[OWASP-TESTING] web application penetration testing checklist

daniel at deeper.co.za
Thu Mar 18 10:36:25 EST 2004


Hey all,

Mark has agreed for me to take ownership of this as a separate guide to the main Testing guide, and I’m hoping it will eventually be used as a standard requirement when performing a web application security review.

Over this weekend I will be changing the way the document is structured; my idea is to split it into two sections:

1st section:
This will cover all the information-learning stages that are done beforehand, such as understanding the application, viewing the source of the components and generally getting information ready to start the main testing.

2nd section:
This section will aim to be the meat of the pen test, where the tester will check for input validation weaknesses, session management voodoo and other ninja testing techniques.

The best way to make this checklist work is for everyone to print out a copy and use it when performing an application test. Write down things you think should be included, as well as the flow of the checklist (an example of this could be testing to see what database is in operation before doing SQL insertion techniques).

Comments would be appreciated on the structure and design as well as the sections (remember this isn’t the "how do they fix the problem", it’s the "how do we test and find the problem").

Daniel


-------------- next part --------------
A non-text attachment was scrubbed...
Name: OWASP Web App Internet Pen Test Check List 0.6.doc
Type: application/msword
Size: 64000 bytes
Desc: not available
Url : http://lists.owasp.org/pipermail/owasp-testing/attachments/20040318/3c49e9db/attachment.doc 
