[Owasp-testing] Testing Guide V4 - Start up

Paolo Perego thesp0nge at owasp.org
Mon Sep 3 11:56:04 UTC 2012


XMLHttpRequest is the fundamental object used behind the scenes in an
Ajax call (http://www.w3schools.com/xml/xml_http.asp).

I guess it's there because in earlier guide versions there were fewer
frameworks for Ajax calls.

Actually, the XML vs JSON debate is a question both client side (Ajax
calls) and server side (APIs and web services using both data
formats) that we must address in the guide.

Paolo

On Mon, Sep 3, 2012 at 1:01 PM, Juan Galiana <jgaliana at owasp.org> wrote:
> Agreed. Does anyone know why it is then called *XML*HttpRequest? :)
>
> JSON is now all over the web. We need to cover JSONP and other insecure
> practices.
>
>
> On 03/09/2012 10:57, Jim Manico wrote:
>> +1 : JSON is the XML :)
>>
>> Good call.
>>
>> --
>> Jim Manico
>> (808) 652-3805
>>
>> On Sep 3, 2012, at 10:16 AM, Paolo Perego <thesp0nge at owasp.org> wrote:
>>
>>> Another thing... since we talk about XML parsing while testing
>>> webservices, we should also check if something can be exploited in the
>>> wild when data is exchanged using JSON.
>>>
>>> Another 0.02 cents.
>>>
>>>
>>> On Mon, Sep 3, 2012 at 10:23 AM, Juan Galiana <jgaliana at owasp.org> wrote:
>>>> Hi,
>>>>
>>>> The contents of the TG are organized based on types of vulnerabilities
>>>> and are not feature oriented, so we have to think about the best way to add
>>>> this new content regarding HTML5 (and mobile).
>>>> As I can see in the new table of contents[1], the section for Ajax
>>>> Testing is not there anymore, but there is a new "Client Side Testing
>>>> (New!)". Is this the best place?
>>>> Another approach would be to review the different sections and update them
>>>> with the bits that have changed. For example, in the case of CORS, if
>>>> the URLs passed to XMLHttpRequest.open are not validated, that can lead
>>>> to code injection, so there is the option to review each appropriate
>>>> section (in this case XSS, for example) and add the specific content
>>>> for the new features.
>>>>
>>>>
>>>> [1]
>>>> https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
>>>>
>>>>
>>>>
>>>> Juan Galiana
>>>> _______________________________________________
>>>> Owasp-testing mailing list
>>>> Owasp-testing at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-testing
>>>
>>>
>>>
>>> --
>>> "... static analysis is fun, again!"
>>>
>>> OWASP Orizon project leader, http://github.com/thesp0nge/owasp-orizon
>>> OWASP Esapi Ruby project leader,
>>> https://github.com/thesp0nge/owasp-esapi-ruby
>
>
>



-- 
"... static analysis is fun, again!"

OWASP Orizon project leader, http://github.com/thesp0nge/owasp-orizon
OWASP Esapi Ruby project leader, https://github.com/thesp0nge/owasp-esapi-ruby
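The client-side checks this thread touches on (Juan's point about validating the URL handed to XMLHttpRequest.open, the JSONP callback pattern, and the question of what can be exploited when data is exchanged as JSON), as an added JavaScript example. This is not code from the thread or from the OWASP Testing Guide; the host names, the origin allowlist, the constructed response body and the function names are assumptions made up for illustration.

```javascript
// Added example, not code from the thread or from the Testing Guide.
// Runs under Node.js; host names and the allowlist are assumptions.

// Origins an XMLHttpRequest from this page may target (assumed values).
const ALLOWED_ORIGINS = new Set([
  'https://app.example.test',
  'https://api.example.test',
]);
const PAGE_BASE = 'https://app.example.test/'; // assumed document location

// Check a URL before handing it to XMLHttpRequest.open(). Resolving against
// the page location handles relative paths; protocol-relative ("//host/...")
// and absolute URLs resolve to their own origin, which is then compared to
// the allowlist. Non-https schemes (http:, javascript:, data:) are refused.
function isAllowedXhrTarget(url) {
  let parsed;
  try {
    parsed = new URL(url, PAGE_BASE);
  } catch {
    return false; // unparseable input is rejected rather than passed through
  }
  if (parsed.protocol !== 'https:') return false;
  return ALLOWED_ORIGINS.has(parsed.origin);
}

// JSONP: the server wraps the data in a call to the callback name taken from
// the query string, so that name is reflected into executable script. Only a
// bare JavaScript identifier is accepted; anything else is refused.
const CALLBACK_NAME = /^[A-Za-z_$][A-Za-z0-9_$]*$/;
function buildJsonpUrl(endpoint, callbackName) {
  if (!CALLBACK_NAME.test(callbackName)) {
    throw new Error('JSONP callback name must be a plain identifier');
  }
  const u = new URL(endpoint);
  u.searchParams.set('callback', callbackName);
  return u.toString();
}

// Two ways of turning a JSON response body into an object. The eval-based one
// is the legacy pattern a tester should flag: whatever the server (or an
// attacker in its place) puts in the body is executed in the page.
function parseJsonUnsafe(body) {
  // Parentheses make a bare object literal parse as an expression.
  return eval('(' + body + ')'); // eslint-disable-line no-eval
}
function parseJsonSafe(body) {
  return JSON.parse(body); // data only; executable content is a SyntaxError
}

// Constructed response body: valid JavaScript but not valid JSON. It carries a
// side effect (setting a global) alongside the data the caller expects.
const TAMPERED_BODY = '(globalThis.tampered = true, {"user": "alice"})';

// Exercise the URL check against the inputs a tester would try.
function demo() {
  return {
    sameOriginPath: isAllowedXhrTarget('/api/users'),
    allowedApi: isAllowedXhrTarget('https://api.example.test/users'),
    protocolRelativeOtherHost: isAllowedXhrTarget('//evil.example.test/x'),
    plainHttp: isAllowedXhrTarget('http://api.example.test/users'),
    javascriptScheme: isAllowedXhrTarget('javascript:alert(1)'),
    otherPort: isAllowedXhrTarget('https://app.example.test:8443/'),
  };
}
```

The origin comparison is done on the parsed URL, not on a string prefix, which is what catches the protocol-relative and port variants; the JSONP check is deliberately an allowlist on the identifier grammar rather than a blocklist of dangerous characters.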

