[Owasp-testing] Brainstorming about the new Index

Daniel Cuthbert daniel.cuthbert at owasp.org
Sat Oct 14 08:06:37 EDT 2006


I can't believe we have this issue :0)

Jeff, is this an ongoing issue with our implementation of the Wiki? Do  
Wiki know themselves about the bug?


On 14 Oct 2006, at 03:14, Eoin Keary wrote:

>
> Dan if you create a new account the problem will go away.
>
>> From: Daniel Cuthbert <daniel.cuthbert at owasp.org>
>> To: owasp-testing at lists.owasp.org
>> CC: owasp-leaders at lists.owasp.org
>> Subject: Re: [Owasp-testing] Brainstorming about the new Index
>> Date: Fri, 13 Oct 2006 21:20:53 +0700
>>
>> nope, seems something isn't happy with our version of wiki and mac   
>> support
>>
>> Andrew, you use a mac, you seen this before?
>> On 13 Oct 2006, at 20:11, Eoin wrote:
>>
>>> Yep, had this before, don't turn on "remember me" and clear your  
>>> cache.
>>> that seems to solve the problem
>>>
>>> On 13/10/06, Daniel Cuthbert < daniel.cuthbert at owasp.org> wrote:
>>> Anyone else having an issue with the Wiki?
>>> seems once I go through the authentication process, the site returns
>>> a blank page
>>>
>>> confused!
>>> On 13 Oct 2006, at 18:10, Matteo Meucci wrote:
>>>
>>> > I've talked about "4.2 Information Gathering" and " 4.8   
>>> Infrastructure
>>> > and configuration Testing" with Carlo and Stefano.
>>> > (http://www.owasp.org/index.php/
>>> > OWASP_Testing_Guide_v2_Table_of_Contents)
>>> >
>>> > May be we can merge these like that (deleting par.4.8):
>>> >
>>> > 4.2 Information Gathering
>>> > 4.2.1 Spidering and googling
>>> > 4.2.2 Analysis of error code
>>> > 4.2.3 Infrastructure configuration management testing
>>> > SSL/TLS Testing
>>> > 4.2.4 Application configuration management testing
>>> > File extensions handling
>>> > Old, backup and unreferenced files
>>> >
>>> > What is your opinion?
>>> > Mat
>>> >
>>> >
>>> > On 10/13/06, Matteo Meucci <matteo.meucci at gmail.com> wrote:
>>> >> Perfect.
>>> >> Thank you Stefano, I've added:
>>> >> 4.4.4 Directory traversal/file include
>>> >>
>>> >> What about your second idea...where can we insert this item?
>>> >>
>>> >> Mat
>>> >>
>>> >> On 10/13/06, Stefano Di Paola <wisec at wisec.it > wrote:
>>> >>> Just a couple of things that come to my mind (thanks to  
>>> Matteo and
>>> >>> Alberto)...
>>> >>>
>>> >>> Data Validation Testing chapter misses a little par. about
>>> >>> directory traversal/local file include and remote file include.
>>> >>>
>>> >>> Another point is about authentication and authorization chapter,
>>> >>> on pages
>>> >>> which miss to exit on a redirection when they find the login/
>>> >>> passwd are
>>> >>> wrong.
>>> >>> An example below in PHP:
>>> >>> <?php
>>> >>> if (islogged())
>>> >>>     header("Location: redir.php");
>>> >>> // without exit and then login page follows
>>> >>> // logged-in code...
>>> >>> ?>
>>> >>>
>>> >>> Maybe in these cases a paragraph is worth writing to cover the
>>> >>> issue and
>>> >>> to point out the use of command line raw requests like curl and
>>> >>> related.
>>> >>>
>>> >>> Stefano
>>> >>>
>>> >>>
>>> >>>
>>> >>> On gio, 2006-10-12 at 11:51 +0200, Matteo Meucci wrote:
>>> >>>> Yes,
>>> >>>> I think you are right: this paragraph already exists.
>>> >>>> look at:
>>> >>>> (http://www.owasp.org/index.php/
>>> >>>> OWASP_Testing_Guide_v2_Table_of_Contents)
>>> >>>> 4.6 Data Validation Testing 0% TD
>>> >>>> 4.6.1 Cross site scripting 0% TD
>>> >>>> 4.6.1.1 Incubated attacks 0% TD
>>> >>>>
>>> >>>> Ariel maybe says that Incubated attacks are a combination of
>>> >>>> SQL Inj
>>> >>>> and XSS, but we can reasonably affirm that is a particular XSS
>>> >>>> attack.
>>> >>>> In the same paragraph we can show an example of how an XSS Inc
>>> >>>> attack
>>> >>>> works exploiting an SQL Inj vulnerability.
>>> >>>> Right?
>>> >>>>
>>> >>>> Mat
>>> >>>>
>>> >>>>
>>> >>>>
>>> >>>> On 10/12/06, Eoin <eoinkeary at gmail.com> wrote:
>>> >>>>> Hi,
>>> >>>>> incubated attacks are important enough to warrant a section
>>> >>>>> under XSS. It is
>>> >>>>> another variant of XSS.
>>> >>>>> Matteo what do you think?
>>> >>>>>
>>> >>>>>
>>> >>>>>
>>> >>>>> On 11/10/06, Ariel Waissbein < wata.34mt at coresecurity.com>   
>>> wrote:
>>> >>>>>> Hi all,
>>> >>>>>>
>>> >>>>>> my first post and 2 cents here:
>>> >>>>>>
>>> >>>>>> I guess we should make a difference between the techniques of
>>> >>>>>> unit
>>> >>>>>> testing and the results of UT. Even if UT can be used  
>>> to...  e.g.,
>>> >>>>>> discover BO or SQL-injection vulns.
>>> >>>>>>
>>> >>>>>> Although, I noticed that there is an Appendix for fuzzing
>>> >>>>>> which is
>>> >>>>>> another technique for discovering (some) vulnerabilities.
>>> >>>>>>
>>> >>>>>>
>>> >>>>>> A new question: imagine the following situation: The pen  
>>> tester
>>> >>>>>> discovers a SQL-injection vulnerability in a webapp he is
>>> >>>>>> auditing. This
>>> >>>>>> vuln. allows him to store some javascript in the Db and   
>>> therefore
>>> >>>>>> perpetrate a XSS attack (incubated) on the users of this
>>> >>>>>> webapp.  My
>>> >>>>>> question is where do we describe this attacks? (I think  
>>> they  are
>>> >>>>>> important enough to be included somewhere.)
>>> >>>>>>
>>> >>>>>> Cheers,
>>> >>>>>> Ariel
>>> >>>>>>
>>> >>>>>> Eoin Keary wrote:
>>> >>>>>>> Hi,
>>> >>>>>>>
>>> >>>>>>> Question:
>>> >>>>>>> Do we want to get into Unit Testing and SDLC methodology in
>>> >>>>>>> this guide?
>>> >>>>>>> I thought they would be more suited to Andrew's dev guide or
>>> >>>>>>> the code
>>> >>>>>>> review project.
>>> >>>>>>> unit testing is related to testing small blocks of a system
>>> >>>>>>> individually and hence a development phase done prior to
>>> >>>>>>> system and
>>> >>>>>>> integration testing.
>>> >>>>>>> The Guide currently focuses on penetration testing which is
>>> >>>>>>> "After the
>>> >>>>>>> Fact" testing and not really done until the system is   
>>> developed.
>>> >>>>>>>
>>> >>>>>>> What y'all think?
>>> >>>>>>>
>>> >>>>>>> Eoin
>>> >>>>>>>
>>> >>>>>> _______________________________________________
>>> >>>>>> Owasp-testing mailing list
>>> >>>>>> Owasp-testing at lists.owasp.org
>>> >>>>>> http://lists.owasp.org/mailman/listinfo/owasp-testing
>>> >>>>>>
>>> >>>>>
>>> >>>>>
>>> >>>>>
>>> >>>>> --
>>> >>>>> Eoin Keary OWASP - Ireland
>>> >>>>> http://www.owasp.org/local/ireland.html
>>> >>>>>  http://www.owasp.org/index.php/OWASP_Testing_Project
>>> >>>>> http://www.owasp.org/index.php/OWASP_Code_Review_Project
>>> >>>>>
>>> >>>>>
>>> >>>>>
>>> >>>>
>>> >>>
>>> >>>
>>> >>>
>>> >>
>>> >>
>>> >> --
>>> >> Matteo Meucci
>>> >> OWASP-Italy Chair, CISSP, CISA
>>> >> site: http://www.owasp.org/index.php/Italy
>>> >> mail: matteo.meucci at owasp.org
>>> >> ml: http://lists.owasp.org/mailman/listinfo/owasp-italy
>>> >>
>>> >
>>> >
>>> > --
>>> > Matteo Meucci
>>> > OWASP-Italy Chair, CISSP, CISA
>>> > site: http://www.owasp.org/index.php/Italy
>>> > mail: matteo.meucci at owasp.org
>>> > ml: http://lists.owasp.org/mailman/listinfo/owasp-italy
>>>
>>>
>>>
>>>
>>> --
>>> Eoin Keary OWASP - Ireland
>>> http://www.owasp.org/local/ireland.html
>>> http://www.owasp.org/index.php/OWASP_Testing_Project
>>> http://www.owasp.org/index.php/OWASP_Code_Review_Project
>>
>
>
>
>
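Stefano's point above (a `header("Location: ...")` with no `exit`, so the protected page body is still sent after the redirect headers) and his suggestion to check it with raw command-line requests are easy to turn into a mechanical test. The following script is an added example, not code from the thread or from the Testing Guide. It assumes the response was captured with `curl -s -i http://host/page.php` (no `-L`, so the redirect is not followed and the body that a browser would never render is kept), and it works on constructed sample responses embedded inline; with real captures the CRLF line endings are covered by the `[[:space:]]` class.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): detect a PHP-style
# "header('Location: ...') without exit" leak from outside the application.
# A vulnerable page answers with a 3xx status but still emits the protected
# page after the blank header/body separator. A browser follows the Location
# header and never shows that body, but a raw client such as curl -i sees it.

# check_redirect_leak RAW_RESPONSE
#   Prints "LEAK" and returns 1 when the response is a 3xx redirect whose
#   body contains non-whitespace content; prints "OK" and returns 0 otherwise.
check_redirect_leak() {
    resp="$1"
    # The status code is the second token of the status line.
    status=$(printf '%s\n' "$resp" | head -n 1 | awk '{print $2}')
    # The body is everything after the first blank line (the header/body
    # separator); if there is no separator the body is empty.
    body=$(printf '%s\n' "$resp" | sed '1,/^[[:space:]]*$/d')
    case "$status" in
        3[0-9][0-9])
            if printf '%s' "$body" | grep -q '[^[:space:]]'; then
                echo "LEAK"
                return 1
            fi
            ;;
    esac
    echo "OK"
    return 0
}

# Constructed sample responses (not real captures).
# 1. Vulnerable: redirect headers followed by the logged-in page content.
VULN_RESPONSE=$(printf 'HTTP/1.1 302 Found\nLocation: redir.php\nContent-Type: text/html\n\n<html><body>Welcome back, admin. Account settings...</body></html>\n')
# 2. Fixed: the script called exit after header(), so the body is empty.
FIXED_RESPONSE=$(printf 'HTTP/1.1 302 Found\nLocation: redir.php\nContent-Type: text/html\n\n')
# 3. Ordinary page: a 200 with a body is not a redirect and is not flagged.
LOGIN_PAGE=$(printf 'HTTP/1.1 200 OK\nContent-Type: text/html\n\n<html><body>Please log in</body></html>\n')

# Stand-alone run: report each sample (|| true keeps the loop going under set -e).
for r in "$VULN_RESPONSE" "$FIXED_RESPONSE" "$LOGIN_PAGE"; do
    check_redirect_leak "$r" || true
done
```

When run against live pages, every authenticated URL of the application would be fetched without following redirects and fed to `check_redirect_leak`; a "LEAK" result on a page that should have bounced the unauthenticated client to the login form is exactly the missing-`exit` case described in the thread, and the fix on the PHP side is to call `exit` (or `die`) immediately after `header()`.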



