[OWASP-TESTING] pentest cheat sheet
Daniel at deeper.co.za
Tue Jul 13 13:59:45 EDT 2004
totally, there is no need to duplicate any of the work done by the owasp
guide team, so i feel there should be pointers instead of actual howto's
as for code review, it does have a place and should cover both
> Are we all using the word 'testing' to include code review? And would
> section 4 be split somehow to cover both?
> I think references to "how to solve it" -- like pointers to the Guide
> be pretty helpful.
> ----- Original Message -----
> From: "Mads Rasmussen" <mads at opencs.com.br>
> To: "Lluis Mora" <llmora at sentryware.com>
> Cc: <Daniel at deeper.co.za>; "'owasp '"
> <owasp-testing at lists.sourceforge.net>
> Sent: Tuesday, July 13, 2004 12:52 PM
> Subject: Re: [OWASP-TESTING] pentest cheat sheet
>> Lluis Mora wrote:
>> > I think a way forward (even before we have the definitive list of
>> > could be to write up one of the sections, so that we agree on the
> content of
>> > the section. What about something along the lines of:
>> > 1. Vulnerability overview (short version)
>> > 2. Why/when it happens?
>> > 3. In-depth technical vulnerability description
>> > 4. How to test for it
>> > 5. Drawbacks of the testing (things that can go untested / things
>> > not be tested)
>> > 6. "Thing to test" / "Things to try"
>> > 7. How to solve it? (Is this outside the scope of the "testing"
>> > ...?
>> I think Lluis's idea is excelent. The outline above seems to me to be a
>> good layout for the document. Maybe section 3 and 4 should be merged,
>> this way you could submit to a more "teacher" writing style, mentioning
>> the vulnerability in details and showing how to test for it side by
>> We probably _should_ include a "how to solve it" section or annex but it
>> could be done in another version or document.
>> > If we agree on this I would pick up a not-so-widely
>> > vulnerability (e.g. not SQL injection or XSS) to try and test the
>> > structure fits us.
>> I am sorry to say I haven't had much time to look at the outline Daniel
>> posted some time back. Will try to catch up and send comments
>> Mads Rasmussen, M.Sc.
>> Open Communications Security
>> +55 11 3345 2525
>> This SF.Net email sponsored by Black Hat Briefings & Training.
>> Attend Black Hat Briefings & Training, Las Vegas July 24-29 -
>> digital self defense, top technical experts, no vendor pitches,
>> unmatched networking opportunities. Visit www.blackhat.com
>> owasp-testing mailing list
>> owasp-testing at lists.sourceforge.net
More information about the Owasp-testing