[Owasp-testing] V4 Update ideas

Kevin Horvath kevin.horvath at gmail.com
Thu Sep 27 12:27:59 UTC 2012


I think WAF evasion (or other evasion such as reverse proxy, IPS,
etc.) should be included as an Appendix, if at all, or just add a
reference to other projects where applicable.  If we start to include
other topics then the guide starts to trail off and we end up with a
1000+ page guide that is almost to cumbersome to use.  WAF evasion or
even just overall evasion techniques could potentially be an OWASP
project in itself.  Just my 2 cents.

Kevin

On Thu, Sep 27, 2012 at 7:57 AM, Ismael Rocha
<ismaelrocha.projetos at gmail.com> wrote:
> Hello All.
>
> About the suggestion of WAF, I've suggested in a previous email a topic that
> talks about Evasion techniques in general and WAF could fit in it. The idea
> of this topic is to talk about filter evasion in general.
>
> Talking about the audience, I agree with Maurizio considerations about the
> theme and we should try to answer the question about a person who is
> learning his job. If you take for example "The Web Application Hackers
> Handbook", it presents even the HTTP protocol there (just to illustrate).
>
> Regards.
>
> Ismael Gonçalves
>
> On Thu, Sep 27, 2012 at 7:28 AM, David Fern <dfern at verizon.net> wrote:
>>
>> Great Point!
>>
>> I think taht this means that we need to specifically at the beginning of
>> the document "Who the intended audience is"
>>
>> I think the guide should be the "one stop shop" for the "newbie"
>>
>> Not rewriting the other documents but tieing them together in one place so
>> an experience person can use it as a quick reference and the newbie can use
>> it to leran.
>>
>> Thanks,
>> David :)
>>
>> From: Agazzini Maurizio <inode at mediaservice.net>
>> To: owasp-testing at lists.owasp.org
>> Sent: Thursday, September 27, 2012 5:03 AM
>> Subject: Re: [Owasp-testing] V4 Update ideas
>>
>> On 27/09/2012 01:42, Christian Heinrich wrote:
>> >
>> > The above is already covered in other documents (outside of OWASP) and
>> > we would ultimately just be duplicating their information without
>> > providing any additional value.
>> >
>> > Since @mediaservice contribute to the OSSTMM i.e.
>> > http://www.isecom.org/team.html then maybe you could include the
>> > relevant links to/from the OWASP Testing Guide v4?
>> >
>>
>> Hi Christian,
>>
>> Before starting write to the ML for the new ideas/contributions we
>> discuss (some colleagues) how OWASP Testing Guide can be a better guide,
>> we tried to ask ourself what are the point that a newbie "web app
>> pentester" need to learn to do the job.
>>
>> It's true a lot of our proposal can be found on others documents, we are
>> not creating nothing new, but all OWASP TG chapter/info can be found in
>> others places. As wrote on the project overview, the goal of the project
>> it's create a "best practices web application penetration testing
>> framework", so why exclude some things useful for the testers?
>>
>> A skilled pentester (maybe one that do also others kind of PT) doesn't
>> need all these info for do the job, he don't need a chapter about
>> finding the web server technology or a chapter about how to identify if
>> a WAF is on the target. So what's the correct audience of OWASP TG? For
>> who is OWASP TG?
>>
>> Add just some links to the testing guide it's a way, but I'm not sure
>> that is the best way for OWASP to grow.
>>
>> I hope that also others people will reply to this topic to know also
>> others thought.
>>
>> Regars,
>>
>> Maurizio
>>
>> --
>> Maurizio Agazzini                    CISSP, OPST
>> Senior Security Advisor              Gsm: +39-346-52.09.207
>> @ Mediaservice.net Srl                Tel: +39-011-32.72.100
>> Via Santorelli, 15                    Fax: +39-011-32.46.497
>> 10095 Grugliasco (TO) ITALY          http://mediaservice.net/disclaimer
>>
>> "C programmers never die. They are just cast into void"
>> _______________________________________________
>> Owasp-testing mailing list
>> Owasp-testing at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-testing
>>
>>
>>
>> _______________________________________________
>> Owasp-testing mailing list
>> Owasp-testing at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-testing
>>
>
>
>
> --
> Ismael Gonçalves
>
> _______________________________________________
> Owasp-testing mailing list
> Owasp-testing at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-testing
>


More information about the Owasp-testing mailing list