[OWASP-TESTING] Editing

Mark Curphey mark at curphey.com
Wed Oct 23 16:26:41 EDT 2002


David et al.,

I am going to spend some time over the next 48 hours to get a revised
draft out for review. I have quite a bit of material sitting in various
places, that I think is missing from this document so far.

I will also change the table of contents quite dramatically. Right now
this doesn't lend itself very well to a structured testing framework
IMHO. I know it's early stages, not being overly critical ;-)

I am proposing to arrange the technical testing into classic webtiers.

WebTier would include sample files, auth (only HTTP not forms), backup
files, http server methods supported, file permissions etc

Application Tier would include the usual suspects of auth, session
management, XSS, parameter tampering, overflows, user account management
systems etc

Data Tier - SQL injection blah blah

The document so far looks like it has quite a bit of supporting
management type material but not a great deal of "nuts and bolts"
testing. It was always intended that that would be the bulk of this
project, how to actually test for things.

There is also some material that I am not sure I think is relevant or is
duplicated. I'll tackle that as well.

Give me 48 hours!


On Wed, 2002-10-23 at 19:48, David Endler wrote:
> Mark et al,
> 
> I think perhaps Noam's section 7.2.4.1 needs some more expansion on how to
> methodically look for XSS (attack tree?) and the potentially common bad
> characters sets to check as well as tools, etc.  The person responsible for
> SQL injection was cut from the project due to non participation, so the
> section is up for grabs (7.2.4.2).  
> 
> Feel free to add to or rewrite these sections  :-)  That's the point of peer
> review.
> 
> -dave
> 
> 
> 
> > -----Original Message-----
> > From: owasp-testing-admin at lists.sourceforge.net
> > [mailto:owasp-testing-admin at lists.sourceforge.net]On Behalf Of Mark
> > Curphey
> > Sent: Wednesday, October 23, 2002 3:04 PM
> > To: owasp-testing at lists.sourceforge.net
> > Subject: [OWASP-TESTING] Editing
> > 
> > 
> > Dave et al.,
> > 
> > I just downloaded the draft from Sourceforge to look at and make some
> > comments / revisions. Maybe it's me but I can't see the sections on how
> > to test for the common problems such as XSS and SQL injection that I
> > thought were going to be core to this document. 
> > 
> > Am I missing a version or should I write them?
> > 
> > 
> > 
> > 
> > 
> > 
> > _______________________________________________
> > owasp-testing mailing list
> > owasp-testing at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/owasp-testing
> > 
> 
> 
> 
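Dave's point above about checking which "bad characters" a page reflects is the nuts-and-bolts kind of test Mark wants in the document. As an added illustration (not code from the draft or from either author), the script below probes one character at a time, wrapped in an assumed unique marker, and classifies each as reflected raw, output-encoded, stripped by a filter, or missing. The three page handlers are constructed stand-ins for a server that echoes a parameter; a real test would send the same probes over HTTP and feed the response bodies to the same classifier.

```python
import html
import re

# Constructed example: characters whose unencoded reflection is what an
# XSS test looks for. One probe per character keeps each result unambiguous.
PROBE_CHARS = ['<', '>', '"', "'", '&', '/', ';', '(', ')']
MARKER = "zq9x"  # assumed unique marker so hits cannot be confused with page text


def classify_reflection(body: str, ch: str, marker: str = MARKER) -> str:
    """Classify how one probed character came back in the response body."""
    if marker + ch + marker in body:
        return "raw"        # reflected verbatim: candidate for XSS
    if marker + marker in body:
        return "stripped"   # a filter deleted the character
    entity = re.escape(marker) + r"&(#x?[0-9a-f]+|[a-z]+);" + re.escape(marker)
    if re.search(entity, body, re.IGNORECASE):
        return "encoded"    # turned into an HTML entity: safe in a text context
    return "missing"        # the marker was not reflected at all


def probe_reflection(handler, chars=PROBE_CHARS, marker=MARKER) -> dict:
    """Send marker+ch+marker through a page handler and classify each result."""
    return {ch: classify_reflection(handler(marker + ch + marker), ch, marker)
            for ch in chars}


def raw_chars(handler, chars=PROBE_CHARS) -> list:
    """Characters the page reflects unencoded, i.e. what a payload could use."""
    return [ch for ch, result in probe_reflection(handler, chars).items()
            if result == "raw"]


# Three constructed stand-ins for a server-side page that echoes a parameter.
def vulnerable_page(q: str) -> str:
    # No output encoding at all
    return f"<html><body><p>Results for {q}</p></body></html>"


def escaped_page(q: str) -> str:
    # Entity-encodes < > & " ' but leaves / ; ( ) alone, which is fine in an
    # HTML text context and not enough inside an attribute or script block
    return f"<html><body><p>Results for {html.escape(q, quote=True)}</p></body></html>"


def blacklist_page(q: str) -> str:
    # A naive filter that only deletes angle brackets
    return vulnerable_page(q.replace("<", "").replace(">", ""))


if __name__ == "__main__":
    for name, page in [("vulnerable", vulnerable_page),
                       ("escaped", escaped_page),
                       ("blacklist", blacklist_page)]:
        print(name, probe_reflection(page))
```

Running it shows the three outcomes side by side: the unencoded page reflects every character raw, the encoding page leaves only `/ ; ( )` raw, and the blacklist page reports `<` and `>` as stripped while quotes and the rest still come back untouched. That last column is the one worth reading carefully, because a filter that removes brackets but leaves quotes says nothing about attribute-context injection.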