Difference between revisions of "Testing for Credentials Transported over an Encrypted Channel (OWASP-AT-001)"

From OWASP
Jump to: navigation, search
(New page: {{Template:OWASP Testing Guide v3}} '''This is a draft of a section of the new Testing Guide v3''' == Brief Summary == <br> ..here: we describe in "natural language" what we want to test...)
 
(Brief Summary)
Line 5: Line 5:
 
== Brief Summary ==
 
== Brief Summary ==
 
<br>
 
<br>
..here: we describe in "natural language" what we want to test.
+
The problem we are going to discuss is to verify that authentication datas that we are sending are actually transferred via en encrypted channel to avoid being intercepted by some malicious user. The analysis focus simply on trying to understand if our datas travel unencrypted from our web browser to the server or if the web application takes the appropriate security measures using a protocol like HTTPS. This protocol, like others that use encryption, is built on TLS/SSL to encrypt the data that we want to transmit and to ensure that we are sending them towards the desired site. Clearly, the fact that our traffic is encrypted does not necessarily means that it's safe. The security also depends from the encryption algorithm used and from the robustness of the keys that we are using. But this particular topic will not be addressed in this section, for a more detailed discussion on testing the safety of our TLS/SSL channel you can refer to chapter (INSERT CHAPTER LINK). We will just try to understand if the data that we put into the web form, in order to log into a web site, are transmitted using sure protocols that protect them from an attacker or not. To do this we will consider various examples.
 
<br>
 
<br>
 +
 
== Description of the Issue ==  
 
== Description of the Issue ==  
 
<br>
 
<br>

Revision as of 08:33, 30 June 2008

OWASP Testing Guide v3 Table of Contents

This article is part of the OWASP Testing Guide v3. The entire OWASP Testing Guide v3 can be downloaded here.

OWASP at the moment is working at the OWASP Testing Guide v4: you can browse the Guide here

Contents


This is a draft of a section of the new Testing Guide v3

Brief Summary


The problem we are going to discuss is to verify that authentication datas that we are sending are actually transferred via en encrypted channel to avoid being intercepted by some malicious user. The analysis focus simply on trying to understand if our datas travel unencrypted from our web browser to the server or if the web application takes the appropriate security measures using a protocol like HTTPS. This protocol, like others that use encryption, is built on TLS/SSL to encrypt the data that we want to transmit and to ensure that we are sending them towards the desired site. Clearly, the fact that our traffic is encrypted does not necessarily means that it's safe. The security also depends from the encryption algorithm used and from the robustness of the keys that we are using. But this particular topic will not be addressed in this section, for a more detailed discussion on testing the safety of our TLS/SSL channel you can refer to chapter (INSERT CHAPTER LINK). We will just try to understand if the data that we put into the web form, in order to log into a web site, are transmitted using sure protocols that protect them from an attacker or not. To do this we will consider various examples.

Description of the Issue


...here: Short Description of the Issue: Topic and Explanation

Black Box testing and example

Testing for Topic X vulnerabilities:
...
Result Expected:
...

Gray Box testing and example

Testing for Topic X vulnerabilities:
...
Result Expected:
...

References

Whitepapers
...
Tools
...