[OWASP-TESTING] Next stage

Victor Chapela victor at sm4rt.com
Wed Jun 22 12:22:37 EDT 2005


Hi Dan,

No problem covering the points you mention. In fact, as you say, this may
turn out to be a very large section if I include all that I have on SQL
Injection. I would nevertheless add to what you suggest:
- Ways to determine DB engine type
- Oracle and DB2 injection
- IDS evasion
- Some checklist to determine injection type and risk level

What do you think I should NOT include?
- For example: I think it should NOT be a SQL injection course for
beginners, but more of a specific, incremental and step-by-step methodology
to get to understand the query, privileges and capabilities to assess the
potential risk. I think it should assume SQL and database-specific working
knowledge.

There is also some overlap with fuzzing, code review (for the whitebox part)
and encryption. How will we coordinate our efforts so that we don't end up
writing similar things several times?

-Victor 

> -----Original Message-----
> From: Daniel Cuthbert [mailto:daniel.cuthbert at owasp.org] 
> Sent: Tuesday, June 21, 2005 8:45 AM
> To: Victor Chapela
> Cc: owasp-testing at lists.sourceforge.net
> Subject: Re: [OWASP-TESTING] Next stage
> 
> Thanks Victor
> 
> SQL injection is an interesting one as the section is
> potentially huge. Would you mind making sure that the
> following are covered if possible?
> 
> - standard sql injection
> - stored procedure injection with sql 2000
> - blind sql injection
> - mysql/postgres injection
> - mitigating circumstances
> 
> 
> On 21 Jun 2005, at 12:50, Victor Chapela wrote:
> 
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Hi Dan,
> >
> > I have attached my name to all the SQL Injection related sections. I
> > can add the most value in these sections given my personal research.
> > I could help with other parts if needed (like other kinds of
> > injection), let me know.
> >
> > Best regards,
> > Victor
> >
> >
> >> -----Original Message-----
> >> From: owasp-testing-admin at lists.sourceforge.net
> >> [mailto:owasp-testing-admin at lists.sourceforge.net] On Behalf Of 
> >> Daniel Cuthbert
> >> Sent: Tuesday, June 21, 2005 4:05 AM
> >> To: owasp-testing at lists.sourceforge.net
> >> Subject: [OWASP-TESTING] Next stage
> >>
> >> Morning all,
> >>
> >> Sorry for the short break in the testing guide progress, the real 
> >> world caught up with me.
> >> Attached are the documents needed for the next part of the guide, and
> >> they are:
> >>
> >> Testing Guide II Structure.doc
> >>
> >> This is the final TOC as we agreed and next to each section, there is
> >> the option to add your name and your e-mail address (i.e. you will be
> >> writing this section)
> >>
> >> template1.htm
> >>
> >> If you could structure all your submissions using this template (you
> >> can use any format you like, word/text/xml, as long as I can read it
> >> on a mac!)
> >>
> >> Guidelines for creating sections:
> >>
> >> - DO NOT DO A STRAIGHT COPY FROM ANY OTHER SOURCES ON THE WEB!
> >> Plagiarism won't be accepted.
> >> This testing guide should reflect the experience you all have in
> >> application testing. One of the benefits of OWASP is that the wealth
> >> of experience from the contributors enables the reader to understand
> >> the section they are reading, as it is presented in a well-structured
> >> format, which unlike a large amount of research papers on the web
> >> today, isn't normally the case.
> >>
> >> - Try and use examples where possible and also let other
> >> "non-security" individuals read what you have written. This ensures
> >> that it makes sense to everyone and not just the hardcore penetration
> >> testers out there.
> >>
> >> - I understand everyone has a life and work commitments, so please 
> >> don't select loads of sections if you know you may not be able to 
> >> commit to them in the end run.
> >>
> >> - Contact me if you have any issues during this next phase
> >>
> >>
> >> I think we should aim to have all the sections written by mid August,
> >> how does this sound for everyone?
> >>
> >> Obviously if you feel there is a section missing from the TOC, by all
> >> means contact me
> >>
> >> Look forward to seeing the work coming in
> >>
> >> Daniel Cuthbert
> >>
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: PGP 8.1
> >
> > iQA/AwUBQrf/IL6TmquzxiX9EQIwGgCff2FwSkMwAHtkVa9FE3nIBvwAHz0AoPvf
> > i69Wf8656wb/YhxRCf9VExJd
> > =OKq+
> > -----END PGP SIGNATURE-----
> >
> >
> > <Testing_Guide_II_structure.doc>
> >
> 
> 




