Comments (17)
Hi @kingthorin , please, look at this one:
https://www.scip.ch/en/?labs.20160414
If this is accepted, I can write the chapter.
from wstg.
thanks @kingthorin I'll take this one and start working on it on the upcoming weekend
from wstg.
Sorry, team. I was hammered lately but this was still on my radar. @jzold , we could work together in the next week or if you come up with something before I'll take a look later.
from wstg.
I'm nearly finished with the first draft version and PR later this week, I'll update this issue with the link when ready. @irgoncalves please feel free to take a look and let me know your thoughts
J./
from wstg.
@irgoncalves please take a look https://github.com/jzold/OWASP-Testing-Guide-v5/blob/master/document/4%20Web%20Application%20Security%20Testing/4.12%20Client%20Side%20Testing/4.12.13%20Testing%20for%20Cross%20Site%20Script%20Inclusion%20(XSSI)(OTG-CLIENT-013).md. This is WIP and needs quite a bit of formatting to meet the OWASP guidelines, and content-wise it still only scratches the surface. I'll be adding more (testing, remediation, etc.) to this during the course of this weekend, but feel free to take a look and let me know what you think.
@kingthorin I've added XSSI to the client side testing section as a starting point even though XSSI is similar to CSRF/XSS in some aspects. What are your thoughts?
@MatOwasp @kingthorin what are the major milestones and timelines for delivering V5? Considering XSSI (amongst many others) has been outstanding for some time, I want to double check and manage expectations - for XSSI I'm aiming for a final version and PR submitted and ready for review not later than 11th June (Tuesday) next week.
Thanks
J./
from wstg.
Awesome to hear! Will be awaiting the PR for review!
from wstg.
A good article about it.
@irgoncalves did you have one to suggest as supporting material or something?
from wstg.
@irgoncalves go for it, work on v5 has started.
from wstg.
?
from wstg.
Hi,
No activity on this one, @kingthorin @MatOwasp has this been addressed/documented/included in v5 ever since?
from wstg.
I don't see any related content.
from wstg.
I'm all for collaborative efforts!
Maybe @jzold can submit a PR and @irgoncalves can review it and make suggestions?
Or you two could share a gdoc and assemble/review content then one of you submit a PR?
Whatever, thanks for your continued interest and efforts!
from wstg.
@jzold @kingthorin , I think it should be at the same section as CSRF, which is in the Session Management Testing.
@jzold , it looks good to me. I have a few extra info to add. So, are you pushing the changes soon so I could also work on it?
from wstg.
But XSSI is not only about session management testing. I don't believe in only having XSSI in Session Management Testing.
from wstg.
@ThunderSon @irgoncalves classifying could be a tricky one, I also thought about this :) . The fact that originally this vulnerability was exploited using browser vulnerabilities (clearly there is a vulnerability on the client side) and also that data is leaked through the browser's/including site's context was the deciding factor for me. This fits quite well into the OWASP client-side definition if I'm trying to be pedantic:
"Client-Side testing is concerned with the execution of code on the client, typically natively within a web browser"
Re CSRF, it's true that XSSI can also result in session management compromise due to auth cookies, tokens, etc. leaking, but the emphasis is not on any kind of session mgmt vulnerability (even though it may exist!)
@irgoncalves will be submitting this later today and thanks for the feedback, I agree the testing section (and in fact all sections) need more content, this is only scratching the surface :)
Thanks
J./
from wstg.
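Added example, not code from the thread or from the WSTG project: a small Node.js-style JSON endpoint that models the leak path the comment above describes (a data response pulled into another site's context via script inclusion) next to the usual mitigations, an anti-XSSI prefix that turns the body into a JavaScript syntax error and a Fetch Metadata check. Function names and the sample data are assumptions for illustration.

```javascript
// Added example, not code from the WSTG thread or project.
// Models a JSON endpoint that must not leak data via Cross Site Script
// Inclusion (XSSI). Header names are assumed lowercase, as Node's http
// module delivers them; the data is a constructed sample.

// A prefix that is a JavaScript syntax error: a <script src=...> include of
// the response from another site aborts before any value is exposed.
const XSSI_PREFIX = ")]}',\n";

function addXssiPrefix(jsonText) {
  return XSSI_PREFIX + jsonText;
}

// The site's own client strips the prefix before JSON.parse.
function stripXssiPrefix(body) {
  return body.startsWith(XSSI_PREFIX) ? body.slice(XSSI_PREFIX.length) : body;
}

// Fetch Metadata check: the browser says it is loading this URL as a script
// on behalf of another site. Old browsers omit these headers, so this is a
// second layer and the prefix stays the primary control.
function isCrossSiteScriptInclusion(headers) {
  const dest = headers["sec-fetch-dest"];
  const site = headers["sec-fetch-site"];
  return dest === "script" && site !== undefined &&
    site !== "same-origin" && site !== "none";
}

// Would this body run if a browser executed it as a script? Compile only,
// never call: a bare JSON array is a valid JavaScript program, an object
// literal or a prefixed body is not.
function isExecutableAsScript(body) {
  try { new Function(body); return true; } catch (e) { return false; }
}

// Returns the response the endpoint would send for the given request headers.
function handleDataRequest(headers, data) {
  if (isCrossSiteScriptInclusion(headers)) {
    return { status: 403, headers: {}, body: "" };
  }
  return {
    status: 200,
    headers: {
      "content-type": "application/json; charset=utf-8",
      "x-content-type-options": "nosniff", // no sniffing the body as script
      "cache-control": "no-store",
    },
    body: addXssiPrefix(JSON.stringify(data)),
  };
}
```

The unprefixed array response compiles as a script while the prefixed one does not, which is the difference between a leak and a parse error in the including page.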
PR sent - #66
from wstg.
Awesome, thank you!
from wstg.