[OWASP-TESTING] pentest cheat sheet

Daniel Daniel at deeper.co.za
Tue Jul 13 13:59:45 EDT 2004


totally, there is no need to duplicate any of the work done by the owasp
guide team, so i feel there should be pointers instead of actual howto's

as for code review, it does have a place and should cover both



> Are we all using the word 'testing' to include code review?  And would
> section 4 be split somehow to cover both?
>
> I think references to "how to solve it" -- like pointers to the Guide
> would
> be pretty helpful.
>
> --Jeff
>
> ----- Original Message -----
> From: "Mads Rasmussen" <mads at opencs.com.br>
> To: "Lluis Mora" <llmora at sentryware.com>
> Cc: <Daniel at deeper.co.za>; "'owasp '"
> <owasp-testing at lists.sourceforge.net>
> Sent: Tuesday, July 13, 2004 12:52 PM
> Subject: Re: [OWASP-TESTING] pentest cheat sheet
>
>
>> Lluis Mora wrote:
>> > I think a way forward (even before we have the definitive list of
> sections)
>> > could be to write up one of the sections, so that we agree on the
> content of
>> > the section. What about something along the lines of:
>> >
>> >   1. Vulnerability overview (short version)
>> >   2. Why/when it happens?
>> >   3. In-depth technical vulnerability description
>> >   4. How to test for it
>> >   5. Drawbacks of the testing (things that can go untested / things
>> that
> can
>> > not be tested)
>> >   6. "Thing to test" / "Things to try"
>> >   7. How to solve it? (Is this outside the scope of the "testing"
> group?)
>> >   ...?
>>
>> I think Lluis's idea is excelent. The outline above seems to me to be a
>> good layout for the document. Maybe section 3 and 4 should be merged,
>> this way you could submit to a more "teacher" writing style, mentioning
>> the vulnerability in details and showing how to test for it side by
>> side.
>> We probably _should_ include a "how to solve it" section or annex but it
>> could be done in another version or document.
>>
>> > If we agree on this I would pick up a not-so-widely
>> published/discussed
>> > vulnerability (e.g. not SQL injection or XSS) to try and test the
> content
>> > structure fits us.
>>
>> I am sorry to say I haven't had much time to look at the outline Daniel
>> posted some time back. Will try to catch up and send comments
>>
>> --
>> Mads Rasmussen, M.Sc.
>> Open Communications Security
>> www.opencs.com.br
>> +55 11 3345 2525
>>
>>
>> -------------------------------------------------------
>> This SF.Net email sponsored by Black Hat Briefings & Training.
>> Attend Black Hat Briefings & Training, Las Vegas July 24-29 -
>> digital self defense, top technical experts, no vendor pitches,
>> unmatched networking opportunities. Visit www.blackhat.com
>> _______________________________________________
>> owasp-testing mailing list
>> owasp-testing at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/owasp-testing
>
>





More information about the Owasp-testing mailing list