[Owasp-testing] Brainstorming about the new Index

Mark Roxberry mark.roxberry at mpi.us.com
Wed Oct 11 21:43:42 EDT 2006


In terms of a purely Penetration testing framework viewpoint -

Unit Testing can be very useful in the Discovery phase (Plan, Discover, Attack,
Report) - I can use a tool like JAD, .NET Reflector, et al to decompile a web
app - function by function.  Then using JUnit or NUnit or any other testing
suite, automate the unit test per function and fuzz for vulnerabilities.  That,
to me, is an appropriate penetration testing exercise.

About hybrid attacks,  I've heard of contests where the cracker who used the
most types of attacks won.  For example, here's a bunch of different attacks in
a session:  breach a firewall, arp poison a router, buffer overflow a server,
rootkit the server, sniff the network, steal userids and passwords, send
e-mails from within the mail network, and on and on.  It's the antithesis to
risk analysis and layering defense ;)  It would be helpful to identify patterns
- not sure if I've seen any public work on Web attack patterns.

Mark





Mark Roxberry, CISSP, CEH
Principal Architect

Meridian Pact Incorporated
www.mpi.us.com
Phone: (800) 241-1560
Fax: (800) 241-1560




-----Original Message-----
From: Ariel Waissbein [mailto:wata.34mt at coresecurity.com] 
Sent: Wednesday, October 11, 2006 6:02 PM
To: Eoin Keary
Cc: stephen at corsaire.com; mark.roxberry at mpi.us.com;
owasp-testing at lists.owasp.org
Subject: Re: [Owasp-testing] Brainstorming about the new Index

Hi all,

my first post and 2 cents here:

I guess we should make a difference between the techniques of unit
testing and the results of UT. Even if UT can be used to... e.g.,
discover BO or SQL-injection vulns.

Although, I noticed that there is an Appendix for fuzzing which is
another technique for discovering (some) vulnerabilities.


A new question: imagine the following situation: The pen tester
discovers a SQL-injection vulnerability in a webapp he is auditing. This
vuln. allows him to store some javascript in the Db and therefore
perpetrate an XSS attack (incubated) on the users of this webapp.  My
question is where do we describe these attacks? (I think they are
important enough to be included somewhere.)

Cheers,
Ariel

Eoin Keary wrote:
> Hi,
> 
> Question:
> Do we want to get into Unit Testing and SDLC methodology in this guide?
> I thought they would be more suited to Andrew's dev guide or the code
> review project.
> Unit testing is related to testing small blocks of a system
> individually and hence a development phase done prior to system and
> integration testing.
> The Guide currently focuses on penetration testing which is "After the
> Fact" testing and not really done until the system is developed.
> 
> What y'all think?
> 
> Eoin
> 




