[Owasp-testing] Status Report - Testing Guide v2 - 22nd October 06

Matteo Meucci matteo.meucci at gmail.com
Thu Oct 26 12:13:34 EDT 2006


Yes,
that's great.
Thank you,
Mat

On 10/26/06, Vicente Aguilera <vaguilera at isecauditors.com> wrote:
> Hi Mat,
>
> Yes, I think that I can write the article for the 5th November.
> I will use the template created for the chapter 4 (http: //
> www.owasp.org/index.php/IMAP/SMTP_Injection_Testing_AoC).
> Ok?
>
> Regards,
> -- Vicente Aguilera
>
>
> Matteo Meucci escribió:
> > Hi Vicente,
> > Yes I think it's perfect. Thank you.
> > Do you think you can write down the article by 5th November (our 1st
> > Deadline)?
> >
> > Thanks,
> > Mat
> >
> > On 10/25/06, Vicente Aguilera <vaguilera at isecauditors.com> wrote:
> >> Hi all,
> >>
> >> If it seems correct to you, I can take charge of the paragraph
> >> "IMAP/SMTP Injection"
> >>
> >> I have experience with the exploitation of this technique on different
> >> webmails:
> >> http://www.squirrelmail.org/security/issue/2006-02-15
> >> http://hastymail.sourceforge.net/security.php
> >> and others.
> >>
> >>
> >> Regards,
> >>
> >> _________________________________
> >> Vicente Aguilera Díaz
> >> Consultor en Seguridad
> >> CISA, CISSP, ITIL, CEH Instructor, OPSA, OPST
> >> vaguilera at isecauditors.com
> >> PGP: 0xC0F8EAFC - 66B6 56A8 39E0 7667 AF6F  1088 8ED6 4A77 C0F8 EAFC
> >>
> >> Internet Security Auditors, S.L.
> >> c. Santander, 101. Edif. A. 2º 1ª.
> >> 08030 Barcelona
> >> Tel: +34.933.051.318
> >> Fax: +34.932.782.248
> >> www.isecauditors.com
> >>           ____________________________________
> >> Este mensaje y los documentos que, en su caso lleve anexos, pueden
> >> contener información CONFIDENCIAL. Por ello, se informa al
> >> destinatario que la información contenida en el mismo es reservada y
> >> su uso no autorizado, publicación o difusión, entera o parcialmente,
> >> tanto en formato o medio físico como electrónico, sin el previo
> >> consentimiento de Internet Security Auditors, está prohibida legalmente.
> >>
> >> Si ha recibido este correo por error, le rogamos que nos lo comunique
> >> por la misma vía o por teléfono (93 305 13 18), se abstenga de
> >> realizar copias del mensaje o remitirlo o entregarlo a otra persona y
> >> proceda a borrarlo de inmediato.
> >>
> >> En cumplimiento de la Ley Orgánica 15/1999 de 13 de diciembre de
> >> protección de datos de carácter personal, Internet Security Auditors
> >> S.L., le informa de que sus datos personales se han incluido en
> >> ficheros informatizados titularidad de Internet Security Auditors
> >> S.L., que será el único destinatario de dichos datos, y cuya
> >> finalidad exclusiva es la gestión de clientes y acciones de
> >> comunicación comercial, y de que tiene la posibilidad de ejercer los
> >> derechos de acceso, rectificación, cancelación y oposición previstos
> >> en la ley mediante carta dirigida a Internet Security Auditors, c.
> >> Santander, 101. Edif. A. 2º 1ª, 08030 Barcelona, o vía e-mail a la
> >> siguiente
> >> dirección de correo: legal at isecauditors.com
> >>
> >>
> >>
> >>
> >> Matteo Meucci escribió:
> >> > Hi all,
> >> > Here is the status report of the 3rd week:
> >> >
> >> >  Week 03 - Oct 22
> >> > =============
> >> > * Assigned a paragraph for each contributor: we have set up a high
> >> quality team.
> >> > * Edited the Template for Chapter 4: now we have a new paragraph
> >> > titled "Brief Summary" in which we we describe in "natural language"
> >> > what we want to test.
> >> > * Begin to write the firt draft: deadline 5th November
> >> > * Begin to talk about how to write a report (Chapter 5).
> >> >
> >> > Next:
> >> > ====
> >> > * Discussion about how to write each paragraph.
> >> >
> >> > Paragraph not yet assigned:
> >> > ====================
> >> > 4.4 Authentication Testing (50%, TD)
> >> > 4.4.1 Default or guessable (dictionary) user account (90%, TD)
> >> > 4.5.4 Exposed session variables (0%,TD)
> >> > 4.6.2.1 Stored procedure injection (0%,TD)
> >> > 4.6.3 ORM Injection (0%,TD)
> >> > 4.6.8 IMAP/SMTP Injection (0%, TD)
> >> > 4.6.9 Code Injection (0%, TD)
> >> > 4.6.10 OS Commanding (0%, TD)
> >> >
> >> > Progress State of each paragraph (on Wiki portal):
> >> > ====================================
> >> >
> >> > Introduction
> >> > -----------------------------------------------------
> >> > 2.1 The OWASP Testing Project (100%, Review)
> >> > 2.2 Principles of Testing (100%, Review)
> >> > 2.3 Testing Techniques Explained (100%, Review)
> >> >
> >> > The OWASP Testing Framework
> >> > -----------------------------------------------------
> >> > Mark Curphey, Daniel Cuthbert, Andrew van der Stock, Larry Shields,
> >> > Javier Fernández-Sanguino, Stan Guzik, Harinath Pudipeddi, Glyn
> >> > Geoghegan, Mauro Bregolin
> >> > 3.1. Overview (90%, Review)
> >> > 3.2. Phase 1 — Before Development Begins (100%, Review)
> >> > 3.3. Phase 2: During Definition and Design(100%, Review)
> >> > 3.4. Phase 3: During Development(100%, Review)
> >> > 3.5. Phase 4: During Deployment(100%, Review)
> >> > 3.6. Phase 5: Maintenance and Operations(100%, Review)
> >> > 3.7. A Typical SDLC Testing Workflow (100%, Review)
> >> >
> >> > Web Application Penetration Testing
> >> > -----------------------------------------------------
> >> > 4.1 Introduction and objectives (0%, Matteo Meucci)
> >> > 4.2 Information Gathering (0%, Carlo Pelliccioni)
> >> > 4.2.1 Spidering and googling (0%, Tom Brennan)
> >> > 4.2.2 Analysis of error code (30%, Carlo Pelliccioni)
> >> > 4.2.3 Infrastructure configuration management testing (80%, Review)
> >> > 4.2.3.1 SSL/TLS Testing (100%,Mauro Bregolin,Review)
> >> > 4.2.3.2 DB Listener Testing (0%, Alexander Kornbrust)
> >> > 4.2.4 Application configuration management testing (80%, TD)
> >> > 4.2.4.1 File extensions handling (80%,Mauro Bregolin, Review)
> >> > 4.2.4.1 Old, backup and unreferenced files (80%,Mauro Bregolin,
> >> Review)
> >> > 4.3 Business logic testing (50%,Madhura Halasgikar)
> >> > 4.4 Authentication Testing (50%, TD)
> >> > 4.4.1 Default or guessable (dictionary) user account (90%, TD)
> >> > 4.4.2 Brute Force (0%,Giorgio Fedon, Andrea Lombardini)
> >> > 4.4.3 Bypassing authentication schema (0%,Giorgio Fedon, Andrea
> >> Lombardini)
> >> > 4.4.4 Directory traversal/file include (0%, Luca Carettoni)
> >> > 4.4.5 Vulnerable remember password and pwd reset (90%, Alberto
> >> Revelli)
> >> > 4.4.6 Logout and account expiry (0%,Alberto Revelli)
> >> > 4.5 Session Management Testing (0%,Glyn Geoghegan)
> >> > 4.5.1 Cookie and Session token Manipulation(reg, forg/brute force)
> >> > (100%,Alberto Revelli, Matteo Meucci Review)
> >> > 4.5.2 Weak session tokens (70%, Meucci)
> >> > 4.5.3 Session Riding (XSRF) (100%, Mauro Bregolin,Review)
> >> > 4.5.4 Exposed session variables (0%,TD)
> >> > 4.5.5 HTTP Exploit (0%, Arian J.Evans)
> >> > 4.6 Data Validation Testing 0% TD
> >> > 4.6.1 Cross site scripting (0%, Tom Brennan)
> >> > 4.6.1.1 HTTP Methods and XST (0%, Alberto Revelli)
> >> > 4.6.2 SQL Injection (0%, Alexander Kornbrust, Antonio Parata)
> >> > 4.6.2.1 Stored procedure injection (0%,TD)
> >> > 4.6.2.2 Oracle testing (0%,Alexander Kornbrust)
> >> > 4.6.2.3 MySQL testing (0%, Stefano Di Paola)
> >> > 4.6.2.4 SQL Server testing (0%,Ariel Waissbein)
> >> > 4.6.3 ORM Injection (0%,TD)
> >> > 4.6.4 LDAP Injection (0%,Stefano Di Paola)
> >> > 4.6.5 XML Injection (0%,Antonio Parata, Stefano Di Paola)
> >> > 4.6.6 SSI Injection (0%,Claudio Merloni)
> >> > 4.6.7 XPath Injection (0%, Antonio Parata, Alberto Revelli, Stefano
> >> Di Paola)
> >> > 4.6.8 IMAP/SMTP Injection (0%, TD)
> >> > 4.6.9 Code Injection (0%, TD)
> >> > 4.6.10 OS Commanding (0%, TD)
> >> > 4.6.11 Buffer overflow Testing (100%, Review)
> >> > 4.6.11.1 Heap overflow (100%, Review)
> >> > 4.6.11.2 Stack overflow (100%, Review)
> >> > 4.6.11.3 Format string (100%, Review)
> >> > 4.6.12 Incubated vulnerability testing (0%,Ariel Waissbein)
> >> > 4.7 Denial of Service Testing 95% Review
> >> > 4.7.1 Locking Customer Accounts 100% Review
> >> > 4.7.2 Buffer Overflows 100% Review
> >> > 4.7.3 User Specified Object Allocation 100% Review
> >> > 4.7.4 User Input as a Loop Counter 100% Review
> >> > 4.7.5 Writing User Provided Data to Disk 100% Review
> >> > 4.7.6 Failure to Release Resources 100% Review
> >> > 4.7.7 Storing too Much Data in Session 90% Review
> >> > 4.8 Web Services Testing (0%,Eoin Keary, Mark Roxberry)
> >> > 4.8.1 XML Structural Testing (0%)
> >> > 4.8.2 XML content-level Testing (0%)
> >> > 4.8.3 HTTP GET parameters/REST Testing (0%)
> >> > 4.8.4 Naughty SOAP attachments (0%)
> >> > 4.8.5 Brute force Testing (0%)
> >> > 4.9 AJAX Testing (0%, Dan Cornell, Giorgio Fedon, Stefano Di Paola)
> >> > 4.9.1 Vulnerabilities (0%, Anush Shetty)
> >> > 4.9.2 How to test (0%)
> >> >
> >> > Writing Reports: value the real risk
> >> > -----------------------------------------------------
> >> > 5.1 How to value the real risk (0%, Daniel Cuthbert, Matteo Meucci,
> >> > Sebastien Deleersnyder)
> >> > 5.2 How to write the report of the testing (0%, Daniel Cuthbert, Tom
> >> > Brennan) TD
> >> >
> >> > Thanks,
> >> > Mat
> >> >
> >> >
> >> > --
> >> > Matteo Meucci
> >> > OWASP-Italy Chair, CISSP, CISA
> >> > http://www.owasp.org/index.php/Italy
> >> > OWASP Testing Guide AoC
> >> >
> >> http://www.owasp.org/index.php/OWASP_Autumn_of_Code_2006_-_Projects:_Testing_Guide
> >>
> >> > _______________________________________________
> >> > Owasp-testing mailing list
> >> > Owasp-testing at lists.owasp.org
> >> > http://lists.owasp.org/mailman/listinfo/owasp-testing
> >> >
> >> >
> >>
> >>
> >>
> >
> >
>
>


-- 
Matteo Meucci
OWASP-Italy Chair, CISSP, CISA
http://www.owasp.org/index.php/Italy
OWASP Testing Guide AoC lead
http://www.owasp.org/index.php/OWASP_Autumn_of_Code_2006_-_Projects:_Testing_Guide



More information about the Owasp-testing mailing list