Created March 1, 2022 02:28
Gist: The-XSS-Rat/771e14c33ebfdbb7c2ed8d39617f2679
Revisions
===========
0.1 - Draft - Wesley Thijs
0.2 - Review 1 - Uncle Rat
0.3 -
Document goals
===========
The goal of this document is to inform the client of the scope and intent of the pentest before it takes place. It describes who will test, how they will test and which tools they will use.
It also describes the deliverables of the pentest, so the client knows what communication to expect from our company.
Target audience
===========
This document is intended to be read by:
- Managers at the client's company
- Project managers at the pentesting company
- CTOs at the client's company
- Developers who want to prevent the kinds of issues found in the pentest by adopting our methodology
- Testers who want to prevent the kinds of issues found in the pentest by adopting our methodology
Project description
===========
We are testing the website called "Cheesebook". We will be testing according to a web application testing framework published by OWASP.
Glossary
===========
OWASP - Open Web Application Security Project, an international non-profit organisation dedicated to application security standards and guidance
Framework - A structured collection of tests and measures used to detect and prevent exploitable weaknesses
CTO - Chief Technical Officer
…
Objectives
===========
Our objective is to detect exploitable vulnerabilities and help prevent them. To do this we need to find them in the production environment and report them, so that they can be fixed and preventative measures can be taken on the developers' side. One of our biggest extras is that we are all about education: we test in a manner that can easily be replicated by any tester with moderate technical skills. We encourage the client to adopt our methodology as a routine internal check-up, or to hire us to perform it.
Roles and responsibilities
===========
RatSec:
Wesley Thijs - Pentester
Uncle Rat - Reviewer
Wheel of Cheese - Project Manager
Hackxpert:
Will I am - CTO - SPOC (Single Point Of Contact)
Methodology
===========
In our pentesting we test against the OWASP Top 10 vulnerability categories and also against the CWE Top 25 list of most dangerous software weaknesses.
More details about this section are in Appendix A: Testing methodology.
Test entry/exit criteria
===========
- We are timeboxed to one week
- If a foothold is gained in one section, testing of that section stops and continues on the other sections
- The website must be online before testing can begin
- All parties must be informed before the test is initiated
Deliverables
===========
- This test plan
- An NDA, already signed and delivered
- A letter confirming test commencement
- A report
- A debrief
All deliverables will be signed by both parties.
Tools
===========
See Appendix B.
Signatures
===========
Party "Client":
Party "RatSec":
APPENDIX A:
...