[ OWASP - Montreal ] OWASP Testing Guide v2 - How to learn from that huge brick?

Benoit Guerette benoit.guerette at gmail.com
Sat Nov 29 20:31:58 EST 2008

I found a document that seems to be a great starting point: it is shorter than
the official document and looks like your document.

OWASP Web Application Penetration Checklist


Thanks Laurent!

On Thu, Nov 27, 2008 at 9:32 PM, Laurent Desaulniers
<laurent.desaulniers at gmail.com> wrote:
> I know it is silly, but my best "framework" for security is a checklist:
> www.secguru.com/files/cheatsheet/webappcheatsheet2.pdf
> This is a high-level view of what I need; certainly not as restraining as
> the usual framework, but it also does not help as much as other frameworks. For
> example, using this framework, it does not tell HOW to check for session ID
> analysis or XSS. It just makes sure everything is covered.
> OSSTM is more focused toward "standard pen-test", i.e. networks and
> applications, BO and SO.
> The OWASP testing guide is still THE reference, at least for all the SOAP
> and AJAX sections.
> I hope it helps.
> I can give you my "procedure" at the next talk. But here is a little
> excerpt:
> 1) Focus on logic flaws. Many app scanners can now find blind SQL
> injections, XSS and even CSRF. But it is not possible for an application to
> know that a negative amount is not valid for an amount transfer. This is not
> only the easiest thing to test, but also what will ensure you the most
> visibility to your clients. (imho)
> 2) I abuse paper cards. Usually, what I do is write a little card for
> every page, including every input and output and hidden fields. If there is a
> web service, I also write every parameter. It not only allows you to get a
> good idea of the inner workings of a web app
> 3) Check encryption, especially on parameters you can control. Even if the
> page redirects to https, all you need is a SINGLE valid image on http and
> the application is insecure to cookie stealing. Same about cookies. Make
> sure all cookies are marked as safe.
> 4) Usually, when I do a white-box web assessment, I require 2 accounts: an
> admin account and a "user" account. This allows you to know more about the
> application and its inner functions.
> 5) Fuzzing. I am not a fan of fuzzing, but I have seen very good results. It
> is not for me, but you might want to check it out.
> Laurent
> On Thu, Nov 27, 2008 at 9:10 PM, Benoit Guerette <benoit.guerette at gmail.com>
> wrote:
>> I was looking for a framework to guide my web app penetration testing.
>> At this point, I found a lot of useful PowerPoint presentations, 30 pages
>> maximum, and parts of some books.
>> Now, I want to go to the next level. There is OSSTM, the NIST security
>> testing guide, the Penetration Testing Framework 0.51 and OWASP
>> Testing Guide v2.
>> OWASP is the reference, but where do you start from that 344-page
>> document?
>> Did you all read the whole brick and create your own shortest how-to?
>> I guess holiday vacations will serve that goal ;)
>> Thanks!
>> --
>> http://www.linkedin.com/in/benoitguerette
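Laurent's point 3 turned into a small defensive check. This is an added example, not code from the thread: given the response headers and HTML of a page served over https://, it lists Set-Cookie entries that lack the Secure attribute (so the browser would also send them over plain http) and sub-resources such as images and scripts that are loaded over http://. The headers and body below are constructed samples.

```python
"""Checklist helper for an https:// page: cookies without the Secure flag and
sub-resources pulled over plain http (mixed content). Added example; the
sample response is constructed, not captured from a real site."""
from html.parser import HTMLParser

# Constructed sample response: one cookie is missing Secure, one image is http.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "prefs=fr; Path=/; Secure"),
]
SAMPLE_BODY = """<html><body>
<img src="https://shop.example/logo.png">
<img src="http://static.example/banner.gif">
<script src="//cdn.example/app.js"></script>
</body></html>"""


def insecure_cookies(headers):
    """Names of cookies whose Set-Cookie header has no Secure attribute."""
    bad = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        # Attribute names are case-insensitive; flags like Secure have no value.
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            bad.append(cookie_name)
    return bad


class _SrcCollector(HTMLParser):
    """Collect URLs of sub-resources the browser would fetch automatically."""
    TAGS = {"img": "src", "script": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = self.TAGS.get(tag)
        for key, val in attrs:
            if wanted and key == wanted and val:
                self.urls.append(val)


def mixed_content(body):
    """Sub-resource URLs loaded over plain http (scheme-relative // is fine)."""
    collector = _SrcCollector()
    collector.feed(body)
    return [u for u in collector.urls if u.lower().startswith("http://")]
```

Running `insecure_cookies(SAMPLE_HEADERS)` and `mixed_content(SAMPLE_BODY)` on the sample reports the JSESSIONID cookie and the http banner image; each finding is one item to fix before the page can be called covered on point 3.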
