[OWASP-TESTING] pentest cheat sheet
Daniel at deeper.co.za
Tue Jul 13 05:53:15 EDT 2004
This is pretty much the direction i was going
When we have the final structure decided, im going to put out the call for
everyone to pick a section they want to write on, and it will take the
form of your description below.
So say SQL injection:
1. Vulnerability overview (short version)
2. Why/when it happens?
3. In-depth technical vulnerability description
4. How to test for it
5. Drawbacks of the testing (things that can go untested / things that can
not be tested)
6. "Thing to test" / "Things to try"
As for fixing it, i think at the start of the doc it does state that the
OWASP guide to building secure webapps should be used as well.
> Hi all,
> I like the idea but what about having that as part of the 2nd phase
> contents? At the end of each section a "things to test" subsection - like
> this it can be easily related to the in-depth discussion of the
> vulnerability that (I assume) will be part of that section and can be more
> easily mantained than a separate document.
> I think a way forward (even before we have the definitive list of
> could be to write up one of the sections, so that we agree on the content
> the section. What about something along the lines of:
> 1. Vulnerability overview (short version)
> 2. Why/when it happens?
> 3. In-depth technical vulnerability description
> 4. How to test for it
> 5. Drawbacks of the testing (things that can go untested / things that
> not be tested)
> 6. "Thing to test" / "Things to try"
> 7. How to solve it? (Is this outside the scope of the "testing" group?)
> If we agree on this I would pick up a not-so-widely published/discussed
> vulnerability (e.g. not SQL injection or XSS) to try and test the content
> structure fits us.
>> -----Original Message-----
>> From: owasp-testing-admin at lists.sourceforge.net
>> [mailto:owasp-testing-admin at lists.sourceforge.net] On Behalf Of Daniel
>> Sent: martes, 13 de julio de 2004 9:15
>> To: owasp
>> Subject: [OWASP-TESTING] pentest cheat sheet
>> hey all,
>> I was working on the 2nd phase last night (adding all the
>> sections that everyone has said need to be added) and it got
>> me thinking about the possibility of including a cheat sheet.
>> The idea:
>> You have the OWASP pentest checklist, so why not have a
>> document which lists the most common things to test (dir
>> traversal with all the various encoding tricks/SQL injection
>> strings/commands etc)
>> Does anyone use anything like this at the moment?
>> I have a very muddled up collection of scribbles but nothing
>> that would make sense to anyone and i think that this would
>> be a worthwhile addition to the OWASP testing guide.
>> Comments/examples appreciated.
>> This SF.Net email sponsored by Black Hat Briefings &
>> Training. Attend Black Hat Briefings & Training, Las Vegas
>> July 24-29 -
>> digital self defense, top technical experts, no vendor pitches,
>> unmatched networking opportunities. Visit www.blackhat.com
>> owasp-testing mailing list
>> owasp-testing at lists.sourceforge.net
More information about the Owasp-testing