[OWASP-TESTING] pentest cheat sheet

Lluis Mora llmora at sentryware.com
Tue Jul 13 06:24:57 EDT 2004


Hi all,

I like the idea but what about having that as part of the 2nd phase
contents? At the end of each section a "things to test" subsection - like
this it can be easily related to the in-depth discussion of the
vulnerability that (I assume) will be part of that section and can be more
easily mantained than a separate document.

I think a way forward (even before we have the definitive list of sections)
could be to write up one of the sections, so that we agree on the content of
the section. What about something along the lines of:

  1. Vulnerability overview (short version)
  2. Why/when it happens?
  3. In-depth technical vulnerability description
  4. How to test for it
  5. Drawbacks of the testing (things that can go untested / things that can
not be tested)
  6. "Thing to test" / "Things to try"
  7. How to solve it? (Is this outside the scope of the "testing" group?)
  ...?

If we agree on this I would pick up a not-so-widely published/discussed
vulnerability (e.g. not SQL injection or XSS) to try and test the content
structure fits us.

Cheers,

Lluis
.

> -----Original Message-----
> From: owasp-testing-admin at lists.sourceforge.net 
> [mailto:owasp-testing-admin at lists.sourceforge.net] On Behalf Of Daniel
> Sent: martes, 13 de julio de 2004 9:15
> To: owasp 
> Subject: [OWASP-TESTING] pentest cheat sheet
> 
> 
> hey all,
> 
> I was working on the 2nd phase last night (adding all the 
> sections that everyone has said need to be added) and it got 
> me thinking about the possibility of including a cheat sheet.
> 
> The idea:
> You have the OWASP pentest checklist, so why not have a 
> document which lists the most common things to test (dir 
> traversal with all the various encoding tricks/SQL injection 
> strings/commands etc)
> 
> Does anyone use anything like this at the moment?
> I have a very muddled up collection of scribbles but nothing 
> that would make sense to anyone and i think that this would 
> be a worthwhile addition to the OWASP testing guide.
> 
> Comments/examples appreciated.
> 
> Daniel
> 
> 
> 
> -------------------------------------------------------
> This SF.Net email sponsored by Black Hat Briefings & 
> Training. Attend Black Hat Briefings & Training, Las Vegas 
> July 24-29 - 
> digital self defense, top technical experts, no vendor pitches, 
> unmatched networking opportunities. Visit www.blackhat.com 
> _______________________________________________
> owasp-testing mailing list
> owasp-testing at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/owasp-testing
> 
> 





More information about the Owasp-testing mailing list