OWASP Testing Guide v2 Review Panel
Revision as of 18:03, 13 November 2006
Update: 13th November, 11.00 (GMT+1)
**********************
Reviewing planning
**********************
The reviewers are: Mark Roxberry, Revelli Alberto, Daniel Cuthbert, Matteo G.P. Flora, Matteo Meucci, Eoin Keary, Stefano Di Paola, James Kist, Vicente Aguilera, Mauro Bregolin, Syed Mohamed A
We can begin the 1st reviewing phase by reviewing all 63 articles (nearly 13 articles per person). The deadline is 15th November at 20.00 (GMT+1), because 15th November is the 1st deadline for the Autumn of Code Project.
*********************************************
We are waiting for the following articles
*********************************************
4.2.2 Spidering and googling (0%, Tom Brennan, Tom Ryan)
4.2.4.2 DB Listener Testing (0%, Alexander Kornbrust)
4.5.5 HTTP Exploit (0%, Arian J.Evans)
4.6.2.2 Oracle testing (0%,Alexander Kornbrust)
4.6.4 ORM Injection (0%, Mark Roxberry)
5. Writing Reports: value the real risk
5.1 How to value the real risk (50%, Daniel Cuthbert, Matteo Meucci, Sebastien Deleersnyder, Marco Morana)
5.2 How to write the report of the testing (0%, Daniel Cuthbert, Tom Brennan, Tom Ryan)
*********************************************************
Here is the complete list of articles to be reviewed:
*********************************************************
_________________________________________________________________________________________________________________________
- Introduction -->...
1 of 1 article to be reviewed -> reviewed by Eoin Keary
_________________________________________________________________________________________________________________________
- The OWASP Testing Framework -->...
1 of 1 article to be reviewed
_________________________________________________________________________________________________________________________
- 4.1 Introduction and objectives -->...
1 of 1 article to be reviewed (no Meucci, Reviewed by EK)
_________________________________________________________________________________________________________________________
- 4.2 Information Gathering (Reviewed by EK) --> Keary
9 of 10 articles to be reviewed ->
- Application Discovery:
  - Reviewed + updated (EK) (Maybe we should include HTTP methods for application discovery, such as the HTTP HEAD command?)
- Analysis of error codes:
  - Reviewed + updated (EK)
- Infrastructure configuration management testing AoC:
  - Reviewed by EK. Not in typical guide structure
- SSL/TLS Testing AoC:
  - Reviewed + updated (EK)
- DB Listener Testing:
  - Incomplete
- Application configuration management testing:
  - Reviewed by EK. Not in typical guide structure
  - This is generally a "white box" section. There are no examples of testing the configuration from a remote perspective. If this was the aim of the document, that's fine. - Need feedback on this one!!
  - Sample/known files and directories: might be good to refer to http://www.owasp.org/index.php/Old_file_testing_AoC ??
  - Logging: Timestamp is also important
- File extensions handling:
  - contains the text: "...To review and expand..." - Is this complete??
  - Need a second opinion on this one!! :)
- Old file testing: Reviewed by EK
_________________________________________________________________________________________________________________________
- 4.3 Business logic testing -->...
1 of 1 article to be reviewed
_________________________________________________________________________________________________________________________
- 4.4 Authentication Testing --> Roxberry
5 of 5 articles to be reviewed (No Meucci, no Revelli)
_________________________________________________________________________________________________________________________
- 4.5 Session Management Testing --> Syed Mohamed A
5 of 6 articles to be reviewed (No Meucci)
_________________________________________________________________________________________________________________________
- 4.6 Data Validation Testing --> Meucci
18 of 21 articles to be reviewed
- 4.6 Data Validation Testing: Reviewed by EK
- 4.6.1 Cross site scripting: Reviewed by EK (Reformatted it slightly with wiki tags)
- 4.6.1.1 HTTP Methods and XST: Reviewed by MM
- 4.6.2 SQL Injection (90%): Reviewed by MM. Eoin, can you review the English, please?
  - 4.6.2.1 Stored procedure injection (40%)
  - 4.6.2.2 Oracle testing (0%)
  - 4.6.2.3 MySQL testing (100%): Reviewed by MM
  - 4.6.2.4 SQL Server testing (95%)
- 4.6.3 LDAP Injection (90%)
- 4.6.4 ORM Injection (0%)
- 4.6.5 XML Injection (80%)
- 4.6.6 SSI Injection (95%)
- 4.6.7 XPath Injection (80%)
- 4.6.8 IMAP/SMTP Injection (95%)
- 4.6.9 Code Injection (70%)
- 4.6.10 OS Commanding (70%)
- 4.6.11 Buffer overflow Testing (100%)
  - 4.6.11.1 Heap overflow (100%)
  - 4.6.11.2 Stack overflow (100%)
  - 4.6.11.3 Format string (100%)
- 4.6.12 Incubated vulnerability testing (95%)
_________________________________________________________________________________________________________________________
- 4.7 Denial of Service Testing -->...
8 of 8 articles to be reviewed
_________________________________________________________________________________________________________________________
- 4.8 Web Services Testing -->...
6 of 6 articles to be reviewed (No Keary)
_________________________________________________________________________________________________________________________
- 4.9 AJAX Testing --> Roxberry
6 of 6 articles to be reviewed (No Di Paola)
_________________________________________________________________________________________________________________________
- 5. Writing Reports: value the real risk
We have to write about it. I consider it not yet finished.
0 of 3 articles to be reviewed.
_________________________________________________________________________________________________________________________
- Appendix A: Testing Tools -->...
1 article of 1: need to update it by searching the whole guide for the "Tools" paragraphs
_________________________________________________________________________________________________________________________
- Appendix B: Suggested Reading -->...
1 article of 1: need to update it by searching the whole guide for the "Tools" paragraphs
_________________________________________________________________________________________________________________________
- Appendix C: Fuzz Vectors -->...
1 article of 1: Need to be updated
_________________________________________________________________________________________________________________________
*************************
Reviewers Rules
*************************
1) Check the English language
2) Check the template: the articles in chapter 4 should have the following:
In some articles we don't need to talk about Gray Box Testing or other sections, so we can eliminate them.
3) Check the reference style. (I'd like to have all the referenced URLs visible, because I also have to produce a PDF document of the Guide.) I agree with Stefano: we have to use a reference style like this:
== References ==
'''Whitepapers'''<br>
* [1] Author1, Author2: "Title" - http://www.ietf.org/rfc/rfc2254.txt<br>
* [2]...<br>
'''Tools'''<br>
* Francois Larouche: "Multiple DBMS Sql Injection tool" - http://www.sqlpowerinjector.com/index.htm <br>
4) Check the references to the other articles of the guide and to the other OWASP Projects.
5) Other?