[Owasp-testing] Updated Index draft

Matteo Flora mf at matteoflora.com
Sat Jun 7 07:00:29 EDT 2008


On Fri, Jun 6, 2008 at 9:42 PM, kevin horvath <kevin.horvath at gmail.com> wrote:
> I know everyone is busy writing but if anyone could help and do a

Not everybody is busy writing. Someone is READING :)

> quick review of one of my sections I would appreciate it.

Nice work, really.

If I may add a little side-note: I've seen you've suggested the
use of webapp proxies for analyzing POST requests. It should, in my
opinion, be clarified that the use of proxies (or browser plugins) is a
good methodology all over, even for GET requests.

More and more, in fact, as you know, GETs and POSTs are manipulated
or generated via JS, and you don't get a clear image of what happens
behind the curtains of the code even by taking a look at the page source.
Add to this multiple JS inclusions, a little bit of obfuscation (think
about Google Analytics scripts) and some fast redirects (as in Tivoli
Access Manager, for example), and I think anyone will understand why
WebScarab and/or TamperData and/or [include_your_fave_app_here] is vital...
...and better not forget those pesky little iframes that always get
neglected when you don't use a proxy...

I know you use proxies; I only see the opportunity for doing some
gentle concept bashing into the minds of "newbies" and people seeking
a good start in a testing methodology :)

Of course these are just my $0.02 (or €.0012 at the actual exchange rate =])

Matteo. (the OTHER Italian Matteo)

-- 
Matteo G.P. Flora // www.matteoflora.com // mf(at)matteoflora(dot)com
Security Consultant and New Media Strategic Consultant

Profile www.linkedin.com/in/matteoflora || Blog www.lastknight.com ||
Twitter www.twitter.com/lastknight || Facebook
http://www.facebook.com/profile.php?id=502992052
