[OWASP-TESTING] Peer Review!

Dan Cuthbert dan at idsec.com
Thu Dec 5 15:50:40 EST 2002


not at all, it adds to it

will send out the combined version early next week for everyone to let me know if it's on track


* David Endler (DEndler at iDefense.com) wrote:
> Thanks Mads!
> 
> Dan C., does this duplicate/add to the list of tools you were working on?
> 
> -dave
> 
> > -----Original Message-----
> > From: Mads Rasmussen [mailto:mads at opencs.com.br]
> > Sent: Thursday, December 05, 2002 2:44 PM
> > To: David Endler
> > Cc: owasp-testing at lists.sourceforge.net
> > Subject: RES: [OWASP-TESTING] Peer Review!
> > 
> > 
> > 
> > Hi David,
> > 
> > Here is a text for a description of our toolbag for testing web
> > applications, it still needs improvement
> > 
> > I will send it again included in the OpenOffice document as an appendix; I
> > have some figures for the methodology as well, maybe tomorrow :)
> > 
> > Mads
> > 
> > --
> > Appendix II - Toolbag 
> > 
> > 1 - Test Tools
> > The following items are part of the toolbag for tests of web
> > applications. New tools can be added depending on needs according to the
> > toolbag updating methodology.
> > The items are divided into references, company, tool and whether the
> > license is commercial.
> > 1.1. Assessment tools
> > These tools are used to map the architecture of the application to be
> > tested as well as its environment, scanning the hierarchy of available
> > resources at the web server, examining the contents, returning and
> > reporting where problems might be.
> > Virtual users could be used to simulate use of the site.
> > Some tools listed will suggest solutions to encountered 
> > vulnerabilities.
> > 1.1.1.  AtStake        WAP Assessment Tool
> > 1.1.2.  AtStake        WebProxy
> > 1.1.3.  ISECOM         AssTool
> > 1.1.4.  OSSTM          Metis
> > 1.1.5.  eEye           Retina (commercial)
> > 1.1.6.  ParaSoft       WebKing Box Testing (commercial)
> > 1.2. Fuzzing
> > These tools are used to realize attacks based on variations in requests
> > (random data).
> > 1.2.1.  AtStake        Fuzzer
> > 1.2.2.  AtStake        Fuzzer Server
> > 1.3. Authentication
> > Dictionary attacks + variations and brute force at logins and passwords.
> > 1.3.1.  OpenSource            Brutus
> > 1.3.2.  Immunity Security    SPIKE
> > 1.4. Cookie and HTTP Manipulation
> > Man in the middle attacks modifying the messages sent between the client
> > and the server.
> > 1.4.1.  Paessler       IE Booster (commercial)
> > 1.4.2.  AtStake        Achilles
> > 1.5. CGI Tests
> > 1.5.1.  OpenSource            Nessus (CGI module)
> > 1.5.2.  OpenSource            Whisker
> > 1.6. Stress Tests
> > Discover pages that load slowly and where high traffic problems are
> > encountered.
> > 1.6.1.  Paessler       WebStress (commercial)
> > 1.6.2.  ParaSoft       WebKing Load Testing
> >  
> > 1.7. Code Analysis
> > These tools are used to identify bad programming techniques in various
> > languages (such as Java, C/C++, Perl, PHP, Python etc.) in case of white box
> > testing.
> > In case of black/gray box testing, the functionality of the application
> > is tested based on random inputs, pre- and post-conditions, verification
> > of time limited values, the format of input, buffer overflows, TOCTOU
> > (Time of Check, Time of Use), race conditions etc.
> > 1.7.1.  AtStake                  Feszer
> > 1.7.2.  David Wheeler         FlawFinder
> > 1.7.3.  Reliable Software     ITS4
> > 1.7.4.  ISECOM                  Rats
> > 1.7.5.  University Virginia     Splint
> > 1.7.6.  Parasoft                 JTest/C++Test
> > 1.7.7.  Gerald Combs          Ethereal
> > 1.7.8.  DeCafe Software      DeCafe
> > 1.8. Session Auditing
> > 1.8.1.  iDefense                 Session Auditor
> > 1.8.2.                           SPIKE
> > 1.9. J2EE
> > 1.9.1.  AdventNet                QEngine
> > 1.10. Tools for Training
> > These tools are used for training the skills needed to attack web
> > application as well as to test new tools.
> > 
> > 1.10.1.         OWASP         WebGoat
> > 1.10.2.         OWASP         WebMaven Buggy Bank
> > 
> > --
> > 
> > Mads Rasmussen
> > Open Communications Security
> > +55(11)3345-2525
> > 
> > 
> > > -----Original Message-----
> > > From: David Endler [mailto:DEndler at iDefense.com]
> > > Sent: Tuesday, 3 December 2002 15:52
> > > To: 'owasp-testing at lists.sourceforge.net'
> > > Subject: [OWASP-TESTING] Peer Review!
> > > 
> > > OK folks, here it is, the latest and greatest version of the OWASP Testing
> > > Methodology: http://www.owasp.org/testing/TestingPeerReview0.6.sxw .
> > > 
> > > Please take some time to rip into it and get me your document copy with
> > > edits by Monday December 9th.  No section is out of bounds, please feel
> > > free to add, delete, or modify content, structure, graphics, and
> > > style/grammar.
> > > 
> > > To edit this document, download OpenOffice from
> > > http://www.openoffice.org/dev_docs/source/download.html
> > > Make sure you enter your name in the installation for editing purposes.
> > > After you open the document, please click on
> > > 
> > > Edit->Changes->Record and
> > > Edit->Changes->Show
> > > 
> > > and edit away! Thanks again for your efforts and contributions so far to
> > > this project.  There are many people in industry anxiously awaiting our
> > > first cut at this, believe it or not, and there has become a small buzz
> > > surrounding this project.  This document is also going to be well
> > > integrated with the webgoat project so that real live examples of
> > > testing techniques can be illustrated.  Please make the effort to provide
> > > meaningful feedback and edits by Monday, thanks.  Please email me with any
> > > questions or technical difficulties.
> > > 
> > > -dave
> > > 
> > > 
> > > 
> > > _______________________________________________
> > > owasp-testing mailing list
> > > owasp-testing at lists.sourceforge.net
> > > https://lists.sourceforge.net/lists/listinfo/owasp-testing
> > 
> 
> 