OWASP Testing Guide V3 Matteo Meucci OWASP Testing Guide Lead


Agenda
Welcome to the OWASP Testing Guide v3!
Objectives
Roadmap to v3
What's new?
Next steps

Who am I?
OWASP: OWASP-Italy Chair, OWASP Testing Guide Lead
Work: CEO @ Minded Security (Application Security Consulting); 7 years in Information Security, focusing on Application Security

Welcome to the OWASP Testing Guide v3!
July 14, 2004: "OWASP Web Application Penetration Checklist", Version 1.0
December 25, 2006: "OWASP Testing Guide", Version 2.0
November 2008: "OWASP Testing Guide", Version 3.0
http://www.owasp.org/index.php/Category:OWASP_Testing_Project

Objectives
Improve, update and complete v2
Create a complete new project focused on Web Application Penetration Testing
Create a reference for application testing
Describe the OWASP Testing methodology

Testing Guide Project Roadmap
26th April 2008: start of the new project; OWASP Leaders brainstorming; call for participation: 21 authors (-18!); index brainstorming; discussion of the article content
20th May 2008: new draft index
1st June 2008: let's start writing!
27th August 2008: reviewing phase started; 4 reviewers (-16!)
October 2008: review of the whole Guide
End of November 2008: Guide published! (347 pages 80!)

Testing Guide v3: Index
1. Frontispiece
2. Introduction
3. The OWASP Testing Framework
4. Web Application Penetration Testing
5. Writing Reports: value the real risk
Appendix A: Testing Tools
Appendix B: Suggested Reading
Appendix C: Fuzz Vectors
Appendix D: Encoded Injection

What's new?
V2: 8 sub-categories (48 controls in total)
V3: 10 sub-categories (66 controls in total), 36 new articles!

V2 sub-categories:
Information Gathering
Business Logic Testing
Authentication Testing
Session Management Testing
Data Validation Testing
Denial of Service Testing
Web Services Testing
Ajax Testing

V3 sub-categories:
Information Gathering
Configuration Management Testing
Business Logic Testing
Authentication Testing
Authorization Testing
Session Management Testing
Data Validation Testing
Denial of Service Testing
Web Services Testing
Ajax Testing
Encoded Injection Appendix

Testing paragraph template
Brief Summary: describe in "natural language" what we want to test. The target of this section is non-technical people (e.g. a client executive).
Description of the Issue: short description of the issue, topic and explanation.
Black Box testing and example: How to test for vulnerabilities; Result Expected.
Gray Box testing and example: How to test for vulnerabilities; Result Expected.
References: Whitepapers; Tools.

Some new articles
4.1.1 Testing Checklist
4.2.3 Identify application entry points
4.3.3 Infrastructure Configuration Management Testing
4.5.1 Credentials transport over an encrypted channel
4.5.2 Testing for user enumeration
4.5.8 Testing for CAPTCHA
4.5.9 Testing Multiple Factors Authentication
4.6.1 Testing for path traversal
4.6.2 Testing for bypassing authorization schema
4.6.3 Testing for Privilege Escalation
4.7.1 Testing for Session Management Schema
4.7.2 Testing for Cookies attributes
4.8.1 Testing for Reflected Cross Site Scripting
4.8.2 Testing for Stored Cross Site Scripting
4.8.3 Testing for DOM based Cross Site Scripting
4.8.4 Testing for Cross Site Flashing
4.8.5.4 MS Access Testing
4.8.5.5 Testing PostgreSQL (from OWASP BSP)
4.9.1 Testing for SQL Wildcard Attacks
4.10.1 WS Information Gathering
4.10.2 Testing WSDL
Checklist PDF

Status and Future Steps
Discuss how to integrate the Development, Code Review, Testing and ASDR guides: Building Guide, Code Review Guide, Testing Guide, Application Security Desk Reference (ASDR)
Improve Client Side Security
Let's talk at the WORKING SESSION!

Thank you!
V3 Authors: Anurag Agarwwal, Kevin Horvath, Matteo Meucci, Daniele Bellucci, Gianrico Ingrosso, Marco Morana, Arian Coronel, Roberto Suggi Liverani, Antonio Parata, Stefano Di Paola, Alex Kuza, Cecil Su, Giorgio Fedon, Pavol Luptak, Harish Skanda Sureddy, Adan Goodman, Ferruh Mavituna, Mark Roxberry, Christian Heinrich, Marco Mella, Andrew Van der Stock
V3 Reviewers: Marco Cova, Kevin Fuller, Nam Nguyen

Questions?
http://www.owasp.org
http://www.owasp.org/index.php/OWASP_Testing_Project
[email protected]
