List: owasp-testing
Subject: Re: [Owasp-testing] Testing Guide v4: 2nd phase: Writing
From: Andrew Muller <andrew () ionize ! com ! au>
Date: 2013-01-02 23:44:45
Message-ID: 25943628.803.1357170285816.JavaMail.root () ionize ! com ! au
That makes sense too :)
Re the vulnerability list from the ASDR; I think a reference to the more comprehensive CWE list in the test guide is more appropriate, as the ASDR list is a subset of the CWE (the ASDR project itself lists CWE as a related project). From here we could go down the road of "well, if we're referencing CWE, or ASDR, why don't we have test cases for each of the CWE or ASDR software weaknesses?" I'm in favour of referencing one or the other for now and investigating whether it's feasible to adopt this approach in the next version, given the scope of such an undertaking.
----- Original Message -----
From: "Eduardo Castellanos" <guayin@gmail.com>
To: "Andrew Muller" <andrew@ionize.com.au>
Cc: owasp-testing@lists.owasp.org
Sent: Thursday, 3 January, 2013 10:19:30 AM
Subject: Re: [Owasp-testing] Testing Guide v4: 2nd phase: Writing
@Andrew, I'm more inclined towards the data validation section, as the main issue here would be that the file extension or the file's contents are not properly validated/sanitized.
@Jim Manico, that's awesome; we only need to reformat it and find a place for it in the guide.
Regards,
Eduardo Castellanos N.
On Wed, Jan 2, 2013 at 5:04 PM, Andrew Muller <andrew@ionize.com.au> wrote:
Hi Eduardo,
I believe we should test for this (I know we currently do). I would suggest putting it into the business logic section given that it is largely a business decision as to what file types should be accepted for upload.
regards,
Andrew
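The two points raised above, that the accepted file types are a business decision and that both the extension and the contents must be validated, can be combined into one check. This is an added example, not code from the thread or from the Testing Guide; the allowlist, the magic-byte table and the size limit are constructed placeholders that a real deployment would set itself.

```python
"""Allowlist-based upload validation: the file-type policy is data (the
business decision), and both the extension and the content are checked."""
import os
import re

# Constructed sample policy: accepted extensions and the leading bytes a file
# of that type must start with. A real deployment defines its own allowlist.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "pdf": (b"%PDF-",),
}
MAX_SIZE = 5 * 1024 * 1024  # constructed limit: 5 MiB

# The name before the single permitted extension: no dots, slashes or control
# characters, so "image.png.php" and "photo.png\0.php" are rejected by shape.
SAFE_STEM = re.compile(r"[A-Za-z0-9_-]{1,64}")


def validate_upload(filename: str, data: bytes, allowed=ALLOWED_TYPES):
    """Return (accepted, reason). Every rejection carries a reason so the
    decision can be logged and alerted on."""
    # Discard any client-supplied directory part before inspecting the name.
    base = os.path.basename(filename.replace("\\", "/"))
    stem, dot, ext = base.rpartition(".")
    if not dot or not stem:
        return False, "missing extension"
    if not SAFE_STEM.fullmatch(stem):
        return False, "unsafe filename"
    ext = ext.lower()
    if ext not in allowed:
        return False, f"extension '{ext}' not in allowlist"
    if len(data) > MAX_SIZE:
        return False, "file too large"
    # The extension alone proves nothing; the content must match the type.
    if not any(data.startswith(magic) for magic in allowed[ext]):
        return False, f"content does not match '{ext}' signature"
    return True, "ok"


if __name__ == "__main__":
    # Constructed samples: a minimal PNG header and a script body.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    for name, body in [("photo.png", png), ("photo.png", b"<?php echo 1;"),
                       ("image.png.php", png), ("shell.php", b"<?php")]:
        print(name, validate_upload(name, body))
```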
From: "Eduardo Castellanos" <guayin@gmail.com>
To: owasp-testing@lists.owasp.org
Sent: Thursday, 3 January, 2013 9:46:41 AM
Subject: Re: [Owasp-testing] Testing Guide v4: 2nd phase: Writing
Hello,
I was wondering in what part of the guide we check for unrestricted/unvalidated file uploads? Should it be a new issue to test for?
Regards,
Eduardo Castellanos N.
On Fri, Nov 9, 2012 at 3:08 AM, Andrew Muller <andrew@ionize.com.au> wrote:
<blockquote>
Understood. I'll get writing
----- Original Message -----
From: Matteo Meucci <matteo.meucci@owasp.org>
To: Andrew Muller <andrew@ionize.com.au>
Cc: owasp-testing@lists.owasp.org
Sent: Fri, 09 Nov 2012 19:54:24 +1100 (EST)
Subject: Re: [Owasp-testing] Testing Guide v4: 2nd phase: Writing
Hi Andrew,
We started writing to have a first draft of the guide soon.
Then we can review the ToC and understand what we can improve.
Make sense?
Thanks,
Mat
On 11/09/2012 05:50 AM, Andrew Muller wrote:
> Hi Matteo,
>
> It's been a bit quiet on the v4 Wiki. When did you want the ToC to be
> finalised and writing on each of the test cases to be completed?
>
> regards,
>
> Andrew.
>
> ------------------------------------------------------------------------
>
> *From: *"Matteo Meucci" < matteo.meucci@owasp.org >
> *To: * owasp-testing@lists.owasp.org
> *Sent: *Wednesday, 10 October, 2012 2:36:40 AM
> *Subject: *[Owasp-testing] Testing Guide v4: 2nd phase: Writing
>
> Hi all,
> I've reviewed the ToC and added a new paragraph for each new issue to write.
> https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents#4._Web_Application_Penetration_Testing
>
> For example a new article will be like that:
> https://www.owasp.org/index.php/Testing_for_HTTP_Parameter_pollution_%28OWASP-DV-004%29
>
> Regarding the set of articles to review I linked the v3 articles with
> the idea to modify that.
> For example:
> https://www.owasp.org/index.php/Testing_for_Reflected_Cross_site_scripting_%28OWASP-DV-001%29
>
> So from now the wiki will be our draft for v4 and v3 will be available
> only via PDF.
>
> Many of you are not assigned to an article.
> Please, from now tell me what section would you like to write. We have
> to assign all the articles in the next few days.
>
> Feedback: The ToC is completed at 90%, please send me your feedback
> about the new ToC and my notes in the ToC.
>
> Now we can start writing!
> Please keep me updated (I monitor all the changes on the wiki). Use the
> ml for general discussion and my email for specific issues.
>
> Thanks,
> Mat
>
>
> --
> Matteo Meucci
> OWASP Testing Guide Lead
> OWASP Italy President
> _______________________________________________
> Owasp-testing mailing list
> Owasp-testing@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-testing
>
--
Matteo Meucci
OWASP Testing Guide Lead
OWASP Italy President
--
__________________________
Andrew Muller
Ionize Pty Ltd
Information Security Consultants
Level 1
44-52 Townshend St
PHILLIP ACT 2606
P: 02 6108 3695 | Mobile: 0400 481 179 | Fax: 02 6223 5244
E-mail: andrew@ionize.com.au
</blockquote>