[OWASP-TESTING] Peer Review!

David Endler DEndler at iDefense.com
Thu Dec 5 13:41:27 EST 2002


Thanks Mads!

Dan C., does this duplicate/add to the list of tools you were working on?

-dave

> -----Original Message-----
> From: Mads Rasmussen [mailto:mads at opencs.com.br]
> Sent: Thursday, December 05, 2002 2:44 PM
> To: David Endler
> Cc: owasp-testing at lists.sourceforge.net
> Subject: RES: [OWASP-TESTING] Peer Review!
> 
> 
> 
> Hi David,
> 
> Here is a text for a description of our toolbag for testing web
> applications, it still needs improvement
> 
> I will send it again included in the openOffice document as 
> appendix, I
> have some figures for the methodology as well, maybe tomorrow :)
> 
> Mads
> 
> --
> Appendix II - Toolbag 
> 
> 1 - Test Tools
> The following items are part of the toolbag for tests of web
> applications. New tools can be added depending on needs 
> according to the
> toolbag updating methodology.
> The items are divided into references, company, tool and if 
> the license
> is commercial.
> 1.1. Assessment tools
> These tools are used to map the architecture of the application to be
> tested as well as its environment, scanning the hierarchy of available
> resources at the web server, examining the contents, returning and
> reporting where problems might be.
> Virtual users could be used to to simulate use of the site.
> Some tools listed will suggest solutions to encountered 
> vulnerabilities.
> 1.1.1.  AtStake        WAP Assessment Tool
> 1.1.2.  AtStake        WebProxy
> 1.1.3.  ISECOM        AssTool
> 1.1.4.  OSSTM         Metis
> 1.1.5.  eEye            Retina (comercial)
> 1.1.6.  ParaSoft       WebKing Box Testing (commercial)
> 1.2. Fuzzing
> These tools are used to realize attacks based on variations 
> in requests
> (random data)
> 1.2.1.  AtStake        Fuzzer
> 1.2.2.  AtStake        Fuzzer Server
> 1.3. Authentication
> Dictionary attacks + variations and brute force at logins and 
> passwords
> 1.3.1.  OpenSource            Brutus
> 1.3.2.  Immunity Security    SPIKE
> 1.4. Cookie and HTTP Manipulation
> Man in the middle attacks modifying the messages sent between 
> the client
> and the server
> 1.4.1.  Paessler                 IE Booster (comercial)
> 1.4.2.  AtStake                  Achilles
> 1.5. CGI Tests
> 1.5.1.  OpenSource            Nessus (CGI module)
> 1.5.2.  OpenSource            Whisker
>  1.6. Stress Tests
> Discover pages that loads slowly and where to encounter high traffic
> problems 
>  1.6.1.  Paessler                 WebStress (comercial)
> 1.6.2.  ParaSoft                 WebKing Load Testing
>  
> 1.7.Code Analysis
> These tools are used to identify bad progamming techniques in various
> languages (s.a. Java, C/C++, Perl, PHP, Python etc).in case 
> of white box
> testing.
> In case of Black/Gray box testing, the functionality of the 
> application
> is tested based on random inputs, pre and popst conditions, 
> verification
> of time limited values. The format of input, buffer overflow, TOCTOU
> (Time of Check, Time of Use), race conditions etc.
> 1.7.1.  AtStake                  Feszer
> 1.7.2.  David Wheeler         FlawFinder
> 1.7.3.  Reliable Software     ITS4
> 1.7.4.  ISECOM                  Rats
> 1.7.5.  University Virginia     Splint
> 1.7.6.  Parasoft                 JTest/C++Test
> 1.7.7.  Gerald Combos         Ethereal
> 1.7.8.  DeCafe Software      DeCafe
> 1.8. Session Auditing
>  1.8.1.  iDefense                 Session Auditor
> 1.8.2.                              SPIKE
>  1.9. J2EE
>  1.9.1.  AdventNet              QEngine
>  1.10. Tools for Training
> These tools are used for training the skills needed to attack web
> application as well as to test new tools.
> 
> 1.10.1.         OWASP         WebGoat
> 1.10.2.         OWASP         WebMaven Buggy Bank
> 
> --
> 
> Mads Rasmussen
> Open Communications Security
> +55(11)3345-2525
> 
> 
> > -----Mensagem original-----
> > De: David Endler [mailto:DEndler at iDefense.com]
> > Enviada em: terça-feira, 3 de dezembro de 2002 15:52
> > Para: 'owasp-testing at lists.sourceforge.net'
> > Assunto: [OWASP-TESTING] Peer Review!
> > 
> > OK folks, here it is, the latest and greatest version of the OWASP
> Testing
> > Methodology: http://www.owasp.org/testing/TestingPeerReview0.6.sxw .
> > 
> > Please take some time to rip into it and get me your document copy
> with
> > edits by Monday December 9th.  No section is out of bounds, please
> feel
> > free
> > to add, delete, or modify content, structure, graphics, and
> style/grammar.
> > 
> > To edit this document, download OpenOffice from
> > http://www.openoffice.org/dev_docs/source/download.html
> > Make sure you enter your name in the installation for editing
> purposes.
> > After you open the document, please click on
> > 
> > Edit->Changes->Record and
> > Edit->Changes->Show
> > 
> > and edit away! Thanks again for your efforts and 
> contributions so far
> to
> > this project.  There are many people in industry anxiously awaiting
> our
> > first cut at this, believe it or not, and there has become a small
> buzz
> > surrounding this project.  This document is also going to be well
> > integrated
> > with the webgoat project so that real live examples can be 
> illustrated
> of
> > testing techniques.  Please make the effort to provide meaningful
> feedback
> > and edits by Monday, thanks.  Please email me with any questions or
> > technical difficulties.
> > 
> > -dave
> > 
> > 
> > 
> > -------------------------------------------------------
> > This SF.net email is sponsored by: Microsoft Visual Studio.NET
> > comprehensive development tool, built to increase your
> > productivity. Try a free online hosted session at:
> > http://ads.sourceforge.net/cgi-bin/redirect.pl?micr0003en
> > _______________________________________________
> > owasp-testing mailing list
> > owasp-testing at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/owasp-testing
> 




More information about the Owasp-testing mailing list