[Owasp-testing] Brainstorming about the new Index
matteo.meucci at gmail.com
Thu Oct 12 05:51:07 EDT 2006
I think you are right: this paragraph already exists.
4.6 Data Validation Testing 0% TD
4.6.1 Cross site scripting 0% TD
220.127.116.11 Incubated attacks 0% TD
Ariel maybe says that incubated attacks are a combination of SQL Inj
and XSS, but we can reasonably affirm that it is a particular XSS attack.
In the same paragraph we can show an example of how an XSS Inc Attack
works by exploiting an SQL Inj vulnerability.
On 10/12/06, Eoin <eoinkeary at gmail.com> wrote:
> Incubated attacks are important enough to warrant a section under XSS. It is
> another variant of XSS.
> Matteo, what do you think?
> On 11/10/06, Ariel Waissbein <wata.34mt at coresecurity.com> wrote:
> > Hi all,
> > my first post and 2 cents here:
> > I guess we should make a difference between the techniques of unit
> > testing and the results of UT. Even if UT can be used to... e.g.,
> > discover BO or SQL-injection vulns.
> > Although, I noticed that there is an Appendix for fuzzing which is
> > another technique for discovering (some) vulnerabilities.
> > A new question: imagine the following situation: the pen tester
> > discovers a SQL-injection vulnerability in a webapp he is auditing. This
> > perpetrates an XSS attack (incubated) on the users of this webapp. My
> > question is where do we describe these attacks? (I think they are
> > important enough to be included somewhere.)
> > Cheers,
> > Ariel
> > Eoin Keary wrote:
> > > Hi,
> > >
> > > Question:
> > > Do we want to get into Unit Testing and SDLC methodology in this guide?
> > > I thought they would be more suited to Andrew's dev guide or the code
> > > review project.
> > > Unit testing is related to testing small blocks of a system
> > > individually and hence is a development phase done prior to system and
> > > integration testing.
> > > The Guide currently focuses on penetration testing which is "After the
> > > Fact" testing and not really done until the system is developed.
> > >
> > > What y'all think?
> > >
> > > Eoin
> > >
> > _______________________________________________
> > Owasp-testing mailing list
> > Owasp-testing at lists.owasp.org
> > http://lists.owasp.org/mailman/listinfo/owasp-testing
> Eoin Keary OWASP - Ireland
OWASP-Italy Chair, CISSP, CISA
mail: matteo.meucci at owasp.org
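An added illustration of the scenario Ariel and Matteo discuss above (example code written for this page, not from the OWASP Testing Guide): an SQL injection in one input field is used to store script markup that the page later renders to every visitor, beside the parameterized query and output encoding that close both holes. It uses Python's sqlite3 with a constructed payload string.

```python
import html
import sqlite3

# Constructed sample input: an "author" value that closes the intended string
# literal and appends a second row whose body carries script markup.
PAYLOAD_AUTHOR = "mallory', '<script>alert(1)</script>'), ('x"


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (author TEXT, body TEXT)")
    return conn


def add_comment_vulnerable(conn, author, body):
    # SQL built by string formatting: the SQL injection vulnerability.
    conn.execute(f"INSERT INTO comments VALUES ('{author}', '{body}')")


def render_vulnerable(conn):
    # Stored values concatenated straight into HTML: no output encoding,
    # so whatever the injection planted in the table reaches the browser.
    rows = conn.execute("SELECT author, body FROM comments").fetchall()
    return "".join(f"<p><b>{a}</b>: {b}</p>" for a, b in rows)


def add_comment_safe(conn, author, body):
    # Parameterized query: the input is bound as data, never parsed as SQL.
    conn.execute("INSERT INTO comments VALUES (?, ?)", (author, body))


def render_safe(conn):
    # Output encoding at render time neutralizes markup in stored data,
    # so even a payload that got into the table cannot execute.
    rows = conn.execute("SELECT author, body FROM comments").fetchall()
    return "".join(f"<p><b>{html.escape(a)}</b>: {html.escape(b)}</p>"
                   for a, b in rows)


def demo(add, render):
    # Returns (number of stored rows, rendered HTML) for one add/render pair.
    conn = new_db()
    add(conn, PAYLOAD_AUTHOR, "hi")   # attacker submits the payload
    add(conn, "alice", "hello")       # an ordinary user posts afterwards
    count = conn.execute("SELECT COUNT(*) FROM comments").fetchone()[0]
    return count, render(conn)
```

With the vulnerable pair the first submission stores two rows and the rendered page contains a live `<script>` tag; with the safe pair it stores one literal row and the rendered page shows only escaped text.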