[Owasp-testing] OWASP Testing Guide v4 Final Call

Andrew Muller andrew.muller at owasp.org
Sun Dec 1 13:17:03 UTC 2013

Hi folks,
  Matteo and I are in the final stages of collating articles for v4 of the
Testing Guide. On the *15th December 2013* we'll be conducting a final
review of all test cases and making decisions about which articles will
make it to v4 and which won't. The community (hey, that's YOU) has put a
HUGE amount of effort into updating the Guide and over the next two weeks
we need to drive it home.

While most articles are taking shape nicely, due to work or personal
commitments, some are struggling. The following articles are candidates for
being cut from v4 and we need folks to adopt them to bring them back from
the brink. If you have the knowledge, time and commitment to write these
articles, then we want to hear from you! Alternatively, if you think they
shouldn't make it to v4, then let us know that too!

4.6.5 Testing for Insecure Direct Object References (OTG-AUTHZ-005)
4.6.6 Testing for Failure to Restrict access to authorized resource
4.6.7 Test privileges of server components (OTG-AUTHZ-007) (e.g. indexing
service, reporting interface, file generator)
4.6.8 Test enforcement of application entry points (OTG-AUTHZ-008)
(including exposure of objects)
4.6.9 Testing for failure to restrict access to authenticated resource
4.7.6 Test Session Token Strength (OTG-SESS-006)
4.7.7 Testing for logout functionality (OTG-SESS-007)
4.7.8 Testing for Session puzzling (OWASP-SM-008)
4.7.8 Test Session Timeout (OTG-SESS-008)
4.7.9 Test multiple concurrent sessions (OTG-SESS-009)
4.8.5 Testing for Unvalidated Redirects and Forwards (OTG-INPVAL-005)
Testing for Remote File Inclusion
4.10.4 Testing for Cacheable HTTPS Response (OTG-CRYPST-004)
4.10.5 Test Cache Directives (OTG-CRYPST-005)
4.10.6 Testing for Insecure Cryptographic Storage (OTG-CRYPST-006)
4.10.7 Testing for Sensitive information sent via unencrypted channels
4.10.8 Test Cryptographic Key Management (OTG-CRYPST-008)
4.14.2 WS Information Gathering (OTG-WEBSVC-002)
4.14.3 WS Authentication Testing (OTG-WEBSVC-003)
4.14.4 WS Management Interface Testing (OTG-WEBSVC-004)
4.14.5 Weak XML Structure Testing (OTG-WEBSVC-005)
4.14.6 XML Content-Level Testing (OTG-WEBSVC-006)
4.14.7 WS HTTP GET Parameters/REST Testing (OTG-WEBSVC-007)
4.14.8 WS Naughty SOAP Attachment Testing (OTG-WEBSVC-008)
4.14.9 WS Replay/MiTM Testing (OTG-WEBSVC-009)
4.14.10 WS BEPL Testing (OTG-WEBSVC-010)

Remember, we need you to complete articles by *15th December 2013*, so just
take on what you can comfortably handle. The complete list of articles and
their progress can be found in the Paragraph Management spreadsheet on
Google Docs (
Let us know if you'd like access to edit it and we'll help you out.

We're immensely grateful to the folks that have contributed to the Guide.
It's not been easy, but the outcome will be a product that continues to be
used by appsec testers the world over. As a result of the AppSecUSA Project
Summit we're looking at better ways to manage the Testing Guide, like using
Github to manage the project. So if you've got ideas, then get involved!

thanks folks!

Andrew & Matteo