phase:  Writing
>> >> >>> 20th September 2012: Start writing the articles
>> >> >>> 1st November 2012: 1st Draft
>> >> >>> 30th November: end of writing phase
>> >> >>>
>> >> >>> - (3) 3rd phase: Reviewing
>> >> >>>
>> >> >>> - 1st December 2012: Starting the review phase,
>> >> >>> - 15th December 2012: Create the RC1,
>> >> >>> - 31st January 2013: Release the version 4.
>> >> >>>
>> >> >>> Timeline November 2012 1st Draft, January 2013 Final Release
>> >> >>>
>> >> >>> So, let's start discussion about phase (1)!
>> >> >>>
>> >> >>> Thanks!
>> >> >>> Mat
>> >> >>>
>> >> >>> --
>> >> >>> Matteo Meucci
>> >> >>> OWASP Testing Guide Lead
>> >> >>> OWASP-Italy President
>> >> >>>
>> >> >>>
>> >> >>> _______________________________________________
>> >> >>> Owasp-testing mailing list
>> >> >>> Owasp-testing at lists.owasp.org
>> >> >>> https://lists.owasp.org/mailman/listinfo/owasp-testing
>> >> >>>
>> >> >>
>> >> >>
>> >> >>
>> >> >>
>> >> >
>> >> >
>> >> >
>> >
>> >
>> >
>> >
>> > --
>> > Ismael Gonçalves
>>
>
>
>
> --
> Ismael Gonçalves
>



-- 
Ismael Gonçalves