[Owasp-testing] Brainstorming about the new Index

Vicente Aguilera vaguilera at isecauditors.com
Tue Oct 10 10:17:58 EDT 2006

Hi all,

I believe that we might use the already existing work realized in other
projects (as the Threat Classification, WASC). Of this way, we might
include the above mentioned threats and, in addition, to use a standard

The problem is that we do not have too much time, so I propose the
following changes:

In the section "4.3 Business logic testing", I would add:
- Abuse of Functionality
- Insufficient Process Validation

In the section "4.6 Data Validation Testing", I would classify XSS's
- Stored
- Reflected

I would create a new point "4.6.3 Command Execution" that would include
the following ones:
- ORM Injection
- LDAP Injection
- XML Injection
- SSI Injection
- XPath Injection
- SQL Injection
- IMAP/SMTP Injection
- Code Injection
- OS Commanding 

In the section "4.8 Infrastructure and configuration Testing" I would
create a point:
- Information disclosure
about this aspects:
- Directory indexing
- Information leakage
- Path Traversal
- Predictable Resource Location

What does seem to you?

-- Vicente Aguilera

Matteo Meucci escribió:
> Hi all,
> What do you think about the new Index?
> http://www.owasp.org/index.php/OWASP_Testing_Guide_v2_Table_of_Contents
> 1) Look at the doc "OWASPTesting_PhaseOne"
> (http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=62285)
> IMHO I think we have to insert the Chaper 2" Principle of testing" ,
> Chapter 3 "Testing techniques explained" and "The OWASP Testing
> Framework" as first chapter of this guide.
> 2) I'd like to rename Chapter 4 from "Manual testing techniques" to
> "Web Application Penetration Testing".
> 3) In accordance with Alberto Revelli, we think to create a new
> template for Chapter 4:
> 1 Short Description of the Issue
> 2 How to Test
>     2.1 Black Box testing and example
>     2.2 White Box testing and example
> 3 References
>     Whitepapers
>     Tools
> What do you think about that? More, may be we have to rename White Box
> in Gray box, so it is clear the difference between penetration testing
> (Black and Gray Box) and Code Review (White Box) that is a different
> OWASP Project.
> What are your feed back?
> Thanks,
> Mat

More information about the Owasp-testing mailing list