Difference between revisions of "OWASP Testing Project v3 Review Roadmap"
Diff at line 53 (unchanged context lines, then the lines added in this revision):

  *** Subsection 4.6.1: "Review code for path traversal" does not exist in the Code Review Guide, or the link the broken.
  ** Section 4.5
+
+ Sep 10, 2008
+ * Chapter 4
+ ** Section 4.4
+ ** Section 4.3
+ ** Section 4.2
+ ** Section 4.1
+ * Chapter 3
+ * Chapter 2
+ * Chapter 1
+ ** [[Testing Guide Frontispiece]] still shows v2 editors and reviewers
+ ** [[About The Open Web Application Security Project]] The link to the printed edition of the book is invalid. This page is a generally shared wiki page among all projects.
+
  '''Kevin Review:'''
Revision as of 07:12, 10 September 2008
This page tracks all the updates to the Testing Guide v3 during the reviewing phase.
In particular, the focus is:
- Review the content of each article
- Review the English syntax
- No "attacker"; use "tester" instead
- No "we describe"; use "it is described" instead
Official Testing Guide Reviewers are:
- Nam Nguyen
- Kevin R. Fuller
- If you want to review it, please add your name and keep track of your updates
Nam Review:
Aug 31, 2008
- Appendix D
- Appendix C
- Appendix B
- Appendix A
- Chapter 5
  - How to write the report of the testing
    - ``TO UPDATE WITH V3 controls`` is still in the article. Has it been updated to v3? (Mat: I'm updating it, thanks)
  - How to write the report of the testing
- Chapter 4
  - Section 4.11 Testing for AJAX Vulnerabilities
    - There are mentions of "attackers", but I think they are fine.
    - The subsection on Memory leaks is not complete.
  - Section 4.11 Testing for AJAX
    - The subsection "Intercepting and Debugging JS code with Browsers" is very difficult to understand. I tried to fix it, but I'm afraid what I have might not reflect what the original author wanted to express.
  - Section 4.11 Testing for AJAX Vulnerabilities
Sep 02, 2008
- Chapter 4
  - Section 4.10
    - Subsection "Testing for WS Replay: Gray box testing and examples" gives incomplete sample code. I believe the call to GetSessionIDMac() is missing four parameters. In this same part, using SSL helps in preventing replay attacks, but it doesn't prevent replay attacks by itself. In this same subsection, the images show an identifiable real Internet address in Hungary; should they be masked off?
  - Section 4.10
Sep 04, 2008
- Chapter 4
  - Section 4.9
  - Section 4.8
    - I'm not sure if format string could be classified under subsection 4.8.14 "Buffer overflow testing".
    - Subsection 4.8.3: Incomplete
    - Subsection 4.8.4: Incomplete
    - Subsection 4.8.5: What is "data-plane input"?
Sep 06, 2008
- Chapter 4
  - Section 4.8
Sep 07, 2008
- Chapter 4
  - Section 4.7
  - Section 4.6
    - Subsection 4.6.1: "Review code for path traversal" does not exist in the Code Review Guide, or the link is broken.
  - Section 4.5
Sep 10, 2008
- Chapter 4
  - Section 4.4
  - Section 4.3
  - Section 4.2
  - Section 4.1
- Chapter 3
- Chapter 2
- Chapter 1
  - Testing Guide Frontispiece still shows v2 editors and reviewers
  - About The Open Web Application Security Project: the link to the printed edition of the book is invalid. This page is a wiki page generally shared among all projects.
Kevin Review:
Date | Articles reviewed
(no entries yet)
Questions: (Mat will answer them)