[Owasp-testing] Testing Guide V4: Stop writing, start the review

Mitchell, Rick (6030318) rick.mitchell at bell.ca
Tue Apr 1 14:03:32 UTC 2014

I had some time to tackle more review this morning. I only made it through the first few sections, here are some notes:

Testing: Conduct search engine discovery/reconnaissance for information leakage (OTG-INFO-001)
* Lead-in paragraph indicates: " Indirect methods relate to gleaning sensitive design and configuration information by searching forums, newsgroups and tendering websites." Yet no such information is covered in the entry. IMHO either this article needs to be beefed up or the statement should be removed.
* Made minor corrections related to punctuation (addition of Oxford commas and some missing periods, as well as borders on images).

Fingerprint Web Server (OTG-INFO-002)
* Minor updates, grammar and content.
* Makes me wonder if we have a style guide? Are we supposed to be using Title Caps for section naming?

Testing: Review Webserver Metafiles for Information Leakage (OTG-INFO-003)
* Reference links in this article are confusing. For example: [1] in the "Summary" section is not the same as [1] in the "How to Test" section...
* Minor updates, grammar and content.


-----Original Message-----
From: owasp-testing-bounces at lists.owasp.org [mailto:owasp-testing-bounces at lists.owasp.org] On Behalf Of Matteo Meucci
Sent: Saturday, March 08, 2014 6:25 PM
To: owasp-testing at lists.owasp.org
Cc: Andrew Muller; Davide Danelon
Subject: [Owasp-testing] Testing Guide V4: Stop writing, start the review

Dear OWASP Testing Guide followers.
thanks to David who did the last rush, we have closed the Testing Guide
Project's first phase!
Many thanks to all the contributors!

All the articles are closed now.
Now it is time for the reviewers.

You can see the status here:

Now the ToC is definitive:

We deleted many items and 3 chapters:
- Web Services Testing (no completed at all, it's better to have a
separate guide on this)
- Logging (not in scope of the wapt)
- Denial of Service (not in scope of the wapt)

Now we have split the set of active tests in 12 sub-categories for a
total of 91 controls:
Information Gathering
Configuration and Deploy Management Testing
Identity Management Testing
Authentication Testing
Authorization Testing
Session Management Testing
Data Validation Testing
Error Handling
Business Logic Testing
Client Side Testing

We'll contact all the proposed reviewers asking them to review the
Guide in the next 2 weeks:
> Paolo Perego
> Daniel Cuthbert
> Matthew Churcher
> Lode Vanstechelman
> Sebastien Gioria
> Antonio Fontes

Any others that want to help? Please answer only if you can review the
guide in the next days.

Deadline: end of March 2014

Mat & Andrew

Matteo Meucci
OWASP Testing Guide co-Lead
OWASP Italy President

Owasp-testing mailing list
Owasp-testing at lists.owasp.org

More information about the Owasp-testing mailing list