[OWASP-TESTING] pentest checklist ver 1.1

Javier Fernandez-Sanguino jfernandez at germinus.com
Thu Jul 1 12:36:17 EDT 2004


It looks quite ok to me, I think it might be good to improve the text 
regarding the Workflow information, it might also be better to fill in 
the blank space between page 6 and 7.

How about this:

"The flow diagram below is based on several steps:

- The penetration test needs to start by gathering all possible 
information available on the infrastructure and 
applications involved.

- The test should go through all the different phases described below

- An attempt should be made to exploit all vulnerabilities discovered 
in the application

- For all successful exploitation of a vulnerability a risk should be 
done. Also, the information returned by some vulnerabilities, for 
example, programming errors, source code retrieved through them or 
other internal information disclosed should be used to re-assess the 
known information of the application

- Finally, if at any point in time, a vulnerability is detected which 
can compromise the organisation's service or disclose 
business-critical internal information, the personnel responsible for 
the application should be contacted immediately by issuing an "alert" 
(contacting them immediately)
"

How does the above sound?


Regarding the workflow just a few comments:

a) The second step ("Go through each phase....") does not contain the 
full text.
b) The rhombus in the middle says "Have all attack methods has 
exhausted and investicated?" should say "Have all attack methods been 
exhausted and investigated?"
c) The rhombus to the end and right says "Is the information business 
criticle" should say "Is the information obtained business-critical?"


Sorry to be so nit-picking :-)

Regards

Javier
