[Owasp-testing] V4 Update ideas

Ismael Rocha ismaelrocha.projetos at gmail.com
Thu Sep 27 11:57:20 UTC 2012


Hello All.

About the suggestion of WAF, I've suggested in a previous email a topic
that talks about Evasion techniques in general and WAF could fit in it. The
idea of this topic is to talk about filter evasion in general.

Talking about the audience, I agree with Maurizio's considerations about the
theme and we should try to answer the question about a person who is
learning his job. If you take for example "The Web Application Hacker's
Handbook", it presents even the HTTP protocol there (just to illustrate).

Regards.

Ismael Gonçalves

On Thu, Sep 27, 2012 at 7:28 AM, David Fern <dfern at verizon.net> wrote:

> Great Point!
>
> I think that this means that we need to specifically state at the beginning of
> the document "Who the intended audience is"
>
> I think the guide should be the "one stop shop" for the "newbie"
>
> Not rewriting the other documents but tying them together in one place so
> an experienced person can use it as a quick reference and the newbie can use
> it to learn.
>
> Thanks,
> David :)
>
>    *From:* Agazzini Maurizio <inode at mediaservice.net>
> *To:* owasp-testing at lists.owasp.org
> *Sent:* Thursday, September 27, 2012 5:03 AM
> *Subject:* Re: [Owasp-testing] V4 Update ideas
>
> On 27/09/2012 01:42, Christian Heinrich wrote:
> >
> > The above is already covered in other documents (outside of OWASP) and
> > we would ultimately just be duplicating their information without
> > providing any additional value.
> >
> > Since @mediaservice contribute to the OSSTMM i.e.
> > http://www.isecom.org/team.html then maybe you could include the
> > relevant links to/from the OWASP Testing Guide v4?
> >
>
> Hi Christian,
>
> Before starting to write to the ML about the new ideas/contributions, we
> (some colleagues) discussed how OWASP Testing Guide can be a better guide.
> We tried to ask ourselves what are the points that a newbie "web app
> pentester" needs to learn to do the job.
>
> It's true that a lot of our proposals can be found in other documents, we are
> not creating anything new, but all OWASP TG chapters/info can be found in
> other places. As written in the project overview, the goal of the project
> is to create a "best practices web application penetration testing
> framework", so why exclude some things useful for the testers?
>
> A skilled pentester (maybe one that also does other kinds of PT) doesn't
> need all this info to do the job, he doesn't need a chapter about
> finding the web server technology or a chapter about how to identify if
> a WAF is on the target. So what's the correct audience of OWASP TG? For
> whom is OWASP TG?
>
> Adding just some links to the testing guide is a way, but I'm not sure
> that it is the best way for OWASP to grow.
>
> I hope that other people will also reply to this topic, to know also
> others' thoughts.
>
> Regards,
>
> Maurizio
>
> --
> Maurizio Agazzini                    CISSP, OPST
> Senior Security Advisor              Gsm: +39-346-52.09.207
> @ Mediaservice.net <http://mediaservice.net/> Srl   Tel: +39-011-32.72.100
> Via Santorelli, 15                    Fax: +39-011-32.46.497
> 10095 Grugliasco (TO) ITALY          http://mediaservice.net/disclaimer
>
> "C programmers never die. They are just cast into void"
> _______________________________________________
> Owasp-testing mailing list
> Owasp-testing at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-testing


-- 
Ismael Gonçalves