[OWASP-TESTING] Comment on testing guide and contrib for part 2
mauro_bregolin at yahoo.com
Thu Jul 29 16:09:12 EDT 2004
[I'm posting from a different address since my
address mauro.bregolin at tiscali.it was rejected as
its SMTP server was in the "Spamcop RBL"...
guess I should change provider]
Hi to all,
I'm one of the relatively recently added folks who
have yet to contribute (needless to say, I was hit by
Murphy's law and swamped by work as soon as I
subscribed to the list...)
Now, feeling guilty:
1. Comments on testing guide
I found the guide a bit unbalanced.
I think there are different assumptions when you write
something addressed both to the case where you have control
over the software development life cycle and to the case
where you test something already developed by others.
In the first case, testing is a part of the development
process and is under control. You should have
documentation about requirements, architecture/design,
code, etc.; your test cases should have been prepared
according to established test plans in order to verify
adherence to requirements (including security).
Now, talking about things like "software development
life cycle", "threat models", "code reviews", etc. is
risky because there are tons of books which do this.
I'm not saying it's wrong, but it's difficult to do it
without being too naive, or simplistic.
For example, UML is one of the prominent (if not
modeling methodology in use nowadays, but it's not the
It's difficult to summarize good testing practices
in a few pages, when others have written piles of books
on the subject.
Things are perhaps a bit simpler with grey/black box
testing, where not much information is available, or
even with white box testing when performed
afterwards by external people (in the sense that only
available documentation is considered; you are somehow
constrained by what others have written/produced).
Just my 2c on the topic...
2. Contribution for part 2
I was wondering if you deem of interest inserting in
part two some "case studies".
With this I mean real-life situations worthy of being
Personally I have one related to SQL Injection, which
is in my opinion good to show the dangers lying in
seemingly minimal exposures.
Briefly stated, I found several examples (all at
prominent organizations!) of SQL injection
vulnerabilities in authentication-related forms which
unfortunately granted no output to control where to
"union" data fetched from the DBMS via the injected
query. Moreover, the DBMS involved (DB2, Oracle) do not
allow fancy things like statement concatenation, nor
the invocation of a plethora of stored procedures like
MS SQL Server does.
The only available indication regarding the injection
was a binary condition, essentially whether the query
produced an empty versus a non-empty result set.
Admittedly, not much, but enough to fetch data at
I coded a little java application to automate the
process of submitting injected requests (may provide
the code as well if that's considered helpful),
with the result of:
a) automatically determining database schema
information (table, columns, datatypes etc.),
b) fetching data at will - compatibly with the DBMS
In two cases determining the schema allowed to spot a
table where credentials were stored - in clear, which
allowed to grab them and access the service with
Needless to say, clients were quite impressed when they
Let me know what you think...
>-- Original Message --
>Date: Wed, 28 Jul 2004 20:05:32 -0700
>From: owasp-testing-request at lists.sourceforge.net
>Subject: owasp-testing digest, Vol 1 #247 - 1 msg
>Reply-to: owasp-testing at lists.sourceforge.net
>To: owasp-testing at lists.sourceforge.net
>Date: Wed, 28 Jul 2004 21:53:47 -0400
>From: "Mark Curphey"
>Subject: [OWASP-TESTING] Part 1 Update and Session Token Testing Request
>Can someone please send me the great work (I forget who did it) on black box testing session management / session tokens? I would like to add it as an Appendix to Part 1 as an example of what will be coming in
>I spent time today reworking the main chapters about inspections, code review, threat modeling and pen testing). This was because when we read through it as a whole document after the tech editor had his wicked way, some sections were just far too detailed for this document. They will all be able to be re-purposed for Part 2 so it's certainly not lost work.
>Larry and I will be updating Chapter 2 and the final tomorrow and we hope to then have a final draft for you all to review by the end of the week.
>Finally we may be able to release this next week!
>PS What is the status of Part 2? Who is working on what? Is there a "table of contents"?
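The SQL injection case study in Mauro's post above rests on one observation: a login query built by string concatenation leaks one bit per request (empty versus non-empty result set) even when the DBMS forbids stacked statements. The following is an added example, not code from the post or from the OWASP project; it uses an in-memory SQLite table as a stand-in for the DB2/Oracle back ends, with constructed user rows, and shows the concatenated query beside its parameterized replacement.

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for the real credential table
    (names and rows are assumptions, not taken from the original post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    """String-concatenated query. The caller learns only whether a row came
    back: exactly the empty/non-empty signal described in the post, which is
    enough for an attacker to evaluate arbitrary conditions one bit at a
    time, with no stacked statements or stored procedures needed."""
    sql = ("SELECT 1 FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    """Bound parameters: the inputs are passed as data, so a quote or
    comment marker in them cannot alter the structure of the query."""
    sql = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def condition_changes_outcome(login, conn, condition):
    """Check whether attaching a boolean condition to the password field
    flips the login result. For the vulnerable query the answer tracks the
    truth of `condition`; for the safe query it is always False, because the
    unknown user 'nobody' simply never matches."""
    tampered = "x' OR (" + condition + ") --"
    return login(conn, "nobody", tampered)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, true condition :", condition_changes_outcome(login_vulnerable, db, "1=1"))
    print("vulnerable, false condition:", condition_changes_outcome(login_vulnerable, db, "1=2"))
    print("safe, true condition       :", condition_changes_outcome(login_safe, db, "1=1"))
    print("safe, real credentials     :", login_safe(db, "alice", "s3cret"))
```

The only defensive change is in `login_safe`: the query text is fixed and the untrusted values travel as parameters, so the one-bit oracle disappears regardless of which DBMS features are available.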