SlideShare une entreprise Scribd logo

Owasp testing guide owasp summit 2011 (matteo meucci)

Matteo Meucci
Matteo Meucci

Presentation of the OWASP Testing Guide v4 @ OWASP Summit 2011

Technologie
1  sur  21
Planning the OWASP Testing Guide v4 Matteo Meucci, Giorgio Fedon, Pavol Luptak
AG E N DA • Few words about the TG history and adoption by the Companies • Why we need the Common Numbering and Common Vulnerability list • Update the set of test • V4 Roadmap
What is the OWASP Testing Guide? Where are we now?
Testing Guide history • January 2004 – "The OWASP Testing Guide", Version 1.0 • July 14, 2004 – "OWASP Web Application Penetration Checklist", Version 1.1 • December 25, 2006 – "OWASP Testing Guide", Version 2.0 • December 16, 2008 – "OWASP Testing Guide", Version 3.0 – Released at the OWASP Summit 08
Project Complexity Pages 400 350 300 250 200 Pages 150 100 50 0 v1 v1.1 v2 v3
OWASP Testing Guide v3 • SANS Top 20 2007 • NIST “Technical Guide to Information Security Testing (Draft)” • Gary McGraw (CTO Cigital) says: “In my opinion it is the strongest piece of Intellectual Property in the OWASP portfolio” – OWASP Podcast by Jim Manico
Testing Guide v3: Index 1. Frontispiece 2. Introduction 3. The OWASP Testing Framework 4. Web Application Penetration Testing 5. Writing Reports: value the real risk Appendix A: Testing Tools Appendix B: Suggested Reading Appendix C: Fuzz Vectors Appendix D: Encoded Injection
What are the difference between the OWASP Testing Guide and another book about WebApp PenTesting?
Web Application Penetration Testing • OWASP Testing Guide is driven by our Community • It’s related to the other OWASP guides • Our approach in writing this guide – Open – Collaborative • Defined testing methodology – Consistent – Repeatable – Under quality 9
Testing Guide Categories & vulnerability list
What we need now to improve the v3 and plan the v4?
OWASP Common Vulnerability List We need a common vulnerability list 12
Looking at the Testing Guide Categories & vulnerability list
The new team
Andrew Muller Mike Hryekewicz Aung KhAnt Nick Freeman Cecil Su Norbert Szetei Colin Watson Paolo Perego Daniel Cuthbert Pavol Luptak Giorgio Fedon Psiinon Jason Flood Ray Schippers Javier Marcos de Prado Robert Smith Juan Galiana Lara Robert Winkel Kenan Gursoy Roberto Suggi Liverani Kevin Horvat Sebastien Gioria Lode Vanstechelman Stefano Di Paola Marco Morana Sumit Siddharth Matt Churchy Thomas Ryan Matteo Meucci Tim Bertels Michael Boman Tripurari Rai Wagner Elias
Proposed v4 list: let’s discuss it Category Vulnerability name Where implemented Source Information Gathering Information Disclosure TG, ecc, --> link TG Configuration and Deploy Infrastructure Configuration management Management weakness TG Application Configuration management weakness TG File extensions handling TG Old, backup and unreferenced files TG Access to Admin interfaces TG Bad HTTP Methods enabled, (XST permitted: to eliminate or TG Informative Error Messages Database credentials/connection strings available Business logic Business Logic TG Credentials transport over an unencrypted Authentication channel TG User enumeration (also Guessable user account) TG Default passwords TG Weak lock out mechanism new TG Account lockout DoS Bypassing authentication schema TG Directory traversal/file include TG vulnerable remember password TG Logout function not properly implemented, browser cache weakness TG Weak Password policy New TG Weak username policy New Anurag weak security question answer New Failure to Restrict access to authenticated resource New Top10 Weak password change function New Vishal
Proposed v4 list: let’s discuss it (2) Authorization Path Traversal TG Bypassing authorization schema TG Privilege Escalation TG Insecure Direct Object References Top10 2010 Failure to Restrict access to authorized resource TG Session Managment Bypassing Session Management Schema TG Weak Session Token TG Cookies are set not ‘HTTP Only’, ‘Secure’, and no time validity TG Exposed sensitive session variables TG CSRF Session passed over http Vishal Session token within URL Vishal Session Fixation Vishal Session token not removed on server after logout Vishal Persistent session token Vishal Session token not restrcited properly (such as domain or path not set properly) Vishal Data Validation Reflected XSS TG Stored XSS TG - Vishal HTTP Verb Tampering new TG HTTP Parameter pollution new TG Unvalidated Redirects and Forwards T10 2010: new TG SQL Injection TG SQL Fingerprinting LDAP Injection TG ORM Injection TG XML Injection TG SSI Injection TG XPath Injection TG SOAP Injection IMAP/SMTP Injection TG Code Injection TG OS Commanding TG Buffer overflow Incubated vulnerability HTTP Splitting/Smuggling
Proposed v4 list: let’s discuss it (3) Data Encryption? Application did not use encryption Weak SSL/TSL Ciphers, Insufficient Transport Layer Protection Cacheable HTTPS Response Cache directives insecure Insecure Cryptographic Storage only SCR guide T10 2010: new TG Sensitive information sent via unencrypted channels XML interpreter? Weak XML Structure XML content-level WS HTTP GET parameters/REST WS Naughty SOAP attachments WS Replay Testing Client side? DOM XSS TG Cross Site Flashing TG ClickHijacking new TG
Proposed v4 news from Pavol - add new opensource testing tools that appeared during last 3 years (and are missing in the OWASP Testing Guide v3) - add few useful and life-scenarios of possible vulnerabilities in Bussiness Logic Testing (many testers have no idea what vulnerabilities in Business Logic exactly mean) - "Brute force testing" of "session ID" is missing in "Session Management Testing", describe other tools for Session ID entropy analysis (e.g. Stompy) - in "Data Validation Testing" describe some basic obfuscation methods for malicious code injection including the statements how it is possible to detect it (web application obfuscation is quite succesfull in bypassing many data validation controls) - split the phase Logout and Browser Cache Management" into two sections
Roadmap • Review all the control numbers to adhere to the OWASP Common numbering, • Review all the sections in v3, • Create a more readable guide, eliminating some sections that are not really useful, • Insert new testing techniques: HTTP Verb tampering, HTTP Parameter Pollutions, etc., • Rationalize some sections as Session Management Testing, • Create a new section: Client side security and Firefox extensions testing?
Questions? http://www.owasp.org/index.php/OWASP_Testing_Project matteo.meucci@owasp.org Thanks!!

Recommandé

Supplement V1.2
Supplement V1.2Supplement V1.2
Supplement V1.2cissp taiwan
 
Ayo 4 Abc Dlogos 07
Ayo 4 Abc Dlogos 07Ayo 4 Abc Dlogos 07
Ayo 4 Abc Dlogos 07diana.escuelas
 
Proyecto nti
Proyecto ntiProyecto nti
Proyecto nticesar padilla
 
Photo Journey to the Munich Residenz
Photo Journey to the Munich ResidenzPhoto Journey to the Munich Residenz
Photo Journey to the Munich ResidenzLaurel Robbins
 
Buscar ciclos formativos
Buscar ciclos formativosBuscar ciclos formativos
Buscar ciclos formativosteflang
 
Dominik Ghirlandaio
Dominik GhirlandaioDominik Ghirlandaio
Dominik GhirlandaioArkadiusz Stęplowski
 
Evolucion de la Tecnlogia Educativa
Evolucion de la Tecnlogia Educativa Evolucion de la Tecnlogia Educativa
Evolucion de la Tecnlogia Educativa AdryCando
 
Trabajo sobre luis caballero
Trabajo sobre luis caballeroTrabajo sobre luis caballero
Trabajo sobre luis caballerosantySNA
 

Recommandé

Supplement V1.2
Supplement V1.2Supplement V1.2
Supplement V1.2cissp taiwan
 
Ayo 4 Abc Dlogos 07
Ayo 4 Abc Dlogos 07Ayo 4 Abc Dlogos 07
Ayo 4 Abc Dlogos 07diana.escuelas
 
Proyecto nti
Proyecto ntiProyecto nti
Proyecto nticesar padilla
 
Photo Journey to the Munich Residenz
Photo Journey to the Munich ResidenzPhoto Journey to the Munich Residenz
Photo Journey to the Munich ResidenzLaurel Robbins
 
Buscar ciclos formativos
Buscar ciclos formativosBuscar ciclos formativos
Buscar ciclos formativosteflang
 
Dominik Ghirlandaio
Dominik GhirlandaioDominik Ghirlandaio
Dominik GhirlandaioArkadiusz Stęplowski
 
Evolucion de la Tecnlogia Educativa
Evolucion de la Tecnlogia Educativa Evolucion de la Tecnlogia Educativa
Evolucion de la Tecnlogia Educativa AdryCando
 
Trabajo sobre luis caballero
Trabajo sobre luis caballeroTrabajo sobre luis caballero
Trabajo sobre luis caballerosantySNA
 
Trabajo project
Trabajo projectTrabajo project
Trabajo projectjhbm2412
 
XD sharing : TECHNIQUES
XD sharing : TECHNIQUESXD sharing : TECHNIQUES
XD sharing : TECHNIQUESYuliang Hsu
 
Elaboración de un Informe
Elaboración de un InformeElaboración de un Informe
Elaboración de un Informejornadajulio2012
 
GTMS. Abordatge i seguiment del pacient crònic complex a l’atenció continuada
GTMS. Abordatge i seguiment del pacient crònic complex a l’atenció continuadaGTMS. Abordatge i seguiment del pacient crònic complex a l’atenció continuada
GTMS. Abordatge i seguiment del pacient crònic complex a l’atenció continuadaInstitut Català de la Salut
 
Trabajos día san gil 2ºb
Trabajos día san gil 2ºbTrabajos día san gil 2ºb
Trabajos día san gil 2ºbrobertoreyesteban
 
Jumper Trailer Analysis
Jumper Trailer AnalysisJumper Trailer Analysis
Jumper Trailer Analysisalexbrend
 
Xogos de madeira
Xogos de madeiraXogos de madeira
Xogos de madeiraaaronlagoa
 
III Conferencia apoyo a las mujeres saharauis, celebrada en El Aaiún ocupado
III Conferencia apoyo a las mujeres saharauis, celebrada en El Aaiún ocupadoIII Conferencia apoyo a las mujeres saharauis, celebrada en El Aaiún ocupado
III Conferencia apoyo a las mujeres saharauis, celebrada en El Aaiún ocupadoCrónicas del despojo
 
Domremy la pucelle
Domremy la pucelleDomremy la pucelle
Domremy la pucelleRabolliot
 
Jpi june 2011
Jpi june 2011Jpi june 2011
Jpi june 2011International advisers
 
~Buscadores~
~Buscadores~~Buscadores~
~Buscadores~DaniielaNataly
 
Proyecto incluyendo socialización rica y tic
Proyecto incluyendo socialización rica y ticProyecto incluyendo socialización rica y tic
Proyecto incluyendo socialización rica y ticYolandaPinaLeon
 
Syllabus matlab i
Syllabus matlab i Syllabus matlab i
Syllabus matlab i Ariano Huamani
 
Ved du, hvor dine data er - og hvem, der har adgang til dem? Ron Ben Natan, I...
Ved du, hvor dine data er - og hvem, der har adgang til dem? Ron Ben Natan, I...Ved du, hvor dine data er - og hvem, der har adgang til dem? Ron Ben Natan, I...
Ved du, hvor dine data er - og hvem, der har adgang til dem? Ron Ben Natan, I...IBM Danmark
 
Web application penetration testing
Web application penetration testingWeb application penetration testing
Web application penetration testingImaginea
 
50357 a enu-module02
50357 a enu-module0250357 a enu-module02
50357 a enu-module02Bố Su
 
Security best practices
Security best practicesSecurity best practices
Security best practicesAVEVA
 
Gtb Dlp & Irm Solution Product And Deployment Overview
Gtb Dlp & Irm Solution Product And Deployment OverviewGtb Dlp & Irm Solution Product And Deployment Overview
Gtb Dlp & Irm Solution Product And Deployment Overviewgtbsalesindia
 
Admin Tech Ed Presentation Hardening Sql Server
Admin Tech Ed Presentation Hardening Sql ServerAdmin Tech Ed Presentation Hardening Sql Server
Admin Tech Ed Presentation Hardening Sql Serverrsnarayanan
 
Istio: Using nginMesh as the service proxy
Istio: Using nginMesh as the service proxyIstio: Using nginMesh as the service proxy
Istio: Using nginMesh as the service proxyLee Calcote
 
Test driven development for infrastructure as-a-code, the future trend_Gianfr...
Test driven development for infrastructure as-a-code, the future trend_Gianfr...Test driven development for infrastructure as-a-code, the future trend_Gianfr...
Test driven development for infrastructure as-a-code, the future trend_Gianfr...Katherine Golovinova
 
NET RIA Services - Building Data-Driven Applications with Microsoft Silverlig...
NET RIA Services - Building Data-Driven Applications with Microsoft Silverlig...NET RIA Services - Building Data-Driven Applications with Microsoft Silverlig...
NET RIA Services - Building Data-Driven Applications with Microsoft Silverlig...goodfriday
 

Contenu connexe

En vedette

Trabajo project
Trabajo projectTrabajo project
Trabajo projectjhbm2412
 
XD sharing : TECHNIQUES
XD sharing : TECHNIQUESXD sharing : TECHNIQUES
XD sharing : TECHNIQUESYuliang Hsu
 
Elaboración de un Informe
Elaboración de un InformeElaboración de un Informe
Elaboración de un Informejornadajulio2012
 
GTMS. Abordatge i seguiment del pacient crònic complex a l’atenció continuada
GTMS. Abordatge i seguiment del pacient crònic complex a l’atenció continuadaGTMS. Abordatge i seguiment del pacient crònic complex a l’atenció continuada
GTMS. Abordatge i seguiment del pacient crònic complex a l’atenció continuadaInstitut Català de la Salut
 
Jumper Trailer Analysis
Jumper Trailer AnalysisJumper Trailer Analysis
Jumper Trailer Analysisalexbrend
 
Xogos de madeira
Xogos de madeiraXogos de madeira
Xogos de madeiraaaronlagoa
 
III Conferencia apoyo a las mujeres saharauis, celebrada en El Aaiún ocupado
III Conferencia apoyo a las mujeres saharauis, celebrada en El Aaiún ocupadoIII Conferencia apoyo a las mujeres saharauis, celebrada en El Aaiún ocupado
III Conferencia apoyo a las mujeres saharauis, celebrada en El Aaiún ocupadoCrónicas del despojo
 
Domremy la pucelle
Domremy la pucelleDomremy la pucelle
Domremy la pucelleRabolliot
 
Proyecto incluyendo socialización rica y tic
Proyecto incluyendo socialización rica y ticProyecto incluyendo socialización rica y tic
Proyecto incluyendo socialización rica y ticYolandaPinaLeon
 

En vedette (13)

Trabajo project
Trabajo projectTrabajo project
Trabajo project
 
XD sharing : TECHNIQUES
XD sharing : TECHNIQUESXD sharing : TECHNIQUES
XD sharing : TECHNIQUES
 
Elaboración de un Informe
Elaboración de un InformeElaboración de un Informe
Elaboración de un Informe
 
GTMS. Abordatge i seguiment del pacient crònic complex a l’atenció continuada
GTMS. Abordatge i seguiment del pacient crònic complex a l’atenció continuadaGTMS. Abordatge i seguiment del pacient crònic complex a l’atenció continuada
GTMS. Abordatge i seguiment del pacient crònic complex a l’atenció continuada
 
Trabajos día san gil 2ºb
Trabajos día san gil 2ºbTrabajos día san gil 2ºb
Trabajos día san gil 2ºb
 
Jumper Trailer Analysis
Jumper Trailer AnalysisJumper Trailer Analysis
Jumper Trailer Analysis
 
Xogos de madeira
Xogos de madeiraXogos de madeira
Xogos de madeira
 
III Conferencia apoyo a las mujeres saharauis, celebrada en El Aaiún ocupado
III Conferencia apoyo a las mujeres saharauis, celebrada en El Aaiún ocupadoIII Conferencia apoyo a las mujeres saharauis, celebrada en El Aaiún ocupado
III Conferencia apoyo a las mujeres saharauis, celebrada en El Aaiún ocupado
 
Domremy la pucelle
Domremy la pucelleDomremy la pucelle
Domremy la pucelle
 
Jpi june 2011
Jpi june 2011Jpi june 2011
Jpi june 2011
 
~Buscadores~
~Buscadores~~Buscadores~
~Buscadores~
 
Proyecto incluyendo socialización rica y tic
Proyecto incluyendo socialización rica y ticProyecto incluyendo socialización rica y tic
Proyecto incluyendo socialización rica y tic
 
Syllabus matlab i
Syllabus matlab i Syllabus matlab i
Syllabus matlab i
 

Similaire à Owasp testing guide owasp summit 2011 (matteo meucci)

Ved du, hvor dine data er - og hvem, der har adgang til dem? Ron Ben Natan, I...
Ved du, hvor dine data er - og hvem, der har adgang til dem? Ron Ben Natan, I...Ved du, hvor dine data er - og hvem, der har adgang til dem? Ron Ben Natan, I...
Ved du, hvor dine data er - og hvem, der har adgang til dem? Ron Ben Natan, I...IBM Danmark
 
Web application penetration testing
Web application penetration testingWeb application penetration testing
Web application penetration testingImaginea
 
50357 a enu-module02
50357 a enu-module0250357 a enu-module02
50357 a enu-module02Bố Su
 
Security best practices
Security best practicesSecurity best practices
Security best practicesAVEVA
 
Gtb Dlp & Irm Solution Product And Deployment Overview
Gtb Dlp & Irm Solution Product And Deployment OverviewGtb Dlp & Irm Solution Product And Deployment Overview
Gtb Dlp & Irm Solution Product And Deployment Overviewgtbsalesindia
 
Admin Tech Ed Presentation Hardening Sql Server
Admin Tech Ed Presentation Hardening Sql ServerAdmin Tech Ed Presentation Hardening Sql Server
Admin Tech Ed Presentation Hardening Sql Serverrsnarayanan
 
Istio: Using nginMesh as the service proxy
Istio: Using nginMesh as the service proxyIstio: Using nginMesh as the service proxy
Istio: Using nginMesh as the service proxyLee Calcote
 
Test driven development for infrastructure as-a-code, the future trend_Gianfr...
Test driven development for infrastructure as-a-code, the future trend_Gianfr...Test driven development for infrastructure as-a-code, the future trend_Gianfr...
Test driven development for infrastructure as-a-code, the future trend_Gianfr...Katherine Golovinova
 
NET RIA Services - Building Data-Driven Applications with Microsoft Silverlig...
NET RIA Services - Building Data-Driven Applications with Microsoft Silverlig...NET RIA Services - Building Data-Driven Applications with Microsoft Silverlig...
NET RIA Services - Building Data-Driven Applications with Microsoft Silverlig...goodfriday
 
Cybersecurity - Mobile Application Security
Cybersecurity - Mobile Application SecurityCybersecurity - Mobile Application Security
Cybersecurity - Mobile Application SecurityEryk Budi Pratama
 
Kerberos, Token and Hadoop
Kerberos, Token and HadoopKerberos, Token and Hadoop
Kerberos, Token and HadoopKai Zheng
 
Secure Cloud Computing for the Health Enterprise
Secure Cloud Computing for the Health EnterpriseSecure Cloud Computing for the Health Enterprise
Secure Cloud Computing for the Health EnterpriseJoel Amoussou
 
Openstack@ebay: Practical SDN deployment with Quantum
Openstack@ebay: Practical SDN deployment with QuantumOpenstack@ebay: Practical SDN deployment with Quantum
Openstack@ebay: Practical SDN deployment with QuantumJean-Christophe "JC" Martin
 
Large Scale Deployment of SOA-P
Large Scale Deployment of SOA-PLarge Scale Deployment of SOA-P
Large Scale Deployment of SOA-PC2B2 Consulting
 
Best Practices for Securing Active Directory v2.0
Best Practices for Securing Active Directory v2.0Best Practices for Securing Active Directory v2.0
Best Practices for Securing Active Directory v2.0Danny Wong
 
Webinar issues we_find_slideshare
Webinar issues we_find_slideshareWebinar issues we_find_slideshare
Webinar issues we_find_slideshareSOASTA
 
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...APIsecure_ Official
 
Why Assertion-based Access Token is preferred to Handle-based one?
Why Assertion-based Access Token is preferred to Handle-based one?Why Assertion-based Access Token is preferred to Handle-based one?
Why Assertion-based Access Token is preferred to Handle-based one?Hitachi, Ltd. OSS Solution Center.
 
Kubernetes Summit 2021: Multi-Cluster - The Good, the Bad and the Ugly
Kubernetes Summit 2021: Multi-Cluster - The Good, the Bad and the UglyKubernetes Summit 2021: Multi-Cluster - The Good, the Bad and the Ugly
Kubernetes Summit 2021: Multi-Cluster - The Good, the Bad and the Uglysmalltown
 
Pangolin Datasheet
Pangolin DatasheetPangolin Datasheet
Pangolin Datasheetmattotamhe
 

Similaire à Owasp testing guide owasp summit 2011 (matteo meucci) (20)

Ved du, hvor dine data er - og hvem, der har adgang til dem? Ron Ben Natan, I...
Ved du, hvor dine data er - og hvem, der har adgang til dem? Ron Ben Natan, I...Ved du, hvor dine data er - og hvem, der har adgang til dem? Ron Ben Natan, I...
Ved du, hvor dine data er - og hvem, der har adgang til dem? Ron Ben Natan, I...
 
Web application penetration testing
Web application penetration testingWeb application penetration testing
Web application penetration testing
 
50357 a enu-module02
50357 a enu-module0250357 a enu-module02
50357 a enu-module02
 
Security best practices
Security best practicesSecurity best practices
Security best practices
 
Gtb Dlp & Irm Solution Product And Deployment Overview
Gtb Dlp & Irm Solution Product And Deployment OverviewGtb Dlp & Irm Solution Product And Deployment Overview
Gtb Dlp & Irm Solution Product And Deployment Overview
 
Admin Tech Ed Presentation Hardening Sql Server
Admin Tech Ed Presentation Hardening Sql ServerAdmin Tech Ed Presentation Hardening Sql Server
Admin Tech Ed Presentation Hardening Sql Server
 
Istio: Using nginMesh as the service proxy
Istio: Using nginMesh as the service proxyIstio: Using nginMesh as the service proxy
Istio: Using nginMesh as the service proxy
 
Test driven development for infrastructure as-a-code, the future trend_Gianfr...
Test driven development for infrastructure as-a-code, the future trend_Gianfr...Test driven development for infrastructure as-a-code, the future trend_Gianfr...
Test driven development for infrastructure as-a-code, the future trend_Gianfr...
 
NET RIA Services - Building Data-Driven Applications with Microsoft Silverlig...
NET RIA Services - Building Data-Driven Applications with Microsoft Silverlig...NET RIA Services - Building Data-Driven Applications with Microsoft Silverlig...
NET RIA Services - Building Data-Driven Applications with Microsoft Silverlig...
 
Cybersecurity - Mobile Application Security
Cybersecurity - Mobile Application SecurityCybersecurity - Mobile Application Security
Cybersecurity - Mobile Application Security
 
Kerberos, Token and Hadoop
Kerberos, Token and HadoopKerberos, Token and Hadoop
Kerberos, Token and Hadoop
 
Secure Cloud Computing for the Health Enterprise
Secure Cloud Computing for the Health EnterpriseSecure Cloud Computing for the Health Enterprise
Secure Cloud Computing for the Health Enterprise
 
Openstack@ebay: Practical SDN deployment with Quantum
Openstack@ebay: Practical SDN deployment with QuantumOpenstack@ebay: Practical SDN deployment with Quantum
Openstack@ebay: Practical SDN deployment with Quantum
 
Large Scale Deployment of SOA-P
Large Scale Deployment of SOA-PLarge Scale Deployment of SOA-P
Large Scale Deployment of SOA-P
 
Best Practices for Securing Active Directory v2.0
Best Practices for Securing Active Directory v2.0Best Practices for Securing Active Directory v2.0
Best Practices for Securing Active Directory v2.0
 
Webinar issues we_find_slideshare
Webinar issues we_find_slideshareWebinar issues we_find_slideshare
Webinar issues we_find_slideshare
 
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...
 
Why Assertion-based Access Token is preferred to Handle-based one?
Why Assertion-based Access Token is preferred to Handle-based one?Why Assertion-based Access Token is preferred to Handle-based one?
Why Assertion-based Access Token is preferred to Handle-based one?
 
Kubernetes Summit 2021: Multi-Cluster - The Good, the Bad and the Ugly
Kubernetes Summit 2021: Multi-Cluster - The Good, the Bad and the UglyKubernetes Summit 2021: Multi-Cluster - The Good, the Bad and the Ugly
Kubernetes Summit 2021: Multi-Cluster - The Good, the Bad and the Ugly
 
Pangolin Datasheet
Pangolin DatasheetPangolin Datasheet
Pangolin Datasheet
 

Dernier

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Zilliz
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Bhuvaneswari Subramani
 

Dernier (20)

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 

Owasp testing guide owasp summit 2011 (matteo meucci)

  • 1. Planning the OWASP Testing Guide v4 Matteo Meucci, Giorgio Fedon, Pavol Luptak
  • 2. AG E N DA • Few words about the TG history and adoption by the Companies • Why we need the Common Numbering and Common Vulnerability list • Update the set of test • V4 Roadmap
  • 3. What is the OWASP Testing Guide? Where are we now?
  • 4. Testing Guide history • January 2004 – "The OWASP Testing Guide", Version 1.0 • July 14, 2004 – "OWASP Web Application Penetration Checklist", Version 1.1 • December 25, 2006 – "OWASP Testing Guide", Version 2.0 • December 16, 2008 – "OWASP Testing Guide", Version 3.0 – Released at the OWASP Summit 08
  • 5. Project Complexity Pages 400 350 300 250 200 Pages 150 100 50 0 v1 v1.1 v2 v3
  • 6. OWASP Testing Guide v3 • SANS Top 20 2007 • NIST “Technical Guide to Information Security Testing (Draft)” • Gary McGraw (CTO Cigital) says: “In my opinion it is the strongest piece of Intellectual Property in the OWASP portfolio” – OWASP Podcast by Jim Manico
  • 7. Testing Guide v3: Index 1. Frontispiece 2. Introduction 3. The OWASP Testing Framework 4. Web Application Penetration Testing 5. Writing Reports: value the real risk Appendix A: Testing Tools Appendix B: Suggested Reading Appendix C: Fuzz Vectors Appendix D: Encoded Injection
  • 8. What are the difference between the OWASP Testing Guide and another book about WebApp PenTesting?
  • 9. Web Application Penetration Testing • OWASP Testing Guide is driven by our Community • It’s related to the other OWASP guides • Our approach in writing this guide – Open – Collaborative • Defined testing methodology – Consistent – Repeatable – Under quality 9
  • 10. Testing Guide Categories & vulnerability list
  • 11. What we need now to improve the v3 and plan the v4?
  • 12. OWASP Common Vulnerability List We need a common vulnerability list 12
  • 13. Looking at the Testing Guide Categories & vulnerability list
  • 15. Andrew Muller Mike Hryekewicz Aung KhAnt Nick Freeman Cecil Su Norbert Szetei Colin Watson Paolo Perego Daniel Cuthbert Pavol Luptak Giorgio Fedon Psiinon Jason Flood Ray Schippers Javier Marcos de Prado Robert Smith Juan Galiana Lara Robert Winkel Kenan Gursoy Roberto Suggi Liverani Kevin Horvat Sebastien Gioria Lode Vanstechelman Stefano Di Paola Marco Morana Sumit Siddharth Matt Churchy Thomas Ryan Matteo Meucci Tim Bertels Michael Boman Tripurari Rai Wagner Elias
  • 16. Proposed v4 list: let’s discuss it Category Vulnerability name Where implemented Source Information Gathering Information Disclosure TG, ecc, --> link TG Configuration and Deploy Infrastructure Configuration management Management weakness TG Application Configuration management weakness TG File extensions handling TG Old, backup and unreferenced files TG Access to Admin interfaces TG Bad HTTP Methods enabled, (XST permitted: to eliminate or TG Informative Error Messages Database credentials/connection strings available Business logic Business Logic TG Credentials transport over an unencrypted Authentication channel TG User enumeration (also Guessable user account) TG Default passwords TG Weak lock out mechanism new TG Account lockout DoS Bypassing authentication schema TG Directory traversal/file include TG vulnerable remember password TG Logout function not properly implemented, browser cache weakness TG Weak Password policy New TG Weak username policy New Anurag weak security question answer New Failure to Restrict access to authenticated resource New Top10 Weak password change function New Vishal
  • 17. Proposed v4 list: let’s discuss it (2) Authorization Path Traversal TG Bypassing authorization schema TG Privilege Escalation TG Insecure Direct Object References Top10 2010 Failure to Restrict access to authorized resource TG Session Managment Bypassing Session Management Schema TG Weak Session Token TG Cookies are set not ‘HTTP Only’, ‘Secure’, and no time validity TG Exposed sensitive session variables TG CSRF Session passed over http Vishal Session token within URL Vishal Session Fixation Vishal Session token not removed on server after logout Vishal Persistent session token Vishal Session token not restrcited properly (such as domain or path not set properly) Vishal Data Validation Reflected XSS TG Stored XSS TG - Vishal HTTP Verb Tampering new TG HTTP Parameter pollution new TG Unvalidated Redirects and Forwards T10 2010: new TG SQL Injection TG SQL Fingerprinting LDAP Injection TG ORM Injection TG XML Injection TG SSI Injection TG XPath Injection TG SOAP Injection IMAP/SMTP Injection TG Code Injection TG OS Commanding TG Buffer overflow Incubated vulnerability HTTP Splitting/Smuggling
  • 18. Proposed v4 list: let’s discuss it (3) Data Encryption? Application did not use encryption Weak SSL/TSL Ciphers, Insufficient Transport Layer Protection Cacheable HTTPS Response Cache directives insecure Insecure Cryptographic Storage only SCR guide T10 2010: new TG Sensitive information sent via unencrypted channels XML interpreter? Weak XML Structure XML content-level WS HTTP GET parameters/REST WS Naughty SOAP attachments WS Replay Testing Client side? DOM XSS TG Cross Site Flashing TG ClickHijacking new TG
  • 19. Proposed v4 news from Pavol - add new opensource testing tools that appeared during last 3 years (and are missing in the OWASP Testing Guide v3) - add few useful and life-scenarios of possible vulnerabilities in Bussiness Logic Testing (many testers have no idea what vulnerabilities in Business Logic exactly mean) - "Brute force testing" of "session ID" is missing in "Session Management Testing", describe other tools for Session ID entropy analysis (e.g. Stompy) - in "Data Validation Testing" describe some basic obfuscation methods for malicious code injection including the statements how it is possible to detect it (web application obfuscation is quite succesfull in bypassing many data validation controls) - split the phase Logout and Browser Cache Management" into two sections
  • 20. Roadmap • Review all the control numbers to adhere to the OWASP Common numbering, • Review all the sections in v3, • Create a more readable guide, eliminating some sections that are not really useful, • Insert new testing techniques: HTTP Verb tampering, HTTP Parameter Pollutions, etc., • Rationalize some sections as Session Management Testing, • Create a new section: Client side security and Firefox extensions testing?