[OWASP-TESTING] Timeline for 2nd phase

Matteo Meucci matteo.meucci at gmail.com
Fri Jun 24 06:24:19 EDT 2005


I understand your opinion, but I think it is important:
- to distinguish the Network PT from WebApp PT (or VA):
I think PT is more suitable for the Network level, VA is more suitable
for the Application level.
- to give a document that will be the standard "de facto": if the term
WAVA is more diffused than WAPT, I think we have to choose the first
one.

Mat



On 6/24/05, Daniel Cuthbert <daniel.cuthbert at owasp.org> wrote:
> Here is how the two terms have always been seen in the industry:
> 
> vulnerability assessment -> find the security hole BUT do not exploit
> the hole to prove it's exploitable
> penetration test -> find the security hole and try and exploit/gain
> access as much as possible
> 
> Are we saying that this guide will only give the 1st steps for
> finding the hole, but not how to gain further access into the
> application?
> 
> an example would be:
> 
> input form vulnerable to sql injection
> --> add %27 to determine impact
>   --> add ; exec master..xp_cmdShell 'net user OWASP /add' --
>    --> then execute ; exec master..xp_cmdShell 'net localgroup
> administrators OWASP /add' --
>    --> and then add the user with admin priv's within the db itself
> 
> See, if we are only going to show how to do the 1st step, then how
> would someone actually know if it was possible to exploit the app?
> 
> The problem today is that there are way too many consultants out
> there who are "vulnerability assessors", but actually have no clue on
> how to take the test to the next step
> 
> 
> On 24 Jun 2005, at 10:15, Matteo Meucci wrote:
> 
> > Ok Daniel,
> > I've two questions:
> > 1) The title: "OWASP Guide to Web Application Penetration Testing"
> > Why not: "OWASP Guide to Web Application Vulnerability Assessment"
> > I think "WAVA" is more suitable.
> > 2) Time line: in Italy from 1st August to 15th everything is closed,
> > and also all the people are in vacation...
> >
> > Just my thought.
> > Mat
> >
> >
> > On 6/23/05, Daniel Cuthbert <daniel.cuthbert at owasp.org> wrote:
> >
> >> Thanks to Javier, here is the timeline:
> >>
> >> --------------------------------------------------------
> >> August 1st - first version of the volunteered sections
> >> [ peer review of sections, detection of who is not active, decision
> >> to offer up sections to others if people are overloaded, etc ]
> >>
> >> August 15th - final version of the sections
> >> [ peer review of sections, editorial changes ]
> >>
> >> August 31st - first document draft (all sections put together)
> >>
> >> [ peer review of the document]
> >>
> >> September 30th - final release of section 2
> >> ---------------------------------------------------------------
> >>
> >> You will notice the date of release has been extended, as I know it
> >> will not be done in 2 weeks :0)
> >>
> >> Also.. the name of this guide will become the OWASP Guide to Web
> >> Application Penetration Testing. For us to even try and call it a
> >> testing guide, when in reality it has always been a penetration test
> >> guide, is just mad. We don't, and won't, cover all aspects of web
> >> application testing and this document should represent that.
> >>
> >> I will be sending out an updated structure doc with everyone's
> >> names soon
> >>
> >> Daniel
> >>
> >>
> >>
> >> -------------------------------------------------------
> >> SF.Net email is sponsored by: Discover Easy Linux Migration
> >> Strategies
> >> from IBM. Find simple to follow Roadmaps, straightforward articles,
> >> informative Webcasts and more! Get everything you need to get up to
> >> speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
> >> _______________________________________________
> >> owasp-testing mailing list
> >> owasp-testing at lists.sourceforge.net
> >> https://lists.sourceforge.net/lists/listinfo/owasp-testing
> >>
> >>
> >
> >
> >
> >
> 
> 
> 
>
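The VA-versus-PT distinction Daniel draws above (a lone quote that triggers an error versus a stacked query reaching xp_cmdshell) is also the distinction a defender wants to see in web server logs. The following detection script is an added example, not code from the thread or from the OWASP guide; the log lines are constructed and the Apache-style format is an assumption.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (simplified Apache-style), modelled on the
# probe / exploitation steps discussed in the thread; this is not real traffic.
SAMPLE_LOG = r"""
10.0.0.5 - - [24/Jun/2005:10:15:00 +0000] "GET /search?q=owasp HTTP/1.1" 200 512
10.0.0.5 - - [24/Jun/2005:10:15:03 +0000] "GET /search?q=owasp%27 HTTP/1.1" 500 94
10.0.0.5 - - [24/Jun/2005:10:15:09 +0000] "GET /search?q=owasp%27%3B+exec+master..xp_cmdshell+%27net+user+OWASP+/add%27+-- HTTP/1.1" 500 94
"""

# Pull method, request path and status code out of one log line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# A stacked query reaching the dangerous stored procedure: exploitation, not a probe.
EXPLOIT_RE = re.compile(r";\s*exec\s+master\.\.xp_cmdshell", re.IGNORECASE)
# A lone single quote that flips the response into a server error is the VA-level probe.
PROBE_RE = re.compile(r"'")


def classify_request(path: str, status: str) -> str:
    """Return 'benign', 'probe' or 'exploit' for one URL-encoded request path."""
    decoded = unquote_plus(path)  # decode %27, %3B and '+' before matching
    if EXPLOIT_RE.search(decoded):
        return "exploit"
    if PROBE_RE.search(decoded) and status.startswith("5"):
        return "probe"
    return "benign"


def scan_log(text: str) -> list[tuple[str, str]]:
    """Return (verdict, decoded path) for every request line found in the log."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue  # skip lines that do not carry a request
        path = m.group("path")
        findings.append((classify_request(path, m.group("status")), unquote_plus(path)))
    return findings


if __name__ == "__main__":
    for verdict, path in scan_log(SAMPLE_LOG):
        print(f"{verdict:7s} {path}")
```

Only the escalation step is labelled "exploit"; the error-triggering quote alone is reported as a probe, which is exactly the finding a vulnerability assessment stops at.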