@The-XSS-Rat
Created March 1, 2022 02:28
Revisions
===========
0.1 - Draft - Wesley Thijs
0.2 - Review 1 - Uncle rat
0.3 -
Document goals
===========
The goal of this document is to inform the client of the intention of the pentest before it occurs. We want to describe who will test, how they will test and what tools they will be using.
We also want to make sure to describe the deliverables of the pen test so the client knows what communication they can expect from our company.
Target audience
===========
This document is intended to be read by:
- Managers at the client's company
- Project managers at the pen testing company
- CTOs at the client company
- Developers who want to implement measures to prevent issues as found in the pentest by implementing our methodology.
- Testers who want to implement measures to prevent issues as found in the pentest by implementing our methodology.
Project description
===========
We are pentesting the website called “Cheesebook”. We will be using a web testing framework created by OWASP to test.
Glossary
===========
OWASP - An international organisation dedicated to security standards
Framework - A collection of measures put in place to detect and prevent exploits
CTO - Chief Technical Officer
Objectives
===========
We want to detect and prevent exploits. To do this we need to find them in a production environment and report them so they can be fixed and preventative measures can be taken on the developers' side. One of our biggest extras is that we are all about education, so with our testing we will also be aiming to test in a manner which can easily be replicated by any tester with moderate technical skills. We encourage clients to implement our methodology as a routine internal check-up, or to hire us to do so.
Roles and responsibilities
===========
RatSec:
Wesley Thijs - Pen tester
Uncle Rat - Reviewer
Wheel of Cheese - Project Manager
Hackxpert:
Will I am - CTO - SPOC (Single Point Of contact)
Methodology
===========
In our pen testing, we check for the OWASP Top 10 vulnerabilities but also the CWE Top 25 list.
More details on this section are in Appendix A: Testing methodology.
Test entry/exit criteria
===========
- We are timeboxed to a week
- Testing of a section stops once a foothold is gained; testing continues on the other sections
- To test, we need to have the website online
- We need to inform all parties of test initiation
Deliverables
===========
- This test plan
- An already signed and delivered NDA
- A letter of test commencing
- A report
- A debrief
All deliverables will be signed by both parties.
Tools
===========
See Appendix B.
Signatures
===========
Party “Client”:
Party “RatSec”:
Appendix A:
...