[OWASP-TESTING] Pentest checklist 0.9

Mark Curphey mark.curphey at foundstone.com
Wed Apr 7 17:35:56 EDT 2004


Thanks. I agree this is coming along. I think though we need to do a bit
of work before release. 

Let me tackle that tonight and send out an updated draft. Here are my

1. We need to sync completely with the OASIS WAS list. 
2. We mix mechanisms with techniques. An example is we say "Forcing the
application to display error messages back to user (SQL errors, 404's)."
This is a technique. I personally think we need to extrapolate a little
i.e. sat that "test to ensure that the application can not be forced to
generate error conditions that would be useful to an attacker". I think
we need to intentionally be ambiguous otherwise it will be impossible to
list very potential issue. We could I guess go with the layout of "use
technique X to text mechanism Y" but I think that maybe tricky.
3. There are places where I think we need to look at what the security
implications are. As an example "Directory Enumeration	Search for all
directories under the web root. This includes hidden directories". I
think this should be covered by Access Control and we really need to be
saying something like "Ensure that there are no URL's or web resources
that can be accessed in violation of the Access Control policy /
I think this is a common comment of mine. One suggestion of how we could
tackle this is to provide an example. So in the case of Access Control
we may have;
"Ensure that there are no URL's or web resources that can be accessed in
violation of the Access Control policy / design. An example of this
issue maybe URL's that an attacker could directly request and obtain
service without being challenged for appropriate credentials". (Not
happy with that but you can get the idea)

Anyways let me change it the way I think it should read and send it out
to see if people agree. I am thick skinned so if its not good that's

I'll do it now and send out before midnight EST('ish)



-----Original Message-----
From: daniel at deeper.co.za [mailto:daniel at deeper.co.za] 
Sent: Wednesday, April 07, 2004 5:02 AM
To: owasp-testing at lists.sourceforge.net
Subject: [OWASP-TESTING] Pentest checklist 0.9

Morning all,

I'm hoping we are really close to a 1.0 release on this doc, so could
everyone give it a good review and let me know what you think?
Ive also created a new flow diagram from Juan's original one, this has
been heavily used here at the Bank and it seems to work well (obviously
feedback is happily accepted)

Mark, does this fit in with the Oasis standard?



More information about the Owasp-testing mailing list