[Owasp-testing] Testing Guide V4 - Start up

Eoin Keary eoin.keary at owasp.org
Wed Sep 12 10:58:22 UTC 2012


Have we considered internal (authenticated) vs external (public) XSS?
They are quite different risks, also depending on the role in which the
vulnerable function is visible. Say an Admin function that has XSS is worse
than a lesser role.



On Wed, Sep 12, 2012 at 11:30 AM, Ismael Rocha <ismaelrocha.projetos at gmail.com> wrote:

> Hello Jim.
>
> I'm thinking about a good way to add it because the risk I've put in the
> table is also calculated based on business impact, so an XSS flaw, once
> exploited, for example has a different impact according to the business.
>
> Regards.
>
> Ismael Gonçalves
>
>
> On Sun, Sep 9, 2012 at 5:02 PM, Jim Manico <jim.manico at owasp.org> wrote:
>
>> Can you add the risk column to the cheat sheet?? :)
>>
>> --
>> Jim Manico
>> VP, Security Architecture
>> WhiteHat Security
>> (808) 652-3805
>>
>> On Sep 9, 2012, at 7:52 AM, Ismael Rocha <ismaelrocha.projetos at gmail.com> wrote:
>>
>> Hello David.
>>
>> I worked on the Top Ten Cheat Sheet to make the link between the Top Ten and
>> the Testing Guide.
>> https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet
>>
>> Here is a table I've been providing in reports about analysis based on the
>> Top Ten. The calculations of the risk are also based on the OWASP Testing
>> Guide - Risk Methodology, and the business impact factors are adapted
>> according to the customer.
>>
>>
>>   Item OWASP Top Ten                            | Id | Vulnerability                                | OWASP Testing Guide Item | Risk
>>   ----------------------------------------------+----+----------------------------------------------+--------------------------+---------
>>   A1 – Injection                                | 01 | SQL Injection                                | OWASP-DV-005             | Critical
>>   A2 – Cross-Site Scripting                     | 02 | Cross-site scripting                         | OWASP-DV-001             | Medium
>>   A6 – Security misconfiguration                | 03 | Old PHP version                              | OWASP-CM-003             | High
>>                                                 | 04 | Server vulnerable to Slow HTTP               | OWASP-CM-003             | High
>>                                                 | 05 | Administrative interfaces found              | OWASP-CM-007             | High
>>   A7 – Insecure cryptographic storage           | 06 | Password stored with hash and without salt   | -                        | Medium
>>   A9 – Insufficient Transport Layer Protection  | 07 | Insecure channel for authentication          | OWASP-AT-001             | High
>>
>> Regards.
>>
>> Ismael Gonçalves
>>
>> On Sat, Sep 8, 2012 at 7:32 PM, David Fern <dfern at verizon.net> wrote:
>> > I agree. Here are some process items I have from v3:
>> >
>> > Section 1 – Testing Techniques Explained – Page 19
>> >             Although Black, Grey, White Box testing is addressed in the
>> > document and are common terms, should they be defined?
>> >
>> >             Should the concept of Automated Static and Dynamic testing be
>> > addressed?
>> >
>> > Section 1 – Testing Techniques Explained - Page 20 Threat Modeling
>> >
>> > Should this link to the OWASP Threat Risk Modeling page?
>> > https://www.owasp.org/index.php/Threat_Risk_Modeling
>> >
>> > Section 1 – Testing Techniques Explained – Page 26 – Security Requirements
>> > Validation
>> > Could it be mentioned that the list of controls in Section 4 could be used
>> > as “Global” requirements in addition to the “specific” requirements
>> > specified in the application requirements? All may not be applicable for all
>> > applications.
>> >
>> > Section 1 – Testing Techniques Explained – Page 36
>> >
>> >             Would this be a good place to discuss the OWASP Risk Rating?
>> > https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology
>> >             Which is included on page 325 in detail.
>> >
>> > Section 3 – The OWASP Testing Framework – Page 40
>> >
>> >             Should Open SAMM be mentioned here?
>> > https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model
>> >
>> > Section 3 – The OWASP Testing Framework – Phase 2: During Definition and
>> > Design - Page 41
>> >
>> >             Should ESAPI be mentioned here as a best practice?
>> > https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
>> >
>> >             Should the references to coding standards be given, for example:
>> > CERT -
>> > https://www.securecoding.cert.org/confluence/display/seccode/CERT+Secure+Coding+Standards;jsessionid=A9B9B2080B83DEEB21CE15B1415CEDD9
>> > https://www.securecoding.cert.org/confluence/display/seccode/CERT+C+Secure+Coding+Standard
>> > https://www.securecoding.cert.org/confluence/display/seccode/Top+10+Secure+Coding+Practices
>> >
>> > Section 3 – The OWASP Testing Framework – The Phases especially 4 and 5 page
>> > 43
>> >
>> >             I would like to see some more details, guidance and checklists
>> > on what exactly to do and check.
>> >
>> > Section 3 – The OWASP Testing Framework – OWASP Testing Framework Work Flow
>> > – Page 45
>> >
>> > All work tasks do not seem to be included in this section, for example the
>> > section details do not include “Unit and System Tests” and “Acceptance
>> > Tests” in the Deployment part of this section on page 43 or 44.
>> >
>> > Section 4 - Web Application Penetration Testing – Chart - page 47
>> >
>> >             Would it be possible to add another column linking to the
>> > specific OWASP Top 10? My reasoning is that someone may say they will test
>> > to the OWASP Top 10. So they need a good list.
>> >
>> > Section 4 - Web Application Penetration Testing
>> >
>> >             It seems like the test types have Grey Box, White Box and Black
>> > Box but it is not consistent. I think all should probably include all 3
>> > types and if it is not applicable state it.
>> >
>> > Appendix A: Testing Tools
>> >
>> >             Should WebInspect be added to the Commercial Black Box Testing
>> > Tools?
>> >
>> >             Should there be an Acceptance Testing Tools – Commercial section
>> > for tools such as:
>> >             HP Quick Test Professional
>> >             IBM Rational Robot
>> >             Etc.
>> >
>> >             Should the BuildSecurityIn web site be added to the “Useful
>> > Websites” section?
>> > https://buildsecurityin.us-cert.gov/bsi/home.html
>> >
>> >             Should the Web Service testing tool soapUI be added?
>> > http://www.soapui.org/Security/getting-started.html
>> >
>> > Thanks,
>> > David :)
>> >
>> > From: Ismael Rocha <ismaelrocha.projetos at gmail.com>
>> > To: Matteo Meucci <matteo.meucci at owasp.org>
>> > Cc: owasp-testing at lists.owasp.org
>> > Sent: Friday, September 7, 2012 6:26 PM
>> >
>> > Subject: Re: [Owasp-testing] Testing Guide V4 - Start up
>> >
>> > Hello.
>> > I know we've been focused on the testing list but I have some comments for
>> > other sections.
>> > a) About the Web Application Penetration Testing
>> > Talking about the Web Application Penetration Testing (chapter 4), I suggest
>> > we improve the section with some explanations.
>> > 4. Web Application Penetration testing
>> > 4.1 Introduction and Objectives
>> >  -> Introduce typical penetration test phases
>> >   Here we would have an overview of a typical pen-test, divided into 4
>> > phases.
>> >   1) Plan
>> >    This part basically talks about how to plan a penetration test
>> >    -> Types of the Test (maybe the explanation about types of test could
>> > fit in a section in the beginning of the testing guide)
>> >     -> Black Box
>> >     -> White Box
>> >     -> Gray Box
>> >    -> Viewpoint
>> >     -> External
>> >     -> Internal
>> >    -> Scope
>> >     -> http://www.targetedapp.com
>> >    -> Restrictions
>> >     -> List of all restrictions (e.g. do not perform DoS, social
>> > engineering)
>> >   2) Discovery
>> >    -> Information Gathering
>> >    -> Vulnerability Analysis
>> >   3) Attack
>> >    -> Attack itself
>> >   4) Report
>> >    -> Last Phase of a penetration test (chapter 5 writing report)
>> >
>> >
>> > b) About the paragraph of the testing cases:
>> > One of the goals of this version is to make the Testing Guide more readable.
>> > I think we need to define common subsections present in all testing cases.
>> > Then, all testing cases would have the same sections and formats. I already
>> > suggested having the checklist (questions) in a pre-defined subsection inside
>> > each testing case. If we have a checklist in a table format, we could get
>> > them and put them into a big table that could be printed and checked.
>> > For example:
>> > 4.5.4 Testing for Exposed Session Variables (OWASP-SM-004)
>> >  4.5.4.2   Brief Summary
>> >  4.5.4.3   Description of the issue
>> >  4.5.4.4   Related security activities
>> >  4.5.4.5   Threats
>> >  4.5.4.6   Countermeasures
>> >  4.5.4.7   Testing
>> >     -> Black Box
>> >             -> Technique 1
>> >             -> Results expected
>> >     -> Gray Box
>> >              ....
>> >     -> White Box
>> >              ....
>> >  4.5.4.8   Checklist
>> >
>> >    -------------------------------------------------------------------------------
>> >    | OWASP-SM-004                             | Black Box | White Box | Gray Box |
>> >    -------------------------------------------------------------------------------
>> >    | 1. Cache-control defined to no-cache     |           |           |          |
>> >    -------------------------------------------------------------------------------
>> >    | 2. Different session token after login   |           |           |          |
>> >    -------------------------------------------------------------------------------
>> >  4.5.4.9    References
>> >  4.5.4.10  Tools
>> > We can also have a box called tips in each section with some tips
>> > highlighted.
>> > Regards.
>> >
>> > Ismael Gonçalves
>> >
>> > On Thu, Sep 6, 2012 at 4:22 AM, Matteo Meucci <matteo.meucci at owasp.org> wrote:
>> >
>> > Great Luca!
>> >
>> > Thanks,
>> > Mat
>> >
>> > On 09/04/2012 07:29 PM, Luca Carettoni wrote:
>> >> On Thu, 2012-08-30 at 22:44 +0200, Matteo Meucci wrote:
>> >>> My idea is also to contact the authors of the new testing techniques
>> >>> asking for their contributes.
>> >>>
>> >>> So for example I wish that for HTTP Verb Tampering, Arshan could help
>> >>> and for HTTP Parameter pollution, Stefano and Luca can give us the
>> >>> better contents.
>> >>
>> >> Sure! Feel free to add my name on the list.
>> >> Actually, Stefano and I already have something drafted on HPP that was
>> >> written during our research.
>> >>
>> >> Cheers,
>> >> Luca
>> >>
>> >
>> > _______________________________________________
>> > Owasp-testing mailing list
>> > Owasp-testing at lists.owasp.org
>> > https://lists.owasp.org/mailman/listinfo/owasp-testing
>> >
>> >
>> >
>> >
>> > --
>> > Ismael Gonçalves
>> >
>> >
>> >
>>
>>
>>
>> --
>> Ismael Gonçalves
>>
>>
>>
>
>
> --
> Ismael Gonçalves
>
>
>


-- 
Global Board Member (Vice Chair)
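Added example, not code from the Testing Guide project nor from anyone on this thread: the OWASP Risk Rating Methodology that Ismael's risk column and David's page 36 comment refer to, carried through for the two cases Eoin raises, an XSS reachable by anyone on a public page and an XSS that only renders inside an admin-only function. The factor names, 0-9 scales and the likelihood x impact severity matrix are the published methodology's own; the scores assigned to the two constructed findings, and the function names, are assumptions made for the illustration.

```python
"""OWASP Risk Rating Methodology applied to two constructed XSS findings.

Added example for this thread, not Testing Guide code. Factor names, 0-9
scales and the severity matrix follow the methodology at
https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology; the scores
given to the two findings below are illustrative assumptions.
"""

# Eight likelihood factors (threat agent + vulnerability), each scored 0-9.
LIKELIHOOD_FACTORS = (
    "skill_level", "motive", "opportunity", "size",          # threat agent
    "ease_of_discovery", "ease_of_exploit", "awareness",    # vulnerability
    "intrusion_detection",
)
# Four business impact factors, each scored 0-9. The methodology's technical
# impact factors (loss of confidentiality/integrity/availability/
# accountability) can be substituted when no business context is available.
IMPACT_FACTORS = (
    "financial_damage", "reputation_damage", "non_compliance", "privacy_violation",
)
# Overall severity, keyed by (likelihood band, impact band).
SEVERITY = {
    ("LOW", "LOW"): "Note",     ("LOW", "MEDIUM"): "Low",       ("LOW", "HIGH"): "Medium",
    ("MEDIUM", "LOW"): "Low",   ("MEDIUM", "MEDIUM"): "Medium", ("MEDIUM", "HIGH"): "High",
    ("HIGH", "LOW"): "Medium",  ("HIGH", "MEDIUM"): "High",     ("HIGH", "HIGH"): "Critical",
}


def band(score):
    """Map a 0-9 average onto the methodology's LOW / MEDIUM / HIGH bands."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def _average(scores, names):
    """Average the named factors, refusing missing or out-of-range scores."""
    missing = [n for n in names if n not in scores]
    if missing:
        raise ValueError(f"missing factors: {missing}")
    bad = [n for n in names if not 0 <= scores[n] <= 9]
    if bad:
        raise ValueError(f"scores must be 0-9: {bad}")
    return sum(scores[n] for n in names) / len(names)


def rate(likelihood, impact):
    """Return likelihood, impact and overall severity for one finding."""
    lk = _average(likelihood, LIKELIHOOD_FACTORS)
    im = _average(impact, IMPACT_FACTORS)
    return {
        "likelihood": lk, "likelihood_band": band(lk),
        "impact": im, "impact_band": band(im),
        "severity": SEVERITY[(band(lk), band(im))],
    }


# Constructed findings with assumed scores: the same vulnerability class seen
# from a different viewpoint (public vs authenticated) and role (anyone vs admin).
PUBLIC_REFLECTED_XSS = {  # unauthenticated, reflected on a public brochure page
    "likelihood": dict(skill_level=6, motive=4, opportunity=9, size=9,
                       ease_of_discovery=9, ease_of_exploit=9, awareness=9,
                       intrusion_detection=8),
    "impact": dict(financial_damage=1, reputation_damage=1, non_compliance=2,
                   privacy_violation=3),
}
ADMIN_STORED_XSS = {  # stored, rendered only inside the admin console
    "likelihood": dict(skill_level=6, motive=4, opportunity=4, size=2,
                       ease_of_discovery=3, ease_of_exploit=5, awareness=4,
                       intrusion_detection=3),
    "impact": dict(financial_damage=7, reputation_damage=5, non_compliance=5,
                   privacy_violation=7),
}


def example_findings():
    """Rate both constructed findings; returns a name -> rating mapping."""
    return {
        "public_reflected_xss": rate(**PUBLIC_REFLECTED_XSS),
        "admin_stored_xss": rate(**ADMIN_STORED_XSS),
    }


if __name__ == "__main__":
    for name, r in example_findings().items():
        print(f"{name}: likelihood {r['likelihood']:.2f} ({r['likelihood_band']}), "
              f"impact {r['impact']:.2f} ({r['impact_band']}) -> {r['severity']}")
```

Run directly, it prints both ratings. The public reflected XSS scores HIGH likelihood (7.875) but LOW impact (1.75), overall Medium, which is the value Ismael's table gives A2. The admin-only stored XSS scores MEDIUM likelihood (3.875) but HIGH impact (6.0), overall High, the ordering Eoin argues for: fewer people can reach it, but what it reaches matters more. Swapping in a customer's own business scores, or the technical impact factors, changes only the impact dictionaries.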