[OWASP-TESTING] pentest checklist ver 1.1
Javier Fernandez-Sanguino
jfernandez at germinus.com
Thu Jul 1 12:36:17 EDT 2004
It looks quite ok to me, I think it might be good to improve the text
regarding the Workflow information, it might also be better to fill in
the blank space between page 6 and 7.
How about this:
"The flow diagram below is based on several steps:
- The penetration test needs to start by gathering all possible
information available on the infrastructure and
applications involved.
- The test should go through all the different phases described below
- An attempt should be made to exploit all vulnerabilities discovered
in the application
- For all successful exploitation of a vulnerability a risk should be
done. Also, the information returned by some vulnerabilities, for
example, programming errors, source code retrieved through them or
other internal information disclosed should be used to re-assess the
known information of the application
- Finally, if at any point in time, a vulnerability is detected which
can compromise the organisation's service or disclose
business-critical internal information, the personnel responsible for
the application should be contacted immediately by issuing an "alert"
(contacting them immediately)
"
How does the above sound?
Regarding the workflow just a few comments:
a) The second step ("Go through each phase....") does not contain the
full text.
b) The rhombus in the middle says "Have all attack methods has
exhausted and investicated?" should say "Have all attack methods been
exhausted and investigated?"
c) The rhombus to the end and right says "Is the information business
criticle" should say "Is the information obtained business-critical?"
Sorry to be so nit-picking :-)
Regards
Javier