OWASP / wstg

The Web Security Testing Guide is a comprehensive Open Source guide to testing the security of web applications and web services.
https://owasp.org/www-project-web-security-testing-guide/
Creative Commons Attribution Share Alike 4.0 International

Hackerone and Bugcrowd Links #535

Open ThunderSon opened 4 years ago

ThunderSon commented 4 years ago

What would you like to happen? What do you think about adding to every test scenario possible bug bounty reports that are relevant and provide value. One example would be for file upload XSS since we are updating it: https://hackerone.com/reports/880099

CC: @rbsec @kingthorin

kingthorin commented 4 years ago

I'd be good with that, any reference source seems fine/logical to me.

rbsec commented 4 years ago

I could see some value in giving some references to examples of the issue, but I think it'd need to be carefully curated. The examples would have to be well written (both in terms of technical content and style), and should be relatively straightforward examples of the issues. While it's interesting to link to really obscure or clever vulnerabilities, it's probably not very useful for most readers. A straightforward but well written example of SQL injection is much more useful than a really clever blind SQLi through a field in an Excel spreadsheet, for example.

I think it would also be good to expand it past just bug bounty reports - there are lots of really good technical writeups of vulnerabilities that are not reported on those sites. However, you'd need to make sure that people don't just use it as a way to try and show off their posts or push traffic to their sites.

I'm not sure what you'd call the section. "Vulnerability Examples"? "Example Vulnerability Writeups"?

Edit: it might also be worth reviewing the interactions between the reporters and staff as well. For example, asking "why i got low bounty for this report ?" doesn't set a great example of how to disclose things...

ThunderSon commented 4 years ago

I will provide more input on this in the coming days, hopefully with an action plan.

ThunderSon commented 4 years ago

So 3 main things to handle:

patrickceg commented 4 years ago

"Vulnerability Writeups" works (since a lot of these may not be formal reports), although the term doesn't show that these are real-world examples to someone reading the guide for the first time.

ThunderSon commented 4 years ago

@victoriadrake What do you think about this?

victoriadrake commented 4 years ago

Thanks for the tag @ThunderSon!

By taking on the curation of write ups, we should be aware that we’ll be spending as much time reviewing them for quality and accuracy as we might spend on WSTG contributions. We also can’t control the external content if it is later changed or updated.

I would suggest we take on a “push” approach rather than a “pull” approach to this. If we happen to come across stellar examples of reports, we can link them; but we should not seek out less-than-stellar reports for the purpose of filling this section on every page. I think that would cheapen the effort.

To agree with and codify what @rbsec stated, I would suggest that we accept reports or articles if they are:

As to the title, I suggest “Real-World Examples” as a term that a reader would scan the page for if they were looking for what we’re suggesting.

Phrases like “Vulnerability Writeups” are familiar to bug bounty hunters but less so to business leaders, while @patrickceg is correct that “case study” can indicate quite a different animal from your typical infosec report.

patrickceg commented 4 years ago

I think another criterion can be:

A tester or test team lead who finds the WSTG is going to want to know how they can explain (to the boss) spending resources to build and maintain the test.

victoriadrake commented 4 years ago

@patrickceg I’d list that as a nice-to-have rather than required. While they’re important considerations, I don’t know that business impact is in scope for the WSTG.

patrickceg commented 4 years ago

Will WSTG have any other way to let someone know which test to start with or to make high priority? (example: Issue #171 )

kingthorin commented 4 years ago

IMHO prioritization will depend on tasks outside the Testing Guide, such as: Threat Modelling or Risk Assessment.

github-actions[bot] commented 3 years ago

Please comment if you are still working on this issue, as it has been inactive for 30 days. To give everyone a chance to contribute, we are releasing it to new contributors.


github-actions[bot] commented 3 years ago

Please comment if you are still working on this issue, as it has been inactive for 90 days. To give everyone a chance to contribute, we are releasing it to new contributors.
