[Owasp-testing] Testing Guide V4 - Start up

Simone Onofri simone.onofri at gmail.com
Wed Sep 5 13:52:55 UTC 2012


On Wed, Sep 5, 2012 at 12:29 PM, Matteo Meucci <matteo.meucci at owasp.org> wrote:
> Hi,
> thanks Ismael.
> I'll update the ToC on the wiki (there are some items repeated twice
> and some we need to understand better whether to include).
>
> As Kevin said mobile testing is part of another OWASP project.
>
> Regarding many contributors contacting me directly or asking to
> contribute, first of all thanks, then please specify which
> area/paragraph would you like to cover.
>
> Paragraph template: yes, we have a template from v3; maybe we can also
> review that. From the 2nd phase (writing the new guide) I'll create a new
> paragraph with this template for each item to write.
>
> Tools: as Daniel said, yes, we have to be agnostic regarding the tools.
> But at the end of each paragraph, as usual, we can specify a list of Open
> Source tools that help to perform that test.
>
> Remember that we are creating a guide for Web Application Penetration
> Testing. All the tests will be called "Testing for [test]".
>
> So cryptographic tests are good to add, but only those regarding testing
> of the running application, for example Padding Oracle.
> But "weak random generators" and "weak algorithms to protect data" in
> general are not possible to test when performing a WebAppPentest.

Hi Matt,

in general it is not possible, but as you know it is possible, for
example by exploiting a SQL injection, to find clear-text passwords.

In this case I think it is nice to insert in the report(s) a link to the
Testing Guide (as the Testing Guide is the standard for security testing)
:)

Another OWASP document that can be integrated/considered is the OWASP ASVS
(for the specific verifications required by the level); if needed, I have
some mappings.

Ciao,

s.


> WebAppSecTesting Cheat Sheet:
> https://www.owasp.org/index.php/Web_Application_Security_Testing_Cheat_Sheet
>
> In the testing Guide we have already a similar paragraph (v3):
> https://www.owasp.org/index.php/Testing_Checklist
>
> I think we can use it to verify if some items are missing, then the
> cheat sheet will be updated to the new Testing Checklist paragraph (as
> mentioned in the Cheat Sheet purpose).
>
> Thanks!
> Mat
>
>
>
> On 09/05/2012 03:33 AM, Ismael Rocha wrote:
>> Hello All!
>>
>> I've compiled the Web App Penetration Test part from the ToC with all
>> (sorry if I missed some!) suggestions presented on the list.
>>
>> The results follow.
>>
>> We also have to decide whether mobile will be part of the scope or not.
>>
>>
>>
>> -----------------------------------------
>>
>> Testing Guide V4 ToC
>>
>> ...
>>
>> 4 Web Application Penetration Test
>>
>> 4.1 Introduction and Objectives [To review--> Mat]
>>
>> 4.1.1 Testing Checklist [To review at the end of brainstorming --> Mat]
>>
>> 4.2 Information Gathering [To review--> contributor here]
>>
>>
>> 4.3 Configuration and Deploy Management Testing
>>
>> Infrastructure Configuration management weakness
>> Application Configuration management weakness
>> File extensions handling
>> Old, backup and unreferenced files
>> Access to Admin interfaces
>> Bad HTTP Methods enabled [new]
>> Informative Error Messages
>> Database credentials/connection strings available
>> Test for security HTTP headers (e.g. CSP, X-Frame-Options, HSTS)
>> Test for policies (e.g. Flash, Silverlight, robots) [suggestion CheatSheet]
>> Check for sensitive data in client-side code (e.g. API keys, credentials)
>> Test for policies (e.g. Flash, Silverlight, robots)
>> Test for sensitive information in logs
>>
>>
>> 4.4 Authentication Testing
>>
>> Credentials transport over an unencrypted channel [Robert Winkel]
>> User enumeration (also Guessable user account) [Robert Winkel]
>> Default passwords [Robert Winkel]
>> Weak lock out mechanism [New! - Robert Winkel]
>> Account lockout DoS [New! - Robert Winkel]
>> Bypassing authentication schema
>> Directory traversal/file include
>> Vulnerable remember password [Robert Winkel]
>> Browser cache weakness [New!]
>> Weak password policy [New! - Robert Winkel]
>> Weak username policy [New! - Robert Winkel]
>> Weak security question/answer [New! - Robert Winkel]
>> Failure to restrict access to authenticated resource [New!]
>> Weak password change function [New! - Robert Winkel]
>> Testing for CAPTCHA
>> Test multi factor authentication
>> Test for consistent authentication across applications with shared
>> authentication schema / SSO [suggestion CheatSheet/SAML Ismael Gonçalves]
>> Test for autocomplete on password forms/input
>> Test for logout functionality presence
>> Test for cache management on HTTP (eg Pragma, Expires, Max-age)
>> Test for user-accessible authentication history
>> Test for out-of channel notification of account lockouts and successful
>> password changes
>>
>> 4.5 Session Management Testing
>>
>> Bypassing Session Management Schema
>> Weak Session Token
>> Cookies not set ‘HttpOnly’ or ‘Secure’, and with no time validity
>> Exposed sensitive session variables
>> CSRF
>> Session passed over http [New!]
>> Session token within URL [New!]
>> Session Fixation
>> Session token not removed on server after logout [New!]
>> Persistent session token [New!]
>> Session token not restricted properly (such as domain or path not set
>> properly) [New!]
>> Logout function not properly implemented
>> Test for consistent session management across applications with shared
>> session management
>> Confirm that new session tokens are issued on login, role change and logout
>>
>> 4.6 Authorization Testing
>>
>> Bypassing authorization schema
>> Privilege Escalation
>> Insecure Direct Object References
>> Failure to Restrict access to authorized resource [New!]
>>
>> 4.7 Business Logic Testing (OWASP-BL-001) [To review--> contributor here]
>>
>> 4.8 Data Validation Testing
>>
>> Reflected XSS
>> Stored XSS
>> HTTP Verb Tampering [Brad Causey]
>> HTTP Parameter pollution [Brad Causey]
>> Unvalidated Redirects and Forwards [Brad Causey]
>> SQL Injection [Brad Causey]
>> LDAP Injection
>> ORM Injection
>> XML Injection
>> SSI Injection
>> XPath Injection
>> SOAP Injection
>> IMAP/SMTP Injection
>> Code Injection
>> OS Commanding
>> Buffer overflow
>> Incubated vulnerability
>> Test for XXE Injection
>> Test for XQuery Injection
>> HTTP Splitting/Smuggling
>> Test for HTTP Verb Tampering
>> Test for Open Redirection
>> Test for Local File Inclusion
>> Test for Remote File Inclusion
>> Compare client-side and server-side validation rules
>> Test for NoSQL injection
>> Test for HTTP parameter pollution
>> Test for auto-binding
>> Test for HTML Injection
>> Test for File upload
>> Expression Language Injection
>>
>> 4.9 Testing for Data Encryption (New!)
>>
>> Application did not use encryption
>> Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection
>> Cacheable HTTPS Response
>> Cache directives insecure
>> Insecure Cryptographic Storage [mainly CR Guide]
>> Sensitive information sent via unencrypted channels
>>
>>
>> 4.10 XML Interpreter? (New!)
>>
>> Weak XML Structure
>> XML content-level
>> WS HTTP GET parameters/REST
>> WS Naughty SOAP attachments
>> WS Replay Testing
>>
>> 4.11 Client Side Testing (New!)
>>
>> DOM XSS
>> Cross Site Flashing
>> Clickjacking
>> JSON
>> HTML 5
>>
>> 4.12 Denial of Service
>>
>> Test for account lockout
>> Test for HTTP protocol DoS
>>
>> 4.13 Evasive Techniques in General
>>
>> ...
>>
>> Regards.
>>
>> Ismael Gonçalves
>>
>> On Tue, Sep 4, 2012 at 6:39 PM, Ismael Rocha
>> <ismaelrocha.projetos at gmail.com> wrote:
>>
>>     Hello.
>>
>>     I think maybe we should make a cross-reference between the ToC and
>>     the Testing Cheat Sheet. It would help us to identify which aspects
>>     are covered and which aren't covered in the ToC.
>>     For example: SSO is covered in the cheat sheet and not covered in the
>>     ToC. Also HTTP DoS.
>>     It can also give us some ideas about the names of the sections. If
>>     nobody has done it already, I can do it.
>>
>>     Ismael Gonçalves
>>
>>     https://www.owasp.org/index.php/Web_Application_Security_Testing_Cheat_Sheet
>>
>>     https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
>>
>>
>>     On Tue, Sep 4, 2012 at 6:16 PM, Simone Onofri
>>     <simone.onofri at gmail.com> wrote:
>>
>>         On Tue, Sep 4, 2012 at 11:13 PM, Ismael Rocha
>>         <ismaelrocha.projetos at gmail.com> wrote:
>>         > Hello.
>>
>>         hi ismael,
>>
>>         > As I mentioned some days ago, I suggested improving the SSL Test,
>>         > maybe based on Qualys SSL Labs issues and others.
>>         >
>>         > "SSL Test
>>         >  -> Enhance (maybe based on Qualys SSL Labs tests?)"
>>
>>
>>         +1, i also use it!
>>
>>         > Still talking about "cryptography not used when necessary", I
>>         > would say that it is important to cover aspects of technologies
>>         > which use the ViewState concept (e.g. JSF, .NET).
>>
>>         of course!
>>
>>
>>         > Ismael Gonçalves
>>         >
>>         >
>>         > On Tue, Sep 4, 2012 at 5:42 PM, Simone Onofri
>>         > <simone.onofri at gmail.com> wrote:
>>         >>
>>         >> hi all,
>>         >>
>>         >> I see the question is whether "data encryption" covers both
>>         >> transmission and storage.
>>         >>
>>         >> Historically the two issues are divided. To brainstorm some
>>         >> stuff, also using the web application security testing
>>         >> checklist [1]:
>>         >>
>>         >>  - not used when necessary (e.g. for credential
>>         >>    transportation or storage)
>>         >>  - algorithms
>>         >>    - weak/homebrew (e.g. on ssl or when developers use weak
>>         >>      algorithms to protect data)
>>         >>    - wrong context (e.g. symmetric encryption for password
>>         >>      storage)
>>         >>    - improper usage (e.g. hashing without salting, kdf with
>>         >>      fewer iterations)
>>         >>  - keys and secrets
>>         >>    - weak/short/guessable (e.g. also on ssl)
>>         >>  - entropy issues
>>         >>    - weak random generators
>>         >>    - ...
>>         >>
>>         >> ideas?
>>         >>
>>         >> s.
>>         >>
>>         >>
>>         >> [1]
>>         >>
>>         https://www.owasp.org/index.php/Web_Application_Security_Testing_Cheat_Sheet
>>         >> On Tue, Sep 4, 2012 at 9:56 PM, Juan Galiana Lara
>>         >> <jgaliana at owasp.org> wrote:
>>         >> > +1!
>>         >> >
>>         >> > I think that is really important to cover.
>>         >> >
>>         >> > I've seen a new "Testing for Data Encryption (New!)" under
>>         >> > the data validation section, but I would rather consider
>>         >> > having a main section for "Cryptography" at the same level as
>>         >> > authentication, authorization, data validation and so on.
>>         >> >
>>         >> > Cryptography is one of the most important topics in security
>>         >> > and there have been quite significant crypto vulnerabilities
>>         >> > applied to webapps, like the padding oracle attack technique
>>         >> > that was applied to decrypt HTTP cookies in several frameworks
>>         >> > like ASP.NET, ROR and JSF two years back. Or the one Eduardo
>>         >> > mentions, extension attacks due to improper use or lack of use
>>         >> > of HMAC algorithms, which is quite common.
>>         >> >
>>         >> > Actually, there are already a few sections under DV in the
>>         >> > new table of contents that would fit in that section:
>>         >> >
>>         >> > Testing for Data Encryption (New!)
>>         >> >
>>         >> > Application did not use encryption
>>         >> > Weak SSL/TLS Ciphers
>>         >> >
>>         >> > Insufficient Transport Layer Protection
>>         >> >
>>         >> > Insecure Cryptographic Storage [mainly CR Guide]
>>         >> >
>>         >> >
>>         >> > Thoughts?
>>         >> >
>>         >> >
>>         >> > --
>>         >> > Juan Galiana
>>         >> >
>>         >> >
>>         >> > On Tue, Sep 4, 2012 at 3:58 AM, Eduardo Castellanos
>>         >> > <guayin at gmail.com> wrote:
>>         >> >>
>>         >> >> Hello,
>>         >> >>
>>         >> >> What about a section for cryptographic attacks? Bad use of
>>         >> >> crypto functions in general (Hash Length Extension, etc.), or
>>         >> >> would that be outside the scope of the guide?
>>         >> >>
>>         >> >> Related links:
>>         >> >>
>>         >> >> https://blog.whitehatsec.com/hash-length-extension-attacks/
>>         >> >>
>>         https://www.owasp.org/index.php/Category:Cryptographic_Vulnerability
>>         >> >>
>>         >> >>
>>         >> >>
>>         http://blogs.msdn.com/b/ace_team/archive/2008/11/13/vulnerabilities-due-to-improper-use-of-crypto-part-1.aspx
>>         >> >>
>>         >> >>
>>         >> >> Eduardo Castellanos N.
>>         >> >>
>>         >> >>
>>         >> >>
>>         >> >> On Mon, Sep 3, 2012 at 8:01 PM, Robert Winkel
>>         >> >> <robert.winkel at saltbushgroup.com> wrote:
>>         >> >>>
>>         >> >>> I have taken the liberty of assigning myself against
>>         >> >>> several of the Authentication Testing test cases. I am happy
>>         >> >>> to hand those over if someone is interested in being assigned
>>         >> >>> to those instead.
>>         >> >>>
>>         >> >>> What happened to the Denial of Service test cases?
>>         >> >>>
>>         >> >>> Is there a template to adhere to when the writing stage
>>         begins?
>>         >> >>>
>>         >> >>> _______________________________________
>>         >> >>> Robert “Bull” Winkel
>>         >> >>> Director Saltbush Assurance
>>         >> >>> email: robert.winkel at saltbushgroup.com
>>         >> >>> http://www.linkedin.com/in/robertwinkel
>>         >> >>>
>>         >> >>>
>>         >> >>> -----Original Message-----
>>         >> >>> From: owasp-testing-bounces at lists.owasp.org
>>         >> >>> [mailto:owasp-testing-bounces at lists.owasp.org] On Behalf Of Matteo
>>         >> >>> Meucci
>>         >> >>> Sent: Friday, 31 August 2012 1:40 AM
>>         >> >>> To: owasp-testing at lists.owasp.org
>>         >> >>> Subject: [Owasp-testing] Testing Guide V4 - Start up
>>         >> >>>
>>         >> >>> Hi all Testing Guide contributors.
>>         >> >>>
>>         >> >>> Testing Guide v4 has been approved as Projects Reboot 2012!
>>         >> >>> https://www.owasp.org/index.php/Projects_Reboot_2012
>>         >> >>>
>>         >> >>> Here is the list of contributors I've collected:
>>         >> >>>
>>         >> >>> Pavol Luptak
>>         >> >>> Marco Morana
>>         >> >>> Giorgio Fedon
>>         >> >>> Stefano Di Paola
>>         >> >>> Gianrico Ingrosso
>>         >> >>> Giuseppe Bonfà
>>         >> >>> Roberto Suggi Liverani
>>         >> >>> Robert Smith
>>         >> >>> Andrew Muller
>>         >> >>> Robert Winkel
>>         >> >>> tripurari rai
>>         >> >>> Thomas Ryan
>>         >> >>> tim bertels
>>         >> >>> Cecil Su
>>         >> >>> Aung KhAnt
>>         >> >>> Norbert Szetei
>>         >> >>> michael.boman
>>         >> >>> Wagner Elias
>>         >> >>> Kevin Horvat
>>         >> >>> Juan Galiana Lara
>>         >> >>> Kenan Gursoy
>>         >> >>> Jason Flood
>>         >> >>> Javier Marcos de Prado
>>         >> >>> Sumit Siddharth
>>         >> >>> Mike Hryekewicz
>>         >> >>> psiinon
>>         >> >>> Ray Schippers
>>         >> >>> Raul Siles
>>         >> >>> Jayanta Karmakar
>>         >> >>> Brad Causey
>>         >> >>> Vicente Aguilera
>>         >> >>> Ismael Gonçalves
>>         >> >>>
>>         >> >>> Reviewers team:
>>         >> >>>
>>         >> >>> Paolo Perego
>>         >> >>> Daniel Cuthbert
>>         >> >>> Matthew Churcher
>>         >> >>> Lode Vanstechelman
>>         >> >>> Sebastien Gioria
>>         >> >>>
>>         >> >>>
>>         >> >>> Introduction and Project purpose for v4:
>>         >> >>> =======================================
>>         >> >>> The OWASP Testing Guide v3 includes a "best practice"
>>         >> >>> penetration testing framework which users can implement in
>>         >> >>> their own organizations and a "low level" penetration testing
>>         >> >>> guide that describes techniques for testing the most common
>>         >> >>> web application and web service security issues. Nowadays the
>>         >> >>> Testing Guide has become the standard for performing a Web
>>         >> >>> Application Penetration Test and many companies all around
>>         >> >>> the world have adopted it.
>>         >> >>> It is vital for the project to maintain an updated project
>>         >> >>> that represents the state of the art for WebAppSec.
>>         >> >>>
>>         >> >>> Project Roadmap
>>         >> >>> =============
>>         >> >>>
>>         >> >>> - (1) 1st phase: Brainstorming and create a new table of
>>         >> >>>   contents
>>         >> >>>
>>         >> >>> Objective: creating a new table of contents of the OTGv4,
>>         >> >>> assigning a task for each contributor.
>>         >> >>> I created a new OWASP Testing Guide v4 table of Contents here:
>>         >> >>>
>>         >> >>> https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
>>         >> >>>
>>         >> >>> - (2) 2nd phase: Writing
>>         >> >>>
>>         >> >>> - 20th September 2012: Start writing the articles
>>         >> >>> - 1st November 2012: 1st Draft
>>         >> >>> - 30th November 2012: end of writing phase
>>         >> >>>
>>         >> >>> - (3) 3rd phase: Reviewing
>>         >> >>>
>>         >> >>> - 1st December 2012: Starting the review phase,
>>         >> >>> - 15th December 2012: Create the RC1,
>>         >> >>> - 31st January 2013: Release the version 4.
>>         >> >>>
>>         >> >>> Timeline November 2012 1st Draft, January 2013 Final Release
>>         >> >>>
>>         >> >>> So, let's start discussion about phase (1)!
>>         >> >>>
>>         >> >>> Thanks!
>>         >> >>> Mat
>>         >> >>>
>>         >> >>> --
>>         >> >>> Matteo Meucci
>>         >> >>> OWASP Testing Guide Lead
>>         >> >>> OWASP-Italy President
>>         >> >>>
>>         >> >>>
>>         >> >>> _______________________________________________
>>         >> >>> Owasp-testing mailing list
>>         >> >>> Owasp-testing at lists.owasp.org
>>         >> >>> https://lists.owasp.org/mailman/listinfo/owasp-testing
>>         >> >>>
>>         >> >>
>>         >> >>
>>         >> >>
>>         >> >>
>>         >> >
>>         >> >
>>         >> >
>>         >
>>         >
>>         >
>>         >
>>         > --
>>         > Ismael Gonçalves
>>
>>
>>
>>
>>     --
>>     Ismael Gonçalves
>>
>>
>>
>>
>> --
>> Ismael Gonçalves
>>
>>
>>
>
> --
> Matteo Meucci
> OWASP Testing Guide Lead
> OWASP Italy President
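
The "extension attacks due to improper or lack of use of HMAC" that Eduardo and Juan raise above, worked through as an added example. This is not code from the thread or from the Testing Guide; it assumes a hypothetical server that tags messages with SHA1(secret || message) (vulnerable_tag) next to the correct HMAC-SHA1 construction (hmac_tag). SECRET, the messages and the verification oracle server_accepts are constructed for the demonstration. A minimal SHA-1 is included only because hashlib does not let you resume hashing from a known internal state, which is exactly what the attack needs. The secret's length is treated as unknown and recovered by querying the oracle with each candidate length, as a tester would against a real endpoint.

```python
"""Hash length extension against an unkeyed SHA1(secret || message) "MAC".

Added example; not OTG project code. SECRET, the messages and the server
and attacker functions are constructed for illustration.
"""
import hashlib
import hmac
import struct

SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def _sha1_compress(state, block):
    """One SHA-1 compression step over a 64-byte block (FIPS 180-4)."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = state
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = ((_rotl(a, 5) + f + e + k + w[i]) & 0xFFFFFFFF,
                         a, _rotl(b, 30), c, d)
    return tuple((s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d, e)))


def sha1_padding(total_len):
    """Merkle-Damgard padding SHA-1 appends to a total_len-byte message."""
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack(">Q", total_len * 8)


def sha1(data, state=SHA1_IV, prior_len=0):
    """SHA-1 of data, optionally resumed from a state that already absorbed
    prior_len bytes (prior_len must be a multiple of 64)."""
    data += sha1_padding(prior_len + len(data))
    for i in range(0, len(data), 64):
        state = _sha1_compress(state, data[i:i + 64])
    return struct.pack(">5I", *state)


def matches_stdlib(data):
    """Cross-check the pure-Python SHA-1 against hashlib on the same input."""
    return sha1(data) == hashlib.sha1(data).digest()


# --- server side (constructed) ---------------------------------------------
SECRET = b"s3cr3t-k3y"  # constructed; the attacker functions never read it


def vulnerable_tag(message):
    """Broken construction: SHA1(secret || message)."""
    return sha1(SECRET + message)


def hmac_tag(message):
    """Correct construction: HMAC-SHA1(secret, message)."""
    return hmac.new(SECRET, message, hashlib.sha1).digest()


def server_accepts(message, tag, mac=vulnerable_tag):
    """Oracle the attacker can query: does this tag verify for this message?"""
    return hmac.compare_digest(mac(message), tag)


# --- attacker side ----------------------------------------------------------
def forge(message, tag, secret_len, extension):
    """From a valid (message, tag) pair and a guess at the secret's length,
    produce message || glue || extension and its valid tag, without SECRET."""
    glue = sha1_padding(secret_len + len(message))       # padding the server applied
    resumed_len = secret_len + len(message) + len(glue)  # block-aligned by construction
    state = struct.unpack(">5I", tag)                    # the tag IS the internal state
    return message + glue + extension, sha1(extension, state, resumed_len)


def forge_with_oracle(message, tag, extension, oracle, max_secret_len=64):
    """Secret length unknown: try each candidate until the server accepts one.
    Returns (secret_len, forged_message, forged_tag) or None."""
    for n in range(1, max_secret_len + 1):
        forged_msg, forged_tag = forge(message, tag, n, extension)
        if oracle(forged_msg, forged_tag):
            return n, forged_msg, forged_tag
    return None


if __name__ == "__main__":
    msg = b"user=guest&role=user"
    tag = vulnerable_tag(msg)
    found = forge_with_oracle(msg, tag, b"&role=admin", server_accepts)
    print("secret length recovered:", found[0])
    print("forgery accepted by SHA1(secret||m):", server_accepts(found[1], found[2]))
    print("same forgery against HMAC:", server_accepts(found[1], found[2], mac=hmac_tag))
```

Running the block recovers the secret length (10 here) and shows the forged message verifying against the SHA1(secret||m) tag but not against HMAC. The attack works because the tag is the hash's complete internal state after its last block, so anyone holding it can keep hashing; HMAC's outer keyed hash over the inner result removes that property. The same forgery applies to any Merkle-Damgard hash used this way (MD5, SHA-256 included), while HMAC and SHA-3 are not affected. The glue padding bytes in the forged message are what a tester looks for in the request that gets accepted.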

