[Owasp-testing] few comments on v4 content

Tomas Zatko tomas.zatko at citadelo.com
Mon Dec 16 00:10:27 UTC 2013


Hi,

I wanted to do a review of the actual OTGv4 state, as Andrew asked. Sadly I have not had enough time to check it all (yet), so I am sending just a few comments.
Please correct me if I understood something incorrectly.


* OTG-AUTHN-006 vs. OTG-CRYPST-004 & OTG-CRYPST-005
AUTHN-006:	Testing for Browser cache weakness
CRYPST-004:	Testing for Cacheable HTTPS Response
CRYPST-005:	Test Cache Directives
CRYPST-005 and CRYPST-004 are empty. I think we should remove them. They would describe basically the same stuff that should be described in AUTHN-006, wouldn't they? It is redundant to mention the same stuff in several tests.


* OWASP-EN-001 vs. OTG-CRYPST-002
What is the purpose of OWASP-EN-001? Isn't it redundant with OTG-CRYPST-002?
Or should it contain info on general crypto stuff?
I can imagine describing there issues related to custom signing schemes or custom algorithms in general.
In the past I found such issues (a weak custom signature: offline cracking revealed the private key in a short time) but described them as a business logic issue. The crypto section is clearly better.


* OTG-IDENT-005 vs. OTG-IDENT-004
I think "Weak or unenforced username policy" (OTG-IDENT-005) does not need its own test. It should be described within "Account Enumeration and Guessable User Account" (OTG-IDENT-004).
OTG-IDENT-005 in fact has the same content that is already in OTG-IDENT-004.
We should:
- either remove OTG-IDENT-005
- or remove the "Guessable User Account" part from OTG-IDENT-004


* OTG-CONFIG-010 vs. OTG-CLIENT-004
"Test Frame Options" (OTG-CONFIG-010) is empty, but it would cover the same stuff that is already in "Testing for Clickjacking" (OTG-CLIENT-004), wouldn't it?
We should remove OTG-CONFIG-010.

* OTG-CLIENT-004 contained information on X-Frame-Options but did not contain info on the recommended value (DENY). I added it: https://www.owasp.org/index.php?title=Testing_for_Clickjacking_%28OWASP-CS-004%29&diff=164691&oldid=140536


* OWASP OTG-INFO-010 vs. OTG-INFO-002
They are redundant. They actually contain the same content. We should remove one of them (OWASP OTG-INFO-010).


* Test Session Token Strength (OTG-SESS-006)
It is empty. I can write that one.
And also extend the part about CSRF tokens: CSRF tokens should have the same cryptographic strength (size and entropy) as the session ID.


* Testing for Weak password policy (OTG-AUTHN-007)
It is neither very clear nor verbose.
I think it could be good practice to ban the most used passwords, like these ones: http://stricture-group.com/files/adobe-top100.txt
I was thinking about starting a project for a maintained list of the most used passwords. I searched for such a project and found this on GitHub: https://gist.github.com/mehlah/3128202
Maybe it is worth starting an OWASP project for this? Maintaining a list of the most used passwords observed in leaked lists from past breaches around the world? What do you think?

Regards

-- 
Tomas Zatko, CISSP, CEH
http://www.citadelo.com
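Added example (my own, not part of the OTG wiki text or of the message above): the checks the browser-cache tests (AUTHN-006 / CRYPST-004 / CRYPST-005) and the clickjacking test (CLIENT-004) describe, run over two raw HTTP responses that are constructed for the demonstration. The header names are real; the sample page content and the wording of the findings are made up.

```python
"""Audit cache directives and clickjacking headers in a raw HTTP/1.x response.

Constructed example, not OTG text. The two responses below are made up:
the first is what a sensitive (authenticated) page too often looks like,
the second is the hardened form with X-Frame-Options: DENY.
"""

WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Cache-Control: private, max-age=600\r\n"
    "\r\n"
    "<html>account statement for user 42</html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Cache-Control: no-store, no-cache, must-revalidate\r\n"
    "Pragma: no-cache\r\n"
    "Expires: 0\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Security-Policy: frame-ancestors 'none'\r\n"
    "\r\n"
    "<html>account statement for user 42</html>"
)


def parse_headers(raw):
    """Return {lowercased-name: [values]} for a raw HTTP/1.x response."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def cache_findings(headers):
    """Findings for a response that carries sensitive (authenticated) content."""
    findings = []
    directives = {
        d.strip().lower()
        for value in headers.get("cache-control", [])
        for d in value.split(",")
    }
    if "no-store" not in directives:
        # no-store keeps the page out of the disk cache; no-cache alone only
        # forces revalidation of a copy that has already been stored
        findings.append("Cache-Control without no-store")
    if "public" in directives:
        findings.append("Cache-Control: public on sensitive content")
    if "no-cache" not in {v.lower() for v in headers.get("pragma", [])}:
        findings.append("Pragma: no-cache missing (HTTP/1.0 caches)")
    return findings


def framing_findings(headers):
    """Findings for clickjacking protection (X-Frame-Options, CSP frame-ancestors)."""
    findings = []
    xfo = {v.upper() for v in headers.get("x-frame-options", [])}
    csp = " ".join(headers.get("content-security-policy", [])).lower()
    if not xfo and "frame-ancestors" not in csp:
        findings.append("no X-Frame-Options and no CSP frame-ancestors")
    elif xfo and not xfo <= {"DENY", "SAMEORIGIN"}:
        # ALLOW-FROM and anything else is either obsolete or a typo browsers ignore
        findings.append(f"unexpected X-Frame-Options value(s): {sorted(xfo)}")
    elif len(xfo) > 1:
        findings.append("conflicting X-Frame-Options values")
    return findings


def audit(raw):
    """All findings for one raw response, in a fixed order."""
    headers = parse_headers(raw)
    return cache_findings(headers) + framing_findings(headers)


if __name__ == "__main__":
    for name, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(name, audit(raw) or "no findings")
```

The framing check accepts either X-Frame-Options or a CSP frame-ancestors directive, because current browsers honour the latter and older ones only the former; a response that sets both, as the hardened sample does, is what you want to see.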
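Added example (my own, not OTG text) for the session/CSRF token point above: the arithmetic a tester does first when judging token strength, i.e. how many positions actually vary across a sample and how many bits per character the observed alphabet gives, applied to a CSRF token and a session ID. The four session IDs and four CSRF tokens are constructed for the demonstration; the function names are my own.

```python
"""Upper-bound estimate of token entropy from a small sample of tokens.

Constructed example, not OTG text. This only tells you a token is too short
or too predictable to be safe; confirming that a token really is random needs
a large sample and proper statistical tests.
"""
import math
import secrets
import string

# (name, characters, number of distinct symbols), smallest alphabet first
ALPHABETS = [
    ("decimal", set(string.digits), 10),
    ("hex", set(string.hexdigits), 16),
    ("base64url", set(string.ascii_letters + string.digits + "-_"), 64),
    ("base64", set(string.ascii_letters + string.digits + "+/="), 64),
]

# Constructed samples: four 128-bit hex session IDs ...
SESSION_IDS = [
    "3f9a1c7e5b2d8a4f6c0e9b1d7a3f5c2e",
    "a81d4e6f2c9b0a7d3e5f1c8b6a2d4e9f",
    "c52b9e0a7f3d1c8e4b6a2f9d0c7e3a1b",
    "7e0c3a9f1b5d2e8c6a4f0b9d3c1e7a5f",
]
# ... and four CSRF tokens built from a date and a counter, which look
# opaque at a glance but carry almost no entropy
WEAK_CSRF = [
    "csrf-20131216-0041",
    "csrf-20131216-0042",
    "csrf-20131216-0043",
    "csrf-20131216-0044",
]


def varying_positions(tokens):
    """Character positions that take more than one value across the sample."""
    width = min(map(len, tokens))
    return [i for i in range(width) if len({t[i] for t in tokens}) > 1]


def estimate_bits(tokens):
    """Return (alphabet name, upper bound in bits) for a sample of tokens.

    Positions that are constant across the sample (prefixes, dates,
    separators) contribute nothing; the varying positions are scored against
    the smallest standard alphabet that covers the characters seen there.
    """
    if len(tokens) < 2:
        raise ValueError("need at least two tokens to compare")
    positions = varying_positions(tokens)
    seen = {t[i] for t in tokens for i in positions}
    for name, chars, symbols in ALPHABETS:
        if seen <= chars:
            return name, len(positions) * math.log2(symbols)
    return "custom", len(positions) * math.log2(max(len(seen), 2))


def csrf_as_strong_as_session(session_ids, csrf_tokens):
    """The requirement from the message: CSRF tokens at least as strong as session IDs."""
    return estimate_bits(csrf_tokens)[1] >= estimate_bits(session_ids)[1]


def fresh_token(nbytes=32):
    """What a token should look like: 256 bits from the OS CSPRNG, base64url encoded."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    print("session IDs:", estimate_bits(SESSION_IDS))
    print("weak CSRF:  ", estimate_bits(WEAK_CSRF))
    print("fresh CSRF: ", estimate_bits([fresh_token() for _ in range(8)]))
    print("weak CSRF acceptable:", csrf_as_strong_as_session(SESSION_IDS, WEAK_CSRF))
```

With the constructed sample the session IDs score 128 bits while the CSRF tokens score about 3.3 bits: only the last digit changes, so an attacker who has seen one token can guess the next. The same position analysis also catches a session ID that embeds a user ID or timestamp in a fixed place.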
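Added example (my own, not OTG text) for the weak-password-policy point above: a check that rejects the most used passwords even when the user dresses them up with capitals, leet substitutions or a trailing year. The deny-list here is a tiny constructed stand-in for a real list such as the Adobe top-100 linked above; the leet table and the function names are my own.

```python
"""Reject commonly used passwords, including their obvious disguises.

Constructed example, not OTG text. COMMON_PASSWORDS stands in for a
maintained list of passwords observed in breach dumps.
"""
import re
import unicodedata

# Tiny constructed stand-in for a real "most used passwords" list
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "letmein",
    "iloveyou", "welcome", "admin", "monkey",
}

# Common leet substitutions, undone before the lookup ('1' is read as 'i')
LEET = str.maketrans({
    "@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
    "4": "a", "5": "s", "7": "t", "!": "i",
})


def normalize(password):
    """Collapse 'P@ssw0rd2013!' to 'password' so the list lookup still hits.

    Lower-cases, strips a trailing run of digits/symbols (years, '123', '!!'),
    then undoes leet substitutions.
    """
    p = unicodedata.normalize("NFKC", password).lower()
    p = re.sub(r"[\d!@#$%^&*.]+$", "", p)
    return p.translate(LEET)


def check_password(password, min_length=12):
    """Return the list of policy violations (empty list means accepted)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    # check both the plain lower-cased form and the normalized form, so that
    # '123456' (which normalizes to '') is still caught
    candidates = {password.lower(), normalize(password)}
    if candidates & COMMON_PASSWORDS:
        problems.append("matches a commonly used password")
    return problems


if __name__ == "__main__":
    for pw in ("123456", "P@ssw0rd2013!", "L3tM31n!!", "correct horse battery staple"):
        print(repr(pw), check_password(pw) or "accepted")
```

The normalization is deliberately aggressive: a false positive costs the user one more attempt at choosing a password, a false negative leaves an account open to the first line of a credential-stuffing list.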
