[OWASP-TESTING] pentest checklist ver 1.1

Daniel daniel at deeper.co.za
Thu Jul 1 17:31:01 EDT 2004

We love nit-picking.. it makes the doc so much better
Ill update the space with your comments and edit the workflow

Expect a new version tomorrow

Cheers Javier

On 1 Jul 2004, at 17:36, Javier Fernandez-Sanguino wrote:

> It looks quite ok to me, I think it might be good to improve the text 
> regarding the Workflow information, it might also be better to fill in 
> the blank space between page 6 and 7.
> How about this:
> "The flow diagram below is based in several steps:
> - The penetration test needs to start by gathering all possible 
> information available information on the infraestructure and 
> applications involved.
> - The test should go through all the different phases described below
> - An attempt should be done to exploit all vulnerabilities discovered 
> in the application
> - For all succesful exploitation of a vulnerability a risk should be 
> done. Also, the information returned by some vulnerabilities, for 
> example, programming errors, source code retrieved through them or 
> other internal information disclosed should used to re-assess the 
> known information of the application
> - Finally, if at any point in time, a vulnerability is detected which 
> can compromise the organisation's service or disclose 
> business-critical internal information, the personnel responsible for 
> the application should be contacted inmediately by issuing an "alert" 
> (contacting them inmediately)
> "
> How does the above sound?
> Regarding the workflow just a few comments:
> a) The second step ("Go through each phase....") does not contain the 
> full text.
> b) The rhombus in the middle says "Have all attack methods has 
> exhausted and investicated?" should say "Have all attack methods been 
> exhausted and investigated?"
> b) The rhombus to the end and right says "Is the information business 
> criticle" should say "Is the information obtained business-critical?"
> Sorry to be so nit-picking :-)
> Regards
> Javier

More information about the Owasp-testing mailing list