SlideShare a Scribd company logo

Owasp testing guide owasp summit 2011 (matteo meucci)

Matteo Meucci
Matteo Meucci

Presentation of the OWASP Testing Guide v4 @ OWASP Summit 2011

Technology
1 of 21
Planning the OWASP Testing Guide v4 Matteo Meucci, Giorgio Fedon, Pavol Luptak
AG E N DA • Few words about the TG history and adoption by the Companies • Why we need the Common Numbering and Common Vulnerability list • Update the set of test • V4 Roadmap
What is the OWASP Testing Guide? Where are we now?
Testing Guide history • January 2004 – "The OWASP Testing Guide", Version 1.0 • July 14, 2004 – "OWASP Web Application Penetration Checklist", Version 1.1 • December 25, 2006 – "OWASP Testing Guide", Version 2.0 • December 16, 2008 – "OWASP Testing Guide", Version 3.0 – Released at the OWASP Summit 08
Project Complexity Pages 400 350 300 250 200 Pages 150 100 50 0 v1 v1.1 v2 v3
OWASP Testing Guide v3 • SANS Top 20 2007 • NIST “Technical Guide to Information Security Testing (Draft)” • Gary McGraw (CTO Cigital) says: “In my opinion it is the strongest piece of Intellectual Property in the OWASP portfolio” – OWASP Podcast by Jim Manico
Testing Guide v3: Index 1. Frontispiece 2. Introduction 3. The OWASP Testing Framework 4. Web Application Penetration Testing 5. Writing Reports: value the real risk Appendix A: Testing Tools Appendix B: Suggested Reading Appendix C: Fuzz Vectors Appendix D: Encoded Injection
What are the difference between the OWASP Testing Guide and another book about WebApp PenTesting?
Web Application Penetration Testing • OWASP Testing Guide is driven by our Community • It’s related to the other OWASP guides • Our approach in writing this guide – Open – Collaborative • Defined testing methodology – Consistent – Repeatable – Under quality 9
Testing Guide Categories & vulnerability list
What we need now to improve the v3 and plan the v4?
OWASP Common Vulnerability List We need a common vulnerability list 12
Looking at the Testing Guide Categories & vulnerability list
The new team
Andrew Muller Mike Hryekewicz Aung KhAnt Nick Freeman Cecil Su Norbert Szetei Colin Watson Paolo Perego Daniel Cuthbert Pavol Luptak Giorgio Fedon Psiinon Jason Flood Ray Schippers Javier Marcos de Prado Robert Smith Juan Galiana Lara Robert Winkel Kenan Gursoy Roberto Suggi Liverani Kevin Horvat Sebastien Gioria Lode Vanstechelman Stefano Di Paola Marco Morana Sumit Siddharth Matt Churchy Thomas Ryan Matteo Meucci Tim Bertels Michael Boman Tripurari Rai Wagner Elias
Proposed v4 list: let’s discuss it Category Vulnerability name Where implemented Source Information Gathering Information Disclosure TG, ecc, --> link TG Configuration and Deploy Infrastructure Configuration management Management weakness TG Application Configuration management weakness TG File extensions handling TG Old, backup and unreferenced files TG Access to Admin interfaces TG Bad HTTP Methods enabled, (XST permitted: to eliminate or TG Informative Error Messages Database credentials/connection strings available Business logic Business Logic TG Credentials transport over an unencrypted Authentication channel TG User enumeration (also Guessable user account) TG Default passwords TG Weak lock out mechanism new TG Account lockout DoS Bypassing authentication schema TG Directory traversal/file include TG vulnerable remember password TG Logout function not properly implemented, browser cache weakness TG Weak Password policy New TG Weak username policy New Anurag weak security question answer New Failure to Restrict access to authenticated resource New Top10 Weak password change function New Vishal
Proposed v4 list: let’s discuss it (2) Authorization Path Traversal TG Bypassing authorization schema TG Privilege Escalation TG Insecure Direct Object References Top10 2010 Failure to Restrict access to authorized resource TG Session Managment Bypassing Session Management Schema TG Weak Session Token TG Cookies are set not ‘HTTP Only’, ‘Secure’, and no time validity TG Exposed sensitive session variables TG CSRF Session passed over http Vishal Session token within URL Vishal Session Fixation Vishal Session token not removed on server after logout Vishal Persistent session token Vishal Session token not restrcited properly (such as domain or path not set properly) Vishal Data Validation Reflected XSS TG Stored XSS TG - Vishal HTTP Verb Tampering new TG HTTP Parameter pollution new TG Unvalidated Redirects and Forwards T10 2010: new TG SQL Injection TG SQL Fingerprinting LDAP Injection TG ORM Injection TG XML Injection TG SSI Injection TG XPath Injection TG SOAP Injection IMAP/SMTP Injection TG Code Injection TG OS Commanding TG Buffer overflow Incubated vulnerability HTTP Splitting/Smuggling
Proposed v4 list: let’s discuss it (3) Data Encryption? Application did not use encryption Weak SSL/TSL Ciphers, Insufficient Transport Layer Protection Cacheable HTTPS Response Cache directives insecure Insecure Cryptographic Storage only SCR guide T10 2010: new TG Sensitive information sent via unencrypted channels XML interpreter? Weak XML Structure XML content-level WS HTTP GET parameters/REST WS Naughty SOAP attachments WS Replay Testing Client side? DOM XSS TG Cross Site Flashing TG ClickHijacking new TG
Proposed v4 news from Pavol - add new opensource testing tools that appeared during last 3 years (and are missing in the OWASP Testing Guide v3) - add few useful and life-scenarios of possible vulnerabilities in Bussiness Logic Testing (many testers have no idea what vulnerabilities in Business Logic exactly mean) - "Brute force testing" of "session ID" is missing in "Session Management Testing", describe other tools for Session ID entropy analysis (e.g. Stompy) - in "Data Validation Testing" describe some basic obfuscation methods for malicious code injection including the statements how it is possible to detect it (web application obfuscation is quite succesfull in bypassing many data validation controls) - split the phase Logout and Browser Cache Management" into two sections
Roadmap • Review all the control numbers to adhere to the OWASP Common numbering, • Review all the sections in v3, • Create a more readable guide, eliminating some sections that are not really useful, • Insert new testing techniques: HTTP Verb tampering, HTTP Parameter Pollutions, etc., • Rationalize some sections as Session Management Testing, • Create a new section: Client side security and Firefox extensions testing?
Questions? http://www.owasp.org/index.php/OWASP_Testing_Project matteo.meucci@owasp.org Thanks!!

Recommended

Supplement V1.2
Supplement V1.2Supplement V1.2
Supplement V1.2
cissp taiwan
 
Ayo 4 Abc Dlogos 07
Ayo 4 Abc Dlogos 07Ayo 4 Abc Dlogos 07
Ayo 4 Abc Dlogos 07
diana.escuelas
 
Proyecto nti
Proyecto ntiProyecto nti
Proyecto nti
cesar padilla
 
Photo Journey to the Munich Residenz
Photo Journey to the Munich ResidenzPhoto Journey to the Munich Residenz
Photo Journey to the Munich Residenz
Laurel Robbins
 
Buscar ciclos formativos
Buscar ciclos formativosBuscar ciclos formativos
Buscar ciclos formativos
teflang
 
Dominik Ghirlandaio
Dominik GhirlandaioDominik Ghirlandaio
Dominik Ghirlandaio
Arkadiusz Stęplowski
 
Evolucion de la Tecnlogia Educativa
Evolucion de la Tecnlogia Educativa Evolucion de la Tecnlogia Educativa
Evolucion de la Tecnlogia Educativa
AdryCando
 
Trabajo sobre luis caballero
Trabajo sobre luis caballeroTrabajo sobre luis caballero
Trabajo sobre luis caballero
santySNA
 

Recommended

Supplement V1.2
Supplement V1.2Supplement V1.2
Supplement V1.2
cissp taiwan
 
Ayo 4 Abc Dlogos 07
Ayo 4 Abc Dlogos 07Ayo 4 Abc Dlogos 07
Ayo 4 Abc Dlogos 07
diana.escuelas
 
Proyecto nti
Proyecto ntiProyecto nti
Proyecto nti
cesar padilla
 
Photo Journey to the Munich Residenz
Photo Journey to the Munich ResidenzPhoto Journey to the Munich Residenz
Photo Journey to the Munich Residenz
Laurel Robbins
 
Buscar ciclos formativos
Buscar ciclos formativosBuscar ciclos formativos
Buscar ciclos formativos
teflang
 
Dominik Ghirlandaio
Dominik GhirlandaioDominik Ghirlandaio
Dominik Ghirlandaio
Arkadiusz Stęplowski
 
Evolucion de la Tecnlogia Educativa
Evolucion de la Tecnlogia Educativa Evolucion de la Tecnlogia Educativa
Evolucion de la Tecnlogia Educativa
AdryCando
 
Trabajo sobre luis caballero
Trabajo sobre luis caballeroTrabajo sobre luis caballero
Trabajo sobre luis caballero
santySNA
 
Trabajo project
Trabajo projectTrabajo project
Trabajo project
jhbm2412
 
XD sharing : TECHNIQUES
XD sharing : TECHNIQUESXD sharing : TECHNIQUES
XD sharing : TECHNIQUES
Yuliang Hsu
 
Elaboración de un Informe
Elaboración de un InformeElaboración de un Informe
Elaboración de un Informe
jornadajulio2012
 
GTMS. Abordatge i seguiment del pacient crònic complex a l’atenció continuada
GTMS. Abordatge i seguiment del pacient crònic complex a l’atenció continuadaGTMS. Abordatge i seguiment del pacient crònic complex a l’atenció continuada
GTMS. Abordatge i seguiment del pacient crònic complex a l’atenció continuada
Institut Català de la Salut
 
Trabajos día san gil 2ºb
Trabajos día san gil 2ºbTrabajos día san gil 2ºb
Trabajos día san gil 2ºb
robertoreyesteban
 
Jumper Trailer Analysis
Jumper Trailer AnalysisJumper Trailer Analysis
Jumper Trailer Analysis
alexbrend
 
Xogos de madeira
Xogos de madeiraXogos de madeira
Xogos de madeira
aaronlagoa
 
III Conferencia apoyo a las mujeres saharauis, celebrada en El Aaiún ocupado
III Conferencia apoyo a las mujeres saharauis, celebrada en El Aaiún ocupadoIII Conferencia apoyo a las mujeres saharauis, celebrada en El Aaiún ocupado
III Conferencia apoyo a las mujeres saharauis, celebrada en El Aaiún ocupado
Crónicas del despojo
 
Domremy la pucelle
Domremy la pucelleDomremy la pucelle
Domremy la pucelle
Rabolliot
 
Jpi june 2011
Jpi june 2011Jpi june 2011
Jpi june 2011
International advisers
 
~Buscadores~
~Buscadores~~Buscadores~
~Buscadores~
DaniielaNataly
 
Proyecto incluyendo socialización rica y tic
Proyecto incluyendo socialización rica y ticProyecto incluyendo socialización rica y tic
Proyecto incluyendo socialización rica y tic
YolandaPinaLeon
 
Syllabus matlab i
Syllabus matlab i Syllabus matlab i
Syllabus matlab i
Ariano Huamani
 
Ved du, hvor dine data er - og hvem, der har adgang til dem? Ron Ben Natan, I...
Ved du, hvor dine data er - og hvem, der har adgang til dem? Ron Ben Natan, I...Ved du, hvor dine data er - og hvem, der har adgang til dem? Ron Ben Natan, I...
Ved du, hvor dine data er - og hvem, der har adgang til dem? Ron Ben Natan, I...
IBM Danmark
 
Web application penetration testing
Web application penetration testingWeb application penetration testing
Web application penetration testing
Imaginea
 
50357 a enu-module02
50357 a enu-module0250357 a enu-module02
50357 a enu-module02
Bố Su
 
Security best practices
Security best practicesSecurity best practices
Security best practices
AVEVA
 
Gtb Dlp & Irm Solution Product And Deployment Overview
Gtb Dlp & Irm Solution Product And Deployment OverviewGtb Dlp & Irm Solution Product And Deployment Overview
Gtb Dlp & Irm Solution Product And Deployment Overview
gtbsalesindia
 
Admin Tech Ed Presentation Hardening Sql Server
Admin Tech Ed Presentation Hardening Sql ServerAdmin Tech Ed Presentation Hardening Sql Server
Admin Tech Ed Presentation Hardening Sql Server
rsnarayanan
 
Istio: Using nginMesh as the service proxy
Istio: Using nginMesh as the service proxyIstio: Using nginMesh as the service proxy
Istio: Using nginMesh as the service proxy
Lee Calcote
 
Test driven development for infrastructure as-a-code, the future trend_Gianfr...
Test driven development for infrastructure as-a-code, the future trend_Gianfr...Test driven development for infrastructure as-a-code, the future trend_Gianfr...
Test driven development for infrastructure as-a-code, the future trend_Gianfr...
Katherine Golovinova
 
NET RIA Services - Building Data-Driven Applications with Microsoft Silverlig...
NET RIA Services - Building Data-Driven Applications with Microsoft Silverlig...NET RIA Services - Building Data-Driven Applications with Microsoft Silverlig...
NET RIA Services - Building Data-Driven Applications with Microsoft Silverlig...
goodfriday
 

More Related Content

Viewers also liked

Trabajo project
Trabajo projectTrabajo project
Trabajo project
jhbm2412
 
Elaboración de un Informe
Elaboración de un InformeElaboración de un Informe
Elaboración de un Informe
jornadajulio2012
 
Jumper Trailer Analysis
Jumper Trailer AnalysisJumper Trailer Analysis
Jumper Trailer Analysis
alexbrend
 
Xogos de madeira
Xogos de madeiraXogos de madeira
Xogos de madeira
aaronlagoa
 
III Conferencia apoyo a las mujeres saharauis, celebrada en El Aaiún ocupado
III Conferencia apoyo a las mujeres saharauis, celebrada en El Aaiún ocupadoIII Conferencia apoyo a las mujeres saharauis, celebrada en El Aaiún ocupado
III Conferencia apoyo a las mujeres saharauis, celebrada en El Aaiún ocupado
Crónicas del despojo
 
Domremy la pucelle
Domremy la pucelleDomremy la pucelle
Domremy la pucelle
Rabolliot
 

Viewers also liked (13)

Trabajo project
Trabajo projectTrabajo project
Trabajo project
 
XD sharing : TECHNIQUES
XD sharing : TECHNIQUESXD sharing : TECHNIQUES
XD sharing : TECHNIQUES
 
Elaboración de un Informe
Elaboración de un InformeElaboración de un Informe
Elaboración de un Informe
 
GTMS. Abordatge i seguiment del pacient crònic complex a l’atenció continuada
GTMS. Abordatge i seguiment del pacient crònic complex a l’atenció continuadaGTMS. Abordatge i seguiment del pacient crònic complex a l’atenció continuada
GTMS. Abordatge i seguiment del pacient crònic complex a l’atenció continuada
 
Trabajos día san gil 2ºb
Trabajos día san gil 2ºbTrabajos día san gil 2ºb
Trabajos día san gil 2ºb
 
Jumper Trailer Analysis
Jumper Trailer AnalysisJumper Trailer Analysis
Jumper Trailer Analysis
 
Xogos de madeira
Xogos de madeiraXogos de madeira
Xogos de madeira
 
III Conferencia apoyo a las mujeres saharauis, celebrada en El Aaiún ocupado
III Conferencia apoyo a las mujeres saharauis, celebrada en El Aaiún ocupadoIII Conferencia apoyo a las mujeres saharauis, celebrada en El Aaiún ocupado
III Conferencia apoyo a las mujeres saharauis, celebrada en El Aaiún ocupado
 
Domremy la pucelle
Domremy la pucelleDomremy la pucelle
Domremy la pucelle
 
Jpi june 2011
Jpi june 2011Jpi june 2011
Jpi june 2011
 
~Buscadores~
~Buscadores~~Buscadores~
~Buscadores~
 
Proyecto incluyendo socialización rica y tic
Proyecto incluyendo socialización rica y ticProyecto incluyendo socialización rica y tic
Proyecto incluyendo socialización rica y tic
 
Syllabus matlab i
Syllabus matlab i Syllabus matlab i
Syllabus matlab i
 

Similar to Owasp testing guide owasp summit 2011 (matteo meucci)

Web application penetration testing
Web application penetration testingWeb application penetration testing
Web application penetration testing
Imaginea
 
50357 a enu-module02
50357 a enu-module0250357 a enu-module02
50357 a enu-module02
Bố Su
 
Gtb Dlp & Irm Solution Product And Deployment Overview
Gtb Dlp & Irm Solution Product And Deployment OverviewGtb Dlp & Irm Solution Product And Deployment Overview
Gtb Dlp & Irm Solution Product And Deployment Overview
gtbsalesindia
 
Admin Tech Ed Presentation Hardening Sql Server
Admin Tech Ed Presentation Hardening Sql ServerAdmin Tech Ed Presentation Hardening Sql Server
Admin Tech Ed Presentation Hardening Sql Server
rsnarayanan
 
Istio: Using nginMesh as the service proxy
Istio: Using nginMesh as the service proxyIstio: Using nginMesh as the service proxy
Istio: Using nginMesh as the service proxy
Lee Calcote
 
Secure Cloud Computing for the Health Enterprise
Secure Cloud Computing for the Health EnterpriseSecure Cloud Computing for the Health Enterprise
Secure Cloud Computing for the Health Enterprise
Joel Amoussou
 
Openstack@ebay: Practical SDN deployment with Quantum
Openstack@ebay: Practical SDN deployment with QuantumOpenstack@ebay: Practical SDN deployment with Quantum
Openstack@ebay: Practical SDN deployment with Quantum
Jean-Christophe "JC" Martin
 
Best Practices for Securing Active Directory v2.0
Best Practices for Securing Active Directory v2.0Best Practices for Securing Active Directory v2.0
Best Practices for Securing Active Directory v2.0
Danny Wong
 

Similar to Owasp testing guide owasp summit 2011 (matteo meucci) (20)

Ved du, hvor dine data er - og hvem, der har adgang til dem? Ron Ben Natan, I...
Ved du, hvor dine data er - og hvem, der har adgang til dem? Ron Ben Natan, I...Ved du, hvor dine data er - og hvem, der har adgang til dem? Ron Ben Natan, I...
Ved du, hvor dine data er - og hvem, der har adgang til dem? Ron Ben Natan, I...
 
Web application penetration testing
Web application penetration testingWeb application penetration testing
Web application penetration testing
 
50357 a enu-module02
50357 a enu-module0250357 a enu-module02
50357 a enu-module02
 
Security best practices
Security best practicesSecurity best practices
Security best practices
 
Gtb Dlp & Irm Solution Product And Deployment Overview
Gtb Dlp & Irm Solution Product And Deployment OverviewGtb Dlp & Irm Solution Product And Deployment Overview
Gtb Dlp & Irm Solution Product And Deployment Overview
 
Admin Tech Ed Presentation Hardening Sql Server
Admin Tech Ed Presentation Hardening Sql ServerAdmin Tech Ed Presentation Hardening Sql Server
Admin Tech Ed Presentation Hardening Sql Server
 
Istio: Using nginMesh as the service proxy
Istio: Using nginMesh as the service proxyIstio: Using nginMesh as the service proxy
Istio: Using nginMesh as the service proxy
 
Test driven development for infrastructure as-a-code, the future trend_Gianfr...
Test driven development for infrastructure as-a-code, the future trend_Gianfr...Test driven development for infrastructure as-a-code, the future trend_Gianfr...
Test driven development for infrastructure as-a-code, the future trend_Gianfr...
 
NET RIA Services - Building Data-Driven Applications with Microsoft Silverlig...
NET RIA Services - Building Data-Driven Applications with Microsoft Silverlig...NET RIA Services - Building Data-Driven Applications with Microsoft Silverlig...
NET RIA Services - Building Data-Driven Applications with Microsoft Silverlig...
 
Cybersecurity - Mobile Application Security
Cybersecurity - Mobile Application SecurityCybersecurity - Mobile Application Security
Cybersecurity - Mobile Application Security
 
Kerberos, Token and Hadoop
Kerberos, Token and HadoopKerberos, Token and Hadoop
Kerberos, Token and Hadoop
 
Secure Cloud Computing for the Health Enterprise
Secure Cloud Computing for the Health EnterpriseSecure Cloud Computing for the Health Enterprise
Secure Cloud Computing for the Health Enterprise
 
Openstack@ebay: Practical SDN deployment with Quantum
Openstack@ebay: Practical SDN deployment with QuantumOpenstack@ebay: Practical SDN deployment with Quantum
Openstack@ebay: Practical SDN deployment with Quantum
 
Large Scale Deployment of SOA-P
Large Scale Deployment of SOA-PLarge Scale Deployment of SOA-P
Large Scale Deployment of SOA-P
 
Best Practices for Securing Active Directory v2.0
Best Practices for Securing Active Directory v2.0Best Practices for Securing Active Directory v2.0
Best Practices for Securing Active Directory v2.0
 
Webinar issues we_find_slideshare
Webinar issues we_find_slideshareWebinar issues we_find_slideshare
Webinar issues we_find_slideshare
 
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...
 
Why Assertion-based Access Token is preferred to Handle-based one?
Why Assertion-based Access Token is preferred to Handle-based one?Why Assertion-based Access Token is preferred to Handle-based one?
Why Assertion-based Access Token is preferred to Handle-based one?
 
Kubernetes Summit 2021: Multi-Cluster - The Good, the Bad and the Ugly
Kubernetes Summit 2021: Multi-Cluster - The Good, the Bad and the UglyKubernetes Summit 2021: Multi-Cluster - The Good, the Bad and the Ugly
Kubernetes Summit 2021: Multi-Cluster - The Good, the Bad and the Ugly
 
Pangolin Datasheet
Pangolin DatasheetPangolin Datasheet
Pangolin Datasheet
 

Recently uploaded

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Roshan Dwivedi
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Principled Technologies
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 

Recently uploaded (20)

A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 

Owasp testing guide owasp summit 2011 (matteo meucci)

  • 1. Planning the OWASP Testing Guide v4 Matteo Meucci, Giorgio Fedon, Pavol Luptak
  • 2. AG E N DA • Few words about the TG history and adoption by the Companies • Why we need the Common Numbering and Common Vulnerability list • Update the set of test • V4 Roadmap
  • 3. What is the OWASP Testing Guide? Where are we now?
  • 4. Testing Guide history • January 2004 – "The OWASP Testing Guide", Version 1.0 • July 14, 2004 – "OWASP Web Application Penetration Checklist", Version 1.1 • December 25, 2006 – "OWASP Testing Guide", Version 2.0 • December 16, 2008 – "OWASP Testing Guide", Version 3.0 – Released at the OWASP Summit 08
  • 5. Project Complexity Pages 400 350 300 250 200 Pages 150 100 50 0 v1 v1.1 v2 v3
  • 6. OWASP Testing Guide v3 • SANS Top 20 2007 • NIST “Technical Guide to Information Security Testing (Draft)” • Gary McGraw (CTO Cigital) says: “In my opinion it is the strongest piece of Intellectual Property in the OWASP portfolio” – OWASP Podcast by Jim Manico
  • 7. Testing Guide v3: Index 1. Frontispiece 2. Introduction 3. The OWASP Testing Framework 4. Web Application Penetration Testing 5. Writing Reports: value the real risk Appendix A: Testing Tools Appendix B: Suggested Reading Appendix C: Fuzz Vectors Appendix D: Encoded Injection
  • 8. What are the difference between the OWASP Testing Guide and another book about WebApp PenTesting?
  • 9. Web Application Penetration Testing • OWASP Testing Guide is driven by our Community • It’s related to the other OWASP guides • Our approach in writing this guide – Open – Collaborative • Defined testing methodology – Consistent – Repeatable – Under quality 9
  • 10. Testing Guide Categories & vulnerability list
  • 11. What we need now to improve the v3 and plan the v4?
  • 12. OWASP Common Vulnerability List We need a common vulnerability list 12
  • 13. Looking at the Testing Guide Categories & vulnerability list
  • 15. Andrew Muller Mike Hryekewicz Aung KhAnt Nick Freeman Cecil Su Norbert Szetei Colin Watson Paolo Perego Daniel Cuthbert Pavol Luptak Giorgio Fedon Psiinon Jason Flood Ray Schippers Javier Marcos de Prado Robert Smith Juan Galiana Lara Robert Winkel Kenan Gursoy Roberto Suggi Liverani Kevin Horvat Sebastien Gioria Lode Vanstechelman Stefano Di Paola Marco Morana Sumit Siddharth Matt Churchy Thomas Ryan Matteo Meucci Tim Bertels Michael Boman Tripurari Rai Wagner Elias
  • 16. Proposed v4 list: let’s discuss it Category Vulnerability name Where implemented Source Information Gathering Information Disclosure TG, ecc, --> link TG Configuration and Deploy Infrastructure Configuration management Management weakness TG Application Configuration management weakness TG File extensions handling TG Old, backup and unreferenced files TG Access to Admin interfaces TG Bad HTTP Methods enabled, (XST permitted: to eliminate or TG Informative Error Messages Database credentials/connection strings available Business logic Business Logic TG Credentials transport over an unencrypted Authentication channel TG User enumeration (also Guessable user account) TG Default passwords TG Weak lock out mechanism new TG Account lockout DoS Bypassing authentication schema TG Directory traversal/file include TG vulnerable remember password TG Logout function not properly implemented, browser cache weakness TG Weak Password policy New TG Weak username policy New Anurag weak security question answer New Failure to Restrict access to authenticated resource New Top10 Weak password change function New Vishal
  • 17. Proposed v4 list: let’s discuss it (2) Authorization Path Traversal TG Bypassing authorization schema TG Privilege Escalation TG Insecure Direct Object References Top10 2010 Failure to Restrict access to authorized resource TG Session Managment Bypassing Session Management Schema TG Weak Session Token TG Cookies are set not ‘HTTP Only’, ‘Secure’, and no time validity TG Exposed sensitive session variables TG CSRF Session passed over http Vishal Session token within URL Vishal Session Fixation Vishal Session token not removed on server after logout Vishal Persistent session token Vishal Session token not restrcited properly (such as domain or path not set properly) Vishal Data Validation Reflected XSS TG Stored XSS TG - Vishal HTTP Verb Tampering new TG HTTP Parameter pollution new TG Unvalidated Redirects and Forwards T10 2010: new TG SQL Injection TG SQL Fingerprinting LDAP Injection TG ORM Injection TG XML Injection TG SSI Injection TG XPath Injection TG SOAP Injection IMAP/SMTP Injection TG Code Injection TG OS Commanding TG Buffer overflow Incubated vulnerability HTTP Splitting/Smuggling
  • 18. Proposed v4 list: let’s discuss it (3) Data Encryption? Application did not use encryption Weak SSL/TSL Ciphers, Insufficient Transport Layer Protection Cacheable HTTPS Response Cache directives insecure Insecure Cryptographic Storage only SCR guide T10 2010: new TG Sensitive information sent via unencrypted channels XML interpreter? Weak XML Structure XML content-level WS HTTP GET parameters/REST WS Naughty SOAP attachments WS Replay Testing Client side? DOM XSS TG Cross Site Flashing TG ClickHijacking new TG
  • 19. Proposed v4 news from Pavol - add new opensource testing tools that appeared during last 3 years (and are missing in the OWASP Testing Guide v3) - add few useful and life-scenarios of possible vulnerabilities in Bussiness Logic Testing (many testers have no idea what vulnerabilities in Business Logic exactly mean) - "Brute force testing" of "session ID" is missing in "Session Management Testing", describe other tools for Session ID entropy analysis (e.g. Stompy) - in "Data Validation Testing" describe some basic obfuscation methods for malicious code injection including the statements how it is possible to detect it (web application obfuscation is quite succesfull in bypassing many data validation controls) - split the phase Logout and Browser Cache Management" into two sections
  • 20. Roadmap • Review all the control numbers to adhere to the OWASP Common numbering, • Review all the sections in v3, • Create a more readable guide, eliminating some sections that are not really useful, • Insert new testing techniques: HTTP Verb tampering, HTTP Parameter Pollutions, etc., • Rationalize some sections as Session Management Testing, • Create a new section: Client side security and Firefox extensions testing?