[OWASP-TESTING] Pen Test Check List

Jeff Williams jeff.williams at aspectsecurity.com
Wed Mar 10 21:45:47 EST 2004


Here are a couple of ideas for an Access Control (aka Authorization) section:

1) Account Separation - Ensure that one user cannot access another user's account.
2) Privilege Escalation - Ensure that users cannot manipulate the system to perform functions or access resources beyond their role.
3) Least Privilege - Ensure that roles are limited to the resources and functions they need.

Where would we put the instructions for how to test these things?

--Jeff

----- Original Message -----
From: Mark Curphey
To: owasp-testing at lists.sourceforge.net
Sent: Wednesday, March 10, 2004 7:39 PM
Subject: [OWASP-TESTING] Pen Test Check List


I made a start... I will continue after dinner and hopefully have a list for
review later tonight.

I think it's in line with Glyn's list etc.

I think we need to scope this as

Internet Pen Test Only
Check List Format (ie simple)

I think we can get a first draft out easily. We should then align the layout
with the OASIS Thesaurus of issues that should be complete after the next
OASIS meeting on March 23rd.
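Jeff's question of how to test the three access-control items stays open in the thread; as an added illustration (not code from the thread, OWASP, or either author), here is one way to express those three checks as assertions against a constructed, hypothetical authorization model. The users, roles, documents and the two `authorize` functions are all made up for the example; the insecure variant has the object-level check missing so the first test shows the failure the checklist item is meant to catch.

```python
# Added example: three access-control checks (Jeff's list) as test assertions
# against a constructed toy authorization model. Everything below is hypothetical.

# Constructed sample data: role -> permissions, user -> role, document -> owner.
ROLE_PERMS = {
    "user": {"doc:read", "doc:edit"},
    "admin": {"doc:read", "doc:edit", "doc:delete", "user:manage"},
}
USERS = {"alice": "user", "bob": "user", "carol": "admin"}
DOCS = {101: "alice", 102: "bob"}

# What each role is *supposed* to have, per the design (used by the least-privilege check).
EXPECTED_PERMS = {
    "user": {"doc:read", "doc:edit"},
    "admin": {"doc:read", "doc:edit", "doc:delete", "user:manage"},
}

def authorize_insecure(actor, perm, doc_id=None):
    """Role check only: any 'user' can act on any document (the account-separation bug)."""
    return perm in ROLE_PERMS[USERS[actor]]

def authorize(actor, perm, doc_id=None):
    """Role check plus object-level ownership check for document actions."""
    if perm not in ROLE_PERMS[USERS[actor]]:
        return False
    if doc_id is not None and USERS[actor] != "admin" and DOCS.get(doc_id) != actor:
        return False  # non-admins may only touch their own documents
    return True

def check_account_separation(authz):
    """1) Account Separation: alice must not be able to read bob's document."""
    return not authz("alice", "doc:read", 102)

def check_privilege_escalation(authz):
    """2) Privilege Escalation: a plain user must not reach admin-only functions."""
    return not authz("bob", "user:manage") and not authz("bob", "doc:delete", 102)

def check_least_privilege(expected=EXPECTED_PERMS):
    """3) Least Privilege: no role holds permissions beyond its documented set."""
    return all(ROLE_PERMS[role] <= expected[role] for role in ROLE_PERMS)

def run_checks(authz):
    """Run all three checks against a given authorization function."""
    return {
        "account_separation": check_account_separation(authz),
        "privilege_escalation": check_privilege_escalation(authz),
        "least_privilege": check_least_privilege(),
    }
```

Running `run_checks(authorize_insecure)` flags the account-separation failure while `run_checks(authorize)` passes all three, which is the kind of pass/fail result a checklist entry can point to.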