OWASP Testing Guide V4

Planning the OWASP Testing Guide v4
Matteo Meucci, Giorgio Fedon, Pavol Luptak

Agenda
- Few words about the TG history and adoption by the Companies
- Why we need the Common Numbering and Common Vulnerability list
- Update the set of tests
- V4 Roadmap

What is the OWASP Testing Guide? Where are we now?

Testing Guide history
- January 2004 – "The OWASP Testing Guide", Version 1.0
- July 14, 2004 – "OWASP Web Application Penetration Checklist", Version 1.1
- December 25, 2006 – "OWASP Testing Guide", Version 2.0
- December 16, 2008 – "OWASP Testing Guide", Version 3.0 – Released at the OWASP Summit 08

Project v2 – v3

OWASP Testing Guide v3
- SANS Top 20 2007
- NIST "Technical Guide to Information Security Testing (Draft)"
- Gary McGraw (CTO Cigital) says: "In my opinion it is the strongest piece of Intellectual Property in the OWASP portfolio" – OWASP Podcast by Jim Manico

Testing Guide v3: Index
1. Frontispiece
2. Introduction
3. The OWASP Testing Framework
4. Web Application Penetration Testing
5. Writing Reports: value the real risk
Appendix A: Testing Tools
Appendix B: Suggested Reading
Appendix C: Fuzz Vectors
Appendix D: Encoded Injection

What are the differences between the OWASP Testing Guide and any other book about WebApp PenTesting?

Web Application Penetration Testing
- The OWASP Testing Guide is driven by our Community
- It's related to the other OWASP guides
- Our approach in writing this guide
  – Open
  – Collaborative
- Defined testing methodology
  – Consistent
  – Repeatable
  – Under quality

Testing Guide Categories & vulnerability list

What do we need now to improve the v3 and plan the v4?

OWASP Common Vulnerability List
We need a common vulnerability list

Looking at the Testing Guide Categories & vulnerability list

The new team

Andrew Muller, Aung KhAnt, Cecil Su, Colin Watson, Daniel Cuthbert, Giorgio Fedon, Jason Flood, Javier Marcos de Prado, Juan Galiana Lara, Kenan Gursoy, Kevin Horvat, Lode Vanstechelman, Marco Morana, Matt Churchy, Matteo Meucci, Michael Boman, Mike Hryekewicz, Nick Freeman, Norbert Szetei, Paolo Perego, Pavol Luptak, Psiinon, Ray Schippers, Robert Smith, Robert Winkel, Roberto Suggi Liverani, Sebastien Gioria, Stefano Di Paola, Sumit Siddharth, Thomas Ryan, Tim Bertels, Tripurari Rai, Wagner Elias

Proposed v4 list: let's discuss it
Columns: Category | Vulnerability name | Where implemented | Source (TG, ecc. -- link)

Information Gathering
- Information Disclosure

Configuration and Deploy Management
- Infrastructure Configuration management weakness
- Application Configuration management weakness
- File extensions handling
- Old, backup and unreferenced files
- Access to Admin interfaces
- Bad HTTP Methods enabled (XST permitted: to eliminate or
- Informative Error Messages
- Database credentials/connection strings available

Business logic
- Business Logic

Authentication
- Credentials transport over an unencrypted channel
- User enumeration (also Guessable user account)
- Default passwords
- Weak lock out mechanism
- Account lockout DoS
- Bypassing authentication schema
- Directory traversal/file include
- Vulnerable remember password
- Logout function not properly implemented, browser cache weakness
- Weak Password policy
- Weak username policy
- Weak security question answer
- Failure to Restrict access to authenticated resource
- Weak password change function

Source column values as transcribed (row alignment lost in the transcription): TG, TG, TG, TG, TG, TG, TG, TG, TG, TG, new, TG, TG, TG, TG, TG, New, TG, New, Anurag, New, New, Top10, New, Vishal

Proposed v4 list: let's discuss it (2)

Authorization
- Path Traversal
- Bypassing authorization schema
- Privilege Escalation
- Insecure Direct Object References
- Failure to Restrict access to authorized resource
Sources as transcribed: TG, TG, TG, Top10 2010

Session Management
- Bypassing Session Management Schema
- Weak Session Token
- Cookies are set not 'HTTP Only', 'Secure', and no time validity
- Exposed sensitive session variables
- CSRF
- Session passed over http
- Session token within URL
- Session Fixation
- Session token not removed on server after logout
- Persistent session token
- Session token not restricted properly (such as domain or path not set properly)

Data Validation
- Reflected XSS
- Stored XSS
- HTTP Verb Tampering
- HTTP Parameter pollution
- Unvalidated Redirects and Forwards
- SQL Injection
- SQL Fingerprinting
- LDAP Injection
- ORM Injection
- XML Injection
- SSI Injection
- XPath Injection
- SOAP Injection
- IMAP/SMTP Injection
- Code Injection
- OS Commanding
- Buffer overflow
- Incubated vulnerability
- HTTP hal

Source column values as transcribed (row alignment lost in the transcription): Vishal, Vishal, TG, TG - Vishal, new TG, new TG, T10 2010: new TG, TG, TG, TG, TG, TG, TG, TG, TG, TG

Proposed v4 list: let's discuss it (3)

Data Encryption?
- Application did not use encryption
- Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection
- Cacheable HTTPS Response
- Cache directives insecure
- Insecure Cryptographic Storage
- Sensitive information sent via unencrypted channels

XML interpreter?
- Weak XML Structure
- XML content-level
- WS HTTP GET parameters/REST
- WS Naughty SOAP attachments
- WS Replay Testing

Client side?
- DOM XSS
- Cross Site Flashing
- ClickHijacking

Source column values as transcribed (row alignment lost in the transcription): only SCR guide, T10 2010: new TG, TG, TG, new TG

Proposed v4 news from Pavol
- add new open-source testing tools that appeared during the last 3 years (and are missing in the OWASP Testing Guide v3)
- add a few useful, real-life scenarios of possible vulnerabilities in Business Logic Testing (many testers have no idea what vulnerabilities in Business Logic exactly mean)
- "Brute force testing" of "session ID" is missing in "Session Management Testing"; describe other tools for Session ID entropy analysis (e.g. Stompy)
- in "Data Validation Testing" describe some basic obfuscation methods for malicious code injection, including statements on how it is possible to detect it (web application obfuscation is quite successful in bypassing many data validation controls)
- split the phase "Logout and Browser Cache Management" into two sections
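The session ID entropy analysis Pavol asks for can be illustrated with a small script. This is an added example, not code from the presentation or from the OWASP Testing Guide: given a sample of equal-length session tokens captured from your own application, it measures the Shannon entropy of each character position, flags positions that never change, counts duplicates and checks whether hex tokens simply increment. Both token samples below are constructed; the function names are this example's own.

```python
"""Session token sample analysis (added example, not OWASP Testing Guide code).

Given a list of equal-length session tokens issued by the application under
test, report per-position Shannon entropy, fixed positions, duplicates and
counter-like behaviour. The two token samples at the bottom are constructed.
"""
import math
import secrets
from collections import Counter


def shannon_entropy_bits(symbols):
    """Shannon entropy, in bits, of the empirical distribution of `symbols`."""
    total = len(symbols)
    return -sum((n / total) * math.log2(n / total)
                for n in Counter(symbols).values())


def per_position_entropy(tokens):
    """Entropy of each character position across the sampled tokens.

    With N samples a position can show at most log2(N) bits, so a small
    sample under-estimates a good generator; it never flatters a bad one.
    """
    length = len(tokens[0])
    if any(len(t) != length for t in tokens):
        raise ValueError("all sampled tokens must have the same length")
    return [shannon_entropy_bits([t[i] for t in tokens]) for i in range(length)]


def looks_like_counter(tokens):
    """True when every token parses as hex and successive tokens differ by a
    constant, i.e. the variable part is an incrementing counter."""
    try:
        values = [int(t, 16) for t in tokens]
    except ValueError:
        return False
    deltas = {b - a for a, b in zip(values, values[1:])}
    return len(deltas) == 1 and deltas != {0}


def analyze_tokens(tokens, low_bits=1.0):
    """Summarise the sample; positions below `low_bits` of entropy are flagged."""
    ent = per_position_entropy(tokens)
    return {
        "length": len(ent),
        "fixed_positions": [i for i, e in enumerate(ent) if e == 0.0],
        "low_entropy_positions": [i for i, e in enumerate(ent) if 0.0 < e < low_bits],
        # Upper bound on the effective key space: assumes positions are independent.
        "estimated_bits": round(sum(ent), 2),
        "duplicates": sum(1 for n in Counter(tokens).values() if n > 1),
        "counter_like": looks_like_counter(tokens),
    }


# Constructed sample 1: a weak generator (fixed prefix, 32-bit counter, fixed suffix).
WEAK_TOKENS = [f"5e55{1000 + i:08x}00" for i in range(64)]
# Constructed sample 2: 128-bit tokens from a CSPRNG, as a generator should produce.
STRONG_TOKENS = [secrets.token_hex(16) for _ in range(64)]


if __name__ == "__main__":
    for name, sample in (("weak", WEAK_TOKENS), ("strong", STRONG_TOKENS)):
        print(name, analyze_tokens(sample))
```

For the weak sample the report shows 11 of 14 positions never changing, roughly 7 bits of total entropy and a constant step between successive tokens; the CSPRNG sample shows no fixed positions and over 100 bits from 64 samples. Per-position entropy is a screening check only: it will not catch a token whose characters vary but are derived from a predictable seed, which is why the Testing Guide also calls for dedicated randomness tools.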

Roadmap
- Review all the control numbers to adhere to the OWASP Common numbering
- Review all the sections in v3
- Create a more readable guide, eliminating some sections that are not really useful
- Insert new testing techniques: HTTP Verb tampering, HTTP Parameter Pollution, etc.
- Rationalize some sections such as Session Management Testing
- Create a new section: Client side security and Firefox extensions testing?

Questions?
http://www.owasp.org/index.php/OWASP_Testing_Project
matteo.meucci@owasp.org
Thanks!!