This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP Testing Guide v2 Review Panel"

From OWASP
Jump to: navigation, search
Line 49: Line 49:
 
</nowiki>
 
</nowiki>
 
_________________________________________________________________________________________________________________________
 
_________________________________________________________________________________________________________________________
* '''Introduction -->...'''
+
* '''Introduction --> reviewed by Eoin Keary'''
1 of 1 article to be reviewed  -> reviewed by Eoin Keary
+
'''[OK]'''
  
 
_________________________________________________________________________________________________________________________
 
_________________________________________________________________________________________________________________________
Line 58: Line 58:
 
_________________________________________________________________________________________________________________________
 
_________________________________________________________________________________________________________________________
 
* '''4.1 Introduction and objectives -->.EK'''
 
* '''4.1 Introduction and objectives -->.EK'''
 
+
'''[OK]'''
 
_________________________________________________________________________________________________________________________
 
_________________________________________________________________________________________________________________________
 
* '''4.2 Information Gathering (Reviewed by EK) --> Keary'''
 
* '''4.2 Information Gathering (Reviewed by EK) --> Keary'''
9 of 10 articles to be reviewed -> <BR>  
+
9 of 10 articles reviewed -> <BR>  
 
* '''Application Discovery''':  
 
* '''Application Discovery''':  
 
** Reviewed + updated(EK) (Maybe we should include HTTP methods for application descovery, such as HTTP HEAD command?)<BR>
 
** Reviewed + updated(EK) (Maybe we should include HTTP methods for application descovery, such as HTTP HEAD command?)<BR>
Line 85: Line 85:
 
_________________________________________________________________________________________________________________________
 
_________________________________________________________________________________________________________________________
 
* '''4.3 Business logic testing --> Meucci'''
 
* '''4.3 Business logic testing --> Meucci'''
1 of 1 article to be reviewed  
+
1 of 1 article reviewed  
 
+
'''[OK]'''
 
_________________________________________________________________________________________________________________________
 
_________________________________________________________________________________________________________________________
 
* '''4.4 Authentication Testing --> Roxberry (articles have been edited)'''
 
* '''4.4 Authentication Testing --> Roxberry (articles have been edited)'''
 
0 of 7 articles to be reviewed  
 
0 of 7 articles to be reviewed  
 +
'''[OK]'''
 
** 4.4 Authentication Testing (95%) : Reviewed by MR [http://www.markroxberry.net/archive/2006/11/14/Authentication-Testing-Index-Page.aspx Authentication Testing Index]
 
** 4.4 Authentication Testing (95%) : Reviewed by MR [http://www.markroxberry.net/archive/2006/11/14/Authentication-Testing-Index-Page.aspx Authentication Testing Index]
 
** 4.4.1 Default or guessable (dictionary) user account (80%) : Reviewed by MR [http://www.markroxberry.net/archive/2006/11/14/Default-or-Guessable-User-Account-Testing-AoC.aspx Default or guessable user account review]
 
** 4.4.1 Default or guessable (dictionary) user account (80%) : Reviewed by MR [http://www.markroxberry.net/archive/2006/11/14/Default-or-Guessable-User-Account-Testing-AoC.aspx Default or guessable user account review]
Line 97: Line 98:
 
** 4.4.5 Vulnerable remember password and pwd reset (90%) Reviewed by MR [http://www.markroxberry.net/archive/2006/11/14/Vulnerable-Remember-Password-and-Pwd-Reset-AoC.aspx Vulnerable Reset Password review]
 
** 4.4.5 Vulnerable remember password and pwd reset (90%) Reviewed by MR [http://www.markroxberry.net/archive/2006/11/14/Vulnerable-Remember-Password-and-Pwd-Reset-AoC.aspx Vulnerable Reset Password review]
 
** 4.4.6 Logout and Browser Cache Management Testing (100%) Reviewed by MR [http://www.markroxberry.net/archive/2006/11/14/Logout-and-Browser-Cache-Management-Testing-AoC.aspx Logout and Browser Cache Management Testing review]
 
** 4.4.6 Logout and Browser Cache Management Testing (100%) Reviewed by MR [http://www.markroxberry.net/archive/2006/11/14/Logout-and-Browser-Cache-Management-Testing-AoC.aspx Logout and Browser Cache Management Testing review]
 
  
 
_________________________________________________________________________________________________________________________
 
_________________________________________________________________________________________________________________________
Line 112: Line 112:
 
* '''4.6 Data Validation Testing --> Meucci'''
 
* '''4.6 Data Validation Testing --> Meucci'''
 
18 articles reviewed (3 are at 0%)
 
18 articles reviewed (3 are at 0%)
 +
'''[OK]'''
 
** 4.6 Data Validation Testing : Reviewed by EK
 
** 4.6 Data Validation Testing : Reviewed by EK
 
** 4.6.1 Cross site scripting: Reviewed by EK (Reformatted it slightly with wiki tags). '''Not completed'''
 
** 4.6.1 Cross site scripting: Reviewed by EK (Reformatted it slightly with wiki tags). '''Not completed'''
Line 142: Line 143:
 
* '''4.7 Denial of Service Testing--> Revelli'''
 
* '''4.7 Denial of Service Testing--> Revelli'''
 
8 of 8 articles Reviewed
 
8 of 8 articles Reviewed
 +
'''[OK]'''
 
** 4.7 Denial of Service Testing 100% Reviewed by Revelli
 
** 4.7 Denial of Service Testing 100% Reviewed by Revelli
 
** 4.7.1 Locking Customer Accounts 100% Reviewd by Revelli
 
** 4.7.1 Locking Customer Accounts 100% Reviewd by Revelli
Line 154: Line 156:
 
* '''4.8 Web Services Testing --> Matteo Meucci'''
 
* '''4.8 Web Services Testing --> Matteo Meucci'''
 
6 of 6 articles reviewed
 
6 of 6 articles reviewed
 +
'''[OK]'''
 
** 4.8 Web Services Testing (100%) Reviewed by Meucci
 
** 4.8 Web Services Testing (100%) Reviewed by Meucci
 
** 4.8.1 XML Structural Testing (100%) Reviewed by Meucci
 
** 4.8.1 XML Structural Testing (100%) Reviewed by Meucci

Revision as of 21:22, 15 November 2006

[Table of Contents]

Update: 15th November, 16.00 (GMT+1)

**********************
Reviewing planning
**********************

The reviewers are: Mark Roxberry, Alberto Revelli, Daniel Cuthbert, Antonio Parata, Matteo G.P. Flora, Matteo Meucci, Eoin Keary, Stefano Di Paola, James Kist, Vicente Aguilera, Mauro Bregolin, Syed Mohamed A

We can begin the 1st reviewing phase by review all 63 articles (nearly 13 articles per person). The deadline is 15th November at 20.00 (GMT+1) because we have 15th November as 1st deadline for the Autumn of Code Project.

*********************************************
We are waiting for the following articles
*********************************************

4.2.2 Spidering and googling (40%, Tom Brennan, Tom Ryan)
4.2.4.2 DB Listener Testing TD (Maybe Eoin?)
4.5.5 HTTP Exploit (0%, Arian J.Evans)
4.6.2.2 Oracle testing TD
4.6.4 ORM Injection (0%, Mark Roxberry)
5. Writing Reports: value the real risk
5.1 How to value the real risk (50%, Daniel Cuthbert, Matteo Meucci, Sebastien Deleersnyder, Marco Morana)
5.2 How to write the report of the testing (0%, Daniel Cuthbert, Tom Brennan, Tom Ryan)

*********************************************************
Here is the complete list of articles to be reviewed:
********************************************************* _________________________________________________________________________________________________________________________

  • Introduction --> reviewed by Eoin Keary

[OK]

_________________________________________________________________________________________________________________________

  • The OWASP Testing Framework -->...

1 of 1 article to be reviewed

_________________________________________________________________________________________________________________________

  • 4.1 Introduction and objectives -->.EK

[OK] _________________________________________________________________________________________________________________________

  • 4.2 Information Gathering (Reviewed by EK) --> Keary

9 of 10 articles reviewed ->

  • Application Discovery:
    • Reviewed + updated(EK) (Maybe we should include HTTP methods for application descovery, such as HTTP HEAD command?)
  • Analysis of error codes:
    • Reviewed + updated(EK)
  • Infrastructure configuration management testing AoC:
    • Reviewed by EK. Not in typical guide structure
  • SSL/TLS Testing AoC:
    • Reviewed + updated(EK)
  • DB Listener Testing:
    • Incomplete
  • Application configuration management testing:
    • Reviewed by EK. Not typical guide structure
    • This is generally a "white box" section. There are no examples of testing the configuration from a remote perspective. If this was the aim of the document, thats fine. - Need feedback on this one!!
    • Sample/known files and directories: might be good to refer to http://www.owasp.org/index.php/Old_file_testing_AoC ??
    • Logging: Timestamp is also important
  • File extensions handling
    • contains the text: "...To review and expand..." - Is this complete??
    • Need a second opinion on this one!! :)
  • Old file testing: Reviewed by EK


_________________________________________________________________________________________________________________________

  • 4.3 Business logic testing --> Meucci

1 of 1 article reviewed [OK] _________________________________________________________________________________________________________________________

  • 4.4 Authentication Testing --> Roxberry (articles have been edited)

0 of 7 articles to be reviewed [OK]

_________________________________________________________________________________________________________________________

  • 4.5 Session Management Testing --> Syed Mohamed A

5 of 6 articles to be reviewed

    • 4.5 Session Management Testing (95%)
    • 4.5.1 Analysis of the Session Management Schema (90%)
    • 4.5.2 Cookie and Session token Manipulation (100%)
    • 4.5.3 Exposed session variables (90%)
    • 4.5.4 Session Riding (XSRF) (80%)
    • 4.5.5 HTTP Exploit (0%)

_________________________________________________________________________________________________________________________

  • 4.6 Data Validation Testing --> Meucci

18 articles reviewed (3 are at 0%) [OK]

    • 4.6 Data Validation Testing : Reviewed by EK
    • 4.6.1 Cross site scripting: Reviewed by EK (Reformatted it slightly with wiki tags). Not completed
    • 4.6.1.1 HTTP Methods and XST Reviewed by MM. Reviewed by AP.
    • 4.6.2 SQL Injection (90%) Reviewed by MM. Reviewed by EK. Reviewed by AP.
      • Not sure about "inferential" injection definition in "Description of Issue"
      • Added some reference to Oracle. Corrected English.
      • Updated
    • 4.6.2.1 Stored procedure injection (40%) TD (not enough informations)
    • 4.6.2.2 Oracle testing (0%) TD (not enough informations)
    • 4.6.2.3 MySQL testing (100%) Reviewed by MM
    • 4.6.2.4 SQL Server testing (95%) Reviewed by MM. tools?
    • 4.6.3 LDAP Injection (90%) Reviewed by MM added wp and tools
    • 4.6.4 ORM Injection (0%) TD (not enough informations)
    • 4.6.5 XML Injection (90%) Reviwed and updated by MM. Updated by AP. WP and tools?
    • 4.6.6 SSI Injection (95%) Reviewed by MM
    • 4.6.7 XPath Injection (80%) Reviewed by MM. Gray box section is to complete?
    • 4.6.8 IMAP/SMTP Injection (95%)Reviewed by MM
    • 4.6.9 Code Injection (70%) Reviewed by MM. Not completed
    • 4.6.10 OS Commanding (70%) Reviewed by MM. Not completed
    • 4.6.11 Buffer overflow Testing (100%) Reviewed by MM. Note: these tests are not usual web app tests
    • 4.6.11.1 Heap overflow (100%) Reviewed by MM
    • 4.6.11.2 Stack overflow (100%)Reviewed by MM
    • 4.6.11.3 Format string (100%)Reviewed by MM
    • 4.6.12 Incubated vulnerability testing (95%) Reviewed by MM, whitepapers?

_________________________________________________________________________________________________________________________


  • 4.7 Denial of Service Testing--> Revelli

8 of 8 articles Reviewed [OK]

    • 4.7 Denial of Service Testing 100% Reviewed by Revelli
    • 4.7.1 Locking Customer Accounts 100% Reviewd by Revelli
    • 4.7.2 Buffer Overflows 100% Reviewd by Revelli
    • 4.7.3 User Specified Object Allocation 100% Reviewd by Revelli
    • 4.7.4 User Input as a Loop Counter 100% Reviewd by Revelli
    • 4.7.5 Writing User Provided Data to Disk 100% Reviewd by Revelli
    • 4.7.6 Failure to Release Resources 100% Reviewd by Revelli
    • 4.7.7 Storing too Much Data in Session 100% Reviewd by Revelli

_________________________________________________________________________________________________________________________

  • 4.8 Web Services Testing --> Matteo Meucci

6 of 6 articles reviewed [OK]

    • 4.8 Web Services Testing (100%) Reviewed by Meucci
    • 4.8.1 XML Structural Testing (100%) Reviewed by Meucci
    • 4.8.2 XML content-level Testing (90%) Reviewed by Meucci
    • 4.8.3 HTTP GET parameters/REST Testing (100%) Reviewed by Meucci
    • 4.8.4 Naughty SOAP attachments (95%) Reviewed by Meucci
    • 4.8.5 Replay Testing (95%) Reviewed by Meucci. Need to add code examples, images and proof of impersonation

_________________________________________________________________________________________________________________________

  • 4.9 AJAX Testing --> Roxberry

3 of 3 articles to be reviewed

    • 4.9 AJAX Testing (70%)
    • 4.9.1 Vulnerabilities (60%)
    • 4.9.2 How to test (60%)

_________________________________________________________________________________________________________________________

  • 5. Writing Reports: value the real risk

We have to write about it. I consider it not yet finished. O of 3 articles to be reviewed.

_________________________________________________________________________________________________________________________

  • Appendix A: Testing Tools -->...

1 article of 1: need to update it searching all the guide for paragraps: tools

_________________________________________________________________________________________________________________________

  • Appendix B: Suggested Reading -->...

1 article of 1: need to update it searching all the guide for paragraps: tools

_________________________________________________________________________________________________________________________

  • Appendix C: Fuzz Vectors --> Stefano Di Paola

1 article of 1: Need to be updated

_________________________________________________________________________________________________________________________

*************************
Reviewers Rules
*************************

1) Check the english language
2) Check the template: the articles on chapter 4 should have the following:

In some articles we don't need to talk about Gray Box Testing or other, so we can eliminate it.

3) Check the reference style. (I'd like to have all the referenced URLs visible because I have to produce also a pdf document of the Guide). I agree with Stefano, we have to use a reference like that:

== References ==

'''Whitepapers'''<br>

* [1] Author1, Author2: "Title" - http://www.ietf.org/rfc/rfc2254.txt<br>

* [2]...<br>

'''Tools'''<br>

* Francois Larouche: "Multiple DBMS Sql Injection tool" - http://www.sqlpowerinjector.com/index.htm <br>

4) Check the reference with the other articles of the guide or with the other OWASP Project.

5) Other?

Retrieved from "https://wiki.owasp.org/index.php?title=OWASP_Testing_Guide_v2_Review_Panel&oldid=12814"