[Owasp-testing] Owasp-testing Digest, Vol 84, Issue 3

Denis Vinny ddtaxe at gmail.com
Tue Mar 24 13:40:31 UTC 2015


Hi, Jeff.
I agree with you.
I think that this could be covered under the Information Gathering section:
simple test guidelines instructing how to get the data.
Regards.

Denis Mello

2015-03-24 9:00 GMT-03:00 <owasp-testing-request at lists.owasp.org>:

> Message: 1
> Date: Tue, 24 Mar 2015 10:44:19 +0000
> From: Jeff Sergeant <jeffuk at gmail.com>
> To: owasp-testing at lists.owasp.org
> Subject: [Owasp-testing] Addition of CSS to (OTG-INFO-005)
> Message-ID: <CAAHcKrqfHSh=eqm2iXGN6PfJK70P15GsaqmNudxjsCwuGJhR9A at mail.gmail.com>
>
> Good Morning!
>
> I have recently seen a few applications where the stylesheets give away
> information that they probably shouldn't, and are useful to a tester.
>
> E.g. I'm looking at a site now where the admin login page has a
> 'default.css' which is evidently used for unauthenticated and
> authenticated users, and gives me an insight into the full structure of the
> application behind the login, by virtue of referring to classes like
> .AddUser, .RemoveUser, .DeletePage etc., and with reference to icons like
> images/newProduct.png etc.
>
> I've seen cases where it's possible to identify filenames this way:
> knowing that admin_portal.php is the login page, and seeing
> .admin_portal{...} .admin_home{...} .admin_settings{...}
> .admin_new_user{...} in the CSS, allows the tester to infer the existence of
> admin_home.php, admin_settings.php etc. without actually having to log
> in.
>
> I think this would fit well in OTG-INFO-005;  any thoughts?
>
> Regards,
>
> Jeff Sergeant
>



-- 
To breathe is a consequence of... Running! Run Fast!

There is no glory in practice, but without practice there is no glory!
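The kind of check the thread describes, written as an added example (not code from the list or from the OWASP Testing Guide) that a developer can run over their own stylesheets before release: it pulls class names and asset references out of a flat CSS file, flags those whose names hint at privileged features, and shows how a known page name plus shared class prefixes leads to guessed filenames. The sample stylesheet, the hint word list and the `infer_candidate_paths` helper are constructed for illustration.

```python
import re

# Constructed sample stylesheet, modelled on the shared 'default.css' described in the thread.
SAMPLE_CSS = """
/* one stylesheet served to anonymous and logged-in users */
body { font-family: sans-serif; }
.login-box { width: 300px; margin: 2em auto; }
.AddUser, .RemoveUser { color: #c00; }
.DeletePage { background: url(images/deletePage.png) no-repeat; }
.admin_portal { padding: 1em; }
.admin_home { background-image: url("images/admin_home.png"); }
.admin_settings, .admin_new_user { display: none; }
"""

COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
RULE_RE = re.compile(r"([^{}]+)\{([^{}]*)\}")      # selector-list { declarations }
CLASS_RE = re.compile(r"\.([A-Za-z_][\w-]*)")       # .className inside a selector
URL_RE = re.compile(r"url\(\s*['\"]?([^'\")]+)['\"]?\s*\)")

def parse_rules(css):
    """Return (selector_text, declaration_text) pairs for each flat rule.
    Nested blocks such as @media are not descended into; enough for a lint pass."""
    return RULE_RE.findall(COMMENT_RE.sub("", css))

def extract_class_names(css):
    names = set()
    for selectors, _ in parse_rules(css):        # classes only from selectors, never from url()
        names.update(CLASS_RE.findall(selectors))
    return sorted(names)

def extract_asset_refs(css):
    refs = set()
    for _, declarations in parse_rules(css):
        refs.update(URL_RE.findall(declarations))
    return sorted(refs)

# Hypothetical keyword list; tune it to the application's own vocabulary.
SENSITIVE_HINTS = ("admin", "add", "remove", "delete", "new", "settings")

def flag_sensitive(items, hints=SENSITIVE_HINTS):
    """Return the names that contain a hint word (case-insensitive)."""
    return [item for item in items if any(h in item.lower() for h in hints)]

def infer_candidate_paths(class_names, known_page, ext=".php"):
    """Given one page known to exist (admin_portal.php) whose name matches a class,
    list the other classes sharing its prefix as candidate pages, as the post describes."""
    prefix = known_page.split("_", 1)[0] + "_"
    return [c + ext for c in class_names if c.startswith(prefix) and c != known_page]
```

Running it over the shared stylesheet shows that splitting the admin-only rules into a file served only after authentication removes every flagged name from what an anonymous visitor can fetch.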