
Talk:Conduct search engine discovery/reconnaissance for information leakage (OTG-INFO-001)

From OWASP
Revision as of 00:38, 16 August 2013 by Cmlh (talk | contribs) (Response to Rick)

v3 Review Comments

This section does not cover the items stated in the "brief summary". For v3, if the section is to remain completely Google-centric I suggest we rename "Search engine discovery" to "Google searching your web application and accessing Google's cache".

Reply to "v3 Review Comments" from @cmlh

The roadmap was to add Yahoo! and Bing to the next release of the OWASP Testing Guide (i.e. v3 -> v4) and to not appear to promote Google over Yahoo! and Bing. It should be noted that Yahoo! and Bing might refer to the same "entity" as further research is undertaken i.e. the "Yahoo! and Microsoft Search Alliance"/"Yahoo! Bing Network".

Furthermore, the intent is *not* to promote the inferior http://www.hackersforcharity.org/ghdb/, rather a more scientific and innovative approach.

Hi cmlh, thanks for the follow-up. That comment was really old and seems to have been migrated for the v3 > v4 draft. I think the new heading/title is more appropriate than previously; however, the content still seems awfully Google-centric.
Should we also be including some Shodan stuff? (http://www.shodanhq.com/) Rick.mitchell (talk)
Actually, now that I'm looking at this, I'm not sure how the heading has changed since v3 was a draft (when the comment was originally made). However, again looking at this now, there are a number of goals, etc. stated in the summary that don't seem to be covered by the content. Also, the summary seems to be written from the perspective of an app/system owner, not a tester.
I also wonder if we should be including examples such as xssed.com and their ilk, web.archive.org, etc Rick.mitchell (talk)

Adding web services, such as xssed.com or web.archive.org, would depend on whether they have an API available to the public (I believe archive.org has an API) and whether there is a product available (possibly released under FOSS licenses) to provide an example.

IMHO that only applies from a purely automated point of view. There is no reason we shouldn't be referencing these as a manual step (or steps).
CMLH - I am aware of archive.org; I am not sure about the xssed example that you are referring to?
I'm not sure how the majority of the industry ends up getting involved in Web App VA, but from my perspective and experience there are usually limited targets, so doing a few manual lookups isn't a major stumbling block.
CMLH - I believe some of these other services might be out of scope of OTG-INFO-001.
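The thread above argues about whether search engines other than Google, and archive services such as web.archive.org, belong in OTG-INFO-001 and whether they are practical to automate. The following Python script is an added example, not code from the Testing Guide or from either participant, that shows what the automated side of that step could look like: it builds the same `site:`/`filetype:`/`intitle:` queries for more than one search engine, constructs a Wayback Machine CDX query for every capture under a domain, and triages a CDX response for files and paths worth a manual look. The CDX server parameters (`matchType=domain`, `output=json`, `filter=statuscode:200`, `collapse=urlkey`, `limit=`), the `id_` snapshot modifier, the assumption that the listed operators are accepted by both Google and Bing, and the sample CDX rows are all assumptions for illustration; the sample response is constructed, so the script runs offline.

```python
"""Search-engine and web-archive reconnaissance helpers (illustrative example for OTG-INFO-001)."""
import json
from urllib.parse import quote_plus, urlsplit

# Dork templates; these operators are assumed to be accepted by both Google and Bing.
COMMON_DORKS = [
    "site:{domain} filetype:pdf",
    "site:{domain} intitle:\"index of\"",
    "site:{domain} -site:www.{domain}",   # hosts other than the main site
    "site:{domain} filetype:sql",
]

SEARCH_ENGINES = {
    "google": "https://www.google.com/search?q={q}",
    "bing": "https://www.bing.com/search?q={q}",
}

# Path segments and extensions that usually justify a manual look at an archived copy.
INTERESTING_PATH = ("admin", "login", "backup", "phpmyadmin", "test", "dev")
INTERESTING_EXT = (".sql", ".bak", ".zip", ".tar.gz", ".pdf", ".xls", ".doc", ".log", ".config", ".old")


def build_dork_urls(domain, dorks=COMMON_DORKS, engines=SEARCH_ENGINES):
    """Return {engine: [search URL, ...]} with every dork template filled in for domain."""
    return {
        engine: [template.format(q=quote_plus(d.format(domain=domain))) for d in dorks]
        for engine, template in engines.items()
    }


def cdx_query_url(domain, limit=500):
    """Wayback CDX query listing captured URLs under domain and its subdomains (parameters assumed)."""
    return ("https://web.archive.org/cdx/search/cdx?url={d}&matchType=domain"
            "&output=json&filter=statuscode:200&collapse=urlkey&limit={n}").format(d=domain, n=limit)


def wayback_snapshot_url(timestamp, url):
    """URL of one archived capture; the 'id_' modifier (assumed) asks for the raw bytes without the toolbar."""
    return "https://web.archive.org/web/{ts}id_/{u}".format(ts=timestamp, u=url)


def parse_cdx(cdx_json):
    """CDX JSON output is a list of rows whose first row is the header; turn it into dicts."""
    rows = json.loads(cdx_json)
    if not rows:
        return []
    header, body = rows[0], rows[1:]
    return [dict(zip(header, row)) for row in body]


def triage_captures(cdx_json):
    """Return (sorted hostnames seen, {url: newest interesting capture}) from a CDX response.

    Non-200 captures are dropped client-side as well, in case the query omitted the filter.
    """
    hosts = set()
    hits = {}
    for rec in parse_cdx(cdx_json):
        if rec.get("statuscode") != "200":
            continue
        url = rec["original"]
        parts = urlsplit(url)
        hosts.add(parts.netloc.lower())
        path = parts.path.lower()
        segments = path.strip("/").split("/")
        if path.endswith(INTERESTING_EXT) or any(seg in INTERESTING_PATH for seg in segments):
            prev = hits.get(url)
            if prev is None or rec["timestamp"] > prev["timestamp"]:
                hits[url] = {
                    "timestamp": rec["timestamp"],
                    "mimetype": rec["mimetype"],
                    "snapshot": wayback_snapshot_url(rec["timestamp"], url),
                }
    return sorted(hosts), hits


# Constructed sample CDX response (not real archive data) in the server's JSON layout.
SAMPLE_CDX_JSON = json.dumps([
    ["urlkey", "timestamp", "original", "mimetype", "statuscode", "digest", "length"],
    ["com,example)/", "20130101000000", "http://example.com/", "text/html", "200", "AAA", "1234"],
    ["com,example)/admin/login.php", "20120505120000", "http://example.com/admin/login.php", "text/html", "200", "BBB", "2345"],
    ["com,example)/admin/login.php", "20130505120000", "http://example.com/admin/login.php", "text/html", "200", "BBB", "2345"],
    ["com,example)/backup/site.sql", "20110101000000", "http://example.com/backup/site.sql", "application/octet-stream", "200", "CCC", "99999"],
    ["com,example,old)/report.pdf", "20100101000000", "http://old.example.com/report.pdf", "application/pdf", "200", "DDD", "5000"],
    ["com,example)/robots.txt", "20130101000000", "http://example.com/robots.txt", "text/plain", "404", "EEE", "100"],
])


if __name__ == "__main__":
    for engine, urls in build_dork_urls("example.com").items():
        print(engine)
        for u in urls:
            print("  ", u)
    print("CDX query:", cdx_query_url("example.com"))
    hosts, hits = triage_captures(SAMPLE_CDX_JSON)
    print("hosts seen in archive:", ", ".join(hosts))
    for url, info in sorted(hits.items()):
        print("  {} ({}, {}) -> {}".format(url, info["timestamp"], info["mimetype"], info["snapshot"]))
```

The search URLs are meant to be opened by the tester (or fed to a scraper that respects each engine's terms), which keeps the manual step Rick describes; the CDX part is the kind of API-driven check cmlh asks for, and it only needs a single HTTP request per domain once the sample response is swapped for a live one.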