<div>Hello Rick.</div>
<div> </div>
<div>I agree with you that MySQL and SQL are much more prevalent.</div>
<div>The fact is there are already MySQL/SQL Server sections in V3. I've put Oracle just to illustrate that out-of-band and blind SQL injection techniques are missing for Oracle specifically. </div>
<div>We should have the same techniques/sections for all DBMSs (whenever possible).</div>
<div> </div>
<div>Regards.</div>
<div> </div>
<div>Ismael Gonçalves</div>
<div><br><br><br> </div>
<div class="gmail_quote">On Fri, Aug 31, 2012 at 12:00 PM, <a href="mailto:rick.mitchell@bell.ca">rick.mitchell@bell.ca</a> <span dir="ltr"><<a href="mailto:rick.mitchell@bell.ca" target="_blank">rick.mitchell@bell.ca</a>></span> wrote:<br>
<blockquote style="BORDER-LEFT:#ccc 1px solid;MARGIN:0px 0px 0px 0.8ex;PADDING-LEFT:1ex" class="gmail_quote">
<div lang="EN-CA" link="blue" vlink="purple">
<div>
<p class="MsoNormal"><span style="FONT-FAMILY:'Calibri','sans-serif';COLOR:#1f497d;FONT-SIZE:11pt">For SQLi if we’re including Oracle as its own sub-category it would make more sense from my perspective and experience to also include MS SQL and MySQL (vs. SQLite). (That’s not meant to put down SQLite in any manner, I just see the other two as much more prevalent so far....)<u></u><u></u></span></p>
<p class="MsoNormal"><span style="FONT-FAMILY:'Calibri','sans-serif';COLOR:#1f497d;FONT-SIZE:11pt"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="FONT-FAMILY:'Calibri','sans-serif';COLOR:#1f497d;FONT-SIZE:11pt"><u></u> <u></u></span></p>
<div style="BORDER-BOTTOM:medium none;BORDER-LEFT:medium none;PADDING-BOTTOM:0cm;PADDING-LEFT:0cm;PADDING-RIGHT:0cm;BORDER-TOP:#b5c4df 1pt solid;BORDER-RIGHT:medium none;PADDING-TOP:3pt">
<p class="MsoNormal"><b><span style="FONT-FAMILY:'Tahoma','sans-serif';FONT-SIZE:10pt" lang="EN-US">From:</span></b><span style="FONT-FAMILY:'Tahoma','sans-serif';FONT-SIZE:10pt" lang="EN-US"> <a href="mailto:owasp-testing-bounces@lists.owasp.org" target="_blank">owasp-testing-bounces@lists.owasp.org</a> [mailto:<a href="mailto:owasp-testing-bounces@lists.owasp.org" target="_blank">owasp-testing-bounces@lists.owasp.org</a>] <b>On Behalf Of </b>Ismael Rocha<br>
<b>Sent:</b> August 31, 2012 10:29 AM<br><b>To:</b> Amro<br><b>Cc:</b> <a href="mailto:owasp-testing@lists.owasp.org" target="_blank">owasp-testing@lists.owasp.org</a>
<div>
<div class="h5"><br><b>Subject:</b> Re: [Owasp-testing] Testing Guide V4 - Start up<u></u><u></u></div></div></span>
<p></p></p></div>
<div>
<div class="h5">
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p class="MsoNormal">Hello all!<u></u><u></u></p></div>
<div>
<p class="MsoNormal"> <u></u><u></u></p></div>
<div>
<p class="MsoNormal">The following are some points I've noticed we can improve/add/discuss. It's not organized, it's a brainstorm about some subjects. Maybe some of them are already related to some section.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">This weekend I'm gonna try to make it organized and submit it to the list.<u></u><u></u></p></div>
<div>
<p class="MsoNormal"> <u></u><u></u></p></div>
<div>
<p class="MsoNormal">General<br> LFI/RFI<u></u><u></u></p></div>
<div>
<p class="MsoNormal"> <u></u><u></u></p></div>
<div>
<p class="MsoNormal">Application Discovery <br> Entry points <br> -> Include Ajax as well<u></u><u></u></p></div>
<div>
<p class="MsoNormal"> <u></u><u></u></p></div>
<div>
<p class="MsoNormal">ViewState tests (.NET/JSF)<u></u><u></u></p></div>
<div>
<p class="MsoNormal"> <u></u><u></u></p></div>
<div>
<p class="MsoNormal">SQL Injection<u></u><u></u></p></div>
<div>
<p class="MsoNormal"> Oracle<br> BlindSQLInjection<br> Out of band techniques<u></u><u></u></p></div>
<div>
<p class="MsoNormal"> SQLite<br> Is it worth adding it?<u></u><u></u></p></div>
<div>
<p class="MsoNormal"> <u></u><u></u></p></div>
<div>
<p class="MsoNormal">SSO SAML (SSO Profile)<br> -> Bind (post/get)<br> -> Token Signature<br> -> Anonymity<br> -> OneTimeUse<br> -> NotBefore<br> -> Local Logout<br> -> Global Logout<br> -> DoS<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"> <u></u><u></u></p></div>
<div>
<p class="MsoNormal">DoS<br> -> Slow HTTP Get<br> -> Slow HTTP Post<u></u><u></u></p></div>
<div>
<p class="MsoNormal"> <u></u><u></u></p></div>
<div>
<p class="MsoNormal">SSL Test<br> -> Enhance (maybe based on Qualys SSLlabs results and tests?)<u></u><u></u></p></div>
<div>
<p class="MsoNormal"> <u></u><u></u></p></div>
<div>
<p class="MsoNormal">Evasive Techniques<br> -> Is it worth it? One per section or one chapter?<u></u><u></u></p></div>
<div>
<p class="MsoNormal"> <u></u><u></u></p></div>
<div>
<p class="MsoNormal">Top Ten X Testing Guide Cross-Reference Table<u></u><u></u></p></div>
<div>
<p class="MsoNormal"><br>About the chapter Value The Real Risk I think we have to fix the calculations. <br>I think the risk rates (low and high) compared to the examples are wrong. <u></u><u></u></p></div>
<div>
<p class="MsoNormal"><br>Maybe some things I put here are too specific but maybe it's worth thinking about one way to put them.<u></u><u></u></p></div>
<div>
<p class="MsoNormal"> <u></u><u></u></p></div>
<div>
<p class="MsoNormal">Regards.<u></u><u></u></p></div>
<div>
<p class="MsoNormal"> <u></u><u></u></p></div>
<div>
<p class="MsoNormal">Ismael Gonçalves<u></u><u></u></p></div>
<div>
<p class="MsoNormal"><br> <u></u><u></u></p></div>
<div>
<p class="MsoNormal">On Fri, Aug 31, 2012 at 10:17 AM, Amro <<a href="mailto:amro@owasp.org" target="_blank">amro@owasp.org</a>> wrote:<u></u><u></u></p>
<div>
<div>
<p class="MsoNormal">We can add both based on the attack factor while a list of WebScarab and ZAP capabilities will leave the tester to decide what tool to use without pushing him/her toward a particular one.<br><br>Below are my suggestions<br>
<br><b>(Dedicated section for relevant OWASP tools as we need to attract supporters)</b><br><br><b>Tool Name:</b> X Y Z <br><b>Project leader:</b> ( This will help the project leader getting suggestions to improve his/her project)<br>
<b>Short introduction</b> ( high level introduction that should not exceed one or two lines)<br><b>Features:</b> ( we can list them or provide a direct link to the project wiki)<br><b>Video tutorial</b>: ( if applicable )<br>
<b>Download: </b>( direct download link or the project wiki)<br><br>And so on ....... <br><br>I think by doing the above we will hit two birds with one stone ( market our tools and leave the tester to decide what tool he/she needs the most based on the tool features/capabilities) <br>
<br>Regards, <br>Amro<u></u><u></u></p>
<div>
<div>
<p class="MsoNormal"><br><br>On 8/31/12 2:48 PM, psiinon wrote:<u></u><u></u></p></div></div></div>
<div>
<div>
<blockquote style="MARGIN-TOP:5pt;MARGIN-BOTTOM:5pt">
<p style="MARGIN-BOTTOM:12pt" class="MsoNormal">I'd definitely like to be closely involved in the ZAP related sections, but very happy for Amro to lead on it.<br><br>Cheers,<br><br>Simon<u></u><u></u></p>
<div>
<p class="MsoNormal">On Fri, Aug 31, 2012 at 11:28 AM, Matteo Meucci <<a href="mailto:matteo.meucci@owasp.org" target="_blank">matteo.meucci@owasp.org</a>> wrote:<u></u><u></u></p>
<p class="MsoNormal">Hi Simon,<br>yep I agree.<br><br>Maybe we can distinguish as follows for each paragraph:<br>- OWASP Tools:<br> (Flagship, Labs, Incubator, Archive)<br>- Other Open Source tools:<br><br>I think that a contributor should be dedicated to verifying which tests<br>
are suitable using ZAP (maybe Amro who writes the Appendix A "Testing<br>Tools")?<br><br>Thanks,<br>Mat<u></u><u></u></p>
<div>
<p class="MsoNormal"><br><br><br>On 08/31/2012 09:56 AM, psiinon wrote:<br>> I think it's right for us to suggest an open source tool (or tools) for<br>> using in each section, however I don't think we should view this as a ZAP<br>
> vs WebScarab contest.<br>> We want to suggest the best possible tool, but I also think that it's<u></u><u></u></p></div>
<p class="MsoNormal">> reasonable for us to /prefer /OWASP ones.<u></u><u></u></p>
<div>
<div>
<p class="MsoNormal">> But we should also favour tools that are more mature and/or more<br>> frequently updated.<br>> For OWASP tools I think we can rely on the new classifications:<br>> Flagship, Labs, Incubator, Archive.<br>
> So I think it's really a sliding scale.<br>> If there's a Flagship OWASP project that is great at finding a specific<br>> type of vulnerability then we should definitely use that as the example.<br>> If not then we have to balance how relevant that tool is likely to remain.<br>
> A brand new Incubator project might be great in one specific case, but<br>> may also not really be in a fit state for most people to use, or the<br>> project may quickly wither and die.<br>> And if a well regarded non OWASP open source tool is the best option<br>
> then we should use that.<br>><br>> Going back to ZAP, I obviously hope it will be the ideal tool in many<br>> cases :)<br>> And helping to establish if this is the case and explaining exactly how<br>> ZAP can be used may be the most effective way I can contribute to this<br>
> guide.<br>><br>> But I also want to use this process to learn where ZAP's weaknesses are.<br>> And depending on how long it takes to produce the guide we (the ZAP<br>> developers) may be able to enhance specific areas of ZAP as the work on<br>
> the guide develops.<br>> So please let me know asap if/when you work on an area of the guide that<br>> you don't think ZAP is effective in helping with, or if you would like<br>> advice and guidance on how to use ZAP as effectively as possible.<br>
><br>> Cheers,<br>><br>> Simon (ZAP Project Lead)<br>><br>> On Thu, Aug 30, 2012 at 10:18 PM, Matteo Meucci <<a href="mailto:matteo.meucci@owasp.org" target="_blank">matteo.meucci@owasp.org</a><u></u><u></u></p>
</div></div>
<div>
<p class="MsoNormal">> <mailto:<a href="mailto:matteo.meucci@owasp.org" target="_blank">matteo.meucci@owasp.org</a>>> wrote:<br>><br>> Perfect!<br>> I've updated the wiki, thanks!<br>><br>
> Mat<br>><br>> On 08/30/2012 11:15 PM, Amro wrote:<br>> > Thanks Mat,<br>> ><br>> > Please assign this task to me and I will make sure that our tool<br>> sets are updated.<br>
> ><br>> > Regards,<br>> > Amro<br>> > Sent from BlackBerry®. Excuse typo's and brevity.<br>> ><br>> > -----Original Message-----<br>> > From: Matteo Meucci <<a href="mailto:matteo.meucci@owasp.org" target="_blank">matteo.meucci@owasp.org</a><u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">> <mailto:<a href="mailto:matteo.meucci@owasp.org" target="_blank">matteo.meucci@owasp.org</a>>><br>> > Date: Thu, 30 Aug 2012 23:11:41<u></u><u></u></p></div>
<div>
<div>
<p class="MsoNormal">> > To: <<a href="mailto:amro@owasp.org" target="_blank">amro@owasp.org</a> <mailto:<a href="mailto:amro@owasp.org" target="_blank">amro@owasp.org</a>>><br>> > Cc: <<a href="mailto:owasp-testing-bounces@lists.owasp.org" target="_blank">owasp-testing-bounces@lists.owasp.org</a><br>
> <mailto:<a href="mailto:owasp-testing-bounces@lists.owasp.org" target="_blank">owasp-testing-bounces@lists.owasp.org</a>>>;<br>> <<a href="mailto:owasp-testing@lists.owasp.org" target="_blank">owasp-testing@lists.owasp.org</a> <mailto:<a href="mailto:owasp-testing@lists.owasp.org" target="_blank">owasp-testing@lists.owasp.org</a>>><br>
> > Subject: Re: [Owasp-testing] Testing Guide V4 - Start up<br>> ><br>> > Hi Amro,<br>> > good question related to the tools. Here we have to update many<br>> references.<br>
> ><br>> > Usually at the end of each article we suggest to use a particular open<br>> > source tool to perform the test. I think we can use and suggest<br>> both the<br>> > tools in many situations.<br>
> > Also the Appendix A "Testing Tools" should pick all the testing tools<br>> > cited in the Testing Guide and give more details.<br>> ><br>> > Thanks,<br>> > Mat<br>
> ><br>> > On 08/30/2012 10:58 PM, Amro wrote:<br>> >> Please count me in as well .. Are we gonna use ZAP instead of<br>> WebScarab in the new version?<br>> >><br>> >> Regards,<br>
> >> Amro<br>> >> Sent from BlackBerry®. Excuse typo's and brevity.<br>> >><br>> >> -----Original Message-----<br>> >> From: Matteo Meucci <<a href="mailto:matteo.meucci@owasp.org" target="_blank">matteo.meucci@owasp.org</a><u></u><u></u></p>
</div></div>
<div>
<p class="MsoNormal">> <mailto:<a href="mailto:matteo.meucci@owasp.org" target="_blank">matteo.meucci@owasp.org</a>>><br>> >> Sender: <a href="mailto:owasp-testing-bounces@lists.owasp.org" target="_blank">owasp-testing-bounces@lists.owasp.org</a><br>
> <mailto:<a href="mailto:owasp-testing-bounces@lists.owasp.org" target="_blank">owasp-testing-bounces@lists.owasp.org</a>><br>> >> Date: Thu, 30 Aug 2012 17:40:29<br>> >> To: <<a href="mailto:owasp-testing@lists.owasp.org" target="_blank">owasp-testing@lists.owasp.org</a><u></u><u></u></p>
</div>
<div>
<div>
<p class="MsoNormal">> <mailto:<a href="mailto:owasp-testing@lists.owasp.org" target="_blank">owasp-testing@lists.owasp.org</a>>><br>> >> Subject: [Owasp-testing] Testing Guide V4 - Start up<br>
> >><br>> >> Hi all Testing Guide contributors.<br>> >><br>> >> Testing Guide v4 has been approved as Projects Reboot 2012!<br>> >> <a href="https://www.owasp.org/index.php/Projects_Reboot_2012" target="_blank">https://www.owasp.org/index.php/Projects_Reboot_2012</a><br>
> >><br>> >> Here is the list of contributors I've collected:<br>> >><br>> >> Pavol Luptak<br>> >> Marco Morana<br>> >> Giorgio Fedon<br>> >> Stefano Di Paola<br>
> >> Gianrico Ingrosso<br>> >> Giuseppe Bonfà<br>> >> Roberto Suggi Liverani<br>> >> Robert Smith<br>> >> Andrew Muller<br>> >> Robert Winkel<br>
> >> tripurari rai<br>> >> Thomas Ryan<br>> >> tim bertels<br>> >> Cecil Su<br>> >> Aung KhAnt<br>> >> Norbert Szetei<br>> >> michael.boman<br>
> >> Wagner Elias<br>> >> Kevin Horvat<br>> >> Juan Galiana Lara<br>> >> Kenan Gursoy<br>> >> Jason Flood<br>> >> Javier Marcos de Prado<br>> >> Sumit Siddharth<br>
> >> Mike Hryekewicz<br>> >> psiinon<br>> >> Ray Schippers<br>> >> Raul Siles<br>> >> Jayanta Karmakar<br>> >> Brad Causey<br>> >> Vicente Aguilera<br>
> >> Ismael Gonçalves<br>> >><br>> >> Reviewers team:<br>> >><br>> >> Paolo Perego<br>> >> Daniel Cuthbert<br>> >> Matthew Churcher<br>
> >> Lode Vanstechelman<br>> >> Sebastien Gioria<br>> >><br>> >><br>> >> Introduction and Project purpose for v4:<br>> >> ============================ =============<br>
> >> The OWASP Testing Guide v3 includes a "best practice" penetration<br>> >> testing framework which users can implement in their own<br>> organizations<br>> >> and a "low level" penetration testing guide that describes techniques<br>
> >> for testing most common web application and web service security<br>> >> issues. Nowadays the Testing Guide has become the standard to perform<br>> >> a Web Application Penetration Testing and many Companies all around<br>
> >> the world have adopted it.<br>> >> It is vital for the project maintaining an updated project that<br>> >> represents the state of the art for WebAppSec.<br>> >><br>
> >> Project Roadmap<br>> >> =============<br>> >><br>> >> - (1) 1st phase: Brainstorming and create a new table of contents<br>> >><br>> >> Objective: creating a new table of contents of the OTGv4<br>
> >> assigning a task for each contributor.<br>> >> I created a new OWASP Testing Guide v4 table of Contents here:<br>> >><br>> <a href="https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents" target="_blank">https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents</a><br>
> >><br>> >> - (2) 2nd phase: Writing<br>> >> 20th September 2012: Start writing the articles<br>> >> 1st November 2012: 1st Draft<br>> >> 30th November: end of writing phase<br>
> >><br>> >> - (3) 3rd phase: Reviewing<br>> >><br>> >> - 1st December 2012: Starting the review phase,<br>> >> - 15th December 2012: Create the RC1,<br>> >> - 31st January 2013: Release the version 4.<br>
> >><br>> >> Timeline November 2012 1st Draft, January 2013 Final Release<br>> >><br>> >> So, let's start discussion about phase (1)!<br>> >><br>> >> Thanks!<br>
> >> Mat<br>> >><br>> >> --<br>> >> Matteo Meucci<br>> >> OWASP Testing Guide Lead<br>> >> OWASP-Italy President<br>> >><br>> >><br>
> >> _______________________________________________<br>> >> Owasp-testing mailing list<u></u><u></u></p></div></div>
<p class="MsoNormal">> >> <a href="mailto:Owasp-testing@lists.owasp.org" target="_blank">Owasp-testing@lists.owasp.org</a> <mailto:<a href="mailto:Owasp-testing@lists.owasp.org" target="_blank">Owasp-testing@lists.owasp.org</a>><u></u><u></u></p>
<div>
<p class="MsoNormal">> >> <a href="https://lists.owasp.org/mailman/listinfo/owasp-testing" target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-testing</a><br>> >><br>> ><br>
><br>> --<br>> --<br>> Matteo Meucci<br>> OWASP Testing Guide Lead<br>> OWASP Italy President<br>> _______________________________________________<br>> Owasp-testing mailing list<u></u><u></u></p>
</div>
<p class="MsoNormal">> <a href="mailto:Owasp-testing@lists.owasp.org" target="_blank">Owasp-testing@lists.owasp.org</a> <mailto:<a href="mailto:Owasp-testing@lists.owasp.org" target="_blank">Owasp-testing@lists.owasp.org</a>><u></u><u></u></p>
<div>
<p class="MsoNormal">> <a href="https://lists.owasp.org/mailman/listinfo/owasp-testing" target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-testing</a><br>><br>><br>><br>><br>> --<br>> OWASP ZAP: Toolsmith Tool of the Year 2011<u></u><u></u></p>
</div>
<p class="MsoNormal">> <<a href="http://holisticinfosec.blogspot.com/2012/02/2011-toolsmith-tool-of-year-owasp-zap.html" target="_blank">http://holisticinfosec.blogspot.com/2012/02/2011-toolsmith-tool-of-year-owasp-zap.html</a>><u></u><u></u></p>
<div>
<div>
<p class="MsoNormal">><br><br>--<br>--<br>Matteo Meucci<br>OWASP Testing Guide Lead<br>OWASP Italy President<u></u><u></u></p></div></div></div>
<p style="MARGIN-BOTTOM:12pt" class="MsoNormal"><br><br clear="all"><br>-- <br>OWASP ZAP: <a href="http://holisticinfosec.blogspot.com/2012/02/2011-toolsmith-tool-of-year-owasp-zap.html" target="_blank">Toolsmith Tool of the Year 2011</a><u></u><u></u></p>
</blockquote>
<p style="MARGIN-BOTTOM:12pt" class="MsoNormal"><u></u> <u></u></p></div></div></div>
<p style="MARGIN-BOTTOM:12pt" class="MsoNormal"><u></u><u></u></p></div>
<p class="MsoNormal"><br><br clear="all"><br>-- <br>Ismael Gonçalves<u></u><u></u></p></div></div></div></div><br></blockquote></div>