[Owasp-testing] Brainstorming about the new Index

Stefano Di Paola wisec at wisec.it
Tue Oct 10 16:04:39 EDT 2006


Hi all,
Some questions & thoughts about the new index:

Where would you think we should introduce
HTTP {request,response} {splitting,smuggling} in the index?
Maybe it could be in a new sub-paragraph in 4.6 Data Validation Testing
as HTTP Headers Injection, or should it be described in 4.6.1.3 HTTP
Methods + XSS?

Moreover, what about WebDAV? Maybe this one could be inserted in this
latter par. 4.6.1.3 HTTP Methods. Or into '4.8 Infrastructure and
configuration Testing'?

What about Session fixation? Of course we should introduce it in 4.5
Session Management Testing, maybe in 4.5.1 Cookie and Session token
Manipulation(reg, forg/brute force).

Then about XSS, let's remember about DOM Injection as XSS of the third kind
(I agree it should be described directly in 4.6.1 Cross site
scripting).

Some other attacks that come to my mind:
DNS Pinning
Domain Contamination
..or maybe these are a kind of 'off topic' in the guide...

Another thought about classification which is maybe a little generic
but... what about creating two big categories like 'Client side' and
'Server side', or is it better to categorize by attack types and not by
attack targets..

Yes I know.. too many questions, but it's brainstorming, right? :)

Regards 
Stefano



On Tue, 2006-10-10 at 16:30 +0200, Matteo Meucci wrote:
> Yes, I'd like to use the same vision of the OWASP Guide, so we can use
> the same terminology and same approach of writing. Answers in line.
> 
> Thanks,
> Mat
> 
> On 10/10/06, Vicente Aguilera <vaguilera at isecauditors.com> wrote:
> > Hi all,
> >
> > I believe that we might use the already existing work realized in other
> > projects (such as the Threat Classification, WASC). In this way, we might
> > include the above mentioned threats and, in addition, use a standard
> > terminology.
> >
> > The problem is that we do not have too much time, so I propose the
> > following changes:
> >
> > In the section "4.3 Business logic testing", I would add:
> > - Abuse of Functionality
> > - Insufficient Process Validation
> 
> Yes, you are right: but you can discuss these items inside the
> paragraph 4.3. Otherwise the index becomes too much longer.
> Could you look at this paragraph as a template?
> https://www.owasp.org/index.php/How_to_perform_cookie_manipulation_test
> 
> > In the section "4.6 Data Validation Testing", I would classify XSS's
> > attacks:
> > - Stored
> > - Reflected
> 
> Right, but the same as said above
> 
> > I would create a new point "4.6.3 Command Execution" that would include
> > the following ones:
> > - ORM Injection
> > - LDAP Injection
> > - XML Injection
> > - SSI Injection
> > - XPath Injection
> > - SQL Injection
> > - IMAP/SMTP Injection
> > - Code Injection
> > - OS Commanding
> 
> Ok, perfect. That is the right direction
> 
> > In the section "4.8 Infrastructure and configuration Testing" I would
> > create a point:
> > - Information disclosure
> > about these aspects:
> > - Directory indexing
> > - Information leakage
> > - Path Traversal
> > - Predictable Resource Location
> 
> I agree, maybe a sub-paragraph "Information disclosure" is fine.
> 
> > What do you think?
> >
> > Regards,
> > -- Vicente Aguilera
> >
> >
> >
> > Matteo Meucci wrote:
> > > Hi all,
> > > What do you think about the new Index?
> > > http://www.owasp.org/index.php/OWASP_Testing_Guide_v2_Table_of_Contents
> > >
> > > 1) Look at the doc "OWASPTesting_PhaseOne"
> > > (http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=62285)
> > > IMHO I think we have to insert Chapter 2 "Principle of testing",
> > > Chapter 3 "Testing techniques explained" and "The OWASP Testing
> > > Framework" as first chapters of this guide.
> > >
> > > 2) I'd like to rename Chapter 4 from "Manual testing techniques" to
> > > "Web Application Penetration Testing".
> > >
> > > 3) In accordance with Alberto Revelli, we are thinking to create a new
> > > template for Chapter 4:
> > > 1 Short Description of the Issue
> > > 2 How to Test
> > >     2.1 Black Box testing and example
> > >     2.2 White Box testing and example
> > > 3 References
> > >     Whitepapers
> > >     Tools
> > > What do you think about that? Moreover, maybe we have to rename White Box
> > > to Gray Box, so it is clear the difference between penetration testing
> > > (Black and Gray Box) and Code Review (White Box), which is a different
> > > OWASP Project.
> > >
> > > What is your feedback?
> > > Thanks,
> > > Mat
> > >
> > >
> > >
> >
> 
> 
-- 
...oOOo...oOOo....
Stefano Di Paola
Software Engineer

Web: www.wisec.it
..................