[OWASP-TESTING] web application penetration testing checklist

Nishchal Bhalla nishchalbhalla at yahoo.ca
Fri Mar 19 09:15:28 EST 2004


Daniel, 
 
I guess we can add 2 more minor things 
A) Alternative Admin port scan based on web server.
B) Archive.org scan for older versions of the website (Though after an audit companies remove any unnecessary comments, many a times they don't change the password that was left in one of their prior versions of the site, this has lead to admin level access).
 
Nish.

daniel at deeper.co.za wrote:
Hey all,

Mark has agreed for me to take ownership of this as a separate guide to the main Testing
guide and I’m hoping it will be
eventually used as a standard requirement when performing a web application security
review.

Over this weekend I will be changing the way the document is structured, my idea is
splitting it into two sections:

1st section: 
This will cover all the information learning stages that are done beforehand, such as
understanding the application,
viewing the source of the components and generally getting information ready to start the
main testing.

2nd section:
This section will aim to be the meat of the pen test, where the tester will check for
input validation weaknesses,
session management voodoo and other ninja testing techniques.

The best way to make this checklist work is for everyone to print out a copy and use it
when performing an application
test. Write down things you think should be included as well as the flow of the checklist
(example of this could be
testing to see what database is in operation before doing SQL insertion techniques).

Comments would be appreciated on the structure and design as well as the sections
(remember this isn’t the how do they
fix the problem, its how do we test and find the problem)

Daniel




> ATTACHMENT part 2 application/msword name=OWASP



---------------------------------
Post your free ad now! Yahoo! Canada Personals
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.owasp.org/pipermail/owasp-testing/attachments/20040319/61926f52/attachment.html 


More information about the Owasp-testing mailing list