
Pre-engagement Pentest Checklist for Web Applications Assessments

2017-01-04 02:01:53

Based on: Pre-engagement Pentest Checklist for Web Applications Assessments

This list will evolve.

    1. Contact person
    2. Determination of the type of pentest (black box, white box, grey box)
    3. Location addresses (URLs)
    4. Minimum of 2 sets of credentials (a normal user and an admin or otherwise privileged user), and validation that they work
    5. Determination of the environment (production or user acceptance testing)
    6. Testing boundaries (DoS, brute-force attacks, etc.)
       • DoS allowed? Yes / No
       • Brute-force attacks allowed? Yes / No
    7. Any VPN access or port numbers that are needed, verified ahead of time
    8. Any web services that the site may use
    9. Any pages that send emails
    10. Any pages that can generate a payment
    11. Third parties that need to be contacted in advance of the pentest
    12. Timeframe of the assessment (dates and hours)
    13. Validation that a backup of the application has been performed recently
    14. What is out of scope for this test?
    15. Other client requirements

Final arrangements

  • Dev team / contact person agrees to remove or block the test users used by the pentester
  • Dev team / contact person agrees to send feedback no later than 2 weeks after receiving the report
  • Dev team / contact person should specify within 2 weeks which issues are to be fixed and when