<div>Hello all!</div><div> </div><div>The following are some points I've noticed we can improve/add/discuss. It's not organized; it's a brainstorm about some subjects. Maybe some of them are already related to some section.</div>
<div>This weekend I'm going to try to organize it and submit it to the list.</div><div> </div><div>General<br> LFI/RFI</div><div> </div><div>Application Discovery<br> Entry points<br> -> Include Ajax as well</div>
<div> </div><div>ViewState tests (.NET/JSF)</div><div> </div><div>SQL Injection</div><div> Oracle<br> Blind SQL Injection<br> Out-of-band techniques</div><div> SQLite<br> Is it worth adding?</div><div> </div><div>SSO SAML (SSO Profile)<br>
-> Bind (POST/GET)<br> -> Token Signature<br> -> Anonymity<br> -> OneTimeUse<br> -> NotBefore<br> -> Local Logout<br> -> Global Logout<br> -> DoS</div><div> </div><div>DoS<br> -> Slow HTTP GET<br>
-> Slow HTTP POST</div><div> </div><div>SSL Test<br> -> Enhance (maybe based on Qualys SSL Labs results and tests?)</div><div> </div><div>Evasive Techniques<br> -> Is it worth it? One per section or one chapter?</div>
<div> </div><div>Top Ten X Testing Guide Cross-Reference Table</div><div><br>About the chapter "Value the Real Risk", I think we have to fix the calculations.<br>I think the risk ratings (low and high) compared to the examples are wrong.</div>
<div><br>Maybe some things I put here are too specific, but maybe it's worth thinking about a way to include them.</div><div> </div><div>Regards.</div><div> </div><div>Ismael Gonçalves</div><div><br> </div><div class="gmail_quote">
On Fri, Aug 31, 2012 at 10:17 AM, Amro <span dir="ltr"><<a href="mailto:amro@owasp.org" target="_blank">amro@owasp.org</a>></span> wrote:<br>
<blockquote style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid" class="gmail_quote">
<div text="#000000" bgcolor="#FFFFFF">
<div>We can add both based on the attack factor, while a list of WebScarab and ZAP capabilities will leave the tester to decide which tool to use without pushing him/her towards a particular one.<br>
<br>
Below are my suggestions:<br>
<br>
<b>(Dedicated section for relevant OWASP tools, as we need to attract supporters)</b><br>
<br>
<b>Tool Name:</b> X Y Z<br>
<b>Project leader:</b> (This will help the project leader get suggestions to improve his/her project)<br>
<b>Short introduction:</b> (high-level introduction that should not exceed one or two lines)<br>
<b>Features:</b> (we can list them or provide a direct link to the project wiki)<br>
<b>Video tutorial:</b> (if applicable)<br>
<b>Download:</b> (direct download link or the project wiki)<br>
<br>
And so on...<br>
<br>
I think by doing the above we will hit two birds with one stone (market our tools and leave the tester to decide which tool he/she needs the most based on the tool features/capabilities).<br>
<br>
Regards,<br>
Amro<div><div><br>
<br>
On 8/31/12 2:48 PM, psiinon wrote:<br>
</div></div></div><div><div>
<blockquote type="cite">I'd definitely like to be closely involved in the ZAP
related sections, but very happy for Amro to lead on it.<br>
<br>
Cheers,<br>
<br>
Simon<br>
<br>
<div class="gmail_quote">On Fri, Aug 31, 2012 at 11:28 AM, Matteo
Meucci <span dir="ltr"><<a href="mailto:matteo.meucci@owasp.org" target="_blank">matteo.meucci@owasp.org</a>></span>
wrote:<br>
<blockquote style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid" class="gmail_quote">Hi Simon,<br>
yep I agree.<br>
<br>
Maybe we can distinguish as follow for each paragraph:<br>
- OWASP Tools:<br>
(Flagship, Labs, Incubator, Archive)<br>
- Other Open Source tools:<br>
<br>
I think that a contributor should be dedicated to verifying which tests<br>
are suitable using ZAP (maybe Amro, who writes the Appendix A "Testing<br>
Tools")?<br>
<br>
Thanks,<br>
Mat<br>
<div><br>
<br>
<br>
On 08/31/2012 09:56 AM, psiinon wrote:<br>
> I think it's right for us to suggest an open source tool
(or tools) for<br>
> using in each section, however I don't think we should
view this as a ZAP<br>
> vs WebScarab contest.<br>
> We want to suggest the best possible tool, but I also
think that it's<br>
</div>
> reasonable for us to /prefer /OWASP ones.<br>
<div>
<div>> But we should also favour tools that
are more mature and/or more<br>
> frequently updated.<br>
> For OWASP tools I think we can rely on the new
classifications:<br>
> Flagship, Labs, Incubator, Archive.<br>
> So I think it's really a sliding scale.<br>
> If there's a Flagship OWASP project that is great at
finding a specific<br>
> type of vulnerability then we should definitely use
that as the example.<br>
> If not then we have to balance how relevant that tool
is likely to remain.<br>
> A brand new Incubator project might be great in one
specific case, but<br>
> may also not really be in a fit state for most people
to use, or the<br>
> project may quickly wither and die.<br>
> And if a well regarded non OWASP open source tool is
the best option<br>
> then we should use that.<br>
><br>
> Going back to ZAP, I obviously hope it will be the
ideal tool in many<br>
> cases :)<br>
> And helping to establish if this is the case and
explaining exactly how<br>
> ZAP can be used may be the most effective way I can
contribute to this<br>
> guide.<br>
><br>
> But I also want to use this process to learn where
ZAP's weaknesses are.<br>
> And depending on how long it takes to produce the
guide we (the ZAP<br>
> developers) may be able to enhance specific areas of
ZAP as the work on<br>
> the guide develops.<br>
> So please let me know asap if/when you work on an
area of the guide that<br>
> you don't think ZAP is effective in helping with, or
if you would like<br>
> advice and guidance on how to use ZAP as effectively
as possible.<br>
><br>
> Cheers,<br>
><br>
> Simon (ZAP Project Lead)<br>
><br>
> On Thu, Aug 30, 2012 at 10:18 PM, Matteo Meucci <<a href="mailto:matteo.meucci@owasp.org" target="_blank">matteo.meucci@owasp.org</a><br>
</div>
</div>
<div>> <mailto:<a href="mailto:matteo.meucci@owasp.org" target="_blank">matteo.meucci@owasp.org</a>>>
wrote:<br>
><br>
> Perfect!<br>
> I've updated the wiki, thanks!<br>
><br>
> Mat<br>
><br>
> On 08/30/2012 11:15 PM, Amro wrote:<br>
> > Thanks Mat,<br>
> ><br>
> > Please assign this task to me and I will make
sure that our tool<br>
> sets are updated.<br>
> ><br>
> > Regards,<br>
> > Amro<br>
> > Sent from BlackBerry®. Excuse typos and
brevity.<br>
> ><br>
> > -----Original Message-----<br>
> > From: Matteo Meucci <<a href="mailto:matteo.meucci@owasp.org" target="_blank">matteo.meucci@owasp.org</a><br>
</div>
<div>> <mailto:<a href="mailto:matteo.meucci@owasp.org" target="_blank">matteo.meucci@owasp.org</a>>><br>
> > Date: Thu, 30 Aug 2012 23:11:41<br>
</div>
<div>
<div>> > To: <<a href="mailto:amro@owasp.org" target="_blank">amro@owasp.org</a>
<mailto:<a href="mailto:amro@owasp.org" target="_blank">amro@owasp.org</a>>><br>
> > Cc: <<a href="mailto:owasp-testing-bounces@lists.owasp.org" target="_blank">owasp-testing-bounces@lists.owasp.org</a><br>
> <mailto:<a href="mailto:owasp-testing-bounces@lists.owasp.org" target="_blank">owasp-testing-bounces@lists.owasp.org</a>>>;<br>
> <<a href="mailto:owasp-testing@lists.owasp.org" target="_blank">owasp-testing@lists.owasp.org</a>
<mailto:<a href="mailto:owasp-testing@lists.owasp.org" target="_blank">owasp-testing@lists.owasp.org</a>>><br>
> > Subject: Re: [Owasp-testing] Testing Guide
V4 - Start up<br>
> ><br>
> > Hi Amro,<br>
> > good question related to the tools. Here we
have to update many<br>
> references.<br>
> ><br>
> > Usually at the end of each article we
suggest to use a particular open<br>
> > source tool to perform the test. I think we
can use and suggest<br>
> both the<br>
> > tools in many situations.<br>
> > Also the Appendix A "Testing Tools" should
pick all the testing tools<br>
> > cited in the Testing Guide and give more
details.<br>
> ><br>
> > Thanks,<br>
> > Mat<br>
> ><br>
> > On 08/30/2012 10:58 PM, Amro wrote:<br>
> >> Please count me in as well .. Are we
gonna use ZAP instead of<br>
> WebScarab in the new version?<br>
> >><br>
> >> Regards,<br>
> >> Amro<br>
> >> Sent from BlackBerry®. Excuse typos and
brevity.<br>
> >><br>
> >> -----Original Message-----<br>
> >> From: Matteo Meucci <<a href="mailto:matteo.meucci@owasp.org" target="_blank">matteo.meucci@owasp.org</a><br>
</div>
</div>
<div>> <mailto:<a href="mailto:matteo.meucci@owasp.org" target="_blank">matteo.meucci@owasp.org</a>>><br>
> >> Sender: <a href="mailto:owasp-testing-bounces@lists.owasp.org" target="_blank">owasp-testing-bounces@lists.owasp.org</a><br>
> <mailto:<a href="mailto:owasp-testing-bounces@lists.owasp.org" target="_blank">owasp-testing-bounces@lists.owasp.org</a>><br>
> >> Date: Thu, 30 Aug 2012 17:40:29<br>
> >> To: <<a href="mailto:owasp-testing@lists.owasp.org" target="_blank">owasp-testing@lists.owasp.org</a><br>
</div>
<div>
<div>> <mailto:<a href="mailto:owasp-testing@lists.owasp.org" target="_blank">owasp-testing@lists.owasp.org</a>>><br>
> >> Subject: [Owasp-testing] Testing Guide
V4 - Start up<br>
> >><br>
> >> Hi all Testing Guide contributors.<br>
> >><br>
> >> Testing Guide v4 has been approved as
Projects Reboot 2012!<br>
> >> <a href="https://www.owasp.org/index.php/Projects_Reboot_2012" target="_blank">https://www.owasp.org/index.php/Projects_Reboot_2012</a><br>
> >><br>
> >> Here is the list of contributors I've
collected:<br>
> >><br>
> >> Pavol Luptak<br>
> >> Marco Morana<br>
> >> Giorgio Fedon<br>
> >> Stefano Di Paola<br>
> >> Gianrico Ingrosso<br>
> >> Giuseppe Bonfà<br>
> >> Roberto Suggi Liverani<br>
> >> Robert Smith<br>
> >> Andrew Muller<br>
> >> Robert Winkel<br>
> >> tripurari rai<br>
> >> Thomas Ryan<br>
> >> tim bertels<br>
> >> Cecil Su<br>
> >> Aung KhAnt<br>
> >> Norbert Szetei<br>
> >> michael.boman<br>
> >> Wagner Elias<br>
> >> Kevin Horvat<br>
> >> Juan Galiana Lara<br>
> >> Kenan Gursoy<br>
> >> Jason Flood<br>
> >> Javier Marcos de Prado<br>
> >> Sumit Siddharth<br>
> >> Mike Hryekewicz<br>
> >> psiinon<br>
> >> Ray Schippers<br>
> >> Raul Siles<br>
> >> Jayanta Karmakar<br>
> >> Brad Causey<br>
> >> Vicente Aguilera<br>
> >> Ismael Gonçalves<br>
> >><br>
> >> Reviewers team:<br>
> >><br>
> >> Paolo Perego<br>
> >> Daniel Cuthbert<br>
> >> Matthew Churcher<br>
> >> Lode Vanstechelman<br>
> >> Sebastien Gioria<br>
> >><br>
> >><br>
> >> Introduction and Project purpose for v4:<br>
> >> =========================================<br>
> >> The OWASP Testing Guide v3 includes a
"best practice" penetration<br>
> >> testing framework which users can
implement in their own<br>
> organizations<br>
> >> and a "low level" penetration testing
guide that describes techniques<br>
> >> for testing most common web application
and web service security<br>
> >> issues. Nowadays the Testing Guide has
become the standard to perform<br>
> >> a Web Application Penetration Testing
and many companies all around<br>
> >> the world have adopted it.<br>
> >> It is vital for the project to maintain
an updated project that<br>
> >> represents the state of the art for
WebAppSec.<br>
> >><br>
> >> Project Roadmap<br>
> >> =============<br>
> >><br>
> >> - (1) 1st phase: Brainstorming and
create a new table of contents<br>
> >><br>
> >> Objective: creating a new table of
contents of the OTGv4<br>
> >> assigning a task for each contributor.<br>
> >> I created a new OWASP Testing Guide v4
table of Contents here:<br>
> >><br>
> <a href="https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents" target="_blank">https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents</a><br>
> >><br>
> >> - (2) 2nd phase: Writing<br>
> >> 20th September 2012: Start writing the
articles<br>
> >> 1st November 2012: 1st Draft<br>
> >> 30th November: end of writing phase<br>
> >><br>
> >> - (3) 3rd phase: Reviewing<br>
> >><br>
> >> - 1st December 2012: Starting the review
phase,<br>
> >> - 15th December 2012: Create the RC1,<br>
> >> - 31st January 2013: Release the version
4.<br>
> >><br>
> >> Timeline November 2012 1st Draft,
January 2013 Final Release<br>
> >><br>
> >> So, let's start discussion about phase
(1)!<br>
> >><br>
> >> Thanks!<br>
> >> Mat<br>
> >><br>
> >> --<br>
> >> Matteo Meucci<br>
> >> OWASP Testing Guide Lead<br>
> >> OWASP-Italy President<br>
> >><br>
> >><br>
> >>
_______________________________________________<br>
> >> Owasp-testing mailing list<br>
</div>
</div>
> >> <a href="mailto:Owasp-testing@lists.owasp.org" target="_blank">Owasp-testing@lists.owasp.org</a>
<mailto:<a href="mailto:Owasp-testing@lists.owasp.org" target="_blank">Owasp-testing@lists.owasp.org</a>><br>
<div>> >> <a href="https://lists.owasp.org/mailman/listinfo/owasp-testing" target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-testing</a><br>
> >><br>
> ><br>
><br>
> --<br>
> Matteo Meucci<br>
> OWASP Testing Guide Lead<br>
> OWASP Italy President<br>
</div>
<div>
><br>
><br>
><br>
><br>
> --<br>
> OWASP ZAP: Toolsmith Tool of the Year 2011<br>
</div>
> <<a href="http://holisticinfosec.blogspot.com/2012/02/2011-toolsmith-tool-of-year-owasp-zap.html" target="_blank">http://holisticinfosec.blogspot.com/2012/02/2011-toolsmith-tool-of-year-owasp-zap.html</a>><br>
<div>
<div>><br>
<br>
--<br>
Matteo Meucci<br>
OWASP Testing Guide Lead<br>
OWASP Italy President<br>
</div>
</div>
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
OWASP ZAP: <a href="http://holisticinfosec.blogspot.com/2012/02/2011-toolsmith-tool-of-year-owasp-zap.html" target="_blank">Toolsmith Tool of the Year 2011</a><br>
<br>
</blockquote>
<br>
<br>
</div></div></div>
<br></blockquote></div><br><br clear="all"><br>-- <br>Ismael Gonçalves<br>