[Owasp-testing] V4 Update ideas

Matteo Meucci matteo.meucci at owasp.org
Tue Oct 9 15:32:49 UTC 2012


Hi,
OWASP SAMM and OWASP Testing Guide are 2 different projects. The first
is an open framework to help organizations formulate and implement a
strategy for software security that is tailored to the specific risks
facing the organization. To evaluate the maturity of a Company you have
to perform interviews. The only part related to the Testing Guide is in
the Security Practice called "Security Testing" inside the
"Verification" Business Function.

We discussed the OWASP Testing goals some time ago. Here you can read
about them:
https://www.owasp.org/index.php/Testing:_Introduction_and_objectives
https://www.owasp.org/index.php/Testing_Guide_Introduction

So in this guide we want to explain the OWASP testing methodology.
Penetration testing will never be an exact science where a complete list
of all possible issues that should be tested can be defined. Indeed,
penetration testing is only an appropriate technique for testing the
security of web applications under certain circumstances. The goal is to
collect all the possible testing techniques, explain them, and keep the
guide updated.

As discussed some time ago, the audience is the testers, even though we
introduced a Brief Summary for each paragraph to explain the issue and
how to test it from a high-level point of view.

Thanks,
Mat


On 09/28/2012 12:55 AM, Christian Heinrich wrote:
> Alessandro,
> 
> On Thu, Sep 27, 2012 at 6:45 PM, Alessandro Gai
> <alessandro.gai at mediaservice.net> wrote:
>> I'd add some example, something like: site:www.testsite.com "upload" OR
>> "admin" OR "password"
> 
> The difference with the OWASP Testing Guide v3 then is that you would
> have to execute multiple searches if the robots.txt and/or metadata
> prohibits caching of the content since you cannot retrieve the cached
> web page and execute the various regex.
> 
> On Thu, Sep 27, 2012 at 6:45 PM, Alessandro Gai
> <alessandro.gai at mediaservice.net> wrote:
>>> Also, a majority of http://www.hackersforcharity.org/ghdb/ or
>>> http://www.exploit-db.com/google-dorks/ aren't vuln, rather they are
>>> people copy and pasting the various Google Search Queries :)
>> I agree! :)
> 
> There is also some WAF product (the name escapes me at the moment)
> which will mimic the various GHDB and will then trigger an alarm when
> the generated page is accessed.
> 
> On Thu, Sep 27, 2012 at 6:45 PM, Alessandro Gai
> <alessandro.gai at mediaservice.net> wrote:
>> Burp Target Analyzer generates a good report about dynamic / static
>> pages. This is useful.
>> I mean also pay attention to typical application structure useful for
>> brute force, some examples:
>> - variables / parameters / directory structure format: "word1_word2"
>> "Word1Word2"
>> - step pages: "page_1.asp" "page02.aspx"
>> - language: "amministrazione" / "admin"
> 
> OK

-- 
Matteo Meucci
OWASP Testing Guide Lead
OWASP Italy President