[Owasp-testing] OWASP Testing Guide v2: Status report 3rd Dec

Matteo Meucci matteo.meucci at gmail.com
Sun Dec 3 16:29:14 EST 2006


Hey all,
here is the progress status of the OWASP Testing Guide.

1) Articles
************
Thanks to our OWASP Chair, we now have a Foreword by Jeff Williams.

The Testing Guide comprises 74 articles:
* 60 articles are completed (81%)
* 14 articles need a last effort to be completed (19%)

2) Review
************
At the moment chapter 4.9 needs to be reviewed.

3) Progress Status of the Guide
*************************************

Foreword

1. Frontispiece (ok)

2. Introduction (ok)

3. The OWASP Testing Framework (ok)

4. Web Application Penetration Testing

4.1 Introduction and objectives (ok)

4.2 Information Gathering
4.2.3 Spidering and googling (60%, Tom Brennan, Tom Ryan)
4.2.5.2 DB Listener Testing (60%, Eoin Keary, Matteo Meucci)
4.2.6 Application configuration management testing (90%)

4.3 Business logic testing  (ok)

4.4 Authentication Testing (ok)

4.5 Session Management Testing
4.5.5 HTTP Exploit (0%, Arian J. Evans); Alberto Revelli is writing it.

4.6 Data Validation Testing
4.6.2.1 Stored procedure injection (40%, Gary Burns)
4.6.10 OS Commanding (70%, Gary Burns)
4.6.12 Incubated vulnerability testing (95%, Ariel Waissbein, Laura Nuñez)

4.7 Denial of Service Testing (ok)

4.8 Web Services Testing (ok)

4.9 AJAX Testing (70%, Dan Cornell, Giorgio Fedon, Stefano Di Paola)
4.9.1 Vulnerabilities (90%, Anush Shetty)
4.9.2 How to test (60%)

5. Writing Reports: value the real risk
5.1 How to value the real risk (90%, Daniel Cuthbert, Matteo Meucci,
Sebastien Deleersnyder, Marco Morana)
5.2 How to write the report of the testing (Daniel Cuthbert, Tom Brennan)

Appendix A: Testing Tools

Appendix B: Suggested Reading (80%)

Appendix C: Fuzz Vectors (80%)


Thanks,
Mat


-- 
Matteo Meucci
OWASP-Italy Chair, CISSP, CISA
http://www.owasp.org/index.php/Italy
OWASP Testing Guide AoC lead
http://www.owasp.org/index.php/OWASP_Autumn_of_Code_2006_-_Projects:_Testing_Guide

