[Owasp-testing] Brainstorming about the new Index

Matteo Meucci matteo.meucci at gmail.com
Sat Oct 14 10:32:23 EDT 2006


Hi,
After a long brainstorming with Stefano, our idea is to change the Data
Validation paragraph as follows:
DATA VALIDATION

4.6.1 Cross site scripting 0% TD
4.6.1.1 HTTP Methods and XST 0% TD
//(Phishing + XSS is not a test, but a particular attack. So we can
//describe it as an example in 4.6.1)

//(more rational par about SQL Injection)
4.6.2 SQL Injection 0% TD
4.6.2.1 Stored procedure injection 0% TD
4.6.2.2 Oracle testing,
4.6.2.3 MySQL testing,
4.6.2.4 SQL Server testing
// 4.6.2.4 Listener Testing - is an infrastructural testing

//(a par. for every different test)
4.6.3 ORM Injection
4.6.4 LDAP Injection
4.6.5 XML Injection,
4.6.6 SSI Injection,
4.6.7 XPath Injection
4.6.8 IMAP/SMTP Injection
4.6.9 Code Injection
4.6.10 OS Commanding

4.6.11 Buffer overflow Testing
4.6.11.1 Heap overflow
4.6.11.2 Stack overflow
4.6.11.3 Format string

4.6.12 Incubated vulnerability testing
//(we see this as an advanced test that exploits multiple vulnerabilities)

What do you think about that?

Thanks again Stefano.
Mat


On 10/13/06, Matteo Meucci <matteo.meucci at gmail.com> wrote:
> I've talked about "4.2 Information Gathering" and "4.8 Infrastructure
> and configuration Testing" with Carlo and Stefano.
> (http://www.owasp.org/index.php/OWASP_Testing_Guide_v2_Table_of_Contents)
>
> Maybe we can merge these like this (deleting par. 4.8):
>
> 4.2 Information Gathering
> 4.2.1 Spidering and googling
> 4.2.2 Analysis of error code
> 4.2.3 Infrastructure configuration management testing
> SSL/TLS Testing
> 4.2.4 Application configuration management testing
> File extensions handling
> Old, backup and unreferenced files
>
> What is your opinion?
> Mat
>
>
> On 10/13/06, Matteo Meucci <matteo.meucci at gmail.com> wrote:
> > Perfect.
> > Thank you Stefano, I've added:
> > 4.4.4 Directory traversal/file include
> >
> > What about your second idea...where can we insert this item?
> >
> > Mat
> >
> > On 10/13/06, Stefano Di Paola <wisec at wisec.it> wrote:
> > > Just a couple of things that come to my mind (thanks to Matteo and
> > > Alberto)...
> > >
> > > Data Validation Testing chapter misses a little par. about
> > > directory traversal/local file include and remote file include.
> > >
> > > Another point is about the authentication and authorization chapter, on pages
> > > which fail to exit on a redirection when they find the login/passwd are
> > > wrong.
> > > An example below in PHP:
> > > <?php
> > > if (islogged())
> > >     header("Location: redir.php");
> > > // without exit, and then the login page follows
> > > // logged-in code...
> > > ?>
> > >
> > > Maybe in these cases a paragraph is worth writing to cover the issue and
> > > to point out the use of command line raw requests like curl and related.
> > >
> > > Stefano
> > >
> > >
> > >
> > > On gio, 2006-10-12 at 11:51 +0200, Matteo Meucci wrote:
> > > > Yes,
> > > > I think you are right: this paragraph already exists.
> > > > look at:
> > > > (http://www.owasp.org/index.php/OWASP_Testing_Guide_v2_Table_of_Contents)
> > > > 4.6 Data Validation Testing 0% TD
> > > > 4.6.1 Cross site scripting 0% TD
> > > > 4.6.1.1 Incubated attacks 0% TD
> > > >
> > > > Ariel maybe says that Incubated attacks are a combination of SQL Inj
> > > > and XSS, but we can reasonably affirm that it is a particular XSS attack.
> > > > In the same paragraph we can show an example of how an XSS Inc Attack
> > > > works exploiting an SQL Inj vulnerability.
> > > > Right?
> > > >
> > > > Mat
> > > >
> > > >
> > > >
> > > > On 10/12/06, Eoin <eoinkeary at gmail.com> wrote:
> > > > > Hi,
> > > > > incubated attacks are important enough to warrant a section under XSS. It is
> > > > > another variant of XSS.
> > > > > Matteo what do you think?
> > > > >
> > > > >
> > > > >
> > > > > On 11/10/06, Ariel Waissbein <wata.34mt at coresecurity.com> wrote:
> > > > > > Hi all,
> > > > > >
> > > > > > my first post and 2 cents here:
> > > > > >
> > > > > > I guess we should make a difference between the techniques of unit
> > > > > > testing and the results of UT. Even if UT can be used to... e.g.,
> > > > > > discover BO or SQL-injection vulns.
> > > > > >
> > > > > > Although, I noticed that there is an Appendix for fuzzing which is
> > > > > > another technique for discovering (some) vulnerabilities.
> > > > > >
> > > > > >
> > > > > > A new question: imagine the following situation: The pen tester
> > > > > > discovers a SQL-injection vulnerability in a webapp he is auditing. This
> > > > > > vuln. allows him to store some javascript in the Db and therefore
> > > > > > perpetrate a XSS attack (incubated) on the users of this webapp.  My
> > > > > > question is where do we describe this attacks? (I think they are
> > > > > > important enough to be included somewhere.)
> > > > > >
> > > > > > Cheers,
> > > > > > Ariel
> > > > > >
> > > > > > Eoin Keary wrote:
> > > > > > > Hi,
> > > > > > >
> > > > > > > Question:
> > > > > > > Do we want to get into Unit Testing and SDLC methodology in this guide?
> > > > > > > I thought they would be more suited to Andrew's dev guide or the code
> > > > > > > review project.
> > > > > > > Unit testing is related to testing small blocks of a system
> > > > > > > individually and hence a development phase done prior to system and
> > > > > > > integration testing.
> > > > > > > The Guide currently focuses on penetration testing which is "After the
> > > > > > > Fact" testing and not really done until the system is developed.
> > > > > > >
> > > > > > > What y'all think?
> > > > > > >
> > > > > > > Eoin
> > > > > > >
> > > > > > _______________________________________________
> > > > > > Owasp-testing mailing list
> > > > > > Owasp-testing at lists.owasp.org
> > > > > > http://lists.owasp.org/mailman/listinfo/owasp-testing
> > > > > >
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > > Eoin Keary OWASP - Ireland
> > > > > http://www.owasp.org/local/ireland.html
> > > > >  http://www.owasp.org/index.php/OWASP_Testing_Project
> > > > > http://www.owasp.org/index.php/OWASP_Code_Review_Project
> > > > >
> > > > >
> > > > >
> > > >
> > >
> > >
> > >
> >
> >
> >
>
>
>


-- 
Matteo Meucci
OWASP-Italy Chair, CISSP, CISA
site: http://www.owasp.org/index.php/Italy
mail: matteo.meucci at owasp.org
ml: http://lists.owasp.org/mailman/listinfo/owasp-italy
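The redirect-without-exit flaw Stefano describes above, checked the way he suggests: with a raw response (as curl -i shows it) rather than a browser that follows the redirect and hides the body. This is an added example, not code from the thread or from the Testing Guide; the sample responses are constructed, and the marker strings are an assumption the tester supplies for the page under test.

```python
"""Spot a login gate that sends a Location header but keeps executing.

A browser follows the 30x redirect and never renders the body, so the
leak is invisible there. A raw client (curl -si URL > resp.txt) keeps
whatever the server emitted after the status line; this parser flags it.
"""


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_code, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def leaks_after_redirect(raw: bytes, markers) -> bool:
    """True if a redirect response still carries protected-page content.

    markers: byte strings known to appear only on the protected page
    (a logout link, a greeting). They are supplied by the tester, so they
    are an assumption of this example, not a universal signature.
    """
    status, headers, body = parse_response(raw)
    if not (300 <= status < 400 and "location" in headers):
        return False  # not a redirect, so nothing to compare against
    lowered = body.lower()
    return any(m.lower() in lowered for m in markers)


# Constructed sample: the flawed gate, header() with no exit after it.
LEAKY = (
    b"HTTP/1.1 302 Found\r\nLocation: redir.php\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html><body>Welcome back, admin. "
    b"<a href='logout.php'>Logout</a></body></html>"
)
# Constructed sample: the fixed gate, exit right after header().
CLEAN = b"HTTP/1.1 302 Found\r\nLocation: redir.php\r\nContent-Length: 0\r\n\r\n"

MARKERS = (b"logout.php", b"Welcome back")  # assumed protected-page strings

if __name__ == "__main__":
    for name, resp in (("leaky", LEAKY), ("clean", CLEAN)):
        print(name, "leaks content after redirect:",
              leaks_after_redirect(resp, MARKERS))
```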


