[OWASP-TESTING] the owasp testing project1 - pre-rel-mbr.doc

Javier Fernandez-Sanguino jfernandez at germinus.com
Thu Nov 18 05:35:37 EST 2004


Curphey, Mark wrote:
>  <<the owasp testing project1 - pre-rel-mbr.doc>> I made a few minor
> changes with tracking on. The only one worth note is I tried to align
> the notion of policy, process, people and technology to people, process
> and technology as it seems to be a widely accepted concept and to add an
> additional thing didn't seem smart. 
> 

Looks good, as for your note about Nessus & Nikto:

Nikto is just a CGI scanner; it does have some modules that are able to 
do some black box testing of web servers (not really applications), 
which is 1/3 of the things that AppScan/ScanDo do (which also do CGI 
scanning for server flaws, maybe with an updated database, and do user 
identification and dictionary attacks).

Nessus does include some modules (developed by DDI, IIRC) to detect 
specific web server flaws as well as to do web crawling and extract 
applications & parameters from a website. Check out
http://cgi.nessus.org/plugins/dump.php3?family=CGI%20abuses
(some are app specific, some are generic, for example, some of the XSS 
stuff). It might include an AVDL interpreter in the future (but I 
don't know if anyone is working on it) (BTW, what happened to VulnXML?)

Maybe I should have added Internet Scanner to the Commercial list as 
well, but I didn't feel they needed any free advertisement :-)

> So are we happy with this doc ? I think it's great and truly a great
> basis to start the long work of "How do you implement this idea". Massive
> amounts to do. 

I'm happy with the document.


> I really think a Wiki may be the best way to get small
> incremental content such as how do I code review for SQL Injection or
> how do I test X....

Yes, that might be a good way to get that content developed...

Regards

Javier
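The "web crawling and extract applications & parameters" step that the message attributes to the Nessus CGI-abuses plugins, as an added example that is not part of the thread and is not code from Nessus or Nikto. It walks one HTML page and records each same-site URL path together with the parameter names it takes, from both query strings and form fields, which is the inventory a black-box application test starts from. The page content, the base URL and the `ParamExtractor`/`extract_targets` names are all assumptions made up for this example.

```python
"""Inventory application entry points and their parameters from an HTML page.

Added example for the thread; not code from Nessus, Nikto or the OWASP
testing project.  SAMPLE_HTML and the base URL below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse, parse_qsl


class ParamExtractor(HTMLParser):
    """Collects (method, absolute path) -> set of parameter names."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.site = urlparse(base_url).netloc
        self.targets = {}
        self._form = None  # (method, action, [names]) while inside a <form>

    def _record(self, method, url, names):
        self.targets.setdefault((method.upper(), url), set()).update(names)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            parsed = urlparse(urljoin(self.base_url, a["href"]))
            if parsed.netloc != self.site:
                return  # off-site link: out of scope for this application
            path = parsed._replace(query="", fragment="").geturl()
            names = [k for k, _ in parse_qsl(parsed.query, keep_blank_values=True)]
            if names:  # a link without parameters is not an injection point
                self._record("GET", path, names)
        elif tag == "form":
            # A form without an action submits back to the current page.
            action = urljoin(self.base_url, a.get("action") or self.base_url)
            self._form = (a.get("method") or "get", action, [])
        elif tag in ("input", "select", "textarea") and self._form is not None:
            if a.get("name"):  # unnamed controls (e.g. submit buttons) send nothing
                self._form[2].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            method, action, names = self._form
            self._record(method, action, names)
            self._form = None


def extract_targets(html, base_url):
    """Return {(METHOD, url): sorted parameter names} for one page."""
    p = ParamExtractor(base_url)
    p.feed(html)
    p.close()
    return {key: sorted(names) for key, names in p.targets.items()}


# Constructed sample page: one parameterised link, one off-site link,
# one plain link, a POST login form and an action-less GET form.
SAMPLE_HTML = """
<html><body>
<a href="/search.cgi?q=test&page=1">search</a>
<a href="http://other.example/x?id=1">offsite</a>
<a href="about.html">about</a>
<form action="/login.cgi" method="post">
  <input name="user"><input name="pass" type="password">
  <input type="submit" value="Go">
</form>
<form>
  <input name="comment">
</form>
</body></html>
"""

BASE_URL = "http://example.test/app/index.html"  # assumed, for the demo

if __name__ == "__main__":
    for (method, url), names in sorted(extract_targets(SAMPLE_HTML, BASE_URL).items()):
        print(f"{method:4} {url}  params={names}")
```

On the sample page this yields three entry points: GET /search.cgi with q and page, POST /login.cgi with user and pass, and a GET back to the page itself with comment; the off-site link and the parameter-less about.html link are dropped. A real crawler would feed every discovered same-site URL back into this extractor until no new paths appear; the per-page step is what the output of the Nessus plugins described above would look like.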