A penetration tester is finalizing the Rules of Engagement (RoE) for a web application assessment. The client has specified that the tester must verify whether the user authentication page is vulnerable to SQL injection and if the customer search function is susceptible to stored cross-site scripting. To ensure these requirements are met with a repeatable and verifiable methodology, what should the tester create and include in the engagement plan?
A list of target URLs and IP addresses to define the overall scope of the assessment.
Test cases that detail the exact steps, tools, and expected outcomes for each specific vulnerability check.
An executive summary outlining the high-level goals and potential business impact of the engagement.
A threat modeling framework like STRIDE to generally categorize potential threats to the application.
Test cases are the correct documentation for this purpose because they contain detailed, step-by-step procedures for executing a specific test, including the tools to be used and the expected results. This ensures that the client's specific concerns are addressed in a structured and verifiable manner. A list of target URLs defines the scope but not the testing method. A threat modeling framework is a high-level activity for identifying threats, not a specific test procedure. An executive summary is part of the final report, not the pre-engagement plan.