[Owasp-testing] V4 Update ideas

Agazzini Maurizio inode at mediaservice.net
Tue Sep 25 13:43:55 UTC 2012


Hi Christian,

I read the previous threads; I hope I have not missed anything important.

On 22/09/2012 11:50, Christian Heinrich wrote:
>> ********** Chapter 4.2 (Information Gathering)
>> Update and add contents in the next subchapter:
> 
> http://lists.owasp.org/pipermail/owasp-testing/2011-August/001930.html
> has discussed this before but in relation to these new points:
> 
>> 4.2.1 Spiders, Robots and Crawlers (OWASP-IG-001)
>>     Add material about Spiders and Crawlers (not only robots.txt)
> 
> <META> is also considered in v3 but if there is something missed (I
> last looked at Bing/Yahoo! earlier in 2012) then please let me/us
> know?
> 
>>     Add robots techniques for "not html" files (swf / silverlight /
>> jsfx / java class / ...)
> 
> I like this :)

In Testing Guide 3 there wasn't any chapter about real
spidering/crawling; the results of this activity are used in
OWASP-IG-003, but if this task is done the wrong way a tester could
miss a lot of entry points.

>> 4.2.2 Search Engine Discovery/Reconnaissance (OWASP-IG-002)
>>      Add Search Engine on social (linkedin / facebook / twitter / ...)
>>      Obtain information from the web by helpdesk, config files, help
>> files, ...
>>      How to use googling for our test (search particular variables name,
>> db name, path, ...)
>>      Search inside the Metadata (Foca tool?)
>>      Search information inside default files like "Thumbs.db",
>> ".DS_Store" ...?
> 
> I believe Social Network, Social Engineering and Document Metadata is
> outside of the Testing Guide and is explored by say PTES already.
> 
> https://www.owasp.org/index.php/Testing:_Search_engine_discovery/reconnaissance_(OWASP-IG-002)
> was intended to deflate the hype of
> http://www.hackersforcharity.org/ghdb/.
> 
> Also, a majority of http://www.hackersforcharity.org/ghdb/ or
> http://www.exploit-db.com/google-dorks/ aren't vuln, rather they are
> people copy and pasting the various Google Search Queries :)

In our experience, metadata, googling and other sources can give very
valuable information about the web applications. You don't have to look
at metadata and Google only in the standard and known way.

Many times we have found the configuration of our customer's Apache
(for example in a help forum). The metadata of documents can be used
to create a wordlist for brute forcing. Social networks (LinkedIn and
Facebook) can be used for wordlist creation too, for example by
searching for the sysadmins' names/nicknames.

I think that this guide has to become something more than a "how to
find SQL injection".

>> 4.2.4 Testing Web Application Fingerprint (OWASP-IG-004) --> update +
>> section on identifying client frameworks / applications + CMS
>>     Identify default application, client framework, development
>> framework, ...
>>     Identify optional components on CMS
>>     Use http://www.shodanhq.com/ ?
> 
> I would support the inclusion of http://builtwith.com/ but not SHODAN.
> 
> The use case for SHODAN in this context is
> http://cmlh.id.au/post/26035488573/rdp-sbs-june-2012 and
> http://cmlh.id.au/post/19595166120/rdp-sbs-march-2012

The Shodan host profile can be useful for identifying system technology.
But I have to get more information about its usage ;)

>> 4.2.5 Application Discovery (OWASP-IG-005)
>>     HTTPS hostname to find virtual host
>>     dns brute forcing
>>     default directory, banner, ...
> 
> In relation to vhost:
> http://msdn.microsoft.com/en-us/library/ff795671.aspx
> http://www.domaintools.com/research/reverse-ip/

A very good tool was "hostmap" (http://hostmap.lonerunners.net/), but
it is dead now. I will check all the ways used by that software to find
virtual hosts.

>> - Identification and bypass of WAF: an introduction about WAF, how to
>> identify the presence of them and a short description of fundamental
>> bypass technique.
> 
> I generally turn off the WAF during testing.
> 

We ask to disable the WAF during tests too, but I think a chapter will be
very useful for not so experienced testers.

Maurizio

-- 
Maurizio Agazzini                     CISSP, OPST
Senior Security Advisor               Gsm: +39-346-52.09.207
@ Mediaservice.net Srl                Tel: +39-011-32.72.100
Via Santorelli, 15                    Fax: +39-011-32.46.497
10095 Grugliasco (TO) ITALY           http://mediaservice.net/disclaimer

"C programmers never die. They are just cast into void"
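Added example (not part of the original mail or of the OWASP Testing Guide) illustrating the "metadata and social networks as a wordlist source" point above. It pulls author names out of a constructed PDF info dictionary and a constructed DOCX docProps/core.xml, adds names said to come from social-network profiles, and expands them into the username patterns commonly used for brute forcing. All sample documents, names and domains here are made up; the PDF parser only handles uncompressed literal strings, which is enough for the demonstration but not for real documents with object streams.

```python
import re
import unicodedata
import xml.etree.ElementTree as ET

# Constructed stand-ins for files downloaded from a target web site
# (not real documents): a PDF info dictionary and a DOCX core.xml.
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Title (Quarterly report) "
              b"/Author (Mario Rossi) /Creator (Microsoft Word) >>\nendobj\n")
SAMPLE_DOCX_CORE = """<cp:coreProperties
 xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
 xmlns:dc="http://purl.org/dc/elements/1.1/">
 <dc:creator>J\u00f6rg M\u00fcller</dc:creator>
 <cp:lastModifiedBy>rossi.m</cp:lastModifiedBy>
</cp:coreProperties>"""
# Names "found" on social-network profiles (constructed).
SAMPLE_SOCIAL = ["Anna Bianchi", "jsmith"]

DC = "{http://purl.org/dc/elements/1.1/}"
CP = "{http://schemas.openxmlformats.org/package/2006/metadata/core-properties}"


def pdf_authors(data):
    """Return /Author literal strings from an uncompressed PDF info dict.
    Hex strings and compressed object streams are deliberately not handled."""
    return [m.decode("latin-1") for m in re.findall(rb"/Author\s*\(([^)]*)\)", data)]


def docx_authors(core_xml):
    """Return dc:creator and cp:lastModifiedBy values from docProps/core.xml."""
    root = ET.fromstring(core_xml)
    out = []
    for tag in (DC + "creator", CP + "lastModifiedBy"):
        out.extend(el.text.strip() for el in root.iter(tag) if el.text)
    return out


def normalize(name):
    """Strip accents, lowercase, split into name tokens."""
    s = unicodedata.normalize("NFKD", name)
    s = "".join(c for c in s if not unicodedata.combining(c))
    return re.sub(r"[^a-z0-9 ]+", " ", s.lower()).split()


def username_candidates(name):
    """Expand one person's name into common corporate username patterns."""
    parts = normalize(name)
    if not parts:
        return set()
    if len(parts) == 1:            # already a username-like token
        return {parts[0]}
    first, last = parts[0], parts[-1]
    f, l = first[0], last[0]
    return {first + "." + last, first + last, f + last, f + "." + last,
            first + "_" + last, last + first, last + f, last + "." + first,
            first + l, first, last}


def build_wordlist(names, min_len=3):
    """Deduplicated, sorted wordlist; very short tokens are dropped as noise."""
    words = set()
    for n in names:
        words.update(w for w in username_candidates(n) if len(w) >= min_len)
    return sorted(words)


def harvest():
    """Whole pipeline over the constructed samples."""
    names = pdf_authors(SAMPLE_PDF) + docx_authors(SAMPLE_DOCX_CORE) + SAMPLE_SOCIAL
    return build_wordlist(names)


if __name__ == "__main__":
    print("\n".join(harvest()))
```

In practice the harvested list is fed to the login or directory brute-forcing step, and the same normalized tokens are reused as candidates for DNS and virtual-host brute forcing.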

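Added example (not from the original mail, the hostmap tool or the Testing Guide) for the "Application Discovery" point above: name-based virtual hosts on one IP are found by sending the same request with different Host headers and flagging answers that differ from the default vhost. To keep it runnable offline, the target is a small constructed HTTP server on 127.0.0.1 with three made-up vhosts under the invented domain example.test; against a real target you would point ip/port at the host and feed the wordlist from DNS brute forcing or document metadata. The script also sends two baseline requests first, because if the default vhost's response is not stable (dynamic content, tokens) a length comparison is meaningless.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the target: one IP address, three name-based
# virtual hosts plus a default vhost for any other Host header. Not real.
VHOSTS = {
    "www.example.test": (200, b"<html>corporate site</html>"),
    "intranet.example.test": (401, b"Authorization required"),
    "dev.example.test": (200, b"<html>DEV build - debug on</html>"),
}
DEFAULT = (200, b"<html>It works!</html>")


class FakeVHostServer(BaseHTTPRequestHandler):
    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0].lower()
        status, body = VHOSTS.get(host, DEFAULT)
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the demo quiet
        pass


def start_server():
    srv = HTTPServer(("127.0.0.1", 0), FakeVHostServer)   # port 0: any free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(ip, port, hostname):
    """GET / with an explicit Host header; returns (status, body length)."""
    conn = http.client.HTTPConnection(ip, port, timeout=5)
    conn.request("GET", "/", headers={"Host": hostname})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, len(body)


def find_vhosts(ip, port, domain, words):
    """Baseline on hostnames that cannot exist, then flag every candidate
    whose (status, length) differs from the default vhost's answer."""
    base1 = probe(ip, port, "zz-baseline-1." + domain)
    base2 = probe(ip, port, "zz-baseline-2." + domain)
    if base1 != base2:
        raise RuntimeError("default vhost response is not stable; "
                           "compare on headers or body content instead")
    found = {}
    for w in words:
        fqdn = f"{w}.{domain}"
        resp = probe(ip, port, fqdn)
        if resp != base1:
            found[fqdn] = resp
    return found


def demo():
    """Run the enumeration against the constructed server."""
    srv = start_server()
    try:
        ip, port = srv.server_address
        return find_vhosts(ip, port, "example.test",
                           ["www", "mail", "intranet", "dev", "vpn"])
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for fqdn, (status, length) in demo().items():
        print(f"{fqdn}: HTTP {status}, {length} bytes")
```

For HTTPS targets the same loop must also set the TLS SNI to the candidate name, since the server may select the certificate and vhost from SNI rather than from the Host header; the names in the served certificate's CN and subjectAltName are themselves a good seed for the wordlist.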

More information about the Owasp-testing mailing list