[OWASP-TESTING] pentest cheat sheet

Mads Rasmussen mads at opencs.com.br
Tue Jul 13 12:52:30 EDT 2004


Lluis Mora wrote:
> I think a way forward (even before we have the definitive list of sections)
> could be to write up one of the sections, so that we agree on the content of
> the section. What about something along the lines of:
> 
>   1. Vulnerability overview (short version)
>   2. Why/when it happens?
>   3. In-depth technical vulnerability description
>   4. How to test for it
>   5. Drawbacks of the testing (things that can go untested / things that can
> not be tested)
>   6. "Thing to test" / "Things to try"
>   7. How to solve it? (Is this outside the scope of the "testing" group?)
>   ...?

I think Lluis's idea is excelent. The outline above seems to me to be a 
good layout for the document. Maybe section 3 and 4 should be merged, 
this way you could submit to a more "teacher" writing style, mentioning 
the vulnerability in details and showing how to test for it side by side.
We probably _should_ include a "how to solve it" section or annex but it 
could be done in another version or document.

> If we agree on this I would pick up a not-so-widely published/discussed
> vulnerability (e.g. not SQL injection or XSS) to try and test the content
> structure fits us.

I am sorry to say I haven't had much time to look at the outline Daniel 
posted some time back. Will try to catch up and send comments

-- 
Mads Rasmussen, M.Sc.
Open Communications Security
www.opencs.com.br
+55 11 3345 2525




More information about the Owasp-testing mailing list