[OWASP-TESTING] Next stage
varunuppal81 at gmail.com
Sat Jun 25 04:23:51 EDT 2005
Could I take up the section on buffer overflows, i.e. heap, stack and
format? I can also help out with the code review part of buffer
On 6/24/05, Stephen Venter <stephen.venter at gmail.com> wrote:
> Hi Dan
> Before you re-publish this document with the following statement in it:
> "Token storage? (If not marked as 'secure' a cookie will be stored on
> hard disk)"
> Please can you change it, as it is NOT correct - which I tried to
> explain before:
> The storage / caching of cookies & http content can be influenced by
> the "Max-Age=" attribute of the "Set-Cookie:" header, or the
> "Pragma:", "Expires:" and "Cache-Control:" headers (for caching
> proxies) - it is NOT affected by the "secure" attribute of the
> "Set-Cookie:" header [which is intended to stop a end-user client from
> sending a cookie value over HTTP, i.e. unencrypted].
> Refer to:
> - 4.2.2 Set-Cookie Syntax
> - 4.2.3 Controlling Caching
> - 10.1.2 Expires and Max-Age
> - 10.2 Caching and HTTP/1.0
> Also, reference should be made to other RFCs, like:
> Perhaps I could be involved in / run with the "Token storage" section
> of the testing guide. Perhaps I should also put my name down for the
> "Improper use of cache control directives" section.
> I would also like to offer assistance with other sections, like SQL &
> XSS injection sections, Parameter analysis, Bypassing logon process,
> and Parameter Manipulation sections like HTTP header manipulation and
> URL parameters.
> On 6/21/05, Daniel Cuthbert <daniel.cuthbert at owasp.org> wrote:
> > Morning all,
> > Sorry for the short break in the testing guide progress, the real
> > world caught up with me.
> > Attached are the documents needed for the next part of the guide, and
> > they are:
> > Testing Guide II Structure.doc
> > This is the final TOC as we agreed and next to each section, there is
> > the option to add your name and your e-mail address (i.e. you will be
> > writing this section)
> > template1.htm
> > If you could structure all your submissions using this template (you
> > can use any format you like, word/text/xml, as long as I can read it
> > on a mac!)
> > Guidelines for creating sections:
> > - DO NOT DO A STRAIGHT COPY FROM ANY OTHER SOURCES ON THE WEB!
> > Plagiarism won't be accepted.
> > This testing guide should reflect the experience you all have in
> > application testing. One of the benefits of OWASP is that the wealth
> > of experience from the contributors enables the reader to understand
> > the section they are reading, as it is presented in a well structured
> > format, which unlike a large amount of research papers on the web
> > today, isn't normally the case.
> > - Try to use examples where possible and also let other "non-
> > security" individuals read what you have written. This ensures that
> > it makes sense to everyone and not just the hardcore penetration
> > testers out there.
> > - I understand everyone has a life and work commitments, so please
> > don't select loads of sections if you know you may not be able to
> > commit to them in the end run.
> > - Contact me if you have any issues during this next phase
> > I think we should aim to have all the sections written by mid August,
> > how does this sound for everyone?
> > Obviously if you feel there is a section missing from the TOC, by all
> > means contact me
> > Look forward to seeing the work coming in
> > Daniel Cuthbert
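The distinction Stephen draws above (Max-Age/Expires decide whether a cookie is written to the on-disk cookie store, Cache-Control/Expires decide whether a proxy may cache the response, and Secure only stops the browser sending the cookie over plain HTTP) is the kind of check a "Token storage" section would ask the tester to perform. The following is an added example written for this page, not code from the OWASP Testing Guide or from any poster in the thread. It parses a list of response headers and reports each token-storage and caching finding separately; the sample response and cookie values are constructed, and the finding wording is my own.

```python
"""Token-storage and cache-control check over HTTP response headers.

Added illustration for this page (not OWASP Testing Guide code).  Whether a
cookie persists is governed by Max-Age/Expires; whether a proxy may cache the
response by Cache-Control (HTTP/1.1) and Expires (HTTP/1.0); the Secure
attribute only restricts transmission to HTTPS.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, value, attrs).  Attribute names
    are case-insensitive, so they are lowercased; flags like Secure map to True."""
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), cookie_value, attrs


def _parse_http_date(text):
    """RFC 1123 date -> aware datetime; None if unparseable (treated as past)."""
    try:
        parsed = parsedate_to_datetime(text)
    except (TypeError, ValueError):
        return None
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def classify_cookie(value, now=None):
    """Describe how a client treats the cookie.  persistent is True when
    Max-Age (preferred) or a future Expires gives it a lifetime, i.e. it goes
    to the on-disk cookie store; with neither it is an in-memory session
    cookie.  Max-Age=0 or a past Expires deletes it.  secure is independent."""
    now = now or datetime.now(timezone.utc)
    name, _, attrs = parse_set_cookie(value)
    persistent = False
    if "max-age" in attrs:
        raw = attrs["max-age"]  # a bare "Max-Age" flag or negative value is not a lifetime
        persistent = isinstance(raw, str) and raw.isdigit() and int(raw) > 0
    elif "expires" in attrs:
        expires = _parse_http_date(attrs["expires"]) if isinstance(attrs["expires"], str) else None
        persistent = expires is not None and expires > now
    return {"name": name, "persistent": persistent,
            "secure": "secure" in attrs, "httponly": "httponly" in attrs}


def cache_findings(headers, now=None):
    """Check the directives that actually govern proxy caching of the response."""
    now = now or datetime.now(timezone.utc)
    values = lambda n: [v for k, v in headers if k.lower() == n]
    directives = set()
    for v in values("cache-control"):
        directives |= {d.strip().split("=")[0].lower() for d in v.split(",") if d.strip()}
    findings = []
    if not directives & {"no-store", "private"}:
        findings.append("no Cache-Control: no-store/private; a shared cache may store the response")
    expires = values("expires")
    if not expires:
        findings.append("no Expires header; HTTP/1.0 caches ignore Cache-Control and may store the response")
    else:
        exp = _parse_http_date(expires[0])  # unparseable (e.g. "0") counts as already expired
        if exp is not None and exp > now:
            findings.append("Expires is in the future; HTTP/1.0 caches may store the response")
    return findings


def review_response(headers, now=None):
    """Run both checks over (name, value) header pairs; one finding string per issue."""
    findings = []
    for k, v in headers:
        if k.lower() == "set-cookie":
            c = classify_cookie(v, now)
            if c["persistent"]:
                findings.append(f"cookie {c['name']} is written to disk (Max-Age/Expires set)")
            if not c["secure"]:
                findings.append(f"cookie {c['name']} may be sent over plain HTTP (no Secure)")
    findings.extend(cache_findings(headers, now))
    return findings


# Constructed sample: a login response whose token is marked Secure but also
# given a one-year lifetime, so it lands on disk in spite of Secure.
SAMPLE_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "SESSIONID=7f3a9c21; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "authtoken=0a1b2c3d; Path=/; Secure; Max-Age=31536000"),
    ("Cache-Control", "private"),
]

if __name__ == "__main__":
    for finding in review_response(SAMPLE_RESPONSE):
        print(finding)
```

Running it against the constructed response reports the authtoken cookie as persistent (the session cookie, also Secure, is not), and flags the missing Expires header for HTTP/1.0 caches while accepting Cache-Control: private for HTTP/1.1 ones; the Secure attribute plays no part in either result.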