OWASP / wstg

The Web Security Testing Guide is a comprehensive Open Source guide to testing the security of web applications and web services.
https://owasp.org/www-project-web-security-testing-guide/
Creative Commons Attribution Share Alike 4.0 International

Add Testing Integrating / Third Party Services (OTG-CONFIG-011) #14

Open tolo7010 opened 6 years ago

tolo7010 commented 6 years ago

Web application integrating external services must be tested for well-known vulnerabilities caused by misconfigurations.

victoriadrake commented 4 years ago

@tolo7010 Would you like to be assigned to this one?

tolo7010 commented 4 years ago

@victoriadrake sure, thank you. But please give me more instruction on this since this is my first time here. I am pleased if I can be a part of the upcoming testing guide v5. I am from the bug bounty field; however, I am not a native English writer, so I need someone to revise this after the first draft.

kingthorin commented 4 years ago

I am not a native English writer, so I need someone to revise this after the first draft.

That's no problem at all. We can provide feedback during the Pull Request review period.

To get started, check out the contributing info here: https://github.com/OWASP/wstg/blob/master/CONTRIBUTING.md

tolo7010 commented 4 years ago

Hi @kingthorin, thank you for your clarification. I notice that there is already an OTG-CONFIG-010 section at https://github.com/OWASP/wstg/blob/master/document/4_Web_Application_Security_Testing/4.3_Configuration_and_Deployment_Management_Testing/4.3.10_Test_for_Subdomain_Takeover_OTG-CONFIG-010.md

Can I rename this section and reassign it to, e.g., OTG-CONFIG-011?

kingthorin commented 4 years ago

So there were a number of bullets in the original ticket.

  • Amazon AWS bucket service: ...
  • Social media profile link validation: ...
  • CloudFlare / CDN service: ...
  • Unclaimed CNAME domains (DNS?): ...
  • ...

If "Unclaimed CNAME domains (DNS?): ..." fits into CONFIG-010, then feel free to update that article. If all of them need a new item on their own, then sure, creating CONFIG-011 is fine (or 11, 12, 13, as applicable) [you can also do level 4 sub-sections like some of the items in 4.8 do if that helps].

You could also create it/them un-numbered for the time being and we can figure out how to fit it in or together once there's something to review? (We're definitely open to suggestions.)

tolo7010 commented 4 years ago

Thank you @kingthorin, one more question: what is the deadline for this first draft submission?

kingthorin commented 4 years ago

Yesterday :rofl: Hahahahaha just kidding.

You tell us; we're all volunteers and flexible. If you need something to work toward, I can pick one for you, but really it's up to you.

ThunderSon commented 4 years ago

@kingthorin we simply didn't ask the ticket opener to tackle the issue ... How ignorant of us 🤦‍♂ @victoriadrake what would we do without you.

victoriadrake commented 4 years ago

@kingthorin we simply didn't ask the ticket opener to tackle the issue ... How ignorant of us 🤦‍♂ @victoriadrake what would we do without you.

Not ask the issue opener to tackle the issue, I guess :grin: /smartass

Thank you for taking this on @tolo7010!

tolo7010 commented 4 years ago

Hi team! Since #14 is the main section for testing integration / third party services (it should be 4.3.11), and as you said we need collaboration, I will provide general information / an overview about how 3rd party applications (cloud / installed) could be misused, but each individual technology should be added by someone who is really used to it (an expert). The specific details of each technology (Amazon S3 for #328) should be a sub-section of #14, e.g., 4.3.11.1. Thank you @jeremychoi for the contribution!

tolo7010 commented 4 years ago

For future PRs, anything about 3rd party integration (cloud / local-install / embedded scripts, ...), such as issue trackers, customer support channels, etc., should also be added here to keep things well organized.

tolo7010 commented 4 years ago

Because technology changes every day, I think we need one dedicated section for this and can add a sub-section for each new technology in the future.

kingthorin commented 4 years ago

@tolo7010 if you're ready to tackle this please proceed with the outline that's been suggested elsewhere:

4.3.11. Testing for integrating / third party services
  4.3.11.1. Cloud Computing
    • Amazon S3, CDN...
  4.3.11.2. Development Control
    • Git, ...
  4.3.11.3. Issue Tracking
    • Jira, ...
  4.3.11.4. Customer Support
    • Zendesk, ...
  4.3.11.5. Payment System

github-actions[bot] commented 4 years ago

Please comment if you are still working on this issue, as it has been inactive for 30 days. To give everyone a chance to contribute, we are releasing it to new contributors.

github-actions[bot] commented 3 years ago

Please comment if you are still working on this issue, as it has been inactive for 30 days. To give everyone a chance to contribute, we are releasing it to new contributors.

github-actions[bot] commented 3 years ago

Please comment if you are still working on this issue, as it has been inactive for 30 days. To give everyone a chance to contribute, we are releasing it to new contributors.

github-actions[bot] commented 2 years ago

Please comment if you are still working on this issue, as it has been inactive for 90 days. To give everyone a chance to contribute, we are releasing it to new contributors.