[OWASP-TESTING] pentest cheat sheet

Jeff Williams jeff.williams at owasp.org
Tue Jul 13 14:33:44 EDT 2004


Are we all using the word 'testing' to include code review?  And would
section 4 be split somehow to cover both?

I think references to "how to solve it" -- like pointers to the Guide would
be pretty helpful.

--Jeff

----- Original Message ----- 
From: "Mads Rasmussen" <mads at opencs.com.br>
To: "Lluis Mora" <llmora at sentryware.com>
Cc: <Daniel at deeper.co.za>; "'owasp '" <owasp-testing at lists.sourceforge.net>
Sent: Tuesday, July 13, 2004 12:52 PM
Subject: Re: [OWASP-TESTING] pentest cheat sheet


> Lluis Mora wrote:
> > I think a way forward (even before we have the definitive list of
> > sections) could be to write up one of the sections, so that we agree on
> > the content of the section. What about something along the lines of:
> >
> >   1. Vulnerability overview (short version)
> >   2. Why/when it happens?
> >   3. In-depth technical vulnerability description
> >   4. How to test for it
> >   5. Drawbacks of the testing (things that can go untested / things that
> >      cannot be tested)
> >   6. "Thing to test" / "Things to try"
> >   7. How to solve it? (Is this outside the scope of the "testing"
> >      group?)
> >   ...?
>
> I think Lluis's idea is excellent. The outline above seems to me to be a
> good layout for the document. Maybe sections 3 and 4 should be merged;
> this way you could submit to a more "teacher" writing style, mentioning
> the vulnerability in detail and showing how to test for it side by side.
> We probably _should_ include a "how to solve it" section or annex, but it
> could be done in another version or document.
>
> > If we agree on this I would pick up a not-so-widely published/discussed
> > vulnerability (e.g. not SQL injection or XSS) to try and test that the
> > content structure fits us.
>
> I am sorry to say I haven't had much time to look at the outline Daniel
> posted some time back. Will try to catch up and send comments.
>
> -- 
> Mads Rasmussen, M.Sc.
> Open Communications Security
> www.opencs.com.br
> +55 11 3345 2525