[Owasp-testing] Testing Guide V4 - Start up

Eduardo Castellanos guayin at gmail.com
Wed Sep 5 14:37:59 UTC 2012


Hello,

I like what Ismael did; it certainly takes into account most of the
comments so far.

My comments:
- I believe that "Incubated vulnerability" is redundant since it is
basically about exploiting XSS, SQLi, or unrestricted file uploads.
- I propose that 4.9 "Testing for Data Encryption" should be renamed to
something like "Testing for insecure cryptography use/implementation", so it
may encompass other vulnerabilities like Hash extension, Viewstate
encryption/signing, Padding Oracle, etc.

Regards,

Eduardo Castellanos N.


On Tue, Sep 4, 2012 at 7:33 PM, Ismael Rocha <ismaelrocha.projetos at gmail.com> wrote:

> Hello All!
>
> I've compiled the Web App Penetration Test part from the ToC with all
> (sorry if I missed some!) suggestions presented in the list.
>
> The results follow.
>
> We also have to decide whether mobile will be part of the scope or not.
>
>
>
> -----------------------------------------
>
> Testing Guide V4 ToC
>
> ...
>
> 4 Web Application Penetration Test
>
> 4.1 Introduction and Objectives [To review--> Mat]
>
> 4.1.1 Testing Checklist [To review at the end of brainstorming --> Mat]
>
> 4.2 Information Gathering [To review--> contributor here]
>
>
> 4.3 Configuration and Deploy Management Testing
>
> Infrastructure Configuration management weakness
> Application Configuration management weakness
> File extensions handling
> Old, backup and unreferenced files
> Access to Admin interfaces
> Bad HTTP Methods enabled [new]
> Informative Error Messages
> Database credentials/connection strings available
> Test for security HTTP headers (e.g. CSP, X-Frame-Options, HSTS)
> Test for policies (e.g. Flash, Silverlight, robots) [suggestion CheatSheet]
> Check for sensitive data in client-side code (e.g. API keys, credentials)
> Test for policies (e.g. Flash, Silverlight, robots)
> Test for sensitive information in logs
>
>
> 4.4 Authentication Testing
>
> Credentials transport over an unencrypted channel [Robert Winkel]
> User enumeration (also Guessable user account) [Robert Winkel]
> Default passwords [Robert Winkel]
> Weak lock out mechanism [New! - Robert Winkel]
> Account lockout DoS [New! - Robert Winkel]
> Bypassing authentication schema
> Directory traversal/file include
> Vulnerable remember password [Robert Winkel]
> Browser cache weakness [New!]
> Weak password policy [New! - Robert Winkel]
> Weak username policy [New! - Robert Winkel]
> Weak security question/answer [New! - Robert Winkel]
> Failure to restrict access to authenticated resource [New!]
> Weak password change function [New! - Robert Winkel]
> Testing for CAPTCHA
> Test multi factor authentication
> Test for consistent authentication across applications with shared authentication schema / SSO [suggestion CheatSheet/SAML Ismael Gonçalves]
> Test for autocomplete on password forms/input
> Test for logout functionality presence
> Test for cache management on HTTP (e.g. Pragma, Expires, Max-age)
> Test for user-accessible authentication history
> Test for out-of channel notification of account lockouts and successful
> password changes
>
> 4.5 Session Management Testing
>
> Bypassing Session Management Schema
> Weak Session Token
> Cookies set without ‘HttpOnly’, ‘Secure’, and with no time validity
> Exposed sensitive session variables
> CSRF
> Session passed over http [New!]
> Session token within URL [New!]
> Session Fixation
> Session token not removed on server after logout [New!]
> Persistent session token [New!]
> Session token not restricted properly (such as domain or path not set properly) [New!]
>
> Logout function not properly implemented
> Test for consistent session management across applications with shared
> session management
> Confirm that new session tokens are issued on login, role change and
> logout
>
> 4.6 Authorization Testing
>
> Bypassing authorization schema
> Privilege Escalation
> Insecure Direct Object References
> Failure to Restrict access to authorized resource [New!]
>
> 4.7 Business Logic Testing (OWASP-BL-001) [To review--> contributor here]
> Business Logic
>
> 4.8 Data Validation Testing
>
> Reflected XSS
> Stored XSS
> HTTP Verb Tampering [Brad Causey]
> HTTP Parameter pollution [Brad Causey]
> Unvalidated Redirects and Forwards [Brad Causey]
> SQL Injection [Brad Causey]
> LDAP Injection
> ORM Injection
> XML Injection
> SSI Injection
> XPath Injection
> SOAP Injection
> IMAP/SMTP Injection
> Code Injection
> OS Commanding
> Buffer overflow
> Incubated vulnerability
> Test for XXE Injection
> Test for XQuery Injection
> HTTP Splitting/Smuggling
> Test for HTTP Verb Tampering
> Test for Open Redirection
> Test for Local File Inclusion
> Test for Remote File Inclusion
> Compare client-side and server-side validation rules
> Test for NoSQL injection
> Test for HTTP parameter pollution
> Test for auto-binding
> Test for HTML Injection
> Test for File upload
> Expression Language Injection
>
> 4.9 Testing for Data Encryption (New!)
>
>
> Application did not use encryption
> Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection
> Cacheable HTTPS Response
> Cache directives insecure
>
> Insecure Cryptographic Storage [mainly CR Guide]
> Sensitive information sent via unencrypted channels
>
>
> 4.10 XML Interpreter? (New!)
>
> Weak XML Structure
> XML content-level
> WS HTTP GET parameters/REST
> WS Naughty SOAP attachments
> WS Replay Testing
>
> 4.11 Client Side Testing (New!)
>
> DOM XSS
> Cross Site Flashing
> ClickHijacking
> JSON
> HTML 5
>
> 4.12 Denial of Service
>
> Test for account lockout
> Test for HTTP protocol DoS
>
> 4.13 Evasive Techniques in General
>
> ...
>
> Regards.
>
> Ismael Gonçalves
>
>
> On Tue, Sep 4, 2012 at 6:39 PM, Ismael Rocha <ismaelrocha.projetos at gmail.com> wrote:
>
>> Hello.
>>
>> I think maybe we should make a cross-reference between the ToC and the
>> Testing Cheat Sheet. It would help us to identify which aspects are covered
>> and which aren't covered in the ToC.
>> For example: SSO is covered in the cheatsheet and not covered in the ToC.
>> Also HTTP DoS.
>> It also can give us some ideas about the names of the sections. If
>> anybody did it already I can do it.
>>
>> Ismael Gonçalves
>>
>>
>> https://www.owasp.org/index.php/Web_Application_Security_Testing_Cheat_Sheet
>>
>> https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
>>
>>
>> On Tue, Sep 4, 2012 at 6:16 PM, Simone Onofri <simone.onofri at gmail.com>wrote:
>>
>>> On Tue, Sep 4, 2012 at 11:13 PM, Ismael Rocha
>>> <ismaelrocha.projetos at gmail.com> wrote:
>>> > Hello.
>>>
>>> hi ismael,
>>>
>>> > As I mentioned some days ago, I suggested improving the SSL Test, maybe based
>>> > on Qualys SSLabs issues and others.
>>> >
>>> > "SSL Test
>>> >  -> Enhance (maybe based on Qualys SSLlabs tests?)"
>>>
>>>
>>> +1, i also use it!
>>>
>>> > Still talking about "cryptography not used when necessary", I would say
>>> > that it is important to cover aspects of technologies which use the ViewState
>>> > concept (e.g. JSF, .NET).
>>>
>>> of course!
>>>
>>>
>>> > Ismael Gonçalves
>>> >
>>> >
>>> > On Tue, Sep 4, 2012 at 5:42 PM, Simone Onofri <simone.onofri at gmail.com> wrote:
>>> >>
>>> >> hi all,
>>> >>
>>> >> i see the question is whether "data encryption" covers both transmission
>>> >> and storage.
>>> >>
>>> >> historically the two issues are divided. to brainstorm some stuff, also
>>> >> using the web application security testing checklist [1]:
>>> >>
>>> >>  - not used when necessary (e.g. for credential transportation or storage)
>>> >>  - algorithms
>>> >>    - weak/homebrew (e.g. on ssl or when developers use weak
>>> >>      algorithms to protect data)
>>> >>    - wrong context (e.g. symmetric encryption for password storage)
>>> >>    - improper usage (e.g. hashing without salting, kdf with fewer
>>> >>      iterations)
>>> >>  - keys and secrets
>>> >>    - weak/short/guessable (e.g. also on ssl)
>>> >>  - entropy issues
>>> >>    - weak random generators
>>> >>    - ...
>>> >>
>>> >> ideas?
>>> >>
>>> >> s.
>>> >>
>>> >>
>>> >> [1] https://www.owasp.org/index.php/Web_Application_Security_Testing_Cheat_Sheet
>>> >>
>>> >> On Tue, Sep 4, 2012 at 9:56 PM, Juan Galiana Lara <jgaliana at owasp.org> wrote:
>>> >> > +1!
>>> >> >
>>> >> > I think that is really important to cover.
>>> >> >
>>> >> > I've seen a new "Testing for Data Encryption (New!)" under the data
>>> >> > validation section, but I would rather consider having a main section
>>> >> > for "Cryptography" at the same level as authentication, authorization,
>>> >> > data validation and so on.
>>> >> >
>>> >> > Cryptography is one of the most important topics in security and there
>>> >> > have been quite significant crypto vulnerabilities applied to webapps like
>>> >> > the padding oracle attack technique that was applied to decrypt HTTP
>>> >> > cookies in several frameworks like ASP.NET, ROR and JSF two years back. Or
>>> >> > the one Eduardo mentioned, extension attacks due to improper or lack of
>>> >> > use of HMAC algorithms, which is quite common.
>>> >> >
>>> >> > Actually, there are already a few sections under DV in the new table of
>>> >> > contents that would fit in that section:
>>> >> >
>>> >> > Testing for Data Encryption (New!)
>>> >> >
>>> >> > Application did not use encryption
>>> >> > Weak SSL/TLS Ciphers
>>> >> >
>>> >> > Insufficient Transport Layer Protection
>>> >> >
>>> >> > Insecure Cryptographic Storage [mainly CR Guide]
>>> >> >
>>> >> >
>>> >> > Thoughts?
>>> >> >
>>> >> >
>>> >> > --
>>> >> > Juan Galiana
>>> >> >
>>> >> >
>>> >> > On Tue, Sep 4, 2012 at 3:58 AM, Eduardo Castellanos <guayin at gmail.com> wrote:
>>> >> >>
>>> >> >> Hello,
>>> >> >>
>>> >> >> What about a section for cryptographic attacks? Bad use of crypto
>>> >> >> functions in general (Hash Length Extension, etc.), or would that be
>>> >> >> outside the scope of the guide?
>>> >> >>
>>> >> >> Related links:
>>> >> >>
>>> >> >> https://blog.whitehatsec.com/hash-length-extension-attacks/
>>> >> >> https://www.owasp.org/index.php/Category:Cryptographic_Vulnerability
>>> >> >> http://blogs.msdn.com/b/ace_team/archive/2008/11/13/vulnerabilities-due-to-improper-use-of-crypto-part-1.aspx
>>> >> >>
>>> >> >>
>>> >> >> Eduardo Castellanos N.
>>> >> >>
>>> >> >>
>>> >> >>
>>> >> >> On Mon, Sep 3, 2012 at 8:01 PM, Robert Winkel <robert.winkel at saltbushgroup.com> wrote:
>>> >> >>>
>>> >> >>> I have taken the liberty of assigning myself against several of the
>>> >> >>> Authentication Testing test cases. I am happy to hand those over if
>>> >> >>> someone is interested in being assigned to those instead.
>>> >> >>>
>>> >> >>> What happened to the Denial of Service test cases?
>>> >> >>>
>>> >> >>> Is there a template to adhere to when the writing stage begins?
>>> >> >>>
>>> >> >>> _______________________________________
>>> >> >>> Robert “Bull” Winkel
>>> >> >>> Director Saltbush Assurance
>>> >> >>> email: robert.winkel at saltbushgroup.com
>>> >> >>> http://www.linkedin.com/in/robertwinkel
>>> >> >>>
>>> >> >>>
>>> >> >>> -----Original Message-----
>>> >> >>> From: owasp-testing-bounces at lists.owasp.org
>>> >> >>> [mailto:owasp-testing-bounces at lists.owasp.org] On Behalf Of Matteo Meucci
>>> >> >>> Sent: Friday, 31 August 2012 1:40 AM
>>> >> >>> To: owasp-testing at lists.owasp.org
>>> >> >>> Subject: [Owasp-testing] Testing Guide V4 - Start up
>>> >> >>>
>>> >> >>> Hi all Testing Guide contributors.
>>> >> >>>
>>> >> >>> Testing Guide v4 has been approved as Projects Reboot 2012!
>>> >> >>> https://www.owasp.org/index.php/Projects_Reboot_2012
>>> >> >>>
>>> >> >>> Here is the list of contributors I've collected:
>>> >> >>>
>>> >> >>> Pavol Luptak
>>> >> >>> Marco Morana
>>> >> >>> Giorgio Fedon
>>> >> >>> Stefano Di Paola
>>> >> >>> Gianrico Ingrosso
>>> >> >>> Giuseppe Bonfà
>>> >> >>> Roberto Suggi Liverani
>>> >> >>> Robert Smith
>>> >> >>> Andrew Muller
>>> >> >>> Robert Winkel
>>> >> >>> tripurari rai
>>> >> >>> Thomas Ryan
>>> >> >>> tim bertels
>>> >> >>> Cecil Su
>>> >> >>> Aung KhAnt
>>> >> >>> Norbert Szetei
>>> >> >>> michael.boman
>>> >> >>> Wagner Elias
>>> >> >>> Kevin Horvat
>>> >> >>> Juan Galiana Lara
>>> >> >>> Kenan Gursoy
>>> >> >>> Jason Flood
>>> >> >>> Javier Marcos de Prado
>>> >> >>> Sumit Siddharth
>>> >> >>> Mike Hryekewicz
>>> >> >>> psiinon
>>> >> >>> Ray Schippers
>>> >> >>> Raul Siles
>>> >> >>> Jayanta Karmakar
>>> >> >>> Brad Causey
>>> >> >>> Vicente Aguilera
>>> >> >>> Ismael Gonçalves
>>> >> >>>
>>> >> >>> Reviewers team:
>>> >> >>>
>>> >> >>> Paolo Perego
>>> >> >>> Daniel Cuthbert
>>> >> >>> Matthew Churcher
>>> >> >>> Lode Vanstechelman
>>> >> >>> Sebastien Gioria
>>> >> >>>
>>> >> >>>
>>> >> >>> Introduction and Project purpose for v4:
>>> >> >>> ==========================================
>>> >> >>> The OWASP Testing Guide v3 includes a "best practice" penetration testing
>>> >> >>> framework which users can implement in their own organizations and a
>>> >> >>> "low level" penetration testing guide that describes techniques for
>>> >> >>> testing the most common web application and web service security issues.
>>> >> >>> Nowadays the Testing Guide has become the standard for performing a Web
>>> >> >>> Application Penetration Test and many companies all around the world
>>> >> >>> have adopted it.
>>> >> >>> It is vital for the project to maintain an updated project that
>>> >> >>> represents the state of the art for WebAppSec.
>>> >> >>>
>>> >> >>> Project Roadmap
>>> >> >>> =============
>>> >> >>>
>>> >> >>> - (1) 1st phase: Brainstorming and create a new table of contents
>>> >> >>>
>>> >> >>> Objective: creating a new table of contents of the OTGv4, assigning a
>>> >> >>> task for each contributor.
>>> >> >>> I created a new OWASP Testing Guide v4 table of Contents here:
>>> >> >>> https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
>>> >> >>>
>>> >> >>> - (2) 2nd phase: Writing
>>> >> >>>
>>> >> >>> - 20th September 2012: Start writing the articles
>>> >> >>> - 1st November 2012: 1st Draft
>>> >> >>> - 30th November: end of writing phase
>>> >> >>>
>>> >> >>> - (3) 3rd phase: Reviewing
>>> >> >>>
>>> >> >>> - 1st December 2012: Starting the review phase,
>>> >> >>> - 15th December 2012: Create the RC1,
>>> >> >>> - 31st January 2013: Release the version 4.
>>> >> >>>
>>> >> >>> Timeline November 2012 1st Draft, January 2013 Final Release
>>> >> >>>
>>> >> >>> So, let's start discussion about phase (1)!
>>> >> >>>
>>> >> >>> Thanks!
>>> >> >>> Mat
>>> >> >>>
>>> >> >>> --
>>> >> >>> Matteo Meucci
>>> >> >>> OWASP Testing Guide Lead
>>> >> >>> OWASP-Italy President
>>> >> >>>
>>> >> >>>
>>> >> >>> _______________________________________________
>>> >> >>> Owasp-testing mailing list
>>> >> >>> Owasp-testing at lists.owasp.org
>>> >> >>> https://lists.owasp.org/mailman/listinfo/owasp-testing
>>> >> >>>
>>> >> >>
>>> >> >>
>>> >> >>
>>> >> >>
>>> >> >
>>> >> >
>>> >> >
>>> >
>>> >
>>> >
>>> >
>>> > --
>>> > Ismael Gonçalves
>>>
>>
>>
>>
>> --
>> Ismael Gonçalves
>>
>
>
>
> --
> Ismael Gonçalves
>
>
>