OWASP - User contributions [en]

Credential Stuffing Prevention Cheat Sheet

2016-09-20T16:37:40Z

Bradcausey:

= DRAFT CHEAT SHEET - WORK IN PROGRESS =

This document is a work in progress.

== Introduction ==

Credential stuffing is the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts. This is a subset of the brute force attack category: large numbers of spilled credentials are automatically entered into websites until they are potentially matched to an existing account, which the attacker can then hijack for their own purposes.

[https://www.owasp.org/index.php/Credential_stuffing[https://www.owasp.org/index.php/Credential_stuffing]]

=Authors and Primary Editors=

TODO
=Primary Defenses=

It should be noted that defense mechanisms are intended to be used in a layered approach. In most cases, a single defense option would be inadequate to stop most Credential Stuffing attacks.

In many cases, brute force protections will overlap with credential stuffing defenses.

==Defense Option 1: Multi-Factor Authentication ==
TODO

==Defense Option 2: Multi-Step Login Process ==

''Most of the automated account validation we've seen is using single step validation and checking for a success conditions. By forcing the client to render the response and include that in the next request (and including Synchronizer (CSRF) Tokens) we are just eliminating the basic attempts. It's not comprehensive.''

==Defense Option 3: IP blacklists ==
Because the attacker requests will likely originate from a few (or one) IP, addresses attempting to log into multiple accounts can be blocked or sandboxed.

Further, login monitoring with IP tracking could be used to eliminate (most) false positives. Use the last several IPs that the user's account logged in from and compare them to the suspected "bad" IP.

Making the IP bans temporary, say 15 minutes, would reduce the negative impact to the customer and business services (who would have to fix false positives) significantly.

==Defense Option 3: Device Fingerprinting ==
By running some simple javascript device information collections, you can learn certain things about the device(s) used to log into each account. If a Windows(OS)/English(Language)/Chrome(Browser) device logged in the last 5 times, and we have a new geolocation source with Linux/FireFox/Spanish, then we can be pretty certain that the user is not the original one. (other options include timezones, last login times, user agents, java version, flash, etc)

The most simple implementation, while minimizing reduction in effectiveness, would be Operating System + Geolocation + Language.

How you deal with mismatches is also a major consideration. If you are performing complex device fingerprinting, using many variables, then more severe actions might be taken, such as locking the account.

Using simple fingerprinting, with maybe 2 or 3 variables would require that less stringent actions be taken, due to it's higher likelihood of a false positive. In this case, maybe the source IP is blocked if it attempts more than 3 user IDs.

==Defense Option 4: Disallow Email Addresses as User IDs ==
In many cases, credential reuse is an issue because user IDs are the same on multiple sites. In most cases, they are the email address of the user, for usability. This is an obvious problem when considering Credential Stuffing. One possible approach is to avoid use of email addresses as userids.

== Other Cheatsheets ==
{{Cheatsheet_Navigation}}

[[Category:Cheatsheets]]

Credential Stuffing Prevention Cheat Sheet

2016-09-20T16:29:20Z

Bradcausey:

= DRAFT CHEAT SHEET - WORK IN PROGRESS =

This document is a work in progress.

== Introduction ==

Credential stuffing is the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts. This is a subset of the brute force attack category: large numbers of spilled credentials are automatically entered into websites until they are potentially matched to an existing account, which the attacker can then hijack for their own purposes.

[https://www.owasp.org/index.php/Credential_stuffing[https://www.owasp.org/index.php/Credential_stuffing]]

=Authors and Primary Editors=

TODO
=Primary Defenses=

It should be noted that defense mechanisms are intended to be used in a layered approach. In most cases, a single defense option would be inadequate to stop most Credential Stuffing attacks.

In many cases, brute force protections will overlap with credential stuffing defenses.

==Defense Option 1: Multi-Factor Authentication ==
TODO

==Defense Option 2: Multi-Step Login Process ==

''Most of the automated account validation we've seen is using single step validation and checking for a success conditions. By forcing the client to render the response and include that in the next request (and including Synchronizer (CSRF) Tokens) we are just eliminating the basic attempts. It's not comprehensive.''

==Defense Option 3: IP blacklists ==
Because the attacker requests will likely originate from a few (or one) IP, addresses attempting to log into multiple accounts can be blocked or sandboxed.

Further, login monitoring with IP tracking could be used to eliminate (most) false positives. Use the last several IPs that the user's account logged in from and compare them to the suspected "bad" IP.

Making the IP bans temporary, say 15 minutes, would reduce the negative impact to the customer and business services (who would have to fix false positives) significantly.

==Defense Option 3: Device Fingerprinting ==
By running some simple javascript device information collections, you can learn certain things about the device(s) used to log into each account. If a Windows(OS)/Engish(Language)/Chrome(Browser) device logged in the last 5 times, and we have a new geolocation source with Linux/FireFox/Spanish, then we can be pretty certain that the user is not the original one. (other options include timezones, last login times, user agents, java version, flash, etc)

The most simple implementation, while minimizing reduction in effectiveness, would be Operating System + Geo Location + Language.

== Other Cheatsheets ==
{{Cheatsheet_Navigation}}

[[Category:Cheatsheets]]

File:Causey, Brad.png

2013-06-19T18:17:03Z

Bradcausey: uploaded a new version of "File:Causey, Brad.png": Reverted to version as of 22:24, 15 February 2011

File:Causey, Brad.png

2013-06-19T18:15:55Z

Bradcausey: uploaded a new version of "File:Causey, Brad.png"

OWASP Testing Guide v4 Table of Contents

2012-08-30T16:22:51Z

Bradcausey:

__NOTOC__

'''This is DRAFT of the table of content of the New Testing Guide v4.''' 
 You can download the stable version [http://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf here] 

Back to the OWASP Testing Guide Project:
http://www.owasp.org/index.php/OWASP_Testing_Project

'''Updated: 28th August 2012'''

The following are the main improvements we have to realize: 

(1) - Add new testing techniques and OWASP Top10 update: 
- Testing for HTTP Verb tampering 
- Testing for HTTP Parameter Pollutions 
- Testing for URL Redirection 
- Testing for Insecure Direct Object References 
- Testing for Insecure Cryptographic Storage 
- Testing for Failure to Restrict URL Access 
- Testing for Insufficient Transport Layer Protection 
- Testing for Unvalidated Redirects and Forwards. 
 
(2) - Review and improve all the sections in v3, 
 
(3) - Create a more readable guide, eliminating some sections that are not
really useful, Rationalize some sections as Session Management Testing.

(4) Pavol says: - add new opensource testing tools that appeared during last 3 years
(and are missing in the OWASP Testing Guide v3)

- add few useful and life-scenarios of possible
vulnerabilities in Bussiness Logic Testing (many testers have no idea what
vulnerabilities in Business Logic exactly mean)

- "Brute force testing" of "session ID" is missing in "Session Management
Testing", describe other tools for Session ID entropy analysis
(e.g. Stompy)

- in "Data Validation Testing" describe some basic obfuscation methods for
malicious code injection including the statements how it is possible to
detect it (web application obfuscation is quite succesfull in bypassing
many data validation controls)

- split the phase Logout and Browser Cache Management" into two sections
 
The following is a DRAFT of the Toc based on the feedback already received.

 
'''T A B L E o f C O N T E N T S (DRAFT)'''
----

==[[Testing Guide Foreword|Foreword by OWASP Chair]]== [To review--> OWASP Chair]

==[[Testing Guide Frontispiece |1. Frontispiece]]== [To review--> Mat]

'''[[Testing Guide Frontispiece|1.1 About the OWASP Testing Guide Project]]''' [To review--> Mat]

'''[[About The Open Web Application Security Project|1.2 About The Open Web Application Security Project]]''' [To review--> ]

==[[Testing Guide Introduction|2. Introduction]]==

'''2.1 The OWASP Testing Project'''

'''2.2 Principles of Testing'''

'''2.3 Testing Techniques Explained'''

2.4 [https://www.owasp.org/index.php/Testing_Guide_Introduction#Security_Requirements_Test_Derivation Security requirements test derivation],[https://www.owasp.org/index.php/Testing_Guide_Introduction#Functional_and_Non_Functional_Test_Requirements functional and non functional test requirements], and [https://www.owasp.org/index.php/Testing_Guide_Introduction#Test_Cases_Through_Use_and_Misuse_Cases test cases through use and misuse cases]

2.5 [https://www.owasp.org/index.php/Testing_Guide_Introduction#Security_Test_Data_Analysis_and_Reporting Security test data analysis and reporting: root cause identification and business/role case test data reporting]

==[[The OWASP Testing Framework|3. The OWASP Testing Framework]]==

'''3.1. Overview'''

'''3.2. Phase 1: Before Development Begins '''

'''3.3. Phase 2: During Definition and Design'''

'''3.4. Phase 3: During Development'''

'''3.5. Phase 4: During Deployment'''

'''3.6. Phase 5: Maintenance and Operations'''

'''3.7. A Typical SDLC Testing Workflow '''

==[[Web Application Penetration Testing |4. Web Application Penetration Testing ]]==

[[Testing: Introduction and objectives|'''4.1 Introduction and Objectives''']] [To review--> Mat]

[[Testing Checklist| 4.1.1 Testing Checklist]] [To review at the end of brainstorming --> Mat]

[[Testing: Information Gathering|'''4.2 Information Gathering ''']] [To review--> contributor here]

[[Testing for configuration management|'''4.3 Configuration and Deploy Management Testing ''']]

Infrastructure Configuration management weakness 
Application Configuration management weakness 
File extensions handling 
Old, backup and unreferenced files 
Access to Admin interfaces 
Bad HTTP Methods enabled, [new] 
Informative Error Messages 
Database credentials/connection strings available 

[[Testing for authentication|'''4.4 Authentication Testing ''']]

Credentials transport over an unencrypted channel 
User enumeration (also Guessable user account) 
Default passwords 
Weak lock out mechanism [New!] 
Account lockout DoS [New!] 
Bypassing authentication schema 
Directory traversal/file include 
vulnerable remember password 
Logout function not properly implemented 
browser cache weakness [New!] 
Weak Password policy [New!] 
Weak username policy [New!] 
weak security question answer [New!] 
Failure to Restrict access to authenticated resource [New!] 
Weak password change function [New!] 

[[Testing for Session Management|'''4.5 Session Management Testing''']]

Bypassing Session Management Schema 
Weak Session Token 
Cookies are set not ‘HTTP Only’, ‘Secure’, and no time validity 
Exposed sensitive session variables 
CSRF 
Session passed over http [New!] 
Session token within URL [New!] 
Session Fixation 
Session token not removed on server after logout [New!] 
Persistent session token [New!] 
Session token not restrcited properly (such as domain or path not set properly) [New!] 

[[Testing for Authorization|'''4.6 Authorization Testing''']]

Bypassing authorization schema 
Privilege Escalation 
Insecure Direct Object References 
Failure to Restrict access to authorized resource [New!] 

[[Testing for business logic (OWASP-BL-001)|'''4.7 Business Logic Testing (OWASP-BL-001)''']] [To review--> contributor here]
Business Logic 

[[Testing for Data Validation|'''4.8 Data Validation Testing''']]

Reflected XSS 
Stored XSS 
HTTP Verb Tampering [Brad Causey] 
HTTP Parameter pollution [Brad Causey] 
Unvalidated Redirects and Forwards [Brad Causey] 
SQL Injection [Brad Causey] 
LDAP Injection 
ORM Injection 
XML Injection 
SSI Injection 
XPath Injection 
SOAP Injection 
IMAP/SMTP Injection 
Code Injection 
OS Commanding 
Buffer overflow 
Incubated vulnerability 
HTTP Splitting/Smuggling 

[[Testing for Data Encryption (New!)]]

Application did not use encryption 
Weak SSL/TSL Ciphers, Insufficient 
Transport Layer Protection 
Cacheable HTTPS Response 
Cache directives insecure 
Insecure Cryptographic Storage [mainly CR Guide] 
Sensitive information sent via unencrypted
channels 

[[ XML Interpreter? (New!)]]

Weak XML Structure
XML content-level
WS HTTP GET parameters/REST
WS Naughty SOAP attachments
WS Replay Testing

[[ Client Side Testing (New!) ]]

DOM XSS 
Cross Site Flashing 
ClickHijacking 

==[[Writing Reports: value the real risk |5. Writing Reports: value the real risk ]]==

[[How to value the real risk |5.1 How to value the real risk]] [To review--> contributor here]

[[How to write the report of the testing |5.2 How to write the report of the testing]] [To review--> contributor here]

==[[Appendix A: Testing Tools |Appendix A: Testing Tools ]]==

* Black Box Testing Tools [To review--> contributor here]
* Source Code Analyzers [To review--> contributor here]
* Other Tools [To review--> contributor here]

==[[OWASP Testing Guide Appendix B: Suggested Reading | Appendix B: Suggested Reading]]==
* Whitepapers [To review--> contributor here]
* Books [To review--> contributor here]
* Useful Websites [To review--> contributor here]

==[[OWASP Testing Guide Appendix C: Fuzz Vectors | Appendix C: Fuzz Vectors]]==

* Fuzz Categories [To review--> contributor here]

==[[OWASP Testing Guide Appendix D: Encoded Injection | Appendix D: Encoded Injection]]==

[To review--> contributor here]

----

[[Category:OWASP Testing Project]]

OWASP Testing Guide v4 Table of Contents

2012-08-30T16:22:23Z

Bradcausey:

__NOTOC__

'''This is DRAFT of the table of content of the New Testing Guide v4.''' 
 You can download the stable version [http://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf here] 

Back to the OWASP Testing Guide Project:
http://www.owasp.org/index.php/OWASP_Testing_Project

'''Updated: 28th August 2012'''

The following are the main improvements we have to realize: 

(1) - Add new testing techniques and OWASP Top10 update: 
- Testing for HTTP Verb tampering 
- Testing for HTTP Parameter Pollutions 
- Testing for URL Redirection 
- Testing for Insecure Direct Object References 
- Testing for Insecure Cryptographic Storage 
- Testing for Failure to Restrict URL Access 
- Testing for Insufficient Transport Layer Protection 
- Testing for Unvalidated Redirects and Forwards. 
 
(2) - Review and improve all the sections in v3, 
 
(3) - Create a more readable guide, eliminating some sections that are not
really useful, Rationalize some sections as Session Management Testing.

(4) Pavol says: - add new opensource testing tools that appeared during last 3 years
(and are missing in the OWASP Testing Guide v3)

- add few useful and life-scenarios of possible
vulnerabilities in Bussiness Logic Testing (many testers have no idea what
vulnerabilities in Business Logic exactly mean)

- "Brute force testing" of "session ID" is missing in "Session Management
Testing", describe other tools for Session ID entropy analysis
(e.g. Stompy)

- in "Data Validation Testing" describe some basic obfuscation methods for
malicious code injection including the statements how it is possible to
detect it (web application obfuscation is quite succesfull in bypassing
many data validation controls)

- split the phase Logout and Browser Cache Management" into two sections
 
The following is a DRAFT of the Toc based on the feedback already received.

 
'''T A B L E o f C O N T E N T S (DRAFT)'''
----

==[[Testing Guide Foreword|Foreword by OWASP Chair]]== [To review--> OWASP Chair]

==[[Testing Guide Frontispiece |1. Frontispiece]]== [To review--> Mat]

'''[[Testing Guide Frontispiece|1.1 About the OWASP Testing Guide Project]]''' [To review--> Mat]

'''[[About The Open Web Application Security Project|1.2 About The Open Web Application Security Project]]''' [To review--> ]

==[[Testing Guide Introduction|2. Introduction]]==

'''2.1 The OWASP Testing Project'''

'''2.2 Principles of Testing'''

'''2.3 Testing Techniques Explained'''

2.4 [https://www.owasp.org/index.php/Testing_Guide_Introduction#Security_Requirements_Test_Derivation Security requirements test derivation],[https://www.owasp.org/index.php/Testing_Guide_Introduction#Functional_and_Non_Functional_Test_Requirements functional and non functional test requirements], and [https://www.owasp.org/index.php/Testing_Guide_Introduction#Test_Cases_Through_Use_and_Misuse_Cases test cases through use and misuse cases]

2.5 [https://www.owasp.org/index.php/Testing_Guide_Introduction#Security_Test_Data_Analysis_and_Reporting Security test data analysis and reporting: root cause identification and business/role case test data reporting]

==[[The OWASP Testing Framework|3. The OWASP Testing Framework]]==

'''3.1. Overview'''

'''3.2. Phase 1: Before Development Begins '''

'''3.3. Phase 2: During Definition and Design'''

'''3.4. Phase 3: During Development'''

'''3.5. Phase 4: During Deployment'''

'''3.6. Phase 5: Maintenance and Operations'''

'''3.7. A Typical SDLC Testing Workflow '''

==[[Web Application Penetration Testing |4. Web Application Penetration Testing ]]==

[[Testing: Introduction and objectives|'''4.1 Introduction and Objectives''']] [To review--> Mat]

[[Testing Checklist| 4.1.1 Testing Checklist]] [To review at the end of brainstorming --> Mat]

[[Testing: Information Gathering|'''4.2 Information Gathering ''']] [To review--> contributor here]

[[Testing for configuration management|'''4.3 Configuration and Deploy Management Testing ''']]

Infrastructure Configuration management weakness 
Application Configuration management weakness 
File extensions handling 
Old, backup and unreferenced files 
Access to Admin interfaces 
Bad HTTP Methods enabled, [new] 
Informative Error Messages 
Database credentials/connection strings available 

[[Testing for authentication|'''4.4 Authentication Testing ''']]

Credentials transport over an unencrypted channel 
User enumeration (also Guessable user account) 
Default passwords 
Weak lock out mechanism [New!] 
Account lockout DoS [New!] 
Bypassing authentication schema 
Directory traversal/file include 
vulnerable remember password 
Logout function not properly implemented 
browser cache weakness [New!] 
Weak Password policy [New!] 
Weak username policy [New!] 
weak security question answer [New!] 
Failure to Restrict access to authenticated resource [New!] 
Weak password change function [New!] 

[[Testing for Session Management|'''4.5 Session Management Testing''']]

Bypassing Session Management Schema 
Weak Session Token 
Cookies are set not ‘HTTP Only’, ‘Secure’, and no time validity 
Exposed sensitive session variables 
CSRF 
Session passed over http [New!] 
Session token within URL [New!] 
Session Fixation 
Session token not removed on server after logout [New!] 
Persistent session token [New!] 
Session token not restrcited properly (such as domain or path not set properly) [New!] 

[[Testing for Authorization|'''4.6 Authorization Testing''']]

Bypassing authorization schema 
Privilege Escalation 
Insecure Direct Object References 
Failure to Restrict access to authorized resource [New!] 

[[Testing for business logic (OWASP-BL-001)|'''4.7 Business Logic Testing (OWASP-BL-001)''']] [To review--> contributor here]
Business Logic 

[[Testing for Data Validation|'''4.8 Data Validation Testing''']]

Reflected XSS 
Stored XSS 
HTTP Verb Tampering [Brad Causey] 
HTTP Parameter pollution [Brad Causey] 
Unvalidated Redirects and Forwards [Brad Causey] 
SQL Injection <Brad Causey>
LDAP Injection 
ORM Injection 
XML Injection 
SSI Injection 
XPath Injection 
SOAP Injection 
IMAP/SMTP Injection 
Code Injection 
OS Commanding 
Buffer overflow 
Incubated vulnerability 
HTTP Splitting/Smuggling 

[[Testing for Data Encryption (New!)]]

Application did not use encryption 
Weak SSL/TSL Ciphers, Insufficient 
Transport Layer Protection 
Cacheable HTTPS Response 
Cache directives insecure 
Insecure Cryptographic Storage [mainly CR Guide] 
Sensitive information sent via unencrypted
channels 

[[ XML Interpreter? (New!)]]

Weak XML Structure
XML content-level
WS HTTP GET parameters/REST
WS Naughty SOAP attachments
WS Replay Testing

[[ Client Side Testing (New!) ]]

DOM XSS 
Cross Site Flashing 
ClickHijacking 

==[[Writing Reports: value the real risk |5. Writing Reports: value the real risk ]]==

[[How to value the real risk |5.1 How to value the real risk]] [To review--> contributor here]

[[How to write the report of the testing |5.2 How to write the report of the testing]] [To review--> contributor here]

==[[Appendix A: Testing Tools |Appendix A: Testing Tools ]]==

* Black Box Testing Tools [To review--> contributor here]
* Source Code Analyzers [To review--> contributor here]
* Other Tools [To review--> contributor here]

==[[OWASP Testing Guide Appendix B: Suggested Reading | Appendix B: Suggested Reading]]==
* Whitepapers [To review--> contributor here]
* Books [To review--> contributor here]
* Useful Websites [To review--> contributor here]

==[[OWASP Testing Guide Appendix C: Fuzz Vectors | Appendix C: Fuzz Vectors]]==

* Fuzz Categories [To review--> contributor here]

==[[OWASP Testing Guide Appendix D: Encoded Injection | Appendix D: Encoded Injection]]==

[To review--> contributor here]

----

[[Category:OWASP Testing Project]]

Global Projects and Tools Committee - Application 7

2012-07-14T03:38:15Z

Bradcausey:

[[How to Join a Committee|Click here to return to 'How to Join a Committee' page]]

----

{| style="width:100%" border="0" align="center"
|-
! colspan="2" align="center" style="background:#4058A0; color:white" | '''COMMITTEE APPLICATION FORM'''
|-
| style="width:25%; background:#7B8ABD" align="center" | '''Applicant's Name'''
| colspan="1" style="width:85%; background:#cccccc" align="left" | Nishi Kumar
|-
| style="width:25%; background:#7B8ABD" align="center" | '''Current and past OWASP Roles'''
| colspan="1" style="width:85%; background:#cccccc" align="left" | OWASP CBT Project Lead and Past member of Global Industry Committee
|-
| style="width:25%; background:#7B8ABD" align="center" | '''Committee Applying for'''
| colspan="1" style="width:85%; background:#cccccc" align="left" | Global Projects and Tools Committee
|}

----

 

----

Please be aware that for an application to be considered by the board, '''you MUST have 5 recommendations'''. An incomplete application will not be considered for vote.

----

 

----

{| style="width:100%" border="0" align="center"
|-
! colspan="8" align="center" style="background:#4058A0; color:white" | '''COMMITTEE RECOMMENDATIONS'''
|-
! align="center" style="background:white; color:white" | 
! align="center" style="background:#7B8ABD; color:white" | '''Who Recommends/Name'''
! align="center" style="background:#7B8ABD; color:white" | '''Role in OWASP'''
! align="center" style="background:#7B8ABD; color:white" | '''Recommendation Content'''
|-
| style="width:3%; background:#cccccc" align="center" | '''1'''
| style="width:20%; background:#cccccc" align="center" | Dan Cornell
| style="width:20%; background:#cccccc" align="center" | Member, Global Membership Committee, Chapter Leader, San Antonio
| style="width:57%; background:#cccccc" align="center" | Nishi has been a long-time OWASP contributor since before the 2008 Summit and has worked on projects such as the OWASP CBT project. She would be an excellent contributor to the OWASP Global Projects and Tools Committee.
|-
| style="width:3%; background:#cccccc" align="center" | '''2'''
| style="width:20%; background:#cccccc" align="center" | Josh Sokol
| style="width:20%; background:#cccccc" align="center" | Chair, Global Chapters Committee & Chapter Leader, Austin
| style="width:57%; background:#cccccc" align="center" | I've known Nishi for many years now as a contributor in the OWASP Austin Chapter. She has been a huge assistance with speaker wrangling for LASCON the past couple years and the Global Projects and Tools Committee would be lucky to have her as a contributor.
|-
| style="width:3%; background:#cccccc" align="center" | '''3'''
| style="width:20%; background:#cccccc" align="center" | Dinis Cruz
| style="width:20%; background:#cccccc" align="center" | O2 Platform Project Leader
| style="width:57%; background:#cccccc" align="center" | I know Nishi since the first Summit and she has done great work on multiple OWASP projects, namely the CBT. Let see if she can inject some Design and Energy into the GPC
|-
| style="width:3%; background:#cccccc" align="center" | '''4'''
| style="width:20%; background:#cccccc" align="center" | Jim Manico
| style="width:20%; background:#cccccc" align="center" | Chair, Connections Committee
| style="width:57%; background:#cccccc" align="center" | Nishi is the perfect combination of smart, fierce and sensitive to the OWASP non-profit mission. We would be lucky to have her participation on the Projects committee!
|-
| style="width:3%; background:#cccccc" align="center" | '''5'''
| style="width:20%; background:#cccccc" align="center" | Brad Causey
| style="width:20%; background:#cccccc" align="center" | Global Projects and Tools Committee
| style="width:57%; background:#cccccc" align="center" | Having worked closely with Nishi for years in my involvement with OWASP, and appreciating her contributions and dedications to it's mission, I cannot imagine a more suitable candidate for the GPC. I would absolutely welcome and appreciate her input and hard work in this important committee within OWASP.

|}

----

Global Conferences Committee - Application 10

2011-05-04T17:21:55Z

2010-10-28T02:01:11Z

Bradcausey:

Summit 2011

2010-10-28T02:00:25Z

Bradcausey:

__NOTOC__

==== Welcome ====

[[Image:Summit Group 4.jpg|border|OWASP Summit 2008 in Portugal]]

Dear OWASP Leaders and appsec community,

January/February 2011 it's time for the Global OWASP Summit. The place where appsec experts meet, discuss, work, socialize, and set the roadmap for OWASP.

=== The Summit Activates *You* ===

Whereas the OWASP AppSec conferences are great places to listen to interesting talks, go for training, and meet with OWASP people, the Global Summit is the place where we all sit down together and take the time to discuss and work out plans, projects and solutions for the appsec future.

Examples of topics:

*How should we support the OWASP projects?
*How can we work with browser vendors to enhance security (see "Browser Day" tab above)?
*How should the community reach out to developers and education institutions?
*How often should we publish the OWASP Top 10?
*How can OWASP support your chapter?

=== Organizing Committee ===

A group of very experienced and passionate OWASPers have joined the organizing committee for Global Summit 2011.

*Lorna Alamri
*Brad Causey
*Justin Clarke
*Paulo Coimbra
*Dinis Cruz
*Martin Knobloch
*Dave Wichers
*John Wilander
*Jason Li
*Tara Causey
*Sarah Baso

=== Who's Invited? ===

As an OWASP leader you are automatically invited to the summit, but we also welcome leading experts from industry and academia. Together we can create a more secure web. Check the "How Do I Join?" tab above for more info.

==== Operational guidelines ====

Following the first meeting of the Summit 2011 Organizational team, here are the current proposed operational guidelines:

#the summit is an annual event
#outside OWASP conference
#the summit should take place in January not later then begin of February
#the summit takes 3 to 4 days
#budget aim is US$ 150'000 US$ where 50'000 from OWASP and US$100'000 from sponsors
#attendees targets are:
##OWASP Funded:
###Board
###Committee Members
##Chapter / sponsor Funded:
###Chapter Leaders
##Project Leaders
#venue / location criteria (no decision on the venue)
##1 key organizer in close contact with the venue
##hosting 30 to 100 people
##US$2'000 a head (flight/accommodation/food/beers)
##conference facilities
###multiple meeting rooms
###one big meeting room e.g. auditorium
###hotel with the conference facilities or conference venue within walking distance
###apartments if possible (to share apartments/rooms and save money)
###4 to 5 star hotel
###local food supplier for apartment crashing
###has to be negotiated with the hotel
###max 50 km's form international airport
###sufficient Internet access!

'''Attendees that qualify to be sponsored by OWASP''' Some leaders that are active within OWASP may qualify to have all or partial transportation and lodging paid for by OWASP. To be considered for qualification, you must meet one or more of the following criteria:

#Member of the OWASP Board
#Member of a global committee that has been active in the last 6 months. This will be verified by the leader(s) of the committee.
#Key personnel that are integral to the operation of the summit

If you feel you might qualify, please contact [[Bradcausey@owasp.org|Brad Causey]] or [[Jasonli@owasp.org|Jason Li]]. If you do not meet these criteria, and still feel that you should be sponsored, please contact [[Bradcausey@owasp.org|Brad Causey]] or [[Jasonli@owasp.org|Jason Li]].

'''Success factors (what indicates the summit as success)'''

#break even
#the summits are the place to go to discus about and working on Web Application Security
#review of the past year
#working sessions on committees, projects and industry sectors (e.g. browsers and frameworks)
##universities / education sessions
##committee member election
##board election
##strategic OWASP issues
##road map and action plans for the next 12 month

Other local Summit(s):

*The conferences are free to organize small, conference bound summit
*this are not sponsored by OWASP of OWASP summit budget

==== Browser Day! ====

One of the great challenges of application security is browser security.

Therefore we will spend '''a full day working together with the leading browser vendors''' to penetrate current problems, new ideas, and how security fits in alongside other requirements from developers and endusers.

Do not miss this chance to define what's important in browser security in the coming years.

=== Agenda ===

Please '''edit this tab and enter topics we should cover''' during the Browser Day. If you want you can add your name after each suggestion and we can work out the details with you.

*How should browsers signal invalid SSL certs to the enduser? Are we helping security right now? /John Wilander
*[Your topic here]

==== XSS Eradication ====

We will have a '''half day working session on Cross Site Scripting''' - specifically how OWASP can make 2011 the year of XSS... going away. How we help bring this about through contributing our knowledge to cornerstone projects, how we can raise the awareness through advocacy, and what we can do to ensure that OWASP and other freely available resources and made available to the wider community, and that they are aware of them.

=== Agenda ===

Please '''edit this tab and enter topics we should cover''' during the XSS session. If you want you can add your name after each suggestion and we can work out the details with you.

*Outreach to frameworks/other constituent parties /Justin Clarke
*OWASP XSS Awareness resources and partner freely available resources /Justin Clarke
*[Your topic here]

==== OWASP Projects ====

We will have a session on how OWASP should support, grow, and manage projects. This includes:

*Assessment criteria
*Orphaned projects
*Funding
*Marketing
*Commercial services

As an OWASP leader you have most probably seen some of the above topics discussed on the leaders list. Now is the time to boil down to consensus.

==== OWASP Around the World ====

OWASP is a fast growing global community. How should we support and manage this growth? During this session we'll look into issues of:

*[http://www.owasp.org/index.php/OWASP_Internationalization Internationalization]
*The [http://www.owasp.org/index.php/OWASP_Jobs global job board]
*New OWASP chapters in parts of the world where we have not spread much yet

==== More Topics ====

You know how OWASP works – it's all up to you. Please '''edit this tab and enter topics we should cover''' during the Global Summit 2011! If you want you can add your name after each suggestion and we can work out the details with you.

*Discussion on Douglas Crockford's bold statement that we should stop HTML5 development, fix XSS, and then start over. Is he right? How is OWASP active in the HTML5 development? Check [http://blip.tv/file/3755495 this webcast], jump to 20:50 to hear the XSS part. /John Wilander
*[Your topic here]

==== How Do I Join? / Mailing list ====

As an OWASP leader you are automatically invited to the summit.

The first thing to do is to join the [https://lists.owasp.org/mailman/listinfo/owasp-summit-2011 Summit 2011 mailing list].

On the mailing list you'll get first hand information on how to register, exact dates, updates to the agenda, funding for your trip etc.

If you are a leading appsec expert from industry or academia but not yet an OWASP leader you can just contact John.Wilander at owasp.org and we'll try to get you in.

==== Social Events ====

It goes without saying – the summit is all about meeting people. So there will be a constant mixture of workshops, dinners, beers and wine. We like to think of the summit as a very social event in itself.

==== Venue ====

Hotel Quinta da Marinha Resort

[[Image:2011venue.jpg]]

Between city and nature, between the beach and the mountain, Hotel Quinta da Marinha Resort - located in the excellent area of Cascais / Sintra, a mere 25 km from Lisbon - is the perfect setting to feel like all your wishes always come true. Discover one of the finest Resorts in Portugal.

*Total Rooms: 11
*“All In One” with 474 m2
*Capacity for 450 persons
*Moveable walls in 4 rooms (“All in One”)
*Wireless Internet access in all rooms and public areas
*Available Av systems, top of the line, for rent
*9 rooms with natural light
*Air conditioning

==== Sponsoring ====

We will welcome a few sponsors of this very special event, typically organization that participate in the summit. If you are interested in supporting the global summit, please contact Lorna.Alamri at owasp.org.

 

'''Attendees that qualify to be sponsored by OWASP Some leaders that are active within OWASP may qualify to have all or partial transportation and lodging paid for by OWASP. To be considered for qualification, you must meet one or more of the following criteria:'''

#Member of the OWASP Board
#Member of a global committee that has been active in the last 6 months. This will be verified by the leader(s) of the committee.
#Key personnel that are integral to the operation of the summit

If you feel you might qualify, please contact Brad Causey or Jason Li. If you do not meet these criteria, and still feel that you should be sponsored, please contact Brad Causey or Jason Li.

<headertabs />

Summit 2011

2010-10-28T01:56:23Z

Bradcausey:

__NOTOC__

==== Welcome ====

[[Image:Summit Group 4.jpg|border|OWASP Summit 2008 in Portugal]]

Dear OWASP Leaders and appsec community,

January/February 2011 it's time for the Global OWASP Summit. The place where appsec experts meet, discuss, work, socialize, and set the roadmap for OWASP.

=== The Summit Activates *You* ===

Whereas the OWASP AppSec conferences are great places to listen to interesting talks, go for training, and meet with OWASP people, the Global Summit is the place where we all sit down together and take the time to discuss and work out plans, projects and solutions for the appsec future.

Examples of topics:

*How should we support the OWASP projects?
*How can we work with browser vendors to enhance security (see "Browser Day" tab above)?
*How should the community reach out to developers and education institutions?
*How often should we publish the OWASP Top 10?
*How can OWASP support your chapter?

=== Organizing Committee ===

A group of very experienced and passionate OWASPers have joined the organizing committee for Global Summit 2011.

*Lorna Alamri
*Brad Causey
*Justin Clarke
*Paulo Coimbra
*Dinis Cruz
*Martin Knobloch
*Dave Wichers
*John Wilander
*Jason Li
*Tara Causey
*Sarah Baso

=== Who's Invited? ===

As an OWASP leader you are automatically invited to the summit, but we also welcome leading experts from industry and academia. Together we can create a more secure web. Check the "How Do I Join?" tab above for more info.

==== Operational guidelines ====

Following the first meeting of the Summit 2011 Organizational team, here are the current proposed operational guidelines:

#the summit is an annual event
#outside OWASP conference
#the summit should take place in January not later then begin of February
#the summit takes 3 to 4 days
#budget aim is US$ 150'000 US$ where 50'000 from OWASP and US$100'000 from sponsors
#attendees targets are:
##OWASP Funded:
###Board
###Committee Members
##Chapter / sponsor Funded:
###Chapter Leaders
##Project Leaders
#venue / location criteria (no decision on the venue)
##1 key organizer in close contact with the venue
##hosting 30 to 100 people
##US$2'000 a head (flight/accommodation/food/beers)
##conference facilities
###multiple meeting rooms
###one big meeting room e.g. auditorium
###hotel with the conference facilities or conference venue within walking distance
###apartments if possible (to share apartments/rooms and save money)
###4 to 5 star hotel
###local food supplier for apartment crashing
###has to be negotiated with the hotel
###max 50 km's form international airport
###sufficient Internet access!

'''Attendees that qualify to be sponsored by OWASP''' Some leaders that are active within OWASP may qualify to have all or partial transportation and lodging paid for by OWASP. To be considered for qualification, you must meet one or more of the following criteria:

#Member of the OWASP Board
#Member of a global committee that has been active in the last 6 months. This will be verified by the leader(s) of the committee.
#Key personnel that are integral to the operation of the summit

If you feel you might qualify, please contact [[Bradcausey@owasp.org|Brad Causey]] or [[Jasonli@owasp.org|Jason Li]]. If you do not meet these criteria, and still feel that you should be sponsored, please contact [[Bradcausey@owasp.org|Brad Causey]] or [[Jasonli@owasp.org|Jason Li]].

'''Success factors (what indicates the summit as success)'''

#break even
#the summits are the place to go to discus about and working on Web Application Security
#review of the past year
#working sessions on committees, projects and industry sectors (e.g. browsers and frameworks)
##universities / education sessions
##committee member election
##board election
##strategic OWASP issues
##road map and action plans for the next 12 month

Other local Summit(s):

*The conferences are free to organize small, conference bound summit
*this are not sponsored by OWASP of OWASP summit budget

==== Browser Day! ====

One of the great challenges of application security is browser security.

Therefore we will spend '''a full day working together with the leading browser vendors''' to penetrate current problems, new ideas, and how security fits in alongside other requirements from developers and endusers.

Do not miss this chance to define what's important in browser security in the coming years.

=== Agenda ===

Please '''edit this tab and enter topics we should cover''' during the Browser Day. If you want you can add your name after each suggestion and we can work out the details with you.

*How should browsers signal invalid SSL certs to the enduser? Are we helping security right now? /John Wilander
*[Your topic here]

==== XSS Eradication ====

We will have a '''half day working session on Cross Site Scripting''' - specifically how OWASP can make 2011 the year of XSS... going away. How we help bring this about through contributing our knowledge to cornerstone projects, how we can raise the awareness through advocacy, and what we can do to ensure that OWASP and other freely available resources and made available to the wider community, and that they are aware of them.

=== Agenda ===

Please '''edit this tab and enter topics we should cover''' during the XSS session. If you want you can add your name after each suggestion and we can work out the details with you.

*Outreach to frameworks/other constituent parties /Justin Clarke
*OWASP XSS Awareness resources and partner freely available resources /Justin Clarke
*[Your topic here]

==== OWASP Projects ====

We will have a session on how OWASP should support, grow, and manage projects. This includes:

*Assessment criteria
*Orphaned projects
*Funding
*Marketing
*Commercial services

As an OWASP leader you have most probably seen some of the above topics discussed on the leaders list. Now is the time to boil down to consensus.

==== OWASP Around the World ====

OWASP is a fast growing global community. How should we support and manage this growth? During this session we'll look into issues of:

*[http://www.owasp.org/index.php/OWASP_Internationalization Internationalization]
*The [http://www.owasp.org/index.php/OWASP_Jobs global job board]
*New OWASP chapters in parts of the world where we have not spread much yet

==== More Topics ====

You know how OWASP works – it's all up to you. Please '''edit this tab and enter topics we should cover''' during the Global Summit 2011! If you want you can add your name after each suggestion and we can work out the details with you.

*Discussion on Douglas Crockford's bold statement that we should stop HTML5 development, fix XSS, and then start over. Is he right? How is OWASP active in the HTML5 development? Check [http://blip.tv/file/3755495 this webcast], jump to 20:50 to hear the XSS part. /John Wilander
*[Your topic here]

==== How Do I Join? / Mailing list ====

As an OWASP leader you are automatically invited to the summit.

The first thing to do is to join the [https://lists.owasp.org/mailman/listinfo/owasp-summit-2011 Summit 2011 mailing list].

On the mailing list you'll get first hand information on how to register, exact dates, updates to the agenda, funding for your trip etc.

If you are a leading appsec expert from industry or academia but not yet an OWASP leader you can just contact John.Wilander at owasp.org and we'll try to get you in.

==== Social Events ====

It goes without saying – the summit is all about meeting people. So there will be a constant mixture of workshops, dinners, beers and wine. We like to think of the summit as a very social event in itself.

==== Venue ====

[[Image:2011venue.jpg]]

We are currently checking out three locations discussing prices and space for all our activities. Check the "How Do I Join?" tab on how to get the latest info in your inbox.

==== Sponsoring ====

We will welcome a few sponsors of this very special event, typically organization that participate in the summit. If you are interested in supporting the global summit, please contact Lorna.Alamri at owasp.org.

 

'''Attendees that qualify to be sponsored by OWASP Some leaders that are active within OWASP may qualify to have all or partial transportation and lodging paid for by OWASP. To be considered for qualification, you must meet one or more of the following criteria:'''

#Member of the OWASP Board
#Member of a global committee that has been active in the last 6 months. This will be verified by the leader(s) of the committee.
#Key personnel that are integral to the operation of the summit

If you feel you might qualify, please contact Brad Causey or Jason Li. If you do not meet these criteria, and still feel that you should be sponsored, please contact Brad Causey or Jason Li.

<headertabs />

2010-02-22T20:23:15Z

Bradcausey:

{{Chapter Template|chaptername=Alabama|extra=The chapter leader is [mailto:bradcausey@gmail.com Brad Causey]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Alabama|emailarchives=http://lists.owasp.org/pipermail/owasp-Alabama}}

==== Local News ====

<paypal>Alabama</paypal>

==== Chapter Meetings ====
'''Meeting Location'''
We are currently meeting at:

15 20th Street South in Birmingham in the 'Birmingham Room' every third Thursday of the month.
We typically meet from 8-12 with the main presentation from 9-11
Breakfast will typically be provided, when I can afford to buy it. =)

http://maps.google.com/maps?hl=en&q=15%2020th%20Street%20South%2C%20Birmingham%2C%20AL

Everyone is welcome to join us at our chapter meetings.

[[File: Alabama_Chapter-HTTP_Fuzzing.pdf]]

==== Alabama OWASP Chapter Leaders ====

__NOTOC__
<headertabs/>

[[Category:OWASP Chapter]]

2010-01-14T00:37:21Z

Bradcausey: /* Mapping to Top 10 2010 IDs */

== Introduction ==

Here is the generally agreed-upon new numbering scheme. Additional explanatory text coming soon. Questions/Comments? Email [mailto:mike.boberski@owasp.org Mike].

OWASP-06
OWASP-06-DEPRECATED
OWASP-0604
OWASP-0604-DEPRECATED
OWASP-0604-DG
OWASP-0604-DG-01
OWASP-0604-TG
OWASP-0604-TG-DV-005
OWASP-0604-TG-DV-005-DEPRECATED

0123456789012345678901234567890123456789
1 2 3

*0-4 OWASP
*6-7 Detailed requirement identifier (major)
*8-9 Detailed requirement identifier (minor)
*11-12 Document code (DG=Development Guide, TG=Testing Guide, CG=Code Review Guide, AR, ED, RM, OR, others reserved)
*14-40 (Optional: DEPRECATED, or # for iterations, or legacy identifiers)

 
== Primary COVN Table (DRAFT) ==
This table outlines the Common OWASP Vulnerability Numbers (COVN)

{| class="prettytable"
|-
| <center>'''COVN Number'''</center>
| <center>'''Description'''</center>
|-
| '''Information Gathering'''
| '''OWASP-01'''
|-
| OWASP-0101
| Spiders, Robots and Crawlers
|-
| OWASP-0102
| Search Engine Discovery/Reconnaissance
|-
| OWASP-0103
| Identify application entry points
|-
| OWASP-0104
| Testing for Web Application Fingerprint
|-
| OWASP-0105
| Application Discovery
|-
| OWASP-0106
| Analysis of Error Codes
|-
|'''Configuration Management Testing'''
|'''OWASP-02'''
|-
| OWASP-0201
| SSL/TLS Testing (SSL Version, Algorithms, Key length, Digital Cert. Validity)
|-
| OWASP-0202
| DB Listener Testing
|-
| OWASP-0203
| Infrastructure Configuration Management Testing
|-
| OWASP-0204
| Application Configuration Management Testing
|-
| OWASP-0205
| Testing for File Extensions Handling
|-
| OWASP-0206
| Old, backup and unreferenced files
|-
| OWASP-0207
| Infrastructure and Application Admin Interfaces
|-
| OWASP-0208
| Testing for HTTP Methods and XST
|-
| OWASP-0209
| Insecure Cryptographic Storage
|-
|'''Authentication Testing'''
|'''OWASP-03'''
|-
| OWASP-0301
| Credentials transport over an encrypted channel
|-
| OWASP-0302
| Testing for user enumeration
|-
| OWASP-0303
| Testing for Guessable (Dictionary) User Account
|-
| OWASP-0304
| Brute Force Testing
|-
| OWASP-0305
| Testing for bypassing authentication schema
|-
| OWASP-0306
| Testing for vulnerable remember password and pwd reset
|-
| OWASP-0307
| Testing for Logout and Browser Cache Management
|-
| OWASP-0308
| Testing for CAPTCHA
|-
| OWASP-0309
| Testing Multiple Factors Authentication
|-
| OWASP-0310
| Testing for Race Conditions
|-
|'''Session Management'''
|'''OWASP-04'''
|-
| OWASP-0401
| Testing for Session Management Schema
|-
| OWASP-0402
| Testing for Cookies attributes
|-
| OWASP-0403
| Testing for Session Fixation
|-
| OWASP-0404
| Testing for Exposed Session Variables
|-
| OWASP-0405
| Testing for CSRF
|-
|'''Authorization Testing'''
|'''OWASP-05'''
|-
| OWASP-0501
| Testing for Path Traversal
|-
| OWASP-0502
| Testing for bypassing authorization schema
|-
| OWASP-0503
| Testing for Privilege Escalation
|-
|'''Business logic testing'''
|'''OWASP-06'''
|-
| OWASP-0601
| Testing for business logic
|-
|'''Data Validation Testing'''
|'''OWASP-07'''
|-
| OWASP-0701
| Testing for Reflected Cross Site Scripting
|-
| OWASP-0702
| Testing for Stored Cross Site Scripting
|-
| OWASP-0703
| Testing for DOM based Cross Site Scripting
|-
| OWASP-0704
| Testing for Cross Site Flashing
|-
| OWASP-0705
| SQL Injection
|-
| OWASP-0706
| LDAP Injection
|-
| OWASP-0707
| ORM Injection
|-
| OWASP-0708
| XML Injection
|-
| OWASP-0709
| SSI Injection
|-
| OWASP-0710
| XPath Injection
|-
| OWASP-0711
| IMAP/SMTP Injection
|-
| OWASP-0712
| Code Injection
|-
| OWASP-0713
| OS Commanding
|-
| OWASP-0714
| Buffer overflow
|-
| OWASP-0715
| Incubated vulnerability Testing
|-
| OWASP-0716
| Testing for HTTP Splitting/Smuggling
|-
| OWASP-0717
| Unvalidated Redirects and Forwards
|-
|'''Denial of Service Testing'''
|'''OWASP-08'''
|-
| OWASP-0801
| Testing for SQL Wildcard Attacks
|-
| OWASP-0802
| Locking User Accounts
|-
| OWASP-0803
| Testing for DoS Buffer Overflows
|-
| OWASP-0804
| User Specified Object Allocation
|-
| OWASP-0805
| User Input as a Loop Counter
|-
| OWASP-0806
| Writing User Provided Data to Disk
|-
| OWASP-0807
| Failure to Release Resources
|-
| OWASP-0808
| Storing too Much Data in Session
|-
|'''Web Services Testing'''
|'''OWASP-09'''
|-
| OWASP-0901
| WS Information Gathering
|-
| OWASP-0902
| Testing WSDL
|-
| OWASP-0903
| XML Structural Testing
|-
| OWASP-0904
| XML content-level Testing
|-
| OWASP-0905
| HTTP GET parameters/REST Testing
|-
| OWASP-0906
| Malicious SOAP attachments
|-
| OWASP-0907
| Replay Testing
|-
| '''OWASP-10'''
|'''AJAX Testing'''
|-
| OWASP-1001
| AJAX Vulnerabilities
|-
| OWASP-1002
| AJAX Testing
|}

== Mapping to Legacy Testing Guide IDs ==

{| class="prettytable"
|-
| <center>'''Ref. Number'''</center>
| <center>'''Test Name'''</center>
| <center>'''New Common Ref.'''</center>
|-
| colspan="3" align="center" | '''Information Gathering - OWASP-01'''
|-
| OWASP-IG-001
| Spiders, Robots and Crawlers
| OWASP-0101
|-
| OWASP-IG-002
| Search Engine Discovery/Reconnaissance
| OWASP-0102
|-
| OWASP-IG-003
| Identify application entry points
| OWASP-0103
|-
| OWASP-IG-004
| Testing for Web Application Fingerprint
| OWASP-0104
|-
| OWASP-IG-005
| Application Discovery
| OWASP-0105
|-
| OWASP-IG-006
| Analysis of Error Codes
| OWASP-0106
|-
| colspan="3" align="center" | '''Configuration Management Testing - OWASP-02'''
|-
| OWASP-CM-001
| SSL/TLS Testing (SSL Version, Algorithms, Key length, Digital Cert. Validity)
| OWASP-0201
|-
| OWASP-CM-002
| DB Listener Testing
| OWASP-0202
|-
| OWASP-CM-003
| Infrastructure Configuration Management Testing
| OWASP-0203
|-
| OWASP-CM-004
| Application Configuration Management Testing
| OWASP-0204
|-
| OWASP-CM-005
| Testing for File Extensions Handling
| OWASP-0205
|-
| OWASP-CM-006
| Old, backup and unreferenced files
| OWASP-0206
|-
| OWASP-CM-007
| Infrastructure and Application Admin Interfaces
| OWASP-0207
|-
| OWASP-CM-008
| Testing for HTTP Methods and XST
| OWASP-0208
|-
| colspan="3" align="center" | '''Authentication Testing - OWASP-03'''
|-
| OWASP-AT-001
| Credentials transport over an encrypted channel
| OWASP-0301
|-
| OWASP-AT-002
| Testing for user enumeration
| OWASP-0302
|-
| OWASP-AT-003
| Testing for Guessable (Dictionary) User Account
| OWASP-0303
|-
| OWASP-AT-004
| Brute Force Testing
| OWASP-0304
|-
| OWASP-AT-005
| Testing for bypassing authentication schema
| OWASP-0305
|-
| OWASP-AT-006
| Testing for vulnerable remember password and pwd reset
| OWASP-0306
|-
| OWASP-AT-007
| Testing for Logout and Browser Cache Management
| OWASP-0307
|-
| OWASP-AT-008
| Testing for CAPTCHA
| OWASP-0308
|-
| OWASP-AT-009
| Testing Multiple Factors Authentication
| OWASP-0309
|-
| OWASP-AT-010
| Testing for Race Conditions
| OWASP-0310
|-
| colspan="3" align="center" | '''Session Management - OWASP-04'''
|-
| OWASP-SM-001
| Testing for Session Management Schema
| OWASP-0401
|-
| OWASP-SM-002
| Testing for Cookies attributes
| OWASP-0402
|-
| OWASP-SM-003
| Testing for Session Fixation
| OWASP-0403
|-
| OWASP-SM-004
| Testing for Exposed Session Variables
| OWASP-0404
|-
| OWASP-SM-005
| Testing for CSRF
| OWASP-0405
|-
| colspan="3" align="center" | '''Authorization Testing - OWASP-05'''
|-
| OWASP-AZ-001
| Testing for Path Traversal
| OWASP-0501
|-
| OWASP-AZ-002
| Testing for bypassing authorization schema
| OWASP-0502
|-
| OWASP-AZ-003
| Testing for Privilege Escalation
| OWASP-0503
|-
| colspan="3" align="center" | '''Business logic testing - OWASP-06'''
|-
| OWASP-BL-001
| Testing for business logic
| OWASP-0601
|-
| colspan="3" align="center" | '''Data Validation Testing - OWASP-07'''
|-
| OWASP-DV-001
| Testing for Reflected Cross Site Scripting
| OWASP-0701
|-
| OWASP-DV-002
| Testing for Stored Cross Site Scripting
| OWASP-0702
|-
| OWASP-DV-003
| Testing for DOM based Cross Site Scripting
| OWASP-0703
|-
| OWASP-DV-004
| Testing for Cross Site Flashing
| OWASP-0704
|-
| OWASP-DV-005
| SQL Injection
| OWASP-0705
|-
| OWASP-DV-006
| LDAP Injection
| OWASP-0706
|-
| OWASP-DV-007
| ORM Injection
| OWASP-0707
|-
| OWASP-DV-008
| XML Injection
| OWASP-0708
|-
| OWASP-DV-009
| SSI Injection
| OWASP-0709
|-
| OWASP-DV-010
| XPath Injection
| OWASP-0710
|-
| OWASP-DV-011
| IMAP/SMTP Injection
| OWASP-0711
|-
| OWASP-DV-012
| Code Injection
| OWASP-0712
|-
| OWASP-DV-013
| OS Commanding
| OWASP-0713
|-
| OWASP-DV-014
| Buffer overflow
| OWASP-0714
|-
| OWASP-DV-015
| Incubated vulnerability Testing
| OWASP-0715
|-
| OWASP-DV-016
| Testing for HTTP Splitting/Smuggling
| OWASP-0716
|-
| colspan="3" align="center" | '''Denial of Service Testing - OWASP-08'''
|-
| OWASP-DS-001
| Testing for SQL Wildcard Attacks
| OWASP-0801
|-
| OWASP-DS-002
| Locking Customer Accounts
| OWASP-0802
|-
| OWASP-DS-003
| Testing for DoS Buffer Overflows
| OWASP-0803
|-
| OWASP-DS-004
| User Specified Object Allocation
| OWASP-0804
|-
| OWASP-DS-005
| User Input as a Loop Counter
| OWASP-0805
|-
| OWASP-DS-006
| Writing User Provided Data to Disk
| OWASP-0806
|-
| OWASP-DS-007
| Failure to Release Resources
| OWASP-0807
|-
| OWASP-DS-008
| Storing too Much Data in Session
| OWASP-0808
|-
| colspan="3" align="center" | '''Web Services Testing - OWASP-09'''
|-
| OWASP-WS-001
| WS Information Gathering
| OWASP-0901
|-
| OWASP-WS-002
| Testing WSDL
| OWASP-0902
|-
| OWASP-WS-003
| XML Structural Testing
| OWASP-0903
|-
| OWASP-WS-004
| XML content-level Testing
| OWASP-0904
|-
| OWASP-WS-005
| HTTP GET parameters/REST Testing
| OWASP-0905
|-
| OWASP-WS-006
| Naughty SOAP attachments
| OWASP-0906
|-
| OWASP-WS-007
| Replay Testing
| OWASP-0907
|-
| colspan="3" align="center" | '''AJAX Testing - OWASP-10'''
|-
| OWASP-AJ-001
| AJAX Vulnerabilities
| OWASP-1001
|-
| OWASP-AJ-002
| AJAX Testing
| OWASP-1002
|}
== Mapping to Top 10 2010 IDs ==

{| class="prettytable"
|-
| <center>'''Ref. Number'''</center>
| <center>'''Name'''</center>
| <center>'''New Common Ref.'''</center>
| align="center" colspan="3" |
|-
| A1
| Injection
| OWASP-0705
OWASP-0706

OWASP-0707

OWASP-0708

OWASP-0709

OWASP-0710

OWASP-0711

OWASP-0712
|-
| A2
| Cross Site Scripting
| OWASP-0701
OWASP-0702

OWASP-0703

OWASP-0704

|-
| A3
| Broken Authentication and Session Management
| OWASP-03

OWASP-04
|-
| A4
| Insecure Direct Object References
| OWASP-0502
|-
| A5
| Cross Site Request Forgery
| OWASP-0405
|-
| A6
| Security Misconfiguration
| OWASP-0203

OWASP-0204
|-
| A7
| Failure to Restrict URL Access
| OWASP-05
|-
| A8
| Unvalidated Redirects and Forwards
| OWASP-0717
|-
| A9
| Insecure Cryptographic Storage
| OWASP-0209
|-
| A10
| Insufficient Transport Layer Protection
| OWASP-0201
|}

== References ==

*adding the (release) year into the numbering scheme can be problematic, because the document has a life cycle that goes over years ....
*One should rather try to accommodate a versioning scheme that is human readable in the reference number as well (e.g. V02, or RevA, or...)

----

*don't try to encode any information into the ID that is likely to change or be subject to debate. In the olden days of CVE, we used to have "CAN-1999-0067" which would change into "CVE-1999-0067" once the item was considered stable and sufficiently verified. That made the ID hard to use. Right now, OWASP-DV-001 encodes the term "data validation" in the DV acronym, but what happens if in a couple of years, some new and better term occurs, or the focus changes from validation to something else? (As an example, it's only recently that the "data validation" term itself has become popular.)

*carefully consider the range of values that your ID space supports, and if possible, allow it to expand. CVE has a "CVE-10K" problem because we never expected that we would ever come close to tracking 10,000 vulnerabilities a year. Red Hat had to change their advisory numbering scheme a couple years ago. etc.

*don't change the fundamental meaning of the ID once you've assigned it. This causes confusion, and more importantly, it immediately invalidates almost everyone's mappings to that ID - including people who you don't even know are using that ID.

*closely monitor the mappings that get made. Typos and misunderstandings are rarely caught. People may make assumptions about what "the item" really is, based only on a quick scan of a short name or title. Since you're dealing with diverse sources, there are likely to be many-to-many relationships in dealing with mappings.

*determine some kind of procedure for handling duplicates. They're gonna happen.

*the more you distribute the process of creating and assigning IDs between multiple people, the more inconsistencies and duplicates you will wind up with. This may be unavoidable, since the job is usually bigger than one person.

*determine some kind of procedure for deprecating IDs, i.e., "retiring" them and discouraging their use by others. This will probably happen for reasons other than duplicates. There should be some final record, somewhere, of what happened to the deprecated item - i.e., it shouldn't just disappear off the face of the earth.

----

Much of the discussion surrounding the establishment of "Common OWASP Numbering" can be found on the various [https://lists.owasp.org/mailman/listinfo OWASP mailing lists]. (For your convenience here is a direct link to the [https://lists.owasp.org/pipermail/owasp-testing/ OWASP Testing Guide Mailing List Archive].)

[[Category:OWASP_Application_Security_Verification_Standard_Project]] [[Category:How_To]]