Adding "How to Test" for the WSTG Checklist [Work in Progress] #1109
Comments
CristiVlad25
added
the
enhancement
|
How do you intend such bullets to be generated/extracted/added? |
Two ways:
|
|
That How to section is usually a light checklist inside the file itself, we kept it generic cz it's really hard in some files to not repeat content. It'll be an interesting challenge that's for sure. Another thing to keep in mind, as changes/releases are created, we need to be able to scale accordingly. If we do it for one version, and not for another, it'll become a debt. 🤔 |
|
If it has to be maintained manually it won't work/scale. Checklist are generated through automation. |
|
Well, it would be a challenge indeed, but why not try? |
|
I'm not saying don't try, I'm saying plan for it. If we simply push an updated checklist at this point it'll get clobbered the next time an update PR is merged. |
|
It's discouraging. I'll probably do this for myself then. |
|
You could add a Test Summary section or something that could be extracted like the Objectives are? I dunno, open to ideas. |
|
Hey @CristiVlad25. I understand it's slightly frustrating. You mentioned how the checklist is of high importance, we're not opposing you, we need to challenge you if we want this for the long term. If it's a good result, I'm sure we can figure out a way to add it as an experimental piece :) What me and @kingthorin are talking about is the scale of it with newer versions. Let's worry about that later. Is there anything we can help you with? We'll be happy to review PRs/progress/brainstorm things. |
|
Let me just have a first version of it and we'll see where we can go from there. |
|
@kingthorin and @ThunderSon, here it is: https://docs.google.com/spreadsheets/d/1BWs_SzkO7al59gSwZHFh3ISvK9zO4kEN/edit Let me know your thoughts. |
|
I like the initial results. I still need to review more of it to ensure what's written is good with the test itself :) |
|
Thanks @ThunderSon! |
|
Sorry I haven’t gotten to this yet, it hasn’t been forgotten. |
|
What about keeping this 'How to test' data as files inside the checklist folder ? We could update the script to accommodate that during build ? |
|
It's definitely an option, but I'd worry about it getting out of sync with the actual content. I'm willing to be convinced that it can/will work. |
|
If we can easily track changes,I'd love to be on track and sync, especially
if this is well received by the community
…On Mon, Dec 4, 2023, 13:54 Rick M ***@***.***> wrote:
It's definitely an option, but I'd worry about it getting out of sync with
the actual content.
I'm willing to be convinced that it can/will work.
—
Reply to this email directly, view it on GitHub
<#1109 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AECBJN67KQSYMMZOKAVVHC3YHW2YHAVCNFSM6AAAAAA7K5K4GWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQMZYGQ4DAOBSGQ>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
The WSTG checklist is of utmost importance to penetration testers because it provides the blueprint for what to test. Its current format provides the following:
ID, Test Name, Objectives, Status, Notes.
ID, Test Name, and Objectives have been compiled from WSTG.
WSTG is a companion and reference manual that I go to often for the pentest I do for my clients. For each test, it also has a section called "How to Test" which provides a few actionables for the specific vulnerability.
I propose to include this section (as a new column) in the checklist. The new format will be:
ID, Test Name, Objectives, How to Test, Status, Notes.
I know it might be tricky because for some tests, the "How to Test" is very extensive, while for some it is very succinct. However, I take on the challenge of making a uniform "How to Test" in the checklist across all tests.
Each "How to Test" entry will be 3-5 short bullet points, as in the image below:
What do you all think about this?
The text was updated successfully, but these errors were encountered: