[Owasp-testing] V4 Update ideas

Christian Heinrich christian.heinrich at cmlh.id.au
Wed Sep 26 23:42:17 UTC 2012


Maurizio,

On Tue, Sep 25, 2012 at 11:43 PM, Agazzini Maurizio
<inode at mediaservice.net> wrote:
> In Testing Guide 3 there wasn't any chapter about real
> spidering/crawling; the results of this activity are used in
> OWASP-IG-003, but if this task is done in the wrong way a tester could
> miss a lot of entry points.

This was one of the recommendation(s) of
http://lists.owasp.org/pipermail/owasp-testing/2011-August/001930.html

The only caveat would be that spidering et al wouldn't be applicable
for a development web server since the results will be incorrect (to
that of the production web server).

On Tue, Sep 25, 2012 at 11:43 PM, Agazzini Maurizio
<inode at mediaservice.net> wrote:
> In our experience, metadata, googling and others can give very valuable
> information about the web applications. You don't have to look at
> metadata and google only in the standard and known way.
>
> We have found many times a configuration of our customer's apache
> (for example in a help forum). The metadata of docs can be used
> to create a wordlist for bruteforce. Social networks (linkedin and
> facebook) can be used too for wordlist creation, for example by
> searching the sysadmins' names/nicknames.

The issue that I was intending to address was (as an example)
http://www.smh.com.au/it-pro/security-it/telstra-customer-database-exposed-20111209-1on60.html

The above is already covered in other documents (outside of OWASP) and
we would ultimately just be duplicating their information without
providing any additional value.

Since @mediaservice contributes to the OSSTMM, i.e.
http://www.isecom.org/team.html, then maybe you could include the
relevant links to/from the OWASP Testing Guide v4?

On Tue, Sep 25, 2012 at 11:43 PM, Agazzini Maurizio
<inode at mediaservice.net> wrote:
> I think that this guide has to become something more than a "how to
> find sql injection".

The issue with this is that it may alienate the already established audience.

On Tue, Sep 25, 2012 at 11:43 PM, Agazzini Maurizio
<inode at mediaservice.net> wrote:
> The Shodan host profile can be useful for identifying system technology. But I
> have to get more information on its usage ;)

SHODAN will provide the historical web server header(s) over time.

On Tue, Sep 25, 2012 at 11:43 PM, Agazzini Maurizio
<inode at mediaservice.net> wrote:
> We ask to disable the WAF too during tests, but I think a chapter will be
> very useful for not so experienced testers.

I like the bodies of work produced by Ivan Ristic e.g.
http://media.blackhat.com/bh-us-12/Briefings/Ristic/BH_US_12_Ristic_Protocol_Level_Slides.pdf


-- 
Regards,
Christian Heinrich

http://cmlh.id.au/contact
