
Comments (17)

irgoncalves avatar irgoncalves commented on July 18, 2024 2

Hi @kingthorin, please look at this one:
https://www.scip.ch/en/?labs.20160414
If this is accepted, I can write the chapter.

from wstg.

jzold avatar jzold commented on July 18, 2024 2

Thanks @kingthorin, I'll take this one and start working on it on the upcoming weekend.

from wstg.

irgoncalves avatar irgoncalves commented on July 18, 2024 1

Sorry, team. I was hammered lately, but this was still on my radar. @jzold, we could work together next week, or if you come up with something before that, I'll take a look later.

from wstg.

jzold avatar jzold commented on July 18, 2024 1

I'm nearly finished with the first draft version and will PR later this week; I'll update this issue with the link when ready. @irgoncalves please feel free to take a look and let me know your thoughts.

J./

from wstg.

jzold avatar jzold commented on July 18, 2024 1

@irgoncalves please take a look: https://github.com/jzold/OWASP-Testing-Guide-v5/blob/master/document/4%20Web%20Application%20Security%20Testing/4.12%20Client%20Side%20Testing/4.12.13%20Testing%20for%20Cross%20Site%20Script%20Inclusion%20(XSSI)(OTG-CLIENT-013).md. This is WIP and needs quite a bit of formatting to meet the OWASP guidelines, and content-wise it still only scratches the surface. I'll be adding more (testing, remediation, etc.) to this over the course of the weekend, but feel free to take a look and let me know what you think.

@kingthorin I've added XSSI to the client side testing section as a starting point even though XSSI is similar to CSRF/XSS in some aspects. What are your thoughts?

@MatOwasp @kingthorin what are the major milestones and timelines for delivering V5? Considering XSSI (amongst many others) has been outstanding for some time, I want to double check and manage expectations. For XSSI I'm aiming for a final version and PR submitted and ready for review no later than 11th June (Tuesday) next week.

Thanks
J./

from wstg.

ThunderSon avatar ThunderSon commented on July 18, 2024 1

Awesome to hear 😄 Will be awaiting the PR for review!

from wstg.

kingthorin avatar kingthorin commented on July 18, 2024

A good article about it.

@irgoncalves did you have one to suggest as supporting material or something?

from wstg.

kingthorin avatar kingthorin commented on July 18, 2024

@irgoncalves go for it, work on v5 has started.

from wstg.

kingthorin avatar kingthorin commented on July 18, 2024

?

from wstg.

jzold avatar jzold commented on July 18, 2024

Hi,

No activity on this one, @kingthorin @MatOwasp has this been addressed/documented/included in v5 ever since?

from wstg.

kingthorin avatar kingthorin commented on July 18, 2024

I don't see any related content.

from wstg.

kingthorin avatar kingthorin commented on July 18, 2024

I'm all for collaborative efforts!

Maybe @jzold can submit a PR and @irgoncalves can review it and make suggestions?
Or you two could share a gdoc and assemble/review content then one of you submit a PR?
Whatever, thanks for your continued interest and efforts!

from wstg.

irgoncalves avatar irgoncalves commented on July 18, 2024

@jzold @kingthorin, I think it should be in the same section as CSRF, which is Session Management Testing.
@jzold, it looks good to me. I have some extra info to add. So, are you pushing the changes soon so I could also work on it?

from wstg.

ThunderSon avatar ThunderSon commented on July 18, 2024

But XSSI is not only about session management testing. I don't believe in only having XSSI in Session Management Testing.

from wstg.

jzold avatar jzold commented on July 18, 2024

@ThunderSon @irgoncalves classifying could be a tricky one; I also thought about this :). The fact that originally this vulnerability was exploited using browser vulnerabilities (clearly there is a vulnerability on the client side) and also that data is leaked through the browser's / including site's context was the deciding factor for me. This fits quite well into the OWASP client-side definition if I'm trying to be pedantic:

"Client-Side testing is concerned with the execution of code on the client, typically natively within a web browser"

Re CSRF, it's true that XSSI can also result in session management compromise due to auth cookies, tokens, etc. leaking, but the emphasis is not on any kind of session mgmt vulnerability (even though it may exist!).

@irgoncalves I will be submitting this later today, and thanks for the feedback. I agree the testing section (and in fact all sections) need more content; this is only scratching the surface :)

Thanks
J./

from wstg.
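The leak jzold describes above (a cross-site `<script src>` load that carries the victim's ambient session cookie, so whatever the response *executes* becomes visible to the including page even though the bytes themselves are never readable) is shown below as an added Node.js simulation. It is not code from this issue, from the WSTG, or from the linked draft chapter; the endpoints, the session store and the cookie value `sid123` are all constructed for illustration, and `new Function` stands in for the browser executing a script tag.

```javascript
// Added example (not from the WSTG issue or any project): simulating cross site
// script inclusion (XSSI) in Node.js. The "endpoints" are hypothetical
// stand-ins for an authenticated API that an attacker's page loads cross-site
// with <script src=...>.

// Constructed sample session store: cookie value -> per-user data.
const SESSION_DB = {
  sid123: { user: "alice", email: "alice@example.test", csrfToken: "tok-9f1c" },
};

// Anti-XSSI prefix: unparseable as JavaScript, stripped by the legitimate client.
const XSSI_PREFIX = ")]}',\n";

// Simulated browser behaviour for a cross-site <script src> load. Cookies
// marked SameSite=Lax or Strict are not sent on cross-site subresource
// requests; SameSite=None (or legacy) cookies are, which is the XSSI precondition.
function fetchAsScript(endpoint, cookie, sameSite = "None") {
  const attached = sameSite === "None" ? cookie : undefined;
  return endpoint(attached);
}

// Vulnerable endpoint 1: JSONP, user data wrapped in a caller-chosen callback.
// It executes as a plain function call, so the attacker just defines `callback`.
function jsonpEndpoint(cookie, callbackName = "callback") {
  const sess = SESSION_DB[cookie];
  return `${callbackName}(${JSON.stringify(sess ?? null)});`;
}

// Vulnerable endpoint 2: "JavaScript config" style, data assigned to a global.
function globalVarEndpoint(cookie) {
  const sess = SESSION_DB[cookie];
  return `var currentUser = ${JSON.stringify(sess ?? null)};`;
}

// Hardened endpoint: same data, but the prefix makes the body a syntax error
// when included as a script. A same-origin XHR/fetch client strips it first.
function hardenedEndpoint(cookie) {
  const sess = SESSION_DB[cookie];
  return XSSI_PREFIX + JSON.stringify(sess ?? null);
}

// What the legitimate same-origin client does with the hardened response.
function legitimateClientParse(body) {
  if (!body.startsWith(XSSI_PREFIX)) throw new Error("missing anti-XSSI prefix");
  return JSON.parse(body.slice(XSSI_PREFIX.length));
}

// Attacker page, simulated: include the response as a script with a
// `callback` of the attacker's choosing in scope, then harvest anything the
// script passed to the callback or left behind in a global. A syntax error
// means the script never ran, exactly as it would not in a real browser.
function simulateXssi(endpoint, victimCookie, sameSite = "None") {
  const body = fetchAsScript(endpoint, victimCookie, sameSite);
  const leaked = [];
  const callback = (data) => { if (data !== null) leaked.push(data); };
  try {
    const run = new Function(
      "callback",
      body + "\n;return typeof currentUser === 'undefined' ? null : currentUser;"
    );
    const fromGlobal = run(callback);
    if (fromGlobal !== null) leaked.push(fromGlobal);
    return { executed: true, leaked };
  } catch (e) {
    return { executed: false, leaked, error: e.name };
  }
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("JSONP     :", simulateXssi(jsonpEndpoint, "sid123"));
  console.log("global var:", simulateXssi(globalVarEndpoint, "sid123"));
  console.log("hardened  :", simulateXssi(hardenedEndpoint, "sid123"));
  console.log("SameSite  :", simulateXssi(jsonpEndpoint, "sid123", "Lax"));
  console.log("legit     :", legitimateClientParse(hardenedEndpoint("sid123")));
}
```

Run it with `node xssi.js`. The two vulnerable endpoints hand the attacker the user's email and, notably, the CSRF token, which is why the thread keeps circling back to CSRF and session management: the leaked token is what lets the attacker escalate from reading data to forging requests. The hardened endpoint leaks nothing because the script never parses, and the `Lax` run shows the other fix, the browser simply not attaching the cookie to the cross-site load.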

jzold avatar jzold commented on July 18, 2024

PR sent - #66

from wstg.

ThunderSon avatar ThunderSon commented on July 18, 2024

Awesome, thank you!

from wstg.
