[OWASP-TESTING] Paper review

Dan Cuthbert dan at idsec.com
Thu Dec 5 03:39:22 EST 2002


I was going to have a look at it today; is anyone else _really_ good at
the SQL injection side of things, so that we don't duplicate efforts?



On Wed, 2002-12-04 at 21:45, David Endler wrote:
> Good feedback here far as well.  Sounds like you're saying we need more
> pretty pictures to keep people interested ;-)
> 
> On another topic, does anyone feel comfortable making an attempt at SQL
> injection?  
> 
> -dave
> 
> > -----Original Message-----
> > From: owasp-testing-admin at lists.sourceforge.net
> > [mailto:owasp-testing-admin at lists.sourceforge.net]On Behalf Of zeno
> > Sent: Tuesday, December 03, 2002 7:54 PM
> > To: David Endler
> > Cc: 'owasp-testing at lists.sourceforge.net'
> > Subject: [OWASP-TESTING] Paper review
> > 
> > 
> > Hola,
> > 
> > 
> > "Regulatory requirements"
> > 
> > You wanted some examples of country regulations. Why don't we 
> > mention crypto export limitations?
> > Great example that should be covered. Maybe something about 
> > the bill passed in the 1990's about
> > illegal export of strong encryption outside the USA bla bla bla .
> > 
> > 
> > Moving on (nice graphs BTW :p)
> > 
> > The image looks fine near the Intro to owaps testing 
> > methodology. Anyone else object?
> > 
> > Interviewing the stakeholders is a nice touch.
> > 
> > *maybe* have a flowchart containing "Obtaining documentation".
> >  People like pretty, easy to understand pictures :)
> > 
> >  Under obtaining source code perhaps mention that gaining 
> > sourcecode via blackboxing may be possible.
> > A simple example could be exploiting a perl script and having 
> > it load itself bah.pl?file=../bah.pl.
> > This can happen with other interpreted languages also like 
> > ASP, perl, python, etc..
> > Nothing to talk to much in detail though.
> > 
> > Under preparing tools in that list maybe we should mention 
> > something in regards to checking
> > for permissions of files? File handle monitors seems broad 
> > like "I am monitoring what is used" but
> > doesn't immediately ring the bell of "should check permissions 
> > in regards to local, roaming, and public(everyone) users."
> > 
> > Under listening http ports
> > 
> > You give tips for checking ports 80 and 443. Perhaps mention 
> > 8080 since it usually is a proxy port,
> > or alt webserver port. Perhaps "test for proxy usage" *maybe*
> > 
> > Under server versioning I would include "http banner order, 
> > default error pages, max connections, etc..)
> > I'm actually working on a NICE big detailed paper on 
> > fingerprinting webservers. It will cover manually
> > and I hope for it to be rather extensive. (also see 
> > whitehatsec.com blahat server fingerprinter tool)
> > 
> > 
> > HTTP Server extensions
> > 
> > Also add Apache modules to this. Seems a little too IIS'ish to me.
> > 
> > 
> > HTTP Methods supported
> > 
> > You ask if we should provide examples on each. Obviously it 
> > could be helpful. Perhaps include
> > HEAD, GET, and POST. As much as I'd like to learn more about 
> > TRACE this document is a web security paper
> > and unless we dedicate
> > a lot of time (like lan mapping/cache networks) perhaps we 
> > should limit it to the 3 most popular/used methods.
> > 
> > 
> > Old, Backup or un-referenced files
> > 
> > Include that some editors create files like file.txt~ when 
> > being edited. Perhaps include a general "editor" reference.
> > 
> > 
> > File extension Handling
> > 
> > It mentions http://www.host.com. May want to do http://host/
> > for legal reasons? Same with rest of document.
> > 
> > 
> > Unsafe modules
> > 
> > Everything from SQL access, usernames/passwords to sections 
> > of your site, to paths to important files can be obtained 
> > both locally, and in some cases(when specifically allowed) remotely.
> > 
> > perhaps make (when specifically allowed, or misconfigured). 
> > People don't say "Hey why don't I misconfigure
> > my machine for people to hack me with".
> > 
> > 
> > Page 38
> > 
> > In this example we are going to send a request to a news 
> > application which includes data from other file and displays it.
> > 
> > I assume is
> > 
> > "includes data from another file and displays it"
> > 
> > 
> > Direct OS commands
> > 
> > Nice use of showing which functions to watch out for. 
> > 
> > 
> > 
> > I would also perhaps add more flowcharts or something along 
> > those lines. Yeah it sounds silly but
> > when I'm reading a 60+ page document flowcharts are a nice 
> > break and reiterate what I just read.
> > If I'm sounding like a moron just let me know I'm tired :p
> > 
> > - bob
> > 
> > ps: looks good
> > 
> > 
> > 
> > _______________________________________________
> > owasp-testing mailing list
> > owasp-testing at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/owasp-testing
> > 
> 
> 
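Two of the review points above, leftover editor backup files such as file.txt~ under the web root and checking file permissions during tool preparation, are easy to turn into a routine defender-side audit. The script below is an added example written for this page; it is not from the OWASP testing guide draft or from any list member. The backup-file name patterns and the sample directory tree it builds are constructed for the example, and the set of patterns should be extended to match the editors actually used on a given host.

```python
import os
import re
import stat
import tempfile

# Name patterns for editor/backup artifacts that should never ship in a web root.
# This list is constructed for the example; extend it for your editors and tooling.
BACKUP_PATTERNS = [
    re.compile(r".*~$"),                                   # vi/emacs backup: file.txt~
    re.compile(r"^\..*\.swp$"),                            # vim swap file: .file.txt.swp
    re.compile(r"^#.*#$"),                                 # emacs autosave: #file.txt#
    re.compile(r".*\.(bak|old|orig|save|tmp)$", re.IGNORECASE),
]


def is_backup_name(name: str) -> bool:
    """True if a file name looks like an editor backup or temp artifact."""
    return any(p.match(name) for p in BACKUP_PATTERNS)


def audit_webroot(root: str) -> dict:
    """Walk a web root and report two classes of findings:
    - backup_files: leftover backup/temp copies that may expose source or config
    - world_writable: files any local user could modify (mode has the o+w bit)
    Paths are returned relative to root and sorted for stable output."""
    findings = {"backup_files": [], "world_writable": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if is_backup_name(name):
                findings["backup_files"].append(rel)
            mode = os.stat(path).st_mode
            if mode & stat.S_IWOTH:
                findings["world_writable"].append(rel)
    for key in findings:
        findings[key].sort()
    return findings


def build_sample_webroot() -> str:
    """Create a constructed sample tree in a temp dir so the audit runs offline.
    Modes are set explicitly with chmod, so the process umask does not apply."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "inc"))
    samples = {
        "index.html": 0o644,
        "index.html~": 0o644,          # editor backup of a served page
        "inc/config.php": 0o644,
        "inc/config.php.bak": 0o666,   # backup copy of config, also world-writable
        "inc/.config.php.swp": 0o644,  # vim swap file left behind
        "upload.cgi": 0o777,           # world-writable script
    }
    for rel, mode in samples.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    sample_root = build_sample_webroot()
    report = audit_webroot(sample_root)
    for category, paths in report.items():
        print(f"{category}:")
        for p in paths:
            print(f"  {p}")
```

Run it against a real document root instead of the sample tree by calling `audit_webroot("/var/www/html")` (path is illustrative). The permission check only looks at the other-writable bit; the reviewer's point about local, roaming and public users on Windows hosts needs an ACL-aware check, which this POSIX-mode example does not attempt.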




