<HTML><BODY style="word-wrap: break-word; -khtml-nbsp-mode: space; -khtml-line-break: after-white-space; ">Nope, seems something isn't happy with our version of the wiki and Mac support<DIV><BR class="khtml-block-placeholder"></DIV><DIV>Andrew, you use a Mac, have you seen this before?<BR><DIV><DIV>On 13 Oct 2006, at 20:11, Eoin wrote:</DIV><BR class="Apple-interchange-newline"><BLOCKQUOTE type="cite">Yep, had this before, don't turn on "remember me" and clear your cache.<BR>That seems to solve the problem.<BR><BR><DIV><SPAN class="gmail_quote">On 13/10/06, <B class="gmail_sendername">Daniel Cuthbert</B> <<A href="mailto:daniel.cuthbert@owasp.org">daniel.cuthbert@owasp.org</A>> wrote:</SPAN><BLOCKQUOTE class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Anyone else having an issue with the Wiki?<BR>Seems once I go through the authentication process, the site returns<BR>a blank page.<BR><BR>Confused!<BR>On 13 Oct 2006, at 18:10, Matteo Meucci wrote:<BR><BR>> I've talked about "4.2 Information Gathering" and "4.8 Infrastructure<BR>> and configuration Testing" with Carlo and Stefano.<BR>> (<A href="http://www.owasp.org/index.php/OWASP_Testing_Guide_v2_Table_of_Contents">http://www.owasp.org/index.php/OWASP_Testing_Guide_v2_Table_of_Contents</A>)<BR>><BR>> Maybe we can merge these like that (deleting par. 4.8):<BR>><BR>> 4.2 Information Gathering<BR>> 4.2.1 Spidering and googling<BR>> 4.2.2 Analysis of error codes<BR>> 4.2.3 Infrastructure configuration management testing<BR>> SSL/TLS Testing<BR>> 4.2.4 Application configuration management testing<BR>> File extensions handling<BR>> Old, backup and unreferenced files<BR>><BR>> What is your opinion?<BR>> Mat<BR>><BR>><BR>> On 10/13/06, Matteo Meucci <<A href="mailto:matteo.meucci@gmail.com">matteo.meucci@gmail.com</A>> wrote:<BR>>> Perfect.<BR>>> Thank you Stefano, I've added:<BR>>> 4.4.4 Directory traversal/file include<BR>>><BR>>> What about your second idea... where can we insert this
item?<BR>>><BR>>> Mat<BR>>><BR>>> On 10/13/06, Stefano Di Paola <<A href="mailto:wisec@wisec.it">wisec@wisec.it</A>> wrote:<BR>>>> Just a couple of things that come to my mind (thanks to Matteo and<BR>>>> Alberto)...<BR>>>><BR>>>> The Data Validation Testing chapter misses a little par. about<BR>>>> directory traversal/local file include and remote file include.<BR>>>><BR>>>> Another point is about the authentication and authorization chapter,<BR>>>> on pages<BR>>>> which fail to exit after a redirection when they find the login/<BR>>>> passwd are<BR>>>> wrong.<BR>>>> An example below in PHP:<BR>>>> &lt;?php<BR>>>> if (!islogged())<BR>>>>     header("Location: redir.php");<BR>>>> // no exit() after the redirect, so the logged-in code below still runs<BR>>>> // logged-in code...<BR>>>> ?><BR>>>><BR>>>> Maybe in these cases a paragraph is worth writing to cover the<BR>>>> issue and<BR>>>> to point out the use of command line raw requests like curl and<BR>>>> related.<BR>>>><BR>>>> Stefano<BR>>>><BR>>>><BR>>>><BR>>>> On Thu, 2006-10-12 at 11:51 +0200, Matteo Meucci wrote:<BR>>>>> Yes,<BR>>>>> I think you are right: this paragraph already exists.<BR>>>>> Look at:<BR>>>>> (<A href="http://www.owasp.org/index.php/OWASP_Testing_Guide_v2_Table_of_Contents">http://www.owasp.org/index.php/OWASP_Testing_Guide_v2_Table_of_Contents</A>)<BR>>>>> 4.6 Data Validation Testing 0% TD<BR>>>>> 4.6.1 Cross site scripting 0% TD<BR>>>>> 4.6.1.1 Incubated attacks 0% TD<BR>>>>><BR>>>>> Ariel maybe says that Incubated attacks are a combination of<BR>>>>> SQL Inj<BR>>>>> and XSS, but we can reasonably affirm that it is a particular XSS<BR>>>>> attack.<BR>>>>> In the same paragraph we can show an example of how an XSS Inc<BR>>>>> Attack<BR>>>>> works exploiting an SQL Inj vulnerability.<BR>>>>> Right?<BR>>>>><BR>>>>> Mat<BR>>>>><BR>>>>><BR>>>>><BR>>>>> On 10/12/06, Eoin <<A href="mailto:eoinkeary@gmail.com">eoinkeary@gmail.com</A>> wrote:<BR>>>>>> Hi,<BR>>>>>> incubated attacks are important enough to warrant a section<BR>>>>>> under XSS.
It is<BR>>>>>> another variant of XSS.<BR>>>>>> Matteo, what do you think?<BR>>>>>><BR>>>>>><BR>>>>>><BR>>>>>> On 11/10/06, Ariel Waissbein <<A href="mailto:wata.34mt@coresecurity.com">wata.34mt@coresecurity.com</A>> wrote:<BR>>>>>>> Hi all,<BR>>>>>>><BR>>>>>>> my first post and 2 cents here:<BR>>>>>>><BR>>>>>>> I guess we should make a difference between the techniques of<BR>>>>>>> unit<BR>>>>>>> testing and the results of UT. Even if UT can be used to... e.g.,<BR>>>>>>> discover BO or SQL-injection vulns.<BR>>>>>>><BR>>>>>>> Although, I noticed that there is an Appendix for fuzzing<BR>>>>>>> which is<BR>>>>>>> another technique for discovering (some) vulnerabilities.<BR>>>>>>><BR>>>>>>><BR>>>>>>> A new question: imagine the following situation: the pen tester<BR>>>>>>> discovers a SQL-injection vulnerability in a webapp he is<BR>>>>>>> auditing. This<BR>>>>>>> vuln. allows him to store some JavaScript in the DB and therefore<BR>>>>>>> perpetrate an XSS attack (incubated) on the users of this<BR>>>>>>> webapp. My<BR>>>>>>> question is where do we describe these attacks?
(I think they are<BR>>>>>>> important enough to be included somewhere.)<BR>>>>>>><BR>>>>>>> Cheers,<BR>>>>>>> Ariel<BR>>>>>>><BR>>>>>>> Eoin Keary wrote:<BR>>>>>>>> Hi,<BR>>>>>>>><BR>>>>>>>> Question:<BR>>>>>>>> Do we want to get into Unit Testing and SDLC methodology in<BR>>>>>>>> this guide?<BR>>>>>>>> I thought they would be more suited to Andrew's dev guide or<BR>>>>>>>> the code<BR>>>>>>>> review project.<BR>>>>>>>> Unit testing is related to testing small blocks of a system<BR>>>>>>>> individually and hence a development phase done prior to<BR>>>>>>>> system and<BR>>>>>>>> integration testing.<BR>>>>>>>> The Guide currently focuses on penetration testing which is<BR>>>>>>>> "After the<BR>>>>>>>> Fact" testing and not really done until the system is developed.<BR>>>>>>>><BR>>>>>>>> What do y'all think?<BR>>>>>>>><BR>>>>>>>> Eoin<BR>>>>>>>><BR>>>>>>> _______________________________________________<BR>>>>>>> Owasp-testing mailing list<BR>>>>>>> <A href="mailto:Owasp-testing@lists.owasp.org">Owasp-testing@lists.owasp.org</A><BR>>>>>>> <A href="http://lists.owasp.org/mailman/listinfo/owasp-testing">http://lists.owasp.org/mailman/listinfo/owasp-testing</A><BR>>>>>>><BR>>>>>><BR>>>>>> --<BR>>>>>> Eoin Keary OWASP - Ireland<BR>>>>>> <A href="http://www.owasp.org/local/ireland.html">http://www.owasp.org/local/ireland.html</A><BR>>>>>> <A href="http://www.owasp.org/index.php/OWASP_Testing_Project">http://www.owasp.org/index.php/OWASP_Testing_Project</A><BR>>>>>> <A href="http://www.owasp.org/index.php/OWASP_Code_Review_Project">http://www.owasp.org/index.php/OWASP_Code_Review_Project</A><BR>>>>>><BR>
<BR>>>>>><BR>>>>><BR>>>><BR>>><BR>>> --<BR>>> Matteo Meucci<BR>>> OWASP-Italy Chair, CISSP, CISA<BR>>> site: <A href="http://www.owasp.org/index.php/Italy">http://www.owasp.org/index.php/Italy</A><BR>>> mail: <A href="mailto:matteo.meucci@owasp.org">matteo.meucci@owasp.org</A><BR>>> ml: <A href="http://lists.owasp.org/mailman/listinfo/owasp-italy">http://lists.owasp.org/mailman/listinfo/owasp-italy</A><BR>>><BR>><BR>> --<BR>> Matteo Meucci<BR>> OWASP-Italy Chair, CISSP, CISA<BR>> site: <A href="http://www.owasp.org/index.php/Italy">http://www.owasp.org/index.php/Italy</A><BR>> mail: <A href="mailto:matteo.meucci@owasp.org">matteo.meucci@owasp.org</A><BR>> ml: <A href="http://lists.owasp.org/mailman/listinfo/owasp-italy">http://lists.owasp.org/mailman/listinfo/owasp-italy</A><BR>><BR></BLOCKQUOTE></DIV><BR><BR clear="all"><BR>-- <BR>Eoin Keary OWASP - Ireland<BR><A href="http://www.owasp.org/local/ireland.html">http://www.owasp.org/local/ireland.html</A><BR><A href="http://www.owasp.org/index.php/OWASP_Testing_Project">http://www.owasp.org/index.php/OWASP_Testing_Project</A><BR><A href="http://www.owasp.org/index.php/OWASP_Code_Review_Project">http://www.owasp.org/index.php/OWASP_Code_Review_Project</A></BLOCKQUOTE></DIV><BR></DIV></BODY></HTML>