[Owasp-testing] Testing Guide v4: 2nd phase: Writing

Andrew Muller andrew at ionize.com.au
Wed Jan 2 23:44:45 UTC 2013


That makes sense too :) 

Re the vulnerability list from the ASDR; I think a reference to the more comprehensive CWE list in the test guide is more appropriate as the ASDR list is a subset of the CWE (the ASDR project itself lists CWE as a related project). From here we could go down the road of "well if we're referencing CWE, or ASDR, why don't we have test cases for each of the CWE or ASDR software weaknesses?" I'm in favour of referencing one or the other for now and investigating whether it's feasible to adopt this approach in the next version given the scope of such an undertaking. 


----- Original Message -----

From: "Eduardo Castellanos" <guayin at gmail.com> 
To: "Andrew Muller" <andrew at ionize.com.au> 
Cc: owasp-testing at lists.owasp.org 
Sent: Thursday, 3 January, 2013 10:19:30 AM 
Subject: Re: [Owasp-testing] Testing Guide v4: 2nd phase: Writing 


@Andrew, I'm more inclined towards the data validation section as the main issue here would be that the file extension or the file's contents are not properly validated/sanitized. 


@Jim Manico, That's awesome, we only need to reformat it and find a place for it on the guide.  


Regards,  


Eduardo Castellanos N. 


On Wed, Jan 2, 2013 at 5:04 PM, Andrew Muller <andrew at ionize.com.au> wrote: 

Hi Eduardo, 
  I believe we should test for this (I know we currently do). I would suggest putting it into the business logic section given that it is largely a business decision as to what file types should be accepted for upload. 
  
regards, 
  Andrew 

From: "Eduardo Castellanos" <guayin at gmail.com> 
To: owasp-testing at lists.owasp.org 
Sent: Thursday, 3 January, 2013 9:46:41 AM 


Subject: Re: [Owasp-testing] Testing Guide v4: 2nd phase: Writing 


Hello,  


I was wondering in what part of the guide do we check for unrestricted/unvalidated file uploads? Should it be a new issue to test for? 


Regards, 


Eduardo Castellanos N. 


On Fri, Nov 9, 2012 at 3:08 AM, Andrew Muller <andrew at ionize.com.au> wrote: 

<blockquote>
Understood. I'll get writing 



----- Original Message ----- 
From: Matteo Meucci <matteo.meucci at owasp.org> 
To: Andrew Muller <andrew at ionize.com.au> 
Cc: owasp-testing at lists.owasp.org 
Sent: Fri, 09 Nov 2012 19:54:24 +1100 (EST) 
Subject: Re: [Owasp-testing] Testing Guide v4: 2nd phase: Writing 

Hi Andrew, 
We started writing to have a first draft of the guide soon. 
Then we can review the ToC and understand what we can improve. 
Makes sense? 

Thanks, 
Mat 

On 11/09/2012 05:50 AM, Andrew Muller wrote: 
> Hi Matteo, 
> 
> It's been a bit quiet on the v4 Wiki. When did you want the ToC to be 
> finalised and writing on each of the test cases to be completed? 
> 
> 
> 
> regards, 
> 
> Andrew. 
> 
> ------------------------------------------------------------------------ 
> 
> *From: *"Matteo Meucci" <matteo.meucci at owasp.org> 
> *To: * owasp-testing at lists.owasp.org 
> *Sent: *Wednesday, 10 October, 2012 2:36:40 AM 
> *Subject: *[Owasp-testing] Testing Guide v4: 2nd phase: Writing 
> 
> Hi all, 
> I've reviewed the ToC and added a new paragraph for each new issue to write. 
> https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents#4._Web_Application_Penetration_Testing 
> 
> For example a new article will be like that: 
> https://www.owasp.org/index.php/Testing_for_HTTP_Parameter_pollution_%28OWASP-DV-004%29 
> 
> Regarding the set of articles to review I linked the v3 articles with 
> the idea to modify that. 
> For example: 
> https://www.owasp.org/index.php/Testing_for_Reflected_Cross_site_scripting_%28OWASP-DV-001%29 
> 
> So from now the wiki will be our draft for v4 and v3 will be available 
> only via PDF. 
> 
> Many of you are not assigned to an article. 
> Please, from now tell me what section would you like to write. We have 
> to assign all the articles in the next few days. 
> 
> Feedback: The ToC is 90% complete; please send me your feedback 
> about the new ToC and my notes in the ToC. 
> 
> Now we can start writing! 
> Please keep me updated (I monitor all the changes on the wiki). Use the 
> ml for general discussion and my email for specific issues. 
> 
> Thanks, 
> Mat 
> 
> 
> -- 
> Matteo Meucci 
> OWASP Testing Guide Lead 
> OWASP Italy President 
> _______________________________________________ 
> Owasp-testing mailing list 
> Owasp-testing at lists.owasp.org 
> https://lists.owasp.org/mailman/listinfo/owasp-testing 
> 

-- 
Matteo Meucci 
OWASP Testing Guide Lead 
OWASP Italy President 

-- 
__________________________ 
Andrew Muller 
Ionize Pty Ltd 
Information Security Consultants 


Level 1 
44-52 Townshend St 
PHILLIP ACT 2606 

P: 02 6108 3695 | Mobile: 0400 481 179 | Fax: 02 6223 5244 
E-mail: andrew at ionize.com.au 








</blockquote>
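The thread above asks where the guide should test for unrestricted file uploads, and Eduardo's reply names the two checks that are usually missing: the file extension and the file's contents. The following is an added example, not code from the OWASP Testing Guide or from anyone on this list, showing what a minimal server-side validator that performs both checks looks like. The allowlist of extensions, the 5 MiB size limit, and the helper names (`sanitized_basename`, `validate_upload`) are choices made for this example; the leading-byte signatures for PNG, JPEG, GIF and PDF are the real file-format signatures.

```python
import os
import re
import secrets

# Added example, not code from the OWASP Testing Guide or from this thread:
# a minimal server-side upload validator covering the two checks the
# discussion says are usually missing (file extension and file contents),
# plus a size limit and a server-chosen storage name.

# Constructed allowlist: permitted extensions mapped to the leading bytes
# ("magic numbers") a genuine file of that type starts with.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # assumed limit for this example


def sanitized_basename(client_filename):
    """Strip any directory part the client supplied and restrict characters."""
    base = os.path.basename(client_filename.replace("\\", "/"))
    return re.sub(r"[^A-Za-z0-9._-]", "_", base)


def validate_upload(client_filename, content):
    """Return (accepted, reason, stored_name).

    stored_name is a random server-chosen name carrying the validated
    extension, so nothing from the client's filename reaches the filesystem.
    """
    base = sanitized_basename(client_filename)
    if not base or base.startswith("."):
        return False, "empty or hidden filename", None

    parts = base.lower().split(".")
    if len(parts) < 2:
        return False, "missing extension", None

    # Every extension after the first dot must be allowed, so a double
    # extension such as name.php.png is rejected instead of trusting the
    # last one.
    exts = parts[1:]
    if any(ext not in ALLOWED_TYPES for ext in exts):
        return False, "extension not in allowlist", None
    ext = exts[-1]

    if len(content) > MAX_UPLOAD_BYTES:
        return False, "file too large", None

    # The extension alone is not evidence of the type: the content must
    # start with the signature of the claimed type.
    if not content.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not match extension", None

    stored_name = secrets.token_hex(16) + "." + ext
    return True, "ok", stored_name


if __name__ == "__main__":
    # Constructed sample inputs: one genuine PNG header and a few
    # mismatched or malformed submissions.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    samples = [
        ("photo.png", png),
        ("../../etc/passwd.png", png),
        ("script.php", b"<?php echo 1; ?>"),
        ("script.php.png", png),
        ("image.png", b"<?php echo 1; ?>"),
    ]
    for name, data in samples:
        print(name, validate_upload(name, data)[:2])
```

The validator deliberately checks the extension and the content separately and reports which one failed, which is also what a test case in the guide would want to distinguish: an application that only checks the extension passes the first test and fails the second.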

