[Owasp-testing] V4 Update ideas

Alessandro Gai alessandro.gai at mediaservice.net
Fri Sep 21 10:12:08 UTC 2012

Hello everybody.
as we have promised here there are some consideration about some updates.

********** Chapter 3 (The OWASP Testing Framework)
Update and add contents whit primary focus on the SAMM framework and
test/task in the various phases of SDLC.
Add a references part.

********** Chapter 4.2 (Information Gathering)
Update and add contents in the next subchapter:

4.2.1 Spiders, Robots and Crawlers (OWASP-IG-001)
    Add material about Spiders and Crawlers (not only robots.txt)
    Add robots techniques for "not html" files (swf / silverlightl /
jsfx / java class / ...)

4.2.2 Search Engine Discovery/Reconnaissance (OWASP-IG-002)
     Add Search Engine on social (linkedin / facebook / twitter / ...)
     Obtain information from the web by helpdesk, config files, help
files, ...
     How to use googling for our test (search particular variables name,
db name, path, ...)
     Search inside the Metadata (Foca tool?)
     Search information inside default files like "thunmbs.db",
".dstrore" ...?
4.2.4 Testing Web Application Fingerprint (OWASP-IG-004) --> update +
parte identificazione framework client / applicativi + cms
    Identify default application, client framework, development
framework, ...
    Identify optional components on CMS
    Use http://www.shodanhq.com/ ?
4.2.5 Application Discovery (OWASP-IG-005)
    HTTPS hostname to find virtual host
    dns brute forcing
    default directory, banner, ...
4.2.x Add a chapter about infoleaks from vulnerability (db info from
sqlinj, server info from ldapinj, ...) ?
4.2.x Add a chapter about how to obtain info from the application code
(variables names, directory structure, parameters, application step, ...) ?
********** Chapter 4.7 (Business Logic Testing)

This chapter has to be enlarged, we need more example to help the tester
to identify logic testing problems. Some new examples can be related to:
- cheats examples
- service abuse: sms flood / recharge, mail bombing etc
- use 3rd part attack vector to interact with the web app, for example:
XSS/SQL Injection via SMS, call center, twitter, etc
- understand that application can work with other components in the
infrastructure, maybe a XSS can't be used directly on the tested
application but can be used to others customer application that
visualize the data

********** Other chapters that are missing:

- Identification and bypass of WAF: an introduction about WAF, how to
identify the presence of them and a short description of fundamental
bypass technique.
- "Akamai" service and identification of real web server (www-org
- JSON Testing: short description of JSON and testing.
- AMF Testing: short description of AMF and testing.
- ViewState Testing: description of Viewstate, how it work and what a
tester need to check for the correct implementation.
- Maybe a section about the MS padding oracle problem?

An idea is also to introduce the idea of the "vertical privilege
escalation" and "horizontal privilege escalation"
(http://en.wikipedia.org/wiki/Privilege_escalation) in all the testing
guide. Maybe the idea can be explained with some graph too.

We'll wait for ur feedback.


More information about the Owasp-testing mailing list