[Owasp-testing] Testing Guide V4 - Start up

Jim Manico jim.manico at owasp.org
Mon Sep 3 09:57:52 UTC 2012


+1 : JSON is the XML :)

Good call.

--
Jim Manico
(808) 652-3805

On Sep 3, 2012, at 10:16 AM, Paolo Perego <thesp0nge at owasp.org> wrote:

> Another thing... since we talk about XML parsing while testing
> webservices, we should also check if something can be exploited in the
> wild when data is exchanged using JSON.
>
> Another 0.02 cents.
>
>
> On Mon, Sep 3, 2012 at 10:23 AM, Juan Galiana <jgaliana at owasp.org> wrote:
>> Hi,
>>
>> The contents of the TG are organized based on types of vulnerabilities
>> and are not feature oriented, so we have to think about the best way to add
>> this new content regarding HTML5 (and mobile).
>> As I can see in the new table of contents[1], the section for Ajax
>> Testing is not there anymore, but there is a new "Client Side Testing
>> (New!)". Is this the best place?
>> Another approach would be to review the different sections and update them
>> with the bits that have changed. For example, in the case of CORS, if
>> the URLs passed to XMLHttpRequest.open are not validated, that can lead
>> to code injection, so there is the option to review each appropriate
>> section (for example, in this case, XSS) and add the specific content
>> for the new features.
>>
>>
>> [1]
>> https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
>>
>>
>>
>> Juan Galiana
>> _______________________________________________
>> Owasp-testing mailing list
>> Owasp-testing at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-testing
>
>
>
> --
> "... static analysis is fun, again!"
>
> OWASP Orizon project leader, http://github.com/thesp0nge/owasp-orizon
> OWASP Esapi Ruby project leader, https://github.com/thesp0nge/owasp-esapi-ruby
> _______________________________________________
> Owasp-testing mailing list
> Owasp-testing at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-testing
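The CORS point in the quoted message (an unvalidated URL handed to XMLHttpRequest.open, with the response then written into the page) is easier to test for when the vulnerable and the hardened pattern sit side by side. The following is an added JavaScript example, not code from the OWASP Testing Guide or from anyone in this thread; the origin allowlist, the base URL, the `message` field and the `xhrFactory` hook (there so the request object can be substituted outside a browser) are all constructed assumptions.

```javascript
// Added example, not from the OWASP Testing Guide or this thread: validate a
// URL before it reaches XMLHttpRequest.open(), and render the response as text.
// The origins below are constructed placeholders (assumption).
const ALLOWED_ORIGINS = new Set([
  "https://api.example.com",
  "https://static.example.com",
]);

// Base against which relative paths are resolved; constructed (assumption).
const REQUEST_BASE = "https://api.example.com/";

// Returns a URL object when `candidate` is acceptable, otherwise null.
// The check is on the parsed origin (scheme + host + port), not on a
// substring of the raw string, so "https://api.example.com.evil.net" fails.
function validateRequestUrl(candidate, allowedOrigins = ALLOWED_ORIGINS, base = REQUEST_BASE) {
  let url;
  try {
    url = new URL(String(candidate), base);
  } catch (err) {
    return null;                                   // unparseable input
  }
  if (url.protocol !== "https:") return null;      // rejects javascript:, data:, http:
  if (url.username !== "" || url.password !== "") {
    return null;                                   // "https://api.example.com@evil.example.net/" style tricks
  }
  if (!allowedOrigins.has(url.origin)) return null; // origin must be on the allowlist
  return url;
}

// Unsafe pattern the quoted message warns about: the URL is used as received
// and the response body is written into the DOM as markup.
function loadPanelUnsafe(untrustedUrl, container, xhrFactory = () => new XMLHttpRequest()) {
  const xhr = xhrFactory();
  xhr.open("GET", untrustedUrl);                    // any origin, any scheme
  xhr.onload = () => {
    container.innerHTML = xhr.responseText;         // markup in the response is interpreted
  };
  xhr.send();
}

// Hardened version: allowlisted origin, JSON parsed by the browser,
// a single known field rendered as text.
function loadPanelSafe(untrustedUrl, container, xhrFactory = () => new XMLHttpRequest()) {
  const url = validateRequestUrl(untrustedUrl);
  if (url === null) {
    throw new Error("request URL rejected by allowlist");
  }
  const xhr = xhrFactory();
  xhr.open("GET", url.href);
  xhr.responseType = "json";
  xhr.onload = () => {
    const body = xhr.response;
    const message = body && typeof body.message === "string" ? body.message : "";
    container.textContent = message;                // rendered as text, never parsed as HTML
  };
  xhr.send();
  return url.href;                                  // the URL actually requested, for logging or tests
}
```

When reviewing client-side code, the two things to look for are exactly the two lines that differ here: whether the value reaching `open()` was checked against an origin allowlist after parsing (not by prefix matching on the string), and whether the response lands in `textContent` or a parsed-JSON field rather than `innerHTML`.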

