[Owasp-testing] Brainstorming about the new Index

Eoin Keary eoinkeary at hotmail.com
Fri Oct 13 16:14:14 EDT 2006


Dan if you create a new account the problem will go away.

>From: Daniel Cuthbert <daniel.cuthbert at owasp.org>
>To: owasp-testing at lists.owasp.org
>CC: owasp-leaders at lists.owasp.org
>Subject: Re: [Owasp-testing] Brainstorming about the new Index
>Date: Fri, 13 Oct 2006 21:20:53 +0700
>
>nope, seems something isnt happy with our version of wiki and mac  support
>
>Andrew, you use a mac, you seen this before?
>On 13 Oct 2006, at 20:11, Eoin wrote:
>
>>Yep, had this before, dont turn on "remember me" and clear your cache.
>>that seems to solve the problem
>>
>>On 13/10/06, Daniel Cuthbert < daniel.cuthbert at owasp.org> wrote:
>>Anyone else having a issue with the Wiki?
>>seems once i go through the authentication process, the site returns
>>a blank page
>>
>>confused!
>>On 13 Oct 2006, at 18:10, Matteo Meucci wrote:
>>
>> > I've talked about "4.2 Information Gathering" and " 4.8  Infrastructure
>> > and configuration Testing" with Carlo and Stefano.
>> > (http://www.owasp.org/index.php/
>> > OWASP_Testing_Guide_v2_Table_of_Contents)
>> >
>> > May be we can merge these like that (deleting par.4.8):
>> >
>> > 4.2 Information Gathering
>> > 4.2.1 Spidering and googling
>> > 4.2.2 Analisys of error code
>> > 4.2.3 Infrastructure configuration management testing
>> > SSL/TLS Testing
>> > 4.2.4 Application configuration management testing
>> > File extensions handling
>> > Old, backup and unreferenced files
>> >
>> > What is your opinion?
>> > Mat
>> >
>> >
>> > On 10/13/06, Matteo Meucci <matteo.meucci at gmail.com> wrote:
>> >> Perfect.
>> >> Thank you Stefano, I've added:
>> >> 4.4.4 Directory traversal/file include
>> >>
>> >> What about your second idea...where can we insert this item?
>> >>
>> >> Mat
>> >>
>> >> On 10/13/06, Stefano Di Paola <wisec at wisec.it > wrote:
>> >>> Just a couple of things that come to my mind (thanks to Matteo and
>> >>> Alberto)...
>> >>>
>> >>> Data Validation Testing chapter misses a little par. about
>> >>> directory traversal/local file include and remote file include.
>> >>>
>> >>> Another point is about athentication and authorization chapter,
>> >>> on pages
>> >>> which miss to exit on a redirection when they find the login/
>> >>> passwd are
>> >>> wrong.
>> >>> An example below in Php:
>> >>> <?
>> >>> if(islogged())
>> >>> header("Location : redir.php")
>> >>> // without exit and then login page follows
>> >>> logged-in code..-.
>> >>> ?>
>> >>>
>> >>> Maybe in this cases a paragraph is worth writing to cover the
>> >>> issue and
>> >>> to point out the use of command line raw requests like curl and
>> >>> related.
>> >>>
>> >>> Stefano
>> >>>
>> >>>
>> >>>
>> >>> On gio, 2006-10-12 at 11:51 +0200, Matteo Meucci wrote:
>> >>>> Yes,
>> >>>> I think you are right: this paragraph already exists.
>> >>>> look at:
>> >>>> (http://www.owasp.org/index.php/
>> >>>> OWASP_Testing_Guide_v2_Table_of_Contents)
>> >>>> 4.6 Data Validation Testing 0% TD
>> >>>> 4.6.1 Cross site scripting 0% TD
>> >>>> 4.6.1.1 Incubated attacks 0% TD
>> >>>>
>> >>>> Ariel may be says that Incubated attacks are a combination of
>> >>>> SQL Inj
>> >>>> and XSS, but we can reasonably affirm that is a particular XSS
>> >>>> attack.
>> >>>> In the same paragraph we can show an example that how a XSS Inc
>> >>>> Attack
>> >>>> works exploiting an SQL Inj vulnerability.
>> >>>> Right?
>> >>>>
>> >>>> Mat
>> >>>>
>> >>>>
>> >>>>
>> >>>> On 10/12/06, Eoin <eoinkeary at gmail.com> wrote:
>> >>>>> Hi,
>> >>>>> incubated attacks are important enough to warrant a section
>> >>>>> under XSS. It is
>> >>>>> another varient of XSS.
>> >>>>> Metteo what do you think?
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>> On 11/10/06, Ariel Waissbein < wata.34mt at coresecurity.com>  wrote:
>> >>>>>> Hi all,
>> >>>>>>
>> >>>>>> my first post and 2 cents here:
>> >>>>>>
>> >>>>>> I guess we should make a difference between the techniques of
>> >>>>>> unit
>> >>>>>> testing and the results of UT. Even if UT can be used to...  e.g.,
>> >>>>>> discover BO or SQL-injection vulns.
>> >>>>>>
>> >>>>>> Although, I noticed that there is an Appendix for fuzzing
>> >>>>>> which is
>> >>>>>> another technique for discovering (some) vulnerabilities.
>> >>>>>>
>> >>>>>>
>> >>>>>> A new question: imagine the following situation: The pen tester
>> >>>>>> discovers a SQL-injection vulnerability in a webapp he is
>> >>>>>> auditing. This
>> >>>>>> vuln. allows him to store some javascript in the Db and  therefore
>> >>>>>> perpetrate a XSS attack (incubated) on the users of this
>> >>>>>> webapp.  My
>> >>>>>> question is where do we describe this attacks? (I think they  are
>> >>>>>> important enough to be included somewhere.)
>> >>>>>>
>> >>>>>> Cheers,
>> >>>>>> Ariel
>> >>>>>>
>> >>>>>> Eoin Keary wrote:
>> >>>>>>> Hi,
>> >>>>>>>
>> >>>>>>> Question:
>> >>>>>>> Do we want to get into Unit Testing and SDLC methodology in
>> >>>>>>> this guide?
>> >>>>>>> I thought they would be more suite to Andrews dev guide or
>> >>>>>>> the code
>> >>>>>>> review project.
>> >>>>>>> unit testing is related to testing small blocks of a syaytem
>> >>>>>>> individually and hence a development phase done prior to
>> >>>>>>> system and
>> >>>>>>> integration testing.
>> >>>>>>> The Guide currently focuses on penetration testing which is
>> >>>>>>> "After the
>> >>>>>>> Fact" testing and not really one until the system in  developed.
>> >>>>>>>
>> >>>>>>> What y'all think?
>> >>>>>>>
>> >>>>>>> Eoin
>> >>>>>>>
>> >>>>>> _______________________________________________
>> >>>>>> Owasp-testing mailing list
>> >>>>>> Owasp-testing at lists.owasp.org
>> >>>>>> http://lists.owasp.org/mailman/listinfo/owasp-testing
>> >>>>>>
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>> --
>> >>>>> Eoin Keary OWASP - Ireland
>> >>>>> http://www.owasp.org/local/ireland.html
>> >>>>>  http://www.owasp.org/index.php/OWASP_Testing_Project
>> >>>>> http://www.owasp.org/index.php/OWASP_Code_Review_Project
>> >>>>> _______________________________________________
>> >>>>> Owasp-testing mailing list
>> >>>>> Owasp-testing at lists.owasp.org
>> >>>>> http://lists.owasp.org/mailman/listinfo/owasp-testing
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>
>> >>>
>> >>>
>> >>>
>> >>
>> >>
>> >> --
>> >> Matteo Meucci
>> >> OWASP-Italy Chair, CISSP, CISA
>> >> site: http://www.owasp.org/index.php/Italy
>> >> mail: matteo.meucci at owasp.org
>> >> ml: http://lists.owasp.org/mailman/listinfo/owasp-italy
>> >>
>> >
>> >
>> > --
>> > Matteo Meucci
>> > OWASP-Italy Chair, CISSP, CISA
>> > site: http://www.owasp.org/index.php/Italy
>> > mail: matteo.meucci at owasp.org
>> > ml: http://lists.owasp.org/mailman/listinfo/owasp-italy
>> > _______________________________________________
>> > Owasp-testing mailing list
>> > Owasp-testing at lists.owasp.org
>> > http://lists.owasp.org/mailman/listinfo/owasp-testing
>>
>>_______________________________________________
>>Owasp-testing mailing list
>>Owasp-testing at lists.owasp.org
>>http://lists.owasp.org/mailman/listinfo/owasp-testing
>>
>>
>>
>>--
>>Eoin Keary OWASP - Ireland
>>http://www.owasp.org/local/ireland.html
>>http://www.owasp.org/index.php/OWASP_Testing_Project
>>http://www.owasp.org/index.php/OWASP_Code_Review_Project
>


>_______________________________________________
>Owasp-testing mailing list
>Owasp-testing at lists.owasp.org
>http://lists.owasp.org/mailman/listinfo/owasp-testing

_________________________________________________________________
Find a baby-sitter FAST with MSN Search! http://search.msn.ie/




More information about the Owasp-testing mailing list