[Owasp-testing] Updated Index draft
kevin.horvath at gmail.com
Sat Jun 7 09:21:14 EDT 2008
Thank you for your responses. As for the GET requests I intended the
proxy to be used for all requests not just the POST's. In the
description I say that I trap every request and every response
additionally I also note that every interesting GET/POST should be
recorded in the spreadsheet and cross referenced to the request number
in the proxy. Although I will look at it again to try to make sure it
is more clear so that new readers to the project don't misunderstand
it. Thanks again for all the help so far as it is very much
On Sat, Jun 7, 2008 at 7:00 AM, Matteo Flora <mf at matteoflora.com> wrote:
> On Fri, Jun 6, 2008 at 9:42 PM, kevin horvath <kevin.horvath at gmail.com> wrote:
>> I know everyone is busy writing but if anyone could help and do a
> Non everybody is busy writing. Someone is READING :)
>> quick review of one of my sections I would appreciate it.
> Nice work, really.
> If only I'm allowed a little side-note I've seen you've suggested the
> use of webapp proxies for analyzing POST requests. It should, in my
> opinion, be clarified that use of proxies (or browser plugins) are a
> good methodology all-over even in GET requests.
> More and more over, in fact, as you know GET and POSTs are manipuleted
> or generated via JS and a clear imagine of what happens behind the
> courtains of the code even taking a look at the page source. Add to
> this multiple JS inclusion, a little bit of obfuscation (think about
> Google Analytics scripts) and some fast redirect (as in Tivoli Access
> Manager, for example) and I think anyone will understand why WebScarab
> and/or Tamperdata and/or [include_your_fave_app_here] is vital...
> ...and better not forget those pesky little Iframes that always get
> neglected when you don't use a proxy...
> I know you use prokies, I see only the oportunity for doing some
> gentle concept bashing into the minds of "newbies" and people seeking
> a good start in a testing methodology :)
> Of course these are just my $0.02 (or €.0012 at the actual exchange rate =])
> Matteo. (the OTHER italian Matteo)
> Matteo G.P. Flora // www.matteoflora.com // mf(at)matteoflora(dot)com
> Security Consultant and New Media Strategic Consultant
> Profile www.linkedin.com/in/matteoflora || Blog www.lastknight.com ||
> Twitter www.twitter.com/lastknight || Facebook
More information about the Owasp-testing