[OWASP-TESTING] Timeline for 2nd phase

Daniel Cuthbert daniel.cuthbert at owasp.org
Fri Jun 24 05:25:53 EDT 2005


Here is how the two terms have always been seen in the industry:

vulnerability assessment -> find the security hole BUT do not exploit
the hole to prove it's exploitable
penetration test -> find the security hole and try and exploit/gain  
access as much as possible

Are we saying that this guide will only give the 1st steps for
finding the hole, but not how to gain further access into the
application?

an example would be:

input form vulnerable to sql injection
--> add %27 to determine impact
   --> add ; exec master..xp_cmdShell 'net user OWASP /add' --
    --> then execute ; exec master..xp_cmdShell 'net localgroup administrators OWASP /add' --
    --> and then add the user with admin priv's within the db itself

See, if we are only going to show how to do the 1st step, then how
would someone actually know if it was possible to exploit the app?

The problem today is that there are way too many consultants out
there who are "vulnerability assessors", but actually have no clue on
how to take the test to the next step.


On 24 Jun 2005, at 10:15, Matteo Meucci wrote:

> Ok Daniel,
> I've two questions:
> 1) The title: "OWASP Guide to Web Application Penetration Testing"
> Why not: "OWASP Guide to Web Application Vulnerability Assessment"
> I think "WAVA" is more suitable.
> 2) Timeline: in Italy from 1st August to 15th everything is closed,
> and also all the people are on vacation...
>
> Just my thought.
> Mat
>
>
> On 6/23/05, Daniel Cuthbert <daniel.cuthbert at owasp.org> wrote:
>
>> Thanks to Javier, here is the timeline:
>>
>> --------------------------------------------------------
>> August 1st - first version of the volunteered sections
>> [ peer review of sections, detection of who is not active, decision
>> to offer up sections to others if people are overloaded, etc ]
>>
>> August 15th - final version of the sections
>> [ peer review of sections, editorial changes ]
>>
>> August 31st - first document draft (all sections put together)
>>
>> [ peer review of the document]
>>
>> September 30th - final release of section 2
>> ---------------------------------------------------------------
>>
>> You will notice the date of release has been extended, as I know it
>> will not be done in 2 weeks :0)
>>
>> Also.. the name of this guide will become the OWASP Guide to Web
>> Application Penetration Testing. For us to even try and call it a
>> testing guide, when in reality it has always been a penetration test
>> guide, is just mad. We don't, and won't, cover all aspects of web
>> application testing and this document should represent that.
>>
>> I will be sending out an updated structure doc with everyone's
>> names soon
>>
>> Daniel