[Owasp-testing] Testing Guide V4 - Start up

Irene Abezgauz irene at seekersec.com
Fri Aug 31 17:25:35 UTC 2012


From the ToC it seems that JSON, RESTful and SOAP front-end testing are already covered. This means the guide already has a lot of the relevant technical information. 

However, I agree with Eoin that it could benefit from a dedicated mobile section that would talk about:
- differences and similarities between a browser-client app and a mobile-client app from the server-side aspect 
- points of interest when testing mobile apps (for example, adding phone-specific User-Agent headers is often needed to access certain functionality and achieve good testing coverage)
- tools that could be relevant, such as emulators or request generators for specific tasks 
- referring to the relevant sections of the guide when talking about the protocols usually used for mobile-app traffic (the above-mentioned JSON/REST/etc.). This should give someone approaching mobile-app testing an understanding of what they are facing. 

Btw, if not too late - I'll be happy to contribute to the guide - provide content or as a reviewer.

Cheers,
Irene 
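The User-Agent point above is easy to demonstrate. The following is an added example, not code from the thread or from the Testing Guide: a hypothetical target that only exposes a mobile sync endpoint when the User-Agent looks like a phone, and a probe that requests the same URL with several User-Agent strings and reports which paths appear only for mobile clients. The server, its paths and the User-Agent strings are constructed for the example.

```python
"""Probe one URL with several User-Agent strings and diff the responses.

Demonstrates why phone-specific User-Agent headers are needed for coverage:
server-side code often branches on the UA and hides mobile-only functionality
from a desktop browser (or from a proxy's default requests).
"""
import http.server
import re
import threading
import urllib.request

# Constructed sample User-Agent strings (illustrative values, not a canonical list).
USER_AGENTS = {
    "desktop": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0",
    "iphone": "Mozilla/5.0 (iPhone; CPU iPhone OS 15_0 like Mac OS X) AppleWebKit/605.1.15 "
              "(KHTML, like Gecko) Version/15.0 Mobile/15E148 Safari/604.1",
    "android": "Mozilla/5.0 (Linux; Android 12; Pixel 6) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/100.0.4896.127 Mobile Safari/537.36",
}


class _Target(http.server.BaseHTTPRequestHandler):
    """Hypothetical target: the mobile sync link is rendered only for phone UAs."""

    def do_GET(self):
        ua = self.headers.get("User-Agent", "")
        is_mobile = any(tok in ua for tok in ("Mobile", "Android", "iPhone"))
        body = "<html><body><a href='/login'>login</a>"
        if is_mobile:
            # This is the functionality a desktop-only test run would never see.
            body += "<a href='/api/v2/mobile/sync'>sync</a>"
        body += "</body></html>"
        data = body.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_target():
    """Start the hypothetical target on a random loopback port; returns the server."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _Target)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(url, user_agent):
    """GET url with an explicit User-Agent and return the response body as text."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8", "replace")


def extract_paths(html):
    """Crude href extraction; enough to compare the link surface between responses."""
    return set(re.findall(r"href=['\"]([^'\"]+)['\"]", html))


def probe(url, agents=USER_AGENTS):
    """Return {ua_name: set(paths)} for each User-Agent in agents."""
    return {name: extract_paths(fetch(url, ua)) for name, ua in agents.items()}


def mobile_only_paths(url, agents=USER_AGENTS, baseline="desktop"):
    """Paths reachable with at least one non-baseline UA but absent from the baseline response."""
    surface = probe(url, agents)
    base = surface[baseline]
    extra = set()
    for name, paths in surface.items():
        if name != baseline:
            extra |= paths - base
    return extra


if __name__ == "__main__":
    srv = start_target()
    url = f"http://127.0.0.1:{srv.server_port}/"
    for name, paths in probe(url).items():
        print(f"{name:8s} {sorted(paths)}")
    print("mobile-only:", sorted(mobile_only_paths(url)))
    srv.shutdown()
```

In a real engagement the target is the application under test and the URL list comes from the crawl; the comparison step is the same. Any path that shows up only under a phone User-Agent is new attack surface that the desktop-only run never exercised and needs its own pass with the relevant sections of the guide.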

-----Original Message-----
From: owasp-testing-bounces at lists.owasp.org [mailto:owasp-testing-bounces at lists.owasp.org] On Behalf Of Eoin
Sent: Friday, August 31, 2012 8:01 PM
To: Matteo Meucci
Cc: owasp-testing at lists.owasp.org
Subject: Re: [Owasp-testing] Testing Guide V4 - Start up

Are we covering mobile testing at all?
Sorry if this was mentioned already.



Eoin Keary
Owasp Global Board
+353 87 977 2988


On 31 Aug 2012, at 11:28, Matteo Meucci <matteo.meucci at owasp.org> wrote:

> Hi Simon,
> yep I agree.
> 
> Maybe we can distinguish as follows for each paragraph:
> - OWASP Tools:
> (Flagship, Labs, Incubator, Archive)
> - Other Open Source tools:
> 
> I think that a contributor should be dedicated to verifying which tests 
> are suitable using ZAP (maybe Amro, who writes the Appendix A "Testing 
> Tools")?
> 
> Thanks,
> Mat
> 
> 
> 
> On 08/31/2012 09:56 AM, psiinon wrote:
>> I think it's right for us to suggest an open source tool (or tools) 
>> for use in each section; however, I don't think we should view this 
>> as a ZAP vs WebScarab contest.
>> We want to suggest the best possible tool, but I also think that it's 
>> reasonable for us to prefer OWASP ones.
>> But we should also favour tools that are more mature and/or more 
>> frequently updated.
>> For OWASP tools I think we can rely on the new classifications:
>> Flagship, Labs, Incubator, Archive.
>> So I think it's really a sliding scale.
>> If there's a Flagship OWASP project that is great at finding a 
>> specific type of vulnerability then we should definitely use that as the example.
>> If not, then we have to balance how relevant that tool is likely to remain.
>> A brand new Incubator project might be great in one specific case, 
>> but may also not really be in a fit state for most people to use, or 
>> the project may quickly wither and die.
>> And if a well-regarded non-OWASP open source tool is the best option 
>> then we should use that.
>> 
>> Going back to ZAP, I obviously hope it will be the ideal tool in many 
>> cases :) And helping to establish if this is the case and explaining 
>> exactly how ZAP can be used may be the most effective way I can 
>> contribute to this guide.
>> 
>> But I also want to use this process to learn where ZAP's weaknesses are.
>> And depending on how long it takes to produce the guide we (the ZAP
>> developers) may be able to enhance specific areas of ZAP as the work 
>> on the guide develops.
>> So please let me know asap if/when you work on an area of the guide 
>> that you don't think ZAP is effective in helping with, or if you would 
>> like advice and guidance on how to use ZAP as effectively as possible.
>> 
>> Cheers,
>> 
>> Simon (ZAP Project Lead)
>> 
>> On Thu, Aug 30, 2012 at 10:18 PM, Matteo Meucci 
>> <matteo.meucci at owasp.org <mailto:matteo.meucci at owasp.org>> wrote:
>> 
>>    Perfect!
>>    I've updated the wiki, thanks!
>> 
>>    Mat
>> 
>>    On 08/30/2012 11:15 PM, Amro wrote:
>>> Thanks Mat,
>>> 
>>> Please assign this task to me and I will make sure that our tool
>>> sets are updated.
>>> 
>>> Regards,
>>> Amro
>>> Sent from BlackBerry®. Excuse typos and brevity.
>>> 
>>> -----Original Message-----
>>> From: Matteo Meucci <matteo.meucci at owasp.org>
>>> Date: Thu, 30 Aug 2012 23:11:41
>>> To: <amro at owasp.org>
>>> Cc: <owasp-testing-bounces at lists.owasp.org>; <owasp-testing at lists.owasp.org>
>>> Subject: Re: [Owasp-testing] Testing Guide V4 - Start up
>>> 
>>> Hi Amro,
>>> Good question related to the tools. Here we have to update many
>>> references.
>>> 
>>> Usually at the end of each article we suggest using a particular 
>>> open source tool to perform the test. I think we can use and suggest
>>> both tools in many situations.
>>> Also the Appendix A "Testing Tools" should pick up all the testing 
>>> tools cited in the Testing Guide and give more details.
>>> 
>>> Thanks,
>>> Mat
>>> 
>>> On 08/30/2012 10:58 PM, Amro wrote:
>>>> Please count me in as well .. Are we gonna use ZAP instead of
>>>> WebScarab in the new version?
>>>> 
>>>> Regards,
>>>> Amro
>>>> Sent from BlackBerry®. Excuse typos and brevity.
>>>> 
>>>> -----Original Message-----
>>>> From: Matteo Meucci <matteo.meucci at owasp.org>
>>>> Sender: owasp-testing-bounces at lists.owasp.org
>>>> Date: Thu, 30 Aug 2012 17:40:29
>>>> To: <owasp-testing at lists.owasp.org>
>>>> Subject: [Owasp-testing] Testing Guide V4 - Start up
>>>> 
>>>> Hi all Testing Guide contributors.
>>>> 
>>>> Testing Guide v4 has been approved as Projects Reboot 2012!
>>>> https://www.owasp.org/index.php/Projects_Reboot_2012
>>>> 
>>>> Here is the list of contributors I've collected:
>>>> 
>>>> Pavol Luptak
>>>> Marco Morana
>>>> Giorgio Fedon
>>>> Stefano Di Paola
>>>> Gianrico Ingrosso
>>>> Giuseppe Bonfà
>>>> Roberto Suggi Liverani
>>>> Robert Smith
>>>> Andrew Muller
>>>> Robert Winkel
>>>> tripurari rai
>>>> Thomas Ryan
>>>> tim bertels
>>>> Cecil Su
>>>> Aung KhAnt
>>>> Norbert Szetei
>>>> michael.boman
>>>> Wagner Elias
>>>> Kevin Horvat
>>>> Juan Galiana Lara
>>>> Kenan Gursoy
>>>> Jason Flood
>>>> Javier Marcos de Prado
>>>> Sumit Siddharth
>>>> Mike Hryekewicz
>>>> psiinon
>>>> Ray Schippers
>>>> Raul Siles
>>>> Jayanta Karmakar
>>>> Brad Causey
>>>> Vicente Aguilera
>>>> Ismael Gonçalves
>>>> 
>>>> Reviewers team:
>>>> 
>>>> Paolo Perego
>>>> Daniel Cuthbert
>>>> Matthew Churcher
>>>> Lode Vanstechelman
>>>> Sebastien Gioria
>>>> 
>>>> 
>>>> Introduction and Project purpose for v4:
>>>> ==========================================
>>>> The OWASP Testing Guide v3 includes a "best practice" penetration 
>>>> testing framework which users can implement in their own organizations
>>>> and a "low level" penetration testing guide that describes 
>>>> techniques for testing the most common web application and web service 
>>>> security issues. Nowadays the Testing Guide has become the standard 
>>>> for performing web application penetration testing and many companies 
>>>> all around the world have adopted it.
>>>> It is vital for the project to maintain an updated guide that 
>>>> represents the state of the art for WebAppSec.
>>>> 
>>>> Project Roadmap
>>>> =============
>>>> 
>>>> - (1) 1st phase: Brainstorming and create a new table of contents
>>>> 
>>>> Objective: creating a new table of contents of the OTGv4 assigning 
>>>> a task for each contributor.
>>>> I created a new OWASP Testing Guide v4 table of contents here:
>>>> 
>>>> https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
>>>> 
>>>> - (2) 2nd phase: Writing
>>>> 
>>>> - 20th September 2012: Start writing the articles,
>>>> - 1st November 2012: 1st Draft,
>>>> - 30th November 2012: End of the writing phase.
>>>> 
>>>> - (3) 3rd phase: Reviewing
>>>> 
>>>> - 1st December 2012: Starting the review phase,
>>>> - 15th December 2012: Create the RC1,
>>>> - 31st January 2013: Release the version 4.
>>>> 
>>>> Timeline: November 2012 1st Draft, January 2013 Final Release
>>>> 
>>>> So, let's start discussion about phase (1)!
>>>> 
>>>> Thanks!
>>>> Mat
>>>> 
>>>> --
>>>> Matteo Meucci
>>>> OWASP Testing Guide Lead
>>>> OWASP-Italy President
>>>> 
>>>> 
>>>> _______________________________________________
>>>> Owasp-testing mailing list
>>>> Owasp-testing at lists.owasp.org 
>>>> <mailto:Owasp-testing at lists.owasp.org>
>>>> https://lists.owasp.org/mailman/listinfo/owasp-testing
>>>> 
>>> 
>> 
>>    --
>>    Matteo Meucci
>>    OWASP Testing Guide Lead
>>    OWASP Italy President
>> 
>> 
>> 
>> 
>> --
>> OWASP ZAP: Toolsmith Tool of the Year 2011 
>> <http://holisticinfosec.blogspot.com/2012/02/2011-toolsmith-tool-of-year-owasp-zap.html>
>> 
> 
> --
> Matteo Meucci
> OWASP Testing Guide Lead
> OWASP Italy President