[OWASP-TESTING] Paper review

zeno zeno at cgisecurity.net
Tue Dec 3 19:54:04 EST 2002


"Regulatory requirements"

You wanted some examples of country regulations. Why don't we mention crypto export limitations?
Great example that should be covered. Maybe something about the bill passed in the 1990's about
illegal export of strong encryption outside the USA bla bla bla .

Moving on (nice graphs BTW :p)

The image looks fine near the Intro to owaps testing methodology. Anyone else object?

Interviewing the stakeholders is a nice touch.

*maybe* have a flowchart containing "Obtaining documentation".
 People like perty easy to understand pictures :)

 Under obtaining source code perhaps mention that gaining sourcecode via blackboxing may be possible.
A simple example could be exploiting a perl script and having it load itself bah.pl?file=../bah.pl.
This can happen with other interprated languages also like ASP, perl, python, etc..
Nothing to talk to much in detail though.

Under preparing tools in that list maybe we should mention something in regards to checking
for permissions of files? File handle monitors seems broad like "I am monitoring what is used" but
doesn't immediatly ring the bell of "should check permissions in regards to local, roaming, and public(everyone) users.

Under listening http ports

You give tips for checking ports 80 and 443. Perhaps mention 8080 since it usually is a proxy port,
or alt webserver port. Perhaps "test for proxy usage" *maybe*

Under server versioning I would include "http banner order, default error pages, max connections, etc..)
I'm actually working on a NICE big detailed paper on fingerprinting webservers. It will cover manually
and Ihope fr it to be rather extensive. (also see whitehatsec.com blahat server fingerprinter tool)

HTTP Server extensions

Also add apache modulkes to this. Seems a little to IIS'ish to me.

HTTP Methods supported

You ask if we should provide examples on each. Obviously it could be helpful. Perhaps include
HEAD, GET, and POST. As much as I'd like to learn more about TRACE this document is a web security paper
and unless we dedicate
alot of time (like lan mapping/cache networks) perhaps we should limit it to the 3 most popular/used methods.

Old, Backup or un-referenced files

Include that smome editors create files like file.txt~ when being edited. Perhaps include a general "editor" reference.

File extension Handling

It mentions http://www.host.com. May want to do http://host/ for legal reasons? Same with rest of document.

Unsafe modules

Everything from SQL access, usernames/passwords to sections of your site, to paths to important files can be obtained both locally, and in some cases(when specifically allowed) remotely.

perhaps make (when specifically allowed, or misconfigured). People don't say "Hey why don't I misconfigure
my machine for people to hack me with".

Page 38

n this example we are going to send a request to a news application which includes data from other file and displays it.

I assume is

"includes data from another file and displays it"

Direct OS commands

Nice use of showing which functions to watch out for. 

I would also perhaps add more flowcharts or something along those lines. Yeah it sounds silly but
when I'm reading a 60+ page document flowcharts are a nice break and re etterate what I just read.
If I'm sounding like a moron just let me know I'm tired :p

- bob

ps: looks good

More information about the Owasp-testing mailing list