[Owasp-testing] New testing cases proposal for section: 4.3 Configuration and Deployment Management Testing

Safuat Hamdy safuat.hamdy at secorvo.de
Thu Aug 10 08:47:04 UTC 2017


Hello,

I like the idea (I had this in mind as well), but I suggest combining all test cases that check server headers into one test item, except for headers concerned with cross-domain/-origin policies; that is a specific issue that has (and deserves) its own test item. Moreover, I propose moving the check for cache control headers to the header checks as well; right now it is in AUTHN, where it is IMHO misplaced. (My take on AUTHN is that it should be concerned strictly with the authentication and account recovery processes.)


Best Regards


--------------------------------------------------------
ISMS ready2go  -   With the Secorvo "complete system" to
certification in the shortest possible time: www.ISMSready2go.de
--------------------------------------------------------

Dr. Safuat Hamdy
Security Consulting

Secorvo Security Consulting GmbH
Ettlinger Strasse 12-14, D-76137 Karlsruhe
Tel. +49 721 255171-304, Fax +49 721 255171-100
safuat.hamdy at secorvo.de, http://www.secorvo.de
PGP: 6A83 EC49 8474 D77C 1258  AE91 4BB4 8DEE 952A 2506

Mannheim HRB 108319, Managing Director: Dirk Fox

From: owasp-testing-bounces+safuat.hamdy=secorvo.de at lists.owasp.org [mailto:owasp-testing-bounces+safuat.hamdy=secorvo.de at lists.owasp.org] On behalf of Tal Argoni
Sent: Wednesday, 9 August 2017 22:10
To: owasp-testing at lists.owasp.org; Jim Manico <jim at owasp.org>; Matteo Meucci <matteo.meucci at owasp.org>
Subject: [Owasp-testing] New testing cases proposal for section: 4.3 Configuration and Deployment Management Testing

Hi,
I propose adding new test cases to version 5 based on the OWASP Secure Headers Project: https://www.owasp.org/index.php/OWASP_Secure_Headers_Project
What do you think?
Response Headers                                  | OTG test
--------------------------------------------------+----------------
HTTP Strict Transport Security (HSTS)             | OTG-CONFIG-007
  <https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#hsts>
  <https://www.owasp.org/index.php/Test_HTTP_Strict_Transport_Security_(OTG-CONFIG-007)>
Public Key Pinning Extension for HTTP (HPKP)      | OTG-CONFIG-010
  <https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#hpkp>
X-Frame-Options                                   | OTG-CONFIG-011
  <https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#xfo>
X-XSS-Protection                                  | OTG-CONFIG-012
  <https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#xxxsp>
X-Content-Type-Options                            | OTG-CONFIG-013
  <https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#xcto>
Content-Security-Policy                           | OTG-CONFIG-014
  <https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#csp>
X-Permitted-Cross-Domain-Policies                 | OTG-CONFIG-015
  <https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#xpcdp>
Referrer-Policy                                   | OTG-CONFIG-016
  <https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#rp>


Cheers,

Tal Argoni, Co-Founder & Senior Application Security Expert
"Redefining Cyber Safety"

Mobile, +972-58-778-1213

eMail, Tal at triadsec.com

Linkedin, https://www.linkedin.com/in/talargoni

Website, http://www.triadsec.com/
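What the two messages above amount to in code, as an added example that is not part of either mail and not OWASP, Secorvo or Triad code: one combined test item that walks every header in Tal's table plus the Cache-Control check Safuat wants moved out of AUTHN. It assumes a one-year HSTS minimum (the hstspreload.org requirement), a placeholder id OTG-CONFIG-TBD for the Cache-Control check because the thread assigns none, and two constructed sample responses; HPKP is reported as informational only, since browsers have since dropped support for it.

```python
"""Combined security-header audit over the proposed headers plus Cache-Control.
Added example; not OWASP, Secorvo or Triad code."""
import re
from typing import Callable, Dict, List, Optional, Tuple

MIN_HSTS_MAX_AGE = 31536000  # assumed threshold: one year, as hstspreload.org requires

# Constructed sample responses; not captured from any real site.
SAMPLE_GOOD = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: DENY
X-XSS-Protection: 0
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: strict-origin-when-cross-origin
Cache-Control: no-store
"""
SAMPLE_WEAK = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=300
X-Frame-Options: ALLOWALL
Content-Security-Policy: default-src *
X-Permitted-Cross-Domain-Policies: all
Cache-Control: public, max-age=3600
"""


def parse_headers(raw: str) -> Dict[str, str]:
    """Raw response head -> lower-cased header map; repeats joined with ', ' (RFC 7230)."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def _directives(value: str) -> Dict[str, str]:
    """Split 'a=1; b' or 'a, b=2' into {'a': '1', 'b': ''}, names lower-cased."""
    out: Dict[str, str] = {}
    for part in re.split(r"[;,]", value):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.lower()] = val.strip()
    return out


def _one_of(*allowed: str) -> Callable[[str], Optional[str]]:
    """Validator accepting exactly the listed values (case-insensitive)."""
    return lambda v: None if v.lower() in allowed else f"value {v!r}"


def _check_hsts(value: str) -> Optional[str]:
    """HSTS needs a long max-age and should cover subdomains."""
    d = _directives(value)
    age = d.get("max-age", "")
    max_age = int(age) if age.isdigit() else 0  # unparsable counts as absent
    if max_age < MIN_HSTS_MAX_AGE:
        return f"max-age={max_age} is below {MIN_HSTS_MAX_AGE}"
    return None if "includesubdomains" in d else "includeSubDomains not set"


def _check_csp(value: str) -> Optional[str]:
    """Flag a wildcard or 'unsafe-inline' source in default-src or script-src."""
    for directive in value.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() in ("default-src", "script-src") and (
                "*" in parts[1:] or "'unsafe-inline'" in parts[1:]):
            return f"{parts[0]} allows {' '.join(parts[1:])}"
    return None


# (test id, header, validator returning None when acceptable). X-XSS-Protection
# accepts both values recommended over time; OTG-CONFIG-TBD is a placeholder id.
CHECKS: List[Tuple[str, str, Callable[[str], Optional[str]]]] = [
    ("OTG-CONFIG-007", "Strict-Transport-Security", _check_hsts),
    ("OTG-CONFIG-011", "X-Frame-Options", _one_of("deny", "sameorigin")),
    ("OTG-CONFIG-012", "X-XSS-Protection", _one_of("0", "1; mode=block")),
    ("OTG-CONFIG-013", "X-Content-Type-Options", _one_of("nosniff")),
    ("OTG-CONFIG-014", "Content-Security-Policy", _check_csp),
    ("OTG-CONFIG-015", "X-Permitted-Cross-Domain-Policies", _one_of("none", "master-only")),
    ("OTG-CONFIG-016", "Referrer-Policy",
     lambda v: "unsafe-url leaks full URLs" if v.lower() == "unsafe-url" else None),
    ("OTG-CONFIG-TBD", "Cache-Control",
     lambda v: None if "no-store" in _directives(v) else "no-store not set"),
]


def audit_headers(h: Dict[str, str], sensitive: bool = True) -> List[Tuple[str, str, str, str]]:
    """Run every check as one test item; return (test id, header, severity, detail).
    `sensitive`: page may carry data that must not be cached, so Cache-Control applies."""
    findings = []
    for test_id, header, check in CHECKS:
        if header == "Cache-Control" and not sensitive:
            continue
        value = h.get(header.lower())
        detail = "missing" if value is None else check(value)
        if detail:
            findings.append((test_id, header, "fail", detail))
    # OTG-CONFIG-010: HPKP. Browsers have since removed support and a bad pin
    # locks users out, so a present header is reported for information only.
    if "public-key-pins" in h:
        findings.append(("OTG-CONFIG-010", "Public-Key-Pins", "info",
                         "present; no current browser enforces it"))
    return findings
```

Run over the constructed samples, audit_headers returns no findings for SAMPLE_GOOD and eight failures for SAMPLE_WEAK (the HSTS check stops at the first defect it sees, so a short max-age masks the missing includeSubDomains until it is fixed). Safuat's point that cross-domain/-origin headers deserve their own item maps onto this layout directly: split the CHECKS table in two and run each half as its own test item.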