[OWASP-TESTING] pentest checklist ver 1.1
daniel at deeper.co.za
Thu Jul 1 17:31:01 EDT 2004
We love nit-picking... it makes the doc so much better.
I'll update the space with your comments and edit the workflow.
Expect a new version tomorrow.
On 1 Jul 2004, at 17:36, Javier Fernandez-Sanguino wrote:
> It looks quite ok to me, I think it might be good to improve the text
> regarding the Workflow information, it might also be better to fill in
> the blank space between page 6 and 7.
> How about this:
> "The flow diagram below is based on several steps:
> - The penetration test needs to start by gathering all possible
> information available on the infrastructure and
> applications involved.
> - The test should go through all the different phases described below
> - An attempt should be done to exploit all vulnerabilities discovered
> in the application
> - For all successful exploitation of a vulnerability a risk should be
> done. Also, the information returned by some vulnerabilities, for
> example, programming errors, source code retrieved through them or
> other internal information disclosed should be used to re-assess the
> known information of the application
> - Finally, if at any point in time, a vulnerability is detected which
> can compromise the organisation's service or disclose
> business-critical internal information, the personnel responsible for
> the application should be contacted immediately by issuing an "alert"
> (contacting them immediately)
> How does the above sound?
> Regarding the workflow just a few comments:
> a) The second step ("Go through each phase....") does not contain the
> full text.
> b) The rhombus in the middle says "Have all attack methods has
> exhausted and investicated?" should say "Have all attack methods been
> exhausted and investigated?"
> c) The rhombus to the end and right says "Is the information business
> criticle" should say "Is the information obtained business-critical?"
> Sorry to be so nit-picking :-)