Permalink
Switch branches/tags
Nothing to show
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
44 lines (37 sloc) 1.67 KB
OWASP Testing Guide v5 Track at the OWASP SUMMIT 2017
-----------------------------------------------------
14-15th June, 2017
TASKS DONE:
---------------------
- Brainstorming regarding the new activities to perform to improve the guide
- Alignment with OWASP guides: Development Guide, Code Review Guide, ASVS, Top10, Testing Checklist, ZAP, Vulnerability list
- Discussion on tools
- Add the list of new tests to the v5
OUTCOME
-----------------
NEW TESTS TO WRITE:
- Server-Side Request Forgery (SSRF)
- Server-side Remote Code Execution (RCE)
- XML External Entity Attacks (XXE)
- Self Based DOM XSS
- Authorization bypass horizontal
- Authorization bypass vertical
- Server-Side Template Injection (SSTI)
- Host Header Attack
- SPARQL Injection
- Testing for Deserialization of untrusted data
- API Abuse
- Testing Content Security Policy V2 (CSP)?
- Testing for SSO?
REVIEW:
- Client Side Testing
- ORM Injection
- Authorization Testing
- Information and Config management testing
- Authentication Testing: add oauth testing
- Reporting: adding how to create security testing case for devs
- https://www.owasp.org/index.php/Test_Local_Storage_(OTG-CLIENT-012) add Client Side SQLi
Two questions for OWASP:
------------------------------------
- TOOLS discussion: in the old version of Testing Guide we cited open source and commercial ones for each type of test to perform that could help during the analysis. Would you like to cite both?
- CWE: many companies are using this standard, but at the moment not all the Testing Guide tests are mapped to a specified CWE. Is it possible to set up a working team with CWE in order to update it with all the tests we describe in the Testing Guide?