[Owasp-testing] Testing Guide V4 - Start up

Ismael Rocha ismaelrocha.projetos at gmail.com
Fri Sep 7 22:26:24 UTC 2012


Hello.

I know we've been focused on the testing list but I have some comments for
other sections.

a) About the Web Application Penetration Testing

Talking about the Web Application Penetration Testing (chapter 4), I
suggest we improve the section with some explanations.

4. Web Application Penetration testing

4.1 Introduction and Objectives
 -> Introduce the typical penetration test phases
  Here we would have an overview of a typical pen-test, divided into 4
phases.
  1) Plan
   This part basically talks about how to plan a penetration test
   -> Types of the Test (maybe the explanation about types of test could be
fit in a section in the beginning of the testing guide)
    -> Black Box
    -> White Box
    -> Gray Box
   -> Viewpoint
    -> External
    -> Internal
   -> Scope
    -> http://www.targetedapp.com
   -> Restrictions
    -> List of all restrictions (e.g. do not perform DoS, social
engineering)
  2) Discovery
   -> Information Gathering
   -> Vulnerability Analysis
  3) Attack
   -> Attack itself
  4) Report
   -> Last Phase of a penetration test (chapter 5 writing report)



b) About the paragraph of the testing cases:

One of the goals of this version is to make the Testing Guide more
readable. I think we need to define commons subsections present in all
testing cases.
Then, all testing cases would have the same sections and formats. I already
suggested having the checklist (questions) in a pre-defined subsection
inside each testing case. If we have a checklist in a table format, we could
get them and put them into a big table that could be printed and checked.

For example:

4.5.4 Testing for Exposed Session Variables (OWASP-SM-004)
 4.5.4.2   Brief Summary
 4.5.4.3   Description of the issue
 4.5.4.4   Related security activities
 4.5.4.5   Threats
 4.5.4.6   Countermeasures
 4.5.4.7   Testing
    -> Black Box
            -> Technique 1
            -> Results expected
    -> Gray Box
             ....
    -> White Box
             ....
 4.5.4.8   Checklist
   ------------------------------------------------------------------------------------
   | OWASP-SM-004                              | Black Box | White Box | Gray Box |
   ------------------------------------------------------------------------------------
   | 1. Cache-Control defined to no-cache      |           |           |          |
   ------------------------------------------------------------------------------------
   | 2. Different session token after login    |           |           |          |
   ------------------------------------------------------------------------------------
 4.5.4.9    References
 4.5.4.10  Tools
We can also have a box called tips in each section with some tips
highlighted.
Regards.

Ismael Gonçalves

On Thu, Sep 6, 2012 at 4:22 AM, Matteo Meucci <matteo.meucci at owasp.org>wrote:

> Great Luca!
>
> Thanks,
> Mat
>
> On 09/04/2012 07:29 PM, Luca Carettoni wrote:
> > On Thu, 2012-08-30 at 22:44 +0200, Matteo Meucci wrote:
> >> My idea is also to contact the authors of the new testing techniques
> >> asking for their contributions.
> >>
> >> So for example I wish that for HTTP Verb Tampering, Arshan could help
> >> and for HTTP Parameter pollution, Stefano and Luca can give us the
> >> better contents.
> >
> > Sure! Feel free to add my name on the list.
> > Actually, me and Stefano have already something drafted on HPP that has
> > been written during our research.
> >
> > Cheers,
> > Luca
> >
>
> _______________________________________________
> Owasp-testing mailing list
> Owasp-testing at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-testing
>



-- 
Ismael Gonçalves
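The two checklist rows proposed above for OWASP-SM-004 (Cache-Control on session-bearing responses, and a fresh session token after login) can be automated. The script below is an added example and is not code from the original message, the OWASP Testing Guide, or any OWASP project; the HTTP responses in it are constructed sample data, and the cookie name "JSESSIONID" is assumed. It also goes one step beyond the two rows by reporting a session cookie sent without the Secure or HttpOnly flags, which falls under the same "exposed session variables" heading.

```python
"""
Added example (not from the original post or the OWASP Testing Guide):
evaluate the OWASP-SM-004 checklist rows against raw HTTP responses captured
before and after a login. All responses below are constructed sample data;
"JSESSIONID" is an assumed session cookie name.
"""
from email import message_from_string
from http.cookies import SimpleCookie

SESSION_COOKIE = "JSESSIONID"  # assumed name of the application's session cookie

# Constructed sample responses, not captures from any real application.
PRE_LOGIN = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: JSESSIONID=A1B2C3; Path=/\r\n"
    "\r\n"
    "<html>login form</html>"
)
POST_LOGIN_WEAK = (  # same token kept, cacheable, cookie without flags
    "HTTP/1.1 302 Found\r\n"
    "Location: /account\r\n"
    "Cache-Control: no-cache\r\n"
    "Set-Cookie: JSESSIONID=A1B2C3; Path=/\r\n"
    "\r\n"
)
POST_LOGIN_GOOD = (  # token rotated, caching disabled, cookie flagged
    "HTTP/1.1 302 Found\r\n"
    "Location: /account\r\n"
    "Cache-Control: no-store, no-cache, must-revalidate\r\n"
    "Pragma: no-cache\r\n"
    "Set-Cookie: JSESSIONID=Z9Y8X7; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Return the header block of a raw HTTP response as an email Message, which
    gives case-insensitive lookups and get_all() for repeated Set-Cookie lines."""
    head = raw.split("\r\n\r\n", 1)[0]                       # drop the body
    header_text = head.split("\r\n", 1)[1] if "\r\n" in head else ""  # drop status line
    return message_from_string(header_text)


def session_cookie(raw, name=SESSION_COOKIE):
    """Return the Morsel for the session cookie from any Set-Cookie header, or None."""
    for line in parse_headers(raw).get_all("Set-Cookie", []):
        jar = SimpleCookie()
        jar.load(line)
        if name in jar:
            return jar[name]
    return None


def session_token(raw, name=SESSION_COOKIE):
    """Checklist row 2 helper: the session token value issued by this response."""
    morsel = session_cookie(raw, name)
    return morsel.value if morsel is not None else None


def cache_findings(raw):
    """Checklist row 1: a response that sets the session token must not be cacheable.
    Returns a list of findings; an empty list means the row passed."""
    h = parse_headers(raw)
    directives = {d.strip().lower() for d in h.get("Cache-Control", "").split(",") if d.strip()}
    findings = []
    if "no-cache" not in directives:
        findings.append("Cache-Control lacks no-cache")
    if "no-store" not in directives:
        # no-cache only forces revalidation; no-store forbids storing the response at all.
        findings.append("Cache-Control lacks no-store")
    if h.get("Pragma", "").strip().lower() != "no-cache":
        findings.append("Pragma: no-cache missing (HTTP/1.0 caches)")
    return findings


def session_rotated(before_raw, after_raw, name=SESSION_COOKIE):
    """Checklist row 2: the token issued after authentication must differ from the
    pre-authentication one, otherwise a token set before login could be fixated."""
    before, after = session_token(before_raw, name), session_token(after_raw, name)
    return after is not None and after != before


def cookie_flag_findings(raw, name=SESSION_COOKIE):
    """Beyond the two rows: a session cookie without Secure or HttpOnly is exposed
    on the wire or to script, so report those as well."""
    morsel = session_cookie(raw, name)
    findings = []
    if morsel is not None:
        if not morsel["secure"]:
            findings.append("Secure flag missing")
        if not morsel["httponly"]:
            findings.append("HttpOnly flag missing")
    return findings


def run_checklist(before_raw, after_raw, name=SESSION_COOKIE):
    """Evaluate the table rows for one login exchange; True means the row passed."""
    return {
        "1. Cache-Control defined to no-cache": not cache_findings(after_raw),
        "2. Different session token after login": session_rotated(before_raw, after_raw, name),
        "cookie flags (Secure, HttpOnly)": not cookie_flag_findings(after_raw, name),
    }


if __name__ == "__main__":
    for label, resp in (("weak", POST_LOGIN_WEAK), ("hardened", POST_LOGIN_GOOD)):
        print(label, run_checklist(PRE_LOGIN, resp))
```

In a real test the two raw strings would be the response that served the login form and the response to the authenticating POST, taken from a proxy; the checks are header-only, so the bodies can be dropped.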