[Owasp-testing] Testing Guide V4 - Start up

Ismael Rocha ismaelrocha.projetos at gmail.com
Fri Aug 31 16:09:52 UTC 2012


Hello Rick.

I agree with you that MySQL and SQL are much more prevalent.
The fact is there are already MySQL/SQL Server sections in V3. I've put
Oracle just to illustrate that out-of-band and blind SQL
injection techniques are missing for Oracle specifically.
We should have the same techniques/sections for all DBMSs (whenever
possible).

Regards.

Ismael Gonçalves




On Fri, Aug 31, 2012 at 12:00 PM, rick.mitchell at bell.ca <
rick.mitchell at bell.ca> wrote:

>  For SQLi if we’re including Oracle as its own sub-category it would make
> more sense from my perspective and experience to also include MS SQL and
> MySQL (vs. SQLite). (That’s not meant to put down SQLite in any manner, I
> just see the other two as much more prevalent so far....)
>
> *From:* owasp-testing-bounces at lists.owasp.org [mailto:
> owasp-testing-bounces at lists.owasp.org] *On Behalf Of *Ismael Rocha
> *Sent:* August 31, 2012 10:29 AM
> *To:* Amro
> *Cc:* owasp-testing at lists.owasp.org
>
> *Subject:* Re: [Owasp-testing] Testing Guide V4 - Start up
>
> Hello all!
>
> The following are some points I've noticed we can improve/add/discuss.
> It's not organized, it's a brainstorm about some subjects. Maybe some of
> them are already related to some section.
>
> This weekend I'm gonna try to make it organized and submit it to the list.
>
> General
>     LFI/RFI
>
> Application Discovery
>     Entry points
>        -> Include Ajax as well
>
> ViewState tests (.NET/JSF)
>
> SQL Injection
>
>  Oracle
>   Blind SQL Injection
>   Out of band techniques
>
>  SQLite
>   Is it worth adding it?
>
> SSO SAML (SSO Profile)
>  -> Bind (post/get)
>  -> Token Signature
>  -> Anonymity
>  -> OneTimeUse
>  -> NotBefore
>  -> Local Logout
>  -> Global Logout
>  -> DoS
>
> DoS
>  -> Slow HTTP Get
>  -> Slow HTTP Post
>
> SSL Test
>  -> Enhance (maybe based on Qualys SSL Labs results and tests?)
>
> Evasive Techniques
>  -> Is it worth it? One per section or one chapter?
>
> Top Ten X Testing Guide Cross-Reference Table
>
> About the chapter Value The Real Risk I think we have to fix the
> calculations.
> I think the risk rates (low and high) compared to the examples are wrong.
>
> Maybe some things I put here are too specific but maybe it's worth thinking
> about one way to put them.
>
> Regards.
>
> Ismael Gonçalves
>
> On Fri, Aug 31, 2012 at 10:17 AM, Amro <amro at owasp.org> wrote:
>
> We can add both based on the attack factor while a list of WebScarab and ZAP
> capabilities will leave the tester to decide what tool to use without
> pushing him/her for a particular one.
>
> Below are my suggestions
>
> *(Dedicated section for relevant OWASP tools as we need to attract
> supporters)*
>
> *Tool Name:* X Y Z
> *Project leader:* ( This will help the project leader getting suggestions
> to improve his/her project)
> *Short introduction* ( high level introduction that should not exceed one
> or two lines)
> *Features:* ( we can list them or provide a direct link to the project
> wiki)
> *Video tutorial*: ( if applicable )
> *Download: *( direct download link or the project wiki)
>
> And so on .......
>
> I think by doing the above we will hit two birds with one stone ( market
> our tools and leave the tester to decide what tool he/she needs the most
> based on the tool features/capabilities)
>
> Regards,
> Amro
>
>
>
> On 8/31/12 2:48 PM, psiinon wrote:
>
> I'd definitely like to be closely involved in the ZAP related sections,
> but very happy for Amro to lead on it.
>
> Cheers,
>
> Simon
>
> On Fri, Aug 31, 2012 at 11:28 AM, Matteo Meucci <matteo.meucci at owasp.org>
> wrote:
>
> Hi Simon,
> yep I agree.
>
> Maybe we can distinguish as follows for each paragraph:
> - OWASP Tools:
>  (Flagship, Labs, Incubator, Archive)
> - Other Open Source tools:
>
> I think that a contributor should be dedicated to verifying which tests
> are suitable using ZAP (maybe Amro who writes the Appendix A "Testing
> Tools")?
>
> Thanks,
> Mat
>
>
>
>
> On 08/31/2012 09:56 AM, psiinon wrote:
> > I think it's right for us to suggest an open source tool (or tools) for
> > using in each section, however I don't think we should view this as a ZAP
> > vs WebScarab contest.
> > We want to suggest the best possible tool, but I also think that it's
> > reasonable for us to /prefer/ OWASP ones.
> > But we should also favour tools that are more mature and/or more
> > frequently updated.
> > For OWASP tools I think we can rely on the new classifications:
> > Flagship, Labs, Incubator, Archive.
> > So I think it's really a sliding scale.
> > If there's a Flagship OWASP project that is great at finding a specific
> > type of vulnerability then we should definitely use that as the example.
> > If not then we have to balance how relevant that tool is likely to
> > remain.
> > A brand new Incubator project might be great in one specific case, but
> > may also not really be in a fit state for most people to use, or the
> > project may quickly wither and die.
> > And if a well regarded non OWASP open source tool is the best option
> > then we should use that.
> >
> > Going back to ZAP, I obviously hope it will be the ideal tool in many
> > cases :)
> > And helping to establish if this is the case and explaining exactly how
> > ZAP can be used may be the most effective way I can contribute to this
> > guide.
> >
> > But I also want to use this process to learn where ZAP's weaknesses are.
> > And depending on how long it takes to produce the guide we (the ZAP
> > developers) may be able to enhance specific areas of ZAP as the work on
> > the guide develops.
> > So please let me know asap if/when you work on an area of the guide that
> > you don't think ZAP is effective in helping with, or if you would like
> > advice and guidance on how to use ZAP as effectively as possible.
> >
> > Cheers,
> >
> > Simon (ZAP Project Lead)
> >
> > On Thu, Aug 30, 2012 at 10:18 PM, Matteo Meucci <matteo.meucci at owasp.org
> > <mailto:matteo.meucci at owasp.org>> wrote:
> >
> >     Perfect!
> >     I've updated the wiki, thanks!
> >
> >     Mat
> >
> >     On 08/30/2012 11:15 PM, Amro wrote:
> >     > Thanks Mat,
> >     >
> >     > Please assign this task to me and I will make sure that our tool
> >     > sets are updated.
> >     >
> >     > Regards,
> >     > Amro
> >     > Sent from BlackBerry®. Excuse typo's and brevity.
> >     >
> >     > -----Original Message-----
> >     > From: Matteo Meucci <matteo.meucci at owasp.org
> >     <mailto:matteo.meucci at owasp.org>>
> >     > Date: Thu, 30 Aug 2012 23:11:41
> >     > To: <amro at owasp.org <mailto:amro at owasp.org>>
> >     > Cc: <owasp-testing-bounces at lists.owasp.org
> >     <mailto:owasp-testing-bounces at lists.owasp.org>>;
> >     <owasp-testing at lists.owasp.org <mailto:owasp-testing at lists.owasp.org>>
> >     > Subject: Re: [Owasp-testing] Testing Guide V4 - Start up
> >     >
> >     > Hi Amro,
> >     > good question related to the tools. Here we have to update many
> >     > references.
> >     >
> >     > Usually at the end of each article we suggest to use a particular open
> >     > source tool to perform the test. I think we can use and suggest both the
> >     > tools in many situations.
> >     > Also the Appendix A "Testing Tools" should pick all the testing tools
> >     > cited in the Testing Guide and give more details.
> >     >
> >     > Thanks,
> >     > Mat
> >     >
> >     > On 08/30/2012 10:58 PM, Amro wrote:
> >     >> Please count me in as well .. Are we gonna use ZAP instead of
> >     >> WebScarab in the new version?
> >     >>
> >     >> Regards,
> >     >> Amro
> >     >> Sent from BlackBerry®. Excuse typo's and brevity.
> >     >>
> >     >> -----Original Message-----
> >     >> From: Matteo Meucci <matteo.meucci at owasp.org
> >     <mailto:matteo.meucci at owasp.org>>
> >     >> Sender: owasp-testing-bounces at lists.owasp.org
> >     <mailto:owasp-testing-bounces at lists.owasp.org>
> >     >> Date: Thu, 30 Aug 2012 17:40:29
> >     >> To: <owasp-testing at lists.owasp.org
> >     <mailto:owasp-testing at lists.owasp.org>>
> >     >> Subject: [Owasp-testing] Testing Guide V4 - Start up
> >     >>
> >     >> Hi all Testing Guide contributors.
> >     >>
> >     >> Testing Guide v4 has been approved as Projects Reboot 2012!
> >     >> https://www.owasp.org/index.php/Projects_Reboot_2012
> >     >>
> >     >> Here is the list of contributors I've collected:
> >     >>
> >     >> Pavol Luptak
> >     >> Marco Morana
> >     >> Giorgio Fedon
> >     >> Stefano Di Paola
> >     >> Gianrico Ingrosso
> >     >> Giuseppe Bonfà
> >     >> Roberto Suggi Liverani
> >     >> Robert Smith
> >     >> Andrew Muller
> >     >> Robert Winkel
> >     >> tripurari rai
> >     >> Thomas Ryan
> >     >> tim bertels
> >     >> Cecil Su
> >     >> Aung KhAnt
> >     >> Norbert Szetei
> >     >> michael.boman
> >     >> Wagner Elias
> >     >> Kevin Horvat
> >     >> Juan Galiana Lara
> >     >> Kenan Gursoy
> >     >> Jason Flood
> >     >> Javier Marcos de Prado
> >     >> Sumit Siddharth
> >     >> Mike Hryekewicz
> >     >> psiinon
> >     >> Ray Schippers
> >     >> Raul Siles
> >     >> Jayanta Karmakar
> >     >> Brad Causey
> >     >> Vicente Aguilera
> >     >> Ismael Gonçalves
> >     >>
> >     >> Reviewers team:
> >     >>
> >     >> Paolo Perego
> >     >> Daniel Cuthbert
> >     >> Matthew Churcher
> >     >> Lode Vanstechelman
> >     >> Sebastien Gioria
> >     >>
> >     >>
> >     >> Introduction and Project purpose for v4:
> >     >> ========================================
> >     >> The OWASP Testing Guide v3 includes a "best practice" penetration
> >     >> testing framework which users can implement in their own organizations
> >     >> and a "low level" penetration testing guide that describes techniques
> >     >> for testing most common web application and web service security
> >     >> issues. Nowadays the Testing Guide has become the standard to perform
> >     >> a Web Application Penetration Testing and many Companies all around
> >     >> the world have adopted it.
> >     >> It is vital for the project to maintain an updated project that
> >     >> represents the state of the art for WebAppSec.
> >     >>
> >     >> Project Roadmap
> >     >> =============
> >     >>
> >     >> - (1) 1st phase: Brainstorming and create a new table of contents
> >     >>
> >     >> Objective: creating a new table of contents of the OTGv4
> >     >> assigning a task for each contributor.
> >     >> I created a new OWASP Testing Guide v4 table of Contents here:
> >     >> https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
> >     >>
> >     >> - (2) 2nd phase:  Writing
> >     >> 20th September 2012: Start writing the articles
> >     >> 1st November 2012: 1st Draft
> >     >> 30th November: end of writing phase
> >     >>
> >     >> - (3) 3rd phase: Reviewing
> >     >>
> >     >> - 1st December 2012: Starting the review phase,
> >     >> - 15th December 2012: Create the RC1,
> >     >> - 31st January 2013: Release the version 4.
> >     >>
> >     >> Timeline November 2012 1st Draft, January 2013 Final Release
> >     >>
> >     >> So, let's start discussion about phase (1)!
> >     >>
> >     >> Thanks!
> >     >> Mat
> >     >>
> >     >> --
> >     >> Matteo Meucci
> >     >> OWASP Testing Guide Lead
> >     >> OWASP-Italy President
> >     >>
> >     >>
> >     >> _______________________________________________
> >     >> Owasp-testing mailing list
> >     >> Owasp-testing at lists.owasp.org <mailto:Owasp-testing at lists.owasp.org>
> >     >> https://lists.owasp.org/mailman/listinfo/owasp-testing
> >     >>
> >     >
> >
> >     --
> >     --
> >     Matteo Meucci
> >     OWASP Testing Guide Lead
> >     OWASP Italy President
> >
> >
> >
> >
> > --
> > OWASP ZAP: Toolsmith Tool of the Year 2011
> > <http://holisticinfosec.blogspot.com/2012/02/2011-toolsmith-tool-of-year-owasp-zap.html>
> >
>
> --
> --
> Matteo Meucci
> OWASP Testing Guide Lead
> OWASP Italy President
>
>
>
>
> --
> OWASP ZAP: Toolsmith Tool of the Year 2011 <http://holisticinfosec.blogspot.com/2012/02/2011-toolsmith-tool-of-year-owasp-zap.html>
>
>
>
>
>
>
> --
> Ismael Gonçalves
>
>
>


-- 
Ismael Gonçalves