[Owasp-testing] Brainstorming about the new Index

Matteo Meucci matteo.meucci at gmail.com
Thu Oct 12 06:14:19 EDT 2006


Yes, that's the focal point of the project.
As Eoin sayd, we have a finite time (31th dec for a complete guide).
The fact is that today we have written nearly nothing about XSS and
many other items.

So the idea is:
- 5th November: 1st dead line to cover the basic and create link to whitepapers
- Then review all, finish the par. not yet completed
- Then if we have time, we can go in details on each par.

That make sense?
Mat

On 10/12/06, Daniel Cuthbert <daniel.cuthbert at owasp.org> wrote:
> The whole bag of fun that is XSS needs to be thought about in a clear
> manner.
> Are we going to talk about ever possible xss mutation, such as:
>
> Basic
> HTML element
> Character Encoding
> Embedded Character
> Event handlers
> HTML Quote Encapsulation
> URL obfuscation
>
> Or are we going to concentrate on the basics?
>
>
> On 12 Oct 2006, at 16:51, Matteo Meucci wrote:
>
> > Yes,
> > I think you are right: this paragraph already exists.
> > look at:
> > (http://www.owasp.org/index.php/
> > OWASP_Testing_Guide_v2_Table_of_Contents)
> > 4.6 Data Validation Testing 0% TD
> > 4.6.1 Cross site scripting 0% TD
> > 4.6.1.1 Incubated attacks 0% TD
> >
> > Ariel may be says that Incubated attacks are a combination of SQL Inj
> > and XSS, but we can reasonably affirm that is a particular XSS attack.
> > In the same paragraph we can show an example that how a XSS Inc Attack
> > works exploiting an SQL Inj vulnerability.
> > Right?
> >
> > Mat
> >
> >
> >
> > On 10/12/06, Eoin <eoinkeary at gmail.com> wrote:
> >> Hi,
> >> incubated attacks are important enough to warrant a section under
> >> XSS. It is
> >> another varient of XSS.
> >> Metteo what do you think?
> >>
> >>
> >>
> >> On 11/10/06, Ariel Waissbein <wata.34mt at coresecurity.com> wrote:
> >>> Hi all,
> >>>
> >>> my first post and 2 cents here:
> >>>
> >>> I guess we should make a difference between the techniques of unit
> >>> testing and the results of UT. Even if UT can be used to... e.g.,
> >>> discover BO or SQL-injection vulns.
> >>>
> >>> Although, I noticed that there is an Appendix for fuzzing which is
> >>> another technique for discovering (some) vulnerabilities.
> >>>
> >>>
> >>> A new question: imagine the following situation: The pen tester
> >>> discovers a SQL-injection vulnerability in a webapp he is
> >>> auditing. This
> >>> vuln. allows him to store some javascript in the Db and therefore
> >>> perpetrate a XSS attack (incubated) on the users of this webapp.  My
> >>> question is where do we describe this attacks? (I think they are
> >>> important enough to be included somewhere.)
> >>>
> >>> Cheers,
> >>> Ariel
> >>>
> >>> Eoin Keary wrote:
> >>>> Hi,
> >>>>
> >>>> Question:
> >>>> Do we want to get into Unit Testing and SDLC methodology in this
> >>>> guide?
> >>>> I thought they would be more suite to Andrews dev guide or the code
> >>>> review project.
> >>>> unit testing is related to testing small blocks of a syaytem
> >>>> individually and hence a development phase done prior to system and
> >>>> integration testing.
> >>>> The Guide currently focuses on penetration testing which is
> >>>> "After the
> >>>> Fact" testing and not really one until the system in developed.
> >>>>
> >>>> What y'all think?
> >>>>
> >>>> Eoin
> >>>>
> >>> _______________________________________________
> >>> Owasp-testing mailing list
> >>> Owasp-testing at lists.owasp.org
> >>> http://lists.owasp.org/mailman/listinfo/owasp-testing
> >>>
> >>
> >>
> >>
> >> --
> >> Eoin Keary OWASP - Ireland
> >> http://www.owasp.org/local/ireland.html
> >>  http://www.owasp.org/index.php/OWASP_Testing_Project
> >> http://www.owasp.org/index.php/OWASP_Code_Review_Project
> >> _______________________________________________
> >> Owasp-testing mailing list
> >> Owasp-testing at lists.owasp.org
> >> http://lists.owasp.org/mailman/listinfo/owasp-testing
> >>
> >>
> >>
> >
> >
> > --
> > Matteo Meucci
> > OWASP-Italy Chair, CISSP, CISA
> > site: http://www.owasp.org/index.php/Italy
> > mail: matteo.meucci at owasp.org
> > ml: http://lists.owasp.org/mailman/listinfo/owasp-italy
> > _______________________________________________
> > Owasp-testing mailing list
> > Owasp-testing at lists.owasp.org
> > http://lists.owasp.org/mailman/listinfo/owasp-testing
>
> _______________________________________________
> Owasp-testing mailing list
> Owasp-testing at lists.owasp.org
> http://lists.owasp.org/mailman/listinfo/owasp-testing
>


-- 
Matteo Meucci
OWASP-Italy Chair, CISSP, CISA
site: http://www.owasp.org/index.php/Italy
mail: matteo.meucci at owasp.org
ml: http://lists.owasp.org/mailman/listinfo/owasp-italy



More information about the Owasp-testing mailing list