[Owasp-testing] Article content

Stefano Di Paola wisec at wisec.it
Thu Oct 12 12:54:10 EDT 2006


Daniel and all,
this is the right direction IMHO, too.

as Matteo  pointed in his first mail:
_snip_
" ....
3) In accordance with Alberto Revelli, we think to create a new
template for Chapter 4:
1 Short Description of the Issue
2 How to Test
    2.1 Black Box testing and example
    2.2 White Box testing and example
3 References
    Whitepapers
    Tools 
...."
_snip_

Apart from 2.2, which maybe could be redirected to code review, it seems
to me the same practical approach.

I agree that a very light and pragmatic reference guide with links to
attack theory and tools is what we need.


Very good idea for 'Result Expected:' !

Maybe some antifiltering/metachars attack related list or reference
( where a list would be too long ) could be useful as a sub paragraf of
the attack technique.

IMHO, of course...

Stefano

On gio, 2006-10-12 at 16:39 +0200, Matteo Meucci wrote:
> Wow,
> I like it...that's very cool, practical and pragmatic as Eoin said.
> 
> Mat
> 
> 
> On 10/12/06, Daniel Cuthbert <daniel.cuthbert at owasp.org> wrote:
> > examples are good. Ideally they should give an introduction of what
> > the tester is testing for, a brief explanation and the actual method
> > used to test and desired output
> >
> >
> > =======================================================
> > Topic:
> >
> > XSS IFRAME Test
> >
> > Explanation:
> >
> > HTML frames allow authors to present documents in multiple views,
> > which may be independent windows or subwindows. These are commonly
> > found to be vulnerable, and if the web application allows iframes,
> > there could be further XSS vulnerabilities present
> >
> > Testing for IFRAME vulnerabilities:
> > Using a proxy, recreate the IFRAME code with following code
> > <IFRAME SRC="javascript:alert(;'OWASP IFRAME XSS Test');"></IFRAME>
> >
> > Result Expected:
> > A alert box with the caption "OWASP IFRAME XSS Test" should appear
> >
> > =======================================================
> >
> >
> >
> >
> > On 12 Oct 2006, at 21:21, Matteo Meucci wrote:
> >
> > > Yep,
> > > Eoin is right. We don't need to write down all the theory about a
> > > particular attack, but just a brief description. The added value of
> > > this guide is our experience on how to test. Focus on real
> > > case-studies will be great. IMHO this concept has to be our guideline
> > > in writing new articles.
> > > Other feed back?
> > >
> > > Mat
> > >
> > > On 10/12/06, Eoin <eoin.keary at owasp.org> wrote:
> > >> Guys,
> > >>
> > >> when doing these articles can we ensure that the articles are
> > >> practical and
> > >> pragmatic?
> > >> I.e. Examples of the test discussed and less academic theory.
> > >> Just that, there are many books out there on the "theory" but what
> > >> we need
> > >> is examples of "how to test"..
> > >>
> > >> What do y'all think?
> > >>
> > >>
> > >> --
> > >> Eoin Keary OWASP - Ireland
> > >> http://www.owasp.org/local/ireland.html
> > >>  http://www.owasp.org/index.php/OWASP_Testing_Project
> > >> http://www.owasp.org/index.php/OWASP_Code_Review_Project
> > >
> > >
> > > --
> > > Matteo Meucci
> > > OWASP-Italy Chair, CISSP, CISA
> > > site: http://www.owasp.org/index.php/Italy
> > > mail: matteo.meucci at owasp.org
> > > ml: http://lists.owasp.org/mailman/listinfo/owasp-italy
> > > _______________________________________________
> > > Owasp-testing mailing list
> > > Owasp-testing at lists.owasp.org
> > > http://lists.owasp.org/mailman/listinfo/owasp-testing
> >
> >
> 
> 




More information about the Owasp-testing mailing list