Welcome & OWASP Testing Guide v4

-


Welcome.

This is my first post. I´d like to share with you some of my experience and thoughts about security, mainly (but not limited to) related with web application security.
Here is a place to discuss things related to penetration testing, web security, OWASP, standards, laws, code reviews etc.
Feel free to drop me an email and to comment the posts.
Well, let´s talk about the new version of Owasp Testing Guide.
OWASP Testing Guide is a framework to help people to perform security testing in their applications, especially web applications. It also provides a methodology to risk assessment (e.g. How critical is a XSS flaw in your app?).
The current stable version of the project is the third version from 2008.
Since 2008 a lot of things changed in application security like new issues, new HTTP readers, new techniques and  for sure we need a new version of this guide.
Now the community is working on a new version with some improvements and new testing such as:
        - Testing for Web Service (comprehensive set of tests)
        - Testing for HTML5
        - Testing HTTP Verb Tampering
        - Testing for Content Security Policy Weakness
        - Testing for NoSQL Injection
        - Testing for Clickjacking
The guide is expected to be released in 2013, January.
For more information about the upcoming testing guide you can check OWASP TestingGuide V4 Table of Contents.

Comments

Post a Comment

Popular posts from this blog

The forgotten JBOSS Admin Console and CVE 2010-1871

-
Image
Well, we are in 2013 and It’s amazing how many JBOSS administration interfaces (jmx-console, web-console, invokers etc) are still exposed on the internet, however we are not going to talk about it. A couple of days ago I was performing a penetration testing and I found an environment with JBOSS AS 6. The JMX-Console wasn’t password protected but one console in special attracted my attention: the Admin Console. It seems that this console, I do not know the reason, is kind of forgotten by the security community as an attack vector. The default access credential for this console is admin/admin and it is also built upon a vulnerable version of Seam framework CVE 2010-1871 . This console provides a powerful JBOSS administration allowing a user to check the server’s configuration, to deploy and to delete applications, to read datasources etc. I checked out for the default credential but they were changed. There were other ways to hack this JBOSS but I was quite interes
Read more

Man in the middle attack through a web shell

-
Hello all. Let’s talk today about Man in the middle attack . No, this isn’t a post talking about what it is and how to perform a MITM attack. The proposal of this blog is to share experience with you, then most of the posts (at least until now) are about things that happened in real environments. Recently performing a penetration testing it was possible to get a web shell through a combination of vulnerabilities.   That’s good… a web shell right? But how about to going deep and explore more of the environment? Yes, if you thought about reverse web shell you are right, but, in this case, I couldn’t establish an outbound connection (this is a subject for another post). I did a lot of things in such environment and one of the things done was a MITM attack through a web shell. Let’s go to some important details. First of all, it was a Windows box. There are some tools you can perform a MITM attack on Windows box such as Cain & Abel , but remember, we had a web shell and thi
Read more