[Owasp-testing] Testing Guide V4: Stop writing, start the review

Mitchell, Rick (6030318) rick.mitchell at bell.ca
Tue Apr 1 23:24:15 UTC 2014


Hi Christian, I think I was unclear. When I suggested something should be removed it was simply the references to "Indirect methods" which are mentioned in the lead-in but not actually covered at all in the article. I wasn't suggesting that INFO-001 should be dropped entirely.

As for the reference links, my confusion is that there seem to be two [1]s which lead to different locations. (There might be two [2]s or [3]s too, I don't recall right this second and don't have time to check.)

Anyway, just my 2 cents, wasn't meant to step on any toes or anything.

Rick

-----Original Message-----
From: Christian Heinrich [mailto:christian.heinrich at cmlh.id.au] 
Sent: Tuesday, April 01, 2014 7:09 PM
To: Mitchell, Rick (6030318)
Cc: owasp-testing at lists.owasp.org
Subject: Re: [Owasp-testing] Testing Guide V4: Stop writing, start the review

Rick,

On Wed, Apr 2, 2014 at 1:03 AM, Mitchell, Rick (6030318) <rick.mitchell at bell.ca> wrote:
> Testing: Conduct search engine discovery/reconnaissance for information leakage (OTG-INFO-001)
> * Lead-in paragraph indicates: "Indirect methods relate to gleaning sensitive design and configuration information by searching forums, newsgroups and tendering websites." Yet no such information is covered in the entry. IMHO either this article needs to be beefed up or the statement should be removed.
> * Made minor corrections related to punctuation (addition of Oxford commas and some missing periods, as well as borders on images).

I didn't contribute this to v4 due to smear enabled by the incompetence of Dinis Cruz, Jeff Williams, Tom Brennan, Paulo Coimbra and Brad Causey i.e.
https://www.owasp.org/index.php?title=OWASP_Inquiries/Google_Hacking_Project&oldid=169442

I have no issue with OTG-INFO-001 being removed from v4 as it would appear to have taken the more popular and less technical view of http://www.hackersforcharity.org/ghdb/ that lacks the innovation or "common sense" :) that I presented at the OWASP Conference in New York in 2009 i.e. http://www.youtube.com/watch?v=BgXSlEenNeA

On Wed, Apr 2, 2014 at 1:03 AM, Mitchell, Rick (6030318) <rick.mitchell at bell.ca> wrote:
> Testing: Review Webserver Metafiles for Information Leakage (OTG-INFO-003)
> * Reference links in this article are confusing. For example: [1] in the "Summary" section is not the same as [1] in the "How to Test" section...
> * Minor updates, grammar and content.

The reference to OWASP-IG-009 is stated within the "Summary" and "Test Objectives" sections i.e. "... the list of directories that are to be avoided by Spiders/Robots/Crawler ..."

This is the "Disallow" directive of the Robots Exclusion Protocol expanded within the "How to Test" section. Perhaps adding a mention of the "Disallow" directive without complicating the "Summary" and "Test Objectives" sections would clarify this?


--
Regards,
Christian Heinrich

http://cmlh.id.au/contact

