[OWASP-TESTING] final draft of the outline

Eoin Keary eoinkeary at hotmail.com
Wed May 4 04:54:34 EDT 2005


Authentication:
•	Token storage? (If not marked as 'secure' a cookie will be stored on hard 
disk)

This is also true if the cookie is not transient, i.e. has an expiry date. The main 
reason for the cookie flag to be set is to assure it can only be sent via 
SSL.

Business logic testing:
See if this is done on the client side or the server side. This would 
include thick clients and web apps.

•	Session token generation (are they generated by the web server software or 
by the application itself?):
Using a "home made" PRNG (Pseudo Random Number Generator) which can be broken easily, or a 
key length less than 128 bits, would be things to look out for here.

>From: Daniel Cuthbert <daniel.cuthbert at owasp.org>
>To: owasp-testing at lists.sourceforge.net
>Subject: Re: [OWASP-TESTING] final draft of the outline
>Date: Wed, 4 May 2005 08:13:54 +0100
>
>>1) Clear definition of audit/assessment/penetration testing
>definitely, this needs to be in there as I think there is still a large 
>amount of confusion surrounding these terms
>
>>2) How to split up an application test into manageable network pentest /
>>assessment / system assessment / service assessments / application
>>testing ...
>
>that would be a good section to add
>
>>3) A section on reporting. We have good experience splitting reports up
>>into
>
>This slipped my mind and should have made it to the document, that will 
>teach me to do stuff at 1am
>
>On 4 May 2005, at 06:42, Sebastien Deleersnyder wrote:
>
>>Hey,
>>
>>Looks nice,
>>Maybe some things to add:
>>1) Clear definition of audit/assessment/penetration testing
>>2) How to split up an application test into manageable network pentest /
>>assessment / system assessment / service assessments / application
>>testing ...
>>3) A section on reporting. We have good experience splitting reports up
>>into
>>* technically detailed reports per test as first level of reporting,
>>* then creating one detailed audit report grouping the findings,
>>analysis and recommendations together with some risk rating
>>* and one management document with some nice color graphs and 1 page
>>summary
>>
>>Regards,
>>
>>Sebastien
>>
>>-----Original Message-----
>>From: owasp-testing-admin at lists.sourceforge.net
>>[mailto:owasp-testing-admin at lists.sourceforge.net] On Behalf Of Daniel
>>Cuthbert
>>Sent: woensdag 4 mei 2005 2:07
>>To: owasp-testing at lists.sourceforge.net
>>Subject: [OWASP-TESTING] final draft of the outline
>>
>>hey all,
>>
>>Attached is, what i feel, the final draft of the initial outline.
>>If everyone is happy with what is included, i'll spend the remainder of
>>this week creating the sections in which everyone can choose their
>>chosen topic.
>>
>>Obviously the basic penetration testing tips caused an interesting
>>discussion, i'll have a think about the future of them within the
>>testing guide.
>>
>>Look forward to your feedback
>>
>>Daniel
>>
>>
>>
>
>
>
>_______________________________________________
>owasp-testing mailing list
>owasp-testing at lists.sourceforge.net
>https://lists.sourceforge.net/lists/listinfo/owasp-testing
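Added example for the two tester's checks discussed at the top of this message (cookie flags and "home made" session-token generation). It is not code from the thread or from OWASP; the cookie header, the Park-Miller LCG used as the stand-in for a home made PRNG, the seed and the 128-bit threshold are all assumptions made for illustration.

```python
"""Two checks from the thread: Set-Cookie attributes and session-token strength."""
import secrets


def audit_set_cookie(header):
    """Parse one Set-Cookie header value and report the two problems discussed
    above: no Secure flag (cookie also goes out over plain HTTP) and a
    non-transient cookie (Expires/Max-Age set, so the browser writes it to disk).
    Returns (cookie_name, list_of_findings)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    findings = []
    if "secure" not in attrs:
        findings.append("no Secure flag: browser will also send it over plain HTTP")
    if "expires" in attrs or "max-age" in attrs:
        findings.append("not transient: Expires/Max-Age set, so it is stored on disk")
    return name, findings


class HomeMadeLCG:
    """A 'home made' PRNG of the kind the thread warns about: a 31-bit linear
    congruential generator whose entire internal state is the token it emits.
    Constants are the Park-Miller ones, chosen here only for illustration."""
    MODULUS = 2 ** 31 - 1
    MULTIPLIER = 16807

    def __init__(self, seed):
        self.state = seed % self.MODULUS or 1

    def next_token(self):
        self.state = (self.MULTIPLIER * self.state) % self.MODULUS
        return "%08x" % self.state


def predict_next_token(observed_hex):
    """Given one token issued by HomeMadeLCG, compute the next one the server
    will hand out. No secret is needed, only the public algorithm, which is
    why such a generator is 'broken easily' in the sense used above."""
    state = int(observed_hex, 16)
    return "%08x" % ((HomeMadeLCG.MULTIPLIER * state) % HomeMadeLCG.MODULUS)


def token_bits(token_hex):
    """Upper bound on the token space implied by a hex token's length."""
    return len(token_hex) * 4


def assess_token(token_hex, minimum_bits=128):
    """Flag tokens whose length cannot even represent 128 bits of entropy
    (128 is the threshold used in the thread; treat it as an assumption)."""
    findings = []
    bits = token_bits(token_hex)
    if bits < minimum_bits:
        findings.append("at most %d bits of token space; want at least %d"
                        % (bits, minimum_bits))
    return findings


def strong_token():
    """The alternative: 128 bits from the OS CSPRNG via the secrets module."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    # Constructed header, not a captured one.
    cookie = "JSESSIONID=0123abcd; Path=/; Expires=Thu, 04 May 2006 04:54:34 GMT"
    print(audit_set_cookie(cookie))
    server = HomeMadeLCG(seed=20050504)
    first = server.next_token()
    print("observed", first, "predicted", predict_next_token(first),
          "actual", server.next_token())
    print(assess_token(first), assess_token(strong_token()))
```

The cookie check is deliberately literal about the two attributes raised in the thread; a persistent cookie that does carry the Secure flag is still reported as on-disk, because the flag only restricts transport, not storage.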

