[Owasp-testing] Brainstorming about the new Index

Eoin Keary eoinkeary at hotmail.com
Wed Oct 11 17:13:42 EDT 2006


Hi, Eoin here (got to get rid of this hotmail account, it's so uncool :)

>From: Stefano Di Paola <wisec at wisec.it>
>To: owasp-testing at lists.owasp.org
>Subject: Re: [Owasp-testing] Brainstorming about the new Index
>Date: Tue, 10 Oct 2006 22:04:39 +0200
>
>Hi all,
>Some questions & thoughts about the new index:
>
>Where would you think we should introduce
>HTTP {request,response} {splitting,smuggling} in the index?
>Maybe it could be in a new sub-paragraph of 4.6 Data Validation Testing
>as HTTP Headers Injection, or should it be described in 4.6.1.3 HTTP
>Methods + XSS?
>

Eoin: If you think about it, many, many things could go into the DV section.
It would be best to put it in an HTTP section.

>Moreover, what about WEBDAV? Maybe this one could be inserted in the
>latter par. 4.6.1.3 HTTP Methods, or into '4.8 Infrastructure and
>configuration Testing'?
>

Eoin: WEBDAV, I would say this would also go under HTTP as it is an HTTP
extension.

>What about session fixation? Of course we should introduce it in 4.5
>Session Management Testing, maybe in 4.5.1 Cookie and Session token
>Manipulation (reg, forg/brute force).
>
Eoin: Keep session fixation in session mgt. When the doc is done, depending on
the flow, we may move it.

>Then, about XSS, let's remember DOM injection as XSS of the third kind
>(I agree it should be described directly in 4.6.1 Cross site
>scripting).
>

Eoin: Agreed, keep all the XSS together. It shall be easier to find this 
way. We should think about the book as a reference.

>Some other attacks that come to mind:
>DNS Pinning
>Domain Contamination
>...or maybe these are a kind of 'off topic' for the guide...
>

Eoin: A little off topic, but if required in an explanation, refer to the
Wikipedia definition or some such ref.

>Another thought about classification, which is maybe a little generic,
>but... what about creating two big categories like 'Client side' and
>'server side', or is it better to categorize by attack types and not by
>attack targets?
>

Eoin: Let's go with attack types, but we could tag them in the future as
client or backend.

>Yes I know... too many questions, but it's brainstorming, right? :)
>
>Regards
>Stefano
>
>
>
>On mar, 2006-10-10 at 16:30 +0200, Matteo Meucci wrote:
> > Yes, I'd like to use the same vision as the OWASP Guide, so we can use
> > the same terminology and the same approach to writing. Answers inline.
> >
> > Thanks,
> > Mat
> >
> > On 10/10/06, Vicente Aguilera <vaguilera at isecauditors.com> wrote:
> > > Hi all,
> > >
> > > I believe that we might use the already existing work realized in other
> > > projects (as the Threat Classification, WASC). This way, we might
> > > include the above-mentioned threats and, in addition, use a standard
> > > terminology.
> > >
> > > The problem is that we do not have too much time, so I propose the
> > > following changes:
> > >
> > > In the section "4.3 Business logic testing", I would add:
> > > - Abuse of Functionality
> > > - Insufficient Process Validation
> >
> > Yes, you are right, but you can discuss these items inside
> > paragraph 4.3. Otherwise the index becomes too long.
> > Could you look at this paragraph as a template?
> > https://www.owasp.org/index.php/How_to_perform_cookie_manipulation_test
> >
> > > In the section "4.6 Data Validation Testing", I would classify XSS's
> > > attacks:
> > > - Stored
> > > - Reflected
> >
> > Right, but the same said above
> >
> > > I would create a new point "4.6.3 Command Execution" that would include
> > > the following ones:
> > > - ORM Injection
> > > - LDAP Injection
> > > - XML Injection
> > > - SSI Injection
> > > - XPath Injection
> > > - SQL Injection
> > > - IMAP/SMTP Injection
> > > - Code Injection
> > > - OS Commanding
> >
> > Ok, perfect. That is the right direction
> >
> > > In the section "4.8 Infrastructure and configuration Testing" I would
> > > create a point:
> > > - Information disclosure
> > > about these aspects:
> > > - Directory indexing
> > > - Information leakage
> > > - Path Traversal
> > > - Predictable Resource Location
> >
> > I agree, maybe a sub-paragraph "Information disclosure" is fine.
> >
> > > What do you think?
> > >
> > > Regards,
> > > -- Vicente Aguilera
> > >
> > >
> > >
> > > Matteo Meucci wrote:
> > > > Hi all,
> > > > What do you think about the new Index?
> > > > http://www.owasp.org/index.php/OWASP_Testing_Guide_v2_Table_of_Contents
> > > >
> > > > 1) Look at the doc "OWASPTesting_PhaseOne"
> > > > (http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=62285).
> > > > IMHO I think we have to insert Chapter 2 "Principle of testing",
> > > > Chapter 3 "Testing techniques explained" and "The OWASP Testing
> > > > Framework" as the first chapters of this guide.
> > > >
> > > > 2) I'd like to rename Chapter 4 from "Manual testing techniques" to
> > > > "Web Application Penetration Testing".
> > > >
> > > > 3) In agreement with Alberto Revelli, we are thinking of creating a new
> > > > template for Chapter 4:
> > > > 1 Short Description of the Issue
> > > > 2 How to Test
> > > >     2.1 Black Box testing and example
> > > >     2.2 White Box testing and example
> > > > 3 References
> > > >     Whitepapers
> > > >     Tools
> > > > What do you think about that? Moreover, maybe we have to rename White
> > > > Box to Gray Box, so the difference is clear between penetration testing
> > > > (Black and Gray Box) and Code Review (White Box), which is a different
> > > > OWASP Project.
> > > >
> > > > What is your feedback?
> > > > Thanks,
> > > > Mat
> > > >
> > > >
> > > >
> > >
> >
> >
>--
>...oOOo...oOOo....
>Stefano Di Paola
>Software Engineer
>
>Web: www.wisec.it
>..................
>
>_______________________________________________
>Owasp-testing mailing list
>Owasp-testing at lists.owasp.org
>http://lists.owasp.org/mailman/listinfo/owasp-testing

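The HTTP header injection that the thread discusses filing under an HTTP section (Stefano's "HTTP {request,response} splitting", proposed as "HTTP Headers Injection"), shown as an added example that is not code from this thread or from the OWASP Testing Guide: a redirect builder that copies an already URL-decoded query parameter into the Location header, its hardened form, and a small response parser used as the test oracle. The builder, the parser and the URL-encoded payload are constructed stand-ins for a real framework and a real probe.

```python
# Added example, not code from the OWASP Testing Guide thread: CRLF injection
# into an HTTP header (HTTP response splitting). The builder and parser are
# assumed stand-ins for a real framework; PAYLOAD is a constructed probe.
from urllib.parse import unquote

CRLF = "\r\n"


def build_redirect_unsafe(location: str) -> bytes:
    """Vulnerable pattern: an untrusted, already URL-decoded value is copied
    into the Location header verbatim, so an embedded CR LF terminates the
    header and lets the caller append further headers and a body."""
    return (
        "HTTP/1.1 302 Found" + CRLF
        + "Location: " + location + CRLF
        + "Content-Length: 0" + CRLF
        + CRLF
    ).encode("latin-1")


def build_redirect_safe(location: str) -> bytes:
    """Hardened form: refuse every control character in the header value,
    not just CR and LF (some parsers also fold NUL, VT or FF into a break)."""
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in location):
        raise ValueError("control character in header value")
    return build_redirect_unsafe(location)  # same serialisation, now fed a vetted value


def parse_response(raw: bytes):
    """Minimal HTTP/1.1 response parser: (status line, [(name, value)], body).
    Used here as the test oracle: it shows what a client would actually see."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split(CRLF)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def header_names(raw: bytes) -> list:
    """Header names in the order a client parses them."""
    return [name for name, _ in parse_response(raw)[1]]


# Constructed payload, as an attacker would send it in a redirect parameter
# (e.g. ?next=...): %0d%0a is CR LF. It smuggles a Set-Cookie header (the
# session fixation vector the thread also lists) and a second body.
PAYLOAD = (
    "/home%0d%0aSet-Cookie:%20SESSIONID%3Dattacker"
    "%0d%0aContent-Length:%2021%0d%0a%0d%0a<html>injected</html>"
)


def probe_unsafe(payload: str = PAYLOAD) -> bytes:
    """Simulates a framework that URL-decodes the parameter before building."""
    return build_redirect_unsafe(unquote(payload))


def probe_safe(payload: str = PAYLOAD) -> bool:
    """True when the hardened builder rejects the decoded payload."""
    try:
        build_redirect_safe(unquote(payload))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    status, headers, body = parse_response(probe_unsafe())
    print(status)
    for name, value in headers:
        print(f"  {name}: {value}")
    print("body:", body[:21])
    print("hardened builder rejected payload:", probe_safe())
```

Whether the split lands depends on where decoding happens: the same payload passed to the unsafe builder without URL-decoding produces a single, harmless Location header, which is why the probes above decode first, as most frameworks do for query parameters. When testing a real application, send the encoded form on the wire and inspect the raw response for the extra header rather than trusting the browser's rendering.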