[OWASP-TESTING] Got Sidetracked

Javier Fernandez-Sanguino jfernandez at germinus.com
Mon Apr 12 16:18:55 EDT 2004


Calderon, Juan Carlos (GE Commercial Finance, NonGE) wrote:

> hey!
> 
> Congrats to all, the new flow is cool and the whole thing looks
> just great!
> 
> I have no further comments about the "issues" just a few about the
> workflow (Dan?)
> 
> 1. Some processes, like "try to exploit the vulnerability", are not
> decision points, so I think the "Yes" flow arrow should not go
> there.

Correct. The arrow from "Try and exploit" to "Did you succeed" should 
not have a "YES" on it


> 2. "Can you compromise the application with the
> vulnerability?" is a decision point, so it should be in a
> rhombus.

Correct again.

> 3. "Is there information leakage?" has 2 "YES" flow arrows.

Correct. The "YES" should point to "Is the type of information 
business critical" and the "No" of "Is the type of information 
business critical" should point to "Go through each testing...."

> 4. "Is the type of information business critical?" has no "NO"
> flow arrow.

See above.

> 5. "Have all possible test being executed?" is not
> "referenced"; IMO the "YES" flow arrow from "Have all attack
> methods being exhausted and investigated?" should be pointing here.

Correct.

Also notice that there should be an arrow after "Contact the business 
organization". All the steps after the "YES" to "Attack succeeded" 
should go back to the same phases, since the main idea is the same as 
for the "NO" (in order for the cycle to be repeated).

I've been thinking about the flowchart a little bit, and attached is 
my proposal for it. I think it's easier to understand this way. I'm 
sorry it's not in a "prettier form" (but I've done my best to 
re-route all connections).

> Cheers

Regards

Javier
-------------- next part --------------
A non-text attachment was scrubbed...
Name: www-attack-flow.png
Type: image/png
Size: 15298 bytes
Desc: not available
Url : http://lists.owasp.org/pipermail/owasp-testing/attachments/20040412/51e51ac2/attachment.png 