[Owasp-testing] Brainstorming about the new Index

Ariel Waissbein wata.34mt at coresecurity.com
Wed Oct 11 18:01:38 EDT 2006


Hi all,

my first post and 2 cents here:

I guess we should make a distinction between the techniques of unit
testing and the results of UT, even if UT can be used to, e.g.,
discover BO or SQL-injection vulns.

Although I noticed that there is an Appendix for fuzzing, which is
another technique for discovering (some) vulnerabilities.


A new question: imagine the following situation: the pen tester
discovers a SQL-injection vulnerability in a webapp he is auditing. This
vuln. allows him to store some JavaScript in the DB and therefore
perpetrate an XSS attack (incubated) on the users of this webapp. My
question is: where do we describe these attacks? (I think they are
important enough to be included somewhere.)

Cheers,
Ariel

Eoin Keary wrote:
> Hi,
> 
> Question:
> Do we want to get into Unit Testing and SDLC methodology in this guide?
> I thought they would be more suited to Andrew's dev guide or the code
> review project.
> Unit testing is related to testing small blocks of a system
> individually and hence is a development phase done prior to system and
> integration testing.
> The Guide currently focuses on penetration testing, which is "After the
> Fact" testing and not really done until the system is developed.
> 
> What y'all think?
> 
> Eoin
> 