[Owasp-testing] Testing Guide V4: Stop writing, start the review

John M. Willis john.willis at pinfosec.com
Tue Apr 22 09:13:49 UTC 2014


What is the plan for creating/completing the separate web services 
testing guide?

On 04/22/2014 03:36 AM, Matteo Meucci wrote:
> Hi Irene,
> yes please do now. Samantha is starting the final review phase.
>
> We need to stop writing on the wiki asap.
>
> Thanks,
> Mat
>
> On 04/22/2014 12:29 AM, Samantha Groves wrote:
>> Are we still reviewing or can Jane get started on the copy?
>>
>>
>> On Mon, Apr 21, 2014 at 3:21 PM, Irene Abezgauz <irene at quotium.com
>> <mailto:irene at quotium.com>> wrote:
>>
>>      As we’re doing the final bits –
>>
>>      I’ve reviewed a bunch of articles and have them in a word file (with
>>      track changes), didn’t input them into reviewers spreadsheet or the
>>      wiki of the project.
>>
>>      *In terms of project timelines – still possible to commit those?*
>>
>>      I’ve got reviews with corrections for:
>>
>>      *Testing for Sensitive information sent via unencrypted channels
>>      (OTG-CRYPST-007)*: some additions and changes
>>
>>      *Enumerate Infrastructure and Application Admin Interfaces
>>      (OTG-CONFIG-005)*: minor changes, added tools
>>
>>      *Testing for Account Enumeration and Guessable User Account
>>      (OTG-IDENT-004)*: seems to currently have two pages - one 'old' and
>>      one 'new content', with 'new content' being unfinished. Have
>>      corrections for old.
>>
>>      *Testing for cookies attributes (OWASP-SM-002)*: minor edits
>>
>>      *Testing for Stack Traces (OWASP-IG-XXX)*: minor edits and changes,
>>      needs to be assigned a category number
>>
>>      *Testing for Error Code (OWASP-IG-006)*: some additions, minor changes
>>
>>      *Testing for HTTP Parameter pollution (OWASP-DV-004)*: no changes
>>
>>      *Testing for Session puzzling (OTG-SESS-010)*: minor changes
>>
>>      *Test Session Timeout (OTG-SESS-008)*: minor changes
>>
>>      *Testing for XPath Injection (OWASP-DV-010)*: minor change
>>
>>      The following has an entry which is currently not updated:
>>      https://www.owasp.org/index.php/Testing_for_Weak_or_unenforced_username_policy_%28OWASP-AT-009%29
>>
>>      *Testing for Weak or unenforced username policy (OTG-IDENT-005)*:
>>      needs to be rewritten
>>
>>      And, per the recommendation already in the spreadsheet and after
>>      looking at both, I suggest that Test Upload of Malicious Files
>>      (OTG-BUSLOGIC-016) and Test Upload of Unexpected File Types
>>      (OTG-BUSLOGIC-015) should indeed be merged (separating them into
>>      malicious file upload and malicious file extension seems redundant);
>>      I can easily rewrite.
>>
>>      Irene
>>
>>
>>      *From:* owasp-testing-bounces at lists.owasp.org
>>      <mailto:owasp-testing-bounces at lists.owasp.org>
>>      [mailto:owasp-testing-bounces at lists.owasp.org
>>      <mailto:owasp-testing-bounces at lists.owasp.org>] *On Behalf Of*
>>      Samantha Groves
>>      *Sent:* Friday, April 18, 2014 6:59 PM
>>      *To:* Matteo Meucci
>>      *Cc:* owasp-testing at lists.owasp.org
>>      <mailto:owasp-testing at lists.owasp.org>
>>      *Subject:* Re: [Owasp-testing] Testing Guide V4: Stop writing, start
>>      the review
>>
>>
>>      End of August is when the project should end, but I believe we will
>>      finish earlier as Joan and Hugo are on the last bits of the work.
>>      Thank you for the feedback on the covers, Matteo. :-)
>>
>>
>>      On Fri, Apr 18, 2014 at 6:12 AM, Matteo Meucci
>>      <matteo.meucci at owasp.org <mailto:matteo.meucci at owasp.org>> wrote:
>>
>>      We are under final review.
>>
>>      Samantha, we have a final date for the release?
>>
>>      Thanks,
>>      Mat
>>
>>
>>
>>      On 04/18/2014 03:10 PM, Lovelace, Sunni wrote:
>>      > Is there a release date for Testing Guide V4?
>>
>>      >
>>      >
>>      >
>>      > -----Original Message-----
>>      > From: owasp-testing-bounces at lists.owasp.org
>>      <mailto:owasp-testing-bounces at lists.owasp.org>
>>      [mailto:owasp-testing-bounces at lists.owasp.org
>>      <mailto:owasp-testing-bounces at lists.owasp.org>] On Behalf Of Jim Manico
>>      > Sent: Tuesday, April 01, 2014 5:13 PM
>>      > To: Matteo Meucci; owasp-testing at lists.owasp.org
>>      <mailto:owasp-testing at lists.owasp.org>
>>      > Subject: Re: [Owasp-testing] Testing Guide V4: Stop writing, start
>>      the review
>>      >
>>
>>      > Wow, very exciting. :) I'm thrilled to see this close to getting
>>      released!
>>      >
>>      > Aloha,
>>      > Jim
>>
>>      >
>>      > On 4/1/14, 10:47 AM, Matteo Meucci wrote:
>>      >> Hi all,
>>      >> the reviewing phase is finished.
>>      >> Some reviewers did the review, but it is not complete.
>>      >>
>>      >> Please if you have reviews to add to the wiki do it now.
>>      >>
>>      >> In the next days we will start the last phase of the project.
>>      >>
>>      >> Thanks!
>>      >> Mat
>>      >>
>>      >> On 04/01/2014 04:03 PM, Mitchell, Rick (6030318) wrote:
>>      >>> I had some time to tackle more review this morning. I only made
>>      it through the first few sections, here are some notes:
>>      >>>
>>      >>> Testing: Conduct search engine discovery/reconnaissance for
>>      >>> information leakage (OTG-INFO-001)
>>      >>> * Lead-in paragraph indicates: " Indirect methods relate to
>>      gleaning sensitive design and configuration information by searching
>>      forums, newsgroups and tendering websites." Yet no such information
>>      is covered in the entry. IMHO either this article needs to be beefed
>>      up or the statement should be removed.
>>      >>> * Made minor corrections related to punctuation (addition of
>>      Oxford commas and some missing periods, as well as borders on images).
>>      >>>
>>      >>> Fingerprint Web Server (OTG-INFO-002)
>>      >>> * Minor updates, grammar and content.
>>      >>> * Makes me wonder if we have a style guide? Are we supposed to
>>      be using Title Caps for section naming?
>>      >>>
>>      >>> Testing: Review Webserver Metafiles for Information Leakage
>>      >>> (OTG-INFO-003)
>>      >>> * Reference links in this article are confusing. For example:
>>      [1] in the "Summary" section is not the same as [1] in the "How to
>>      Test" section...
>>      >>> * Minor updates, grammar and content.
>>      >>>
>>      >>> Rick
>>      >>>
>>      >>>
>>      >>> -----Original Message-----
>>      >>> From: owasp-testing-bounces at lists.owasp.org
>>      <mailto:owasp-testing-bounces at lists.owasp.org>
>>      >>> [mailto:owasp-testing-bounces at lists.owasp.org
>>      <mailto:owasp-testing-bounces at lists.owasp.org>] On Behalf Of Matteo
>>      >>> Meucci
>>      >>> Sent: Saturday, March 08, 2014 6:25 PM
>>      >>> To: owasp-testing at lists.owasp.org
>>      <mailto:owasp-testing at lists.owasp.org>
>>      >>> Cc: Andrew Muller; Davide Danelon
>>      >>> Subject: [Owasp-testing] Testing Guide V4: Stop writing, start the
>>      >>> review
>>      >>>
>>      >>> Dear OWASP Testing Guide followers.
>>      >>> thanks to David who did the last rush, we have closed the Testing
>>      >>> Guide Project's first phase!
>>      >>> Many thanks to all the contributors!
>>      >>>
>>      >>> All the articles are closed now.
>>      >>> Now it is time for the reviewers.
>>      >>>
>>      >>> You can see the status here:
>>      >>>
>>      >>> https://docs.google.com/a/owasp.org/spreadsheet/ccc?key=0AmEhPtZ0cHq3dDc5ZFI0Nm9oSkhzNkNxTzNJbGdPdVE#gid=0
>>      >>>
>>      >>> Now the ToC is definitive:
>>      >>>
>>      >>> https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
>>      >>>
>>      >>> We deleted many items and 3 chapters:
>>      >>> - Web Services Testing (not completed at all, it's better to have a
>>      >>> separate guide on this)
>>      >>> - Logging (not in scope of the wapt)
>>      >>> - Denial of Service (not in scope of the wapt)
>>      >>>
>>      >>> Now we have split the set of active tests in 12 sub-categories for a
>>      >>> total of 91 controls:
>>      >>> Information Gathering
>>      >>> Configuration and Deploy Management Testing
>>      >>> Identity Management Testing
>>      >>> Authentication Testing
>>      >>> Authorization Testing
>>      >>> Session Management Testing
>>      >>> Data Validation Testing
>>      >>> Error Handling
>>      >>> Cryptography
>>      >>> Logging
>>      >>> Business Logic Testing
>>      >>> Client Side Testing
>>      >>>
>>      >>> NEXT STEP:
>>      >>> We'll contact all the proposed reviewers asking them to review the
>>      >>> Guide in the next 2 weeks:
>>      >>>> Paolo Perego
>>      >>>> Daniel Cuthbert
>>      >>>> Matthew Churcher
>>      >>>> Lode Vanstechelman
>>      >>>> Sebastien Gioria
>>      >>>> Antonio Fontes
>>      >>> Any others that want to help? Please answer only if you can review
>>      >>> the guide in the next days.
>>      >>>
>>      >>> Deadline: end of March 2014
>>      >>>
>>      >>> Thanks!
>>      >>> Mat & Andrew
>>      >>>
>>      >>> --
>>      >>> Matteo Meucci
>>      >>> OWASP Testing Guide co-Lead
>>      >>> OWASP Italy President
>>      >>>
>>      >>>
>>      >>> _______________________________________________
>>      >>> Owasp-testing mailing list
>>      >>> Owasp-testing at lists.owasp.org <mailto:Owasp-testing at lists.owasp.org>
>>      >>> https://lists.owasp.org/mailman/listinfo/owasp-testing
>>      >>>
>>      >
>>
>>      --
>>      Matteo Meucci
>>      OWASP Testing Guide Lead
>>      OWASP Italy President
>>
>>
>>      --
>>      *Samantha Groves, MBA*
>>      /OWASP Projects Manager/
>>
>>      The OWASP Foundation
>>      Phoenix, USA
>>      Email: samantha.groves at owasp.org <mailto:samantha.groves at owasp.org>
>>      Skype: samanthahz
>>
>>      OWASP Global Projects
>>      <https://www.owasp.org/index.php/Category:OWASP_Project>
>>      Book a Meeting with Me <http://goo.gl/mZXdZ>
>>      OWASP Contact US Form <http://owasp4.owasp.org/contactus.html>
>>      New Project Application Form <http://www.tfaforms.com/263506>
>>
>>
>>


