[Owasp-testing] Brainstorming about the new Index

Eoin eoinkeary at gmail.com
Sat Oct 14 15:33:04 EDT 2006


For some reason one's account corrupts when you tick "remember me"

On 14/10/06, Daniel Cuthbert <daniel.cuthbert at owasp.org> wrote:
>
> I can't believe we have this issue :0)
>
> Jeff, is this an ongoing issue with our implementation of the Wiki? Do
> Wiki know themselves about the bug?
>
>
> On 14 Oct 2006, at 03:14, Eoin Keary wrote:
>
> >
> > Dan if you create a new account the problem will go away.
> >
> >> From: Daniel Cuthbert <daniel.cuthbert at owasp.org>
> >> To: owasp-testing at lists.owasp.org
> >> CC: owasp-leaders at lists.owasp.org
> >> Subject: Re: [Owasp-testing] Brainstorming about the new Index
> >> Date: Fri, 13 Oct 2006 21:20:53 +0700
> >>
> >> nope, seems something isn't happy with our version of wiki and mac
> >> support
> >>
> >> Andrew, you use a mac, have you seen this before?
> >> On 13 Oct 2006, at 20:11, Eoin wrote:
> >>
> >>> Yep, had this before, don't turn on "remember me" and clear your
> >>> cache.
> >>> That seems to solve the problem
> >>>
> >>> On 13/10/06, Daniel Cuthbert <daniel.cuthbert at owasp.org> wrote:
> >>> Anyone else having an issue with the Wiki?
> >>> seems once I go through the authentication process, the site returns
> >>> a blank page
> >>>
> >>> confused!
> >>> On 13 Oct 2006, at 18:10, Matteo Meucci wrote:
> >>>
> >>> > I've talked about "4.2 Information Gathering" and "4.8 Infrastructure
> >>> > and configuration Testing" with Carlo and Stefano.
> >>> > (http://www.owasp.org/index.php/OWASP_Testing_Guide_v2_Table_of_Contents)
> >>> >
> >>> > Maybe we can merge these like that (deleting par. 4.8):
> >>> >
> >>> > 4.2 Information Gathering
> >>> > 4.2.1 Spidering and googling
> >>> > 4.2.2 Analysis of error codes
> >>> > 4.2.3 Infrastructure configuration management testing
> >>> > SSL/TLS Testing
> >>> > 4.2.4 Application configuration management testing
> >>> > File extensions handling
> >>> > Old, backup and unreferenced files
> >>> >
> >>> > What is your opinion?
> >>> > Mat
> >>> >
> >>> >
> >>> > On 10/13/06, Matteo Meucci <matteo.meucci at gmail.com> wrote:
> >>> >> Perfect.
> >>> >> Thank you Stefano, I've added:
> >>> >> 4.4.4 Directory traversal/file include
> >>> >>
> >>> >> What about your second idea...where can we insert this item?
> >>> >>
> >>> >> Mat
> >>> >>
> >>> >> On 10/13/06, Stefano Di Paola <wisec at wisec.it> wrote:
> >>> >>> Just a couple of things that come to my mind (thanks to Matteo and
> >>> >>> Alberto)...
> >>> >>>
> >>> >>> Data Validation Testing chapter misses a little par. about
> >>> >>> directory traversal/local file include and remote file include.
> >>> >>>
> >>> >>> Another point is about the authentication and authorization chapter,
> >>> >>> on pages which fail to exit on a redirection when they find the
> >>> >>> login/passwd are wrong.
> >>> >>> An example below in PHP:
> >>> >>> <?php
> >>> >>> if (!islogged())
> >>> >>>     header("Location: redir.php");
> >>> >>> // without exit, the logged-in code below still runs and its output
> >>> >>> // is sent as the body of the redirect response
> >>> >>> // logged-in code ...
> >>> >>> ?>
> >>> >>>
> >>> >>> Maybe in these cases a paragraph is worth writing to cover the
> >>> >>> issue and to point out the use of command line raw requests like
> >>> >>> curl and related.
> >>> >>>
> >>> >>> Stefano
> >>> >>>
> >>> >>>
> >>> >>>
> >>> >>> On Thu, 2006-10-12 at 11:51 +0200, Matteo Meucci wrote:
> >>> >>>> Yes,
> >>> >>>> I think you are right: this paragraph already exists.
> >>> >>>> Look at:
> >>> >>>> (http://www.owasp.org/index.php/OWASP_Testing_Guide_v2_Table_of_Contents)
> >>> >>>> 4.6 Data Validation Testing 0% TD
> >>> >>>> 4.6.1 Cross site scripting 0% TD
> >>> >>>> 4.6.1.1 Incubated attacks 0% TD
> >>> >>>>
> >>> >>>> Ariel maybe says that Incubated attacks are a combination of SQL Inj
> >>> >>>> and XSS, but we can reasonably affirm that it is a particular XSS
> >>> >>>> attack.
> >>> >>>> In the same paragraph we can show an example of how an XSS Inc
> >>> >>>> Attack works exploiting an SQL Inj vulnerability.
> >>> >>>> Right?
> >>> >>>>
> >>> >>>> Mat
> >>> >>>>
> >>> >>>>
> >>> >>>>
> >>> >>>> On 10/12/06, Eoin <eoinkeary at gmail.com> wrote:
> >>> >>>>> Hi,
> >>> >>>>> incubated attacks are important enough to warrant a section
> >>> >>>>> under XSS. It is another variant of XSS.
> >>> >>>>> Matteo, what do you think?
> >>> >>>>>
> >>> >>>>>
> >>> >>>>>
> >>> >>>>> On 11/10/06, Ariel Waissbein <wata.34mt at coresecurity.com> wrote:
> >>> >>>>>> Hi all,
> >>> >>>>>>
> >>> >>>>>> my first post and 2 cents here:
> >>> >>>>>>
> >>> >>>>>> I guess we should make a distinction between the techniques of
> >>> >>>>>> unit testing and the results of UT. Even if UT can be used to...
> >>> >>>>>> e.g., discover BO or SQL-injection vulns.
> >>> >>>>>>
> >>> >>>>>> Although, I noticed that there is an Appendix for fuzzing which is
> >>> >>>>>> another technique for discovering (some) vulnerabilities.
> >>> >>>>>>
> >>> >>>>>>
> >>> >>>>>> A new question: imagine the following situation: The pen tester
> >>> >>>>>> discovers a SQL-injection vulnerability in a webapp he is auditing.
> >>> >>>>>> This vuln. allows him to store some javascript in the Db and
> >>> >>>>>> therefore perpetrate an XSS attack (incubated) on the users of this
> >>> >>>>>> webapp.  My question is where do we describe these attacks? (I think
> >>> >>>>>> they are important enough to be included somewhere.)
> >>> >>>>>>
> >>> >>>>>> Cheers,
> >>> >>>>>> Ariel
> >>> >>>>>>
> >>> >>>>>> Eoin Keary wrote:
> >>> >>>>>>> Hi,
> >>> >>>>>>>
> >>> >>>>>>> Question:
> >>> >>>>>>> Do we want to get into Unit Testing and SDLC methodology in
> >>> >>>>>>> this guide?
> >>> >>>>>>> I thought they would be more suited to Andrew's dev guide or
> >>> >>>>>>> the code review project.
> >>> >>>>>>> Unit testing is related to testing small blocks of a system
> >>> >>>>>>> individually and hence a development phase done prior to
> >>> >>>>>>> system and integration testing.
> >>> >>>>>>> The Guide currently focuses on penetration testing which is
> >>> >>>>>>> "After the Fact" testing and not really done until the system is
> >>> >>>>>>> developed.
> >>> >>>>>>>
> >>> >>>>>>> What y'all think?
> >>> >>>>>>>
> >>> >>>>>>> Eoin
> >>> >>>>>>>
> >>> >>>>>> _______________________________________________
> >>> >>>>>> Owasp-testing mailing list
> >>> >>>>>> Owasp-testing at lists.owasp.org
> >>> >>>>>> http://lists.owasp.org/mailman/listinfo/owasp-testing
> >>> >>>>>>
> >>> >>>>>
> >>> >>>>>
> >>> >>>>>
> >>> >>>>> --
> >>> >>>>> Eoin Keary OWASP - Ireland
> >>> >>>>> http://www.owasp.org/local/ireland.html
> >>> >>>>>  http://www.owasp.org/index.php/OWASP_Testing_Project
> >>> >>>>> http://www.owasp.org/index.php/OWASP_Code_Review_Project
> >>> >>>>>
> >>> >>>>>
> >>> >>>>>
> >>> >>>>
> >>> >>>
> >>> >>>
> >>> >>>
> >>> >>
> >>> >>
> >>> >> --
> >>> >> Matteo Meucci
> >>> >> OWASP-Italy Chair, CISSP, CISA
> >>> >> site: http://www.owasp.org/index.php/Italy
> >>> >> mail: matteo.meucci at owasp.org
> >>> >> ml: http://lists.owasp.org/mailman/listinfo/owasp-italy
> >>> >>
> >>> >
> >>> >
> >>> > --
> >>> > Matteo Meucci
> >>> > OWASP-Italy Chair, CISSP, CISA
> >>> > site: http://www.owasp.org/index.php/Italy
> >>> > mail: matteo.meucci at owasp.org
> >>> > ml: http://lists.owasp.org/mailman/listinfo/owasp-italy
> >>>
> >>>
> >>>
> >>>
> >>> --
> >>> Eoin Keary OWASP - Ireland
> >>> http://www.owasp.org/local/ireland.html
> >>> http://www.owasp.org/index.php/OWASP_Testing_Project
> >>> http://www.owasp.org/index.php/OWASP_Code_Review_Project
> >>
> >
> >
> >
> >
>
>



-- 
Eoin Keary OWASP - Ireland
http://www.owasp.org/local/ireland.html
http://www.owasp.org/index.php/OWASP_Testing_Project
http://www.owasp.org/index.php/OWASP_Code_Review_Project
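As an added example (not code from the thread or from the Testing Guide), the redirect-without-exit pattern Stefano describes, placed beside its corrected form in PHP; the helper names `is_logged_in`, `render_secret_report` and the page name `login.php` are assumed for illustration.

```php
<?php
// Assumed helper: a minimal session check standing in for the app's own.
function is_logged_in(): bool
{
    return isset($_SESSION['user']);
}

// Constructed placeholder for the protected content of the page.
function render_secret_report(): string
{
    return "<h1>Internal report</h1>";
}

// VULNERABLE: header() only queues the Location header. Without exit the
// script keeps running, so the protected HTML is emitted as the body of
// the 302 response. A client that does not follow redirects (e.g. a raw
// curl request without -L) receives that body even when not logged in.
function vulnerable_page(): void
{
    if (!is_logged_in()) {
        header('Location: login.php');
    }
    echo render_secret_report();   // still executed for anonymous users
}

// FIXED: stop execution immediately after queuing the redirect, so no
// protected output can follow it.
function fixed_page(): void
{
    if (!is_logged_in()) {
        header('Location: login.php', true, 302);
        exit;                      // nothing below is reached or sent
    }
    echo render_secret_report();
}
```

When testing, a raw request with `curl -i` (no `-L`) shows whether a 302 still carries protected content in its body; a correct page returns the redirect with an empty body.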

