This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP Common Numbering Project"

From OWASP
Jump to: navigation, search
(Mapping to Top 10 2010 IDs)
(Mapping to Top 10 2010 IDs)
Line 377: Line 377:
 
|-
 
|-
 
| A8
 
| A8
| Security Misconfiguration
+
| Unvalidated Redirects and Forwards
| OWASP-0203
+
| OWASP-0717 (NOT DEFINED YET)
 
|-
 
|-
 
| A9
 
| A9
| Security Misconfiguration
+
| Insecure Cryptographic Storage
| OWASP-0203
+
| OWASP-0209 (NOT DEFINED YET)
 
|-
 
|-
 
| A10
 
| A10
| Security Misconfiguration
+
| Insufficient Transport Layer Protection
| OWASP-0203
+
| OWASP-0201
 
|}
 
|}
  

Revision as of 21:56, 13 January 2010

Introduction

Here is the generally agreed-upon new numbering scheme. Additional explanatory text coming soon. Questions/Comments? Email Mike.

OWASP-06
OWASP-06-DEPRECATED 
OWASP-0604
OWASP-0604-DEPRECATED
OWASP-0604-DG
OWASP-0604-DG-01
OWASP-0604-TG
OWASP-0604-TG-DV-005
OWASP-0604-TG-DV-005-DEPRECATED
0123456789012345678901234567890123456789
          1         2         3
  • 0-4 OWASP
  • 6-7 Detailed requirement identifier (major)
  • 8-9 Detailed requirement identifier (minor)
  • 11-12 Document code (DG=Development Guide, TG=Testing Guide, CG=Code Review Guide, AR, ED, RM, OR, others reserved)
  • 14-40 (Optional: DEPRECATED, or # for iterations, or legacy identifiers)


Mapping to Legacy Testing Guide IDs

Ref. Number
Test Name
New Common Ref.
Information Gathering - OWASP-01
OWASP-IG-001 Spiders, Robots and Crawlers OWASP-0101
OWASP-IG-002 Search Engine Discovery/Reconnaissance OWASP-0102
OWASP-IG-003 Identify application entry points OWASP-0103
OWASP-IG-004 Testing for Web Application Fingerprint OWASP-0104
OWASP-IG-005 Application Discovery OWASP-0105
OWASP-IG-006 Analysis of Error Codes OWASP-0106
Configuration Management Testing - OWASP-02
OWASP-CM-001 SSL/TLS Testing (SSL Version, Algorithms, Key length, Digital Cert. Validity) OWASP-0201
OWASP-CM-002 DB Listener Testing OWASP-0202
OWASP-CM-003 Infrastructure Configuration Management Testing OWASP-0203
OWASP-CM-004 Application Configuration Management Testing OWASP-0204
OWASP-CM-005 Testing for File Extensions Handling OWASP-0205
OWASP-CM-006 Old, backup and unreferenced files OWASP-0206
OWASP-CM-007 Infrastructure and Application Admin Interfaces OWASP-0207
OWASP-CM-008 Testing for HTTP Methods and XST OWASP-0208
Authentication Testing - OWASP-03
OWASP-AT-001 Credentials transport over an encrypted channel OWASP-0301
OWASP-AT-002 Testing for user enumeration OWASP-0302
OWASP-AT-003 Testing for Guessable (Dictionary) User Account OWASP-0303
OWASP-AT-004 Brute Force Testing OWASP-0304
OWASP-AT-005 Testing for bypassing authentication schema OWASP-0305
OWASP-AT-006 Testing for vulnerable remember password and pwd reset OWASP-0306
OWASP-AT-007 Testing for Logout and Browser Cache Management OWASP-0307
OWASP-AT-008 Testing for CAPTCHA OWASP-0308
OWASP-AT-009 Testing Multiple Factors Authentication OWASP-0309
OWASP-AT-010 Testing for Race Conditions OWASP-0310
Session Management - OWASP-04
OWASP-SM-001 Testing for Session Management Schema OWASP-0401
OWASP-SM-002 Testing for Cookies attributes OWASP-0402
OWASP-SM-003 Testing for Session Fixation OWASP-0403
OWASP-SM-004 Testing for Exposed Session Variables OWASP-0404
OWASP-SM-005 Testing for CSRF OWASP-0405
Authorization Testing - OWASP-05
OWASP-AZ-001 Testing for Path Traversal OWASP-0501
OWASP-AZ-002 Testing for bypassing authorization schema OWASP-0502
OWASP-AZ-003 Testing for Privilege Escalation OWASP-0503
Business logic testing - OWASP-06
OWASP-BL-001 Testing for business logic OWASP-0601
Data Validation Testing - OWASP-07
OWASP-DV-001 Testing for Reflected Cross Site Scripting OWASP-0701
OWASP-DV-002 Testing for Stored Cross Site Scripting OWASP-0702
OWASP-DV-003 Testing for DOM based Cross Site Scripting OWASP-0703
OWASP-DV-004 Testing for Cross Site Flashing OWASP-0704
OWASP-DV-005 SQL Injection OWASP-0705
OWASP-DV-006 LDAP Injection OWASP-0706
OWASP-DV-007 ORM Injection OWASP-0707
OWASP-DV-008 XML Injection OWASP-0708
OWASP-DV-009 SSI Injection OWASP-0709
OWASP-DV-010 XPath Injection OWASP-0710
OWASP-DV-011 IMAP/SMTP Injection OWASP-0711
OWASP-DV-012 Code Injection OWASP-0712
OWASP-DV-013 OS Commanding OWASP-0713
OWASP-DV-014 Buffer overflow OWASP-0714
OWASP-DV-015 Incubated vulnerability Testing OWASP-0715
OWASP-DV-016 Testing for HTTP Splitting/Smuggling OWASP-0716
Denial of Service Testing - OWASP-08
OWASP-DS-001 Testing for SQL Wildcard Attacks OWASP-0801
OWASP-DS-002 Locking Customer Accounts OWASP-0802
OWASP-DS-003 Testing for DoS Buffer Overflows OWASP-0803
OWASP-DS-004 User Specified Object Allocation OWASP-0804
OWASP-DS-005 User Input as a Loop Counter OWASP-0805
OWASP-DS-006 Writing User Provided Data to Disk OWASP-0806
OWASP-DS-007 Failure to Release Resources OWASP-0807
OWASP-DS-008 Storing too Much Data in Session OWASP-0808
Web Services Testing - OWASP-09
OWASP-WS-001 WS Information Gathering OWASP-0901
OWASP-WS-002 Testing WSDL OWASP-0902
OWASP-WS-003 XML Structural Testing OWASP-0903
OWASP-WS-004 XML content-level Testing OWASP-0904
OWASP-WS-005 HTTP GET parameters/REST Testing OWASP-0905
OWASP-WS-006 Naughty SOAP attachments OWASP-0906
OWASP-WS-007 Replay Testing OWASP-0907
AJAX Testing - OWASP-10
OWASP-AJ-001 AJAX Vulnerabilities OWASP-1001
OWASP-AJ-002 AJAX Testing OWASP-1002

Mapping to Top 10 2010 IDs

Ref. Number
Name
New Common Ref.
A1 Injection OWASP-0705

OWASP-0706

OWASP-0707

OWASP-0708

OWASP-0709

OWASP-0710

OWASP-0711

OWASP-0712

A2 Cross Site Scripting OWASP-0701

OWASP-0702

OWASP-0703

OWASP-0704

A3 Broken Authentication and Session Management OWASP-03

OWASP-04

A4 Insecure Direct Object References OWASP-0502
A5 Cross Site Request Forgery OWASP-0405
A6 Security Misconfiguration OWASP-0203

OWASP-0204

A7 Failure to Restrict URL Access OWASP-05
A8 Unvalidated Redirects and Forwards OWASP-0717 (NOT DEFINED YET)
A9 Insecure Cryptographic Storage OWASP-0209 (NOT DEFINED YET)
A10 Insufficient Transport Layer Protection OWASP-0201

References

  • adding the (release) year into the numbering scheme can be problematic, because the document has a life cycle that goes over years ....
  • One should rather try to accommodate a versioning scheme that is human readable in the reference number as well (e.g. V02, or RevA, or...)

  • don't try to encode any information into the ID that is likely to change or be subject to debate. In the olden days of CVE, we used to have "CAN-1999-0067" which would change into "CVE-1999-0067" once the item was considered stable and sufficiently verified. That made the ID hard to use. Right now, OWASP-DV-001 encodes the term "data validation" in the DV acronym, but what happens if in a couple of years, some new and better term occurs, or the focus changes from validation to something else? (As an example, it's only recently that the "data validation" term itself has become popular.)
  • carefully consider the range of values that your ID space supports, and if possible, allow it to expand. CVE has a "CVE-10K" problem because we never expected that we would ever come close to tracking 10,000 vulnerabilities a year. Red Hat had to change their advisory numbering scheme a couple years ago. etc.
  • don't change the fundamental meaning of the ID once you've assigned it. This causes confusion, and more importantly, it immediately invalidates almost everyone's mappings to that ID - including people who you don't even know are using that ID.
  • closely monitor the mappings that get made. Typos and misunderstandings are rarely caught. People may make assumptions about what "the item" really is, based only on a quick scan of a short name or title. Since you're dealing with diverse sources, there are likely to be many-to-many relationships in dealing with mappings.
  • determine some kind of procedure for handling duplicates. They're gonna happen.
  • the more you distribute the process of creating and assigning IDs between multiple people, the more inconsistencies and duplicates you will wind up with. This may be unavoidable, since the job is usually bigger than one person.
  • determine some kind of procedure for deprecating IDs, i.e., "retiring" them and discouraging their use by others. This will probably happen for reasons other than duplicates. There should be some final record, somewhere, of what happened to the deprecated item - i.e., it shouldn't just disappear off the face of the earth.

Much of the discussion surrounding the establishment of "Common OWASP Numbering" can be found on the various OWASP mailing lists. (For your convenience here is a direct link to the OWASP Testing Guide Mailing List Archive.)