[Owasp-testing] Testing Guide V4 - Start up

Paolo Perego thesp0nge at owasp.org
Mon Sep 3 09:15:03 UTC 2012

Another thing... since we talk about XML parsing while testing
webservices, we should also check if something can be exploited in the
wild when data is exchanged using JSON.

Another 0.02 cents.

On Mon, Sep 3, 2012 at 10:23 AM, Juan Galiana <jgaliana at owasp.org> wrote:
> Hash: SHA1
> Hi,
> The contents of the TG are organized based on types of vulnerabilities
> and is not feature oriented, so we have to think the best way to add
> this new content regarding HTML5 (and mobile).
> As I can see in the new table of contents[1], the section for Ajax
> Testing is not there anymore, but there is a new "Client Side Testing
> (New!)". Is this the best place?
> Other approach would be to review different sections and update them
> with the bits that have changed. For example in the case of CORS, if
> the URLs passed to XMLHttpRequest.open are not validated that can lead
> to code injection, so there is the option to review each appropriate
> section (for example in this case XSS) and add the specific content
> for the new features.
> [1]
> https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
> Juan Galiana
> Version: GnuPG v1.4.12 (Darwin)
> URxaZZf3h3dKE17htwZ4nNRlLZ40dLlY4YcxEuYWMJrSVS1FdQiDia9bCsIREHT+
> rZqGpNfhb7ZHc9KJ96lROV/oD9CwMiST2VFOMzENz6SozYzuEO5cbaU1VYd34HpV
> F5kiKsCsHrN8mSl98Nlg9M95wu6WBW8LI5o5JK99sr7ZQ1gNPjmvM/MP6TCSW0Du
> E9gxWLg7s5hKJifw0GcS90MGAuNf7zf2/vrX9staZXJbjsnLI4rtQCtT0JklcxYL
> SpZXsj+Oo825CD9SXOVG+kyet9AkJOw5N714p+GZj8NoRibmwNyx7PFZ5l+RtNFf
> hOHuVs9PqEQfivR9HdMVUy0Yv60XQDhVZKfev0lszf1orloPD0M6+AgBgbK4IFnT
> pQOxrRHTRqs3ih2Dpvxu1w4BEBjPmE9Gp7/Prz5MZIo2yGoMwHoJQWo3wlcdBe4T
> /i4BVjtAoJ9qE1SwCygWMrM90ZhVb7KW4+6Ks943erZja37pJtepugvCLlgyE6NX
> oE6E3pqswfgBBkxZztuzNZMxG2jCjb4IQ77MLoMzyagcNiFgU1k33REjxnIeSRp4
> Mo/qD3ByHIZ2S0hYymOoZ8av0YJOb8uw7reeo+Wcf2r2Oh24FJAq/Pk6aMrdNCwc
> SW9/+msuQp44ypIge74d
> =3Oew
> _______________________________________________
> Owasp-testing mailing list
> Owasp-testing at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-testing

"... static analysis is fun, again!"

OWASP Orizon project leader, http://github.com/thesp0nge/owasp-orizon
OWASP Esapi Ruby project leader, https://github.com/thesp0nge/owasp-esapi-ruby

More information about the Owasp-testing mailing list