OWASP Testing Guide v3 Startup - Revision history

Kingthorin: Highlight Answers

2008-05-23T14:15:29Z

Highlight Answers

Mmeucci at 05:56, 20 May 2008

2008-05-20T05:56:25Z

Kingthorin at 12:00, 29 April 2008

2008-04-29T12:00:27Z

Kingthorin at 11:55, 29 April 2008

2008-04-29T11:55:56Z

Kingthorin at 11:57, 8 April 2008

2008-04-08T11:57:27Z

Mmeucci at 00:20, 7 October 2007

2007-10-07T00:20:52Z

Mmeucci at 00:20, 7 October 2007

2007-10-07T00:20:31Z

Mmeucci at 00:16, 7 October 2007

2007-10-07T00:16:00Z

Mmeucci at 22:27, 3 October 2007

2007-10-03T22:27:04Z

Mmeucci at 21:28, 3 October 2007

2007-10-03T21:28:40Z

@@ Line 30: / Line 30: @@
 The following clarifications/considerations also need to be made in preparation for v3:<br>
-) Are "OWASP-AUTHN-001 : Authentication endpoint request should be HTTPS" and "OWASP-AUTHN-003 : Credentials transport over an encrypted channel" as they were in v1 fully covered by "OWASP-IG-005 : SSL/TLS Testing"? --> no, we need to create a new test in authentication testing<br>
+) Are "OWASP-AUTHN-001 : Authentication endpoint request should be HTTPS" and "OWASP-AUTHN-003 : Credentials transport over an encrypted channel" as they were in v1 fully covered by "OWASP-IG-005 : SSL/TLS Testing"? '''--> no, we need to create a new test in authentication testing'''<br>
-) Are "OWASP-AUTHN-009 : Password Structure" and "OWASP-AUTHN-010 : Blank Passwords" as they were in v1 fully covered by OWASP-AT-003 & OWASP-AT-001? --> Yes<br>
+) Are "OWASP-AUTHN-009 : Password Structure" and "OWASP-AUTHN-010 : Blank Passwords" as they were in v1 fully covered by OWASP-AT-003 & OWASP-AT-001? '''--> Yes'''<br>
 ) Are all 5 AUTHSM references as they were in v1 fully covered by "OWASP-SM-001 : Session Management Schema"?<br>
 ) What does "OWASP-DP-001 : Sensitive Data in HTML" fall under in v2/v3?<br>
 ) Are all the SSL Data protection references (DP-003 through DP-007) from v1 fall under "OWASP-IG-005 : SSL/TLS Testing"?<br>
 ) Is "OWASP-DS-001 : Locking Customer Accounts" a subset of AUTHN-008 in v1 or AT-006 in v2 or is it really an item on it's own?<br>
-) Are "OWASP-EH-002 : User Error Messages" and "OWASP-EH-001 : Application Error Messages" as they were in v1 meant to fall under "OWASP-IG-004 : Analysis of Error Codes"? If so where would things like overly specific authentication errors appear in the report? (If I understand correctly Information gathering isn't going to be reported) [This would be things like errors messages which actually specify "invalid username" or "invalid password" instead of "Error: the credentials provided are invalid" or similar generic messaging.] --> yes<br>
+) Are "OWASP-EH-002 : User Error Messages" and "OWASP-EH-001 : Application Error Messages" as they were in v1 meant to fall under "OWASP-IG-004 : Analysis of Error Codes"? If so where would things like overly specific authentication errors appear in the report? (If I understand correctly Information gathering isn't going to be reported) [This would be things like errors messages which actually specify "invalid username" or "invalid password" instead of "Error: the credentials provided are invalid" or similar generic messaging.] '''--> yes'''<br>

@@ Line 30: / Line 30: @@
 The following clarifications/considerations also need to be made in preparation for v3:<br>
-) Are "OWASP-AUTHN-001 : Authentication endpoint request should be HTTPS" and "OWASP-AUTHN-003 : Credentials transport over an encrypted channel" as they were in v1 fully covered by "OWASP-IG-005 : SSL/TLS Testing"?<br>
+) Are "OWASP-AUTHN-001 : Authentication endpoint request should be HTTPS" and "OWASP-AUTHN-003 : Credentials transport over an encrypted channel" as they were in v1 fully covered by "OWASP-IG-005 : SSL/TLS Testing"? --> no, we need to create a new test in authentication testing<br>
-) Are "OWASP-AUTHN-009 : Password Structure" and "OWASP-AUTHN-010 : Blank Passwords" as they were in v1 fully covered by OWASP-AT-003 & OWASP-AT-001?<br>
+) Are "OWASP-AUTHN-009 : Password Structure" and "OWASP-AUTHN-010 : Blank Passwords" as they were in v1 fully covered by OWASP-AT-003 & OWASP-AT-001? --> Yes<br>
 ) Are all 5 AUTHSM references as they were in v1 fully covered by "OWASP-SM-001 : Session Management Schema"?<br>
 ) What does "OWASP-DP-001 : Sensitive Data in HTML" fall under in v2/v3?<br>
 ) Are all the SSL Data protection references (DP-003 through DP-007) from v1 fall under "OWASP-IG-005 : SSL/TLS Testing"?<br>
 ) Is "OWASP-DS-001 : Locking Customer Accounts" a subset of AUTHN-008 in v1 or AT-006 in v2 or is it really an item on it's own?<br>
-) Are "OWASP-EH-002 : User Error Messages" and "OWASP-EH-001 : Application Error Messages" as they were in v1 meant to fall under "OWASP-IG-004 : Analysis of Error Codes"? If so where would things like overly specific authentication errors appear in the report? (If I understand correctly Information gathering isn't going to be reported) [This would be things like errors messages which actually specify "invalid username" or "invalid password" instead of "Error: the credentials provided are invalid" or similar generic messaging.]<br>
+) Are "OWASP-EH-002 : User Error Messages" and "OWASP-EH-001 : Application Error Messages" as they were in v1 meant to fall under "OWASP-IG-004 : Analysis of Error Codes"? If so where would things like overly specific authentication errors appear in the report? (If I understand correctly Information gathering isn't going to be reported) [This would be things like errors messages which actually specify "invalid username" or "invalid password" instead of "Error: the credentials provided are invalid" or similar generic messaging.] --> yes<br>

← Older revision		Revision as of 12:00, 29 April 2008
Line 27:		Line 27:


−	This [http://www.owasp.org/index.php/Image:Planning_OTGv3.doc document] analyzes the OWASP Testing Guide v2 vulnerabilities and a plan for create the new v3.<br>	+	This [http://www.owasp.org/index.php/Image:Planning_OTGv3.doc document] analyzes the OWASP Testing Guide v2 vulnerabilities and a plan for create the new v3.<br><br>

	The following clarifications/considerations also need to be made in preparation for v3:<br>		The following clarifications/considerations also need to be made in preparation for v3:<br>

@@ Line 18: / Line 18: @@
 ) Authorization testing missing. As Jeff and Dave said many time before it's important to create a new category.<br>
 )	Information gathering is not a set of vulnerabilities --> not in report --> new category: Passive mode <br>
 )	Business logic testing --> not in report --> Passive mode  <br>
@@ Line 26: / Line 27: @@
-This [http://www.owasp.org/index.php/Image:Planning_OTGv3.doc document] analyze the OWASP Testing Guide v2 vulnerabilities and a plan for create the new v3.
+This [http://www.owasp.org/index.php/Image:Planning_OTGv3.doc document] analyzes the OWASP Testing Guide v2 vulnerabilities and a plan for create the new v3.<br>

@@ Line 7: / Line 7: @@
 In the OWASP Testing Guide v2 we have split the set of tests in 8 sub-categories:
 * Information Gathering
-* Business logic testing
+* Business Logic Testing
 * Authentication Testing
 * Session Management Testing

← Older revision		Revision as of 00:20, 7 October 2007
Line 26:		Line 26:


−	This ~~document~~ [http://www.owasp.org/index.php/Image:Planning_OTGv3.doc document] analyze the OWASP Testing Guide v2 vulnerabilities and a plan for create the new v3.	+	This [http://www.owasp.org/index.php/Image:Planning_OTGv3.doc document] analyze the OWASP Testing Guide v2 vulnerabilities and a plan for create the new v3.

@@ Line 18: / Line 18: @@
 ) Authorization testing missing. As Jeff and Dave said many time before it's important to create a new category.<br>
-) Information gathering is not a set of vulnerabilities. I think we can add a new category Infrastructural testing.<br>
+)	Information gathering is not a set of vulnerabilities --> not in report --> new category: Passive mode <br>
-) Web Services section needs improvement.<br>
+)	Business logic testing --> not in report --> Passive mode  <br>
-) AJAX Testing section needs improvement.<br>
+)	Infrastructural test --> new category <br>
-) New category: Client side Testing: nowadays in web 2.0 applications it's really important to test for client side vulnerabilities that can introduce new type of attacks: for example a XSS on flash movie loaded on the client (see the last work of Di Paola).<br>
+)	Web Services section needs improvement <br>
+In this document we analyze the OWASP Testing Guide (OTG) v2 vulnerabilities and a plan for an improving for the v3.
-== Information Gathering ==
+[[image:Planning_OTGv3.doc]]

← Older revision		Revision as of 22:27, 3 October 2007
Line 23:		Line 23:
	5) New category: Client side Testing: nowadays in web 2.0 applications it's really important to test for client side vulnerabilities that can introduce new type of attacks: for example a XSS on flash movie loaded on the client (see the last work of Di Paola).<br>		5) New category: Client side Testing: nowadays in web 2.0 applications it's really important to test for client side vulnerabilities that can introduce new type of attacks: for example a XSS on flash movie loaded on the client (see the last work of Di Paola).<br>

−	For each category we describe the v2 and the possible ~~improvement~~.	+	For each category we describe the v2 and the possible improvements.