[Owasp-testing] V4 Update ideas

Christian Heinrich christian.heinrich at cmlh.id.au
Thu Sep 27 22:55:06 UTC 2012


Alessandro,

On Thu, Sep 27, 2012 at 6:45 PM, Alessandro Gai
<alessandro.gai at mediaservice.net> wrote:
> I'd add some example, something like: site:www.testsite.com "upload" OR
> "admin" OR "password"

The difference with the OWASP Testing Guide v3 then is that you would
have to execute multiple searches if the robots.txt and/or metadata
prohibits caching of the content since you cannot retrieve the cached
web page and execute the various regex.

On Thu, Sep 27, 2012 at 6:45 PM, Alessandro Gai
<alessandro.gai at mediaservice.net> wrote:
>> Also, a majority of http://www.hackersforcharity.org/ghdb/ or
>> http://www.exploit-db.com/google-dorks/ aren't vuln, rather they are
>> people copy and pasting the various Google Search Queries :)
> I agree! :)

There is also some WAF product (the name escapes me at the moment)
which will mimic the various GHDB and will then trigger an alarm when
the generated page is accessed.

On Thu, Sep 27, 2012 at 6:45 PM, Alessandro Gai
<alessandro.gai at mediaservice.net> wrote:
> Burp Target Analyzer generate a good report about dynamic / static
> pages. This is useful.
> I mean also pay attention on tipical application strutcture useful for
> brute force, some example:
> - variables / parameters / directory structure format : "word1_word2"
> "Word1Word2
> - step pages: "page_1.asp" "page02.aspx"
> - language: "amministrazione" / "admin"

OK


-- 
Regards,
Christian Heinrich

http://cmlh.id.au/contact


More information about the Owasp-testing mailing list