[Owasp-testing] Brainstorming about the new Index
daniel.cuthbert at owasp.org
Thu Oct 12 05:58:29 EDT 2006
The whole bag of fun that is XSS needs to be thought about in a clear
Are we going to talk about ever possible xss mutation, such as:
HTML Quote Encapsulation
Or are we going to concentrate on the basics?
On 12 Oct 2006, at 16:51, Matteo Meucci wrote:
> I think you are right: this paragraph already exists.
> look at:
> 4.6 Data Validation Testing 0% TD
> 4.6.1 Cross site scripting 0% TD
> 126.96.36.199 Incubated attacks 0% TD
> Ariel may be says that Incubated attacks are a combination of SQL Inj
> and XSS, but we can reasonably affirm that is a particular XSS attack.
> In the same paragraph we can show an example that how a XSS Inc Attack
> works exploiting an SQL Inj vulnerability.
> On 10/12/06, Eoin <eoinkeary at gmail.com> wrote:
>> incubated attacks are important enough to warrant a section under
>> XSS. It is
>> another varient of XSS.
>> Metteo what do you think?
>> On 11/10/06, Ariel Waissbein <wata.34mt at coresecurity.com> wrote:
>>> Hi all,
>>> my first post and 2 cents here:
>>> I guess we should make a difference between the techniques of unit
>>> testing and the results of UT. Even if UT can be used to... e.g.,
>>> discover BO or SQL-injection vulns.
>>> Although, I noticed that there is an Appendix for fuzzing which is
>>> another technique for discovering (some) vulnerabilities.
>>> A new question: imagine the following situation: The pen tester
>>> discovers a SQL-injection vulnerability in a webapp he is
>>> auditing. This
>>> perpetrate a XSS attack (incubated) on the users of this webapp. My
>>> question is where do we describe this attacks? (I think they are
>>> important enough to be included somewhere.)
>>> Eoin Keary wrote:
>>>> Do we want to get into Unit Testing and SDLC methodology in this
>>>> I thought they would be more suite to Andrews dev guide or the code
>>>> review project.
>>>> unit testing is related to testing small blocks of a syaytem
>>>> individually and hence a development phase done prior to system and
>>>> integration testing.
>>>> The Guide currently focuses on penetration testing which is
>>>> "After the
>>>> Fact" testing and not really one until the system in developed.
>>>> What y'all think?
>>> Owasp-testing mailing list
>>> Owasp-testing at lists.owasp.org
>> Eoin Keary OWASP - Ireland
>> Owasp-testing mailing list
>> Owasp-testing at lists.owasp.org
> Matteo Meucci
> OWASP-Italy Chair, CISSP, CISA
> site: http://www.owasp.org/index.php/Italy
> mail: matteo.meucci at owasp.org
> ml: http://lists.owasp.org/mailman/listinfo/owasp-italy
> Owasp-testing mailing list
> Owasp-testing at lists.owasp.org
More information about the Owasp-testing