[Owasp-testing] V4 Update ideas

Christian Heinrich christian.heinrich at cmlh.id.au
Sat Sep 22 09:50:12 UTC 2012


Alessandro,

On Fri, Sep 21, 2012 at 8:12 PM, Alessandro Gai
<alessandro.gai at mediaservice.net> wrote:
> ********** Chapter 3 (The OWASP Testing Framework)
> Update and add contents with primary focus on the SAMM framework and
> test/task in the various phases of SDLC.
> Add a references part.

OpenSAMM is outside of the scope of the Testing Guide but the
touchpoint is discussed within the thread starting at
https://lists.owasp.org/pipermail/samm/2011-September/000314.html

On Fri, Sep 21, 2012 at 8:12 PM, Alessandro Gai
<alessandro.gai at mediaservice.net> wrote:
> ********** Chapter 4.2 (Information Gathering)
> Update and add contents in the next subchapter:

http://lists.owasp.org/pipermail/owasp-testing/2011-August/001930.html
has discussed this before but in relation to these new points:

On Fri, Sep 21, 2012 at 8:12 PM, Alessandro Gai
<alessandro.gai at mediaservice.net> wrote:
> 4.2.1 Spiders, Robots and Crawlers (OWASP-IG-001)
>     Add material about Spiders and Crawlers (not only robots.txt)

<META> is also considered in v3 but if there is something missed (I
last looked at Bing/Yahoo! earlier in 2012) then please let me/us
know?

On Fri, Sep 21, 2012 at 8:12 PM, Alessandro Gai
<alessandro.gai at mediaservice.net> wrote:
>     Add robots techniques for "not html" files (swf / Silverlight /
> jsfx / java class / ...)

I like this :)

On Fri, Sep 21, 2012 at 8:12 PM, Alessandro Gai
<alessandro.gai at mediaservice.net> wrote:
> 4.2.2 Search Engine Discovery/Reconnaissance (OWASP-IG-002)
>      Add Search Engine on social (linkedin / facebook / twitter / ...)
>      Obtain information from the web by helpdesk, config files, help
> files, ...
>      How to use googling for our test (search particular variable names,
> db name, path, ...)
>      Search inside the Metadata (Foca tool?)
>      Search information inside default files like "thumbs.db",
> ".DS_Store" ...?

I believe Social Network, Social Engineering and Document Metadata are
outside of the Testing Guide and are explored by say PTES already.

https://www.owasp.org/index.php/Testing:_Search_engine_discovery/reconnaissance_(OWASP-IG-002)
was intended to deflate the hype of
http://www.hackersforcharity.org/ghdb/.

Also, a majority of http://www.hackersforcharity.org/ghdb/ or
http://www.exploit-db.com/google-dorks/ aren't vuln, rather they are
people copying and pasting the various Google Search Queries :)

On Fri, Sep 21, 2012 at 8:12 PM, Alessandro Gai
<alessandro.gai at mediaservice.net> wrote:
> 4.2.4 Testing Web Application Fingerprint (OWASP-IG-004) --> update +
> part on identifying client frameworks / applications + CMS
>     Identify default application, client framework, development
> framework, ...
>     Identify optional components on CMS
>     Use http://www.shodanhq.com/ ?

I would support the inclusion of http://builtwith.com/ but not SHODAN.

The use case for SHODAN in this context is
http://cmlh.id.au/post/26035488573/rdp-sbs-june-2012 and
http://cmlh.id.au/post/19595166120/rdp-sbs-march-2012

On Fri, Sep 21, 2012 at 8:12 PM, Alessandro Gai
<alessandro.gai at mediaservice.net> wrote:
> 4.2.5 Application Discovery (OWASP-IG-005)
>     HTTPS hostname to find virtual host
>     dns brute forcing
>     default directory, banner, ...

In relation to vhost:
http://msdn.microsoft.com/en-us/library/ff795671.aspx
http://www.domaintools.com/research/reverse-ip/

On Fri, Sep 21, 2012 at 8:12 PM, Alessandro Gai
<alessandro.gai at mediaservice.net> wrote:
> 4.2.x Add a chapter about how to obtain info from the application code
> (variables names, directory structure, parameters, application step, ...) ?

Are you referring to the "Target Analyzer" of Burp Pro (for instance)?

On Fri, Sep 21, 2012 at 8:12 PM, Alessandro Gai
<alessandro.gai at mediaservice.net> wrote:
> - Identification and bypass of WAF: an introduction about WAF, how to
> identify the presence of them and a short description of fundamental
> bypass technique.

I generally turn off the WAF during testing.


-- 
Regards,
Christian Heinrich

http://cmlh.id.au/contact
