[Owasp-testing] Defect report and questions on OWASP TESTING GUIDE V3.0

Kuge, Tetsuo tetsuo.kuge at hp.com
Mon May 17 18:21:30 EDT 2010

Hello Matteo,
Good morning.

Thank you for your feedback.

> >   1) item4 in section 4.5.1: What is each comma for and what is each period
> >      for?  In Japanese, the decimal point is represented with a period.
> >      Commas in Japanese are usually used as a separator of some items or
> >      of three digits for large integers.
> Do you refer to the table at page 154?
> 1,2 or 1.2 means: 1 integer and 2 decimal
> 1,2E+3: is exponential notation = 1,2*10^3 = 1200
> Could you give us an example, please?

From the column name "Brute Force Attempts", I assumed it was a non-negative integer
counting the number of attempts.

At first, checking the Brute Force Attempts values for X_ID, X_ID_YACAS and CAS_SCC
reminded me of the old days when I used FORTRAN at university, yet I found that the
decimal point seems to switch from period to comma; and for vgnvisitor, switching
from period to comma suggests mixed decimal values.
Then I noticed that there are lots of commas in the Character Set columns, which
seems the usual usage of commas in Japanese for enumerating character items.

So I decided to treat this topic as a question to the author about the exact meaning
of the value treatment.

According to your description, each column for Randomness Index and Brute Force Attempts
has one value, and the values of Brute Force Attempts are not integers, right?

> >   2) item9 in section 4.6.3: What do you want to state specifically with
> >      the vague usage of "another user" and "the user"?
> The Guide says: "The tester should try to access such functions as
> another user in order to verify, for example, if it is possible to
> access a function that should not be permitted by the user's
> role/privilege (but might be permitted as another user)."
> We are describing the section "Testing for Privilege escalation". With
> another user we mean to test the application with a set of credentials
> of a user with different privileges. So we can verify what a different
> user with different role/privileges could do with the application.

So "the user's role/privilege" means the tester's role/privilege
in the sentence checked in item9, right?

> >   3) item13 in section 4.7: What does asking "the business" mean?
> "If you are a third-party tester, then you're going to have to use
> your common sense and ask the business if different operations should
> be allowed by the
> application". Yes, we mean to ask the team or person responsible for
> the application: you need people who know exactly the design of
> the target application. The idea is to test if it is possible to "use"
> the application in a different way from the original design.
> >   4) item16 in section 4.7: What is "~8"?
> ~8h means: approximately 8 hours (a range from 7h 55 min to 8h 5 min,
> for example).

Bingo, my guess seems not so far from what the author wanted to state.
I could not find any example of that expression with dictionary queries
and some google/yahoo/goo searches.

Thank you for your feedback, again.
We may have to ask or report to the authors about what we find,
after reviewing the merged Japanese V3 before submitting it to OWASP.

