[Owasp-testing] V4 Update ideas

Alessandro Gai alessandro.gai at mediaservice.net
Thu Sep 27 08:45:10 UTC 2012


Hi Christian, thanks for the answer.
Sorry for the delay, I'm going to add some replies to Maurizio's email.

On 22/09/2012 11:50, Christian Heinrich wrote:
> Alessandro,
>
> On Fri, Sep 21, 2012 at 8:12 PM, Alessandro Gai
> <alessandro.gai at mediaservice.net> wrote:
>> ********** Chapter 3 (The OWASP Testing Framework)
>> Update and add contents with primary focus on the SAMM framework and
>> tests/tasks in the various phases of the SDLC.
>> Add a references part.
> OpenSAMM is outside of the scope of the Testing Guide but the
> touchpoint is discussed within the thread starting at
> https://lists.owasp.org/pipermail/samm/2011-September/000314.html

Yes, maybe SAMM is out of scope. I don't want to substitute the testing
framework with SAMM, but I think it could be useful to have in this part a
focus (executive summary's depth) on a "larger" Secure SDLC framework
(SAMM / BSIMM / ...) (SAMM is the most related to OWASP, right?).
And sure, we have to insert something about the touchpoint (starting from
your post?)


> On Fri, Sep 21, 2012 at 8:12 PM, Alessandro Gai
> <alessandro.gai at mediaservice.net> wrote:
>> ********** Chapter 4.2 (Information Gathering)
>> Update and add contents in the next subchapter:
> http://lists.owasp.org/pipermail/owasp-testing/2011-August/001930.html
> has discussed this before but in relation to these new points:
>
> On Fri, Sep 21, 2012 at 8:12 PM, Alessandro Gai
> <alessandro.gai at mediaservice.net> wrote:
>> 4.2.1 Spiders, Robots and Crawlers (OWASP-IG-001)
>>     Add material about Spiders and Crawlers (not only robots.txt)
> <META> is also considered in v3 but if there is something missed (I
> last looked at Bing/Yahoo! earlier in 2012) then please let me/us
> know?
>
> On Fri, Sep 21, 2012 at 8:12 PM, Alessandro Gai
> <alessandro.gai at mediaservice.net> wrote:
>>     Add robots techniques for "not html" files (swf / silverlight /
>> jsfx / java class / ...)
> I like this :)
>
> On Fri, Sep 21, 2012 at 8:12 PM, Alessandro Gai
> <alessandro.gai at mediaservice.net> wrote:
>> 4.2.2 Search Engine Discovery/Reconnaissance (OWASP-IG-002)
>>      Add Search Engine on social networks (linkedin / facebook / twitter / ...)
>>      Obtain information from the web via helpdesk, config files, help
>> files, ...
>>      How to use googling for our test (search particular variable names,
>> db names, paths, ...)
>>      Search inside the Metadata (Foca tool?)
>>      Search information inside default files like "thumbs.db",
>> ".DS_Store" ...?
> I believe Social Network, Social Engineering and Document Metadata are
> outside of the Testing Guide and are explored by say PTES already.
>
> https://www.owasp.org/index.php/Testing:_Search_engine_discovery/reconnaissance_(OWASP-IG-002)
> was intended to deflate the hype of
> http://www.hackersforcharity.org/ghdb/.
I'd add some examples, something like: site:www.testsite.com "upload" OR
"admin" OR "password"
>
> Also, a majority of http://www.hackersforcharity.org/ghdb/ or
> http://www.exploit-db.com/google-dorks/ aren't vuln, rather they are
> people copy and pasting the various Google Search Queries :)
I agree! :)


>
> On Fri, Sep 21, 2012 at 8:12 PM, Alessandro Gai
> <alessandro.gai at mediaservice.net> wrote:
>> 4.2.4 Testing Web Application Fingerprint (OWASP-IG-004) --> update +
>> a part on identifying client / application frameworks + CMS
>>     Identify default applications, client frameworks, development
>> frameworks, ...
>>     Identify optional components on CMS
>>     Use http://www.shodanhq.com/ ?
> I would support the inclusion of http://builtwith.com/ but not SHODAN.
>
> The use case for SHODAN in this context is
> http://cmlh.id.au/post/26035488573/rdp-sbs-june-2012 and
> http://cmlh.id.au/post/19595166120/rdp-sbs-march-2012
>
> On Fri, Sep 21, 2012 at 8:12 PM, Alessandro Gai
> <alessandro.gai at mediaservice.net> wrote:
>> 4.2.5 Application Discovery (OWASP-IG-005)
>>     HTTPS hostname to find virtual host
>>     dns brute forcing
>>     default directory, banner, ...
> In relation to vhost:
> http://msdn.microsoft.com/en-us/library/ff795671.aspx
> http://www.domaintools.com/research/reverse-ip/
>
> On Fri, Sep 21, 2012 at 8:12 PM, Alessandro Gai
> <alessandro.gai at mediaservice.net> wrote:
>> 4.2.x Add a chapter about how to obtain info from the application code
>> (variables names, directory structure, parameters, application step, ...) ?
> Are you referring to the "Target Analyzer" of Burp Pro (for instance)?

Burp Target Analyzer generates a good report about dynamic / static
pages. This is useful.
I also mean paying attention to typical application structures useful for
brute force, some examples:
- variables / parameters / directory structure format: "word1_word2"
"Word1Word2"
- step pages: "page_1.asp" "page02.aspx"
- language: "amministrazione" / "admin"


> On Fri, Sep 21, 2012 at 8:12 PM, Alessandro Gai
> <alessandro.gai at mediaservice.net> wrote:
>> - Identification and bypass of WAFs: an introduction about WAFs, how to
>> identify the presence of them and a short description of fundamental
>> bypass techniques.
> I generally turn off the WAF during testing.