[Owasp-testing] Testing Guide V4 - Start up

Juan Galiana jgaliana at owasp.org
Mon Sep 3 11:01:09 UTC 2012


Agreed. Does anyone know why it is then called *XML*HttpRequest? :)

JSON is now all over the web. We need to cover JSONP and other insecure
practices.

On 03/09/2012 10:57, Jim Manico wrote:
> +1 : JSON is the XML :)
>
> Good call.
>
> --
> Jim Manico
> (808) 652-3805
>
> On Sep 3, 2012, at 10:16 AM, Paolo Perego <thesp0nge at owasp.org> wrote:
>
>> Another thing... since we talk about XML parsing while testing
>> webservices, we should also check if something can be exploited in the
>> wild when data is exchanged using JSON.
>>
>> Another 0.02 cents.
>>
>>
>> On Mon, Sep 3, 2012 at 10:23 AM, Juan Galiana <jgaliana at owasp.org> wrote:
> Hi,
>
> The contents of the TG are organized based on types of vulnerabilities
> and are not feature oriented, so we have to think about the best way to add
> this new content regarding HTML5 (and mobile).
> As I can see in the new table of contents[1], the section for Ajax
> Testing is not there anymore, but there is a new "Client Side Testing
> (New!)". Is this the best place?
> Another approach would be to review different sections and update them
> with the bits that have changed. For example in the case of CORS, if
> the URLs passed to XMLHttpRequest.open are not validated that can lead
> to code injection, so there is the option to review each appropriate
> section (for example in this case XSS) and add the specific content
> for the new features.
>
>
> [1]
> https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
>
>
>
> Juan Galiana
>>> _______________________________________________
>>> Owasp-testing mailing list
>>> Owasp-testing at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-testing
>>
>>
>>
>> --
>> "... static analysis is fun, again!"
>>
>> OWASP Orizon project leader, http://github.com/thesp0nge/owasp-orizon
>> OWASP Esapi Ruby project leader,
>> https://github.com/thesp0nge/owasp-esapi-ruby
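An added illustration of the XMLHttpRequest.open point raised above (example code, not from this thread or from the Testing Guide): an origin allowlist check run before open(), and JSON.parse for the response body in place of JSONP's script execution. The page origin and the allowlisted origins are constructed sample values.

```javascript
// Constructed sample origins; in a browser PAGE_ORIGIN would be
// window.location.origin and the allowlist would come from app config.
const ALLOWED_ORIGINS = new Set(["https://app.example", "https://api.example"]);
const PAGE_ORIGIN = "https://app.example";

// Resolve the URL (relative URLs resolve against the page origin) and accept
// it only if the scheme is http(s), no credentials are embedded in the URL
// and the resulting origin is on the allowlist. Unparsable input is rejected.
function isAllowedXhrTarget(url, allowed = ALLOWED_ORIGINS, base = PAGE_ORIGIN) {
  let parsed;
  try {
    parsed = new URL(url, base);
  } catch (e) {
    return false;
  }
  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") return false;
  // "https://api.example@evil.example/" parses with username "api.example"
  // and host evil.example; refusing embedded credentials closes that trick.
  if (parsed.username || parsed.password) return false;
  return allowed.has(parsed.origin);
}

// Wrapper around XMLHttpRequest.open that refuses destinations which fail
// the check. The caller supplies the XHR object (new XMLHttpRequest() in a
// browser, or any object with an open(method, url) method elsewhere).
function openValidated(xhr, method, url) {
  if (!isAllowedXhrTarget(url)) {
    throw new Error("Blocked XHR to non-allowlisted target: " + url);
  }
  xhr.open(method, url);
  return xhr;
}

// Parse a JSON response body as data. JSONP hands the response to a <script>
// element, so whatever the endpoint returns executes with the page's
// privileges; JSON.parse never evaluates the body and throws on anything
// that is not JSON.
function parseJsonBody(body) {
  return JSON.parse(body);
}
```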

