[Owasp-leaders] Web Application Security Testing Cheat Sheet (work in progress; )

Matt Tesauro matt.tesauro at owasp.org
Thu Jul 26 02:38:08 UTC 2012


Simon,

Sweet idea, can't wait to see what you come up with.

I created a 1 sheet condensed version of the testing guide (v3)
sections/tests as well as a longer version with page references to look
them up in the testing guide.  Both were created in OpenOffice/LibreOffice.
I'll happily share if you think it would be useful - I give them out as
part of my handouts when I teach web app testing trainings.

However, I'm not sure they'd do more than give you a bunch of stuff to
copy/paste since they're formatted for print, but let me know if you're interested.

Also, I'd suggest keeping the testing guide numbering system in place (e.g.
DV-001 = Reflective Cross-Site Scripting) until the universal OWASP
numbering system gets worked out. I've found those to be a handy short
reference to a specific test.  In a past job, they were my de facto
categories for when I did reporting, trending, etc.

--
-- Matt Tesauro
OWASP Board Member
OWASP WTE Project Lead
http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
http://AppSecLive.org - Community and Download site


On Wed, Jul 25, 2012 at 12:10 PM, psiinon <psiinon at gmail.com> wrote:

> Hi Rory,
>
> My plan was no detail at all actually, other than maybe linking to the
> relevant section of the Testing Guide.
> So the first few sections are actually as they will appear, unless we add
> more bullet points.
> When printed out it will look something like:
> Information Gathering [ ] Manually explore the site
> [ ] Spider/crawl for missed or hidden content
>
> etc.
> It really will be just a checklist, and will hopefully be printable on max
> 2 sides of A4.
>
> But we could actually include a sentence or 2 in the XML and then have
> various options for exporting/printing it out.
> I just don't want to compete with the Testing Guide - that should be the
> definitive tome :)
>
> Cheers,
>
> Simon
>
>
>
> On Wed, Jul 25, 2012 at 6:02 PM, Rory McCune <rorym at nmrconsult.net> wrote:
>
>> Hi,
>>
>> Cool idea. How much detail were you thinking should be put in each
>> section, purely leaving it as a bullet-point list or adding a bit of
>> extra information (a couple of sentences) to flesh out each section?
>>
>> Cheers
>>
>> Rory
>>
>> On Wed, Jul 25, 2012 at 5:56 PM, psiinon <psiinon at gmail.com> wrote:
>> > Hi folks,
>> >
>> > I've just started a Web Application Security Testing Cheat Sheet.
>> >
>> > To quote from that page:
>> >
>> > Introduction
>> >
>> > This cheat sheet provides a checklist of tasks to be performed when
>> > performing a blackbox security test of a web application.
>> >
>> > Purpose
>> >
>> > This checklist is intended to be used as an aide memoire for experienced
>> > pentesters and should be used in conjunction with the OWASP Testing
>> Guide.
>> > It will be updated as the Testing Guide v4 is progressed.
>> >
>> > The intention is that this guide will be available as an XML document,
>> with
>> > scripts that convert it into formats such as pdf, Media Wiki markup,
>> HTML
>> > etc.
>> >
>> > This will allow it to be consumed within security tools as well as being
>> > available in a format suitable for printing.
>> >
>> > It is currently at a very early stage, but any feedback or offers of
>> help
>> > will be appreciated.
>> >
>> >
>> > Let me know if you have any feedback, and feel free to add more content
>> to
>> > the wiki!
>> >
>> > Cheers,
>> >
>> > Simon
>> >
>> > --
>> > OWASP ZAP: Toolsmith Tool of the Year 2011
>> >
>> >
>> > _______________________________________________
>> > OWASP-Leaders mailing list
>> > OWASP-Leaders at lists.owasp.org
>> > https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> >
>>
>
>
>
> --
> OWASP ZAP: Toolsmith Tool of the Year 2011<http://holisticinfosec.blogspot.com/2012/02/2011-toolsmith-tool-of-year-owasp-zap.html>
>
>
>
>
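An added example (my own code, not Simon's XML or the project's conversion scripts) of the pipeline the thread proposes: a constructed XML checklist is parsed and rendered both as the printable tick-box list shown above and as MediaWiki markup. The element and attribute names (`checklist`, `section`, `item`, `ref`) are assumptions; the Testing Guide ID is carried as an attribute so it survives every output format.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the checklist XML (assumed schema, not the real file).
# Use defusedxml instead of ElementTree if the document comes from an untrusted source.
CHECKLIST_XML = """<checklist>
  <section name="Information Gathering">
    <item>Manually explore the site</item>
    <item>Spider/crawl for missed or hidden content</item>
  </section>
  <section name="Data Validation">
    <item ref="DV-001">Reflective Cross-Site Scripting</item>
  </section>
</checklist>"""


def parse_checklist(xml_text):
    """Return [(section_name, [(ref_or_None, item_text), ...]), ...]."""
    root = ET.fromstring(xml_text)
    sections = []
    for sec in root.findall("section"):
        items = [(it.get("ref"), (it.text or "").strip()) for it in sec.findall("item")]
        sections.append((sec.get("name"), items))
    return sections


def render_print(sections):
    """Plain-text form with [ ] tick boxes, one section per block."""
    lines = []
    for name, items in sections:
        lines.append(name)
        for ref, text in items:
            lines.append("[ ] " + (f"{ref} {text}" if ref else text))
        lines.append("")
    return "\n".join(lines).rstrip("\n")


def render_mediawiki(sections):
    """MediaWiki markup: level-2 headings with bulleted items, bold IDs."""
    lines = []
    for name, items in sections:
        lines.append(f"== {name} ==")
        for ref, text in items:
            lines.append("* " + (f"'''{ref}''' {text}" if ref else text))
        lines.append("")
    return "\n".join(lines).rstrip("\n")


if __name__ == "__main__":
    parsed = parse_checklist(CHECKLIST_XML)
    print(render_print(parsed))
    print()
    print(render_mediawiki(parsed))
```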

