[Owasp-testing] OWASP Testing Guide V3 - Index Brainstorming - "Spidering and Googling"
kevin.horvath at gmail.com
Fri May 9 21:06:46 EDT 2008
I think this would be a good idea. There are books written on how to
do Google Hacking so having its own section would be ideal.
Additionally I would like to see the business logic testing section
more detailed. Such as requiring at least two different accounts at
each privilege level so that you can test horizontal escalation and
not just vertical and give examples of how this can be done (i.e.
changing parameter id=8001 to id=8000 within a POST request).
On Thu, May 8, 2008 at 2:22 AM, <christian.heinrich at cmlh.id.au> wrote:
> To follow on from my recent presentation at the OWASP Conference in
> Australia, can I recommend that the "Spidering and Googling" section of the
> OWASP Testing Guide V2 be split into two sections i.e. "Spiders, Robots and
> Crawlers" (before) and "Search Engine Discovery/Reconnaissance" (after) for
> the OWASP Testing Guide V3?
> The reason for this is two fold:
> 1. "Spiders, Robots and Crawlers" is a separate process (e.g. recursively
> indexing directories outside of robots.txt) and "Googlebot" is dependant on
> this technology, hence it would provide a better flow into the "Search
> Engine Discovery/Reconnaissance" section, which is why I listed it as
> "(before)" "Search Engine Discovery/Reconnaissance" in the above paragraph.
> 2. The renaming of "Googling" to "Search Engine Discovery/Reconnaissance"
> would allow for the inclusion of other search engines, such as Live, Yahoo!,
> etc. Obviously there would be sub-sections under this addressing the
> nuances of each search engine.
> Please let me know your thoughts or suggestions?
> Christian Heinrich
> OWASP Individual Member
> Sydney, Australia Chapter
> Owasp-testing mailing list
> Owasp-testing at lists.owasp.org
More information about the Owasp-testing