The-XSS-Rat/Short test plan

## Short test plan
Revisions
===========
0.1 - Draft - Wesley Thijs
0.2 - Review 1 - Uncle rat
0.3 -

Document goals
===========
The goal of this document is to inform the client of the intention of the pentest before it occurs. We want to describe who will test, how they will test and what tools they will be using.

We also want to make sure to describe the deliverables of the pen test so the client knows what communication they can expect from our company.

Target audience
===========
This document is intended to be read by:
- Managers at the clients company
- Project managers at the pen testing company
- CTO’s at the client company
- Developers who want to implement measures to prevent issues as found in the pentest by implementing our methodology.
- Testers who want to implement measures to prevent issues as found in the pentest by implementing our methodology.

Project description
===========
We are hacking the website called “Cheesebook”. We will be using a web framework created by OWASP to test.

Glossary
===========
OWASP - An international organisation dedicated to security standards
Framework - A collection of measures put in place to detect and prevent exploits
CTO - Chief Technical Officer
…


Objectives
===========
We want to detect and prevent exploits, to do this we need to find them in a production environment and report them so they can be fixed and preventative measures can be taken on the developers side, One of our biggest extras is that we are all about eduction so with our testing we will also be aiming to test in a manner which can easily be replicated by any tester with moderate technical skills. We encourage our methodology be implemented in a routine check up internally or to hire us to do so.

Roles and responsibilities
===========
RatSec;
Wesley Thijs - Pen tester
Uncle Rat - Reviewer
Wheel of Cheese - Project Manager

Hackxpert:
Will I am - CTO - SPOC (Single Point Of contact)

Methodology
===========
In our pen testing, we check for the OWASP top 10 vulnerabilities but also the CWE top 25 list.

More details about this section in appendix A: Testing methodology

Test entry/exit criteria
===========
- We are timeboxed to a week
- Test stops if foothold is gained, continues at other sections

- To test, we need to have the website online
- We need to inform the parties of test initiation

Deliverables
===========
- This test plan
- An already signed and delivered NDA
- A letter of test commencing
- A report
- A debrief

All deliverables will be signed by both parties

Tools
===========
APPENDEX B

Signatures
===========
Party “Client”:


Party “RatSec”:


APPENDEX A:
...
	Revisions
	===========
	0.1 - Draft - Wesley Thijs
	0.2 - Review 1 - Uncle rat
	0.3 -

	Document goals
	===========
	The goal of this document is to inform the client of the intention of the pentest before it occurs. We want to describe who will test, how they will test and what tools they will be using.

	We also want to make sure to describe the deliverables of the pen test so the client knows what communication they can expect from our company.

	Target audience
	===========
	This document is intended to be read by:
	- Managers at the clients company
	- Project managers at the pen testing company
	- CTO’s at the client company
	- Developers who want to implement measures to prevent issues as found in the pentest by implementing our methodology.
	- Testers who want to implement measures to prevent issues as found in the pentest by implementing our methodology.

	Project description
	===========
	We are hacking the website called “Cheesebook”. We will be using a web framework created by OWASP to test.

	Glossary
	===========
	OWASP - An international organisation dedicated to security standards
	Framework - A collection of measures put in place to detect and prevent exploits
	CTO - Chief Technical Officer
	…


	Objectives
	===========
	We want to detect and prevent exploits, to do this we need to find them in a production environment and report them so they can be fixed and preventative measures can be taken on the developers side, One of our biggest extras is that we are all about eduction so with our testing we will also be aiming to test in a manner which can easily be replicated by any tester with moderate technical skills. We encourage our methodology be implemented in a routine check up internally or to hire us to do so.

	Roles and responsibilities
	===========
	RatSec;
	Wesley Thijs - Pen tester
	Uncle Rat - Reviewer
	Wheel of Cheese - Project Manager

	Hackxpert:
	Will I am - CTO - SPOC (Single Point Of contact)

	Methodology
	===========
	In our pen testing, we check for the OWASP top 10 vulnerabilities but also the CWE top 25 list.

	More details about this section in appendix A: Testing methodology

	Test entry/exit criteria
	===========
	- We are timeboxed to a week
	- Test stops if foothold is gained, continues at other sections

	- To test, we need to have the website online
	- We need to inform the parties of test initiation

	Deliverables
	===========
	- This test plan
	- An already signed and delivered NDA
	- A letter of test commencing
	- A report
	- A debrief

	All deliverables will be signed by both parties

	Tools
	===========
	APPENDEX B

	Signatures
	===========
	Party “Client”:




	Party “RatSec”:


	APPENDEX A:
	...