Matteo Meucci OWASP Testing Guide Lead

The document provides an overview and agenda for the OWASP Testing Guide version 3 project led by Matteo Meucci. It discusses the objectives to improve and update version 2, create a new focused project on web application penetration testing, and describe the OWASP testing methodology. It outlines what's new in version 3, including 36 new articles and expanding the categories from 8 to 10 with a total of 66 controls. The status and future steps are to discuss integration with other guides and improve client side security.

OWASP Testing Guide v3

Matteo Meucci, OWASP Testing Guide Lead


Agenda

• Welcome to the OWASP Testing Guide v3!

• Objectives

• Roadmap to v3

• What’s new?

• Next step
Who am I?

• OWASP
  • OWASP-Italy Chair
  • OWASP Testing Guide Lead

• Work
  • CEO @ Minded Security, Application Security Consulting
  • 7+ years in Information Security, focusing on Application Security
Welcome to the OWASP Testing Guide v3!

• July 14, 2004: "OWASP Web Application Penetration Checklist", Version 1.0

• December 25, 2006: "OWASP Testing Guide", Version 2.0

• November 2008: "OWASP Testing Guide", Version 3.0

http://www.owasp.org/index.php/Category:OWASP_Testing_Project
Objectives

• Improve, update and complete v2

• Create a complete new project focused on Web Application Penetration Testing

• Create a reference for application testing

• Describe the OWASP Testing methodology
Testing Guide Project Roadmap

• 26th April 2008: start the new project
  • OWASP Leaders brainstorming
  • Call for participation: 21 authors (-18!)
  • Index brainstorming
  • Discuss the article content

• 20th May 2008: new draft Index

• 1st June 2008: let's start writing!

• 27th August 2008: started the reviewing phase, 4 reviewers (-16!)

• October 2008: review all the Guide

• End of November 2008: published the Guide! (347 pages, +80!)
Testing Guide v3: Index

1. Frontispiece
2. Introduction
3. The OWASP Testing Framework
4. Web Application Penetration Testing
5. Writing Reports: value the real risk
Appendix A: Testing Tools
Appendix B: Suggested Reading
Appendix C: Fuzz Vectors
Appendix D: Encoded Injection
What’s new?

• V2: 8 sub-categories (for a total amount of 48 controls)
• V3: 10 sub-categories (for a total amount of 66 controls)
• 36 new articles!

V2 sub-categories:
  • Information Gathering
  • Business Logic Testing
  • Authentication Testing
  • Session Management Testing
  • Data Validation Testing
  • Denial of Service Testing
  • Web Services Testing
  • Ajax Testing

V3 sub-categories:
  • Information Gathering
  • Config. Management Testing
  • Business Logic Testing
  • Authentication Testing
  • Authorization Testing
  • Session Management Testing
  • Data Validation Testing
  • Denial of Service Testing
  • Web Services Testing
  • Ajax Testing
  • Encoded Injection Appendix
Testing paragraph template

• Brief Summary
  Describe in "natural language" what we want to test. The target of this section is non-technical people (e.g. a client executive).

• Description of the Issue
  Short description of the issue: topic and explanation.

• Black Box testing and example
  • How to test for vulnerabilities:
  • Result Expected:
  ...

• Gray Box testing and example
  • How to test for vulnerabilities:
  • Result Expected:
  ...

• References
  • Whitepapers
  • Tools
Some new articles

4.1.1 Testing Checklist
4.2.3 Identify application entry points
4.3.3 Infrastructure Configuration Management Testing
4.5.1 Credentials transport over an encrypted channel
4.5.2 Testing for user enumeration
4.5.8 Testing for CAPTCHA
4.5.9 Testing Multiple Factors Authentication
4.6.1 Testing for path traversal
4.6.2 Testing for bypassing authorization schema
4.6.3 Testing for Privilege Escalation
4.7.1 Testing for Session Management Schema
4.7.2 Testing for Cookies attributes
4.8.1 Testing for Reflected Cross Site Scripting
4.8.2 Testing for Stored Cross Site Scripting
4.8.3 Testing for DOM based Cross Site Scripting
4.8.4 Testing for Cross Site Flashing
4.8.5.4 MS Access Testing
4.8.5.5 Testing PostgreSQL (from OWASP BSP)
4.9.1 Testing for SQL Wildcard Attacks
4.10.1 WS Information Gathering
4.10.2 Testing WSDL

(Figure: Checklist PDF)
Status and Future Steps

• Discuss how to integrate the Development, Code Review, Testing and ASDR Guides

(Diagram: Building Guide, Code Review Guide, Testing Guide, Application Security Desk Reference (ASDR))

• Improve Client Side Security

• Let’s talk at the WORKING SESSION!

Thank you!

V3 Authors

Anurag Agarwwal
Kevin Horvath
Matteo Meucci
Daniele Bellucci
Gianrico Ingrosso
Marco Morana
Arian Coronel
Roberto Suggi Liverani
Antonio Parata
Stefano Di Paola
Alex Kuza
Cecil Su
Giorgio Fedon
Pavol Luptak
Harish Skanda Sureddy
Adan Goodman
Ferruh Mavituna
Mark Roxberry
Christian Heinrich
Marco Mella
Andrew Van der Stock

V3 Reviewers

Marco Cova
Kevin Fuller
Nam Nguyen
Questions?

http://www.owasp.org

http://www.owasp.org/index.php/OWASP_Testing_Project

[email protected]