SlideShare ist ein Scribd-Unternehmen logo

Planning the OWASP Testing Guide v4 Update

•
•
OWASP (Open Web Application Security Project)
OWASP (Open Web Application Security Project)

Planning the OWASP Testing Guide v4 Matteo Meucci, Giorgio Fedon, Pavol LuptĂĄk

Technologie
1 von 21
Downloaden Sie, um offline zu lesen
Planning the OWASP Testing Guide v4 Matteo Meucci, Giorgio Fedon, Pavol Luptak
AG E N DA • Few words about the TG history and adoption by the Companies • Why we need the Common Numbering and Common Vulnerability list • Update the set of test • V4 Roadmap
What is the OWASP Testing Guide? Where are we now?
Testing Guide history • January 2004 – "The OWASP Testing Guide", Version 1.0 • July 14, 2004 – "OWASP Web Application Penetration Checklist", Version 1.1 • December 25, 2006 – "OWASP Testing Guide", Version 2.0 • December 16, 2008 – "OWASP Testing Guide", Version 3.0 – Released at the OWASP Summit 08
Project Complexity Pages 400 350 300 250 200 Pages 150 100 50 0 v1 v1.1 v2 v3
OWASP Testing Guide v3 • SANS Top 20 2007 • NIST “Technical Guide to Information Security Testing (Draft)” • Gary McGraw (CTO Cigital) says: “In my opinion it is the strongest piece of Intellectual Property in the OWASP portfolio” – OWASP Podcast by Jim Manico
Testing Guide v3: Index 1. Frontispiece 2. Introduction 3. The OWASP Testing Framework 4. Web Application Penetration Testing 5. Writing Reports: value the real risk Appendix A: Testing Tools Appendix B: Suggested Reading Appendix C: Fuzz Vectors Appendix D: Encoded Injection
What are the difference between the OWASP Testing Guide and another book about WebApp PenTesting?
Web Application Penetration Testing • OWASP Testing Guide is driven by our Community • It’s related to the other OWASP guides • Our approach in writing this guide – Open – Collaborative • Defined testing methodology – Consistent – Repeatable – Under quality 9
Testing Guide Categories & vulnerability list
What we need now to improve the v3 and plan the v4?
OWASP Common Vulnerability List We need a common vulnerability list 12
Looking at the Testing Guide Categories & vulnerability list
The new team
Andrew Muller Mike Hryekewicz Aung KhAnt Nick Freeman Cecil Su Norbert Szetei Colin Watson Paolo Perego Daniel Cuthbert Pavol Luptak Giorgio Fedon Psiinon Jason Flood Ray Schippers Javier Marcos de Prado Robert Smith Juan Galiana Lara Robert Winkel Kenan Gursoy Roberto Suggi Liverani Kevin Horvat Sebastien Gioria Lode Vanstechelman Stefano Di Paola Marco Morana Sumit Siddharth Matt Churchy Thomas Ryan Matteo Meucci Tim Bertels Michael Boman Tripurari Rai Wagner Elias
Proposed v4 list: let’s discuss it Category Vulnerability name Where implemented Source Information Gathering Information Disclosure TG, ecc, --> link TG Configuration and Deploy Infrastructure Configuration management Management weakness TG Application Configuration management weakness TG File extensions handling TG Old, backup and unreferenced files TG Access to Admin interfaces TG Bad HTTP Methods enabled, (XST permitted: to eliminate or TG Informative Error Messages Database credentials/connection strings available Business logic Business Logic TG Credentials transport over an unencrypted Authentication channel TG User enumeration (also Guessable user account) TG Default passwords TG Weak lock out mechanism new TG Account lockout DoS Bypassing authentication schema TG Directory traversal/file include TG vulnerable remember password TG Logout function not properly implemented, browser cache weakness TG Weak Password policy New TG Weak username policy New Anurag weak security question answer New Failure to Restrict access to authenticated resource New Top10 Weak password change function New Vishal
Proposed v4 list: let’s discuss it (2) Authorization Path Traversal TG Bypassing authorization schema TG Privilege Escalation TG Insecure Direct Object References Top10 2010 Failure to Restrict access to authorized resource TG Session Managment Bypassing Session Management Schema TG Weak Session Token TG Cookies are set not ‘HTTP Only’, ‘Secure’, and no time validity TG Exposed sensitive session variables TG CSRF Session passed over http Vishal Session token within URL Vishal Session Fixation Vishal Session token not removed on server after logout Vishal Persistent session token Vishal Session token not restrcited properly (such as domain or path not set properly) Vishal Data Validation Reflected XSS TG Stored XSS TG - Vishal HTTP Verb Tampering new TG HTTP Parameter pollution new TG Unvalidated Redirects and Forwards T10 2010: new TG SQL Injection TG SQL Fingerprinting LDAP Injection TG ORM Injection TG XML Injection TG SSI Injection TG XPath Injection TG SOAP Injection IMAP/SMTP Injection TG Code Injection TG OS Commanding TG Buffer overflow Incubated vulnerability HTTP Splitting/Smuggling
Proposed v4 list: let’s discuss it (3) Data Encryption? Application did not use encryption Weak SSL/TSL Ciphers, Insufficient Transport Layer Protection Cacheable HTTPS Response Cache directives insecure Insecure Cryptographic Storage only SCR guide T10 2010: new TG Sensitive information sent via unencrypted channels XML interpreter? Weak XML Structure XML content-level WS HTTP GET parameters/REST WS Naughty SOAP attachments WS Replay Testing Client side? DOM XSS TG Cross Site Flashing TG ClickHijacking new TG
Proposed v4 news from Pavol - add new opensource testing tools that appeared during last 3 years (and are missing in the OWASP Testing Guide v3) - add few useful and life-scenarios of possible vulnerabilities in Bussiness Logic Testing (many testers have no idea what vulnerabilities in Business Logic exactly mean) - "Brute force testing" of "session ID" is missing in "Session Management Testing", describe other tools for Session ID entropy analysis (e.g. Stompy) - in "Data Validation Testing" describe some basic obfuscation methods for malicious code injection including the statements how it is possible to detect it (web application obfuscation is quite succesfull in bypassing many data validation controls) - split the phase Logout and Browser Cache Management" into two sections
Roadmap • Review all the control numbers to adhere to the OWASP Common numbering, • Review all the sections in v3, • Create a more readable guide, eliminating some sections that are not really useful, • Insert new testing techniques: HTTP Verb tampering, HTTP Parameter Pollutions, etc., • Rationalize some sections as Session Management Testing, • Create a new section: Client side security and Firefox extensions testing?
Questions? http://www.owasp.org/index.php/OWASP_Testing_Project matteo.meucci@owasp.org Thanks!!

Empfohlen

OTG-Recon
OTG-ReconOTG-Recon
OTG-ReconSedthakit Prasanphanich
 
OWASP OTG-configuration (OWASP Thailand chapter november 2015)
OWASP OTG-configuration (OWASP Thailand chapter november 2015)OWASP OTG-configuration (OWASP Thailand chapter november 2015)
OWASP OTG-configuration (OWASP Thailand chapter november 2015)Noppadol Songsakaew
 
Matteo Meucci OWASP Testing Guide v4
Matteo Meucci OWASP Testing Guide v4Matteo Meucci OWASP Testing Guide v4
Matteo Meucci OWASP Testing Guide v4Matteo Meucci
 
SANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection ExploitedSANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection ExploitedMicah Hoffman
 
[OWASP Poland Day] Application frameworks' vulnerabilities
[OWASP Poland Day] Application frameworks' vulnerabilities[OWASP Poland Day] Application frameworks' vulnerabilities
[OWASP Poland Day] Application frameworks' vulnerabilitiesOWASP
 
[Wroclaw #7] Security test automation
[Wroclaw #7] Security test automation[Wroclaw #7] Security test automation
[Wroclaw #7] Security test automationOWASP
 
Application Security Tools
Application Security ToolsApplication Security Tools
Application Security ToolsLalit Kale
 
[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security Headers[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security HeadersOWASP
 

Empfohlen

OTG-Recon
OTG-ReconOTG-Recon
OTG-ReconSedthakit Prasanphanich
 
OWASP OTG-configuration (OWASP Thailand chapter november 2015)
OWASP OTG-configuration (OWASP Thailand chapter november 2015)OWASP OTG-configuration (OWASP Thailand chapter november 2015)
OWASP OTG-configuration (OWASP Thailand chapter november 2015)Noppadol Songsakaew
 
Matteo Meucci OWASP Testing Guide v4
Matteo Meucci OWASP Testing Guide v4Matteo Meucci OWASP Testing Guide v4
Matteo Meucci OWASP Testing Guide v4Matteo Meucci
 
SANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection ExploitedSANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection ExploitedMicah Hoffman
 
[OWASP Poland Day] Application frameworks' vulnerabilities
[OWASP Poland Day] Application frameworks' vulnerabilities[OWASP Poland Day] Application frameworks' vulnerabilities
[OWASP Poland Day] Application frameworks' vulnerabilitiesOWASP
 
[Wroclaw #7] Security test automation
[Wroclaw #7] Security test automation[Wroclaw #7] Security test automation
[Wroclaw #7] Security test automationOWASP
 
Application Security Tools
Application Security ToolsApplication Security Tools
Application Security ToolsLalit Kale
 
[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security Headers[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security HeadersOWASP
 
Is code review the solution?
Is code review the solution?Is code review the solution?
Is code review the solution?Tiago Mendo
 
Advanced SQL Injection Attack & Defenses
Advanced SQL Injection Attack & DefensesAdvanced SQL Injection Attack & Defenses
Advanced SQL Injection Attack & DefensesTiago Mendo
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
Zap vs burp
Zap vs burpZap vs burp
Zap vs burpTomasz Fajks
 
[Wroclaw #7] Why So Serial?
[Wroclaw #7] Why So Serial?[Wroclaw #7] Why So Serial?
[Wroclaw #7] Why So Serial?OWASP
 
Tw noche geek quito webappsec
Tw noche geek quito webappsecTw noche geek quito webappsec
Tw noche geek quito webappsecThoughtworks
 
[Wroclaw #7] AWS (in)security - the devil is in the detail
[Wroclaw #7] AWS (in)security - the devil is in the detail[Wroclaw #7] AWS (in)security - the devil is in the detail
[Wroclaw #7] AWS (in)security - the devil is in the detailOWASP
 
Java Secure Coding Practices
Java Secure Coding PracticesJava Secure Coding Practices
Java Secure Coding PracticesOWASPKerala
 
Anatomy of a Cloud Hack
Anatomy of a Cloud HackAnatomy of a Cloud Hack
Anatomy of a Cloud HackNotSoSecure Global Services
 
Cyber ppt
Cyber pptCyber ppt
Cyber pptkarthik menon
 
CloudFlare vs Incapsula: Round 2
CloudFlare vs Incapsula: Round 2CloudFlare vs Incapsula: Round 2
CloudFlare vs Incapsula: Round 2Zero Science Lab
 
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...CODE BLUE
 
[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10OWASP
 
Bsides-Philly-2016-Finding-A-Companys-BreakPoint
Bsides-Philly-2016-Finding-A-Companys-BreakPointBsides-Philly-2016-Finding-A-Companys-BreakPoint
Bsides-Philly-2016-Finding-A-Companys-BreakPointZack Meyers
 
Oracle Database 12c Attack Vectors
Oracle Database 12c Attack VectorsOracle Database 12c Attack Vectors
Oracle Database 12c Attack VectorsMartin Toshev
 
Automating Security Testing with the OWTF
Automating Security Testing with the OWTFAutomating Security Testing with the OWTF
Automating Security Testing with the OWTFJerod Brennen
 
Web Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedWeb Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedPrathan Phongthiproek
 
[OWASP Poland Day] Web App Security Architectures
[OWASP Poland Day] Web App Security Architectures[OWASP Poland Day] Web App Security Architectures
[OWASP Poland Day] Web App Security ArchitecturesOWASP
 
Web Application Firewalls Detection, Bypassing And Exploitation
Web Application Firewalls Detection, Bypassing And ExploitationWeb Application Firewalls Detection, Bypassing And Exploitation
Web Application Firewalls Detection, Bypassing And ExploitationSandro Gauci
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules CoverageSunny Neo
 
Magento 2 product import export
Magento 2 product import exportMagento 2 product import export
Magento 2 product import exportBenno Lippert
 
INTERSPORT e-Commerce with Divante
INTERSPORT e-Commerce with DivanteINTERSPORT e-Commerce with Divante
INTERSPORT e-Commerce with DivanteDivante
 

Weitere ähnliche Inhalte

Was ist angesagt?

Is code review the solution?
Is code review the solution?Is code review the solution?
Is code review the solution?Tiago Mendo
 
Advanced SQL Injection Attack & Defenses
Advanced SQL Injection Attack & DefensesAdvanced SQL Injection Attack & Defenses
Advanced SQL Injection Attack & DefensesTiago Mendo
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
[Wroclaw #7] Why So Serial?
[Wroclaw #7] Why So Serial?[Wroclaw #7] Why So Serial?
[Wroclaw #7] Why So Serial?OWASP
 
Tw noche geek quito webappsec
Tw noche geek quito webappsecTw noche geek quito webappsec
Tw noche geek quito webappsecThoughtworks
 
[Wroclaw #7] AWS (in)security - the devil is in the detail
[Wroclaw #7] AWS (in)security - the devil is in the detail[Wroclaw #7] AWS (in)security - the devil is in the detail
[Wroclaw #7] AWS (in)security - the devil is in the detailOWASP
 
Java Secure Coding Practices
Java Secure Coding PracticesJava Secure Coding Practices
Java Secure Coding PracticesOWASPKerala
 
CloudFlare vs Incapsula: Round 2
CloudFlare vs Incapsula: Round 2CloudFlare vs Incapsula: Round 2
CloudFlare vs Incapsula: Round 2Zero Science Lab
 
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...CODE BLUE
 
[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10OWASP
 
Bsides-Philly-2016-Finding-A-Companys-BreakPoint
Bsides-Philly-2016-Finding-A-Companys-BreakPointBsides-Philly-2016-Finding-A-Companys-BreakPoint
Bsides-Philly-2016-Finding-A-Companys-BreakPointZack Meyers
 
Oracle Database 12c Attack Vectors
Oracle Database 12c Attack VectorsOracle Database 12c Attack Vectors
Oracle Database 12c Attack VectorsMartin Toshev
 
Automating Security Testing with the OWTF
Automating Security Testing with the OWTFAutomating Security Testing with the OWTF
Automating Security Testing with the OWTFJerod Brennen
 
Web Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedWeb Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedPrathan Phongthiproek
 
[OWASP Poland Day] Web App Security Architectures
[OWASP Poland Day] Web App Security Architectures[OWASP Poland Day] Web App Security Architectures
[OWASP Poland Day] Web App Security ArchitecturesOWASP
 
Web Application Firewalls Detection, Bypassing And Exploitation
Web Application Firewalls Detection, Bypassing And ExploitationWeb Application Firewalls Detection, Bypassing And Exploitation
Web Application Firewalls Detection, Bypassing And ExploitationSandro Gauci
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules CoverageSunny Neo
 

Was ist angesagt? (20)

Is code review the solution?
Is code review the solution?Is code review the solution?
Is code review the solution?
 
Advanced SQL Injection Attack & Defenses
Advanced SQL Injection Attack & DefensesAdvanced SQL Injection Attack & Defenses
Advanced SQL Injection Attack & Defenses
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing Techniques
 
Zap vs burp
Zap vs burpZap vs burp
Zap vs burp
 
[Wroclaw #7] Why So Serial?
[Wroclaw #7] Why So Serial?[Wroclaw #7] Why So Serial?
[Wroclaw #7] Why So Serial?
 
Tw noche geek quito webappsec
Tw noche geek quito webappsecTw noche geek quito webappsec
Tw noche geek quito webappsec
 
[Wroclaw #7] AWS (in)security - the devil is in the detail
[Wroclaw #7] AWS (in)security - the devil is in the detail[Wroclaw #7] AWS (in)security - the devil is in the detail
[Wroclaw #7] AWS (in)security - the devil is in the detail
 
Java Secure Coding Practices
Java Secure Coding PracticesJava Secure Coding Practices
Java Secure Coding Practices
 
Anatomy of a Cloud Hack
Anatomy of a Cloud HackAnatomy of a Cloud Hack
Anatomy of a Cloud Hack
 
Cyber ppt
Cyber pptCyber ppt
Cyber ppt
 
CloudFlare vs Incapsula: Round 2
CloudFlare vs Incapsula: Round 2CloudFlare vs Incapsula: Round 2
CloudFlare vs Incapsula: Round 2
 
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
 
[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10
 
Bsides-Philly-2016-Finding-A-Companys-BreakPoint
Bsides-Philly-2016-Finding-A-Companys-BreakPointBsides-Philly-2016-Finding-A-Companys-BreakPoint
Bsides-Philly-2016-Finding-A-Companys-BreakPoint
 
Oracle Database 12c Attack Vectors
Oracle Database 12c Attack VectorsOracle Database 12c Attack Vectors
Oracle Database 12c Attack Vectors
 
Automating Security Testing with the OWTF
Automating Security Testing with the OWTFAutomating Security Testing with the OWTF
Automating Security Testing with the OWTF
 
Web Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedWeb Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or Succeed
 
[OWASP Poland Day] Web App Security Architectures
[OWASP Poland Day] Web App Security Architectures[OWASP Poland Day] Web App Security Architectures
[OWASP Poland Day] Web App Security Architectures
 
Web Application Firewalls Detection, Bypassing And Exploitation
Web Application Firewalls Detection, Bypassing And ExploitationWeb Application Firewalls Detection, Bypassing And Exploitation
Web Application Firewalls Detection, Bypassing And Exploitation
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules Coverage
 

Andere mochten auch

Magento 2 product import export
Magento 2 product import exportMagento 2 product import export
Magento 2 product import exportBenno Lippert
 
INTERSPORT e-Commerce with Divante
INTERSPORT e-Commerce with DivanteINTERSPORT e-Commerce with Divante
INTERSPORT e-Commerce with DivanteDivante
 
E-Commerce Technology
E-Commerce TechnologyE-Commerce Technology
E-Commerce TechnologyDivante
 
Magento implementation - by Divante.co
Magento implementation - by Divante.coMagento implementation - by Divante.co
Magento implementation - by Divante.coDivante
 
E-Commerce Case Studies
E-Commerce Case StudiesE-Commerce Case Studies
E-Commerce Case StudiesDivante
 
e-Commerce Trends from 2014 to 2015 by Divante.co
e-Commerce Trends from 2014 to 2015 by Divante.coe-Commerce Trends from 2014 to 2015 by Divante.co
e-Commerce Trends from 2014 to 2015 by Divante.coDivante
 

Andere mochten auch (6)

Magento 2 product import export
Magento 2 product import exportMagento 2 product import export
Magento 2 product import export
 
INTERSPORT e-Commerce with Divante
INTERSPORT e-Commerce with DivanteINTERSPORT e-Commerce with Divante
INTERSPORT e-Commerce with Divante
 
E-Commerce Technology
E-Commerce TechnologyE-Commerce Technology
E-Commerce Technology
 
Magento implementation - by Divante.co
Magento implementation - by Divante.coMagento implementation - by Divante.co
Magento implementation - by Divante.co
 
E-Commerce Case Studies
E-Commerce Case StudiesE-Commerce Case Studies
E-Commerce Case Studies
 
e-Commerce Trends from 2014 to 2015 by Divante.co
e-Commerce Trends from 2014 to 2015 by Divante.coe-Commerce Trends from 2014 to 2015 by Divante.co
e-Commerce Trends from 2014 to 2015 by Divante.co
 

Ähnlich wie Planning the OWASP Testing Guide v4 Update

Ved du, hvor dine data er - og hvem, der har adgang til dem? Ron Ben Natan, I...
Ved du, hvor dine data er - og hvem, der har adgang til dem? Ron Ben Natan, I...Ved du, hvor dine data er - og hvem, der har adgang til dem? Ron Ben Natan, I...
Ved du, hvor dine data er - og hvem, der har adgang til dem? Ron Ben Natan, I...IBM Danmark
 
Web application penetration testing
Web application penetration testingWeb application penetration testing
Web application penetration testingImaginea
 
50357 a enu-module02
50357 a enu-module0250357 a enu-module02
50357 a enu-module02Bố Su
 
Security best practices
Security best practicesSecurity best practices
Security best practicesAVEVA
 
Gtb Dlp & Irm Solution Product And Deployment Overview
Gtb Dlp & Irm Solution Product And Deployment OverviewGtb Dlp & Irm Solution Product And Deployment Overview
Gtb Dlp & Irm Solution Product And Deployment Overviewgtbsalesindia
 
Admin Tech Ed Presentation Hardening Sql Server
Admin Tech Ed Presentation Hardening Sql ServerAdmin Tech Ed Presentation Hardening Sql Server
Admin Tech Ed Presentation Hardening Sql Serverrsnarayanan
 
Istio: Using nginMesh as the service proxy
Istio: Using nginMesh as the service proxyIstio: Using nginMesh as the service proxy
Istio: Using nginMesh as the service proxyLee Calcote
 
Test driven development for infrastructure as-a-code, the future trend_Gianfr...
Test driven development for infrastructure as-a-code, the future trend_Gianfr...Test driven development for infrastructure as-a-code, the future trend_Gianfr...
Test driven development for infrastructure as-a-code, the future trend_Gianfr...Katherine Golovinova
 
Supplement V1.2
Supplement V1.2Supplement V1.2
Supplement V1.2cissp taiwan
 
NET RIA Services - Building Data-Driven Applications with Microsoft Silverlig...
NET RIA Services - Building Data-Driven Applications with Microsoft Silverlig...NET RIA Services - Building Data-Driven Applications with Microsoft Silverlig...
NET RIA Services - Building Data-Driven Applications with Microsoft Silverlig...goodfriday
 
Cybersecurity - Mobile Application Security
Cybersecurity - Mobile Application SecurityCybersecurity - Mobile Application Security
Cybersecurity - Mobile Application SecurityEryk Budi Pratama
 
Kerberos, Token and Hadoop
Kerberos, Token and HadoopKerberos, Token and Hadoop
Kerberos, Token and HadoopKai Zheng
 
Secure Cloud Computing for the Health Enterprise
Secure Cloud Computing for the Health EnterpriseSecure Cloud Computing for the Health Enterprise
Secure Cloud Computing for the Health EnterpriseJoel Amoussou
 
Openstack@ebay: Practical SDN deployment with Quantum
Openstack@ebay: Practical SDN deployment with QuantumOpenstack@ebay: Practical SDN deployment with Quantum
Openstack@ebay: Practical SDN deployment with QuantumJean-Christophe "JC" Martin
 
Large Scale Deployment of SOA-P
Large Scale Deployment of SOA-PLarge Scale Deployment of SOA-P
Large Scale Deployment of SOA-PC2B2 Consulting
 
Best Practices for Securing Active Directory v2.0
Best Practices for Securing Active Directory v2.0Best Practices for Securing Active Directory v2.0
Best Practices for Securing Active Directory v2.0Danny Wong
 
Webinar issues we_find_slideshare
Webinar issues we_find_slideshareWebinar issues we_find_slideshare
Webinar issues we_find_slideshareSOASTA
 
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...APIsecure_ Official
 
Why Assertion-based Access Token is preferred to Handle-based one?
Why Assertion-based Access Token is preferred to Handle-based one?Why Assertion-based Access Token is preferred to Handle-based one?
Why Assertion-based Access Token is preferred to Handle-based one?Hitachi, Ltd. OSS Solution Center.
 
Kubernetes Summit 2021: Multi-Cluster - The Good, the Bad and the Ugly
Kubernetes Summit 2021: Multi-Cluster - The Good, the Bad and the UglyKubernetes Summit 2021: Multi-Cluster - The Good, the Bad and the Ugly
Kubernetes Summit 2021: Multi-Cluster - The Good, the Bad and the Uglysmalltown
 

Ähnlich wie Planning the OWASP Testing Guide v4 Update (20)

Ved du, hvor dine data er - og hvem, der har adgang til dem? Ron Ben Natan, I...
Ved du, hvor dine data er - og hvem, der har adgang til dem? Ron Ben Natan, I...Ved du, hvor dine data er - og hvem, der har adgang til dem? Ron Ben Natan, I...
Ved du, hvor dine data er - og hvem, der har adgang til dem? Ron Ben Natan, I...
 
Web application penetration testing
Web application penetration testingWeb application penetration testing
Web application penetration testing
 
50357 a enu-module02
50357 a enu-module0250357 a enu-module02
50357 a enu-module02
 
Security best practices
Security best practicesSecurity best practices
Security best practices
 
Gtb Dlp & Irm Solution Product And Deployment Overview
Gtb Dlp & Irm Solution Product And Deployment OverviewGtb Dlp & Irm Solution Product And Deployment Overview
Gtb Dlp & Irm Solution Product And Deployment Overview
 
Admin Tech Ed Presentation Hardening Sql Server
Admin Tech Ed Presentation Hardening Sql ServerAdmin Tech Ed Presentation Hardening Sql Server
Admin Tech Ed Presentation Hardening Sql Server
 
Istio: Using nginMesh as the service proxy
Istio: Using nginMesh as the service proxyIstio: Using nginMesh as the service proxy
Istio: Using nginMesh as the service proxy
 
Test driven development for infrastructure as-a-code, the future trend_Gianfr...
Test driven development for infrastructure as-a-code, the future trend_Gianfr...Test driven development for infrastructure as-a-code, the future trend_Gianfr...
Test driven development for infrastructure as-a-code, the future trend_Gianfr...
 
Supplement V1.2
Supplement V1.2Supplement V1.2
Supplement V1.2
 
NET RIA Services - Building Data-Driven Applications with Microsoft Silverlig...
NET RIA Services - Building Data-Driven Applications with Microsoft Silverlig...NET RIA Services - Building Data-Driven Applications with Microsoft Silverlig...
NET RIA Services - Building Data-Driven Applications with Microsoft Silverlig...
 
Cybersecurity - Mobile Application Security
Cybersecurity - Mobile Application SecurityCybersecurity - Mobile Application Security
Cybersecurity - Mobile Application Security
 
Kerberos, Token and Hadoop
Kerberos, Token and HadoopKerberos, Token and Hadoop
Kerberos, Token and Hadoop
 
Secure Cloud Computing for the Health Enterprise
Secure Cloud Computing for the Health EnterpriseSecure Cloud Computing for the Health Enterprise
Secure Cloud Computing for the Health Enterprise
 
Openstack@ebay: Practical SDN deployment with Quantum
Openstack@ebay: Practical SDN deployment with QuantumOpenstack@ebay: Practical SDN deployment with Quantum
Openstack@ebay: Practical SDN deployment with Quantum
 
Large Scale Deployment of SOA-P
Large Scale Deployment of SOA-PLarge Scale Deployment of SOA-P
Large Scale Deployment of SOA-P
 
Best Practices for Securing Active Directory v2.0
Best Practices for Securing Active Directory v2.0Best Practices for Securing Active Directory v2.0
Best Practices for Securing Active Directory v2.0
 
Webinar issues we_find_slideshare
Webinar issues we_find_slideshareWebinar issues we_find_slideshare
Webinar issues we_find_slideshare
 
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...
 
Why Assertion-based Access Token is preferred to Handle-based one?
Why Assertion-based Access Token is preferred to Handle-based one?Why Assertion-based Access Token is preferred to Handle-based one?
Why Assertion-based Access Token is preferred to Handle-based one?
 
Kubernetes Summit 2021: Multi-Cluster - The Good, the Bad and the Ugly
Kubernetes Summit 2021: Multi-Cluster - The Good, the Bad and the UglyKubernetes Summit 2021: Multi-Cluster - The Good, the Bad and the Ugly
Kubernetes Summit 2021: Multi-Cluster - The Good, the Bad and the Ugly
 

Mehr von OWASP (Open Web Application Security Project)

Mehr von OWASP (Open Web Application Security Project) (16)

Paralelni polisweb
Paralelni poliswebParalelni polisweb
Paralelni polisweb
 
Nethemba - Writing exploits
Nethemba - Writing exploitsNethemba - Writing exploits
Nethemba - Writing exploits
 
Preco sa rozhodnut pre spolocnost Nethemba
Preco sa rozhodnut pre spolocnost NethembaPreco sa rozhodnut pre spolocnost Nethemba
Preco sa rozhodnut pre spolocnost Nethemba
 
Bypassing Web Application Firewalls
Bypassing Web Application FirewallsBypassing Web Application Firewalls
Bypassing Web Application Firewalls
 
Nethemba metasploit
Nethemba metasploitNethemba metasploit
Nethemba metasploit
 
Sms ticket-hack4
Sms ticket-hack4Sms ticket-hack4
Sms ticket-hack4
 
Se linux course1
Se linux course1Se linux course1
Se linux course1
 
Real web-attack-scenario
Real web-attack-scenarioReal web-attack-scenario
Real web-attack-scenario
 
Practical web-attacks2
Practical web-attacks2Practical web-attacks2
Practical web-attacks2
 
Php sec
Php secPhp sec
Php sec
 
Nove trendy-zranitelnosti
Nove trendy-zranitelnostiNove trendy-zranitelnosti
Nove trendy-zranitelnosti
 
New web attacks-nethemba
New web attacks-nethembaNew web attacks-nethemba
New web attacks-nethemba
 
Nethemba profil
Nethemba profilNethemba profil
Nethemba profil
 
Mifare classic-slides
Mifare classic-slidesMifare classic-slides
Mifare classic-slides
 
1.nove trendy-zranitelnosti luptak
1.nove trendy-zranitelnosti luptak1.nove trendy-zranitelnosti luptak
1.nove trendy-zranitelnosti luptak
 
Nethemba profil
Nethemba profilNethemba profil
Nethemba profil
 

KĂźrzlich hochgeladen

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 

KĂźrzlich hochgeladen (20)

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 

Planning the OWASP Testing Guide v4 Update

  • 1. Planning the OWASP Testing Guide v4 Matteo Meucci, Giorgio Fedon, Pavol Luptak
  • 2. AG E N DA • Few words about the TG history and adoption by the Companies • Why we need the Common Numbering and Common Vulnerability list • Update the set of test • V4 Roadmap
  • 3. What is the OWASP Testing Guide? Where are we now?
  • 4. Testing Guide history • January 2004 – "The OWASP Testing Guide", Version 1.0 • July 14, 2004 – "OWASP Web Application Penetration Checklist", Version 1.1 • December 25, 2006 – "OWASP Testing Guide", Version 2.0 • December 16, 2008 – "OWASP Testing Guide", Version 3.0 – Released at the OWASP Summit 08
  • 5. Project Complexity Pages 400 350 300 250 200 Pages 150 100 50 0 v1 v1.1 v2 v3
  • 6. OWASP Testing Guide v3 • SANS Top 20 2007 • NIST “Technical Guide to Information Security Testing (Draft)” • Gary McGraw (CTO Cigital) says: “In my opinion it is the strongest piece of Intellectual Property in the OWASP portfolio” – OWASP Podcast by Jim Manico
  • 7. Testing Guide v3: Index 1. Frontispiece 2. Introduction 3. The OWASP Testing Framework 4. Web Application Penetration Testing 5. Writing Reports: value the real risk Appendix A: Testing Tools Appendix B: Suggested Reading Appendix C: Fuzz Vectors Appendix D: Encoded Injection
  • 8. What are the difference between the OWASP Testing Guide and another book about WebApp PenTesting?
  • 9. Web Application Penetration Testing • OWASP Testing Guide is driven by our Community • It’s related to the other OWASP guides • Our approach in writing this guide – Open – Collaborative • Defined testing methodology – Consistent – Repeatable – Under quality 9
  • 10. Testing Guide Categories & vulnerability list
  • 11. What we need now to improve the v3 and plan the v4?
  • 12. OWASP Common Vulnerability List We need a common vulnerability list 12
  • 13. Looking at the Testing Guide Categories & vulnerability list
  • 15. Andrew Muller Mike Hryekewicz Aung KhAnt Nick Freeman Cecil Su Norbert Szetei Colin Watson Paolo Perego Daniel Cuthbert Pavol Luptak Giorgio Fedon Psiinon Jason Flood Ray Schippers Javier Marcos de Prado Robert Smith Juan Galiana Lara Robert Winkel Kenan Gursoy Roberto Suggi Liverani Kevin Horvat Sebastien Gioria Lode Vanstechelman Stefano Di Paola Marco Morana Sumit Siddharth Matt Churchy Thomas Ryan Matteo Meucci Tim Bertels Michael Boman Tripurari Rai Wagner Elias
  • 16. Proposed v4 list: let’s discuss it Category Vulnerability name Where implemented Source Information Gathering Information Disclosure TG, ecc, --> link TG Configuration and Deploy Infrastructure Configuration management Management weakness TG Application Configuration management weakness TG File extensions handling TG Old, backup and unreferenced files TG Access to Admin interfaces TG Bad HTTP Methods enabled, (XST permitted: to eliminate or TG Informative Error Messages Database credentials/connection strings available Business logic Business Logic TG Credentials transport over an unencrypted Authentication channel TG User enumeration (also Guessable user account) TG Default passwords TG Weak lock out mechanism new TG Account lockout DoS Bypassing authentication schema TG Directory traversal/file include TG vulnerable remember password TG Logout function not properly implemented, browser cache weakness TG Weak Password policy New TG Weak username policy New Anurag weak security question answer New Failure to Restrict access to authenticated resource New Top10 Weak password change function New Vishal
  • 17. Proposed v4 list: let’s discuss it (2) Authorization Path Traversal TG Bypassing authorization schema TG Privilege Escalation TG Insecure Direct Object References Top10 2010 Failure to Restrict access to authorized resource TG Session Managment Bypassing Session Management Schema TG Weak Session Token TG Cookies are set not ‘HTTP Only’, ‘Secure’, and no time validity TG Exposed sensitive session variables TG CSRF Session passed over http Vishal Session token within URL Vishal Session Fixation Vishal Session token not removed on server after logout Vishal Persistent session token Vishal Session token not restrcited properly (such as domain or path not set properly) Vishal Data Validation Reflected XSS TG Stored XSS TG - Vishal HTTP Verb Tampering new TG HTTP Parameter pollution new TG Unvalidated Redirects and Forwards T10 2010: new TG SQL Injection TG SQL Fingerprinting LDAP Injection TG ORM Injection TG XML Injection TG SSI Injection TG XPath Injection TG SOAP Injection IMAP/SMTP Injection TG Code Injection TG OS Commanding TG Buffer overflow Incubated vulnerability HTTP Splitting/Smuggling
  • 18. Proposed v4 list: let’s discuss it (3) Data Encryption? Application did not use encryption Weak SSL/TSL Ciphers, Insufficient Transport Layer Protection Cacheable HTTPS Response Cache directives insecure Insecure Cryptographic Storage only SCR guide T10 2010: new TG Sensitive information sent via unencrypted channels XML interpreter? Weak XML Structure XML content-level WS HTTP GET parameters/REST WS Naughty SOAP attachments WS Replay Testing Client side? DOM XSS TG Cross Site Flashing TG ClickHijacking new TG
  • 19. Proposed v4 news from Pavol - add new opensource testing tools that appeared during last 3 years (and are missing in the OWASP Testing Guide v3) - add few useful and life-scenarios of possible vulnerabilities in Bussiness Logic Testing (many testers have no idea what vulnerabilities in Business Logic exactly mean) - "Brute force testing" of "session ID" is missing in "Session Management Testing", describe other tools for Session ID entropy analysis (e.g. Stompy) - in "Data Validation Testing" describe some basic obfuscation methods for malicious code injection including the statements how it is possible to detect it (web application obfuscation is quite succesfull in bypassing many data validation controls) - split the phase Logout and Browser Cache Management" into two sections
  • 20. Roadmap • Review all the control numbers to adhere to the OWASP Common numbering, • Review all the sections in v3, • Create a more readable guide, eliminating some sections that are not really useful, • Insert new testing techniques: HTTP Verb tampering, HTTP Parameter Pollutions, etc., • Rationalize some sections as Session Management Testing, • Create a new section: Client side security and Firefox extensions testing?