[OWASP-TESTING] Editing

David Endler DEndler at iDefense.com
Wed Oct 23 23:36:02 EDT 2002


Mark,

Thanks for the candid feedback, looking forward to the edits.  I agree that
we need more nitty gritty how-to material on how to check for certain
things.  I also noticed that several sections read more like prevention
techniques rather than testing techniques.  I like your proposed formatting
changes, if we can all agree on them I'd like to upload a newer version of
the document for discussion next week.  What is everyone else's initial
impressions and recommendations?

If everyone else hasn't already, please download the openoffice.org text
editor so we can move forward together as a group on this.  It's going to
take a bit of effort to get to a useable document, but we're getting closer.

Looking forward to the feedback,

-dave

p.s. PLEASEEEEE make sure your name is included in the OpenOffice
installation for editing sanity




> -----Original Message-----
> From: owasp-testing-admin at lists.sourceforge.net
> [mailto:owasp-testing-admin at lists.sourceforge.net]On Behalf Of Mark Curphey
> Sent: Wednesday, October 23, 2002 4:27 PM
> To: David Endler
> Cc: 'owasp-testing at lists.sourceforge.net'
> Subject: RE: [OWASP-TESTING] Editing
> 
> 
> David et al.,
> 
> I am going to spend some time over the next 48 hours to get a revised
> draft out for review. I have quite a bit of material sitting in various
> places, that I think is missing from this document so far.
> 
> I will also change the table of contents quite dramatically. Right now
> this doesn't lend itself very well to a structured testing framework
> IMHO. I know it's early stages, not being overly critical ;-)
> 
> I am proposing to arrange the technical testing into classic webtiers.
> 
> WebTier would include sample files, auth (only HTTP not forms), backup
> files, http server methods supported, file permissions etc
> 
> Application Tier would include the usual suspects of auth, session
> management, XSS, parameter tampering, overflows, user account management
> systems etc
> 
> Data Tier - SQL injection blah blah
> 
> The document so far looks like it has quite a bit of supporting
> management type material but not a great deal of "nuts and bolts"
> testing. It was always intended that that would be the bulk of this
> project, how to actually test for things.
> 
> There is also some material that I am not sure I think is relevant or is
> duplicated. I'll tackle that as well.
> 
> Give me 48 hours !
> 
> 
> On Wed, 2002-10-23 at 19:48, David Endler wrote:
> > Mark et al,
> > 
> > I think perhaps Noam's section 7.2.4.1 needs some more expansion on how to
> > methodically look for XSS (attack tree?) and the potentially common bad
> > character sets to check as well as tools, etc.  The person responsible for
> > SQL injection was cut from the project due to non-participation, so the
> > section is up for grabs (7.2.4.2).
> > 
> > Feel free to add to or rewrite these sections :-)  That's the point of peer
> > review.
> > 
> > -dave
> > 
> > 
> > 
> > > -----Original Message-----
> > > From: owasp-testing-admin at lists.sourceforge.net
> > > [mailto:owasp-testing-admin at lists.sourceforge.net]On Behalf Of Mark Curphey
> > > Sent: Wednesday, October 23, 2002 3:04 PM
> > > To: owasp-testing at lists.sourceforge.net
> > > Subject: [OWASP-TESTING] Editing
> > > 
> > > 
> > > Dave et al.
> > > 
> > > I just downloaded the draft from Sourceforge to look at and make some
> > > comments / revisions. Maybe it's me but I can't see the sections on how
> > > to test for the common problems such as XSS and SQL injection that I
> > > thought were going to be core to this document.
> > > 
> > > Am I missing a version or should I write them  ?
> > > 
> > > 
> > > 
> > > 
> > > 
> > > -------------------------------------------------------
> > > This sf.net email is sponsored by: Influence the future 
> > > of Java(TM) technology. Join the Java Community 
> > > Process(SM) (JCP(SM)) program now. 
> > > http://ads.sourceforge.net/cgi-bin/redirect.pl?sunm0002en
> > > 
> > > _______________________________________________
> > > owasp-testing mailing list
> > > owasp-testing at lists.sourceforge.net
> > > https://lists.sourceforge.net/lists/listinfo/owasp-testing
> > > 
> > 
> > 
> > 
> 
> 
> 
> 
> 
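The two concrete checks the thread names, the HTTP methods the web tier advertises and a methodical sweep of XSS "bad characters", worked out as an added Python example. This is not code from the OWASP testing draft or from anyone in the thread; the character set, the risky-method list, the probe marker and the sample search page it runs against are all constructed assumptions for illustration.

```python
"""Two web-tier checks named in the thread: which HTTP methods the server
advertises, and which XSS 'bad characters' come back unencoded.

Added example; the character set, the risky-method list, the probe marker and
the sample page below are constructed for illustration."""
import re
import secrets

# Characters whose unencoded reflection is the precondition for most XSS
# (assumed starting set; extend per target).
XSS_BAD_CHARS = '<>"\'&/;()='

# Methods a production web tier normally should not advertise (assumed list).
RISKY_METHODS = {"PUT", "DELETE", "TRACE", "CONNECT", "PROPFIND", "MKCOL", "COPY", "MOVE"}


def make_probe(bad_chars=XSS_BAD_CHARS, marker=None):
    """Return (marker, probe). Each bad character is wrapped in a random
    alphanumeric marker so it can be located individually in the response
    even after the server encodes or strips it."""
    marker = marker or "xq" + secrets.token_hex(4)
    return marker, "".join(f"{marker}{c}{marker}" for c in bad_chars)


def analyse_reflection(marker, bad_chars, body):
    """Classify each probed character from the response body:
    'reflected' = came back literally (XSS-relevant), 'encoded' = transformed
    (e.g. &lt;), 'stripped' = removed, 'missing' = marker pair not found."""
    pattern = re.compile(re.escape(marker) + r"(.*?)" + re.escape(marker), re.S)
    found = [m.group(1) for m in pattern.finditer(body)]
    verdict = {}
    for i, ch in enumerate(bad_chars):
        got = found[i] if i < len(found) else None
        if got is None:
            verdict[ch] = "missing"
        elif got == ch:
            verdict[ch] = "reflected"
        elif got == "":
            verdict[ch] = "stripped"
        else:
            verdict[ch] = "encoded"
    return verdict


def reflected_chars(verdict):
    """Just the characters that survive unencoded, in probe order."""
    return "".join(ch for ch, state in verdict.items() if state == "reflected")


def risky_methods(headers):
    """Parse the Allow header of an OPTIONS response (dict of header name to
    value) and return the advertised methods that are on the risky list."""
    allow = headers.get("Allow", "")
    advertised = {m.strip().upper() for m in allow.split(",") if m.strip()}
    return sorted(advertised & RISKY_METHODS)


def sample_search_page(q):
    """Constructed stand-in for a vulnerable search page: it encodes angle
    brackets and drops semicolons, but echoes the term inside a double-quoted
    attribute without encoding quotes (so the attribute can be broken out of)."""
    echoed = q.replace("<", "&lt;").replace(">", "&gt;").replace(";", "")
    return f'<html><body><input type="text" value="{echoed}"></body></html>'


if __name__ == "__main__":
    marker, probe = make_probe()
    body = sample_search_page(probe)       # against a live target: GET /search?q=<probe>
    verdict = analyse_reflection(marker, XSS_BAD_CHARS, body)
    for ch, state in verdict.items():
        print(f"{ch!r:5} {state}")
    print("unencoded:", reflected_chars(verdict))
    print("risky methods:", risky_methods({"Allow": "GET, HEAD, OPTIONS, TRACE, PUT"}))
```

Against a real target the body comes from the HTTP response to a request carrying the probe, and the headers from an OPTIONS request; the per-character verdict tells the tester which context (here, a double-quoted attribute) is actually reachable rather than just whether the word "script" was filtered.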



