[Owasp-testing] Defect report and questions on OWASP TESTING GUIDE V3.0

Matteo Meucci matteo.meucci at gmail.com
Sun May 16 06:24:33 EDT 2010


Hi Tetsuo,
thanks for your questions.

>   1) item4 in section 4.5.1: What is each comma for and what is each period
>      for?  In Japanese, the decimal point is represented with a period.
>      Commas in Japanese are usually used as a separator of some items or
>      of three digits for large integers.

Do you refer to the table on page 154?
1,2 or 1.2 means: 1 integer and 2 decimal
1,2E+3: is exponential notation = 1,2*10^3 = 1200
Could you give us an example, please?

>   2) item9 in section 4.6.3: What do you want to state specifically with
>      vague usage of "another user"s and "the user"?

The Guide says: "The tester should try to access such functions as
another user in order to verify, for example, if it is possible to
access a function that should not be permitted by the user's
role/privilege (but might be permitted as another user)."
We are describing the section "Testing for Privilege escalation". With
another user we mean to test the application with a set of credentials
of a user with different privileges. So we can verify what a different
user with different role/privileges could do with the application.

>   3) item13 in section 4.7: What does asking "the business" mean?

"If you are a third-party tester, then you're going to have to use
your common sense and ask the business if different operations should
be allowed by the application". Yes, we mean to ask the team or person
responsible for the application: you need people who know exactly the
design of the target application. The idea is to test if it is possible
to "use" the application in a different way from the original design.

>   4) item16 in section 4.7: What is "~8"?

~8h means: approximately 8 hours (a range from 7h 55 min to 8h 5 min
for example).

> How are you tracking defects in each document?
We use the wiki as the updated version, so when we create a new
version in PDF we can use this version, which is more up to date than the PDF.
If you find errors you can report them directly to me and I'll update the wiki.

Hope this helps,
thanks!
Mat


2010/5/16 Kuge, Tetsuo <tetsuo.kuge at hp.com>:
> Hello,
> Here is a list of defects and questions to the authors.
> I am Tetsuo Kuge, a member of a team to interpret OWASP
> TESTING GUIDE V3.0 into Japanese.
> My part is from section 4.5 to 4.8.2.
>
> The attached excel file contains a list of query items
> including defects and questions.
>
> -  The Page number is based on OWASP_Testing_Guide_V3.pdf
>
> -  The Category, Type and Sub Category are just as my suggestion.
>   I am hoping to find some practical criteria all over the OWASP
>   TESTING GUIDE V3.0 but I do not know current status of other
>   sections for now.
>
> -  There are three questions to be confirmed to the Authors.
>   1) item4 in section 4.5.1: What is each comma for and what is each period
>      for?  In Japanese, the decimal point is represented with a period.
>      Commas in Japanese are usually used as a separator of some items or
>      of three digits for large integers.
>   2) item9 in section 4.6.3: What do you want to state specifically with
>      vague usage of "another user"s and "the user"?
>   3) item13 in section 4.7: What does asking "the business" mean?
>   4) item16 in section 4.7: What is "~8"?
>
> How are you tracking defects in each document?
> The Typos page looks just for typos.  Semantic defects and logical defects seem out of scope for the page.
> --
> Regards,
> Tetsuo.
>
> Full name        Tetsuo Kuge       Hewlett-Packard Japan, Ltd.
> E-mail  tetsuo.kuge at hp.com
>



-- 
Matteo Meucci
OWASP-Italy Chair, CISSP, CISA
http://www.owasp.org/index.php/Italy
OWASP Testing Guide lead
http://www.owasp.org/index.php/Testing_Guide
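Item 1 above explains that the guide's table treats 1,2 and 1.2 as the same value and 1,2E+3 as 1200. As an added example, not from the guide or from either message in this thread, here is a Python input validator that accepts both decimal conventions unambiguously, rejects grouping and double separators, and refuses non-finite or out-of-range results; the length limit and the `max_abs` bound are assumptions.

```python
import math
import re

# Anchored allowlist: optional sign, digits, at most one decimal separator
# (comma or period, both meaning "decimal point" as in the guide's table),
# optional exponent. Thousands grouping is deliberately not accepted, so
# "1.200,50" and "1,2,3" are rejected instead of being guessed at.
_NUMBER_RE = re.compile(
    r"(?P<sign>[+-]?)(?P<int>\d+)(?:(?P<sep>[.,])(?P<frac>\d+))?"
    r"(?:[eE](?P<exp>[+-]?\d+))?"
)


def normalize_number(raw, max_abs=1e12):
    """Return a float for a valid decimal in either convention, else None.

    Accepts "1.2", "1,2", "1,2E+3", "-3,5"; rejects anything outside the
    allowlist (letters, quotes, two separators, grouping, huge exponents).
    The 32-character limit and max_abs bound are assumed policy values.
    """
    if not isinstance(raw, str) or len(raw) > 32:
        return None
    m = _NUMBER_RE.fullmatch(raw.strip())
    if m is None:
        return None
    frac = m.group("frac") or "0"
    # Rebuild the value in the one form Python's float() understands,
    # so a comma decimal is converted rather than silently rejected.
    canonical = f"{m.group('sign')}{m.group('int')}.{frac}"
    if m.group("exp") is not None:
        canonical += f"e{m.group('exp')}"
    value = float(canonical)
    # float("1e999") yields inf rather than raising; treat it as invalid.
    if not math.isfinite(value) or abs(value) > max_abs:
        return None
    return value


if __name__ == "__main__":
    # Constructed sample inputs: the guide's formats plus a few rejects.
    for sample in ["1.2", "1,2", "1,2E+3", "-3,5", "1.200,50", "1e999", "abc"]:
        print(repr(sample), "->", normalize_number(sample))
```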