Difference between revisions of "OWASP Testing Guide v3 Startup"

From OWASP

Latest revision as of 09:15, 23 May 2008

Planning the new OWASP Testing Guide v3

3rd October 2007: Startup v3
The OWASP Testing Guide v2 was a great success, with thousands of downloads and many companies that have adopted it as the standard for Web Application Penetration Testing.
Now we would like to begin a new project that is based on v2 but improves and completes it.

In the OWASP Testing Guide v2 we have split the set of tests in 8 sub-categories:

  • Information Gathering
  • Business Logic Testing
  • Authentication Testing
  • Session Management Testing
  • Data Validation Testing
  • Denial of Service Testing
  • Web Services Testing
  • AJAX Testing

The following are my thoughts about the new OWASP Testing Guide v3:

1) Authorization testing missing. As Jeff and Dave said many times before, it's important to create a new category.

  • This should include things which were in v1 but dropped from v2, like: OWASP-AC-003 : Authorization Parameter Manipulation, OWASP-AC-004 : Authorized pages/functions

2) Information gathering is not a set of vulnerabilities --> not in report --> new category: Passive mode
3) Business logic testing --> not in report --> Passive mode
4) Infrastructural test --> new category
5) Web Services section needs improvement
6) AJAX Testing section needs improvement
7) New category: Client side Testing. AJAX and Flash Testing


This document (http://www.owasp.org/index.php/Image:Planning_OTGv3.doc) analyzes the OWASP Testing Guide v2 vulnerabilities and a plan to create the new v3.

The following clarifications/considerations also need to be made in preparation for v3:
1) Are "OWASP-AUTHN-001 : Authentication endpoint request should be HTTPS" and "OWASP-AUTHN-003 : Credentials transport over an encrypted channel" as they were in v1 fully covered by "OWASP-IG-005 : SSL/TLS Testing"? --> no, we need to create a new test in authentication testing
2) Are "OWASP-AUTHN-009 : Password Structure" and "OWASP-AUTHN-010 : Blank Passwords" as they were in v1 fully covered by OWASP-AT-003 & OWASP-AT-001? --> Yes
3) Are all 5 AUTHSM references as they were in v1 fully covered by "OWASP-SM-001 : Session Management Schema"?
4) What does "OWASP-DP-001 : Sensitive Data in HTML" fall under in v2/v3?
5) Do all the SSL Data protection references (DP-003 through DP-007) from v1 fall under "OWASP-IG-005 : SSL/TLS Testing"?
6) Is "OWASP-DS-001 : Locking Customer Accounts" a subset of AUTHN-008 in v1 or AT-006 in v2, or is it really an item on its own?
7) Are "OWASP-EH-002 : User Error Messages" and "OWASP-EH-001 : Application Error Messages" as they were in v1 meant to fall under "OWASP-IG-004 : Analysis of Error Codes"? If so, where would things like overly specific authentication errors appear in the report? (If I understand correctly, Information gathering isn't going to be reported) [This would be things like error messages which actually specify "invalid username" or "invalid password" instead of "Error: the credentials provided are invalid" or similar generic messaging.] --> yes
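As an added example (not part of the original page), the distinction item 7 draws between field-specific and generic login errors, shown as a verbose login handler beside a hardened one and a check that tells the two apart. The user store, salt and SHA-256 hashing are constructed for the demo; a real system would use a slow password hash.

```python
import hashlib
import hmac
import secrets

# Constructed demo user store: username -> (salt, sha256(salt + password)).
# Real systems use a slow password hash (bcrypt/argon2); sha256 keeps the demo dependency-free.
def _hash(salt: bytes, password: str) -> bytes:
    return hashlib.sha256(salt + password.encode()).digest()

_SALT = b"demo-salt-16byte"
USERS = {"alice": (_SALT, _hash(_SALT, "correct horse"))}

# Dummy record checked when the username is unknown, so the code path and
# cost are the same whether or not the user exists.
_DUMMY = (_SALT, _hash(_SALT, secrets.token_hex(8)))

def login_verbose(username: str, password: str) -> tuple:
    """The pattern item 7 flags: the message reveals which field was wrong."""
    if username not in USERS:
        return False, "invalid username"
    salt, digest = USERS[username]
    if not hmac.compare_digest(digest, _hash(salt, password)):
        return False, "invalid password"
    return True, "ok"

GENERIC_ERROR = "Error: the credentials provided are invalid"

def login_generic(username: str, password: str) -> tuple:
    """Hardened form: one message for every failure, and the hash comparison
    always runs so unknown and known usernames take the same path."""
    salt, digest = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(digest, _hash(salt, password))
    # A match against the dummy record must never log anyone in.
    if ok and username not in USERS:
        ok = False
    return (True, "ok") if ok else (False, GENERIC_ERROR)

def leaks_username_existence(login) -> bool:
    """Check a login handler: True if a failed attempt with an unknown user
    is distinguishable (by message) from a known user with a wrong password."""
    _, msg_unknown = login("nobody", "whatever")
    _, msg_known = login("alice", "wrong")
    return msg_unknown != msg_known
```

Run `leaks_username_existence` against each handler: the verbose one reports a leak, the generic one does not, and only the generic handler belongs in a report under a single "credentials invalid" finding.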