[OWASP-TESTING] pentest cheat sheet

Daniel Daniel at deeper.co.za
Tue Jul 13 05:53:15 EDT 2004


This is pretty much the direction i was going

When we have the final structure decided, im going to put out the call for
everyone to pick a section they want to write on, and it will take the
form of your description below.

So say SQL injection:

1. Vulnerability overview (short version)
2. Why/when it happens?
3. In-depth technical vulnerability description
4. How to test for it
5. Drawbacks of the testing (things that can go untested / things that can
not be tested)
6. "Thing to test" / "Things to try"

As for fixing it, i think at the start of the doc it does state that the
OWASP guide to building secure webapps should be used as well.



> Hi all,
>
> I like the idea but what about having that as part of the 2nd phase
> contents? At the end of each section a "things to test" subsection - like
> this it can be easily related to the in-depth discussion of the
> vulnerability that (I assume) will be part of that section and can be more
> easily mantained than a separate document.
>
> I think a way forward (even before we have the definitive list of
> sections)
> could be to write up one of the sections, so that we agree on the content
> of
> the section. What about something along the lines of:
>
>   1. Vulnerability overview (short version)
>   2. Why/when it happens?
>   3. In-depth technical vulnerability description
>   4. How to test for it
>   5. Drawbacks of the testing (things that can go untested / things that
> can
> not be tested)
>   6. "Thing to test" / "Things to try"
>   7. How to solve it? (Is this outside the scope of the "testing" group?)
>   ...?
>
> If we agree on this I would pick up a not-so-widely published/discussed
> vulnerability (e.g. not SQL injection or XSS) to try and test the content
> structure fits us.
>
> Cheers,
>
> Lluis
> .
>
>> -----Original Message-----
>> From: owasp-testing-admin at lists.sourceforge.net
>> [mailto:owasp-testing-admin at lists.sourceforge.net] On Behalf Of Daniel
>> Sent: martes, 13 de julio de 2004 9:15
>> To: owasp
>> Subject: [OWASP-TESTING] pentest cheat sheet
>>
>>
>> hey all,
>>
>> I was working on the 2nd phase last night (adding all the
>> sections that everyone has said need to be added) and it got
>> me thinking about the possibility of including a cheat sheet.
>>
>> The idea:
>> You have the OWASP pentest checklist, so why not have a
>> document which lists the most common things to test (dir
>> traversal with all the various encoding tricks/SQL injection
>> strings/commands etc)
>>
>> Does anyone use anything like this at the moment?
>> I have a very muddled up collection of scribbles but nothing
>> that would make sense to anyone and i think that this would
>> be a worthwhile addition to the OWASP testing guide.
>>
>> Comments/examples appreciated.
>>
>> Daniel
>>
>>
>>
>> -------------------------------------------------------
>> This SF.Net email sponsored by Black Hat Briefings &
>> Training. Attend Black Hat Briefings & Training, Las Vegas
>> July 24-29 -
>> digital self defense, top technical experts, no vendor pitches,
>> unmatched networking opportunities. Visit www.blackhat.com
>> _______________________________________________
>> owasp-testing mailing list
>> owasp-testing at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/owasp-testing
>>
>>
>
>






More information about the Owasp-testing mailing list