[Owasp-testing] Owasp-testing Digest, Vol 61, Issue 1

srinivas.kadiyala at itcinfotech.com srinivas.kadiyala at itcinfotech.com
Thu Jan 3 05:14:43 UTC 2013


Hi,

I forgot the website name. Can you provide me the complete URL?

-
Regards,
Srinivas

-----Original Message-----
From: owasp-testing-bounces at lists.owasp.org
[mailto:owasp-testing-bounces at lists.owasp.org] On Behalf Of
owasp-testing-request at lists.owasp.org
Sent: 03 January 2013 04:42
To: owasp-testing at lists.owasp.org
Subject: Owasp-testing Digest, Vol 61, Issue 1
Importance: High

Today's Topics:

   1. Re: Testing Guide v4: 2nd phase: Writing (Eduardo Castellanos)
   2. Re: Testing Guide v4: 2nd phase: Writing (Jim Manico)
   3. Re: Testing Guide v4: 2nd phase: Writing (Andrew Muller)


----------------------------------------------------------------------

Message: 1
Date: Wed, 2 Jan 2013 16:46:41 -0600
From: Eduardo Castellanos <guayin at gmail.com>
To: owasp-testing at lists.owasp.org
Subject: Re: [Owasp-testing] Testing Guide v4: 2nd phase: Writing
Message-ID:
	<CAFcywCTmZLP7KyZGtvrXaYfqQQ8ug632Go-33azF+_h7=--BsQ at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Hello,

I was wondering in what part of the guide do we check for
unrestricted/unvalidated file uploads? Should it be a new issue to test for?

Regards,

Eduardo Castellanos N.


On Fri, Nov 9, 2012 at 3:08 AM, Andrew Muller <andrew at ionize.com.au> wrote:

> Understood. I'll get writing
>
> ----- Original Message -----
> From: Matteo Meucci <matteo.meucci at owasp.org>
> To: Andrew Muller <andrew at ionize.com.au>
> Cc: owasp-testing at lists.owasp.org
> Sent: Fri, 09 Nov 2012 19:54:24 +1100 (EST)
> Subject: Re: [Owasp-testing] Testing Guide v4: 2nd phase: Writing
>
> Hi Andrew,
> We started writing to have a first draft of the guide soon.
> Then we can review the ToC and understand what we can improve.
> Make sense?
>
> Thanks,
> Mat
>
> On 11/09/2012 05:50 AM, Andrew Muller wrote:
> > Hi Matteo,
> >
> > It's been a bit quiet on the v4 Wiki. When did you want the ToC to
> > be finalised and writing on each of the test cases to be completed?
> >
> >
> >
> > regards,
> >
> > Andrew.
> >
> > --------------------------------------------------------------------
> > ----
> >
> > *From: *"Matteo Meucci" <matteo.meucci at owasp.org>
> > *To: *owasp-testing at lists.owasp.org
> > *Sent: *Wednesday, 10 October, 2012 2:36:40 AM
> > *Subject: *[Owasp-testing] Testing Guide v4: 2nd phase: Writing
> >
> > Hi all,
> > I've reviewed the ToC and added a new paragraph for each new issue to write.
> >
> > https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents#4._Web_Application_Penetration_Testing
> >
> > For example a new article will be like that:
> >
> > https://www.owasp.org/index.php/Testing_for_HTTP_Parameter_pollution_%28OWASP-DV-004%29
> >
> > Regarding the set of articles to review I linked the v3 articles 
> > with the idea to modify that.
> > For example:
> >
> > https://www.owasp.org/index.php/Testing_for_Reflected_Cross_site_scripting_%28OWASP-DV-001%29
> >
> > So from now the wiki will be our draft for v4 and v3 will be 
> > available only via PDF.
> >
> > Many of you are not assigned to an article.
> > Please, from now tell me what section would you like to write. We 
> > have to assign all the articles in the next few days.
> >
> > Feedback: The Toc is completed at 90%, please send me your feedback 
> > about the new ToC and my notes in the Toc.
> >
> > Now we can start writing!
> > Please keep me updated (I monitor all the changes on the wiki). Use
> > the ml for general discussion and my email for specific issues.
> >
> > Thanks,
> > Mat
> >
> >
> > --
> > Matteo Meucci
> > OWASP Testing Guide Lead
> > OWASP Italy President
> > _______________________________________________
> > Owasp-testing mailing list
> > Owasp-testing at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-testing
> >
>
> --
> --
> Matteo Meucci
> OWASP Testing Guide Lead
> OWASP Italy President
>
> --
> __________________________
> Andrew Muller
> Ionize Pty Ltd
> Information Security Consultants
>
>
> Level 1
> 44-52 Townshend St
> PHILLIP ACT 2606
>
> P: 02 6108 3695 | Mobile: 0400 481 179 | Fax: 02 6223 5244
> E-mail: andrew at ionize.com.au
>

------------------------------

Message: 2
Date: Wed, 02 Jan 2013 12:56:35 -1000
From: Jim Manico <jim.manico at owasp.org>
To: Eduardo Castellanos <guayin at gmail.com>
Cc: owasp-testing at lists.owasp.org
Subject: Re: [Owasp-testing] Testing Guide v4: 2nd phase: Writing
Message-ID: <50E4BB23.2070707 at owasp.org>
Content-Type: text/plain; charset=ISO-8859-1

Some reasonable content on this here:

 https://www.owasp.org/index.php/Unrestricted_File_Upload

- Jim

> Hello,
> 
> I was wondering in what part of the guide do we check for
> unrestricted/unvalidated file uploads? Should it be a new issue to test for?
> 
> Regards,
> 
> Eduardo Castellanos N.



------------------------------

Message: 3
Date: Thu, 3 Jan 2013 10:04:22 +1100 (EST)
From: Andrew Muller <andrew at ionize.com.au>
To: Eduardo Castellanos <guayin at gmail.com>
Cc: owasp-testing at lists.owasp.org
Subject: Re: [Owasp-testing] Testing Guide v4: 2nd phase: Writing
Message-ID: <3560613.746.1357167862754.JavaMail.root at ionize.com.au>
Content-Type: text/plain; charset="utf-8"


Hi Eduardo,
I believe we should test for this (I know we currently do). I would
suggest putting it into the business logic section given that it is largely
a business decision as to what file types should be accepted for upload.

regards,
Andrew


----- Original Message -----

From: "Eduardo Castellanos" <guayin at gmail.com> 
To: owasp-testing at lists.owasp.org 
Sent: Thursday, 3 January, 2013 9:46:41 AM 
Subject: Re: [Owasp-testing] Testing Guide v4: 2nd phase: Writing 


Hello,


I was wondering in what part of the guide do we check for
unrestricted/unvalidated file uploads? Should it be a new issue to test for?



Regards, 


Eduardo Castellanos N. 




------------------------------


End of Owasp-testing Digest, Vol 61, Issue 1
********************************************
