[Owasp-testing] Testing Guide V4: Stop writing, start the review

Christian Heinrich christian.heinrich at cmlh.id.au
Tue Apr 1 23:09:27 UTC 2014


On Wed, Apr 2, 2014 at 1:03 AM, Mitchell, Rick (6030318)
<rick.mitchell at bell.ca> wrote:
> Testing: Conduct search engine discovery/reconnaissance for information leakage (OTG-INFO-001)
> * Lead-in paragraph indicates: " Indirect methods relate to gleaning sensitive design and configuration information by searching forums, newsgroups and tendering websites." Yet no such information is covered in the entry. IMHO either this article needs to be beefed up or the statement should be removed.
> * Made minor corrections related to punctuation (addition of Oxford commas and some missing periods, as well as borders on images).

I didn't contribute this to v4 due to smear enabled by the
incompetence of Dinis Cruz, Jeff Williams, Tom Brennan, Paulo Coimbra
and Brad Causey i.e.

I have no issue with OTG-INFO-001 being removed from v4 as it would
appear to have taken the more popular and less technical view of
http://www.hackersforcharity.org/ghdb/ that lacks the innovation or
"common sense" :) that I presented at the OWASP Conference in New York
in 2009 i.e. http://www.youtube.com/watch?v=BgXSlEenNeA

On Wed, Apr 2, 2014 at 1:03 AM, Mitchell, Rick (6030318)
<rick.mitchell at bell.ca> wrote:
> Testing: Review Webserver Metafiles for Information Leakage (OTG-INFO-003)
> * Reference links in this article are confusing. For example: [1] in the "Summary" section is not the same as [1] in the "How to Test" section...
> * Minor updates, grammar and content.

The reference to OWASP-IG-009 is stated within the "Summary" and "Test
Objectives" sections i.e. "... the list of directories that are to be
avoided by Spiders/Robots/Crawler ..."

This is the "Disallow" directive of the Robots Exclusion Protocol
expanded within the "How to Test" section.  Perhaps adding a mention
of the "Disallow" directive without complicating the "Summary" and
"Test Objectives" section would clarify this?

Christian Heinrich
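As an added example (not part of this thread or of the Testing Guide), a small Python parser for the Robots Exclusion Protocol that groups Allow/Disallow rules by User-agent and lists the locations each Disallow entry discloses, which is the check OTG-INFO-003 describes under "How to Test". The sample robots.txt below is constructed; `parse_robots_txt` and `disclosed_paths` are names chosen here.

```python
"""Parse a robots.txt file and report which paths its Disallow directives disclose."""
# Constructed sample robots.txt; not taken from any real site.
SAMPLE_ROBOTS_TXT = """\
# robots.txt (constructed example)
User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow:            # an empty Disallow forbids nothing
Allow: /public/

User-agent: Googlebot
Disallow: /internal-reports/   # trailing comment

Sitemap: https://example.test/sitemap.xml
"""

def parse_robots_txt(text: str) -> dict:
    """Return {"groups": {agent: {"disallow": [..], "allow": [..]}}, "sitemaps": [..]}.
    Consecutive User-agent lines open one group; its Allow/Disallow lines apply to all of them."""
    groups, sitemaps, current_agents, last_was_agent = {}, [], [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and surrounding whitespace
        if ":" not in line:
            continue                                # blank line or junk
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()                       # directive names are case-insensitive
        if field == "user-agent":
            if not last_was_agent:
                current_agents = []                 # a new group starts here
            current_agents.append(value)
            groups.setdefault(value, {"disallow": [], "allow": []})
            last_was_agent = True
            continue
        last_was_agent = False
        if field == "sitemap":
            sitemaps.append(value)
        elif field in ("disallow", "allow") and value:   # empty value = no rule
            for agent in current_agents:
                groups[agent][field].append(value)
    return {"groups": groups, "sitemaps": sitemaps}

def disclosed_paths(parsed: dict) -> list:
    """(agent, path) pairs a reviewer records under OTG-INFO-003: every Disallow entry
    other than "/" names a location the operator wanted crawlers to stay out of."""
    return [(agent, path) for agent, rules in parsed["groups"].items()
            for path in rules["disallow"] if path != "/"]

if __name__ == "__main__":
    for agent, path in disclosed_paths(parse_robots_txt(SAMPLE_ROBOTS_TXT)):
        print(f"{agent:>10}  {path}")
```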

