This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "OWASP Testing Guide v2 Review Panel"
| Line 1: | Line 1: | ||
13th November, 0 AM (GMT+1)<br> | 13th November, 0 AM (GMT+1)<br> | ||
| + | |||
<nowiki> | <nowiki> | ||
********************************************* | ********************************************* | ||
| − | </nowiki> <br> | + | </nowiki><br>We are waiting for the following articles <br> |
| − | |||
<nowiki> | <nowiki> | ||
********************************************* | ********************************************* | ||
| Line 20: | Line 20: | ||
<nowiki> | <nowiki> | ||
********************************************************* | ********************************************************* | ||
| − | </nowiki> <br> Here is the complete list of articles to be reviewed: <br> | + | </nowiki><br>Here is the complete list of articles to be reviewed: <br> |
<nowiki> | <nowiki> | ||
********************************************************* | ********************************************************* | ||
| Line 78: | Line 78: | ||
************************* | ************************* | ||
</nowiki> | </nowiki> | ||
| − | |||
| − | |||
| − | *Template | + | 1) Check the english language<br> |
| + | 2) Check the template: the articles on chapter 4 should have the following:<br> | ||
| + | |||
| + | * Template | ||
<nowiki> | <nowiki> | ||
| − | [[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]] | + | [[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]] |
| + | |||
{{Template:OWASP Testing Guide v2}} | {{Template:OWASP Testing Guide v2}} | ||
| Line 112: | Line 114: | ||
{{Category:OWASP Testing Project AoC}} | {{Category:OWASP Testing Project AoC}} | ||
</nowiki> | </nowiki> | ||
| − | * | + | * Template |
In some articles we don't need to talk about Gray Box Testing or other, so we can eliminate it. | In some articles we don't need to talk about Gray Box Testing or other, so we can eliminate it. | ||
| Line 123: | Line 125: | ||
* [1] Author1, Author2: "Title" - http://www.ietf.org/rfc/rfc2254.txt<br> | * [1] Author1, Author2: "Title" - http://www.ietf.org/rfc/rfc2254.txt<br> | ||
* [2]...<br> | * [2]...<br> | ||
| − | |||
'''Tools'''<br> | '''Tools'''<br> | ||
* Francois Larouche: "Multiple DBMS Sql Injection tool" - http://www.sqlpowerinjector.com/index.htm <br> | * Francois Larouche: "Multiple DBMS Sql Injection tool" - http://www.sqlpowerinjector.com/index.htm <br> | ||
</nowiki> | </nowiki> | ||
| + | |||
4) Check the reference with the other articles of the guide or with the other OWASP Project. | 4) Check the reference with the other articles of the guide or with the other OWASP Project. | ||
| Line 134: | Line 136: | ||
<nowiki> | <nowiki> | ||
********************** | ********************** | ||
| − | </nowiki> <br> | + | </nowiki><br>Reviewing planning<br> |
| − | Reviewing planning<br> | ||
<nowiki> | <nowiki> | ||
********************** | ********************** | ||
</nowiki><br> | </nowiki><br> | ||
| + | |||
The reviewers are: | The reviewers are: | ||
| − | Daniel Cuthbert | + | Daniel Cuthbert, |
| − | Eoin Keary | + | Eoin Keary, |
| − | Mauro Bregolin | + | Mauro Bregolin, |
| − | Stefano Di Paola | + | Stefano Di Paola, |
| − | Matteo Meucci | + | Matteo Meucci. |
We can begin the 1st reviewing phase by review all 63 articles (nearly 13 articles per person). The deadline is 15th November at 20.00 (GMT+1) because we have 15th November as 1st deadline for the Autumn of Code Project. | We can begin the 1st reviewing phase by review all 63 articles (nearly 13 articles per person). The deadline is 15th November at 20.00 (GMT+1) because we have 15th November as 1st deadline for the Autumn of Code Project. | ||
Revision as of 22:57, 12 November 2006
13th November, 0 AM (GMT+1)
*********************************************
We are waiting for the following articles
*********************************************
4.2.2 Spidering and googling (0%, Tom Brennan, Tom Ryan)
4.2.4.2 DB Listener Testing (0%, Alexander Kornbrust)
4.5.5 HTTP Exploit (0%, Arian J.Evans)
4.6.2.1 Stored procedure injection (0%,TD)
4.6.2.2 Oracle testing (0%,Alexander Kornbrust)
4.6.4 ORM Injection (0%,TD)
5. Writing Reports: value the real risk
5.1 How to value the real risk (50%, Daniel Cuthbert, Matteo Meucci, Sebastien Deleersnyder, Marco Morana)
5.2 How to write the report of the testing (0%, Daniel Cuthbert, Tom Brennan, Tom Ryan)
*********************************************************
Here is the complete list of articles to be reviewed:
*********************************************************
- Introduction
1 of 1 article to be reviewed
- The OWASP Testing Framework
1 of 1 article to be reviewed
- 4.1 Introduction and objectives
1 of 1 article to be reviewed (no Meucci, Reviewed by EK)
- 4.2 Information Gathering (Reviewed by EK)
9 of 10 articles to be reviewed
- 4.3 Business logic testing
1 of 1 article to be reviewed
- 4.4 Authentication Testing
5 of 5 articles to be reviewed (No Meucci, no Revelli)
- 4.5 Session Management Testing
5 of 6 articles to be reviewed (No Meucci)
- 4.6 Data Validation Testing
18 of 21 articles to be reviewed
- 4.7 Denial of Service Testing
8 of 8 articles to be reviewed
- 4.8 Web Services Testing
6 of 6 articles to be reviewed (No Keary)
- 4.9 AJAX Testing
6 of 6 articles to be reviewed (No Di Paola)
- Writing Reports: value the real risk
We have to write about it. I consider it not yet finished. O of 3 articles to be reviewed.
- Appendix A: Testing Tools
1 article of 1: need to update it searching all the guide for paragraps: tools
- Appendix B: Suggested Reading
1 article of 1: need to update it searching all the guide for paragraps: tools
- Appendix C: Fuzz Vectors
Need to be updated
*************************
Reviewers Rules
*************************
1) Check the english language
2) Check the template: the articles on chapter 4 should have the following:
- Template
[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]] {{Template:OWASP Testing Guide v2}} == Brief Summary == <br> ..here: we describe in "natural language" what we want to test. <br> == Description of the Issue == <br> ...here: Short Description of the Issue: Topic and Explanation <br> == Black Box testing and example == '''Testing for Topic X vulnerabilities:''' <br> ...<br> '''Result Expected:'''<br> ...<br><br> == Gray Box testing and example == '''Testing for Topic X vulnerabilities:'''<br> ...<br> '''Result Expected:'''<br> ...<br><br> == References == '''Whitepapers'''<br> ...<br> '''Tools'''<br> ...<br> {{Category:OWASP Testing Project AoC}}
- Template
In some articles we don't need to talk about Gray Box Testing or other, so we can eliminate it.
3) Check the reference style. (I'd like to have all the referenced URLs visible because I have to produce also a pdf document of the Guide). I agree with Stefano, we have to use a reference like that: <nokiwi>
References
Whitepapers
- [1] Author1, Author2: "Title" - http://www.ietf.org/rfc/rfc2254.txt
- [2]...
Tools
- Francois Larouche: "Multiple DBMS Sql Injection tool" - http://www.sqlpowerinjector.com/index.htm
</nowiki>
4) Check the reference with the other articles of the guide or with the other OWASP Project.
5) Other?
**********************
Reviewing planning
**********************
The reviewers are: Daniel Cuthbert, Eoin Keary, Mauro Bregolin, Stefano Di Paola, Matteo Meucci.
We can begin the 1st reviewing phase by review all 63 articles (nearly 13 articles per person). The deadline is 15th November at 20.00 (GMT+1) because we have 15th November as 1st deadline for the Autumn of Code Project.
