[Owasp-testing] v5 Plan?

Benjamin Robinson benjamin.robinson at gmail.com
Tue Jun 6 16:52:01 UTC 2017


I just submitted a pull request that added some headings to structure
workload identification and put a candidate new test out there--Server-Side
Template Injection (SSTI).

On Tue, Jun 6, 2017 at 5:09 AM, Matteo Meucci <matteo.meucci at owasp.org>
wrote:

> Hi,
>
> sorry for the late reply.
>
> Thanks to Dinis we have now a Github repository here:
>
> https://github.com/OWASP/OWASP-Testing-Guide-v5
>
> Please let's start to contribute with the new ideas!
>
> Who will be present next week at the OWASP Summit?
>
> Thanks,
> Mat
>
> On 30/05/2017 12:42, Safuat Hamdy wrote:
>
> Hello Matteo,
>
> I wonder what is happening regarding the v5 deadlines. I can’t see any
> activity (at least here on the list). I applied for an OWASP account for
> the wiki but didn’t receive any reaction, so I can’t upload anything (I
> can’t see any activity in the wiki, anyway). So I would like to know how to
> proceed.
>
> As I told you some time ago I have compiled a mapping between several
> methodologies (such as OTGv4, ASVS L1, and Web App Hacker’s Handbook) and
> weakness and attack enumerations (such as Top Ten, CWE/SANS Top 25 and
> CAPEC). Based on that I wrote a proposal outline for v5. (I am currently
> conducting a web app test based on the proposal, as a proof of concept.)
> Now, what should I do with this and how is OTGv5 going to proceed? Shall I
> send my proposal to you so that you can post it somewhere? Especially,
> since I cannot attend the OWASP Summit there needs to be a hand-over (if
> you’re interested).
>
> Let me highlight some features of my proposal:
>
> 1. I do not distinguish between greybox and blackbox testing - in my view
> tests with more insight are ASVS, and the Testing Guide should be strictly
> for pentesting. There is no need to duplicate content between the two
> (although ASVS 3.0.1 L1 overlaps greatly with OTGv4, and as far as I
> understand ASVS 3.1 L1 and OTGv5 could perfectly match).
>
> 2. INFO is pure information gathering/discovery/reconnaissance/enumeration...
> whatever you want to call it. Every "standard check" that a pentester would
> reasonably make to explore an application is in INFO, including discovery
> on authentication, input handling, error handling and others. No verdicts
> or judgements in INFO - the results are used/evaluated in the sections
> following INFO.
>
> 3. Each section has a -099 item which is like "in this section but none of
> the above" (as MathRev does it), e.g. AUTHN-099, AUTHZ-099, etc. The
> purpose is to provide a catch-all for things that constitute a finding but
> appear in general quite rarely or are findings that are specific to an
> individual application. This way "exotic" findings don't need their own
> items but still have a space.
>
> 4. I tried to find relevant CWE entries for each (non-INFO) testing item -
> after all, if there is no weakness behind an item, what is the point of
> testing it? Yet, to my surprise, some obvious items don't have a CWE (e.g.
> using components with known weaknesses).
>
> Regards
>
> S. Hamdy
>
> --------------------------------------------------------
>
> Dr. Safuat Hamdy
> Security Consulting
>
> Secorvo Security Consulting GmbH
> Ettlinger Strasse 12-14, D-76137 Karlsruhe
> Tel. +49 721 255171-304, Fax +49 721 255171-100
> safuat.hamdy at secorvo.de, http://www.secorvo.de
> PGP: 6A83 EC49 8474 D77C 1258  AE91 4BB4 8DEE 952A 2506
>
> Mannheim HRB 108319, Geschaeftsfuehrer: Dirk Fox
>
> _______________________________________________
> Owasp-testing mailing list
> Owasp-testing at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-testing