[Owasp-testing] Testing Guide V4 - Start up

Ismael Rocha ismaelrocha.projetos at gmail.com
Wed Sep 12 10:30:06 UTC 2012


Hello Jim.

I'm thinking about a good way to add it, because the risk I've put in the
table is also calculated based on business impact, so an XSS flaw, once
exploited, for example has a different impact according to the business.

Regards.

Ismael Gonçalves

On Sun, Sep 9, 2012 at 5:02 PM, Jim Manico <jim.manico at owasp.org> wrote:

> Can you add the risk column to the cheat sheet?? :)
>
> --
> Jim Manico
> VP, Security Architecture
> WhiteHat Security
> (808) 652-3805
>
> On Sep 9, 2012, at 7:52 AM, Ismael Rocha <ismaelrocha.projetos at gmail.com> wrote:
>
> Hello David.
>
> I worked in the Top Ten Cheatsheet to make the link between Top Ten and
> Testing Guide.
> https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet
>
> Here is a table I've been providing in reports about analysis based on Top
> Ten. The calculations of the risk are also based on OWASP Testing Guide -
> Risk Methodology and the business impact factors are adapted according to
> the customer.
>
>
>   Item OWASP Top Ten                           | Id | Vulnerability                              | OWASP Testing Guide Item | Risk
>   ---------------------------------------------+----+--------------------------------------------+--------------------------+---------
>   A1 – Injection                               | 01 | SQL Injection                              | OWASP-DV-005             | Critical
>   A2 – Cross-Site-Scripting                    | 02 | Cross-site-scripting                       | OWASP-DV-001             | Medium
>   A6 – Security misconfiguration               | 03 | Old version PHP                            | OWASP-CM-003             | High
>                                                | 04 | Server vulnerable to Slow HTTP             | OWASP-CM-003             | High
>                                                | 05 | Administrative interfaces found            | OWASP-CM-007             | High
>   A7 – Insecure cryptographic storage          | 06 | Password stored with hash and without salt | -                        | Medium
>   A9 – Insufficient Transport Layer Protection | 07 | Insecure channel for authentication        | OWASP-AT-001             | High
>
>
> Regards.
>
> Ismael Gonçalves
>
> On Sat, Sep 8, 2012 at 7:32 PM, David Fern <dfern at verizon.net> wrote:
> > I agree here are some process items I have from v3:
> >
> > Section 1 – Testing Techniques Explained – Page 19
> >     Although Black, Grey, white Box testing is addressed in the document
> >     and are common terms should they be defined?
> >
> >     Should the concept of Automated Static and dynamic testing be addressed?
> >
> > Section 1 – Testing Techniques Explained - Page 20 Threat Modeling
> >     Should this link to the OWASP Threat Risk Modeling page?
> >     https://www.owasp.org/index.php/Threat_Risk_Modeling
> >
> > Section 1 – Testing Techniques Explained – Page 26 – Security Requirements Validation
> >     Could it be mentioned that the list of controls in Section 4 Could be used
> >     as “Global” requirements in addition to the “specific” requirements
> >     specified in the application requirements. All may not be applicable for
> >     all applications.
> >
> > Section 1 – Testing Techniques Explained – Page 36
> >     Would this be a good place to discuss the OWASP Risk Rating
> >     https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology
> >     Which is included in page 325 in detail
> >
> > Section 3 – The OWASP Testing Framework – Page 40
> >     Should Open SAMM be mentioned here
> >     https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model
> >
> > Section 3 – The OWASP Testing Framework – Phase 2: During Definition and Design - Page 41
> >     Should ESAPI be mentioned here as a best practice?
> >     https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
> >
> >     Should the references to coding standards be given, for example: CERT -
> >     https://www.securecoding.cert.org/confluence/display/seccode/CERT+Secure+Coding+Standards;jsessionid=A9B9B2080B83DEEB21CE15B1415CEDD9
> >     https://www.securecoding.cert.org/confluence/display/seccode/CERT+C+Secure+Coding+Standard
> >     https://www.securecoding.cert.org/confluence/display/seccode/Top+10+Secure+Coding+Practices
> >
> > Section 3 – The OWASP Testing Framework – The Phases especially 4 and 5 page 43
> >     I would like to see some more details, guidance and checklists or what
> >     exactly to do and check
> >
> > Section 3 – The OWASP Testing Framework – OWASP Testing Framework Work Flow – Page 45
> >     All work tasks do not seem to be included in this section, for example the
> >     section details do not include “Unit and System Tests” and “Acceptance
> >     Tests” in the Deployment part of this section on page 43 or 44.
> >
> > Section 4 - Web Application Penetration Testing – Chart - page 47
> >     Would it be possible to add another column linking to the specific OWASP
> >     top 10. My reasoning is that someone may say they will test to the OWASP
> >     top 10. So they need a good list.
> >
> > Section 4 - Web Application Penetration Testing
> >     It seems like the test types have Grey box, White box and Black Box but
> >     it is not consistent. I think all should probably include all 3 types and
> >     if it is not applicable state it.
> >
> > Appendix A: Testing Tools
> >     Should WebInspect be added to the Commercial Black Box Testing Tools?
> >
> >     Should there be an acceptance Testing Tools – Commercial section for tools
> >     such as:
> >         HP Quick Test Professional
> >         IBM Rational Robot
> >         Etc.
> >
> >     Should the BuildSecurityin web site be added to the “Useful Websites” section?
> >     https://buildsecurityin.us-cert.gov/bsi/home.html
> >
> >     Should Web Service testing tool soapUI be added?
> >     http://www.soapui.org/Security/getting-started.html
> >
> > Thanks,
> > David :)
> >
> > From: Ismael Rocha <ismaelrocha.projetos at gmail.com>
> > To: Matteo Meucci <matteo.meucci at owasp.org>
> > Cc: owasp-testing at lists.owasp.org
> > Sent: Friday, September 7, 2012 6:26 PM
> >
> > Subject: Re: [Owasp-testing] Testing Guide V4 - Start up
> >
> > Hello.
> > I know we've been focused on testing list but I have some comments for other
> > sections.
> > a) About the Web Application Penetration Testing
> > Talking about the Web Application Penetration Testing (chapter 4), I suggest
> > we improve the section with some explanations.
> > 4. Web Application Penetration testing
> > 4.1 Introduction and Objectives
> >  -> Introduce about typical penetration test phases
> >   Here we would have an overview of a typical pen-test, divided into 4 phases.
> >   1) Plan
> >    This part basically talks about how to plan a penetration test
> >    -> Types of the Test (maybe the explanation about types of test could be
> >       fit in a section in the beginning of the testing guide)
> >     -> Black Box
> >     -> White Box
> >     -> Gray Box
> >    -> Viewpoint
> >     -> External
> >     -> Internal
> >    -> Scope
> >     -> http://www.targetedapp.com
> >    -> Restrictions
> >     -> List of all restrictions (e.g. do not perform DoS, social engineering)
> >   2) Discovery
> >    -> Information Gathering
> >    -> Vulnerability Analysis
> >   3) Attack
> >    -> Attack itself
> >   4) Report
> >    -> Last Phase of a penetration test (chapter 5 writing report)
> >
> >
> > b) About the paragraph of the testing cases:
> > One of the goals of this version is to make the Testing Guide more readable.
> > I think we need to define common subsections present in all testing cases.
> > Then, all testing cases would have the same sections and formats. I already
> > suggested having the checklist (questions) in a pre-defined subsection inside
> > each testing case. If we have a checklist in a table format, we could get them
> > and put them into a big table that could be printed and checked.
> > For example:
> > 4.5.4 Testing for Exposed Session Variables (OWASP-SM-004)
> >  4.5.4.2   Brief Summary
> >  4.5.4.3   Description of the issue
> >  4.5.4.4   Related security activities
> >  4.5.4.5   Threats
> >  4.5.4.6   Countermeasures
> >  4.5.4.7   Testing
> >     -> Black Box
> >             -> Technique 1
> >             -> Results expected
> >     -> Gray Box
> >              ....
> >     -> White Box
> >              ....
> >  4.5.4.8   Checklist
> >
> >    ---------------------------------------------------------------------------------
> >    | OWASP-SM-004                               | Black Box | White Box | Gray Box |
> >    ---------------------------------------------------------------------------------
> >    | 1. Cache-control defined to no-cache       |           |           |          |
> >    ---------------------------------------------------------------------------------
> >    | 2. Different session token after login     |           |           |          |
> >    ---------------------------------------------------------------------------------
> >  4.5.4.9    References
> >  4.5.4.10  Tools
> > We can also have a box called tips in each section with some tips
> > highlighted.
> > Regards.
> >
> > Ismael Gonçalves
> >
> > On Thu, Sep 6, 2012 at 4:22 AM, Matteo Meucci <matteo.meucci at owasp.org>
> > wrote:
> >
> > Great Luca!
> >
> > Thanks,
> > Mat
> >
> > On 09/04/2012 07:29 PM, Luca Carettoni wrote:
> >> On Thu, 2012-08-30 at 22:44 +0200, Matteo Meucci wrote:
> >>> My idea is also to contact the authors of the new testing techniques
> >>> asking for their contributes.
> >>>
> >>> So for example I wish that for HTTP Verb Tampering, Arshan could help
> >>> and for HTTP Parameter pollution, Stefano and Luca can give us the
> >>> better contents.
> >>
> >> Sure! Feel free to add my name on the list.
> >> Actually, me and Stefano have already something drafted on HPP that has
> >> been written during our research.
> >>
> >> Cheers,
> >> Luca
> >>
> >
> > _______________________________________________
> > Owasp-testing mailing list
> > Owasp-testing at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-testing
> >
> >
> >
> >
> > --
> > Ismael Gonçalves
> >
>
>
>
> --
> Ismael Gonçalves
>


-- 
Ismael Gonçalves
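The risk column in the table above is, as the thread says, computed with the OWASP Risk Rating Methodology using business impact factors adapted per customer. As an added example that is not part of this thread or of the Testing Guide, here is that calculation in Python applied to one XSS finding under three impact profiles; the factor names, 0-9 scoring, averaging and severity matrix follow the published methodology (linked in David's message), while every score and both customer profiles are constructed.

```python
"""OWASP Risk Rating worked example (added here; not from the thread or the Guide).
Factor names, 0-9 scoring, averaging and the severity bands follow the OWASP Risk
Rating Methodology linked in the thread; every score below is constructed."""
from statistics import mean

LIKELIHOOD_FACTORS = ("skill_level", "motive", "opportunity", "size",          # threat agent
                      "ease_of_discovery", "ease_of_exploit", "awareness",     # vulnerability
                      "intrusion_detection")
TECHNICAL_FACTORS = ("loss_of_confidentiality", "loss_of_integrity",
                     "loss_of_availability", "loss_of_accountability")
BUSINESS_FACTORS = ("financial_damage", "reputation_damage", "non_compliance",
                    "privacy_violation")
# (likelihood band, impact band) -> overall severity, per the methodology's matrix
SEVERITY = {("LOW", "LOW"): "Note",    ("MEDIUM", "LOW"): "Low",       ("HIGH", "LOW"): "Medium",
            ("LOW", "MEDIUM"): "Low",  ("MEDIUM", "MEDIUM"): "Medium", ("HIGH", "MEDIUM"): "High",
            ("LOW", "HIGH"): "Medium", ("MEDIUM", "HIGH"): "High",     ("HIGH", "HIGH"): "Critical"}

def average(scores, names):
    """Average the named 0-9 factors; a missing or out-of-range score is an error."""
    values = [scores[n] for n in names]             # KeyError if a factor is missing
    if any(not 0 <= v <= 9 for v in values):
        raise ValueError("factor scores must lie in 0..9")
    return mean(values)

def band(score):
    """Methodology bands: 0 to <3 LOW, 3 to <6 MEDIUM, 6 to 9 HIGH."""
    return "LOW" if score < 3 else "MEDIUM" if score < 6 else "HIGH"

def rate(likelihood, technical, business=None):
    """Return (likelihood avg, impact avg, severity). When the customer can supply
    business impact factors they replace the technical ones, which is how the same
    flaw ends up with a customer-specific risk."""
    l = average(likelihood, LIKELIHOOD_FACTORS)
    i = average(business, BUSINESS_FACTORS) if business else average(technical, TECHNICAL_FACTORS)
    return l, i, SEVERITY[(band(l), band(i))]

# Constructed scores for one reflected XSS finding
XSS_LIKELIHOOD = dict(skill_level=6, motive=4, opportunity=7, size=6, ease_of_discovery=7,
                      ease_of_exploit=5, awareness=6, intrusion_detection=3)   # avg 5.5
XSS_TECHNICAL = dict(loss_of_confidentiality=6, loss_of_integrity=5,
                     loss_of_availability=1, loss_of_accountability=7)         # avg 4.75
# Two constructed customers: a static brochure site vs. an online-banking portal
BROCHURE_SITE = dict(financial_damage=1, reputation_damage=3, non_compliance=2, privacy_violation=1)
BANKING_PORTAL = dict(financial_damage=7, reputation_damage=9, non_compliance=7, privacy_violation=7)

def xss_ratings():
    """Severity of the same XSS under technical impact only and under each customer."""
    return {"technical": rate(XSS_LIKELIHOOD, XSS_TECHNICAL)[2],
            "brochure": rate(XSS_LIKELIHOOD, XSS_TECHNICAL, BROCHURE_SITE)[2],
            "banking": rate(XSS_LIKELIHOOD, XSS_TECHNICAL, BANKING_PORTAL)[2]}

if __name__ == "__main__":
    print(xss_ratings())   # {'technical': 'Medium', 'brochure': 'Low', 'banking': 'High'}
```

The "Medium" for XSS in the table corresponds to the technical-impact case; the same finding drops to Low or rises to High once the customer's business impact factors are substituted.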