APPSEC2013 OWASP Testing Guide v4 Alpha
Presenting the OWASP Testing Guide v4 ALPHA
Andrew Muller, Matteo Meucci
About Me
• Andrew works with ISO and OWASP developing security testing standards and guides. Director at Ionize.
• Matteo has led the OTG Project from version 2. CEO at Minded Security.
Hosted by OWASP & the NYC Chapter
Agenda
• What is the OTG?
• History of the OTG
• Moving from version 3 to version 4
• Version 4 roadmap
V4: Index
1. Frontispiece
2. Introduction
3. The OWASP Testing Framework
4. Web Application Penetration Testing
5. Writing Reports: value the real risk
Appendix A: Testing Tools
Appendix B: Suggested Reading
Appendix C: Fuzz Vectors
Appendix D: Encoded Injection
V4 Alpha
The OTG is referenced by:
• NIST SP800-115 "Technical Guide to Information Security Testing and Assessment"
• Gary McGraw (CTO Cigital): "In my opinion it is the strongest piece of Intellectual Property in the OWASP portfolio" (OWASP Podcast by Jim Manico)
• NSA's "Guidelines for Implementation of REST"
• Official (ISC)2 Guide to the CSSLP, pages 70 and 365
• Many books, blogs and websites
Key benefits
• OWASP Testing Guide is driven by our Community
• It's aligned with the other OWASP guides:
  • Development Guide
  • Code Review Guide
  • OpenSAMM
  • Common Numbering Project
• Accepted testing methodology:
  • Relevant
  • Repeatable
  • Rigorous
Testing Guide History
January 2004 – "The OWASP Testing Guide", Version 1.0
July 14, 2004 – "OWASP Web Application Penetration Checklist", Version 1.1
December 25, 2006 – "OWASP Testing Guide", Version 2.0
December 16, 2008 – "OWASP Testing Guide", Version 3.0
2014 – "OWASP Testing Guide", Version 4.0
2011 Roadmap
• Review all the control numbers to adhere to the OWASP Common Numbering
• Review all the sections in v3
• Create a more readable guide, eliminating some sections that are not really useful
• Insert new testing techniques: HTTP Verb tampering, HTTP Parameter Pollution, etc.
• Rationalize some sections, such as Session Management Testing
• Create a new section: Client side security and Firefox extensions testing?
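The two new test techniques named in the roadmap, HTTP verb tampering and HTTP Parameter Pollution, are illustrated below with an added example that is not code from the Testing Guide or from the OTG project. The application is a constructed toy: the `/admin` path, the `admin-token` credential and the verb list are assumptions chosen for the demonstration. The vulnerable app scopes its access check to GET and POST while serving every other verb with the same handler (the classic shape of a servlet `<security-constraint>` with explicit `<http-method>` entries); the hardened app checks credentials before looking at the verb and rejects verbs outside its allow-list. The HPP part parses one query string the three ways back-ends commonly do and shows when a filter that reads one view can be bypassed by an application that acts on another.

```python
"""Added example, not code from the OWASP Testing Guide: an in-process model of
HTTP verb tampering and HTTP parameter pollution (HPP) tests against a toy app.
'/admin', 'admin-token' and the verb list are illustrative assumptions."""
from urllib.parse import parse_qsl

ADMIN_TOKEN = "Bearer admin-token"  # assumed credential for the constructed toy app


def vulnerable_app(method, path, headers, query=""):
    """Toy app with a method-scoped access check. Returns (status, body).

    Only GET and POST are covered by the credential check, but the dispatcher
    serves every other verb with the same handler, so an unauthenticated HEAD,
    PUT, DELETE or made-up verb reaches the admin page.
    """
    if path != "/admin":
        return 404, "not found"
    if method in {"GET", "POST"} and headers.get("Authorization") != ADMIN_TOKEN:
        return 403, "forbidden"
    return 200, "admin panel"


def hardened_app(method, path, headers, query=""):
    """Same app: the credential check runs before the verb is considered, and
    the resource carries an explicit allow-list of verbs."""
    if path != "/admin":
        return 404, "not found"
    if headers.get("Authorization") != ADMIN_TOKEN:
        return 403, "forbidden"
    if method not in {"GET", "POST"}:
        return 405, "method not allowed"
    return 200, "admin panel"


VERBS = ("GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE", "FOO")


def probe_verbs(app, path, verbs=VERBS):
    """Verb tampering test: replay the request unauthenticated under each verb
    (including a non-standard one) and report those that return 2xx.
    An empty list means the access control held for every verb tried."""
    return [v for v in verbs if 200 <= app(v, path, {}, "")[0] < 300]


def hpp_views(query):
    """HPP test: parse one query string the three ways back-ends commonly do
    (first occurrence wins, last occurrence wins, all values kept)."""
    pairs = parse_qsl(query, keep_blank_values=True)
    first, last, every = {}, {}, {}
    for k, v in pairs:
        first.setdefault(k, v)
        last[k] = v
        every.setdefault(k, []).append(v)
    return {"first": first, "last": last, "all": every}


def hpp_filter_bypass(query, forbidden_value, filter_view="first",
                      app_view="last", param="id"):
    """True when a front-end filter reading one view would let the request
    through while the application, reading another view, acts on the
    forbidden value. That gap is what a duplicated parameter exploits."""
    views = hpp_views(query)
    seen_by_filter = views[filter_view].get(param)
    used_by_app = views[app_view].get(param)
    return seen_by_filter != forbidden_value and used_by_app == forbidden_value


if __name__ == "__main__":
    print("vulnerable app, verbs that bypass auth:", probe_verbs(vulnerable_app, "/admin"))
    print("hardened app, verbs that bypass auth:  ", probe_verbs(hardened_app, "/admin"))
    print(hpp_views("id=1&id=2&id=3"))
    print("filter=first, app=last, id=1&id=999 ->", hpp_filter_bypass("id=1&id=999", "999"))
```

Against a real target the same probe is a loop over verbs with the authentication header removed, comparing status codes and response lengths; a 2xx on HEAD or on an unknown verb where GET returns 403 is the finding. For HPP, send the duplicated parameter and observe which occurrence the application honours, then compare with what any intermediate filter or WAF inspects.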
OWASP TG Complexity
[Chart: number of pages (0 to 600) per version, V1, V1.1, V2, V3 and V4]
V3 vs. V4 Chapters
Sections covered in the comparison:
• Information Gathering
• Configuration Management
• Identity Management
• Authentication Testing
• Authorization Testing
• Session Management Testing
• Data Validation Testing
• Error Handling
• Cryptography Testing
• Logging Testing
• Denial of Service
• Web Service Testing
• Client Side Testing
V4 Authors
Amro Alolaqi, Alexander Antukh, Alexander Vavousis, Anant Shrivastava, Andrew Muller, Babu Arokiadas, Ben Walther, Cecil Su, Christian Heinrich, Clerkendweller, David Fern, Davide Danelon, Denis Vinny, Eduardo Castellanos, Eoin Keary, Ismael Rocha Goncalves, Jeff Williams, John Abraham, Juan Galiana, Juan Manuel Bahamonde, Kevin Johnson, Luca Carettoni, Matteo Meucci, Pavol Luptak, Rick Mitchell, Rob Barnes, Robert Winkel, Ryan Dewhurst, Simone Onofri, Stefano Di Paola, Thomas Kalamaris, Tom Eston
2013 Roadmap
• We are at the final stage of the new version
• 1st deadline for a first draft of the articles: 30th November 2013
• 15th December: final deadline for writing the articles
• 15th January: 1st review
• End of January: Beta version (we hope! Good luck boys! Welcome to hell!)
Future Improvements
• Managing contributions via GitHub
• Split the Guide into Application, Web Service, and Mobile Testing Guides
• Jack Mannino has started the Mobile Testing Project: https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Security_Testing
Questions?
http://www.owasp.org/index.php/OWASP_Testing_Project
Andrew Muller: [email protected], @Andrew__Muller
Matteo Meucci: [email protected], @matteo_meucci