[Owasp-testing] V4 Update ideas

Irene Abezgauz irene at seekersec.com
Thu Sep 27 12:13:59 UTC 2012

+1, but with a slight reservation.


The problem with having an introduction that presents the HTTP protocol in detail is that the next thing you find yourself doing is explaining TCP... We need to set a certain boundary on how deep and detailed we get.

However, what I think we do need to do is make sure that we provide an introduction and relevant chapters that allow the user to go and perform additional reading when needed.


This means in the introduction there should be a paragraph along the following lines - this guide assumes the reader has basic knowledge of HTTP, the concept of an intercepting proxy, etc. (we could even drop a couple of lines on each, but not go into a full-blown explanation of what each of these means).

Then say that a reader who is not familiar with these basic and important topics can read more on the subject here, here and here (and here). 


I think this extends to various other issues we've discussed previously. For example, on the topic of mobile testing, I don't think we should avoid mentioning it altogether, but rather have a short paragraph that says here is what is similar, here is what is different (at a very high level), then refer the user to the mobile testing guide. The same goes for testing of applications using non-HTTP protocols, for example, and various other topics that I think should be mentioned if we are trying to create a single document from where the user can branch and read more if needed.


My 2c.




From: owasp-testing-bounces at lists.owasp.org [mailto:owasp-testing-bounces at lists.owasp.org] On Behalf Of Ismael Rocha
Sent: Thursday, September 27, 2012 1:57 PM
To: David Fern
Cc: owasp-testing at lists.owasp.org
Subject: Re: [Owasp-testing] V4 Update ideas


Hello All.


About the suggestion of WAF, I've suggested in a previous email a topic that talks about Evasion techniques in general and WAF could fit in it. The idea of this topic is to talk about filter evasion in general.


Talking about the audience, I agree with Maurizio's considerations about the theme and we should try to answer the question about a person who is learning his job. If you take for example "The Web Application Hacker's Handbook", it presents even the HTTP protocol there (just to illustrate).




Ismael Gonçalves

On Thu, Sep 27, 2012 at 7:28 AM, David Fern <dfern at verizon.net> wrote:

Great Point!


I think that this means that we need to specifically state at the beginning of the document "Who the intended audience is".


I think the guide should be the "one stop shop" for the "newbie"


Not rewriting the other documents but tying them together in one place so an experienced person can use it as a quick reference and the newbie can use it to learn.



David :)


From: Agazzini Maurizio <inode at mediaservice.net>
To: owasp-testing at lists.owasp.org 
Sent: Thursday, September 27, 2012 5:03 AM
Subject: Re: [Owasp-testing] V4 Update ideas

On 27/09/2012 01:42, Christian Heinrich wrote:
> The above is already covered in other documents (outside of OWASP) and
> we would ultimately just be duplicating their information without
> providing any additional value.
> Since @mediaservice contribute to the OSSTMM i.e.
> http://www.isecom.org/team.html then maybe you could include the
> relevant links to/from the OWASP Testing Guide v4?

Hi Christian,

Before starting to write to the ML with the new ideas/contributions, we
(some colleagues) discussed how the OWASP Testing Guide can be a better
guide; we tried to ask ourselves what are the points that a newbie "web app
pentester" needs to learn to do the job.

It's true that a lot of our proposals can be found in other documents, we are
not creating anything new, but all OWASP TG chapters/info can be found in
other places. As written in the project overview, the goal of the project
is to create a "best practices web application penetration testing
framework", so why exclude some things useful for the testers?

A skilled pentester (maybe one that also does other kinds of PT) doesn't
need all this info to do the job; he doesn't need a chapter about
finding the web server technology or a chapter about how to identify if
a WAF is on the target. So what's the correct audience of OWASP TG? Who
is OWASP TG for?

Adding just some links to the testing guide is a way, but I'm not sure
that it is the best way for OWASP to grow.

I hope that other people will also reply to this topic, to know
others' thoughts as well.



Maurizio Agazzini                    CISSP, OPST
Senior Security Advisor              Gsm: +39-346-52.09.207
@ Mediaservice.net Srl               Tel: +39-011-32.72.100
Via Santorelli, 15                   Fax: +39-011-32.46.497
10095 Grugliasco (TO) ITALY          http://mediaservice.net/disclaimer

"C programmers never die. They are just cast into void"
Owasp-testing mailing list
Owasp-testing at lists.owasp.org

