-
-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Adding sections (description, impact...) for reports #1006
Comments
The summary contains a description of what IDOR is - but it's aimed at the tester rather than a non-technical manager, because the whole WSTG is intended to be used by testers. And while there could potentially be a less technical version of it added, the high level description you give in a pentest report should explain the issue in the context of the environment - which needs to be bespoke text. It's true that there's no recommendation - many of the other sections in the WSTG have (brief) recommendations, so that one might just be an oversight. Although IDOR issues are often bespoke enough that generic recommendations aren't too useful But what is the CIA impact of IDOR? It could be anything from minor information leakage, to allowing users to steal money on a banking application, to physical destruction and loss of life on a SCADA application. Impact and likelihood can only really be assessed in the context of the application and environment that you're testing - you can't just take generic text and values for them. There's also the problem that there isn't a 1:1 mapping between sections in the WSTG and issues in a report. For example, what would the impact and likelihood be for the Test Payment Functionality page? You could have a dozen or more issues from that section alone, so trying to add all those sections for every possible issue related to the guide wouldn't really work. Ultimately, I think this comes down to a question about the scope of the project (which is more one for @kingthorin and @ThunderSon). There's certainly value to a "common issues" type database (although there's also a lot of problems with it), and it's always slightly irked me how every pentesting company makes their own, with huge duplication of effort. But I'm not sure that would be part of the the Web Security Testing Guide. I wonder if a public common issues/vulnerabilities database would make sense as its own OWASP project? I'm sure that there would be some argument about the format of them, but if your company is interested in open-sourcing their database then I'm sure there would be interest in that from the community. |
I agree that this Web security testing guide might not be the project for such requests, but its the closest I could find, that's why I opened the issue here.
Yes that's true, but the goal is not to provide the perfect description, but rather a template so that less writing is needed, and also to avoid repeating the same vulnerabilty descriptions every time.
I haven't reach out to them with these ideas, therefore I can't share many details, but I'm sure an example won't violate any policy: We have a big spreadsheet with manual-made description, impact, remediation, OWASP ID, CWE and so on. In each row we have each vulnerabilty, and the columns represent said sections (you can see the exact columns belows). One example: OWASP WSTG: WSTG-CONF-04 Editing files may leave automatic backup copies of type .bak, .sav, .old, or ~. The web server does not have by default defined an interpretation for this type of files, so the result is usually either to display their contents or to proceed to download them. In this case, the identified file [EXPLAIN]" IMPACT: REMEDIATION: Additionally, for extra precaution it is recommended to configure the web server to be able to interpret these extensions, so as not to cause the file to be downloaded or the browser to display the contents of the file. File system snapshots should not be accessible via web if the document root is on a file system that uses this technology. Configure your web server to deny access to such directories, for example, in Apache a location directive like this should be used: <Location ~ "".snapshot"">
" RECOMMENDED CVSSv3.1: This project is far from being perfect for various reasons:
However, it is very useful for us. We have a tool that parses the spreadsheet and fills a docx with the information of the spreadsheet. As you can see, some sections contains annotations such as "In this case, [EXPLAIN]", which means that we have to manually write what was it about regarding the context, but at least we skip the general description. I really think that a big spreadsheet like such, maintained by community, is much better than one made internally. |
While I agree that there's arguably a need to simplify or centralize those details I don't think the WSTG is the place for it. |
@kingthorin are you aware of any OWASP (or non-OWASP) projects that this might fit in? Or is it perhaps something that could/should be a new one? |
Hmmm good question(s), I’ll put some thought into that. |
ping @kingthorin @rbsec |
I haven’t been able to come up with another project this fits into. |
I've released the spreasheet with all the vulns here: https://github.com/JulianGR/OWASP_WSTG_ASVS Maybe you want to check it out and see if you can take benefit from it to WSTG or ASVS =) |
Hello,
Context:
I work as a penetration tester and when we finish an audit we have to hand in a report. In such report we aim a lesser technical profile (managers) and a more technical profile (developers or other pentesters). When writing the details of each vulnerability, we are expected to provide a description, impact, exploitation steps, remediation recommendations, references...
The issue:
Here in section 3.2 Finding details, the guide recommends what to report (title, impact, description and so on). However, these sections are not present in the vulnerabilites themselves: taking IDOR as an example, while it's true that there is a summary section, there is no high-level description, no impact, no remediation recommendations and so on.
What I request:
After being in a couple of companies, I can see that each of them uses an internal database with such sections, so that pentesters dont need to write them every single time they report. Could more sections be added?
I can make the work if you let/ want me to. The idea would be to add to each vulnerability at least:
Thanks and keep it up with the amazing kob =)
The text was updated successfully, but these errors were encountered: