[Owasp-testing] Status Report - Testing Guide v2 - 22nd October 06

Matteo Meucci matteo.meucci at gmail.com
Wed Oct 25 19:29:47 EDT 2006


Hi Vicente,
Yes I think it's perfect. Thank you.
Do you think you can write down the article by 5th November (our 1st Deadline)?

Thanks,
Mat

On 10/25/06, Vicente Aguilera <vaguilera at isecauditors.com> wrote:
> Hi all,
>
> If it seems correct to you, I can take charge of the paragraph
> "IMAP/SMTP Injection"
>
> I have experience with the exploitation of this technique on different
> webmails:
> http://www.squirrelmail.org/security/issue/2006-02-15
> http://hastymail.sourceforge.net/security.php
> and others.
>
>
> Regards,
>
> _________________________________
> Vicente Aguilera Díaz
> Consultor en Seguridad
> CISA, CISSP, ITIL, CEH Instructor, OPSA, OPST
> vaguilera at isecauditors.com
> PGP: 0xC0F8EAFC - 66B6 56A8 39E0 7667 AF6F  1088 8ED6 4A77 C0F8 EAFC
>
> Internet Security Auditors, S.L.
> c. Santander, 101. Edif. A. 2º 1ª.
> 08030 Barcelona
> Tel: +34.933.051.318
> Fax: +34.932.782.248
> www.isecauditors.com
>           ____________________________________
> Este mensaje y los documentos que, en su caso lleve anexos, pueden contener información CONFIDENCIAL. Por ello, se informa al destinatario que la información contenida en el mismo es reservada y su uso no autorizado, publicación o difusión, entera o parcialmente, tanto en formato o medio físico como electrónico, sin el previo consentimiento de Internet Security Auditors, está prohibida legalmente.
>
> Si ha recibido este correo por error, le rogamos que nos lo comunique por la misma vía o por teléfono (93 305 13 18), se abstenga de realizar copias del mensaje o remitirlo o entregarlo a otra persona y proceda a borrarlo de inmediato.
>
> En cumplimiento de la Ley Orgánica 15/1999 de 13 de diciembre de protección de datos de carácter personal, Internet Security Auditors S.L., le informa de que sus datos personales se han incluido en ficheros informatizados titularidad de Internet Security Auditors S.L., que será el único destinatario de dichos datos, y cuya finalidad exclusiva es la gestión de clientes y acciones de comunicación comercial, y de que tiene la posibilidad de ejercer los derechos de acceso, rectificación, cancelación y oposición previstos en la ley mediante carta dirigida a Internet Security Auditors, c. Santander, 101. Edif. A. 2º 1ª, 08030 Barcelona, o vía e-mail a la siguiente
> dirección de correo: legal at isecauditors.com
>
>
>
>
> Matteo Meucci escribió:
> > Hi all,
> > Here is the status report of the 3rd week:
> >
> >  Week 03 - Oct 22
> > =============
> > * Assigned a paragraph for each contributor: we have set up a high quality team.
> > * Edited the Template for Chapter 4: now we have a new paragraph
> > titled "Brief Summary" in which we we describe in "natural language"
> > what we want to test.
> > * Begin to write the firt draft: deadline 5th November
> > * Begin to talk about how to write a report (Chapter 5).
> >
> > Next:
> > ====
> > * Discussion about how to write each paragraph.
> >
> > Paragraph not yet assigned:
> > ====================
> > 4.4 Authentication Testing (50%, TD)
> > 4.4.1 Default or guessable (dictionary) user account (90%, TD)
> > 4.5.4 Exposed session variables (0%,TD)
> > 4.6.2.1 Stored procedure injection (0%,TD)
> > 4.6.3 ORM Injection (0%,TD)
> > 4.6.8 IMAP/SMTP Injection (0%, TD)
> > 4.6.9 Code Injection (0%, TD)
> > 4.6.10 OS Commanding (0%, TD)
> >
> > Progress State of each paragraph (on Wiki portal):
> > ====================================
> >
> > Introduction
> > -----------------------------------------------------
> > 2.1 The OWASP Testing Project (100%, Review)
> > 2.2 Principles of Testing (100%, Review)
> > 2.3 Testing Techniques Explained (100%, Review)
> >
> > The OWASP Testing Framework
> > -----------------------------------------------------
> > Mark Curphey, Daniel Cuthbert, Andrew van der Stock, Larry Shields,
> > Javier Fernández-Sanguino, Stan Guzik, Harinath Pudipeddi, Glyn
> > Geoghegan, Mauro Bregolin
> > 3.1. Overview (90%, Review)
> > 3.2. Phase 1 — Before Development Begins (100%, Review)
> > 3.3. Phase 2: During Definition and Design(100%, Review)
> > 3.4. Phase 3: During Development(100%, Review)
> > 3.5. Phase 4: During Deployment(100%, Review)
> > 3.6. Phase 5: Maintenance and Operations(100%, Review)
> > 3.7. A Typical SDLC Testing Workflow (100%, Review)
> >
> > Web Application Penetration Testing
> > -----------------------------------------------------
> > 4.1 Introduction and objectives (0%, Matteo Meucci)
> > 4.2 Information Gathering (0%, Carlo Pelliccioni)
> > 4.2.1 Spidering and googling (0%, Tom Brennan)
> > 4.2.2 Analysis of error code (30%, Carlo Pelliccioni)
> > 4.2.3 Infrastructure configuration management testing (80%, Review)
> > 4.2.3.1 SSL/TLS Testing (100%,Mauro Bregolin,Review)
> > 4.2.3.2 DB Listener Testing (0%, Alexander Kornbrust)
> > 4.2.4 Application configuration management testing (80%, TD)
> > 4.2.4.1 File extensions handling (80%,Mauro Bregolin, Review)
> > 4.2.4.1 Old, backup and unreferenced files (80%,Mauro Bregolin, Review)
> > 4.3 Business logic testing (50%,Madhura Halasgikar)
> > 4.4 Authentication Testing (50%, TD)
> > 4.4.1 Default or guessable (dictionary) user account (90%, TD)
> > 4.4.2 Brute Force (0%,Giorgio Fedon, Andrea Lombardini)
> > 4.4.3 Bypassing authentication schema (0%,Giorgio Fedon, Andrea Lombardini)
> > 4.4.4 Directory traversal/file include (0%, Luca Carettoni)
> > 4.4.5 Vulnerable remember password and pwd reset (90%, Alberto Revelli)
> > 4.4.6 Logout and account expiry (0%,Alberto Revelli)
> > 4.5 Session Management Testing (0%,Glyn Geoghegan)
> > 4.5.1 Cookie and Session token Manipulation(reg, forg/brute force)
> > (100%,Alberto Revelli, Matteo Meucci Review)
> > 4.5.2 Weak session tokens (70%, Meucci)
> > 4.5.3 Session Riding (XSRF) (100%, Mauro Bregolin,Review)
> > 4.5.4 Exposed session variables (0%,TD)
> > 4.5.5 HTTP Exploit (0%, Arian J.Evans)
> > 4.6 Data Validation Testing 0% TD
> > 4.6.1 Cross site scripting (0%, Tom Brennan)
> > 4.6.1.1 HTTP Methods and XST (0%, Alberto Revelli)
> > 4.6.2 SQL Injection (0%, Alexander Kornbrust, Antonio Parata)
> > 4.6.2.1 Stored procedure injection (0%,TD)
> > 4.6.2.2 Oracle testing (0%,Alexander Kornbrust)
> > 4.6.2.3 MySQL testing (0%, Stefano Di Paola)
> > 4.6.2.4 SQL Server testing (0%,Ariel Waissbein)
> > 4.6.3 ORM Injection (0%,TD)
> > 4.6.4 LDAP Injection (0%,Stefano Di Paola)
> > 4.6.5 XML Injection (0%,Antonio Parata, Stefano Di Paola)
> > 4.6.6 SSI Injection (0%,Claudio Merloni)
> > 4.6.7 XPath Injection (0%, Antonio Parata, Alberto Revelli, Stefano Di Paola)
> > 4.6.8 IMAP/SMTP Injection (0%, TD)
> > 4.6.9 Code Injection (0%, TD)
> > 4.6.10 OS Commanding (0%, TD)
> > 4.6.11 Buffer overflow Testing (100%, Review)
> > 4.6.11.1 Heap overflow (100%, Review)
> > 4.6.11.2 Stack overflow (100%, Review)
> > 4.6.11.3 Format string (100%, Review)
> > 4.6.12 Incubated vulnerability testing (0%,Ariel Waissbein)
> > 4.7 Denial of Service Testing 95% Review
> > 4.7.1 Locking Customer Accounts 100% Review
> > 4.7.2 Buffer Overflows 100% Review
> > 4.7.3 User Specified Object Allocation 100% Review
> > 4.7.4 User Input as a Loop Counter 100% Review
> > 4.7.5 Writing User Provided Data to Disk 100% Review
> > 4.7.6 Failure to Release Resources 100% Review
> > 4.7.7 Storing too Much Data in Session 90% Review
> > 4.8 Web Services Testing (0%,Eoin Keary, Mark Roxberry)
> > 4.8.1 XML Structural Testing (0%)
> > 4.8.2 XML content-level Testing (0%)
> > 4.8.3 HTTP GET parameters/REST Testing (0%)
> > 4.8.4 Naughty SOAP attachments (0%)
> > 4.8.5 Brute force Testing (0%)
> > 4.9 AJAX Testing (0%, Dan Cornell, Giorgio Fedon, Stefano Di Paola)
> > 4.9.1 Vulnerabilities (0%, Anush Shetty)
> > 4.9.2 How to test (0%)
> >
> > Writing Reports: value the real risk
> > -----------------------------------------------------
> > 5.1 How to value the real risk (0%, Daniel Cuthbert, Matteo Meucci,
> > Sebastien Deleersnyder)
> > 5.2 How to write the report of the testing (0%, Daniel Cuthbert, Tom
> > Brennan) TD
> >
> > Thanks,
> > Mat
> >
> >
> > --
> > Matteo Meucci
> > OWASP-Italy Chair, CISSP, CISA
> > http://www.owasp.org/index.php/Italy
> > OWASP Testing Guide AoC
> > http://www.owasp.org/index.php/OWASP_Autumn_of_Code_2006_-_Projects:_Testing_Guide
> > _______________________________________________
> > Owasp-testing mailing list
> > Owasp-testing at lists.owasp.org
> > http://lists.owasp.org/mailman/listinfo/owasp-testing
> >
> >
>
>
>


-- 
Matteo Meucci
OWASP-Italy Chair, CISSP, CISA
http://www.owasp.org/index.php/Italy
OWASP Testing Guide AoC lead
http://www.owasp.org/index.php/OWASP_Autumn_of_Code_2006_-_Projects:_Testing_Guide



More information about the Owasp-testing mailing list