[OWASP-TESTING] pentest cheat sheet

Javier Fernandez-Sanguino jfernandez at germinus.com
Wed Jul 14 05:53:46 EDT 2004


Lluis Mora wrote:

> Hi all,
> 
> I like the idea but what about having that as part of the 2nd phase
> contents? At the end of each section a "things to test" subsection - like
> this it can be easily related to the in-depth discussion of the
> vulnerability that (I assume) will be part of that section and can be more
> easily mantained than a separate document.

That's a good idea. Actually, that's what we started writting for the 
testing guide last year. All the info is currently sitting (unused) in 
the CVS, it's also far from complete:
http://cvs.sourceforge.net/viewcvs.py/owasp/testing/

> I think a way forward (even before we have the definitive list of sections)
> could be to write up one of the sections, so that we agree on the content of
> the section. What about something along the lines of:

The outline looks great to me. My only concern is that the last time 
we tried this we did not cover all the vulnerabilities we wanted to 
(not everyone did their homework). So maybe it's better to do first a 
generic overview of the common vulnerabilities in section 6 and then 
provide examples for specific vulnerabilities (i.e. those we can write 
down stuff for following your outline). So the section might say 
"Below you will find some examples of vulnerabilities and how they 
should be tested as well as their known caveats"

IF we are able to cover all the vulnerabilities as defined in the 
Pentest checklist then we can scratch the reference to those sections 
being examples and substitute that with a "Below you will find a list 
of all known common vulnerabilities and how test should be conducted 
to detect them as well as known caveats"

Regards

Javier




More information about the Owasp-testing mailing list