OWASP - User contributions [en]

Web Application Security Testing Cheat Sheet

2014-07-10T03:56:03Z

Amro Ahmed:

= DRAFT CHEAT SHEET - WORK IN PROGRESS =

= Introduction =

This cheat sheet provides a checklist of tasks to be performed when performing a blackbox security test of a web application.

= Purpose =

This checklist is intended to be used as an aide memoire for experienced pentesters and should be used in conjunction with the [[:Category:OWASP Testing Project|OWASP Testing Guide]]. It will be updated as the [[OWASP_Application_Testing_guide_v4|Testing Guide v4]] is progressed.

The intention is that this guide will be available as an XML document, with scripts that convert it into formats such as pdf, Media Wiki markup, HTML etc.

This will allow it to be consumed within security tools as well as being available in a format suitable for printing.

All feedback or offers of help will be appreciated - and if you have specific chances you think should be made, just get stuck in.

= The Checklist =

== Information Gathering ==
* Manually explore the site
* Spider/crawl for missed or hidden content
* Check the Webserver Metafiles for information leakage files that expose content, such as robots.txt, sitemap.xml, .DS_Store
* Check the caches of major search engines for publicly accessible sites
* Check for differences in content based on User Agent (eg, Mobile sites, access as a Search engine Crawler)
* Check The Webpage Comments and Metadata for Information Leakage
* Check The Web Application Framework
* Perform Web Application Fingerprinting
* Identify technologies used
* Identify user roles
* Identify application entry points
* Identify client-side code
* Identify multiple versions/channels (e.g. web, mobile web, mobile app, web services)
* Identify co-hosted and related applications
* Identify all hostnames and ports
* Identify third-party hosted content

== Configuration Management ==
* Check for commonly used application and administrative URLs
* Check for old, backup and unreferenced files
* Check HTTP methods supported and Cross Site Tracing (XST)
* Test file extensions handling
* Test RIA cross domain policy
* Test for security HTTP headers (e.g. CSP, X-Frame-Options, HSTS)
* Test for policies (e.g. Flash, Silverlight, robots)
* Test for non-production data in live environment, and vice-versa
* Check for sensitive data in client-side code (e.g. API keys, credentials)

== Secure Transmission ==
* Check SSL Version, Algorithms, Key length
* Check for Digital Certificate Validity (Duration, Signature and CN)
* Check credentials only delivered over HTTPS
* Check that the login form is delivered over HTTPS
* Check session tokens only delivered over HTTPS
* Check if HTTP Strict Transport Security (HSTS) in use

== Authentication ==
* Test for user enumeration
* Test for authentication bypass
* Test for brute force protection
* Test for Credentials Transported over an Encrypted Channel
* Test password quality rules
* Test remember me functionality
* Test for autocomplete on password forms/input
* Test password reset and/or recovery
* Test password change process
* Test CAPTCHA
* Test multi factor authentication
* Test for logout functionality presence
* Test for cache management on HTTP (eg Pragma, Expires, Max-age)
* Test for default logins
* Test for user-accessible authentication history
* Test for out-of channel notification of account lockouts and successful password changes
* Test for consistent authentication across applications with shared authentication schema / SSO and alternative channels
* Test for Weak security question/answer

== Session Management ==
* Establish how session management is handled in the application (eg, tokens in cookies, token in URL)
* Check session tokens for cookie flags (httpOnly and secure)
* Check session cookie scope (path and domain)
* Check session cookie duration (expires and max-age)
* Check session termination after a maximum lifetime
* Check session termination after relative timeout
* Check session termination after logout
* Test to see if users can have multiple simultaneous sessions
* Test session cookies for randomness
* Confirm that new session tokens are issued on login, role change and logout
* Test for consistent session management across applications with shared session management
* Test for session puzzling
* Test for CSRF and clickjacking

== Authorization ==
* Test for path traversal
* Test for vertical Access control problems (a.k.a. Privilege Escalation)
* Test for horizontal Access control problems (between two users at the same privilege level)
* Test for missing authorisation
* Test for Insecure Direct Object References

== Data Validation ==
* Test for Reflected Cross Site Scripting
* Test for Stored Cross Site Scripting
* Test for DOM based Cross Site Scripting
* Test for Cross Site Flashing
* Test for HTML Injection
* Test for SQL Injection
* Test for LDAP Injection
* Test for ORM Injection
* Test for XML Injection
* Test for XXE Injection
* Test for SSI Injection
* Test for XPath Injection
* Test for XQuery Injection
* Test for IMAP/SMTP Injection
* Test for Code Injection
* Test for Expression Language Injection
* Test for Command Injection
* Test for Overflow (Stack, Heap and Integer)
* Test for Format String
* Test for incubated vulnerabilities
* Test for HTTP Splitting/Smuggling
* Test for HTTP Verb Tampering
* Test for Open Redirection
* Test for Local File Inclusion
* Test for Remote File Inclusion
* Compare client-side and server-side validation rules
* Test for NoSQL injection
* Test for HTTP parameter pollution
* Test for auto-binding
* Test for Mass Assignment
* Test for NULL/Invalid Session Cookie

== Denial of Service ==
* Test for anti-automation
* Test for account lockout
* Test for HTTP protocol DoS
* Test for SQL wildcard DoS

== Business Logic ==
* Test for feature misuse
* Test for lack of non-repudiation
* Test for trust relationships
* Test for integrity of data
* Test segregation of duties
* Test for Process Timing
* Test Number of Times a Function Can be Used Limits
* Test for the Circumvention of Work Flows
* Test Defenses Against Application Mis-use
* Test Upload of Unexpected File Types

== Cryptography ==
* Check if data which should be encrypted is not
* Check for wrong algorithms usage depending on context
* Check for weak algorithms usage
* Check for proper use of salting
* Check for randomness functions

== Risky Functionality - File Uploads ==
* Test that acceptable file types are whitelisted
* Test that file size limits, upload frequency and total file counts are defined and are enforced
* Test that file contents match the defined file type
* Test that all file uploads have Anti-Virus scanning in-place.
* Test that unsafe filenames are sanitised
* Test that uploaded files are not directly accessible within the web root
* Test that uploaded files are not served on the same hostname/port
* Test that files and other media are integrated with the authentication and authorisation schemas

== Risky Functionality - Card Payment ==
* Test for known vulnerabilities and configuration issues on Web Server and Web Application
* Test for default or guessable password
* Test for non-production data in live environment, and vice-versa
* Test for Injection vulnerabilities
* Test for Buffer Overflows
* Test for Insecure Cryptographic Storage
* Test for Insufficient Transport Layer Protection
* Test for Improper Error Handling
* Test for all vulnerabilities with a CVSS v2 score > 4.0
* Test for Authentication and Authorization issues
* Test for CSRF

== HTML 5==
* Test Web Messaging
* Test for Web Storage SQL injection
* Check CORS implementation
* Check Offline Web Application

== Error Handling==
* Check for Error Codes
* Check for Stack Traces

= Other Formats =

* DradisPro template format [https://github.com/raesene/OWASP_Web_App_Testing_Cheatsheet_Converter/blob/master/OWASP_Web_Application_Testing_Cheat_Sheet.xml on github]
* Asana template on [http://templana.com/templates/owasp-website-security-checklist/ Templana] (thanks to Bastien Siebman)

= Authors and primary contributors =

[[User:Simon Bennetts|Simon Bennetts]] 
[[User:Raesene|Rory McCune]] 
Colin Watson 
Simone Onofri 
[[User:Amro_Ahmed|Amro AlOlaqi]]

All the authors of the Testing Guide v3

= Other Contributors =

[[User:Ryan_Dewhurst|Ryan Dewhurst]] 

= Related articles =

OWASP [[:Category:OWASP Testing Project|Testing Guide]]

Mozilla [https://wiki.mozilla.org/WebAppSec/Web_Security_Verification Web Security Verification]

{{Cheatsheet_Navigation}}

[[Category:Cheatsheets]] [[Category:OWASP_Breakers]]

Web Application Security Testing Cheat Sheet

2014-07-10T03:54:34Z

Amro Ahmed:

= DRAFT CHEAT SHEET - WORK IN PROGRESS =

= Introduction =

This cheat sheet provides a checklist of tasks to be performed when performing a blackbox security test of a web application.

= Purpose =

This checklist is intended to be used as an aide memoire for experienced pentesters and should be used in conjunction with the [[:Category:OWASP Testing Project|OWASP Testing Guide]]. It will be updated as the [[OWASP_Application_Testing_guide_v4|Testing Guide v4]] is progressed.

The intention is that this guide will be available as an XML document, with scripts that convert it into formats such as pdf, Media Wiki markup, HTML etc.

This will allow it to be consumed within security tools as well as being available in a format suitable for printing.

All feedback or offers of help will be appreciated - and if you have specific chances you think should be made, just get stuck in.

= The Checklist =

== Information Gathering ==
* Manually explore the site
* Spider/crawl for missed or hidden content
* Check the Webserver Metafiles for information leakage files that expose content, such as robots.txt, sitemap.xml, .DS_Store
* Check the caches of major search engines for publicly accessible sites
* Check for differences in content based on User Agent (eg, Mobile sites, access as a Search engine Crawler)
* Check The Webpage Comments and Metadata for Information Leakage
* Check The Web Application Framework
* Perform Web Application Fingerprinting
* Identify technologies used
* Identify user roles
* Identify application entry points
* Identify client-side code
* Identify multiple versions/channels (e.g. web, mobile web, mobile app, web services)
* Identify co-hosted and related applications
* Identify all hostnames and ports
* Identify third-party hosted content

== Configuration Management ==
* Check for commonly used application and administrative URLs
* Check for old, backup and unreferenced files
* Check HTTP methods supported and Cross Site Tracing (XST)
* Test file extensions handling
* Test RIA cross domain policy
* Test for security HTTP headers (e.g. CSP, X-Frame-Options, HSTS)
* Test for policies (e.g. Flash, Silverlight, robots)
* Test for non-production data in live environment, and vice-versa
* Check for sensitive data in client-side code (e.g. API keys, credentials)

== Secure Transmission ==
* Check SSL Version, Algorithms, Key length
* Check for Digital Certificate Validity (Duration, Signature and CN)
* Check credentials only delivered over HTTPS
* Check that the login form is delivered over HTTPS
* Check session tokens only delivered over HTTPS
* Check if HTTP Strict Transport Security (HSTS) in use

== Authentication ==
* Test for user enumeration
* Test for authentication bypass
* Test for brute force protection
* * Test for Credentials Transported over an Encrypted Channel
* Test password quality rules
* Test remember me functionality
* Test for autocomplete on password forms/input
* Test password reset and/or recovery
* Test password change process
* Test CAPTCHA
* Test multi factor authentication
* Test for logout functionality presence
* Test for cache management on HTTP (eg Pragma, Expires, Max-age)
* Test for default logins
* Test for user-accessible authentication history
* Test for out-of channel notification of account lockouts and successful password changes
* Test for consistent authentication across applications with shared authentication schema / SSO and alternative channels
* Test for Weak security question/answer

== Session Management ==
* Establish how session management is handled in the application (eg, tokens in cookies, token in URL)
* Check session tokens for cookie flags (httpOnly and secure)
* Check session cookie scope (path and domain)
* Check session cookie duration (expires and max-age)
* Check session termination after a maximum lifetime
* Check session termination after relative timeout
* Check session termination after logout
* Test to see if users can have multiple simultaneous sessions
* Test session cookies for randomness
* Confirm that new session tokens are issued on login, role change and logout
* Test for consistent session management across applications with shared session management
* Test for session puzzling
* Test for CSRF and clickjacking

== Authorization ==
* Test for path traversal
* Test for vertical Access control problems (a.k.a. Privilege Escalation)
* Test for horizontal Access control problems (between two users at the same privilege level)
* Test for missing authorisation
* Test for Insecure Direct Object References

== Data Validation ==
* Test for Reflected Cross Site Scripting
* Test for Stored Cross Site Scripting
* Test for DOM based Cross Site Scripting
* Test for Cross Site Flashing
* Test for HTML Injection
* Test for SQL Injection
* Test for LDAP Injection
* Test for ORM Injection
* Test for XML Injection
* Test for XXE Injection
* Test for SSI Injection
* Test for XPath Injection
* Test for XQuery Injection
* Test for IMAP/SMTP Injection
* Test for Code Injection
* Test for Expression Language Injection
* Test for Command Injection
* Test for Overflow (Stack, Heap and Integer)
* Test for Format String
* Test for incubated vulnerabilities
* Test for HTTP Splitting/Smuggling
* Test for HTTP Verb Tampering
* Test for Open Redirection
* Test for Local File Inclusion
* Test for Remote File Inclusion
* Compare client-side and server-side validation rules
* Test for NoSQL injection
* Test for HTTP parameter pollution
* Test for auto-binding
* Test for Mass Assignment
* Test for NULL/Invalid Session Cookie

== Denial of Service ==
* Test for anti-automation
* Test for account lockout
* Test for HTTP protocol DoS
* Test for SQL wildcard DoS

== Business Logic ==
* Test for feature misuse
* Test for lack of non-repudiation
* Test for trust relationships
* Test for integrity of data
* Test segregation of duties
* Test for Process Timing
* Test Number of Times a Function Can be Used Limits
* Test for the Circumvention of Work Flows
* Test Defenses Against Application Mis-use
* Test Upload of Unexpected File Types

== Cryptography ==
* Check if data which should be encrypted is not
* Check for wrong algorithms usage depending on context
* Check for weak algorithms usage
* Check for proper use of salting
* Check for randomness functions

== Risky Functionality - File Uploads ==
* Test that acceptable file types are whitelisted
* Test that file size limits, upload frequency and total file counts are defined and are enforced
* Test that file contents match the defined file type
* Test that all file uploads have Anti-Virus scanning in-place.
* Test that unsafe filenames are sanitised
* Test that uploaded files are not directly accessible within the web root
* Test that uploaded files are not served on the same hostname/port
* Test that files and other media are integrated with the authentication and authorisation schemas

== Risky Functionality - Card Payment ==
* Test for known vulnerabilities and configuration issues on Web Server and Web Application
* Test for default or guessable password
* Test for non-production data in live environment, and vice-versa
* Test for Injection vulnerabilities
* Test for Buffer Overflows
* Test for Insecure Cryptographic Storage
* Test for Insufficient Transport Layer Protection
* Test for Improper Error Handling
* Test for all vulnerabilities with a CVSS v2 score > 4.0
* Test for Authentication and Authorization issues
* Test for CSRF

== HTML 5==
* Test Web Messaging
* Test for Web Storage SQL injection
* Check CORS implementation
* Check Offline Web Application

== Error Handling==
* Check for Error Codes
* Check for Stack Traces

= Other Formats =

* DradisPro template format [https://github.com/raesene/OWASP_Web_App_Testing_Cheatsheet_Converter/blob/master/OWASP_Web_Application_Testing_Cheat_Sheet.xml on github]
* Asana template on [http://templana.com/templates/owasp-website-security-checklist/ Templana] (thanks to Bastien Siebman)

= Authors and primary contributors =

[[User:Simon Bennetts|Simon Bennetts]] 
[[User:Raesene|Rory McCune]] 
Colin Watson 
Simone Onofri 
[[User:Amro_Ahmed|Amro AlOlaqi]]

All the authors of the Testing Guide v3

= Other Contributors =

[[User:Ryan_Dewhurst|Ryan Dewhurst]] 

= Related articles =

OWASP [[:Category:OWASP Testing Project|Testing Guide]]

Mozilla [https://wiki.mozilla.org/WebAppSec/Web_Security_Verification Web Security Verification]

{{Cheatsheet_Navigation}}

[[Category:Cheatsheets]] [[Category:OWASP_Breakers]]

Web Application Security Testing Cheat Sheet

2014-07-10T03:23:10Z

Amro Ahmed:

= DRAFT CHEAT SHEET - WORK IN PROGRESS =

= Introduction =

This cheat sheet provides a checklist of tasks to be performed when performing a blackbox security test of a web application.

= Purpose =

This checklist is intended to be used as an aide memoire for experienced pentesters and should be used in conjunction with the [[:Category:OWASP Testing Project|OWASP Testing Guide]]. It will be updated as the [[OWASP_Application_Testing_guide_v4|Testing Guide v4]] is progressed.

The intention is that this guide will be available as an XML document, with scripts that convert it into formats such as pdf, Media Wiki markup, HTML etc.

This will allow it to be consumed within security tools as well as being available in a format suitable for printing.

All feedback or offers of help will be appreciated - and if you have specific chances you think should be made, just get stuck in.

= The Checklist =

== Information Gathering ==
* Manually explore the site
* Spider/crawl for missed or hidden content
* Check for files that expose content, such as robots.txt, sitemap.xml, .DS_Store
* Check the caches of major search engines for publicly accessible sites
* Check for differences in content based on User Agent (eg, Mobile sites, access as a Search engine Crawler)
* Perform Web Application Fingerprinting
* Identify technologies used
* Identify user roles
* Identify application entry points
* Identify client-side code
* Identify multiple versions/channels (e.g. web, mobile web, mobile app, web services)
* Identify co-hosted and related applications
* Identify all hostnames and ports
* Identify third-party hosted content

== Configuration Management ==
* Check for commonly used application and administrative URLs
* Check for old, backup and unreferenced files
* Check HTTP methods supported and Cross Site Tracing (XST)
* Test file extensions handling
* Test for security HTTP headers (e.g. CSP, X-Frame-Options, HSTS)
* Test for policies (e.g. Flash, Silverlight, robots)
* Test for non-production data in live environment, and vice-versa
* Check for sensitive data in client-side code (e.g. API keys, credentials)

== Secure Transmission ==
* Check SSL Version, Algorithms, Key length
* Check for Digital Certificate Validity (Duration, Signature and CN)
* Check credentials only delivered over HTTPS
* Check that the login form is delivered over HTTPS
* Check session tokens only delivered over HTTPS
* Check if HTTP Strict Transport Security (HSTS) in use

== Authentication ==
* Test for user enumeration
* Test for authentication bypass
* Test for bruteforce protection
* Test password quality rules
* Test remember me functionality
* Test for autocomplete on password forms/input
* Test password reset and/or recovery
* Test password change process
* Test CAPTCHA
* Test multi factor authentication
* Test for logout functionality presence
* Test for cache management on HTTP (eg Pragma, Expires, Max-age)
* Test for default logins
* Test for user-accessible authentication history
* Test for out-of channel notification of account lockouts and successful password changes
* Test for consistent authentication across applications with shared authentication schema / SSO

== Session Management ==
* Establish how session management is handled in the application (eg, tokens in cookies, token in URL)
* Check session tokens for cookie flags (httpOnly and secure)
* Check session cookie scope (path and domain)
* Check session cookie duration (expires and max-age)
* Check session termination after a maximum lifetime
* Check session termination after relative timeout
* Check session termination after logout
* Test to see if users can have multiple simultaneous sessions
* Test session cookies for randomness
* Confirm that new session tokens are issued on login, role change and logout
* Test for consistent session management across applications with shared session management
* Test for session puzzling
* Test for CSRF and clickjacking

== Authorization ==
* Test for path traversal
* Test for bypassing authorization schema
* Test for vertical Access control problems (a.k.a. Privilege Escalation)
* Test for horizontal Access control problems (between two users at the same privilege level)
* Test for missing authorization

== Data Validation ==
* Test for Reflected Cross Site Scripting
* Test for Stored Cross Site Scripting
* Test for DOM based Cross Site Scripting
* Test for Cross Site Flashing
* Test for HTML Injection
* Test for SQL Injection
* Test for LDAP Injection
* Test for ORM Injection
* Test for XML Injection
* Test for XXE Injection
* Test for SSI Injection
* Test for XPath Injection
* Test for XQuery Injection
* Test for IMAP/SMTP Injection
* Test for Code Injection
* Test for Expression Language Injection
* Test for Command Injection
* Test for Overflow (Stack, Heap and Integer)
* Test for Format String
* Test for incubated vulnerabilities
* Test for HTTP Splitting/Smuggling
* Test for HTTP Verb Tampering
* Test for Open Redirection
* Test for Local File Inclusion
* Test for Remote File Inclusion
* Compare client-side and server-side validation rules
* Test for NoSQL injection
* Test for HTTP parameter pollution
* Test for auto-binding
* Test for Mass Assignment
* Test for NULL/Invalid Session Cookie

== Denial of Service ==
* Test for anti-automation
* Test for account lockout
* Test for HTTP protocol DoS
* Test for SQL wildcard DoS

== Business Logic ==
* Test for feature misuse
* Test for lack of non-repudiation
* Test for trust relationships
* Test for integrity of data
* Test segregation of duties
* Test for Process Timing
* Test Number of Times a Function Can be Used Limits
* Test for the Circumvention of Work Flows
* Test Defenses Against Application Mis-use
* Test Upload of Unexpected File Types

== Cryptography ==
* Check if data which should be encrypted is not
* Check for wrong algorithms usage depending on context
* Check for weak algorithms usage
* Check for proper use of salting
* Check for randomness functions

== Risky Functionality - File Uploads ==
* Test that acceptable file types are whitelisted
* Test that file size limits, upload frequency and total file counts are defined and are enforced
* Test that file contents match the defined file type
* Test that all file uploads have Anti-Virus scanning in-place.
* Test that unsafe filenames are sanitised
* Test that uploaded files are not directly accessible within the web root
* Test that uploaded files are not served on the same hostname/port
* Test that files and other media are integrated with the authentication and authorisation schemas

== Risky Functionality - Card Payment ==
* Test for known vulnerabilities and configuration issues on Web Server and Web Application
* Test for default or guessable password
* Test for non-production data in live environment, and vice-versa
* Test for Injection vulnerabilities
* Test for Buffer Overflows
* Test for Insecure Cryptographic Storage
* Test for Insufficient Transport Layer Protection
* Test for Improper Error Handling
* Test for all vulnerabilities with a CVSS v2 score > 4.0
* Test for Authentication and Authorization issues
* Test for CSRF

== HTML 5==
* Test Web Messaging
* Test for Web Storage SQL injection
* Check CORS implementation
* Check Offline Web Application

== Error Handling==
* Check for Error Codes
* Analysis for Stack Traces

= Other Formats =

* DradisPro template format [https://github.com/raesene/OWASP_Web_App_Testing_Cheatsheet_Converter/blob/master/OWASP_Web_Application_Testing_Cheat_Sheet.xml on github]
* Asana template on [http://templana.com/templates/owasp-website-security-checklist/ Templana] (thanks to Bastien Siebman)

= Authors and primary contributors =

[[User:Simon Bennetts|Simon Bennetts]] 
[[User:Raesene|Rory McCune]] 
Colin Watson 
Simone Onofri 

All the authors of theTesting Guide v3

= Other Contributors =

[[User:Ryan_Dewhurst|Ryan Dewhurst]] 
[[User:Amro_Ahmed|Amro AlOlaqi]]
= Related articles =

OWASP [[:Category:OWASP Testing Project|Testing Guide]]

Mozilla [https://wiki.mozilla.org/WebAppSec/Web_Security_Verification Web Security Verification]

{{Cheatsheet_Navigation}}

[[Category:Cheatsheets]] [[Category:OWASP_Breakers]]

Web Application Security Testing Cheat Sheet

2014-07-10T03:19:26Z

Amro Ahmed:

= DRAFT CHEAT SHEET - WORK IN PROGRESS =

= Introduction =

This cheat sheet provides a checklist of tasks to be performed when performing a blackbox security test of a web application.

= Purpose =

This checklist is intended to be used as an aide memoire for experienced pentesters and should be used in conjunction with the [[:Category:OWASP Testing Project|OWASP Testing Guide]]. It will be updated as the [[OWASP_Application_Testing_guide_v4|Testing Guide v4]] is progressed.

The intention is that this guide will be available as an XML document, with scripts that convert it into formats such as pdf, Media Wiki markup, HTML etc.

This will allow it to be consumed within security tools as well as being available in a format suitable for printing.

All feedback or offers of help will be appreciated - and if you have specific chances you think should be made, just get stuck in.

= The Checklist =

== Information Gathering ==
* Manually explore the site
* Spider/crawl for missed or hidden content
* Check for files that expose content, such as robots.txt, sitemap.xml, .DS_Store
* Check the caches of major search engines for publicly accessible sites
* Check for differences in content based on User Agent (eg, Mobile sites, access as a Search engine Crawler)
* Perform Web Application Fingerprinting
* Identify technologies used
* Identify user roles
* Identify application entry points
* Identify client-side code
* Identify multiple versions/channels (e.g. web, mobile web, mobile app, web services)
* Identify co-hosted and related applications
* Identify all hostnames and ports
* Identify third-party hosted content

== Configuration Management ==
* Check for commonly used application and administrative URLs
* Check for old, backup and unreferenced files
* Check HTTP methods supported and Cross Site Tracing (XST)
* Test file extensions handling
* Test for security HTTP headers (e.g. CSP, X-Frame-Options, HSTS)
* Test for policies (e.g. Flash, Silverlight, robots)
* Test for non-production data in live environment, and vice-versa
* Check for sensitive data in client-side code (e.g. API keys, credentials)

== Secure Transmission ==
* Check SSL Version, Algorithms, Key length
* Check for Digital Certificate Validity (Duration, Signature and CN)
* Check credentials only delivered over HTTPS
* Check that the login form is delivered over HTTPS
* Check session tokens only delivered over HTTPS
* Check if HTTP Strict Transport Security (HSTS) in use

== Authentication ==
* Test for user enumeration
* Test for authentication bypass
* Test for bruteforce protection
* Test password quality rules
* Test remember me functionality
* Test for autocomplete on password forms/input
* Test password reset and/or recovery
* Test password change process
* Test CAPTCHA
* Test multi factor authentication
* Test for logout functionality presence
* Test for cache management on HTTP (eg Pragma, Expires, Max-age)
* Test for default logins
* Test for user-accessible authentication history
* Test for out-of channel notification of account lockouts and successful password changes
* Test for consistent authentication across applications with shared authentication schema / SSO

== Session Management ==
* Establish how session management is handled in the application (eg, tokens in cookies, token in URL)
* Check session tokens for cookie flags (httpOnly and secure)
* Check session cookie scope (path and domain)
* Check session cookie duration (expires and max-age)
* Check session termination after a maximum lifetime
* Check session termination after relative timeout
* Check session termination after logout
* Test to see if users can have multiple simultaneous sessions
* Test session cookies for randomness
* Confirm that new session tokens are issued on login, role change and logout
* Test for consistent session management across applications with shared session management
* Test for session puzzling
* Test for CSRF and clickjacking

== Authorization ==
* Test for path traversal
* Test for bypassing authorization schema
* Test for vertical Access control problems (a.k.a. Privilege Escalation)
* Test for horizontal Access control problems (between two users at the same privilege level)
* Test for missing authorization

== Data Validation ==
* Test for Reflected Cross Site Scripting
* Test for Stored Cross Site Scripting
* Test for DOM based Cross Site Scripting
* Test for Cross Site Flashing
* Test for HTML Injection
* Test for SQL Injection
* Test for LDAP Injection
* Test for ORM Injection
* Test for XML Injection
* Test for XXE Injection
* Test for SSI Injection
* Test for XPath Injection
* Test for XQuery Injection
* Test for IMAP/SMTP Injection
* Test for Code Injection
* Test for Expression Language Injection
* Test for Command Injection
* Test for Overflow (Stack, Heap and Integer)
* Test for Format String
* Test for incubated vulnerabilities
* Test for HTTP Splitting/Smuggling
* Test for HTTP Verb Tampering
* Test for Open Redirection
* Test for Local File Inclusion
* Test for Remote File Inclusion
* Compare client-side and server-side validation rules
* Test for NoSQL injection
* Test for HTTP parameter pollution
* Test for auto-binding
* Test for Mass Assignment
* Test for NULL/Invalid Session Cookie

== Denial of Service ==
* Test for anti-automation
* Test for account lockout
* Test for HTTP protocol DoS
* Test for SQL wildcard DoS

== Business Logic ==
* Test for feature misuse
* Test for lack of non-repudiation
* Test for trust relationships
* Test for integrity of data
* Test segregation of duties

== Cryptography ==
* Check if data which should be encrypted is not
* Check for wrong algorithms usage depending on context
* Check for weak algorithms usage
* Check for proper use of salting
* Check for randomness functions

== Risky Functionality - File Uploads ==
* Test that acceptable file types are whitelisted
* Test that file size limits, upload frequency and total file counts are defined and are enforced
* Test that file contents match the defined file type
* Test that all file uploads have Anti-Virus scanning in-place.
* Test that unsafe filenames are sanitised
* Test that uploaded files are not directly accessible within the web root
* Test that uploaded files are not served on the same hostname/port
* Test that files and other media are integrated with the authentication and authorisation schemas

== Risky Functionality - Card Payment ==
* Test for known vulnerabilities and configuration issues on Web Server and Web Application
* Test for default or guessable password
* Test for non-production data in live environment, and vice-versa
* Test for Injection vulnerabilities
* Test for Buffer Overflows
* Test for Insecure Cryptographic Storage
* Test for Insufficient Transport Layer Protection
* Test for Improper Error Handling
* Test for all vulnerabilities with a CVSS v2 score > 4.0
* Test for Authentication and Authorization issues
* Test for CSRF

== HTML 5==
* Test Web Messaging
* Test for Web Storage SQL injection
* Check CORS implementation
* Check Offline Web Application

== Error Handling==
* Check for Error Codes
* Analysis for Stack Traces

= Other Formats =

* DradisPro template format [https://github.com/raesene/OWASP_Web_App_Testing_Cheatsheet_Converter/blob/master/OWASP_Web_Application_Testing_Cheat_Sheet.xml on github]
* Asana template on [http://templana.com/templates/owasp-website-security-checklist/ Templana] (thanks to Bastien Siebman)

= Authors and primary contributors =

[[User:Simon Bennetts|Simon Bennetts]] 
[[User:Raesene|Rory McCune]] 
Colin Watson 
Simone Onofri 

All the authors of theTesting Guide v3

= Other Contributors =

[[User:Ryan_Dewhurst|Ryan Dewhurst]] 
[[User:Amro_Ahmed|Amro AlOlaqi]]
= Related articles =

OWASP [[:Category:OWASP Testing Project|Testing Guide]]

Mozilla [https://wiki.mozilla.org/WebAppSec/Web_Security_Verification Web Security Verification]

{{Cheatsheet_Navigation}}

[[Category:Cheatsheets]] [[Category:OWASP_Breakers]]

Reporting

2014-05-29T11:45:49Z

Amro Ahmed:

{{Template:OWASP Testing Guide v4}}

Performing the technical side of the assessment is only half of the overall assessment process. The final product is the production of a well written and informative report. A report should be easy to understand and should highlight all the risks found during the assessment phase. The report should appeal to both executive management and technical staff.

The report needs to have three major sections. It should be created in a manner that allows each separate section to be printed and given to the appropriate teams, such as the developers or system managers. The recommended sections are outlined below.

'''1. Executive Summary'''

The executive summary sums up the overall findings of the assessment and gives managers and system owners an idea of the overall risk faced.

The language used should be more suited to people who are not technically aware and should include graphs or other charts which show the risk level. It is recommended to include a summary that details when the testing commenced and when it was completed.

Another section that is often overlooked is a paragraph on implications and actions. This allows the system owners to understand what is required to be done to ensure the system remains secure.

1.1 Project Objective:
This section outlines the project objectives and the expected outcome of the assessment.

1.2 Project Scope:
This section outlines the agreed scope.

1.3 Limitations:
This section outlines every limitation which was faced throughout the assessment. For example, limitations of project-focused tests, limitation in the security testing methods, performance or technical issues that the tester come across during the course of assessment, etc.

1.4 Targets:
This section lists the number of applications or targeted systems.

'''2. Technical Management Overview'''

The technical management overview section often appeals to technical managers who require more technical detail than found in the executive summary. This section should include details about the scope of the assessment, the targets included and any caveats, such as system availability etc.

This section also needs to include an introduction on the risk rating used throughout the report. It should also include a technical summary of the findings.

'''3. Assessment Findings'''

The last section of the report includes detailed technical information about the vulnerabilities found and the actions needed to resolve them. This section is aimed at a technical level and should include all the necessary information for the technical teams to understand the issue and resolve it. Each finding should be clear and concise and give the reader of the report a full understanding of the issue at hand.

The findings section should include:

* A reference number for easy reference with screenshots
* The affected item
* A technical description of the issue
* A section on resolving the issue
* The risk rating and impact value

Here is the report (see https://www.owasp.org/index.php/Testing_Checklist for the complete list of tests):

<center>[[Image:tablerep.PNG]]</center>
<center>[[Image:tablerep2.PNG]]</center>
<center>[[Image:tablerep3.PNG]]</center>

'''Appendix'''

This section is often used to describe the commercial and open-source tools that were used in conducting the assessment. When custom scripts or code are utilized during the assessment, it should be disclosed in this section or noted as attachment. Customers appreciate when the methodology used by the consultants is included. It gives them an idea of the thoroughness of the assessment and what areas were included.

Breakers

2014-04-17T13:13:15Z

Amro Ahmed:

==== OWASP Breakers ====

{| width="100%"
|- valign="top"
|
'''Breakers Community'''

A community of security professionals and stakeholders with the common goal of advancing the state of security in the area of security testing.

 '''Examples'''

TBA

 '''Target Audience'''

Application Security Professionals, Infrastructure Security Teams, Pentesters

 '''What Are OWASP Communities?'''

[http://www.owasp.org/index.php/Builders Builders], Breakers and [http://www.owasp.org/index.php/Defenders Defenders]; the idea of OWASP Communities is to bring together experts in the area that they are best at with the common goal of advancing the state of application security. This approach allows similar groups of professionals and experts to tackle security problems with the involvement of the most relevant stakeholders. The intent is to drive high quality output that is immediately usable by the target audience. More information about this vision can be found [http://michael-coates.blogspot.com/2011/02/vision-for-owasp.html here]

|
[[Image:OWASP-vision.jpg]]

|}

==== The Community ====
      

{| cellspacing="1" cellpadding="1" style="width: 404px; height: 413px;"
|-
|   
| '''Erwin Geirnaert''' ''ZION SECURITY'' ''erwin.geirnaert@zionsecurity.com'' ''http://www.zionsecurity.com/'' ''@ZIONSECURITY''
|
|
|-
| [[Image:SimonBennetts-OWASP.jpg]] 
| '''Simon Bennetts''' [[:OWASP Zed Attack Proxy Project|OWASP Zed Attack Proxy Project]] Lead psiinon@owasp.org http://pentest4devs.blogspot.com/ @psiinon
|
|
|-
|   
| '''Axel Neumann''' [[:OWASP Zed Attack Proxy Project|OWASP Zed Attack Proxy Project]] @x3l_ch
|
|
|-
| [[File:2f726dc85913c41ad3c18138d49ba3bc.png|100px]] 
| '''Amro AlOlaqi''' [[:OWASP Zed Attack Proxy Project|OWASP Zed Attack Proxy Project]] [[Cheat Sheets]] [[OWASP Testing Project]] amro@owasp.org ''https://www.owasp.org/index.php/User:Amro_Ahmed'' @Amro_AlOlaqi
|
|
|-
| Your pic; 
| '''Your name''' ''Your company/project'' ''Your email'' ''Your website'' ''Your twitter''
|
|}

Want to contribute to the OWASP Breakers Community? Add your info here!
 

==== Roadmap ====
To be determined

==== Official Breaker Projects ====

To be determined

==== All Breaker Related Projects ====
All projects that are related to the OWASP Breakers community can be found at the following link: [[:Category:OWASP_Breakers]]

__NOTOC__ <headertabs />

File:2f726dc85913c41ad3c18138d49ba3bc.png

2014-04-17T12:59:59Z

Amro Ahmed: Amro Ahmed uploaded a new version of "File:2f726dc85913c41ad3c18138d49ba3bc.png"

AMRO ALOLAQI

User:Amro Ahmed

2014-04-17T12:57:58Z

Amro Ahmed:

[[File:2f726dc85913c41ad3c18138d49ba3bc.png|100px]]

Amro AlOlaqi joined OWASP back in 2008. ( My old user account: https://www.owasp.org/index.php/User:Amro )

Amro currently works as a Sr. Consultant at Verizon (Threat & Vulnerability). Prior joining Verizon, Amro worked for BAE Systems, Saudi Aramco, IS, and Red Hat, he has more than 9 years of experience in Information security. He started his professional career at early age, since then, he engaged the field of UNIX/Linux engineering and systems’ security. He carried out penetration tests, application , vulnerability assessments and security audits for prestigious organizations. Moreover, his expertise extends across industry verticals, security technologies plus hacking tools and techniques.

'''''OWASP Involvement'''''
* Chapter leader: Saudi Arabia
* Chapter leader: Untied Arab Emirates
* Contributor: OWASP Testing Guide v4
* Contributor: OWASP Web Application Security Testing Cheat Sheet
* ZAP Core Team: OWASP Zed Attack Proxy Project
* ZAP Evangelist: Middle East
* Contributor: OWASP Speakers Project

'''''Public Speaking'''''
*Speaker: Web Application Security ("Why" "How" and "When") at IDC IT Security Roadshow - Dubai
*Speaker: Application Security at i-safe (ISACA UAE) – UAE
*Speaker: Ethical Hacking at Compliance and Beyond - Saudi.
*Speaker: Web Application Security at F5 - Saudi.
*Speaker: OWASP The Power of Code Review at aSecurity, Netherlands
*Speaker: Web Application Security and the OWASP top 10 at ISACA Jeddah – Saudi
*Speaker: Web App Critical Vulnerabilities and OWASP's ESAPI at The Cyber Information Security Summit - UAE
*Speaker: Information Security Awareness at Arabou University - Saudi.
*Speaker: Threat Modeling and Penetration test at IT for Government Summit - UAE
*Speaker: Ethical Hacking and penetration testing at Microsoft Open Doors – Saudi.
*Speaker: Ethical Hacking and penetration testing at Microsoft Open Doors – Saudi.
*Speaker: OWASP Testing Guide at OWASP KSA - Saudi.
*Speaker: OWASP's introduction and projects at the open university - Saudi

'''Get in touch with Amro on LinkedIn: http://www.linkedin.com/in/iamro'''

File:2f726dc85913c41ad3c18138d49ba3bc.png

2014-04-17T12:52:56Z

Amro Ahmed: AMRO ALOLAQI

AMRO ALOLAQI

User:Amro Ahmed

2014-04-10T21:30:21Z

Amro Ahmed:

Amro AlOlaqi joined OWASP back in 2008. ( My old user account: https://www.owasp.org/index.php/User:Amro )

Amro currently works as a Sr. Consultant at Verizon (Threat & Vulnerability). Prior joining Verizon, Amro worked for BAE Systems, Saudi Aramco, IS, and Red Hat, he has more than 9 years of experience in Information security. He started his professional career at early age, since then, he engaged the field of UNIX/Linux engineering and systems’ security. He carried out penetration tests, application , vulnerability assessments and security audits for prestigious organizations. Moreover, his expertise extends across industry verticals, security technologies plus hacking tools and techniques.

'''''OWASP Involvement'''''
* Chapter leader: Saudi Arabia
* Chapter leader: Untied Arab Emirates
* Contributor: OWASP Testing Guide v4
* Contributor: OWASP Web Application Security Testing Cheat Sheet
* ZAP Core Team: OWASP Zed Attack Proxy Project
* ZAP Evangelist: Middle East
* Contributor: OWASP Speakers Project

'''''Public Speaking'''''
*Speaker: Web Application Security ("Why" "How" and "When") at IDC IT Security Roadshow - Dubai
*Speaker: Application Security at i-safe (ISACA UAE) – UAE
*Speaker: Ethical Hacking at Compliance and Beyond - Saudi.
*Speaker: Web Application Security at F5 - Saudi.
*Speaker: OWASP The Power of Code Review at aSecurity, Netherlands
*Speaker: Web Application Security and the OWASP top 10 at ISACA Jeddah – Saudi
*Speaker: Web App Critical Vulnerabilities and OWASP's ESAPI at The Cyber Information Security Summit - UAE
*Speaker: Information Security Awareness at Arabou University - Saudi.
*Speaker: Threat Modeling and Penetration test at IT for Government Summit - UAE
*Speaker: Ethical Hacking and penetration testing at Microsoft Open Doors – Saudi.
*Speaker: Ethical Hacking and penetration testing at Microsoft Open Doors – Saudi.
*Speaker: OWASP Testing Guide at OWASP KSA - Saudi.
*Speaker: OWASP's introduction and projects at the open university - Saudi

'''Get in touch with Amro on LinkedIn: http://www.linkedin.com/in/iamro'''

Appendix A: Testing Tools

2014-04-02T20:34:01Z

Amro Ahmed:

{{Template:OWASP Testing Guide v4}}

==Open Source Black Box Testing tools==

=== General Testing ===

* '''[[OWASP_WebScarab_Project|OWASP WebScarab]]'''
** WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins.
* '''[[OWASP_CAL9000_Project|OWASP CAL9000]]'''
** CAL9000 is a collection of browser-based tools that enable more effective and efficient manual testing efforts.
** Includes an XSS Attack Library, Character Encoder/Decoder, HTTP Request Generator and Response Evaluator, Testing Checklist, Automated Attack Editor and much more.
* '''[[:Category:OWASP Pantera Web Assessment Studio Project|OWASP Pantera Web Assessment Studio Project]]'''
** Pantera uses an improved version of SpikeProxy to provide a powerful web application analysis engine. The primary goal of Pantera is to combine automated capabilities with complete manual testing to get the best penetration testing results.
* '''[[:OWASP Zed Attack Proxy Project]]'''
** The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.
** ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
* '''[[:OWASP Mantra - Security Framework]]'''
**Mantra is a web application security testing framework built on top of a browser. It supports Windows, Linux(both 32 and 64 bit) and Macintosh, in addition, it can work with other software like ZAP using built in proxy management function which makes it much more convenient. Mantra is available in 9 languages: Arabic, Chinese - Simplified, Chinese - Traditional, English, French, Portuguese, Russian, Spanish and Turkish.
* '''SPIKE''' - http://www.immunitysec.com/resources-freesoftware.shtml
** SPIKE designed to analyze new network protocols for buffer overflows or similar weaknesses. It requires a strong knowledge of C to use and only available for the Linux platform.
* '''Burp Proxy''' - http://www.portswigger.net/Burp/
** Burp Proxy is an intercepting proxy server for security testing of web applications it allows Intercepting and modifying all HTTP/S traffic passing in both directions, it can work with custom SSL certificates and non-proxy-aware clients.
* '''Odysseus Proxy''' - http://www.wastelands.gen.nz/odysseus/
** Odysseus is a proxy server, which acts as a man-in-the-middle during an HTTP session. A typical HTTP proxy will relay packets to and from a client browser and a web server. It will intercept an HTTP session's data in either direction.
* '''Webstretch Proxy''' - http://sourceforge.net/projects/webstretch
** Webstretch Proxy enable users to view and alter all aspects of communications with a web site via a proxy. It can also be used for debugging during development.
* '''WATOBO''' - http://sourceforge.net/apps/mediawiki/watobo/index.php?title=Main_Page
** WATOBO works like a local proxy, similar to Webscarab, ZAP or BurpSuite and it supports passive and active checks.
* '''Firefox LiveHTTPHeaders''' - https://addons.mozilla.org/en-US/firefox/addon/live-http-headers/
** View HTTP headers of a page and while browsing.
* '''Firefox Tamper Data''' - https://addons.mozilla.org/en-US/firefox/addon/tamper-data/
** Use tamperdata to view and modify HTTP/HTTPS headers and post parameters
* '''Firefox Web Developer Tools''' - https://addons.mozilla.org/en-US/firefox/addon/web-developer/
** The Web Developer extension adds various web developer tools to the browser.
* '''DOM Inspector''' - https://developer.mozilla.org/en/docs/DOM_Inspector
** DOM Inspector is a developer tool used to inspect, browse, and edit the Document Object Model (DOM)
* '''Firefox Firebug''' - http://getfirebug.com/
** Firebug integrates with Firefox to edit, debug, and monitor CSS, HTML, and JavaScript.
* '''Grendel-Scan''' - http://securitytube-tools.net/index.php?title=Grendel_Scan
** Grendel-Scan is an automated security scanning of web applications and also supports manual penetration testing.
* '''OWASP SWFIntruder''' - http://www.mindedsecurity.com/swfintruder.html
** SWFIntruder (pronounced Swiff Intruder) is the first tool specifically developed for analyzing and testing security of Flash applications at runtime.
* '''SWFScan''' - http://h30499.www3.hp.com/t5/Following-the-Wh1t3-Rabbit/SWFScan-FREE-Flash-decompiler/ba-p/5440167
** Flash decompiler
* '''Wikto''' - http://www.sensepost.com/labs/tools/pentest/wikto
** Wikto features including fuzzy logic error code checking, a back-end miner, Google-assisted directory mining and real time HTTP request/response monitoring.
* '''w3af''' - http://w3af.org
** w3af is a Web Application Attack and Audit Framework. The project’s goal is finding and exploiting web application vulnerabilities.
* '''skipfish''' - http://code.google.com/p/skipfish/
** Skipfish is an active web application security reconnaissance tool.
* '''Web Developer toolbar''' - https://chrome.google.com/webstore/detail/bfbameneiokkgbdmiekhjnmfkcnldhhm
** The Web Developer extension adds a toolbar button to the browser with various web developer tools. This is the official port of the Web Developer extension for Firefox.
* '''HTTP Request Maker''' - https://chrome.google.com/webstore/detail/kajfghlhfkcocafkcjlajldicbikpgnp?hl=en-US
** Request Maker is a tool for penetration testing. With it you can easily capture requests made by web pages, tamper with the URL, headers and POST data and, of course, make new requests
* '''Cookie Editor''' - https://chrome.google.com/webstore/detail/fngmhnnpilhplaeedifhccceomclgfbg?hl=en-US
** Edit This Cookie is a cookie manager. You can add, delete, edit, search, protect and block cookies
* '''Cookie swap''' - https://chrome.google.com/webstore/detail/dffhipnliikkblkhpjapbecpmoilcama?hl=en-US
** Swap My Cookies is a session manager, it manages cookies, letting you login on any website with several different accounts.
* '''Firebug lite for Chrome"" - https://chrome.google.com/webstore/detail/bmagokdooijbeehmkpknfglimnifench
**Firebug Lite is not a substitute for Firebug, or Chrome Developer Tools. It is a tool to be used in conjunction with these tools. Firebug Lite provides the rich visual representation we are used to see in Firebug when it comes to HTML elements, DOM elements, and Box Model shading. It provides also some cool features like inspecting HTML elemements with your mouse, and live editing CSS properties
* '''Session Manager"" - https://chrome.google.com/webstore/detail/bbcnbpafconjjigibnhbfmmgdbbkcjfi
**With Session Manager you can quickly save your current browser state and reload it whenever necessary. You can manage multiple sessions, rename or remove them from the session library. Each session remembers the state of the browser at its creation time, i.e the opened tabs and windows.
* '''Subgraph Vega''' - http://www.subgraph.com/products.html
**Vega is a free and open source scanner and testing platform to test the security of web applications. Vega can help you find and validate SQL Injection, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities. It is written in Java, GUI based, and runs on Linux, OS X, and Windows.

=== Testing for specific vulnerabilities ===

==== Testing for DOM XSS ====
* DOMinator Pro - https://dominator.mindedsecurity.com

==== Testing AJAX ====
* '''[[:Category:OWASP Sprajax Project|OWASP Sprajax Project]]'''
==== Testing for SQL Injection ====
* '''[[:Category:OWASP_SQLiX_Project|OWASP SQLiX]]'''
* Sqlninja: a SQL Server Injection & Takeover Tool - http://sqlninja.sourceforge.net
* Bernardo Damele A. G.: sqlmap, automatic SQL injection tool - http://sqlmap.org/
* Absinthe 1.1 (formerly SQLSqueal) - http://sourceforge.net/projects/absinthe/
* SQLInjector - Uses inference techniques to extract data and determine the backend database server. http://www.databasesecurity.com/sql-injector.htm
* Bsqlbf-v2: A perl script allows extraction of data from Blind SQL Injections - http://code.google.com/p/bsqlbf-v2/
* Pangolin: An automatic SQL injection penetration testing tool - http://www.darknet.org.uk/2009/05/pangolin-automatic-sql-injection-tool/
* Antonio Parata: Dump Files by sql inference on Mysql - SqlDumper - http://www.ruizata.com/
* Multiple DBMS Sql Injection tool - SQL Power Injector - http://www.sqlpowerinjector.com/
* MySql Blind Injection Bruteforcing, Reversing.org - sqlbftools - http://packetstormsecurity.org/files/43795/sqlbftools-1.2.tar.gz.html

==== Testing Oracle ====
* TNS Listener tool (Perl) - http://www.jammed.com/%7Ejwa/hacks/security/tnscmd/tnscmd-doc.html
* Toad for Oracle - http://www.quest.com/toad
==== Testing SSL ====
* Foundstone SSL Digger - http://www.mcafee.com/us/downloads/free-tools/ssldigger.aspx
==== Testing for Brute Force Password ====
* THC Hydra - http://www.thc.org/thc-hydra/
* John the Ripper - http://www.openwall.com/john/
* Brutus - http://www.hoobie.net/brutus/
* Medusa - http://www.foofus.net/~jmk/medusa/medusa.html
*Ncat - http://nmap.org/ncat/

==== Testing Buffer Overflow ====
* OllyDbg - http://www.ollydbg.de
** "A windows based debugger used for analyzing buffer overflow vulnerabilities"
* Spike - http://www.immunitysec.com/downloads/SPIKE2.9.tgz
** A fuzzer framework that can be used to explore vulnerabilities and perform length testing
* Brute Force Binary Tester (BFB) - http://bfbtester.sourceforge.net
** A proactive binary checker

[[Category:FIXME|link not working

* Metasploit - http://www.metasploit.com/projects/Framework/
** A rapid exploit development and Testing frame work

]]
==== Fuzzer ====
* '''[[:Category:OWASP_WSFuzzer_Project|OWASP WSFuzzer]]'''
* Wfuzz - http://www.darknet.org.uk/2007/07/wfuzz-a-tool-for-bruteforcingfuzzing-web-applications/

==== Googling ====
* Stach & Liu's Google Hacking Diggity Project - http://www.stachliu.com/resources/tools/google-hacking-diggity-project/
* Foundstone Sitedigger (Google cached fault-finding) - http://www.mcafee.com/us/downloads/free-tools/sitedigger.aspx

==Commercial Black Box Testing tools==

* NGS Typhon III - http://www.nccgroup.com/en/our-services/security-testing-audit-compliance/information-security-software/ngs-typhon-iii/
* NGSSQuirreL - http://www.nccgroup.com/en/our-services/security-testing-audit-compliance/information-security-software/ngs-squirrel-vulnerability-scanners/
* IBM AppScan - http://www-01.ibm.com/software/awdtools/appscan/
* Cenzic Hailstorm - http://www.cenzic.com/products_services/cenzic_hailstorm.php
* Burp Intruder - http://www.portswigger.net/burp/intruder.html
* Acunetix Web Vulnerability Scanner - http://www.acunetix.com
* Sleuth - http://www.sandsprite.com
* NT Objectives NTOSpider - http://www.ntobjectives.com/products/ntospider.php
* MaxPatrol Security Scanner - http://www.maxpatrol.com
* Ecyware GreenBlue Inspector - http://www.ecyware.com
* Parasoft SOAtest (more QA-type tool)- http://www.parasoft.com/jsp/products/soatest.jsp?itemId=101
* MatriXay - http://www.dbappsecurity.com/webscan.html
* N-Stalker Web Application Security Scanner - http://www.nstalker.com
* HP WebInspect - http://www.hpenterprisesecurity.com/products/hp-fortify-software-security-center/hp-webinspect
* SoapUI (Web Service security testing) - http://www.soapui.org/Security/getting-started.html
* Netsparker - http://www.mavitunasecurity.com/netsparker/
* SAINT - http://www.saintcorporation.com/
* QualysGuard WAS - http://www.qualys.com/enterprises/qualysguard/web-application-scanning/
* Retina Web - http://www.eeye.com/Products/Retina/Web-Security-Scanner.aspx

[[Category:FIXME|check these links

* Cenzic Hailstorm - http://www.cenzic.com/products_services/cenzic_hailstorm.php

link broken:

* ScanDo - http://www.kavado.com

]]

==Source Code Analyzers==

===Open Source / Freeware===
* [[:Category:OWASP_Orizon_Project|Owasp Orizon]]
* '''[[:Category:OWASP_LAPSE_Project|OWASP LAPSE]]'''
* [[OWASP O2 Platform]]
* Google CodeSearchDiggity - http://www.stachliu.com/resources/tools/google-hacking-diggity-project/attack-tools/
* PMD - http://pmd.sourceforge.net/
* FlawFinder - http://www.dwheeler.com/flawfinder
* Microsoft’s [[FxCop]]
* Splint - http://splint.org
* Boon - http://www.cs.berkeley.edu/~daw/boon
* FindBugs - http://findbugs.sourceforge.net
* Find Security Bugs - http://h3xstream.github.io/find-sec-bugs/
* Oedipus - http://www.darknet.org.uk/2006/06/oedipus-open-source-web-application-security-analysis/
* W3af - http://w3af.sourceforge.net/
* phpcs-security-audit - https://github.com/Pheromone/phpcs-security-audit

[[Category:FIXME|broken link

* Pscan - http://www.striker.ottawa.on.ca/~aland/pscan

]]

===Commercial ===

* Armorize CodeSecure - http://www.armorize.com/index.php?link_id=codesecure
* Parasoft C/C++ test - http://www.parasoft.com/jsp/products/cpptest.jsp/index.htm
* Checkmarx CxSuite - http://www.checkmarx.com
* HP Fortify - http://www.hpenterprisesecurity.com/products/hp-fortify-software-security-center/hp-fortify-static-code-analyzer
* GrammaTech - http://www.grammatech.com
* ITS4 - http://seclab.cs.ucdavis.edu/projects/testing/tools/its4.html
* Appscan - http://www-01.ibm.com/software/rational/products/appscan/source/
* ParaSoft - http://www.parasoft.com
* Virtual Forge CodeProfiler for ABAP - http://www.virtualforge.de
* Veracode - http://www.veracode.com

[[Category:FIXME|link not working

* Armorize CodeSecure - http://www.armorize.com/product/

]]

==Acceptance Testing Tools==
Acceptance testing tools are used to validate the functionality of web applications. Some follow a scripted approach and typically make use of a Unit Testing framework to construct test suites and test cases. Most, if not all, can be adapted to perform security specific tests in addition to functional tests.

===Open Source Tools===

* WATIR - http://wtr.rubyforge.org
** A Ruby based web testing framework that provides an interface into Internet Explorer.
** Windows only.
* HtmlUnit - http://htmlunit.sourceforge.net
** A Java and JUnit based framework that uses the Apache HttpClient as the transport.
** Very robust and configurable and is used as the engine for a number of other testing tools.
* jWebUnit - http://jwebunit.sourceforge.net
** A Java based meta-framework that uses htmlunit or selenium as the testing engine.
* Canoo Webtest - http://webtest.canoo.com
** An XML based testing tool that provides a facade on top of htmlunit.
** No coding is necessary as the tests are completely specified in XML.
** There is the option of scripting some elements in Groovy if XML does not suffice.
** Very actively maintained.
* HttpUnit - http://httpunit.sourceforge.net
** One of the first web testing frameworks, suffers from using the native JDK provided HTTP transport, which can be a bit limiting for security testing.
* Watij - http://watij.com
** A Java implementation of WATIR.
** Windows only because it uses IE for its tests (Mozilla integration is in the works).
* Solex - http://solex.sourceforge.net
** An Eclipse plugin that provides a graphical tool to record HTTP sessions and make assertions based on the results.
* Selenium - http://seleniumhq.org/
** JavaScript based testing framework, cross-platform and provides a GUI for creating tests.
** Mature and popular tool, but the use of JavaScript could hamper certain security tests.

==Other Tools==

===Runtime Analysis===

* Rational PurifyPlus - http://www-01.ibm.com/software/awdtools/purify/
* Seeker by Quotium - http://www.quotium.com/prod/security.php

===Binary Analysis===

* BugScam IDC Package - http://sourceforge.net/projects/bugscam
* Veracode - http://www.veracode.com

===Requirements Management===

* Rational Requisite Pro - http://www-306.ibm.com/software/awdtools/reqpro

===Site Mirroring===
* wget - http://www.gnu.org/software/wget, http://www.interlog.com/~tcharron/wgetwin.html
* curl - http://curl.haxx.se
* Sam Spade - http://www.samspade.org
* Xenu's Link Sleuth - http://home.snafu.de/tilman/xenulink.html

Appendix A: Testing Tools

2014-04-02T18:19:57Z

Amro Ahmed:

{{Template:OWASP Testing Guide v4}}

==Open Source Black Box Testing tools==

=== General Testing ===

* '''[[OWASP_WebScarab_Project|OWASP WebScarab]]'''
** WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins.
* '''[[OWASP_CAL9000_Project|OWASP CAL9000]]'''
** CAL9000 is a collection of browser-based tools that enable more effective and efficient manual testing efforts.
** Includes an XSS Attack Library, Character Encoder/Decoder, HTTP Request Generator and Response Evaluator, Testing Checklist, Automated Attack Editor and much more.
* '''[[:Category:OWASP Pantera Web Assessment Studio Project|OWASP Pantera Web Assessment Studio Project]]'''
** Pantera uses an improved version of SpikeProxy to provide a powerful web application analysis engine. The primary goal of Pantera is to combine automated capabilities with complete manual testing to get the best penetration testing results.
* '''[[:OWASP Zed Attack Proxy Project]]'''
** The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.
** ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
* '''[[:OWASP Mantra - Security Framework]]'''
**Mantra is a web application security testing framework built on top of a browser. It supports Windows, Linux(both 32 and 64 bit) and Macintosh, in addition, it can work with other software like ZAP using built in proxy management function which makes it much more convenient. Mantra is available in 9 languages: Arabic, Chinese - Simplified, Chinese - Traditional, English, French, Portuguese, Russian, Spanish and Turkish.
* '''SPIKE''' - http://www.immunitysec.com/resources-freesoftware.shtml
** SPIKE designed to analyze new network protocols for buffer overflows or similar weaknesses. It requires a strong knowledge of C to use and only available for the Linux platform.
* '''Burp Proxy''' - http://www.portswigger.net/Burp/
** Burp Proxy is an intercepting proxy server for security testing of web applications it allows Intercepting and modifying all HTTP/S traffic passing in both directions, it can work with custom SSL certificates and non-proxy-aware clients.
* '''Odysseus Proxy''' - http://www.wastelands.gen.nz/odysseus/
** Odysseus is a proxy server, which acts as a man-in-the-middle during an HTTP session. A typical HTTP proxy will relay packets to and from a client browser and a web server. It will intercept an HTTP session's data in either direction.
* '''Webstretch Proxy''' - http://sourceforge.net/projects/webstretch
** Webstretch Proxy enable users to view and alter all aspects of communications with a web site via a proxy. It can also be used for debugging during development.
* '''WATOBO''' - http://sourceforge.net/apps/mediawiki/watobo/index.php?title=Main_Page
** WATOBO works like a local proxy, similar to Webscarab, ZAP or BurpSuite and it supports passive and active checks.
* '''Firefox LiveHTTPHeaders''' - https://addons.mozilla.org/en-US/firefox/addon/live-http-headers/
** View HTTP headers of a page and while browsing.
* '''Firefox Tamper Data''' - https://addons.mozilla.org/en-US/firefox/addon/tamper-data/
** Use tamperdata to view and modify HTTP/HTTPS headers and post parameters
* '''Firefox Web Developer Tools''' - https://addons.mozilla.org/en-US/firefox/addon/web-developer/
** The Web Developer extension adds various web developer tools to the browser.
* '''DOM Inspector''' - https://developer.mozilla.org/en/docs/DOM_Inspector
** DOM Inspector is a developer tool used to inspect, browse, and edit the Document Object Model (DOM)
* '''Firefox Firebug''' - http://getfirebug.com/
** Firebug integrates with Firefox to edit, debug, and monitor CSS, HTML, and JavaScript.
* '''Grendel-Scan''' - http://securitytube-tools.net/index.php?title=Grendel_Scan
** Grendel-Scan is an automated security scanning of web applications and also supports manual penetration testing.
* '''OWASP SWFIntruder''' - http://www.mindedsecurity.com/swfintruder.html
** SWFIntruder (pronounced Swiff Intruder) is the first tool specifically developed for analyzing and testing security of Flash applications at runtime.
* '''SWFScan''' - http://h30499.www3.hp.com/t5/Following-the-Wh1t3-Rabbit/SWFScan-FREE-Flash-decompiler/ba-p/5440167
** Flash decompiler
* '''Wikto''' - http://www.sensepost.com/labs/tools/pentest/wikto
** Wikto features including fuzzy logic error code checking, a back-end miner, Google-assisted directory mining and real time HTTP request/response monitoring.
* '''w3af''' - http://w3af.org
** w3af is a Web Application Attack and Audit Framework. The project’s goal is finding and exploiting web application vulnerabilities.
* '''skipfish''' - http://code.google.com/p/skipfish/
** Skipfish is an active web application security reconnaissance tool.
* '''Web Developer toolbar''' - https://chrome.google.com/webstore/detail/bfbameneiokkgbdmiekhjnmfkcnldhhm
** The Web Developer extension adds a toolbar button to the browser with various web developer tools. This is the official port of the Web Developer extension for Firefox.
** '''HTTP Request Maker''' - https://chrome.google.com/webstore/detail/kajfghlhfkcocafkcjlajldicbikpgnp?hl=en-US
* Request Maker is a tool for penetration testing. With it you can easily capture requests made by web pages, tamper with the URL, headers and POST data and, of course, make new requests
** '''Cookie Editor''' - https://chrome.google.com/webstore/detail/fngmhnnpilhplaeedifhccceomclgfbg?hl=en-US
* Edit This Cookie is a cookie manager. You can add, delete, edit, search, protect and block cookies
** '''Cookie swap''' - https://chrome.google.com/webstore/detail/dffhipnliikkblkhpjapbecpmoilcama?hl=en-US
* Swap My Cookies is a session manager, it manages cookies, letting you login on any website with several different accounts.
** '''Firebug lite for Chrome"" - https://chrome.google.com/webstore/detail/bmagokdooijbeehmkpknfglimnifench
*Firebug Lite is not a substitute for Firebug, or Chrome Developer Tools. It is a tool to be used in conjunction with these tools. Firebug Lite provides the rich visual representation we are used to see in Firebug when it comes to HTML elements, DOM elements, and Box Model shading. It provides also some cool features like inspecting HTML elemements with your mouse, and live editing CSS properties
** '''Session Manager"" - https://chrome.google.com/webstore/detail/bbcnbpafconjjigibnhbfmmgdbbkcjfi
*With Session Manager you can quickly save your current browser state and reload it whenever necessary. You can manage multiple sessions, rename or remove them from the session library. Each session remembers the state of the browser at its creation time, i.e the opened tabs and windows.
** '''Subgraph Vega''' - http://www.subgraph.com/products.html
*Vega is a free and open source scanner and testing platform to test the security of web applications. Vega can help you find and validate SQL Injection, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities. It is written in Java, GUI based, and runs on Linux, OS X, and Windows.

=== Testing for specific vulnerabilities ===

==== Testing for DOM XSS ====
* DOMinator Pro - https://dominator.mindedsecurity.com

==== Testing AJAX ====
* '''[[:Category:OWASP Sprajax Project|OWASP Sprajax Project]]'''
==== Testing for SQL Injection ====
* '''[[:Category:OWASP_SQLiX_Project|OWASP SQLiX]]'''
* Sqlninja: a SQL Server Injection & Takeover Tool - http://sqlninja.sourceforge.net
* Bernardo Damele A. G.: sqlmap, automatic SQL injection tool - http://sqlmap.org/
* Absinthe 1.1 (formerly SQLSqueal) - http://sourceforge.net/projects/absinthe/
* SQLInjector - Uses inference techniques to extract data and determine the backend database server. http://www.databasesecurity.com/sql-injector.htm
* Bsqlbf-v2: A perl script allows extraction of data from Blind SQL Injections - http://code.google.com/p/bsqlbf-v2/
* Pangolin: An automatic SQL injection penetration testing tool - http://www.darknet.org.uk/2009/05/pangolin-automatic-sql-injection-tool/
* Antonio Parata: Dump Files by sql inference on Mysql - SqlDumper - http://www.ruizata.com/
* Multiple DBMS Sql Injection tool - SQL Power Injector - http://www.sqlpowerinjector.com/
* MySql Blind Injection Bruteforcing, Reversing.org - sqlbftools - http://packetstormsecurity.org/files/43795/sqlbftools-1.2.tar.gz.html

==== Testing Oracle ====
* TNS Listener tool (Perl) - http://www.jammed.com/%7Ejwa/hacks/security/tnscmd/tnscmd-doc.html
* Toad for Oracle - http://www.quest.com/toad
==== Testing SSL ====
* Foundstone SSL Digger - http://www.mcafee.com/us/downloads/free-tools/ssldigger.aspx
==== Testing for Brute Force Password ====
* THC Hydra - http://www.thc.org/thc-hydra/
* John the Ripper - http://www.openwall.com/john/
* Brutus - http://www.hoobie.net/brutus/
* Medusa - http://www.foofus.net/~jmk/medusa/medusa.html
*Ncat - http://nmap.org/ncat/

==== Testing Buffer Overflow ====
* OllyDbg - http://www.ollydbg.de
** "A windows based debugger used for analyzing buffer overflow vulnerabilities"
* Spike - http://www.immunitysec.com/downloads/SPIKE2.9.tgz
** A fuzzer framework that can be used to explore vulnerabilities and perform length testing
* Brute Force Binary Tester (BFB) - http://bfbtester.sourceforge.net
** A proactive binary checker

[[Category:FIXME|link not working

* Metasploit - http://www.metasploit.com/projects/Framework/
** A rapid exploit development and Testing frame work

]]
==== Fuzzer ====
* '''[[:Category:OWASP_WSFuzzer_Project|OWASP WSFuzzer]]'''
* Wfuzz - http://www.darknet.org.uk/2007/07/wfuzz-a-tool-for-bruteforcingfuzzing-web-applications/

==== Googling ====
* Stach & Liu's Google Hacking Diggity Project - http://www.stachliu.com/resources/tools/google-hacking-diggity-project/
* Foundstone Sitedigger (Google cached fault-finding) - http://www.mcafee.com/us/downloads/free-tools/sitedigger.aspx

==Commercial Black Box Testing tools==

* NGS Typhon III - http://www.nccgroup.com/en/our-services/security-testing-audit-compliance/information-security-software/ngs-typhon-iii/
* NGSSQuirreL - http://www.nccgroup.com/en/our-services/security-testing-audit-compliance/information-security-software/ngs-squirrel-vulnerability-scanners/
* IBM AppScan - http://www-01.ibm.com/software/awdtools/appscan/
* Cenzic Hailstorm - http://www.cenzic.com/products_services/cenzic_hailstorm.php
* Burp Intruder - http://www.portswigger.net/burp/intruder.html
* Acunetix Web Vulnerability Scanner - http://www.acunetix.com
* Sleuth - http://www.sandsprite.com
* NT Objectives NTOSpider - http://www.ntobjectives.com/products/ntospider.php
* MaxPatrol Security Scanner - http://www.maxpatrol.com
* Ecyware GreenBlue Inspector - http://www.ecyware.com
* Parasoft SOAtest (more QA-type tool)- http://www.parasoft.com/jsp/products/soatest.jsp?itemId=101
* MatriXay - http://www.dbappsecurity.com/webscan.html
* N-Stalker Web Application Security Scanner - http://www.nstalker.com
* HP WebInspect - http://www.hpenterprisesecurity.com/products/hp-fortify-software-security-center/hp-webinspect
* SoapUI (Web Service security testing) - http://www.soapui.org/Security/getting-started.html
* Netsparker - http://www.mavitunasecurity.com/netsparker/
* SAINT - http://www.saintcorporation.com/
* QualysGuard WAS - http://www.qualys.com/enterprises/qualysguard/web-application-scanning/
* Retina Web - http://www.eeye.com/Products/Retina/Web-Security-Scanner.aspx

[[Category:FIXME|check these links

* Cenzic Hailstorm - http://www.cenzic.com/products_services/cenzic_hailstorm.php

link broken:

* ScanDo - http://www.kavado.com

]]

==Source Code Analyzers==

===Open Source / Freeware===
* [[:Category:OWASP_Orizon_Project|Owasp Orizon]]
* '''[[:Category:OWASP_LAPSE_Project|OWASP LAPSE]]'''
* [[OWASP O2 Platform]]
* Google CodeSearchDiggity - http://www.stachliu.com/resources/tools/google-hacking-diggity-project/attack-tools/
* PMD - http://pmd.sourceforge.net/
* FlawFinder - http://www.dwheeler.com/flawfinder
* Microsoft’s [[FxCop]]
* Splint - http://splint.org
* Boon - http://www.cs.berkeley.edu/~daw/boon
* FindBugs - http://findbugs.sourceforge.net
* Find Security Bugs - http://h3xstream.github.io/find-sec-bugs/
* Oedipus - http://www.darknet.org.uk/2006/06/oedipus-open-source-web-application-security-analysis/
* W3af - http://w3af.sourceforge.net/
* phpcs-security-audit - https://github.com/Pheromone/phpcs-security-audit

[[Category:FIXME|broken link

* Pscan - http://www.striker.ottawa.on.ca/~aland/pscan

]]

===Commercial ===

* Armorize CodeSecure - http://www.armorize.com/index.php?link_id=codesecure
* Parasoft C/C++ test - http://www.parasoft.com/jsp/products/cpptest.jsp/index.htm
* Checkmarx CxSuite - http://www.checkmarx.com
* HP Fortify - http://www.hpenterprisesecurity.com/products/hp-fortify-software-security-center/hp-fortify-static-code-analyzer
* GrammaTech - http://www.grammatech.com
* ITS4 - http://seclab.cs.ucdavis.edu/projects/testing/tools/its4.html
* Appscan - http://www-01.ibm.com/software/rational/products/appscan/source/
* ParaSoft - http://www.parasoft.com
* Virtual Forge CodeProfiler for ABAP - http://www.virtualforge.de
* Veracode - http://www.veracode.com

[[Category:FIXME|link not working

* Armorize CodeSecure - http://www.armorize.com/product/

]]

==Acceptance Testing Tools==
Acceptance testing tools are used to validate the functionality of web applications. Some follow a scripted approach and typically make use of a Unit Testing framework to construct test suites and test cases. Most, if not all, can be adapted to perform security specific tests in addition to functional tests.

===Open Source Tools===

* WATIR - http://wtr.rubyforge.org
** A Ruby based web testing framework that provides an interface into Internet Explorer.
** Windows only.
* HtmlUnit - http://htmlunit.sourceforge.net
** A Java and JUnit based framework that uses the Apache HttpClient as the transport.
** Very robust and configurable and is used as the engine for a number of other testing tools.
* jWebUnit - http://jwebunit.sourceforge.net
** A Java based meta-framework that uses htmlunit or selenium as the testing engine.
* Canoo Webtest - http://webtest.canoo.com
** An XML based testing tool that provides a facade on top of htmlunit.
** No coding is necessary as the tests are completely specified in XML.
** There is the option of scripting some elements in Groovy if XML does not suffice.
** Very actively maintained.
* HttpUnit - http://httpunit.sourceforge.net
** One of the first web testing frameworks, suffers from using the native JDK provided HTTP transport, which can be a bit limiting for security testing.
* Watij - http://watij.com
** A Java implementation of WATIR.
** Windows only because it uses IE for its tests (Mozilla integration is in the works).
* Solex - http://solex.sourceforge.net
** An Eclipse plugin that provides a graphical tool to record HTTP sessions and make assertions based on the results.
* Selenium - http://seleniumhq.org/
** JavaScript based testing framework, cross-platform and provides a GUI for creating tests.
** Mature and popular tool, but the use of JavaScript could hamper certain security tests.

==Other Tools==

===Runtime Analysis===

* Rational PurifyPlus - http://www-01.ibm.com/software/awdtools/purify/
* Seeker by Quotium - http://www.quotium.com/prod/security.php

===Binary Analysis===

* BugScam IDC Package - http://sourceforge.net/projects/bugscam
* Veracode - http://www.veracode.com

===Requirements Management===

* Rational Requisite Pro - http://www-306.ibm.com/software/awdtools/reqpro

===Site Mirroring===
* wget - http://www.gnu.org/software/wget, http://www.interlog.com/~tcharron/wgetwin.html
* curl - http://curl.haxx.se
* Sam Spade - http://www.samspade.org
* Xenu's Link Sleuth - http://home.snafu.de/tilman/xenulink.html

Test HTTP Methods (OTG-CONFIG-006)

2014-04-01T21:57:25Z

Amro Ahmed:

{{Template:OWASP Testing Guide v4}}

== Brief Summary ==
HTTP offers a number of methods that can be used to perform actions on the web server. Many of theses methods are designed to aid developers in deploying and testing HTTP applications. These HTTP methods can be used for nefarious purposes if the web server is misconfigured. Additionally, Cross Site Tracing (XST), a form of cross site scripting using the server's HTTP TRACE method, is examined. 

== Short Description of the Issue ==
While GET and POST are by far the most common methods that are used to access information provided by a web server, the Hypertext Transfer Protocol (HTTP) allows several other (and somewhat less known) methods. RFC 2616 (which describes HTTP version 1.1 which is the today standard) defines the following eight methods:

* HEAD
* GET
* POST
* PUT
* DELETE
* TRACE
* OPTIONS
* CONNECT

Some of these methods can potentially pose a security risk for a web application, as they allow an attacker to modify the files stored on the web server and, in some scenarios, steal the credentials of legitimate users. More specifically, the methods that should be disabled are the following:

* PUT: This method allows a client to upload new files on the web server. An attacker can exploit it by uploading malicious files (e.g.: an asp file that executes commands by invoking cmd.exe), or by simply using the victim's server as a file repository
* DELETE: This method allows a client to delete a file on the web server. An attacker can exploit it as a very simple and direct way to deface a web site or to mount a DoS attack
* CONNECT: This method could allow a client to use the web server as a proxy
* TRACE: This method simply echoes back to the client whatever string has been sent to the server, and is used mainly for debugging purposes. This method, originally assumed harmless, can be used to mount an attack known as Cross Site Tracing, which has been discovered by Jeremiah Grossman (see links at the bottom of the page)

If an application needs one or more of these methods, such as REST Web Services (which may require PUT or DELETE), it is important to check that their usage is properly limited to trusted users and safe conditions.

== Arbitrary HTTP Methods ==

Arshan Dabirsiaghi (see links) discovered that many web application frameworks allowed well chosen and/or arbitrary HTTP methods to bypass an environment level access control check:

* Many frameworks and languages treat "HEAD" as a "GET" request, albeit one without any body in the response. If a security constraint was set on "GET" requests such that only "authenticatedUsers" could access GET requests for a particular servlet or resource, it would be bypassed for the "HEAD" version. This allowed unauthorized blind submission of any privileged GET request

* Some frameworks allowed arbitrary HTTP methods such as "JEFF" or "CATS" to be used without limitation. These were treated as if a "GET" method was issued, and again were found not to be subject to method role based access control checks on a number of languages and frameworks, again allowing unauthorized blind submission of privileged GET requests.

In many cases, code which explicitly checked for a "GET" or "POST" method would be safe.

== Black Box testing and example ==
'''Discover the Supported Methods''' 
To perform this test, we need some way to figure out which HTTP methods are supported by the web server we are examining. The OPTIONS HTTP method provides us with the most direct and effective way to do that. RFC 2616 states that, "The OPTIONS method represents a request for information about the communication options available on the request/response chain identified by the Request-URI".

The testing method is extremely straightforward and we only need to fire up netcat (or telnet):
<pre>
$ nc www.victim.com 80
OPTIONS / HTTP/1.1
Host: www.victim.com

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Tue, 31 Oct 2006 08:00:29 GMT
Connection: close
Allow: GET, HEAD, POST, TRACE, OPTIONS
Content-Length: 0

</pre>
As we can see in the example, OPTIONS provides a list of the methods that are supported by the web server, and in this case we can see, for instance, that TRACE method is enabled. The danger that is posed by this method is illustrated in the following section 
'''Test XST Potential''' 
Note: in order to understand the logic and the goals of this attack you need to be familiar with [[XSS |Cross Site Scripting attacks]].

The TRACE method, while apparently harmless, can be successfully leveraged in some scenarios to steal legitimate users' credentials. This attack technique was discovered by Jeremiah Grossman in 2003, in an attempt to bypass the [[HTTPOnly]] tag that Microsoft introduced in Internet Explorer 6 sp1 to protect cookies from being accessed by JavaScript. As a matter of fact, one of the most recurring attack patterns in Cross Site Scripting is to access the document.cookie object and send it to a web server controlled by the attacker so that he/she can hijack the victim's session. Tagging a cookie as httpOnly forbids JavaScript to access it, protecting it from being sent to a third party. However, the TRACE method can be used to bypass this protection and access the cookie even in this scenario.

As mentioned before, TRACE simply returns any string that is sent to the web server. In order to verify its presence (or to double-check the results of the OPTIONS request shown above), we can proceed as shown in the following example:
<pre>
$ nc www.victim.com 80
TRACE / HTTP/1.1
Host: www.victim.com

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Tue, 31 Oct 2006 08:01:48 GMT
Connection: close
Content-Type: message/http
Content-Length: 39

TRACE / HTTP/1.1
Host: www.victim.com
</pre>
As we can see, the response body is exactly a copy of our original request, meaning that our target allows this method. Now, where is the danger lurking? If we instruct a browser to issue a TRACE request to the web server, and this browser has a cookie for that domain, the cookie will be automatically included in the request headers, and will therefore be echoed back in the resulting response. At that point, the cookie string will be accessible by JavaScript and it will be finally possible to send it to a third party even when the cookie is tagged as httpOnly.

There are multiple ways to make a browser issue a TRACE request, such as the XMLHTTP ActiveX control in Internet Explorer and XMLDOM in Mozilla and Netscape. However, for security reasons the browser is allowed to start a connection only to the domain where the hostile script resides. This is a mitigating factor, as the attacker needs to combine the TRACE method with another vulnerability in order to mount the attack. Basically, an attacker has two ways to successfully launch a Cross Site Tracing attack:

# Leveraging another server-side vulnerability: the attacker injects the hostile JavaScript snippet that contains the TRACE request in the vulnerable application, as in a normal Cross Site Scripting attack
# Leveraging a client-side vulnerability: the attacker creates a malicious website that contains the hostile JavaScript snippet and exploits some cross-domain vulnerability of the browser of the victim, in order to make the JavaScript code successfully perform a connection to the site that supports the TRACE method and that originated the cookie that the attacker is trying to steal.

More detailed information, together with code samples, can be found in the original whitepaper written by Jeremiah Grossman. 

== Black Box Testing of HTTP method tampering ==

Testing for HTTP method tampering is essentially the same as testing for XST.

=== Testing for arbitrary HTTP methods ===

Find a page you'd like to visit that has a security constraint such that it would normally force a 302 redirect to a login page or forces a login directly. The test URL in this example works like this - as do many web applications. However, if you obtain a "200" response that is not a login page, it is possible to bypass authentication and thus authorization.

<pre>
$ nc www.example.com 80
JEFF / HTTP/1.1
Host: www.example.com

HTTP/1.1 200 OK
Date: Mon, 18 Aug 2008 22:38:40 GMT
Server: Apache
Set-Cookie: PHPSESSID=K53QW...
</pre>

If your framework or firewall or application does not support the "JEFF" method, it should issue an error page (or preferably a 405 Not Allowed or 501 Not implemented error page). If it services the request, it is vulnerable to this issue.

If you feel that the system is vulnerable to this issue, issue CSRF-like attacks to exploit the issue more fully:

* FOOBAR /admin/createUser.php?member=myAdmin
* JEFF /admin/changePw.php?member=myAdmin&passwd=foo123&confirm=foo123
* CATS /admin/groupEdit.php?group=Admins&member=myAdmin&action=add

With some luck, using the above three commands - modified to suit the application under test and testing requirements - a new user would be created, a password assigned, and made an admin.

=== Testing for HEAD access control bypass ===

Find a page you'd like to visit that has a security constraint such that it would normally force a 302 redirect to a login page or forces a login directly. The test URL in this example works like this - as do many web applications. However, if you obtain a "200" response that is not a login page, it is possible to bypass authentication and thus authorization.

<pre>
$ nc www.example.com 80
HEAD /admin HTTP/1.1
Host: www.example.com

HTTP/1.1 200 OK
Date: Mon, 18 Aug 2008 22:44:11 GMT
Server: Apache
Set-Cookie: PHPSESSID=pKi...; path=/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: adminOnlyCookie1=...; expires=Tue, 18-Aug-2009 22:44:31 GMT; domain=www.example.com
Set-Cookie: adminOnlyCookie2=...; expires=Mon, 18-Aug-2008 22:54:31 GMT; domain=www.example.com
Set-Cookie: adminOnlyCookie3=...; expires=Sun, 19-Aug-2007 22:44:30 GMT; domain=www.example.com
Content-Language: EN
Connection: close
Content-Type: text/html; charset=ISO-8859-1
</pre>

If you get a "405 Method not allowed" or "501 Method Unimplemented", the application/framework/language/system/firewall is working correctly. If a "200" response code comes back, and the response contains no body, it's likely that the application has processed the request without authentication or authorization and further testing is warranted.

If you feel that the system is vulnerable to this issue, issue CSRF-like attacks to exploit the issue more fully:

* HEAD /admin/createUser.php?member=myAdmin
* HEAD /admin/changePw.php?member=myAdmin&passwd=foo123&confirm=foo123
* HEAD /admin/groupEdit.php?group=Admins&member=myAdmin&action=add

With some luck, using the above three commands - modified to suit the application under test and testing requirements - a new user would be created, a password assigned, and made an admin, all using blind request submission.

== Gray Box testing and example ==
The testing in a Gray Box scenario follows the same steps of a Black Box scenario.

== References ==
'''Whitepapers''' 
* RFC 2616: "Hypertext Transfer Protocol -- HTTP/1.1"
* RFC 2109 and RFC 2965: "HTTP State Management Mechanism"
* Jeremiah Grossman: "Cross Site Tracing (XST)" - http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf 
* Amit Klein: "XS(T) attack variants which can, in some cases, eliminate the need for TRACE" - http://www.securityfocus.com/archive/107/308433
* Arshan Dabirsiaghi: "Bypassing VBAAC with HTTP Verb Tampering" - http://static.swpag.info/download/Bypassing_VBAAC_with_HTTP_Verb_Tampering.pdf

'''Tools'''
* NetCat - http://nc110.sourceforge.net
*cURL - http://curl.haxx.se/

User:Amro Ahmed

2014-02-24T11:33:47Z

Amro Ahmed:

Amro AlOlaqi joined OWASP back in 2008. ( My old user account: https://www.owasp.org/index.php/User:Amro )

Amro currently works as a Sr. Consultant at Verizon (Threat & Vulnerability). Prior joining Verizon, Amro worked for BAE Systems, Saudi Aramco, IS, and Red Hat, he has more than 9 years of experience in Information security. He started his professional career at early age, since then, he engaged the field of UNIX/Linux engineering and systems’ security. He carried out penetration tests, application , vulnerability assessments and security audits for prestigious organizations. Moreover, his expertise extends across industry verticals, security technologies plus hacking tools and techniques.

'''''OWASP Involvement'''''
* Chapter leader: Saudi Arabia
* Chapter leader: Untied Arab Emirates
* Contributor: OWASP Testing Guide v4
* Contributor: OWASP Web Application Security Testing Cheat Sheet
* ZAP Core Team: OWASP Zed Attack Proxy Project
* ZAP Evangelist: Middle East
* Contributor: OWASP Speakers Project
* Volunteer: OWASP Periodic Table of Vulnerabilities

'''''Public Speaking'''''
*Speaker: Web Application Security ("Why" "How" and "When") at IDC IT Security Roadshow - Dubai
*Speaker: Application Security at i-safe (ISACA UAE) – UAE
*Speaker: Ethical Hacking at Compliance and Beyond - Saudi.
*Speaker: Web Application Security at F5 - Saudi.
*Speaker: OWASP The Power of Code Review at aSecurity, Netherlands
*Speaker: Web Application Security and the OWASP top 10 at ISACA Jeddah – Saudi
*Speaker: Web App Critical Vulnerabilities and OWASP's ESAPI at The Cyber Information Security Summit - UAE
*Speaker: Information Security Awareness at Arabou University - Saudi.
*Speaker: Threat Modeling and Penetration test at IT for Government Summit - UAE
*Speaker: Ethical Hacking and penetration testing at Microsoft Open Doors – Saudi.
*Speaker: Ethical Hacking and penetration testing at Microsoft Open Doors – Saudi.
*Speaker: OWASP Testing Guide at OWASP KSA - Saudi.
*Speaker: OWASP's introduction and projects at the open university - Saudi

'''Get in touch with Amro on LinkedIn: http://www.linkedin.com/in/iamro'''

User:Amro Ahmed

2014-02-24T11:15:09Z

Amro Ahmed:

Amro AlOlaqi joined OWASP back in 2008. ( My old user account: https://www.owasp.org/index.php/User:Amro )

Amro currently works as a Sr. Consultant at Verizon (Threat & Vulnerability). Prior joining Verizon, Amro worked for BAE Systems, Saudi Aramco, IS, and Red Hat, he has more than 9 years of experience in Information security. He started his professional career at early age, since then, he engaged the field of UNIX/Linux engineering and systems’ security. He carried out penetration tests, application , vulnerability assessments and security audits for prestigious organizations. Moreover, his expertise extends across industry verticals, security technologies plus hacking tools and techniques. Amro hold well-recognized international certifications such as CISSP, GCIH, GHTQ, LPT, CEH, CHFI, RHCE, SCSA, Linux+, LPIC1/2 SCSECA, and Certified ISO 27001 LA/LI

'''''OWASP Involvement'''''
* Chapter leader: Saudi Arabia
* Chapter leader: Untied Arab Emirates
* Contributor: OWASP Testing Guide v4
* Contributor: OWASP Web Application Security Testing Cheat Sheet
* Contributor: OWASP Zed Attack Proxy Project
* Volunteer: OWASP Periodic Table of Vulnerabilities

'''''Media Interaction'''''

*Appeared in 13 TV shows, some of which in the biggest news channels in the Middle East.
*Published +20 newspaper articles to increase the public awareness about Information Security.

After my humble interaction with the Middle East media, I shifted my interest and focus to increase the Application Security awareness among business corporates and GCC governments. Please refer to Public Speaking for more information.

'''''Public Speaking'''''
*Speaker: IDC's IT Security Roadshow - Dubai
*Speaker: Application Security and OWASP at i-safe – UAE
*Speaker: Ethical Hacking at the ‘Compliance and Beyond’ - Saudi.
*Speaker: Web Application Security at F5 - Saudi.
*Speaker: OWASP The Power of Code Review, Netherlands
*Speaker: Web Application Security and OWASP top 10 at ISACA Jeddah – Saudi
*Speaker: Web App Critical Vulnerabilities and OWASP's ESAPI at The Cyber Information Security Summit - UAE
*Speaker: Information Security Awareness at Arabou University - Saudi.
*Speaker: Threat Modeling and Penetration test at IT for Government - UAE
*Speaker: Ethical Hacking and penetration testing at Microsoft Open Doors – Saudi.
*Speaker: Ethical Hacking and penetration testing at Microsoft Open Doors – Saudi.
*Speaker: OWASP Testing Guide at OWASP - Saudi.

* Speaker: OWASP's introduction and projects at the open university - Saudi

'''Get in touch with me. https://twitter.com/Amro_AlOlaqi LinkedIn: http://www.linkedin.com/in/iamro'''

Projects/OWASP Testing Project/Releases/Testing Guide V 4.0

2014-01-15T16:42:48Z

Amro Ahmed:

{{Template: <includeonly>{{{1}}}</includeonly><noinclude>Release About</noinclude>
| project_name = OWASP Testing Project
| project_home_page = :Category:OWASP Testing Project
| release_name = Testing Guide V 4.0
| release_date = 15th February 2013
The new project is available [https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents here]
| release_description =
* Review all the control numbers to adhere to the [http://www.owasp.org/index.php/Common_OWASP_Numbering OWASP Common numbering],
* Review all the sections in v3,
* Create a more readable guide, eliminating some sections that are not really useful,
* Insert new testing techniques: HTTP Verb tampering, HTTP Parameter Pollutions, etc.,
* Rationalize some sections as Session Management Testing,
* Create a new section: Client side security and Firefox extensions testing.
| release_license = [http://creativecommons.org/licenses/by-sa/3.0/ '''Creative Commons Attribution Share Alike 3.0''']
| release_download_link =
| leader_name1 = Matteo Meucci
| leader_username1 = Mmeucci
| leader_email1 = matteo.meucci@owasp.org

| contributor_name1 = Roberto Suggi Liverani
| contributor_email1 =
| contributor_username1 =

| contributor_name2 = Nick Freeman
| contributor_email2 =
| contributor_username2 =

| contributor_name3 = Stefano Di Paola
| contributor_email3 = stefano.dipaola@gmail.com
| contributor_username3 =

| contributor_name4 = Marco Morana
| contributor_email4 = marco.morana@owasp.org
| contributor_username4 =

| contributor_name5 = Giorgio Fedon
| contributor_email5 = giorgio.fedon@gmail.com
| contributor_username5 =

| contributor_name6 = Kevin Horvath
| contributor_email6 = kevin.horvath@gmail.com
| contributor_username6 =

| contributor_name6 = Amro AlOlaqi
| contributor_email6 = amro@owasp.org
| contributor_username7 =

| release_notes = http://www.owasp.org/index.php/Projects/OWASP_Testing_Project/Releases/Testing_Guide_V_4.0/Roadmap
| links_url1 = https://spreadsheets.google.com/ccc?key=0An4Puwz7EA41dDV6cUY2YWpGaHdEbFktbklNMUFiSEE&hl=en
| links_name1 = Testing Guide's (Version 4.0) Approved Budget
}}

Dubai

2013-12-20T23:30:55Z

Amro Ahmed:

{{Chapter Template|chaptername=Dubai|extra=The chapter leaders are [mailto:amro@owasp.org Amro AlOlaqi] and [mailto:tarek@owasp.org Tarek N]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-dubai|emailarchives=http://lists.owasp.org/pipermail/owasp-dubai}}

 

== Local News ==

'''OWASP Moves to MediaWiki Portal - 11:15, 20 May 2006 (EDT)'''

OWASP is pleased to announce the arrival of OWASP 2.0!

OWASP 2.0 utilizes the MediaWiki portal to manage and provide the latest OWASP related information. Enjoy!

 

 

----
'''Our next gathering is on the 14th of Dec 2013 at 6-8pm.'''

MAKE Business Hub [https://maps.google.com/maps?ie=UTF8&q=MAKE+Business+Hub+Cafe&fb=1&hq=make+business+hub&cid=1882949530944650280&hnear=&ll=25.079127,55.136797&spn=0.011816,0.021136&t=m&z=16&vpsrc=0&iwloc=A MAP ]
Al Fattan Tower - Dubai
United Arab Emirate
+971 4 392 9216
Speaker: Peter Dowley
Topic: Security Architecture for Applications, titled "What's the difference between a security bug and a security flaw?"

Speaker bio : Peter has been working in computer security for over 10 years, after
another decade in other areas of IT - System & infrastructure architecture,
Windows desktop & server design & management, database modelling & design,
programming. He has strong expertise in security architecture (especially
for banking systems) and how this relates to risk and fraud management. He
is a senior security consultant with Hewlett-Packard (HP) in Dubai and has
been based in the Gulf region for 5 years.

'''Download the presentation:''' [https://www.owasp.org/index.php/File:Security_Bugs_vs_Flaws.pptx "What's the difference between a security bug and a security flaw"]

----

This will be our first meeting in a while. It will be an opportunity to get introduced to the other members of the OWASP UAE Chapter and discuss the type of events you'd like to see in the future.

This will be a casual meeting at a Caribou Coffee at DIFC

http://www.mealadvisors.com/uae/dubai/restaurant/map/branch_id/1294

Gathering agenda will be:

Meeting on Saturday the 9th of November 2013 at 6pm.
Introductions
Intro to OWASP
Open discussion about Dubai chapter
Networking
Conclude at 8pm

----

'''IDC's IT Security Roadshow 2013 - Dubai '''

Date and Time : Wednesday, April 3, 2013
Venue: Mina A' Salam Hotel (Madinat Jumeirah)
Web Application Security "Think like a hacker"
Speaker: Amro Alolaqi

Reference: http://idc-cema.com/eng/events/50679-idc-s-it-security-roadshow-2013/11-speakers

----

'''Cyber Security Summit 2012- DUBAI'''

Date and Time : 2nd & 3rd of October 2012 - 9:00 AM to 4:00 PM
Venue: Grand Hayat - Dubai
Web Application Critical Vulnerabilities (OWASP top ten)
Speaker: Amro AlOlaqi

http://we-initiative.com/wp-content/uploads/2012/07/Cyber-Security-UAE-2012-EM12.pdf
----

'''ISACA UAE - ISAFE conference 2011 - Dubai'''

Date and Time : 18th - 9:00 AM to 4:00 PM
Venue: The Address Hotel - Dubai Mall
Web Application Critical Vulnerabilities and Threat Modeling
Speaker: Amro AlOlaqi

http://www.isacauae.org/isafe2011/doc/isafe2011brochure.pdf

https://plus.google.com/photos/117947441088827793360/albums/5712379217298867441?banner=pwa

----

'''IT For Government 2011- DUBAI'''

''Location: Dusit Thani Hotel - 133, Sheikh Zayed Road ''

''Date: 4/Oct/2011''

''Registration 8:00 AM''

''NAUGURAL KEYNOTE PRESENTATION BY His Excellency Salem Khamis Al Shair Al Suwaidi Emirates e-Government Director General''

OWASP's session: 11:20 PM
Speaker: Amro AlOlaqi
Subject: The Ten Web Application Critical Risks

For more information about the event, please visit http://www.fleminggulf.com/cms/uploads/conference/downloads/Postshow_report_DBTC15.pdf

[[Category:Middle_East]]

Dubai

2013-12-20T23:29:28Z

Amro Ahmed:

{{Chapter Template|chaptername=Dubai|extra=The chapter leaders are [mailto:amro@owasp.org Amro AlOlaqi] and [mailto:tarek@owasp.org Tarek N]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-dubai|emailarchives=http://lists.owasp.org/pipermail/owasp-dubai}}

 

== Local News ==

'''OWASP Moves to MediaWiki Portal - 11:15, 20 May 2006 (EDT)'''

OWASP is pleased to announce the arrival of OWASP 2.0!

OWASP 2.0 utilizes the MediaWiki portal to manage and provide the latest OWASP related information. Enjoy!

 

 

----
'''Our next gathering is on the 14th of Dec 2013 at 6-8pm.'''

MAKE Business Hub [https://maps.google.com/maps?ie=UTF8&q=MAKE+Business+Hub+Cafe&fb=1&hq=make+business+hub&cid=1882949530944650280&hnear=&ll=25.079127,55.136797&spn=0.011816,0.021136&t=m&z=16&vpsrc=0&iwloc=A MAP ]
Al Fattan Tower - Dubai
United Arab Emirate
+971 4 392 9216

Speaker: Peter Dowley
Topic: Security Architecture for Applications, titled "What's the difference between a security bug and a security flaw?"

Speaker bio : Peter has been working in computer security for over 10 years, after
another decade in other areas of IT - System & infrastructure architecture,
Windows desktop & server design & management, database modelling & design,
programming. He has strong expertise in security architecture (especially
for banking systems) and how this relates to risk and fraud management. He
is a senior security consultant with Hewlett-Packard (HP) in Dubai and has
been based in the Gulf region for 5 years.

'''Download the presentation:''' [https://www.owasp.org/index.php/File:Security_Bugs_vs_Flaws.pptx "What's the difference between a security bug and a security flaw"]

----

This will be our first meeting in a while. It will be an opportunity to get introduced to the other members of the OWASP UAE Chapter and discuss the type of events you'd like to see in the future.

This will be a casual meeting at a Caribou Coffee at DIFC

http://www.mealadvisors.com/uae/dubai/restaurant/map/branch_id/1294

Gathering agenda will be:

Meeting on Saturday the 9th of November 2013 at 6pm.
Introductions
Intro to OWASP
Open discussion about Dubai chapter
Networking
Conclude at 8pm

----

'''IDC's IT Security Roadshow 2013 - Dubai '''

Date and Time : Wednesday, April 3, 2013
Venue: Mina A' Salam Hotel (Madinat Jumeirah)
Web Application Security "Think like a hacker"
Speaker: Amro Alolaqi

Reference: http://idc-cema.com/eng/events/50679-idc-s-it-security-roadshow-2013/11-speakers

----

'''Cyber Security Summit 2012- DUBAI'''

Date and Time : 2nd & 3rd of October 2012 - 9:00 AM to 4:00 PM
Venue: Grand Hayat - Dubai
Web Application Critical Vulnerabilities (OWASP top ten)
Speaker: Amro AlOlaqi

http://we-initiative.com/wp-content/uploads/2012/07/Cyber-Security-UAE-2012-EM12.pdf
----

'''ISACA UAE - ISAFE conference 2011 - Dubai'''

Date and Time : 18th - 9:00 AM to 4:00 PM
Venue: The Address Hotel - Dubai Mall
Web Application Critical Vulnerabilities and Threat Modeling
Speaker: Amro AlOlaqi

http://www.isacauae.org/isafe2011/doc/isafe2011brochure.pdf

https://plus.google.com/photos/117947441088827793360/albums/5712379217298867441?banner=pwa

----

'''IT For Government 2011- DUBAI'''

''Location: Dusit Thani Hotel - 133, Sheikh Zayed Road ''

''Date: 4/Oct/2011''

''Registration 8:00 AM''

''NAUGURAL KEYNOTE PRESENTATION BY His Excellency Salem Khamis Al Shair Al Suwaidi Emirates e-Government Director General''

OWASP's session: 11:20 PM
Speaker: Amro AlOlaqi
Subject: The Ten Web Application Critical Risks

For more information about the event, please visit http://www.fleminggulf.com/cms/uploads/conference/downloads/Postshow_report_DBTC15.pdf

[[Category:Middle_East]]

Dubai

2013-12-20T23:15:44Z

Amro Ahmed:

{{Chapter Template|chaptername=Dubai|extra=The chapter leaders are [mailto:amro@owasp.org Amro AlOlaqi] and [mailto:tarek@owasp.org Tarek N]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-dubai|emailarchives=http://lists.owasp.org/pipermail/owasp-dubai}}

 

== Local News ==

'''OWASP Moves to MediaWiki Portal - 11:15, 20 May 2006 (EDT)'''

OWASP is pleased to announce the arrival of OWASP 2.0!

OWASP 2.0 utilizes the MediaWiki portal to manage and provide the latest OWASP related information. Enjoy!

 

 

----
Our next gathering is on the 14th of Dec 2013 at 6-8pm.

Address is Make Business Hub [https://maps.google.com/maps?ie=UTF8&q=MAKE+Business+Hub+Cafe&fb=1&hq=make+business+hub&cid=1882949530944650280&hnear=&ll=25.079127,55.136797&spn=0.011816,0.021136&t=m&z=16&vpsrc=0&iwloc=A MAP ]

MAKE Business Hub
Al Fattan Tower - Dubai
United Arab Emirates
+971 4 392 9216

Our presenter Peter Dowley will give a talk on Security Architecture for
Applications, titled "What's the difference between a security bug and a
security flaw?"

Peter has been working in computer security for over 10 years, after
another decade in other areas of IT - System & infrastructure architecture,
Windows desktop & server design & management, database modelling & design,
programming. He has strong expertise in security architecture (especially
for banking systems) and how this relates to risk and fraud management. He
is a senior security consultant with Hewlett-Packard (HP) in Dubai and has
been based in the Gulf region for 5 years.

'''Download the presentation:''' [https://www.owasp.org/index.php/File:Security_Bugs_vs_Flaws.pptx "What's the difference between a security bug and a security flaw"]

----

This will be our first meeting in a while. It will be an opportunity to get introduced to the other members of the OWASP UAE Chapter and discuss the type of events you'd like to see in the future.

This will be a casual meeting at a Caribou Coffee at DIFC

http://www.mealadvisors.com/uae/dubai/restaurant/map/branch_id/1294

Gathering agenda will be:

Meeting on Saturday the 9th of November 2013 at 6pm.
Introductions
Intro to OWASP
Open discussion about Dubai chapter
Networking
Conclude at 8pm

----

'''IDC's IT Security Roadshow 2013 - Dubai '''

Date and Time : Wednesday, April 3, 2013

Venue: Mina A' Salam Hotel (Madinat Jumeirah)

Web Application Security "Think like a hacker"

Presented by : Amro Alolaqi

Reference: http://idc-cema.com/eng/events/50679-idc-s-it-security-roadshow-2013/11-speakers

----

'''Cyber Security Summit 2012- DUBAI'''

Date and Time : 2nd & 3rd of October 2012 - 9:00 AM to 4:00 PM

Venue: Grand Hayat - Dubai

Web Application Critical Vulnerabilities (OWASP top ten)

Presented by: Amro AlOlaqi

http://we-initiative.com/wp-content/uploads/2012/07/Cyber-Security-UAE-2012-EM12.pdf
----

'''ISACA UAE - ISAFE conference 2011 - Dubai'''

Date and Time : 18th - 9:00 AM to 4:00 PM

Venue: The Address Hotel - Dubai Mall

Web Application Critical Vulnerabilities and Threat Modeling

Presented by: Amro AlOlaqi

http://www.isacauae.org/isafe2011/doc/isafe2011brochure.pdf

https://plus.google.com/photos/117947441088827793360/albums/5712379217298867441?banner=pwa

----

'''IT For Government 2011- DUBAI'''

''Location: Dusit Thani Hotel - 133, Sheikh Zayed Road ''

''Date: 4/Oct/2011''

''Registration 8:00 AM''

''NAUGURAL KEYNOTE PRESENTATION BY His Excellency Salem Khamis Al Shair Al Suwaidi Emirates e-Government Director General''

OWASP's session: 11:20 PM Amro AlOlaqi ( The Ten Web Application Critical Risks )

For more information about the event, please visit http://www.fleminggulf.com/cms/uploads/conference/downloads/Postshow_report_DBTC15.pdf

[[Category:Middle_East]]

File:Security Bugs vs Flaws.pptx

2013-12-20T23:07:53Z

Amro Ahmed: Security Architecture for Applications, titled "What's the difference between a security bug and a security flaw? presented at the UAE chapter by Peter.

Security Architecture for Applications, titled "What's the difference between a security bug and a security flaw? presented at the UAE chapter by Peter.

Dubai

2013-12-03T18:44:45Z

Amro Ahmed:

{{Chapter Template|chaptername=Dubai|extra=The chapter leaders are [mailto:amro@owasp.org Amro AlOlaqi] and [mailto:tarek@owasp.org Tarek N]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-dubai|emailarchives=http://lists.owasp.org/pipermail/owasp-dubai}}

 

== Local News ==

'''OWASP Moves to MediaWiki Portal - 11:15, 20 May 2006 (EDT)'''

OWASP is pleased to announce the arrival of OWASP 2.0!

OWASP 2.0 utilizes the MediaWiki portal to manage and provide the latest OWASP related information. Enjoy!

 

 

----
Our next gathering is on the 14th of Dec 2013 at 6-8pm.

Address is Make Business Hub [https://maps.google.com/maps?ie=UTF8&q=MAKE+Business+Hub+Cafe&fb=1&hq=make+business+hub&cid=1882949530944650280&hnear=&ll=25.079127,55.136797&spn=0.011816,0.021136&t=m&z=16&vpsrc=0&iwloc=A MAP ]

MAKE Business Hub
Al Fattan Tower - Dubai
United Arab Emirates
+971 4 392 9216

Our presenter Peter Dowley will give a talk on Security Architecture for
Applications, titled "What's the difference between a security bug and a
security flaw?"

Peter has been working in computer security for over 10 years, after
another decade in other areas of IT - System & infrastructure architecture,
Windows desktop & server design & management, database modelling & design,
programming. He has strong expertise in security architecture (especially
for banking systems) and how this relates to risk and fraud management. He
is a senior security consultant with Hewlett-Packard (HP) in Dubai and has
been based in the Gulf region for 5 years.
----

This will be our first meeting in a while. It will be an opportunity to get introduced to the other members of the OWASP UAE Chapter and discuss the type of events you'd like to see in the future.

This will be a casual meeting at a Caribou Coffee at DIFC

http://www.mealadvisors.com/uae/dubai/restaurant/map/branch_id/1294

Gathering agenda will be:

Meeting on Saturday the 9th of November 2013 at 6pm.
Introductions
Intro to OWASP
Open discussion about Dubai chapter
Networking
Conclude at 8pm

----

'''IDC's IT Security Roadshow 2013 - Dubai '''

Date and Time : Wednesday, April 3, 2013

Venue: Mina A' Salam Hotel (Madinat Jumeirah)

Web Application Security "Think like a hacker"

Presented by : Amro Alolaqi

Reference: http://idc-cema.com/eng/events/50679-idc-s-it-security-roadshow-2013/11-speakers

----

'''Cyber Security Summit 2012- DUBAI'''

Date and Time : 2nd & 3rd of October 2012 - 9:00 AM to 4:00 PM

Venue: Grand Hayat - Dubai

Web Application Critical Vulnerabilities (OWASP top ten)

Presented by: Amro AlOlaqi

http://we-initiative.com/wp-content/uploads/2012/07/Cyber-Security-UAE-2012-EM12.pdf
----

'''ISACA UAE - ISAFE conference 2011 - Dubai'''

Date and Time : 18th - 9:00 AM to 4:00 PM

Venue: The Address Hotel - Dubai Mall

Web Application Critical Vulnerabilities and Threat Modeling

Presented by: Amro AlOlaqi

http://www.isacauae.org/isafe2011/doc/isafe2011brochure.pdf

https://plus.google.com/photos/117947441088827793360/albums/5712379217298867441?banner=pwa

----

'''IT For Government 2011- DUBAI'''

''Location: Dusit Thani Hotel - 133, Sheikh Zayed Road ''

''Date: 4/Oct/2011''

''Registration 8:00 AM''

''NAUGURAL KEYNOTE PRESENTATION BY His Excellency Salem Khamis Al Shair Al Suwaidi Emirates e-Government Director General''

OWASP's session: 11:20 PM Amro AlOlaqi ( The Ten Web Application Critical Risks )

For more information about the event, please visit http://www.fleminggulf.com/cms/uploads/conference/downloads/Postshow_report_DBTC15.pdf

[[Category:Middle_East]]

Saudi Arabia

2013-11-04T22:37:39Z

Amro Ahmed:

{{Chapter Template|chaptername=Saudi Arabia|extra=The chapter leaders are [mailto:amro@owasp.org Amro AlOlaqi] [mailto:mohannad.shahat@owasp.org Mohannad Shahat]
<paypal>Saudi Arabia</paypal>
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-SA|emailarchives=http://lists.owasp.org/pipermail/owasp-SA}}

 

== Local News ==

-----

The Saudi Chapter is pleased to announce that we've successfully transalted The Zed Attack Proxy (ZAP) to Arabic - you can now download the ZAP 2.2.2 Language Pack 1 from the following link

https://code.google.com/p/zaproxy/downloads/detail?name=ZAP_2.2.2_language_pack.1.zaplang

-----

-------
December - 10th/2013 (Members gathering)

The agenda for this gathering would be as follows:

*OWASP introduction for new members
*OWASP Saudi Arabia, event planning for 2014
*OWASP Top 10 translation initiative and discuss the possibility of translating the new testing guide when released.

Date: 10th of December Time: 18:00 - 19:00
Venue: Costa Coffee, Olaya Street, Riyadh

Direction: https://maps.google.com.sa/maps?hl=en&sig=BZ4&ie=UTF-8&q=costa+coffee+in+riyadh&fb=1&gl=sacid=0,0,2944591365254196345&ei=OTUeUaOaN8rIswa2x4HYBw&ved=0CAEQ5xgwAA

-------
'''February - 25th/2013 (Members gathering)'''

''The agenda for this gathering would be as follows:''

- Catch up with new members

- OWASP Saudi Arabia and its involvement with other non-profit organizations

- Planning for our next conference/technical session

''Date: 25th of Feb
Time: 18:00 - 19:00
Venue: Costa Coffee, Olaya Street, Riyadh''

Direction: https://maps.google.com.sa/maps?hl=en&sig=BZ4&ie=UTF-8&q=costa+coffee+in+riyadh&fb=1&gl=sacid=0,0,2944591365254196345&ei=OTUeUaOaN8rIswa2x4HYBw&ved=0CAEQ5xgwAA

------

'''Date:''' 24th May 2012, starting at 8:30 PM to 9:30 PM

'''Agenda:'''

1- Welcoming to OWASP Sharqiyah ''Jalsah''#1

2- OWASP?

3- Discussion: How to Start in Web Application Security?

3- Closing

Detailed Agenda document [https://docs.google.com/open?id=0B4eUULYLYNDsLUFOVlJEVkFhRzQ]

'''Location:'''

Al-Liwan Coffee Shop in Khobar opposite to SAAD Hospital.

= '''Application Security and OWASP top 10 - Jeddah''' =

We'll have a technical session to talk about application security and OWASP top 10, as we'll demonstrate the top critical vulnerabilities against web applications.

'''The OWASP Top 10 Web Application Security Risks are:'''

A1: Injection

----

A2: Cross-Site Scripting (XSS)

----

A3: Broken Authentication and Session Management

----

A4: Insecure Direct Object References

----

A5: Cross-Site Request Forgery (CSRF)

----

A6: Security Misconfiguration

----

A7: Insecure Cryptographic Storage

----

A8: Failure to Restrict URL Access

----

A9: Insufficient Transport Layer Protection

----

A10: Unvalidated Redirects and Forwards

 

'''''Date: 21 Jun 2011'''''

'''''Location: Rosewood Corniche - Jeddah'''''

'''''Start: 19:00 End: 21:00'''''

'''''Speaker: Amro AlOlaqi'''''

 

If you're interested to attend the session please confirm by sending your information to amro at owasp.org. 

= '''Jeddah meeting''' =

'''The agenda of the inaugural meeting will be as follows:'''

1. Introduction to OWASP

2. Discuss local OWASP awareness and image programs for Jeddah members.

Date: Sunday, 3, 2010

Location: Costa Coffee, alHamrah, Jeddah.

Sponsored by: SAIS technology

Please do not hesitate to contact me at amro (at) owasp.org for any clarification or inquires

= '''Information Security and beyond - Event''' =

'''Location'''

Venue: Makarim Hall - Marriott Hotel

City : Riyadh - KSA

Date: 25 May 2009

Time: 08:30 - 15:00

 '''''Seminar Agenda'''''

08:00 – 08:30 Registration
08:30 – 09:00 Key note ( SAMA Speaker )
09:00 – 10:00 ISO 27001 ( BSI Speaker )
10:00 – 10:20 Refreshment
10:20 – 11:0 Application Security ( Verizon Business Speaker )
11:00 – 12:00 Penetration Testing using OWASP methodology ( OWASP )
12:00 – 12:30 Prayer time
12:30 - 01:20 Enterprise Security ( F5 Speaker )
01:20 – 01:40 Q & A
01:40 – 02:30 Lunch

 '''''Event Speaker'''''

 

''''Mr. Saqer Al-Orabi Al-Harthi.''' Information System and Control Manager Saudi Arabian Monetary Agency (SAMA)

Mr. Saqer Al-Orabi Al-Harthi is responsible for the Information System and Control at SAMA – Banking Technology Department. Mr. Al-Harthi has been the chairman of various committees at SAMA such as: SAMA and Banks Information Security Managers Committee, Information Security Awareness Committee and Security Training Committee. Mr. Al-Harthi has been instrumental in building Information Security for the Saudi financial industry by initiating and executing major projects such as SARIE Security, SPAN Security, PKI, and he has been the champion in PCI development within Saudi Arabia along with other security related projects. Furthermore, Mr. Al-Harthi has presented in many IT Security seminars and events. Mr. Al-Harthi holds a Masters degree in Computer and Information System from U.S.A. and he is a Certified Information Security Manager (CISM).

''''Amro AlOlaqi''' Information Security Consultant 

Amro has more than 7 years of experience in Information security. He started his professional career at early age, since then, he engaged the field of UNIX/Linux engineering and systems’ security. Throughout his extraordinary achievements and accomplishments, he became amongst the most recognized experts in the field of penetration testing, application security and vulnerability assessment within Saudi Arabia. He carried out penetration tests, application , vulnerability assessments and security audits for prestigious organizations. Moreover, his expertise extends across industry verticals, security technologies plus hacking tools and techniques. Amro is the OWASP chapter leader for Saudi Arabia and United Arab Emirates, also he is specialized at cyber crime investigations and digital forensics. Nevertheles, Amro hold well-recognized international certifications such as GCIH, GHTQ, ECSA/LPT, CEH, CHFI, Security+, RHCE, SCSA, Linux+, LPIC1, LPIC2 and SCSECA.

 ''''Theuns Kotze''' Regional Director BSI – Middle East and Africa

Mr. Kotze holds a B. Comm. Degree from the University of Pretoria. He is currently the Regional Director for BSI – Management Systems in Middle East and Africa. In BSI he was the Sales and Marketing Director for BSI- Management Systems in Europe based in London. He was an Executive Director of Nosa International responsible for Auditing and Certification Globally. During 2002 he developed an Aids management standard now known as AMS 16001. The AMS 16001 is now the South African Standard for Aids management and could become the ISO standard for aids management in future. He gained extensive knowledge and experience in Europe and Middle East in the last 2 years. He conducted more than 2000 assessments on various standards in the last 20 years. Theuns had a private pilot’s license for 20 years and has flown many types of airplanes. He is married to Maria and has a son John 8 and they now live in Dubai.

'''Ali Akl''' Principal Consultant Verizon Business Security Solutions

Ali has over 10 years experience in Information Security, Business Continuity and Disaster Recovery. He has a unique blend of technical expertise along with management consulting experience, which has made him a valuable consultant to many organizations in the public and private sectors. He has contributed to the OPM3 standard development project, he is also CISSP and CISM, and has earned the GIAC Fundamentals of Security Policy certificate and recently has earned the Member Status of the Business Continuity Institute as well Certified in Disaster Recovery and Planning and finally he has been invited into the Fellowship Program of the International Multilateral Partnership Against Cyber-Terrorism (‘IMPACT’).

 ''''Zakeer Zubair''' Field Systems Engineer

Zakeer Zubair is a senior technical team player in F5’s Middle East operation. Since obtaining his Bachelor degree in Mathematics, Zubair has spent the last 9 years working in networking and security for a variety of systems integrators including Schlumberger and Atos Origin. This role has involved integrating best of breed vendor networking and security devices and necessitated skills in routing, switching, security and application switching. Zubair has technical certifications from F5, Cisco, Juniper, Nortel Networks, Extreme Networks, Microsoft and CISSP.

----

= '''PCI compliance seminar''' =

----

'''Location'''

Venue: Makarim Hall - Marriott Hotel

City : Riyadh - KSA

Date: 2nd March 2009

Time: 08:30 - 15:00

'''Seminar Agenda'''

08:30 – 09:00 Registration Team
09:00 – 09:30 Introduction
09:30 – 10:20 PCI (Applications Firewalls/SSL VPN)
10:20 – 10:40 Refreshment
10:40 – 11:20 OWASP and PCI compliance
11:20 – 12:10 Application Delivery Controller
12:10 – 12:40 Prayer
12:40 – 01:00 Last Session + Questions +Closing Session
01:00 – 02:00 Lunch

'''''Speakers'''''

'''Peter Draper''', Security Specialist: has been providing guidance, design and implementation of Info Sec solutions for some 17+ years. The last ten years have been focused on Application delivery and security with the most recent focus following the main hacking attempts into the Web Application Security space. Peter has been instrumental in delivering Web Application Security into a wide and varied range of customers including finance, government, ecommerce and travel industry companies. Within the Middle East region Peter had delivered solutions to Government, Finance and Corporate customers ensuring the best possible protection is in place to secure customer sensitive data.

Peter’s presentation will focus on:

1) What is the “PCI Journey”?
2) What do I need to do and when?
3) Is PCI the only reason to deploy security solutions?
4) Where should I concentrate my $
5) What happens once I have it?

 '''Nigel Ashworth''', F5 MEA Technical Director: has been F5’s Technical Director for Middle East and Africa since September 2005. In that time he has driven the region’s increasing importance to F5’s global business, managing the pre sales engineering team, and investing technical resources in key verticals to drive double-digit sales growth. Nigel has been with F5 for nine years in a number of senior technical roles, including Technical Director responsible for driving EMEA Strategic Alliances with key partners including Microsoft, SAP and Oracle, and Technical Director responsible for pre-sales in Europe. Prior to joining F5, Nigel held technical leadership positions for companies including Reuters and UB Networks. He received his B.S in Electrical Engineering from Portsmouth University.

 

''''Amro AlOlaqi, ''' Information Security Consultant Amro has more than 7 years of experience in Information security. He started his professional career at early age, since then, he engaged the field of UNIX/Linux engineering and systems’ security. Throughout his extraordinary achievements and accomplishments, he became amongst the most recognized experts in the field of penetration testing, application security and vulnerability assessment within Saudi Arabia. He carried out penetration tests, application , vulnerability assessments and security audits for prestigious organizations. Moreover, his expertise extends across industry verticals, security technologies plus hacking tools and techniques. Amro is the OWASP chapter leader for Saudi Arabia and United Arab Emirates, also he is specialized at cyber crime investigations and digital forensics. Nevertheles, Amro hold well-recognized international certifications such as GCIH, GHTQ, ECSA/LPT, CEH, CHFI, Security+, RHCE, SCSA, Linux+, LPIC1, LPIC2 and SCSECA. ''' '''

Amro’s presentation will focus on:

1) Web application attacks and security trends.
2) OWASP "thinking out of the box".
2) OWASP and application security.
4) The relation between OWASP and PCI.

[[Category:OWASP_Chapter]]
[[Category:Saudi Arabia]]

Saudi Arabia

2013-11-04T22:35:53Z

Amro Ahmed:

{{Chapter Template|chaptername=Saudi Arabia|extra=The chapter leaders are [mailto:amro@owasp.org Amro AlOlaqi] [mailto:mohannad.shahat@owasp.org Mohannad Shahat]
<paypal>Saudi Arabia</paypal>
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-SA|emailarchives=http://lists.owasp.org/pipermail/owasp-SA}}

 

== Local News ==

---
The Saudi Chapter is pleased to announce that we've successfully transalted The Zed Attack Proxy (ZAP) to Arabic - you can now download the ZAP 2.2.2 Language Pack 1 from the following link

https://code.google.com/p/zaproxy/downloads/detail?name=ZAP_2.2.2_language_pack.1.zaplang

---

-------
December - 10th/2013 (Members gathering)

The agenda for this gathering would be as follows:

*OWASP introduction for new members
*OWASP Saudi Arabia, event planning for 2014
*OWASP Top 10 translation initiative and discuss the possibility of translating the new testing guide when released.

Date: 10th of December Time: 18:00 - 19:00
Venue: Costa Coffee, Olaya Street, Riyadh

Direction: https://maps.google.com.sa/maps?hl=en&sig=BZ4&ie=UTF-8&q=costa+coffee+in+riyadh&fb=1&gl=sacid=0,0,2944591365254196345&ei=OTUeUaOaN8rIswa2x4HYBw&ved=0CAEQ5xgwAA

-------
'''February - 25th/2013 (Members gathering)'''

''The agenda for this gathering would be as follows:''

- Catch up with new members

- OWASP Saudi Arabia and its involvement with other non-profit organizations

- Planning for our next conference/technical session

''Date: 25th of Feb
Time: 18:00 - 19:00
Venue: Costa Coffee, Olaya Street, Riyadh''

Direction: https://maps.google.com.sa/maps?hl=en&sig=BZ4&ie=UTF-8&q=costa+coffee+in+riyadh&fb=1&gl=sacid=0,0,2944591365254196345&ei=OTUeUaOaN8rIswa2x4HYBw&ved=0CAEQ5xgwAA

------
'''Khobar gathering lead by Mohannad Shahat'''

'''Date:''' 24th May 2012, starting at 8:30 PM to 9:30 PM

'''Agenda:'''

1- Welcoming to OWASP Sharqiyah ''Jalsah''#1

2- OWASP?

3- Discussion: How to Start in Web Application Security?

3- Closing

Detailed Agenda document [https://docs.google.com/open?id=0B4eUULYLYNDsLUFOVlJEVkFhRzQ]

'''Location:'''

Al-Liwan Coffee Shop in Khobar opposite to SAAD Hospital.

= '''Application Security and OWASP top 10 - Jeddah''' =

We'll have a technical session to talk about application security and OWASP top 10, as we'll demonstrate the top critical vulnerabilities against web applications.

'''The OWASP Top 10 Web Application Security Risks are:'''

A1: Injection

----

A2: Cross-Site Scripting (XSS)

----

A3: Broken Authentication and Session Management

----

A4: Insecure Direct Object References

----

A5: Cross-Site Request Forgery (CSRF)

----

A6: Security Misconfiguration

----

A7: Insecure Cryptographic Storage

----

A8: Failure to Restrict URL Access

----

A9: Insufficient Transport Layer Protection

----

A10: Unvalidated Redirects and Forwards

 

'''''Date: 21 Jun 2011'''''

'''''Location: Rosewood Corniche - Jeddah'''''

'''''Start: 19:00 End: 21:00'''''

'''''Speaker: Amro AlOlaqi'''''

 

If you're interested to attend the session please confirm by sending your information to amro at owasp.org. 

= '''Jeddah meeting''' =

'''The agenda of the inaugural meeting will be as follows:'''

1. Introduction to OWASP

2. Discuss local OWASP awareness and image programs for Jeddah members.

Date: Sunday, 3, 2010

Location: Costa Coffee, alHamrah, Jeddah.

Sponsored by: SAIS technology

Please do not hesitate to contact me at amro (at) owasp.org for any clarification or inquires

= '''Information Security and beyond - Event''' =

'''Location'''

Venue: Makarim Hall - Marriott Hotel

City : Riyadh - KSA

Date: 25 May 2009

Time: 08:30 - 15:00

 '''''Seminar Agenda'''''

08:00 – 08:30 Registration
08:30 – 09:00 Key note ( SAMA Speaker )
09:00 – 10:00 ISO 27001 ( BSI Speaker )
10:00 – 10:20 Refreshment
10:20 – 11:0 Application Security ( Verizon Business Speaker )
11:00 – 12:00 Penetration Testing using OWASP methodology ( OWASP )
12:00 – 12:30 Prayer time
12:30 - 01:20 Enterprise Security ( F5 Speaker )
01:20 – 01:40 Q & A
01:40 – 02:30 Lunch

 '''''Event Speaker'''''

 

''''Mr. Saqer Al-Orabi Al-Harthi.''' Information System and Control Manager Saudi Arabian Monetary Agency (SAMA)

Mr. Saqer Al-Orabi Al-Harthi is responsible for the Information System and Control at SAMA – Banking Technology Department. Mr. Al-Harthi has been the chairman of various committees at SAMA such as: SAMA and Banks Information Security Managers Committee, Information Security Awareness Committee and Security Training Committee. Mr. Al-Harthi has been instrumental in building Information Security for the Saudi financial industry by initiating and executing major projects such as SARIE Security, SPAN Security, PKI, and he has been the champion in PCI development within Saudi Arabia along with other security related projects. Furthermore, Mr. Al-Harthi has presented in many IT Security seminars and events. Mr. Al-Harthi holds a Masters degree in Computer and Information System from U.S.A. and he is a Certified Information Security Manager (CISM).

''''Amro AlOlaqi''' Information Security Consultant 

Amro has more than 7 years of experience in Information security. He started his professional career at early age, since then, he engaged the field of UNIX/Linux engineering and systems’ security. Throughout his extraordinary achievements and accomplishments, he became amongst the most recognized experts in the field of penetration testing, application security and vulnerability assessment within Saudi Arabia. He carried out penetration tests, application , vulnerability assessments and security audits for prestigious organizations. Moreover, his expertise extends across industry verticals, security technologies plus hacking tools and techniques. Amro is the OWASP chapter leader for Saudi Arabia and United Arab Emirates, also he is specialized at cyber crime investigations and digital forensics. Nevertheles, Amro hold well-recognized international certifications such as GCIH, GHTQ, ECSA/LPT, CEH, CHFI, Security+, RHCE, SCSA, Linux+, LPIC1, LPIC2 and SCSECA.

 ''''Theuns Kotze''' Regional Director BSI – Middle East and Africa

Mr. Kotze holds a B. Comm. Degree from the University of Pretoria. He is currently the Regional Director for BSI – Management Systems in Middle East and Africa. In BSI he was the Sales and Marketing Director for BSI- Management Systems in Europe based in London. He was an Executive Director of Nosa International responsible for Auditing and Certification Globally. During 2002 he developed an Aids management standard now known as AMS 16001. The AMS 16001 is now the South African Standard for Aids management and could become the ISO standard for aids management in future. He gained extensive knowledge and experience in Europe and Middle East in the last 2 years. He conducted more than 2000 assessments on various standards in the last 20 years. Theuns had a private pilot’s license for 20 years and has flown many types of airplanes. He is married to Maria and has a son John 8 and they now live in Dubai.

'''Ali Akl''' Principal Consultant Verizon Business Security Solutions

Ali has over 10 years experience in Information Security, Business Continuity and Disaster Recovery. He has a unique blend of technical expertise along with management consulting experience, which has made him a valuable consultant to many organizations in the public and private sectors. He has contributed to the OPM3 standard development project, he is also CISSP and CISM, and has earned the GIAC Fundamentals of Security Policy certificate and recently has earned the Member Status of the Business Continuity Institute as well Certified in Disaster Recovery and Planning and finally he has been invited into the Fellowship Program of the International Multilateral Partnership Against Cyber-Terrorism (‘IMPACT’).

 ''''Zakeer Zubair''' Field Systems Engineer

Zakeer Zubair is a senior technical team player in F5’s Middle East operation. Since obtaining his Bachelor degree in Mathematics, Zubair has spent the last 9 years working in networking and security for a variety of systems integrators including Schlumberger and Atos Origin. This role has involved integrating best of breed vendor networking and security devices and necessitated skills in routing, switching, security and application switching. Zubair has technical certifications from F5, Cisco, Juniper, Nortel Networks, Extreme Networks, Microsoft and CISSP.

----

= '''PCI compliance seminar''' =

----

'''Location'''

Venue: Makarim Hall - Marriott Hotel

City : Riyadh - KSA

Date: 2nd March 2009

Time: 08:30 - 15:00

'''Seminar Agenda'''

08:30 – 09:00 Registration Team
09:00 – 09:30 Introduction
09:30 – 10:20 PCI (Applications Firewalls/SSL VPN)
10:20 – 10:40 Refreshment
10:40 – 11:20 OWASP and PCI compliance
11:20 – 12:10 Application Delivery Controller
12:10 – 12:40 Prayer
12:40 – 01:00 Last Session + Questions +Closing Session
01:00 – 02:00 Lunch

'''''Speakers'''''

'''Peter Draper''', Security Specialist: has been providing guidance, design and implementation of Info Sec solutions for some 17+ years. The last ten years have been focused on Application delivery and security with the most recent focus following the main hacking attempts into the Web Application Security space. Peter has been instrumental in delivering Web Application Security into a wide and varied range of customers including finance, government, ecommerce and travel industry companies. Within the Middle East region Peter had delivered solutions to Government, Finance and Corporate customers ensuring the best possible protection is in place to secure customer sensitive data.

Peter’s presentation will focus on:

1) What is the “PCI Journey”?
2) What do I need to do and when?
3) Is PCI the only reason to deploy security solutions?
4) Where should I concentrate my $
5) What happens once I have it?

 '''Nigel Ashworth''', F5 MEA Technical Director: has been F5’s Technical Director for Middle East and Africa since September 2005. In that time he has driven the region’s increasing importance to F5’s global business, managing the pre sales engineering team, and investing technical resources in key verticals to drive double-digit sales growth. Nigel has been with F5 for nine years in a number of senior technical roles, including Technical Director responsible for driving EMEA Strategic Alliances with key partners including Microsoft, SAP and Oracle, and Technical Director responsible for pre-sales in Europe. Prior to joining F5, Nigel held technical leadership positions for companies including Reuters and UB Networks. He received his B.S in Electrical Engineering from Portsmouth University.

 

''''Amro AlOlaqi, ''' Information Security Consultant Amro has more than 7 years of experience in Information security. He started his professional career at early age, since then, he engaged the field of UNIX/Linux engineering and systems’ security. Throughout his extraordinary achievements and accomplishments, he became amongst the most recognized experts in the field of penetration testing, application security and vulnerability assessment within Saudi Arabia. He carried out penetration tests, application , vulnerability assessments and security audits for prestigious organizations. Moreover, his expertise extends across industry verticals, security technologies plus hacking tools and techniques. Amro is the OWASP chapter leader for Saudi Arabia and United Arab Emirates, also he is specialized at cyber crime investigations and digital forensics. Nevertheles, Amro hold well-recognized international certifications such as GCIH, GHTQ, ECSA/LPT, CEH, CHFI, Security+, RHCE, SCSA, Linux+, LPIC1, LPIC2 and SCSECA. ''' '''

Amro’s presentation will focus on:

1) Web application attacks and security trends.
2) OWASP "thinking out of the box".
2) OWASP and application security.
4) The relation between OWASP and PCI.

[[Category:OWASP_Chapter]]
[[Category:Saudi Arabia]]

Saudi Arabia

2013-11-04T22:30:05Z

Amro Ahmed:

{{Chapter Template|chaptername=Saudi Arabia|extra=The chapter leaders are [mailto:amro@owasp.org Amro AlOlaqi] [mailto:mohannad.shahat@owasp.org Mohannad Shahat]
<paypal>Saudi Arabia</paypal>
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-SA|emailarchives=http://lists.owasp.org/pipermail/owasp-SA}}

 

== Local News ==

-------
December - 10th/2013 (Members gathering)

The agenda for this gathering would be as follows:

*OWASP introduction for new members
*OWASP Saudi Arabia, event planning for 2014
*OWASP Top 10 translation initiative and discuss the possibility of translating the new testing guide when released.

Date: 10th of December Time: 18:00 - 19:00
Venue: Costa Coffee, Olaya Street, Riyadh

Direction: https://maps.google.com.sa/maps?hl=en&sig=BZ4&ie=UTF-8&q=costa+coffee+in+riyadh&fb=1&gl=sacid=0,0,2944591365254196345&ei=OTUeUaOaN8rIswa2x4HYBw&ved=0CAEQ5xgwAA

-------
'''February - 25th/2013 (Members gathering)'''

''The agenda for this gathering would be as follows:''

- Catch up with new members

- OWASP Saudi Arabia and its involvement with other non-profit organizations

- Planning for our next conference/technical session

''Date: 25th of Feb
Time: 18:00 - 19:00
Venue: Costa Coffee, Olaya Street, Riyadh''

Direction: https://maps.google.com.sa/maps?hl=en&sig=BZ4&ie=UTF-8&q=costa+coffee+in+riyadh&fb=1&gl=sacid=0,0,2944591365254196345&ei=OTUeUaOaN8rIswa2x4HYBw&ved=0CAEQ5xgwAA

------
'''Khobar gathering lead by Mohannad Shahat'''

'''Date:''' 24th May 2012, starting at 8:30 PM to 9:30 PM

'''Agenda:'''

1- Welcoming to OWASP Sharqiyah ''Jalsah''#1

2- OWASP?

3- Discussion: How to Start in Web Application Security?

3- Closing

Detailed Agenda document [https://docs.google.com/open?id=0B4eUULYLYNDsLUFOVlJEVkFhRzQ]

'''Location:'''

Al-Liwan Coffee Shop in Khobar opposite to SAAD Hospital.

= '''Application Security and OWASP top 10 - Jeddah''' =

We'll have a technical session to talk about application security and OWASP top 10, as we'll demonstrate the top critical vulnerabilities against web applications.

'''The OWASP Top 10 Web Application Security Risks are:'''

A1: Injection

----

A2: Cross-Site Scripting (XSS)

----

A3: Broken Authentication and Session Management

----

A4: Insecure Direct Object References

----

A5: Cross-Site Request Forgery (CSRF)

----

A6: Security Misconfiguration

----

A7: Insecure Cryptographic Storage

----

A8: Failure to Restrict URL Access

----

A9: Insufficient Transport Layer Protection

----

A10: Unvalidated Redirects and Forwards

 

'''''Date: 21 Jun 2011'''''

'''''Location: Rosewood Corniche - Jeddah'''''

'''''Start: 19:00 End: 21:00'''''

'''''Speaker: Amro AlOlaqi'''''

 

If you're interested to attend the session please confirm by sending your information to amro at owasp.org. 

= '''Jeddah meeting''' =

'''The agenda of the inaugural meeting will be as follows:'''

1. Introduction to OWASP

2. Discuss local OWASP awareness and image programs for Jeddah members.

Date: Sunday, 3, 2010

Location: Costa Coffee, alHamrah, Jeddah.

Sponsored by: SAIS technology

Please do not hesitate to contact me at amro (at) owasp.org for any clarification or inquires

= '''Information Security and beyond - Event''' =

'''Location'''

Venue: Makarim Hall - Marriott Hotel

City : Riyadh - KSA

Date: 25 May 2009

Time: 08:30 - 15:00

 '''''Seminar Agenda'''''

08:00 – 08:30 Registration
08:30 – 09:00 Key note ( SAMA Speaker )
09:00 – 10:00 ISO 27001 ( BSI Speaker )
10:00 – 10:20 Refreshment
10:20 – 11:0 Application Security ( Verizon Business Speaker )
11:00 – 12:00 Penetration Testing using OWASP methodology ( OWASP )
12:00 – 12:30 Prayer time
12:30 - 01:20 Enterprise Security ( F5 Speaker )
01:20 – 01:40 Q & A
01:40 – 02:30 Lunch

 '''''Event Speaker'''''

 

''''Mr. Saqer Al-Orabi Al-Harthi.''' Information System and Control Manager Saudi Arabian Monetary Agency (SAMA)

Mr. Saqer Al-Orabi Al-Harthi is responsible for the Information System and Control at SAMA – Banking Technology Department. Mr. Al-Harthi has been the chairman of various committees at SAMA such as: SAMA and Banks Information Security Managers Committee, Information Security Awareness Committee and Security Training Committee. Mr. Al-Harthi has been instrumental in building Information Security for the Saudi financial industry by initiating and executing major projects such as SARIE Security, SPAN Security, PKI, and he has been the champion in PCI development within Saudi Arabia along with other security related projects. Furthermore, Mr. Al-Harthi has presented in many IT Security seminars and events. Mr. Al-Harthi holds a Masters degree in Computer and Information System from U.S.A. and he is a Certified Information Security Manager (CISM).

''''Amro AlOlaqi''' Information Security Consultant 

Amro has more than 7 years of experience in Information security. He started his professional career at early age, since then, he engaged the field of UNIX/Linux engineering and systems’ security. Throughout his extraordinary achievements and accomplishments, he became amongst the most recognized experts in the field of penetration testing, application security and vulnerability assessment within Saudi Arabia. He carried out penetration tests, application , vulnerability assessments and security audits for prestigious organizations. Moreover, his expertise extends across industry verticals, security technologies plus hacking tools and techniques. Amro is the OWASP chapter leader for Saudi Arabia and United Arab Emirates, also he is specialized at cyber crime investigations and digital forensics. Nevertheles, Amro hold well-recognized international certifications such as GCIH, GHTQ, ECSA/LPT, CEH, CHFI, Security+, RHCE, SCSA, Linux+, LPIC1, LPIC2 and SCSECA.

 ''''Theuns Kotze''' Regional Director BSI – Middle East and Africa

Mr. Kotze holds a B. Comm. Degree from the University of Pretoria. He is currently the Regional Director for BSI – Management Systems in Middle East and Africa. In BSI he was the Sales and Marketing Director for BSI- Management Systems in Europe based in London. He was an Executive Director of Nosa International responsible for Auditing and Certification Globally. During 2002 he developed an Aids management standard now known as AMS 16001. The AMS 16001 is now the South African Standard for Aids management and could become the ISO standard for aids management in future. He gained extensive knowledge and experience in Europe and Middle East in the last 2 years. He conducted more than 2000 assessments on various standards in the last 20 years. Theuns had a private pilot’s license for 20 years and has flown many types of airplanes. He is married to Maria and has a son John 8 and they now live in Dubai.

'''Ali Akl''' Principal Consultant Verizon Business Security Solutions

Ali has over 10 years experience in Information Security, Business Continuity and Disaster Recovery. He has a unique blend of technical expertise along with management consulting experience, which has made him a valuable consultant to many organizations in the public and private sectors. He has contributed to the OPM3 standard development project, he is also CISSP and CISM, and has earned the GIAC Fundamentals of Security Policy certificate and recently has earned the Member Status of the Business Continuity Institute as well Certified in Disaster Recovery and Planning and finally he has been invited into the Fellowship Program of the International Multilateral Partnership Against Cyber-Terrorism (‘IMPACT’).

 ''''Zakeer Zubair''' Field Systems Engineer

Zakeer Zubair is a senior technical team player in F5’s Middle East operation. Since obtaining his Bachelor degree in Mathematics, Zubair has spent the last 9 years working in networking and security for a variety of systems integrators including Schlumberger and Atos Origin. This role has involved integrating best of breed vendor networking and security devices and necessitated skills in routing, switching, security and application switching. Zubair has technical certifications from F5, Cisco, Juniper, Nortel Networks, Extreme Networks, Microsoft and CISSP.

----

= '''PCI compliance seminar''' =

----

'''Location'''

Venue: Makarim Hall - Marriott Hotel

City : Riyadh - KSA

Date: 2nd March 2009

Time: 08:30 - 15:00

'''Seminar Agenda'''

08:30 – 09:00 Registration Team
09:00 – 09:30 Introduction
09:30 – 10:20 PCI (Applications Firewalls/SSL VPN)
10:20 – 10:40 Refreshment
10:40 – 11:20 OWASP and PCI compliance
11:20 – 12:10 Application Delivery Controller
12:10 – 12:40 Prayer
12:40 – 01:00 Last Session + Questions +Closing Session
01:00 – 02:00 Lunch

'''''Speakers'''''

'''Peter Draper''', Security Specialist: has been providing guidance, design and implementation of Info Sec solutions for some 17+ years. The last ten years have been focused on Application delivery and security with the most recent focus following the main hacking attempts into the Web Application Security space. Peter has been instrumental in delivering Web Application Security into a wide and varied range of customers including finance, government, ecommerce and travel industry companies. Within the Middle East region Peter had delivered solutions to Government, Finance and Corporate customers ensuring the best possible protection is in place to secure customer sensitive data.

Peter’s presentation will focus on:

1) What is the “PCI Journey”?
2) What do I need to do and when?
3) Is PCI the only reason to deploy security solutions?
4) Where should I concentrate my $
5) What happens once I have it?

 '''Nigel Ashworth''', F5 MEA Technical Director: has been F5’s Technical Director for Middle East and Africa since September 2005. In that time he has driven the region’s increasing importance to F5’s global business, managing the pre sales engineering team, and investing technical resources in key verticals to drive double-digit sales growth. Nigel has been with F5 for nine years in a number of senior technical roles, including Technical Director responsible for driving EMEA Strategic Alliances with key partners including Microsoft, SAP and Oracle, and Technical Director responsible for pre-sales in Europe. Prior to joining F5, Nigel held technical leadership positions for companies including Reuters and UB Networks. He received his B.S in Electrical Engineering from Portsmouth University.

 

''''Amro AlOlaqi, ''' Information Security Consultant Amro has more than 7 years of experience in Information security. He started his professional career at early age, since then, he engaged the field of UNIX/Linux engineering and systems’ security. Throughout his extraordinary achievements and accomplishments, he became amongst the most recognized experts in the field of penetration testing, application security and vulnerability assessment within Saudi Arabia. He carried out penetration tests, application , vulnerability assessments and security audits for prestigious organizations. Moreover, his expertise extends across industry verticals, security technologies plus hacking tools and techniques. Amro is the OWASP chapter leader for Saudi Arabia and United Arab Emirates, also he is specialized at cyber crime investigations and digital forensics. Nevertheles, Amro hold well-recognized international certifications such as GCIH, GHTQ, ECSA/LPT, CEH, CHFI, Security+, RHCE, SCSA, Linux+, LPIC1, LPIC2 and SCSECA. ''' '''

Amro’s presentation will focus on:

1) Web application attacks and security trends.
2) OWASP "thinking out of the box".
2) OWASP and application security.
4) The relation between OWASP and PCI.

[[Category:OWASP_Chapter]]
[[Category:Saudi Arabia]]

Dubai

2013-11-04T16:40:45Z

Amro Ahmed:

Dubai

2013-11-04T16:23:39Z

Amro Ahmed:

Category:OWASP Speakers Project

2013-11-04T14:41:11Z

Amro Ahmed:

This program lead by [[:user:Knoblochmartin|Martin Knobloch]] helps local chapters or application security conferences to find OWASP related speakers to have OWASP presenters on site.

This program allows two parties to find each other:

* Local chapters or application security events that want to attract an OWASP speaker
* OWASP speakers to entertain OWASP presentations and that want to see the world

For sponsorship, see the [[:Category:OWASP_on_the_Move_Project|OWASP on the Move Project]] page

== available presentations ==

== available speakers ==

If you want to (re)do an OWASP related presentation, propose them here with your availability boundaries (timing/geographical)

*Add your name, contact and bio information to become available as OWASP Speaker!

{| class="prettytable"
|-
! Name
! Introduction
! Available Area
! Bios
|-
| [mailto:Robert(at)ZakonGroup.com Robert H'obbes' Zakon]
| Presenter on Web Application Security, OWASP Top 10, PHP Security, and assorted other topics. Training sessions taught at events such as [http://www.zakongroup.com/technology/services-training.shtml OWASP, ACSAC, and CCS]. Based in New Hampshire, and available for travel worldwide. Fluent in English, and able to converse in Portuguese. A developer and consultant for the past decade, formerly a Principal Engineer with MITRE's InfoSec Group.
| Global (USA/NH-based)
| [http://www.zakon.org/robert/vitae.html BIO]
|-
| [mailto:jmcgovern@virtusa.com James McGovern]
| Presenter on Enterprise Architecture and Web Application Security, SOA Web Services Security and Federated Identity.
| Global (USA/CT-based)
| [http://www.linkedin.com/in/jamesmcgovern BIO]
|-
| [mailto:chuck(at)McCulloughAssociates.com Chuck McCullough]
| Chuck provides training sessions to developers on the Top 10. Chuck welcomes speaking opportunities to any group. Chuck is available in the Texas area and at various other locations in the USA.
| USA/Texas
| [http://www.linkedin.com/in/chuckmccullough BIO]
|-
| Marc Curphey
| Marc will happily speak about the WebAppSec industry, SDLC etc. around Europe. You can see him in action at [http://video.hitb.org/2006.html HITB with John Viega] (big download)
| Europe
| [http://www.linkedin.com/in/curphey BIO]
|-
| [mailto:tomb(at)owasp.org Tom Brennan]
| based in NYC Metro Tom is a long time volunteer and OWASP contributor and [http://www.owasp.org/index.php/About_OWASP International Board Member]. He is available for global speaking venues to educate audiences about the OWASP Foundation core mission, how it works and various projects. In addition he also provides regular talks on honeypot research and case-studies about tactical experiences when conducting [http://en.wikipedia.org/wiki/Red_Team Red Team]/Tiger Team assessments involving the application, network, wireless and physical security - [https://www.owasp.org/index.php/User:Brennan BIO]
| Global
| [http://www.linkedin.com/in/tombrennan BIO]
|-
| [mailto:thesp0nge@owasp.org Paolo Perego]
| Paolo is available to talk about [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project Orizon project], safe coding and code review issues around Europe in the near October-December.
| Europe
| [http://www.linkedin.com/in/thesp0nge BIO]
|-
| [mailto:marc.m.morana@gmail.org Marco Morana]
| Marco is available to talk about [http://iac.dtic.mil/iatac/download/security.pdf Software Security Frameworks]and Secure Code Reviews [https://www.cmpevents.com/CSI33/a.asp?option=G&V=3&id=443342 see 07 CSI conference as reference] in USA around November-December and in Europe around January-February
| Europe
| [http://www.linkedin.com/pub/2/a7a/59b BIO]
|-
|-
| [mailto:amro@owasp.org Amro Alolaqi]
| Amro is leading the OWASP Saudi Arabia and UAE chapters, futhermore a contributor for the OWASP Testing Guide v4, OWASP Zed Attack Proxy (ZAP) and OWASP Web Application Security Testing Cheat Sheet. He is a frequent speaker at various industry conferences and events; topics of interest include Web App Critical Vulnerabilities, OWASP Zed Attack Proxy (ZAP), OWASP Testing Guide, Web Application Security Testing and Threat Modeling.
| Global (Middle East-based)
| [https://www.owasp.org/index.php/User:Amro_Ahmed BIO]
|-
| [mailto:sebastien.gioria@owasp.fr Sébastien Gioria]
| Sebastien is available to talk about WebAppSec, educational purpose on AppSec in French or at least in english around France/Europe/Canada from middle of March 08. You can find some Talk on the [http://www.owasp.fr Owasp France Chapter]
| France/Europe/Canada
| [http://www.linkedin.com/in/gioria BIO]
|-
| [mailto:mordecai.kraushar@owasp.org Mordecai Kraushar]
| Mordecai is available to talk about different topics within the Web application security space. Discussions typically involve either the Broken Web Application project or the Vicnum project, [http://www.owasp.org/index.php/Category:OWASP_Vicnum_Project], a flexible vulnerable web application that can be used in many scenarios including 'capture the flag' exercises.
| Global
| [http://www.linkedin.com/in/mkraushar BIO]
|-
| [mailto:michael.coates@owasp.org Michael Coates]
| Michael is available to talk on a variety of web application security topics. Talks are interactive and include live demos and code examples. Michael has spoken at multiple OWASP conferences and University security courses on topics such as Introduction to Application Security, Automated Defense Systems in Applications, Real Time Detection and Prevention of Application Worms, and security risks in SSL/TLS.
| USA/San Francisco & Virtual Presentations
| [http://www.linkedin.com/in/mcoates BIO]
|-
| [mailto:tobias.gondrom@owasp.org Tobias Gondrom]
| Tobias is on the London chapter board (and previously Germany chapter lead) and currently member of the OWASP Global Industry committee. He is available to talk on a variety of web application and information security and risk management topics. He gives two different types of presentations - preferred in Asia or Europe: - CISO level: information security, risk management from Secure SDLCs, maturity models, standards and security strategy, to change management and managing application security in large organisations and the OWASP CISO Guide. - Deep technical talks: new security standards and research, involving his work in web security research and as the chair of the web security working group at the IETF. Tobias has spoken at multiple OWASP AppSec and other security conferences, given university guest lectures and full training days on topics like CISO training, browser security, web security, new technologies for channel protection with SSL/TLS, electronic signatures, ...
| Asia and Europe (dual based in both regions)
| [http://uk.linkedin.com/in/gondrom BIO]
|-
| [mailto:dan.cornell@owasp.org Dan Cornell]
| Dan Cornell has over twelve years of experience architecting, developing and securing web-based software systems. He speaks on a variety of software development and software security topics such as Vulnerability Management, Software Security Remediation, and Code Review/Static Analysis. Dan is based in San Antonio, TX and available to fly/drive as needed to the site.
| USA/San Antonio
| [http://www.denimgroup.com/about_team_dan.html BIO]
|-
| [mailto:John.Steven@owasp.org John Steven]
| John speaks on a variety of topics including "How to build your own application security group", "Threat Modeling", "Code Review and Static analysis", as well as other topics. John has spoken at and given tutorials for multiple OWASP conferences. John frequents New York, Boston, Washington DC, and Charlotte, but is available for travel elsewhere.
| Washington, DC/USA
| [http://www.cigital.com/about/team/management.php#jsteven BIO]
|-
| [mailto:blake@owasp.org Blake Cornell]
| Blake is available to speak regarding topics including Security v. HIPPA, Penetration Testing Methodologies, Fuzzing and Blended Threats such as attacking VoIP with the OWASP Top 10. Blake lives in the NY Metro area and is available for speaking at regional, national and world wide events.
| New York, NY/USA
| [http://www.linkedin.com/in/blakecornell BIO]
|-
| [mailto:Nick.Coblentz@gmail.com Nick Coblentz]
| Nick regularly performs research related to secure software development. He is available to present on topics such as the [http://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model Software Assurance Maturity Model (SAMM)], the [http://nickcoblentz.blogspot.com/2009/06/samm-inteview-template-version-10.html SAMM Interview Template], [http://nickcoblentz.blogspot.com/2009/05/issa-journal-web-application-security.html Building Web Application Security Portfolios], and [http://nickcoblentz.blogspot.com/2009/11/owasp-presentation-on-dec-10-microsoft.html The Microsoft SDL for Agile Development]. Please email Nick if you see articles on his [http://nickcoblentz.blogspot.com/ blog] that you would like him to present.
| USA/Kansas, Oklahoma, Missouri
| [http://www.linkedin.com/in/ncoblentz BIO]
|-
| [mailto:johnccr@yahoo.com Juan Carlos Calderon]
| Juan has being part of the Appliction Security industry for 9 years, currently performs research on application and information security arena. He is available to present "Preparing an strategy for application vulnerability detection", "Owasp Spanish and Internationalization" and "Análisis y efectos del cibercrimen en Mexico"(Analysis and effects of cibercrime in México). He is also open to talk about other topics related to OWASP materials and tools, send him a note to verify the coverage.
| Aguascalientes/México
| [http://www.linkedin.com/in/juancarloscalderon BIO]
|-
| [mailto:edward@owasp.org Edward Bonver]
| Edward has over a decade of experience in the software security field. He currently works for Symantec's Product Security Team, where he brings all aspects of secure software development to product teams across the company. He is a frequent speaker at various industry conferences and OWASP events; topics of interest include Threat Modeling and Security Testing.
| Global(USA/Los Angeles-based)
| [http://www.linkedin.com/in/bonver BIO]
|-
| [mailto:ludovic.petit@owasp.org Ludovic Petit]
| Chapter Leader OWASP France and OWASP Global Connections Committee Member, [https://www.owasp.org/index.php/User:Ludovic_Petit '''Ludovic'''] is living in Paris and is willing to talk about Web Application Security topics with a Corporate dimension, including about Legal and Law Enforcement, the OWASP Foundation approach, and explain why WebApp Security is also linked to Legal and Regulatory aspects, so Corporate responsibility, to protect your business.
| France, Europe and elsewhere, according to my availabilities and if you pay yourself the travel and accommodation expenses.
| [http://www.linkedin.com/in/lpetit BIO]
|-
| [mailto:magno.logan@owasp.org Magno Logan]
| OWASP Paraiba Chapter Leader and OWASP Portuguese Language Project Member. Magno (Logan) Rodrigues has an MBA in Information Security and studied Computer Forensics for one year in New York. He has done many talks about OWASP and it's main projects at national and international events such as [http://www.ensol.org.br/ ENSOL], [http://gts.nic.br/ GTS] and [https://www.owasp.org/index.php/AppSecLatam2011 App Sec Latam 2011]. Topics of interest include: OWASP Top 10, WebGoat, Java Security, E-commerce Security and Computer Forensics.

| Latin America
| [https://www.owasp.org/index.php/User:Magno_Logan BIO]
|-
| [mailto:wagner.elias@owasp.org Wagner Elias]
| Wagner founded the Brazil chapter is currently Curitiba-Brazil Chapter Leader and available to talk on a variety of web application security topics. Talks are interactive and include live demos and code examples. Wagner has spoken at various conferences in Brazil.

Topics of interest: Mobile Security; SDL Process and Implementation; Code Review and Application Test

| Brazil
| [https://www.owasp.org/index.php/User:wagner.elias BIO]
|-
| [mailto:ramiro.pulgar@owasp.org Ramiro Pulgar]
| Chapter Leader OWASP Ecuador. [https://www.owasp.org/index.php/User:Ramiro_Pulgar '''milovisho'''] OWASP Ecuador Chapter Leader
| Ecuador, Latin America, Global
| [http://ec.linkedin.com/in/ramiropulgar BIO]
|-
| [mailto:john.vargas@owasp.org John Vargas]
| Chapter Leader OWASP Perú. [https://www.owasp.org/index.php/User:Jvargas '''John Vargas'''] OWASP Perú Chapter Leader
| Perú, Latin America, Global
| [http://pe.linkedin.com/in/jvargasp BIO]
|-
|[mailto:Ahmed.neil@owasp.org Ahmed Neil]
|Neil is available to speak regarding topics including Digital forensics,Wep Application threats and security, Medical Information System Security, Wep application Penetration Testing,Always like to discuss OWASP Top 10. I am in Mansoura, Egypt now and available for speaking at regional,and world wide events.
[https://www.owasp.org/index.php/User:Ahmed_M_Neil '''Ahmed Neil'''] OWASP Mansoura Chapter Leader
| Africa,Global
|}
*Add your name, contact and bio information to become available as OWASP Speaker!

Saudi Arabia

2013-11-03T19:22:45Z

Amro Ahmed:

{{Chapter Template|chaptername=Saudi Arabia|extra=The chapter leaders are [mailto:amro@owasp.org Amro AlOlaqi] [mailto:mohannad.shahat@owasp.org Mohannad Shahat]
<paypal>Saudi Arabia</paypal>
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-SA|emailarchives=http://lists.owasp.org/pipermail/owasp-SA}}

 

== Local News ==

'''February - 25th/2013 (Members gathering)'''

''The agenda for this gathering would be as follows:''

- Catch up with new members

- OWASP Saudi Arabia and its involvement with other non-profit organizations

- Planning for our next conference/technical session

''Date: 25th of Feb
Time: 18:00 - 19:00
Venue: Costa Coffee, Olaya Street, Riyadh''

Direction: https://maps.google.com.sa/maps?hl=en&sig=BZ4&ie=UTF-8&q=costa+coffee+in+riyadh&fb=1&gl=sacid=0,0,2944591365254196345&ei=OTUeUaOaN8rIswa2x4HYBw&ved=0CAEQ5xgwAA

'''Khobar gathering lead by Mohannad Shahat'''

'''Date:''' 24th May 2012, starting at 8:30 PM to 9:30 PM

'''Agenda:'''

1- Welcoming to OWASP Sharqiyah ''Jalsah''#1

2- OWASP?

3- Discussion: How to Start in Web Application Security?

3- Closing

Detailed Agenda document [https://docs.google.com/open?id=0B4eUULYLYNDsLUFOVlJEVkFhRzQ]

'''Location:'''

Al-Liwan Coffee Shop in Khobar opposite to SAAD Hospital.

= '''Application Security and OWASP top 10 - Jeddah''' =

We'll have a technical session to talk about application security and OWASP top 10, as we'll demonstrate the top critical vulnerabilities against web applications.

'''The OWASP Top 10 Web Application Security Risks are:'''

A1: Injection

----

A2: Cross-Site Scripting (XSS)

----

A3: Broken Authentication and Session Management

----

A4: Insecure Direct Object References

----

A5: Cross-Site Request Forgery (CSRF)

----

A6: Security Misconfiguration

----

A7: Insecure Cryptographic Storage

----

A8: Failure to Restrict URL Access

----

A9: Insufficient Transport Layer Protection

----

A10: Unvalidated Redirects and Forwards

 

'''''Date: 21 Jun 2011'''''

'''''Location: Rosewood Corniche - Jeddah'''''

'''''Start: 19:00 End: 21:00'''''

'''''Speaker: Amro AlOlaqi'''''

 

If you're interested to attend the session please confirm by sending your information to amro at owasp.org. 

= '''Jeddah meeting''' =

'''The agenda of the inaugural meeting will be as follows:'''

1. Introduction to OWASP

2. Discuss local OWASP awareness and image programs for Jeddah members.

Date: Sunday, 3, 2010

Location: Costa Coffee, alHamrah, Jeddah.

Sponsored by: SAIS technology

Please do not hesitate to contact me at amro (at) owasp.org for any clarification or inquires

= '''Information Security and beyond - Event''' =

'''Location'''

Venue: Makarim Hall - Marriott Hotel

City : Riyadh - KSA

Date: 25 May 2009

Time: 08:30 - 15:00

 '''''Seminar Agenda'''''

08:00 – 08:30 Registration
08:30 – 09:00 Key note ( SAMA Speaker )
09:00 – 10:00 ISO 27001 ( BSI Speaker )
10:00 – 10:20 Refreshment
10:20 – 11:0 Application Security ( Verizon Business Speaker )
11:00 – 12:00 Penetration Testing using OWASP methodology ( OWASP )
12:00 – 12:30 Prayer time
12:30 - 01:20 Enterprise Security ( F5 Speaker )
01:20 – 01:40 Q & A
01:40 – 02:30 Lunch

 '''''Event Speaker'''''

 

''''Mr. Saqer Al-Orabi Al-Harthi.''' Information System and Control Manager Saudi Arabian Monetary Agency (SAMA)

Mr. Saqer Al-Orabi Al-Harthi is responsible for the Information System and Control at SAMA – Banking Technology Department. Mr. Al-Harthi has been the chairman of various committees at SAMA such as: SAMA and Banks Information Security Managers Committee, Information Security Awareness Committee and Security Training Committee. Mr. Al-Harthi has been instrumental in building Information Security for the Saudi financial industry by initiating and executing major projects such as SARIE Security, SPAN Security, PKI, and he has been the champion in PCI development within Saudi Arabia along with other security related projects. Furthermore, Mr. Al-Harthi has presented in many IT Security seminars and events. Mr. Al-Harthi holds a Masters degree in Computer and Information System from U.S.A. and he is a Certified Information Security Manager (CISM).

''''Amro AlOlaqi''' Information Security Consultant 

Amro has more than 7 years of experience in Information security. He started his professional career at early age, since then, he engaged the field of UNIX/Linux engineering and systems’ security. Throughout his extraordinary achievements and accomplishments, he became amongst the most recognized experts in the field of penetration testing, application security and vulnerability assessment within Saudi Arabia. He carried out penetration tests, application , vulnerability assessments and security audits for prestigious organizations. Moreover, his expertise extends across industry verticals, security technologies plus hacking tools and techniques. Amro is the OWASP chapter leader for Saudi Arabia and United Arab Emirates, also he is specialized at cyber crime investigations and digital forensics. Nevertheles, Amro hold well-recognized international certifications such as GCIH, GHTQ, ECSA/LPT, CEH, CHFI, Security+, RHCE, SCSA, Linux+, LPIC1, LPIC2 and SCSECA.

 ''''Theuns Kotze''' Regional Director BSI – Middle East and Africa

Mr. Kotze holds a B. Comm. Degree from the University of Pretoria. He is currently the Regional Director for BSI – Management Systems in Middle East and Africa. In BSI he was the Sales and Marketing Director for BSI- Management Systems in Europe based in London. He was an Executive Director of Nosa International responsible for Auditing and Certification Globally. During 2002 he developed an Aids management standard now known as AMS 16001. The AMS 16001 is now the South African Standard for Aids management and could become the ISO standard for aids management in future. He gained extensive knowledge and experience in Europe and Middle East in the last 2 years. He conducted more than 2000 assessments on various standards in the last 20 years. Theuns had a private pilot’s license for 20 years and has flown many types of airplanes. He is married to Maria and has a son John 8 and they now live in Dubai.

'''Ali Akl''' Principal Consultant Verizon Business Security Solutions

Ali has over 10 years experience in Information Security, Business Continuity and Disaster Recovery. He has a unique blend of technical expertise along with management consulting experience, which has made him a valuable consultant to many organizations in the public and private sectors. He has contributed to the OPM3 standard development project, he is also CISSP and CISM, and has earned the GIAC Fundamentals of Security Policy certificate and recently has earned the Member Status of the Business Continuity Institute as well Certified in Disaster Recovery and Planning and finally he has been invited into the Fellowship Program of the International Multilateral Partnership Against Cyber-Terrorism (‘IMPACT’).

 ''''Zakeer Zubair''' Field Systems Engineer

Zakeer Zubair is a senior technical team player in F5’s Middle East operation. Since obtaining his Bachelor degree in Mathematics, Zubair has spent the last 9 years working in networking and security for a variety of systems integrators including Schlumberger and Atos Origin. This role has involved integrating best of breed vendor networking and security devices and necessitated skills in routing, switching, security and application switching. Zubair has technical certifications from F5, Cisco, Juniper, Nortel Networks, Extreme Networks, Microsoft and CISSP.

----

= '''PCI compliance seminar''' =

----

'''Location'''

Venue: Makarim Hall - Marriott Hotel

City : Riyadh - KSA

Date: 2nd March 2009

Time: 08:30 - 15:00

'''Seminar Agenda'''

08:30 – 09:00 Registration Team
09:00 – 09:30 Introduction
09:30 – 10:20 PCI (Applications Firewalls/SSL VPN)
10:20 – 10:40 Refreshment
10:40 – 11:20 OWASP and PCI compliance
11:20 – 12:10 Application Delivery Controller
12:10 – 12:40 Prayer
12:40 – 01:00 Last Session + Questions +Closing Session
01:00 – 02:00 Lunch

'''''Speakers'''''

'''Peter Draper''', Security Specialist: has been providing guidance, design and implementation of Info Sec solutions for some 17+ years. The last ten years have been focused on Application delivery and security with the most recent focus following the main hacking attempts into the Web Application Security space. Peter has been instrumental in delivering Web Application Security into a wide and varied range of customers including finance, government, ecommerce and travel industry companies. Within the Middle East region Peter had delivered solutions to Government, Finance and Corporate customers ensuring the best possible protection is in place to secure customer sensitive data.

Peter’s presentation will focus on:

1) What is the “PCI Journey”?
2) What do I need to do and when?
3) Is PCI the only reason to deploy security solutions?
4) Where should I concentrate my $
5) What happens once I have it?

 '''Nigel Ashworth''', F5 MEA Technical Director: has been F5’s Technical Director for Middle East and Africa since September 2005. In that time he has driven the region’s increasing importance to F5’s global business, managing the pre sales engineering team, and investing technical resources in key verticals to drive double-digit sales growth. Nigel has been with F5 for nine years in a number of senior technical roles, including Technical Director responsible for driving EMEA Strategic Alliances with key partners including Microsoft, SAP and Oracle, and Technical Director responsible for pre-sales in Europe. Prior to joining F5, Nigel held technical leadership positions for companies including Reuters and UB Networks. He received his B.S in Electrical Engineering from Portsmouth University.

 

''''Amro AlOlaqi, ''' Information Security Consultant Amro has more than 7 years of experience in Information security. He started his professional career at early age, since then, he engaged the field of UNIX/Linux engineering and systems’ security. Throughout his extraordinary achievements and accomplishments, he became amongst the most recognized experts in the field of penetration testing, application security and vulnerability assessment within Saudi Arabia. He carried out penetration tests, application , vulnerability assessments and security audits for prestigious organizations. Moreover, his expertise extends across industry verticals, security technologies plus hacking tools and techniques. Amro is the OWASP chapter leader for Saudi Arabia and United Arab Emirates, also he is specialized at cyber crime investigations and digital forensics. Nevertheles, Amro hold well-recognized international certifications such as GCIH, GHTQ, ECSA/LPT, CEH, CHFI, Security+, RHCE, SCSA, Linux+, LPIC1, LPIC2 and SCSECA. ''' '''

Amro’s presentation will focus on:

1) Web application attacks and security trends.
2) OWASP "thinking out of the box".
2) OWASP and application security.
4) The relation between OWASP and PCI.

[[Category:OWASP_Chapter]]
[[Category:Saudi Arabia]]

User:Amro Ahmed

2013-11-02T17:48:23Z

Amro Ahmed:

Amro AlOlaqi joined OWASP back in 2008. ( My old user account: https://www.owasp.org/index.php/User:Amro )

Amro currently works as a Sr. Consultant at Verizon (Threat & Vulnerability). Prior joining Verizon, Amro worked for BAE Systems, Saudi Aramco, IS, and Red Hat, he has more than 8 years of experience in Information security. He started his professional career at early age, since then, he engaged the field of UNIX/Linux engineering and systems’ security. He carried out penetration tests, application , vulnerability assessments and security audits for prestigious organizations. Moreover, his expertise extends across industry verticals, security technologies plus hacking tools and techniques. Amro hold well-recognized international certifications such as CISSP, GCIH, GHTQ, LPT, CEH, CHFI, RHCE, SCSA, Linux+, LPIC1/2 SCSECA, and Certified ISO 27001 LA/LI

'''''OWASP Involvement'''''
* Chapter leader: Saudi Arabia
* Chapter leader: Untied Arab Emirates
* Contributor: OWASP Testing Guide v4
* Contributor: OWASP Web Application Security Testing Cheat Sheet
* Contributor: OWASP Zed Attack Proxy Project
* Volunteer: OWASP Periodic Table of Vulnerabilities

'''''Media Interaction'''''

*Appeared in 13 TV shows, some of which in the biggest news channels in the Middle East.
*Published +20 newspaper articles to increase the public awareness about Information Security.

After my humble interaction with the Middle East media, I shifted my interest and focus to increase the Application Security awareness among business corporates and GCC governments. Please refer to Public Speaking for more information.

'''''Public Speaking'''''
*Speaker: IDC's IT Security Roadshow - Dubai
*Speaker: Application Security and OWASP at i-safe – UAE
*Speaker: Ethical Hacking at the ‘Compliance and Beyond’ - Saudi.
*Speaker: Web Application Security at F5 - Saudi.
*Speaker: OWASP The Power of Code Review, Netherlands
*Speaker: Web Application Security and OWASP top 10 at ISACA Jeddah – Saudi
*Speaker: Web App Critical Vulnerabilities and OWASP's ESAPI at The Cyber Information Security Summit - UAE
*Speaker: Information Security Awareness at Arabou University - Saudi.
*Speaker: Threat Modeling and Penetration test at IT for Government - UAE
*Speaker: Ethical Hacking and penetration testing at Microsoft Open Doors – Saudi.
*Speaker: Ethical Hacking and penetration testing at Microsoft Open Doors – Saudi.
*Speaker: OWASP Testing Guide at OWASP - Saudi.

* Speaker: OWASP's introduction and projects at the open university - Saudi

'''Get in touch with me. https://twitter.com/Amro_AlOlaqi LinkedIn: http://www.linkedin.com/in/iamro'''

Identify application entry points (OTG-INFO-006)

2013-10-30T21:27:29Z

Amro Ahmed:

{{Template:OWASP Testing Guide v4}}

== Summary ==
Enumerating the application and its attack surface is a key precursor before any thorough testing can be undertaken, as it allows the tester to identify likely areas of weakness. This section aims to help identify and map out areas within the application that should be investigated once enumeration and mapping have been completed.

== Test Objectives ==

Understand how requests are formed and typical responses from the application

== How to Test ==

Before any testing begins, always get a good understanding of the application and how the user/browser communicates with it. As you walk through the application, pay special attention to all HTTP requests (GET and POST Methods, also known as Verbs), as well as every parameter and form field that is passed to the application. In addition, pay attention to when GET requests are used and when POST requests are used to pass parameters to the application. It is very common that GET requests are used, but when sensitive information is passed, it is often done within the body of a POST request. Note that to see the parameters sent in a POST request, you will need to use a tool such as an intercepting proxy (for example, OWASP: [[OWASP_Zed_Attack_Proxy_Project| Zed Attack Proxy (ZAP)]]) or a browser plug-in. Within the POST request, also make special note of any hidden form fields that are being passed to the application, as these usually contain sensitive information, such as state information, quantity of items, the price of items, that the developer never intended for you to see or change.

In the author's experience, it has been very useful to use an intercepting proxy and a spreadsheet for this stage of the testing. The proxy will keep track of every request and response between you and the application as you walk through it. Additionally, at this point, testers usually trap every request and response so that they can see exactly every header, parameter, etc. that is being passed to the application and what is being returned. This can be quite tedious at times, especially on large interactive sites (think of a banking application). However, experience will teach you what to look for, and, therefore, this phase can be significantly reduced. As you walk through the application, take note of any interesting parameters in the URL, custom headers, or body of the requests/responses, and save them in your spreadsheet. The spreadsheet should include the page you requested (it might be good to also add the request number from the proxy, for future reference), the interesting parameters, the type of request (POST/GET), if access is authenticated/unauthenticated, if SSL is used, if it's part of a multi-step process, and any other relevant notes. Once you have every area of the application mapped out, then you can go through the application and test each of the areas that you have identified and make notes for what worked and what didn't work. The rest of this guide will identify how to test each of these areas of interest, but this section must be undertaken before any of the actual testing can commence.

Below are some points of interests for all requests and responses. Within the requests section, focus on the GET and POST methods, as these appear the majority of the requests. Note that other methods, such as PUT and DELETE, can be used. Often, these more rare requests, if allowed, can expose vulnerabilities. There is a special section in this guide dedicated for testing these HTTP methods.

'''Requests:'''
* Identify where GETs are used and where POSTs are used.
* Identify all parameters used in a POST request (these are in the body of the request).
* Within the POST request, pay special attention to any hidden parameters. When a POST is sent all the form fields (including hidden parameters) will be sent in the body of the HTTP message to the application. These typically aren't seen unless you are using a proxy or view the HTML source code. In addition, the next page you see, its data, and your access can all be different depending on the value of the hidden parameter(s).
* Identify all parameters used in a GET request (i.e., URL), in particular the query string (usually after a ? mark).
* Identify all the parameters of the query string. These usually are in a pair format, such as foo=bar. Also note that many parameters can be in one query string such as separated by a &, ~, :, or any other special character or encoding.
* A special note when it comes to identifying multiple parameters in one string or within a POST request is that some or all of the parameters will be needed to execute your attacks. You need to identify all of the parameters (even if encoded or encrypted) and identify which ones are processed by the application. Later sections of the guide will identify how to test these parameters. At this point, just make sure you identify each one of them.
* Also pay attention to any additional or custom type headers not typically seen (such as debug=False).

'''Responses:'''
*Identify where new cookies are set (Set-Cookie header), modified, or added to.
*Identify where there are any redirects (300 HTTP status code), 400 status codes, in particular 403 Forbidden, and 500 internal server errors during normal responses (i.e., unmodified requests).
*Also note where any interesting headers are used. For example, "Server: BIG-IP" indicates that the site is load balanced. Thus, if a site is load balanced and one server is incorrectly configured, then you might have to make multiple requests to access the vulnerable server, depending on the type of load balancing used.

=== Black Box testing and example ===
'''Testing for application entry points:''' 
The following are two examples on how to check for application entry points. 

====EXAMPLE 1====
This example shows a GET request that would purchase an item from an online shopping application.

GET https://x.x.x.x/shoppingApp/buyme.asp?CUSTOMERID=100&ITEM=z101a&PRICE=62.50&IP=x.x.x.x
Host: x.x.x.x
Cookie: SESSIONID=Z29vZCBqb2IgcGFkYXdhIG15IHVzZXJuYW1lIGlzIGZvbyBhbmQgcGFzc3dvcmQgaXMgYmFy

'''Result Expected:'''

Here you would note all the parameters of the request such as CUSTOMERID, ITEM, PRICE, IP, and the Cookie (which could just be encoded parameters or used for session state).

====EXAMPLE 2====
This example shows a POST request that would log you into an application.

POST https://x.x.x.x/KevinNotSoGoodApp/authenticate.asp?service=login
Host: x.x.x.x
Cookie: SESSIONID=dGhpcyBpcyBhIGJhZCBhcHAgdGhhdCBzZXRzIHByZWRpY3RhYmxlIGNvb2tpZXMgYW5kIG1pbmUgaXMgMTIzNA==
CustomCookie=00my00trusted00ip00is00x.x.x.x00

Body of the POST message:

user=admin&pass=pass123&debug=true&fromtrustIP=true

'''Result Expected:'''

In this example you would note all the parameters as you have before but notice that the parameters are passed in the body of the message and not in the URL. Additionally, note that there is a custom cookie that is being used.

=== Gray Box testing and example ===

Testing for application entry points via a Gray Box methodology would consist of everything already identified above with one caveat. This would be if there are any external sources from which the application receives data and processes it (such as SNMP traps, syslog messages, SMTP, or SOAP messages from other servers). If there are any external sources of input into the application then a meeting with the application developers could identify any functions that would accept or expect user input and how it's formatted. For example, the developer could help in understanding how to formulate a correct SOAP request that the application would accept and where the web service resides (if the web service or any other function hasn't already been identified during the black box testing).

== Tools ==

'''Intercepting Proxy:''' 

*OWASP: [[OWASP_Zed_Attack_Proxy_Project| Zed Attack Proxy (ZAP)]]
*OWASP: [[OWASP_WebScarab_Project| WebScarab]]
* [http://www.portswigger.net/burp/ Burp Suite]
* [http://www.contextis.com/research/tools/cat/ CAT]

'''Browser Plug-in:''' 

*[http://www.bayden.com/TamperIE/ TamperIE for Internet Explorer]
*[https://addons.mozilla.org/en-US/firefox/addon/966 Tamper Data for Firefox]

== References ==

'''Whitepapers''' 

*RFC 2616 – Hypertext Transfer Protocol – HTTP 1.1 -
http://tools.ietf.org/html/rfc2616

Identify application entry points (OTG-INFO-006)

2013-10-30T21:21:10Z

Amro Ahmed:

{{Template:OWASP Testing Guide v4}}

== Summary ==
Enumerating the application and its attack surface is a key precursor before any thorough testing can be undertaken, as it allows the tester to identify likely areas of weakness. This section aims to help identify and map out areas within the application that should be investigated once enumeration and mapping have been completed.

== Test Objectives ==

Understand how requests are formed and typical responses from the application

== How to Test ==

Before any testing begins, always get a good understanding of the application and how the user/browser communicates with it. As you walk through the application, pay special attention to all HTTP requests (GET and POST Methods, also known as Verbs), as well as every parameter and form field that is passed to the application. In addition, pay attention to when GET requests are used and when POST requests are used to pass parameters to the application. It is very common that GET requests are used, but when sensitive information is passed, it is often done within the body of a POST request. Note that to see the parameters sent in a POST request, you will need to use a tool such as an intercepting proxy (for example, [[OWASP WebScarab Project|OWASP's WebScarab]]) or a browser plug-in. Within the POST request, also make special note of any hidden form fields that are being passed to the application, as these usually contain sensitive information, such as state information, quantity of items, the price of items, that the developer never intended for you to see or change.

In the author's experience, it has been very useful to use an intercepting proxy and a spreadsheet for this stage of the testing. The proxy will keep track of every request and response between you and the application as you walk through it. Additionally, at this point, testers usually trap every request and response so that they can see exactly every header, parameter, etc. that is being passed to the application and what is being returned. This can be quite tedious at times, especially on large interactive sites (think of a banking application). However, experience will teach you what to look for, and, therefore, this phase can be significantly reduced. As you walk through the application, take note of any interesting parameters in the URL, custom headers, or body of the requests/responses, and save them in your spreadsheet. The spreadsheet should include the page you requested (it might be good to also add the request number from the proxy, for future reference), the interesting parameters, the type of request (POST/GET), if access is authenticated/unauthenticated, if SSL is used, if it's part of a multi-step process, and any other relevant notes. Once you have every area of the application mapped out, then you can go through the application and test each of the areas that you have identified and make notes for what worked and what didn't work. The rest of this guide will identify how to test each of these areas of interest, but this section must be undertaken before any of the actual testing can commence.

Below are some points of interests for all requests and responses. Within the requests section, focus on the GET and POST methods, as these appear the majority of the requests. Note that other methods, such as PUT and DELETE, can be used. Often, these more rare requests, if allowed, can expose vulnerabilities. There is a special section in this guide dedicated for testing these HTTP methods.

'''Requests:'''
* Identify where GETs are used and where POSTs are used.
* Identify all parameters used in a POST request (these are in the body of the request).
* Within the POST request, pay special attention to any hidden parameters. When a POST is sent all the form fields (including hidden parameters) will be sent in the body of the HTTP message to the application. These typically aren't seen unless you are using a proxy or view the HTML source code. In addition, the next page you see, its data, and your access can all be different depending on the value of the hidden parameter(s).
* Identify all parameters used in a GET request (i.e., URL), in particular the query string (usually after a ? mark).
* Identify all the parameters of the query string. These usually are in a pair format, such as foo=bar. Also note that many parameters can be in one query string such as separated by a &, ~, :, or any other special character or encoding.
* A special note when it comes to identifying multiple parameters in one string or within a POST request is that some or all of the parameters will be needed to execute your attacks. You need to identify all of the parameters (even if encoded or encrypted) and identify which ones are processed by the application. Later sections of the guide will identify how to test these parameters. At this point, just make sure you identify each one of them.
* Also pay attention to any additional or custom type headers not typically seen (such as debug=False).

'''Responses:'''
*Identify where new cookies are set (Set-Cookie header), modified, or added to.
*Identify where there are any redirects (300 HTTP status code), 400 status codes, in particular 403 Forbidden, and 500 internal server errors during normal responses (i.e., unmodified requests).
*Also note where any interesting headers are used. For example, "Server: BIG-IP" indicates that the site is load balanced. Thus, if a site is load balanced and one server is incorrectly configured, then you might have to make multiple requests to access the vulnerable server, depending on the type of load balancing used.

=== Black Box testing and example ===
'''Testing for application entry points:''' 
The following are two examples on how to check for application entry points. 

====EXAMPLE 1====
This example shows a GET request that would purchase an item from an online shopping application.

GET https://x.x.x.x/shoppingApp/buyme.asp?CUSTOMERID=100&ITEM=z101a&PRICE=62.50&IP=x.x.x.x
Host: x.x.x.x
Cookie: SESSIONID=Z29vZCBqb2IgcGFkYXdhIG15IHVzZXJuYW1lIGlzIGZvbyBhbmQgcGFzc3dvcmQgaXMgYmFy

'''Result Expected:'''

Here you would note all the parameters of the request such as CUSTOMERID, ITEM, PRICE, IP, and the Cookie (which could just be encoded parameters or used for session state).

====EXAMPLE 2====
This example shows a POST request that would log you into an application.

POST https://x.x.x.x/KevinNotSoGoodApp/authenticate.asp?service=login
Host: x.x.x.x
Cookie: SESSIONID=dGhpcyBpcyBhIGJhZCBhcHAgdGhhdCBzZXRzIHByZWRpY3RhYmxlIGNvb2tpZXMgYW5kIG1pbmUgaXMgMTIzNA==
CustomCookie=00my00trusted00ip00is00x.x.x.x00

Body of the POST message:

user=admin&pass=pass123&debug=true&fromtrustIP=true

'''Result Expected:'''

In this example you would note all the parameters as you have before but notice that the parameters are passed in the body of the message and not in the URL. Additionally, note that there is a custom cookie that is being used.

=== Gray Box testing and example ===

Testing for application entry points via a Gray Box methodology would consist of everything already identified above with one caveat. This would be if there are any external sources from which the application receives data and processes it (such as SNMP traps, syslog messages, SMTP, or SOAP messages from other servers). If there are any external sources of input into the application then a meeting with the application developers could identify any functions that would accept or expect user input and how it's formatted. For example, the developer could help in understanding how to formulate a correct SOAP request that the application would accept and where the web service resides (if the web service or any other function hasn't already been identified during the black box testing).

== Tools ==

'''Intercepting Proxy:''' 

*OWASP: [[OWASP_Zed_Attack_Proxy_Project| Zed Attack Proxy (ZAP)]]
* [http://www.portswigger.net/burp/ Burp Suite]
* [http://www.contextis.com/research/tools/cat/ CAT]

'''Browser Plug-in:''' 

*[http://www.bayden.com/TamperIE/ TamperIE for Internet Explorer]
*[https://addons.mozilla.org/en-US/firefox/addon/966 Tamper Data for Firefox]

== References ==

'''Whitepapers''' 

*RFC 2616 – Hypertext Transfer Protocol – HTTP 1.1 -
http://tools.ietf.org/html/rfc2616

Map execution paths through application (OTG-INFO-007)

2013-10-28T08:36:35Z

Amro Ahmed:

{{Template:OWASP Testing Guide v4}}

== Summary ==

Before commencing security testing, understanding the structure of the application is paramount. Without a thorough understanding of the layout of the application, it is unlkely that it will be tested thoroughly.

== Test Objectives ==

== How to Test ==

In black box testing it is extremely difficult to test the entire code base. Not just because the tester has no view of the code paths through the application, but even if they did, to test all code paths would be very time consuming. One way to reconcile this is to document what code paths were discovered and tested.

There are several ways to approach the testing and measurement of code coverage:

* '''Path''' - test each of the paths through an application which includes combinatorial and boundary value analysis testing for each decision path. While this approach offers thoroughness, the number of testable paths grows exponentially with each decision branch.
* '''Data flow (or taint analysis)''' - tests the assignment of variables via external interaction (normally users). Focuses on mapping the flow, transformation and use of data throughout an application.
* '''Race''' - tests multiple concurrent instances of the application manipulating the same data.

The trade off as to what method is used and to what degree each method is used should be negotiated with the application owner. Simpler approaches could also be adopted, including asking the application owner what functions or code sections they are particularly concerned about and how those code segments can be reached.

''' Black Box testing '''

The demonstrate code coverage to the application owner the tester can start with a spreadsheet and documenting the links discovered by spidering the application (either manually or automatically). Then the tester can being looking more closely at decision points in the application and investigating how many significant code paths are discovered, documenting them in the spreadsheet with URLs, prose and screenshot descriptions of the paths discovered.

''' Gray/White Box testing '''

Ensuring sufficient code coverage for the application owner is far easier with the gray and white box approach to testing. Information solicited by and provided to the tester will ensure the minimum requirements for code coverage are met.

=== Example ===

''' Automatic Spidering '''

The automatic spider is a tool than is used to automatically discover new resources (URLs) on a particular Site. It begins with a list of URLs to visit, called the seeds, which depends on how the Spider is started. While there are a lot of Spidering tools, we will use the [https://code.google.com/p/zaproxy/ Zed Attack Proxy (ZAP)] in the following example

[[File:OWASPZAPSP.png |1050px|]]

[https://code.google.com/p/zaproxy/ ZAP] offers the following automatic spidering features, which can be selected based on the tester needs

*Spider Site - The seed list contains all the existing URIs already found for the selected site.
*Spider Subtree - The seed list contains all the existing URIs already found and present in the subtree of the selected node.
*Spider URL - The seed list contains only the URI corresponding to the selected node (in the Site Tree).
*Spider all in Scope - The seed list contains all the URIs the user has selected as being 'In Scope'.

== Tools ==

* [https://code.google.com/p/zaproxy/ Zed Attack Proxy (ZAP)]

* [http://en.wikipedia.org/wiki/List_of_spreadsheet_software List of spreadsheet software]

* [http://en.wikipedia.org/wiki/Diagramming_software Diagramming software]

== Vulnerability References ==

'''Whitepapers'''

[1] http://en.wikipedia.org/wiki/Code_coverage

== Remediation ==

Map execution paths through application (OTG-INFO-007)

2013-10-28T08:06:21Z

Amro Ahmed:

{{Template:OWASP Testing Guide v4}}

== Summary ==

Before commencing security testing, understanding the structure of the application is paramount. Without a thorough understanding of the layout of the application, it is unlkely that it will be tested thoroughly.

== Test Objectives ==

== How to Test ==

In black box testing it is extremely difficult to test the entire code base. Not just because the tester has no view of the code paths through the application, but even if they did, to test all code paths would be very time consuming. One way to reconcile this is to document what code paths were discovered and tested.

There are several ways to approach the testing and measurement of code coverage:

* '''Path''' - test each of the paths through an application which includes combinatorial and boundary value analysis testing for each decision path. While this approach offers thoroughness, the number of testable paths grows exponentially with each decision branch.
* '''Data flow (or taint analysis)''' - tests the assignment of variables via external interaction (normally users). Focuses on mapping the flow, transformation and use of data throughout an application.
* '''Race''' - tests multiple concurrent instances of the application manipulating the same data.

The trade off as to what method is used and to what degree each method is used should be negotiated with the application owner. Simpler approaches could also be adopted, including asking the application owner what functions or code sections they are particularly concerned about and how those code segments can be reached.

''' Black Box testing '''

The demonstrate code coverage to the application owner the tester can start with a spreadsheet and documenting the links discovered by spidering the application (either manually or automatically). Then the tester can being looking more closely at decision points in the application and investigating how many significant code paths are discovered, documenting them in the spreadsheet with URLs, prose and screenshot descriptions of the paths discovered.

''' Gray/White Box testing '''

Ensuring sufficient code coverage for the application owner is far easier with the gray and white box approach to testing. Information solicited by and provided to the tester will ensure the minimum requirements for code coverage are met.

=== Example ===

''' Automatic Spidering '''

The automatic spider is a tool than is used to automatically discover new resources (URLs) on a particular Site. It begins with a list of URLs to visit, called the seeds, which depends on how the Spider is started. While there are a lot of Spidering tools, we will use the Zed Attack Proxy (ZAP) in the below screenshot

[[File:OWASPZAPSP.png |1050px|]]

ZAP offers the following automatic spidering features, which can be selected based on the tester needs

*Spider Site - The seed list contains all the existing URIs already found for the selected site.
*Spider Subtree - The seed list contains all the existing URIs already found and present in the subtree of the selected node.
*Spider URL - The seed list contains only the URI corresponding to the selected node (in the Site Tree).
*Spider all in Scope - The seed list contains all the URIs the user has selected as being 'In Scope'.

== Tools ==

* Spidering (either manual or software assisted)

* Spreadsheet software

* Screenshot software

* Diagramming software

== Vulnerability References ==

'''Whitepapers'''

[1] http://en.wikipedia.org/wiki/Code_coverage

== Remediation ==

File:OWASPZAPSP.png

2013-10-28T07:05:37Z

Amro Ahmed:

User:Amro Ahmed

2013-10-22T12:07:24Z

Amro Ahmed:

Amro AlOlaqi joined OWASP back in 2008. ( My old user account: https://www.owasp.org/index.php/User:Amro )

Amro currently works as a Sr. Consultant at Verizon (Threat & Vulnerability). Prior joining Verizon, Amro worked for BAE Systems, Saudi Aramco, IS, and Red Hat, he has more than 8 years of experience in Information security. He started his professional career at early age, since then, he engaged the field of UNIX/Linux engineering and systems’ security. He carried out penetration tests, application , vulnerability assessments and security audits for prestigious organizations. Moreover, his expertise extends across industry verticals, security technologies plus hacking tools and techniques. Amro hold well-recognized international certifications such as CISSP, GCIH, GHTQ, LPT, CEH, CHFI, RHCE, SCSA, Linux+, LPIC1/2 SCSECA, and Certified ISO 27001 LA/LI

'''''OWASP Involvement'''''
* Chapter leader: Saudi Arabia
* Chapter leader: Untied Arab Emirates
* Contributor: OWASP Testing Guide v4
* Contributor: OWASP Web Application Security Testing Cheat Sheet
* Contributor: OWASP Zed Attack Proxy Project
* Volunteer: OWASP Periodic Table of Vulnerabilities
* Volunteer: OWASP AppSec USA 2013.

'''''Media Interaction'''''

*Appeared in 13 TV shows, some of which in the biggest news channels in the Middle East.
*Published +20 newspaper articles to increase the public awareness about Information Security.

After my humble interaction with the Middle East media, I shifted my interest and focus to increase the Application Security awareness among business corporates and GCC governments. Please refer to Public Speaking for more information.

'''''Public Speaking'''''
*Speaker: IDC's IT Security Roadshow - Dubai
*Speaker: Application Security and OWASP at i-safe – UAE
*Speaker: Ethical Hacking at the ‘Compliance and Beyond’ - Saudi.
*Speaker: Web Application Security at F5 - Saudi.
*Speaker: OWASP The Power of Code Review, Netherlands
*Speaker: Web Application Security and OWASP top 10 at ISACA Jeddah – Saudi
*Speaker: Web App Critical Vulnerabilities and OWASP's ESAPI at The Cyber Information Security Summit - UAE
*Speaker: Information Security Awareness at Arabou University - Saudi.
*Speaker: Threat Modeling and Penetration test at IT for Government - UAE
*Speaker: Ethical Hacking and penetration testing at Microsoft Open Doors – Saudi.
*Speaker: Ethical Hacking and penetration testing at Microsoft Open Doors – Saudi.
*Speaker: OWASP Testing Guide at OWASP - Saudi.

* Speaker: OWASP's introduction and projects at the open university - Saudi

'''Get in touch with me. https://twitter.com/Amro_AlOlaqi LinkedIn: http://www.linkedin.com/in/iamro'''

OWASP Testing Guide v4 Table of Contents

2013-10-21T21:44:43Z

Amro Ahmed:

{{OWASP Breakers}}
__NOTOC__

'''This is the DRAFT of the table of content of the New Testing Guide v4.''' 
 You can download the stable version v3 [http://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf here] 

Back to the OWASP Testing Guide Project:
http://www.owasp.org/index.php/OWASP_Testing_Project

'''Updated: 15th February 2013'''

[[ OWTGv4 Contributors list|'''Contributors List]]

----

The following is a DRAFT of the Toc based on the feedback already received.

== Table of Contents ==

==[[Testing Guide Foreword|Foreword by Eoin Keary]]==
[To review--> Eoin Keary -> Done!!]

==[[Testing Guide Frontispiece |1. Frontispiece]]==
[To review--> Mat]

'''[[Testing Guide Frontispiece|1.1 About the OWASP Testing Guide Project]]'''
[To review--> Mat]

'''[[About The Open Web Application Security Project|1.2 About The Open Web Application Security Project]]'''
[To review--> ]

==[[Testing Guide Introduction|2. Introduction]]==

'''2.1 The OWASP Testing Project'''

'''2.2 Principles of Testing'''

'''2.3 Testing Techniques Explained'''

2.4 [https://www.owasp.org/index.php/Testing_Guide_Introduction#Security_Requirements_Test_Derivation Security requirements test derivation],[https://www.owasp.org/index.php/Testing_Guide_Introduction#Functional_and_Non_Functional_Test_Requirements functional and non functional test requirements], and [https://www.owasp.org/index.php/Testing_Guide_Introduction#Test_Cases_Through_Use_and_Misuse_Cases test cases through use and misuse cases]

2.5 [https://www.owasp.org/index.php/Testing_Guide_Introduction#Security_Test_Data_Analysis_and_Reporting Security test data analysis and reporting: root cause identification and business/role case test data reporting]

==[[The OWASP Testing Framework|3. The OWASP Testing Framework]]==

'''3.1. Overview'''

'''3.2. Phase 1: Before Development Begins '''

'''3.3. Phase 2: During Definition and Design'''

'''3.4. Phase 3: During Development'''

'''3.5. Phase 4: During Deployment'''

'''3.6. Phase 5: Maintenance and Operations'''

'''3.7. A Typical SDLC Testing Workflow '''

==[[Web Application Penetration Testing |4. Web Application Penetration Testing ]]==

[[Testing: Introduction and objectives|'''4.1 Introduction and Objectives''']] [To review--> Mat]

[[Testing Checklist| 4.1.1 Testing Checklist]] [To review at the end of brainstorming --> Mat]

[[Testing Information Gathering|'''4.2 Information Gathering ''']]

[[Testing: Search engine discovery/reconnaissance (OWASP-IG-002)|4.2.1 Conduct Search Engine Discovery and Reconnaissance for Information Leakage (OTG-INFO-001) ]] formerly "Search Engine Discovery/Reconnaissance (OWASP-IG-002)"

[[Fingerprint Web Server (OTG-INFO-002)|4.2.2 Fingerprint Web Server (OTG-INFO-002) ]] formerly "Testing for Web Application Fingerprint (OWASP-IG-004)"

[[Testing: Spiders, Robots, and Crawlers (OWASP-IG-001)|4.2.3 Review Webserver Metafiles for Information Leakage (OTG-INFO-003) ]] formerly "Spiders, Robots and Crawlers (OWASP-IG-001)"

[[Testing for Application Discovery (OWASP-IG-005)|4.2.4 Enumerate Applications on Webserver (OTG-INFO-004) ]] formerly "Application Discovery (OWASP-IG-005)"

[[Testing Review webpage comments and metadata(OWASP-IG-007)|4.2.5 Review Webpage Comments and Metadata for Information Leakage (OTG-INFO-005) ]] formerly "Review webpage comments and metadata(OWASP-IG-007)"

[[Testing: Identify application entry points (OWASP-IG-003)|4.2.6 Identify application entry points (OTG-INFO-006) ]] formerly "Identify application entry points (OWASP-IG-003)"

[[Testing Identify application exit/handover points (OWASP-IG-008)|4.2.7 Identify application exit/handover points (OTG-INFO-007) ]] formerly "Identify application exit/handover points (OWASP-IG-008)"

[[Testing Map execution paths through application (OWASP-IG-009)|4.2.8 Map execution paths through application (OTG-INFO-008)]] formerly "Map execution paths through application (OWASP-IG-009)"

[[Fingerprint Web Application Framework (OTG-INFO-009)|4.2.9 Fingerprint Web Application Framework (OTG-INFO-009) ]] formerly "Testing for Web Application Fingerprint (OWASP-IG-010)" '''Ready to be reviewed'''

[[Testing for Web Application (OTG-INFO-011)|4.2.10 Fingerprint Web Application (OTG-INFO-010) ]] formerly "Testing for Web Application Fingerprint (OWASP-IG-010)" [Amro AlOlaqi] '''Ready to be reviewed'''

[[Map Network and Application Architecture (OTG-INFO-012)|4.2.11 Map Network and Application Architecture (OTG-INFO-011) ]] formerly "Testing for Infrastructure Configuration Management Testing weakness (OWASP-CM-001)" [Amro AlOlaqi] '''Ready to be reviewed'''

[[Testing for configuration management|'''4.3 Configuration and Deploy Management Testing ''']]

[[Testing for infrastructure configuration management (OWASP-CM-003)|4.3.1 Test Network/Infrastructure Configuration (OTG-CONFIG-001) ]] formerly "Testing for Infrastructure Configuration Management Testing weakness (OWASP-CM-001)"

[[Testing for application configuration management (OWASP-CM-004)|4.3.2 Test Application Platform Configuration (OTG-CONFIG-002) ]] formerly "Testing for Application Configuration Management weakness (OWASP-CM-002)" [Amro AlOlaqi] '''Ready to be reviewed'''

[[Testing for file extensions handling (OWASP-CM-005)|4.3.3 Test File Extensions Handling for Sensitive Information (OTG-CONFIG-003) ]] formerly "Testing for File Extensions Handling (OWASP-CM-003)"

[[Testing for Old, Backup and Unreferenced Files (OWASP-CM-006)|4.3.4 Review Old, Backup and Unreferenced Files for Sensitive Information (OTG-CONFIG-004) ]] formerly "Old, Backup and Unreferenced Files (OWASP-CM-004)"

[[Testing for Admin Interfaces (OWASP-CM-007)|4.3.5 Enumerate Infrastructure and Application Admin Interfaces (OTG-CONFIG-005) ]] formerly "Infrastructure and Application Admin Interfaces (OWASP-CM-005)" [Amro AlOlaqi] '''Ready to be reviewed'''

[[Testing for HTTP Methods and XST (OWASP-CM-008)|4.3.6 Test HTTP Methods (OTG-CONFIG-006) ]] formerly "Testing for Bad HTTP Methods (OWASP-CM-006)"

[[Testing for Database credentials/connection strings available|4.3.7 Testing for Database credentials/connection strings available (OTG-CONFIG-007) ]] formerly "Testing for Database credentials/connection strings available (OWASP-CM-007)"

[[Testing for Content Security Policy weakness|4.3.8 Test Content Security Policy (OTG-CONFIG-008) ]] formerly "Testing for Content Security Policy weakness (OWASP-CM-008)"

[[Testing for Missing HSTS header|4.3.9 Test HTTP Strict Transport Security (OTG-CONFIG-009) ]] formerly "Testing for Missing HSTS header (OWASP-CM-009)"

[[Testing for Frame Options|4.3.10 Test Frame Options (OTG-CONFIG-010) ]]

[[Testing for RIA policy files weakness|4.3.11 Test RIA cross domain policy (OTG-CONFIG-011) ]] formerly "Testing for RIA policy files weakness (OWASP-CM-010)"

[[Testing for Content Type Options|4.3.12 Test Content Type Options (OTG-CONFIG-012) ]] new

[[Testing Identity Management|'''4.4 Identity Management Testing''']]

[[Test Role Definitions (OTG-IDENT-001)|4.4.1 Test Role Definitions (OTG-IDENT-001)]] New

[[Test User Registration Process (OTG-IDENT-002)|4.4.2 Test User Registration Process (OTG-IDENT-002)]] New

[[Test Account Provisioning Process (OTG-IDENT-003)|4.4.3 Test Account Provisioning Process (OTG-IDENT-003)]] New

[[Testing for Account Enumeration and Guessable User Account (OWASP-AT-002)|4.4.4 Testing for Account Enumeration and Guessable User Account (OTG-IDENT-004) ]] formerly "Testing for Account Enumeration and Guessable User Account (OWASP-AT-002)"

[[Testing for Weak or unenforced username policy (OWASP-AT-009)| 4.4.5 Testing for Weak or unenforced username policy (OTG-IDENT-005)]] formerly "Testing for Weak or unenforced username policy (OWASP-AT-009)

[[Test Permissions of Guest/Training Accounts (OTG-IDENT-006)|4.4.6 Test Permissions of Guest/Training Accounts (OTG-IDENT-006)]] New

[[Test Account Suspension/Resumption Process (OTG-IDENT-007)|4.4.7 Test Account Suspension/Resumption Process (OTG-IDENT-007)]] New

[[Test User Deregistration Process (OTG-IDENT-008)|4.4.8 Test User Deregistration Process (OTG-IDENT-008)]] New

[[Test Account Deregistration Process (OTG-IDENT-009)|4.4.9 Test Account Deregistration Process (OTG-IDENT-009)]] New

[[Testing for authentication|'''4.5 Authentication Testing ''']]

[[Testing for Credentials Transported over an Encrypted Channel (OWASP-AT-001)|4.5.1 Testing for Credentials Transported over an Encrypted Channel (OTG-AUTHN-001)]] formerly "Testing for Credentials Transported over an Encrypted Channel (OWASP-AT-001)"

[[Testing for default credentials (OWASP-AT-003)|4.5.2 Testing for default credentials (OTG-AUTHN-002)]] formerly "Testing for default credentials (OWASP-AT-003)"

[[Testing for Weak lock out mechanism (OWASP-AT-004)|4.5.3 Testing for Weak lock out mechanism (OTG-AUTHN-003)]] formerly "Testing for Weak lock out mechanism (OWASP-AT-004)"

[[Testing for Bypassing Authentication Schema (OWASP-AT-005)|4.5.4 Testing for bypassing authentication schema (OTG-AUTHN-004)]] formerly "Testing for bypassing authentication schema (OWASP-AT-005)"

[[Testing for Vulnerable Remember Password (OWASP-AT-006)|4.5.5 Test remember password functionality (OTG-AUTHN-005)]] formerly "Testing for vulnerable remember password functionality (OWASP-AT-006)"

[[Testing for Browser cache weakness (OWASP-AT-007)|4.5.6 Testing for Browser cache weakness (OTG-AUTHN-006)]] formerly "Testing for Browser cache weakness (OWASP-AT-007)"

[[Testing for Weak password policy (OWASP-AT-008)|4.5.7 Testing for Weak password policy (OTG-AUTHN-007)]] formerly "Testing for Weak password policy (OWASP-AT-008)"

[[Testing for Weak security question/answer (OTG-AUTHN-008)|4.5.8 Testing for Weak security question/answer (OTG-AUTHN-008)]] New! - Robert Winkel

[[Testing for weak password change or reset functionalities (OWASP-AT-011)|4.5.9 Testing for weak password change or reset functionalities (OTG-AUTHN-009)]] formerly "Testing for weak password change or reset functionalities (OWASP-AT-011)"

[[Testing for Weaker authentication in alternative channel (OTG-AUTHN-010)|4.5.10 Testing for Weaker authentication in alternative channel (OTG-AUTHN-010)]] (e.g. mobile app, IVR, help desk)

[[Testing for Authorization|'''4.6 Authorization Testing''']]

[[Test Management of Account Permissions (OTG-AUTHZ-001)|4.6.1 Test Management of Account Permissions (OTG-AUTHZ-001)]] New

[[Testing for Path Traversal (OWASP-AZ-001)|4.6.2 Testing Directory traversal/file include (OTG-AUTHZ-002)]] formerly "Testing Directory traversal/file include (OWASP-AZ-001)"

[[Testing for Bypassing Authorization Schema (OWASP-AZ-002)|4.6.3 Testing for bypassing authorization schema (OTG-AUTHZ-003)]] formerly "Testing for bypassing authorization schema (OWASP-AZ-002)"

[[Testing for Privilege escalation (OWASP-AZ-003)|4.6.4 Testing for Privilege Escalation (OTG-AUTHZ-004)]] formerly "Testing for Privilege Escalation (OWASP-AZ-003)"

[[Testing for Insecure Direct Object References (OWASP-AZ-004)|4.6.5 Testing for Insecure Direct Object References (OTG-AUTHZ-005)]] formerly "Testing for Insecure Direct Object References (OWASP-AZ-004)"

[[Testing for Failure to Restrict access to authorized resource (OWASP-AZ-005)|4.6.6 Testing for Failure to Restrict access to authorized resource (OTG-AUTHZ-006)]] formerly "Testing for Failure to Restrict access to authorized resource (OWASP-AZ-005)"

[[Test privileges of server components (OTG-AUTHZ-007)|4.6.7 Test privileges of server components (OTG-AUTHZ-007)]] (e.g. indexing service, reporting interface, file generator)

[[Test enforcement of application entry points (OTG-AUTHZ-008)|4.6.8 Test enforcement of application entry points (OTG-AUTHZ-008)]] (including exposure of objects)

[[Testing for failure to restrict access to authenticated resource(OWASP-AT-010)|4.6.9 Testing for failure to restrict access to authenticated resource (OTG-AUTHZ-009)]] formerly "Testing for failure to restrict access to authenticated resource (OWASP-AT-010)"

[[Testing for Session Management|'''4.7 Session Management Testing''']]

[[Testing for Session_Management_Schema (OWASP-SM-001)|4.7.1 Testing for Bypassing Session Management Schema (OTG-SESS-001)]] formerly "Testing for Bypassing Session Management Schema (OWASP-SM-001)"

[[Testing for cookies attributes (OWASP-SM-002)|4.7.2 Testing for Cookies attributes (OTG-SESS-002)]] formerly "Testing for Cookies attributes (OWASP-SM-002)" (Cookies are set not ‘HTTP Only’, ‘Secure’, and no time validity)

[[Testing for Session Fixation (OWASP-SM-003)|4.7.3 Testing for Session Fixation (OTG-SESS-003)]] formerly "Testing for Session Fixation (OWASP-SM-003)"

[[Testing for Exposed Session Variables (OWASP-SM-004)|4.7.4 Testing for Exposed Session Variables (OTG-SESS-004)]] formerly "Testing for Exposed Session Variables (OWASP-SM-004)"

[[Testing for CSRF (OWASP-SM-005)|4.7.5 Testing for Cross Site Request Forgery (CSRF) (OTG-SESS-005)]] formerly "Testing for Cross Site Request Forgery (CSRF) (OWASP-SM-005)"

[[Test Session Token Strength (OTG-SESS-006)|4.7.6 Test Session Token Strength (OTG-SESS-006)]]

[[Testing for logout functionality (OWASP-SM-007)|4.7.7 Testing for logout functionality (OTG-SESS-007)]] formerly "Testing for logout functionality (OWASP-SM-007)"

[[Testing for Session puzzling (OWASP-SM-008)|4.7.8 Testing for Session puzzling (OWASP-SM-008)]]

[[Test Session Timeout (OTG-SESS-008)|4.7.8 Test Session Timeout (OTG-SESS-008)]]

[[Test multiple concurrent sessions (OTG-SESS-009)|4.7.9 Test multiple concurrent sessions (OTG-SESS-009)]]

[[Testing for Data Validation|'''4.8 Data Validation Testing''']]

[[Testing for Reflected Cross site scripting (OWASP-DV-001) |4.8.1 Testing for Reflected Cross Site Scripting (OTG-INPVAL-001)]] formerly "Testing for Reflected Cross Site Scripting (OWASP-DV-001)"

[[Testing for Stored Cross site scripting (OWASP-DV-002) |4.8.2 Testing for Stored Cross Site Scripting (OTG-INPVAL-002)]] formerly "Testing for Stored Cross Site Scripting (OWASP-DV-002)"

[[Testing for HTTP Verb Tampering (OWASP-DV-003)|4.8.3 Testing for HTTP Verb Tampering (OTG-INPVAL-003)]] formerly "Testing for HTTP Verb Tampering (OWASP-DV-003)"

[[Testing for HTTP Parameter pollution (OWASP-DV-004)|4.8.4 Testing for HTTP Parameter pollution (OTG-INPVAL-004) ]] formerly "Testing for HTTP Parameter pollution (OWASP-DV-004)"

[[Testing for Unvalidated Redirects and Forwards (OWASP-DV-004)|4.8.5 Testing for Unvalidated Redirects and Forwards (OTG-INPVAL-005) ]] formerly "Testing for Unvalidated Redirects and Forwards (OWASP-DV-004)"

[[Testing for SQL Injection (OWASP-DV-005)| 4.8.6 Testing for SQL Injection (OTG-INPVAL-006)]] formerly "Testing for SQL Injection (OWASP-DV-005)" '''Ready to be reviewed'''

[[Testing for Oracle|4.8.6.1 Oracle Testing]]

[[Testing for MySQL|4.8.6.2 MySQL Testing [Ismael Gonçalves]]]

[[Testing for SQL Server|4.8.6.3 SQL Server Testing]]

[[OWASP_Backend_Security_Project_Testing_PostgreSQL|4.8.6.4 Testing PostgreSQL (from OWASP BSP) ]]

[[Testing for MS Access |4.8.6.5 MS Access Testing]]

[[Testing for NoSQL injection|4.8.6.6 Testing for NoSQL injection [New!]]]

[[Testing for LDAP Injection (OWASP-DV-006)|4.8.7 Testing for LDAP Injection (OTG-INPVAL-007)]] formerly "Testing for LDAP Injection (OWASP-DV-006)"

[[Testing for ORM Injection (OWASP-DV-007)|4.8.8 Testing for ORM Injection (OTG-INPVAL-008)]] formerly "Testing for ORM Injection (OWASP-DV-007)"

[[Testing for XML Injection (OWASP-DV-008)|4.8.9 Testing for XML Injection (OTG-INPVAL-009)]] formerly "Testing for XML Injection (OWASP-DV-008)"

[[Testing for SSI Injection (OWASP-DV-009)|4.8.10 Testing for SSI Injection (OTG-INPVAL-010)]] formerly "Testing for SSI Injection (OWASP-DV-009)"

[[Testing for XPath Injection (OWASP-DV-010)|4.8.11 Testing for XPath Injection (OTG-INPVAL-011)]] formerly "Testing for XPath Injection (OWASP-DV-010)"

[[Testing for IMAP/SMTP Injection (OWASP-DV-011)|4.8.12 IMAP/SMTP Injection (OTG-INPVAL-012)]] formerly "IMAP/SMTP Injection (OWASP-DV-011)"

[[Testing for Code Injection (OWASP-DV-012)|4.8.13 Testing for Code Injection (OTG-INPVAL-013)]] formerly "Testing for Code Injection (OWASP-DV-012)"

[[Testing for Local File Inclusion|4.8.13.1 Testing for Local File Inclusion]] [Alexander Antukh]

[[Testing for Remote File Inclusion|4.8.13.2 Testing for Remote File Inclusion]] [Alexander Antukh]

[[Testing for Command Injection (OWASP-DV-013)|4.8.14 Testing for Command Injection (OTG-INPVAL-014)]] formerly "Testing for Command Injection (OWASP-DV-013)"

[[Testing for Buffer Overflow (OWASP-DV-014)|4.8.15 Testing for Buffer overflow (OTG-INPVAL-015)]] formerly "Testing for Buffer overflow (OWASP-DV-014)"

[[Testing for Heap Overflow|4.8.15.1 Testing for Heap overflow]]

[[Testing for Stack Overflow|4.8.15.2 Testing for Stack overflow]]

[[Testing for Format String|4.8.15.3 Testing for Format string]]

[[Testing for Incubated Vulnerability (OWASP-DV-015)|4.8.16 Testing for incubated vulnerabilities (OTG-INPVAL-016)]] formerly "Testing for incubated vulnerabilities (OWASP-DV-015)"

[[Testing for HTTP Splitting/Smuggling (OWASP-DV-016)|4.8.17 Testing for HTTP Splitting/Smuggling (OTG-INPVAL-017) ]] formerly "Testing for HTTP Splitting/Smuggling (OWASP-DV-016)" [Juan Galiana]

[[Error Handling|'''4.9 Error Handling''']]

[[Testing for Error Code (OWASP-IG-006)|4.9.1 Analysis of Error Codes (OTG-ERR-001)]] formerly "Analysis of Error Codes (OWASP-IG-006)"

[[Testing for Stack Traces (OWASP-IG-XXX)|4.9.2 Analysis of Stack Traces (OTG-ERR-002)]] formerly "Analysis of Stack Traces"

[[Cryptography|'''4.10 Cryptography''']]

[[Testing for Insecure encryption usage (OWASP-EN-001)| 4.10.1 Testing for Insecure encryption usage (OTG-CRYPST-001)]] formerly "Testing for Insecure encryption usage (OWASP-EN-001)"

[[Testing for Weak SSL/TSL Ciphers, Insufficient Transport Layer Protection (OWASP-EN-002)| 4.10.2 Testing for Weak SSL/TSL Ciphers, Insufficient Transport Layer Protection (OTG-CRYPST-002)]] formerly "Testing for Weak SSL/TSL Ciphers, Insufficient Transport Layer Protection (OWASP-EN-002)"

[[Testing for Padding Oracle (OWASP-EN-003)| 4.10.3 Testing for Padding Oracle (OTG-CRYPST-003)]] formerly "Testing for Padding Oracle (OWASP-EN-003)"

[[Testing for Cacheable HTTPS Response (OTG-CRYPST-004)| 4.10.4 Testing for Cacheable HTTPS Response (OTG-CRYPST-004)]]

[[Test Cache Directives (OTG-CRYPST-005)|4.10.5 Test Cache Directives (OTG-CRYPST-005)]]

[[Testing for Insecure Cryptographic Storage (OTG-CRYPST-006)|4.10.6 Testing for Insecure Cryptographic Storage (OTG-CRYPST-006)]]

[[Testing for Sensitive information sent via unencrypted channels (OTG-CRYPST-007)|4.10.7 Testing for Sensitive information sent via unencrypted channels (OTG-CRYPST-007)]]

[[Test Cryptographic Key Management (OTG-CRYPST-008)|4.10.8 Test Cryptographic Key Management (OTG-CRYPST-008)]]

[[Logging|'''4.11 Logging''']] Not convinced Logging should be included as it requires access to logs to test

[[Test time synchronisation (OTG-LOG-001)|4.11.1 Test time synchronisation (OTG-LOG-001) ]] formerly "Incorrect time"

[[Test user-viewable log of authentication events (OTG-LOG-002)|4.11.2 Test user-viewable log of authentication events (OTG-LOG-002)]]

[[Testing for business logic (OWASP-BL-001)|'''4.12 Business Logic Testing (OWASP-BL-001)''']] [To review--> David Fern]
Business Logic 

[[Test business logic data validation (OTG-BUSLOGIC-001)|4.12.1 Test business logic data validation (OTG-BUSLOGIC-001)]] [New!] NOTE MAT: to discuss this section

[[Test Ability to forge requests (OTG-BUSLOGIC-002)|4.12.2 Test Ability to forge requests (OTG-BUSLOGIC-002)]] [New!]

[[Test integrity checks (OTG-BUSLOGIC-003)|4.12.3 Test integrity checks (OTG-BUSLOGIC-003)]] (e.g. overwriting updates) [New!]

[[Test tamper evidence (OTG-BUSLOGIC-004)|4.12.4 Test tamper evidence (OTG-BUSLOGIC-004)]] [New!]

[[Test excessive rate (speed) of use limits (OTG-BUSLOGIC-005)|4.12.5 Test excessive rate (speed) of use limits (OTG-BUSLOGIC-005)]] [New!]

[[Test size of request limits (OTG-BUSLOGIC-006)|4.12.6 Test size of request limits (OTG-BUSLOGIC-006)]] [New!]

[[Test number of times a function can be used limits (OTG-BUSLOGIC-007)|4.12.7 Test number of times a function can be used limits (OTG-BUSLOGIC-002)]] [New!]

[[Test bypass of correct sequence (OTG-BUSLOGIC-008)|4.12.8 Test bypass of correct sequence (OTG-BUSLOGIC-008)]] [New!]

[[Test self-hosted payment cardholder data processing (OTG-BUSLOGIC-009)|4.12.9 Test self-hosted payment cardholder data processing (OTG-BUSLOGIC-009)]] [New!]

[[Test security incident reporting information (OTG-BUSLOGIC-010)|4.12.10 Test security incident reporting information (OTG-BUSLOGIC-010)]] [New!]

[[Test defenses against application mis-use (OTG-BUSLOGIC-011)|4.12.11 Test defenses against application mis-use (OTG-BUSLOGIC-011)]] [New!]

[[Denial of Service|'''4.13 Denial of Service''']]

[[Test Regular expression DoS (OTG-DOS-001)| 4.13.1 Test Regular expression DoS (OTG-DOS-001)]] [New!] note: to understand better 

[[Test XML DoS (OTG-DOS-002)| 4.13.2 Test XML DoS (OTG-DOS-002)]] [New! - Andrew Muller]

[[Testing for Captcha (OWASP-AT-012)|4.13.3 Testing for CAPTCHA (OTG-DOS-003)]] formerly "Testing for CAPTCHA (OWASP-AT-012)"

[[Web Service (XML Interpreter)|'''4.14 Web Service Testing''']] [Tom Eston]

[[Scoping a Web Service Test (OWASP-WS-001)|4.14.1 Scoping a Web Service Test (OTG-WEBSVC-001)]] formerly "Scoping a Web Service Test (OWASP-WS-001)"

[[WS Information Gathering (OWASP-WS-002)|4.14.2 WS Information Gathering (OTG-WEBSVC-002)]] formerly "WS Information Gathering (OWASP-WS-002)"

[[WS Authentication Testing (OWASP-WS-003)|4.14.3 WS Authentication Testing (OTG-WEBSVC-003)]] formerly "WS Authentication Testing (OWASP-WS-003)"

[[WS Management Interface Testing (OWASP-WS-004)|4.14.4 WS Management Interface Testing (OTG-WEBSVC-004)]] formerly "WS Management Interface Testing (OWASP-WS-004)"

[[Weak XML Structure Testing (OWASP-WS-005)|4.14.5 Weak XML Structure Testing (OTG-WEBSVC-005)]] formerly "Weak XML Structure Testing (OWASP-WS-005)"

[[XML Content-Level Testing (OWASP-WS-006)|4.14.6 XML Content-Level Testing (OTG-WEBSVC-006)]] formerly "XML Content-Level Testing (OWASP-WS-006)"

[[WS HTTP GET Parameters/REST Testing (OWASP-WS-007)|4.14.7 WS HTTP GET Parameters/REST Testing (OTG-WEBSVC-007)]] formerly "WS HTTP GET Parameters/REST Testing (OWASP-WS-007)"

[[WS Naughty SOAP Attachment Testing (OWASP-WS-008)|4.14.8 WS Naughty SOAP Attachment Testing (OTG-WEBSVC-008)]] formerly "WS Naughty SOAP Attachment Testing (OWASP-WS-008)"

[[WS Replay/MiTM Testing (OWASP-WS-009)|4.14.9 WS Replay/MiTM Testing (OTG-WEBSVC-009)]] formerly "WS Replay/MiTM Testing (OWASP-WS-009)"

[[WS BEPL Testing (OWASP-WS-010)|4.14.10 WS BEPL Testing (OTG-WEBSVC-010)]] formerly "WS BEPL Testing (OWASP-WS-010)"

[[Client Side Testing|'''4.15 Client Side Testing''']] [New!]

[[Testing for DOM-based Cross site scripting (OWASP-DV-003)|4.15.1 Testing for DOM based Cross Site Scripting (OTG-CLIENT-001)]] formerly "Testing for DOM based Cross Site Scripting (OWASP-CS-001)" [Stefano Di Paola]

[[Test Cross Origin Resource Sharing (OTG-CLIENT-002)|4.15.2 Test Cross Origin Resource Sharing (OTG-CLIENT-002)]] formerly "Testing for HTML5 (OWASP CS-002)" [Juan Galiana]

[[Testing for Cross site flashing (OWASP-DV-004)|4.15.3 Testing for Cross Site Flashing (OTG-CLIENT-003)]] formerly "Testing for Cross Site Flashing (OWASP-CS-003)"

[[Testing for Clickjacking (OWASP-CS-004)|4.15.4 Testing for Clickjacking (OTG-CLIENT-004)]] formerly "Testing for Clickjacking (OWASP-CS-004)" [Davide Danelon]

[[Testing WebSockets (OTG-CLIENT-005)|4.15.5 Testing WebSockets (OTG-CLIENT-005)]] [Ryan Dewhurst]

[[Test Web Messaging (OTG-CLIENT-006)|4.15.6 Test Web Messaging (OTG-CLIENT-006)]] [Juan Galiana]

[[Test Local Storage (OTG-CLIENT-007)|4.15.7 Test Local Storage (OTG-CLIENT-007)]] [Juan Galiana]

==[[Writing Reports: value the real risk |5. Writing Reports: value the real risk ]]==

[[How to value the real risk |5.1 How to value the real risk]] [To review--> Amro AlOlaqi] '''Ready to be reviewed'''

[[How to write the report of the testing |5.2 How to write the report of the testing]] [To review--> Amro AlOlaqi] '''Ready to be reviewed'''

==[[Appendix A: Testing Tools |Appendix A: Testing Tools ]]==

* Black Box Testing Tools [To review--> Amro AlOlaqi] '''Ready to be reviewed'''

==[[OWASP Testing Guide Appendix B: Suggested Reading | Appendix B: Suggested Reading]]==
* Whitepapers [To review--> David Fern]
* Books [To review--> David Fern]
* Useful Websites [To review--> David Fern]

==[[OWASP Testing Guide Appendix C: Fuzz Vectors | Appendix C: Fuzz Vectors]]==

* Fuzz Categories [To review--> Amro AlOlaqi] '''Ready to be reviewed'''

==[[OWASP Testing Guide Appendix D: Encoded Injection | Appendix D: Encoded Injection]]==
[To review--> Amro AlOlaqi] '''Ready to be reviewed'''

----

[[Category:OWASP Testing Project]]

OWASP Testing Guide v4 Table of Contents

2013-10-19T00:49:46Z

Amro Ahmed:

{{OWASP Breakers}}
__NOTOC__

'''This is the DRAFT of the table of content of the New Testing Guide v4.''' 
 You can download the stable version v3 [http://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf here] 

Back to the OWASP Testing Guide Project:
http://www.owasp.org/index.php/OWASP_Testing_Project

'''Updated: 15th February 2013'''

[[ OWTGv4 Contributors list|'''Contributors List]]

----

The following is a DRAFT of the Toc based on the feedback already received.

== Table of Contents ==

==[[Testing Guide Foreword|Foreword by Eoin Keary]]==
[To review--> Eoin Keary -> Done!!]

==[[Testing Guide Frontispiece |1. Frontispiece]]==
[To review--> Mat]

'''[[Testing Guide Frontispiece|1.1 About the OWASP Testing Guide Project]]'''
[To review--> Mat]

'''[[About The Open Web Application Security Project|1.2 About The Open Web Application Security Project]]'''
[To review--> ]

==[[Testing Guide Introduction|2. Introduction]]==

'''2.1 The OWASP Testing Project'''

'''2.2 Principles of Testing'''

'''2.3 Testing Techniques Explained'''

2.4 [https://www.owasp.org/index.php/Testing_Guide_Introduction#Security_Requirements_Test_Derivation Security requirements test derivation],[https://www.owasp.org/index.php/Testing_Guide_Introduction#Functional_and_Non_Functional_Test_Requirements functional and non functional test requirements], and [https://www.owasp.org/index.php/Testing_Guide_Introduction#Test_Cases_Through_Use_and_Misuse_Cases test cases through use and misuse cases]

2.5 [https://www.owasp.org/index.php/Testing_Guide_Introduction#Security_Test_Data_Analysis_and_Reporting Security test data analysis and reporting: root cause identification and business/role case test data reporting]

==[[The OWASP Testing Framework|3. The OWASP Testing Framework]]==

'''3.1. Overview'''

'''3.2. Phase 1: Before Development Begins '''

'''3.3. Phase 2: During Definition and Design'''

'''3.4. Phase 3: During Development'''

'''3.5. Phase 4: During Deployment'''

'''3.6. Phase 5: Maintenance and Operations'''

'''3.7. A Typical SDLC Testing Workflow '''

==[[Web Application Penetration Testing |4. Web Application Penetration Testing ]]==

[[Testing: Introduction and objectives|'''4.1 Introduction and Objectives''']] [To review--> Mat]

[[Testing Checklist| 4.1.1 Testing Checklist]] [To review at the end of brainstorming --> Mat]

[[Testing Information Gathering|'''4.2 Information Gathering ''']]

[[Testing: Search engine discovery/reconnaissance (OWASP-IG-002)|4.2.1 Conduct Search Engine Discovery and Reconnaissance for Information Leakage (OTG-INFO-001) ]] formerly "Search Engine Discovery/Reconnaissance (OWASP-IG-002)"

[[Fingerprint Web Server (OTG-INFO-002)|4.2.2 Fingerprint Web Server (OTG-INFO-002) ]] formerly "Testing for Web Application Fingerprint (OWASP-IG-004)"

[[Testing: Spiders, Robots, and Crawlers (OWASP-IG-001)|4.2.3 Review Webserver Metafiles for Information Leakage (OTG-INFO-003) ]] formerly "Spiders, Robots and Crawlers (OWASP-IG-001)"

[[Testing for Application Discovery (OWASP-IG-005)|4.2.4 Enumerate Applications on Webserver (OTG-INFO-004) ]] formerly "Application Discovery (OWASP-IG-005)"

[[Testing Review webpage comments and metadata(OWASP-IG-007)|4.2.5 Review Webpage Comments and Metadata for Information Leakage (OTG-INFO-005) ]] formerly "Review webpage comments and metadata(OWASP-IG-007)"

[[Testing: Identify application entry points (OWASP-IG-003)|4.2.6 Identify application entry points (OTG-INFO-006) ]] formerly "Identify application entry points (OWASP-IG-003)"

[[Testing Identify application exit/handover points (OWASP-IG-008)|4.2.7 Identify application exit/handover points (OTG-INFO-007) ]] formerly "Identify application exit/handover points (OWASP-IG-008)"

[[Testing Map execution paths through application (OWASP-IG-009)|4.2.8 Map execution paths through application (OTG-INFO-008)]] formerly "Map execution paths through application (OWASP-IG-009)"

[[Fingerprint Web Application Framework (OTG-INFO-009)|4.2.9 Fingerprint Web Application Framework (OTG-INFO-009) ]] formerly "Testing for Web Application Fingerprint (OWASP-IG-010)" '''Ready to be reviewed'''

[[Testing for Web Application (OTG-INFO-011)|4.2.10 Fingerprint Web Application (OTG-INFO-010) ]] formerly "Testing for Web Application Fingerprint (OWASP-IG-010)" [Amro AlOlaqi] '''Ready to be reviewed'''

[[Map Network and Application Architecture (OTG-INFO-012)|4.2.11 Map Network and Application Architecture (OTG-INFO-011) ]] formerly "Testing for Infrastructure Configuration Management Testing weakness (OWASP-CM-001)" [Amro AlOlaqi] '''Ready to be reviewed'''

[[Testing for configuration management|'''4.3 Configuration and Deploy Management Testing ''']]

[[Testing for infrastructure configuration management (OWASP-CM-003)|4.3.1 Test Network/Infrastructure Configuration (OTG-CONFIG-001) ]] formerly "Testing for Infrastructure Configuration Management Testing weakness (OWASP-CM-001)"

[[Testing for application configuration management (OWASP-CM-004)|4.3.2 Test Application Platform Configuration (OTG-CONFIG-002) ]] formerly "Testing for Application Configuration Management weakness (OWASP-CM-002)"

[[Testing for file extensions handling (OWASP-CM-005)|4.3.3 Test File Extensions Handling for Sensitive Information (OTG-CONFIG-003) ]] formerly "Testing for File Extensions Handling (OWASP-CM-003)"

[[Testing for Old, Backup and Unreferenced Files (OWASP-CM-006)|4.3.4 Review Old, Backup and Unreferenced Files for Sensitive Information (OTG-CONFIG-004) ]] formerly "Old, Backup and Unreferenced Files (OWASP-CM-004)"

[[Testing for Admin Interfaces (OWASP-CM-007)|4.3.5 Enumerate Infrastructure and Application Admin Interfaces (OTG-CONFIG-005) ]] formerly "Infrastructure and Application Admin Interfaces (OWASP-CM-005)" [Amro AlOlaqi] '''Ready to be reviewed'''

[[Testing for HTTP Methods and XST (OWASP-CM-008)|4.3.6 Test HTTP Methods (OTG-CONFIG-006) ]] formerly "Testing for Bad HTTP Methods (OWASP-CM-006)"

[[Testing for Database credentials/connection strings available|4.3.7 Testing for Database credentials/connection strings available (OTG-CONFIG-007) ]] formerly "Testing for Database credentials/connection strings available (OWASP-CM-007)"

[[Testing for Content Security Policy weakness|4.3.8 Test Content Security Policy (OTG-CONFIG-008) ]] formerly "Testing for Content Security Policy weakness (OWASP-CM-008)"

[[Testing for Missing HSTS header|4.3.9 Test HTTP Strict Transport Security (OTG-CONFIG-009) ]] formerly "Testing for Missing HSTS header (OWASP-CM-009)"

[[Testing for Frame Options|4.3.10 Test Frame Options (OTG-CONFIG-010) ]]

[[Testing for RIA policy files weakness|4.3.11 Test RIA cross domain policy (OTG-CONFIG-011) ]] formerly "Testing for RIA policy files weakness (OWASP-CM-010)"

[[Testing for Content Type Options|4.3.12 Test Content Type Options (OTG-CONFIG-012) ]] new

[[Testing Identity Management|'''4.4 Identity Management Testing''']]

[[Test Role Definitions (OTG-IDENT-001)|4.4.1 Test Role Definitions (OTG-IDENT-001)]] New

[[Test User Registration Process (OTG-IDENT-002)|4.4.2 Test User Registration Process (OTG-IDENT-002)]] New

[[Test Account Provisioning Process (OTG-IDENT-003)|4.4.3 Test Account Provisioning Process (OTG-IDENT-003)]] New

[[Testing for Account Enumeration and Guessable User Account (OWASP-AT-002)|4.4.4 Testing for Account Enumeration and Guessable User Account (OTG-IDENT-004) ]] formerly "Testing for Account Enumeration and Guessable User Account (OWASP-AT-002)"

[[Testing for Weak or unenforced username policy (OWASP-AT-009)| 4.4.5 Testing for Weak or unenforced username policy (OTG-IDENT-005)]] formerly "Testing for Weak or unenforced username policy (OWASP-AT-009)

[[Test Permissions of Guest/Training Accounts (OTG-IDENT-006)|4.4.6 Test Permissions of Guest/Training Accounts (OTG-IDENT-006)]] New

[[Test Account Suspension/Resumption Process (OTG-IDENT-007)|4.4.7 Test Account Suspension/Resumption Process (OTG-IDENT-007)]] New

[[Test User Deregistration Process (OTG-IDENT-008)|4.4.8 Test User Deregistration Process (OTG-IDENT-008)]] New

[[Test Account Deregistration Process (OTG-IDENT-009)|4.4.9 Test Account Deregistration Process (OTG-IDENT-009)]] New

[[Testing for authentication|'''4.5 Authentication Testing ''']]

[[Testing for Credentials Transported over an Encrypted Channel (OWASP-AT-001)|4.5.1 Testing for Credentials Transported over an Encrypted Channel (OTG-AUTHN-001)]] formerly "Testing for Credentials Transported over an Encrypted Channel (OWASP-AT-001)"

[[Testing for default credentials (OWASP-AT-003)|4.5.2 Testing for default credentials (OTG-AUTHN-002)]] formerly "Testing for default credentials (OWASP-AT-003)"

[[Testing for Weak lock out mechanism (OWASP-AT-004)|4.5.3 Testing for Weak lock out mechanism (OTG-AUTHN-003)]] formerly "Testing for Weak lock out mechanism (OWASP-AT-004)"

[[Testing for Bypassing Authentication Schema (OWASP-AT-005)|4.5.4 Testing for bypassing authentication schema (OTG-AUTHN-004)]] formerly "Testing for bypassing authentication schema (OWASP-AT-005)"

[[Testing for Vulnerable Remember Password (OWASP-AT-006)|4.5.5 Test remember password functionality (OTG-AUTHN-005)]] formerly "Testing for vulnerable remember password functionality (OWASP-AT-006)"

[[Testing for Browser cache weakness (OWASP-AT-007)|4.5.6 Testing for Browser cache weakness (OTG-AUTHN-006)]] formerly "Testing for Browser cache weakness (OWASP-AT-007)"

[[Testing for Weak password policy (OWASP-AT-008)|4.5.7 Testing for Weak password policy (OTG-AUTHN-007)]] formerly "Testing for Weak password policy (OWASP-AT-008)"

[[Testing for Weak security question/answer (OTG-AUTHN-008)|4.5.8 Testing for Weak security question/answer (OTG-AUTHN-008)]] New! - Robert Winkel

[[Testing for weak password change or reset functionalities (OWASP-AT-011)|4.5.9 Testing for weak password change or reset functionalities (OTG-AUTHN-009)]] formerly "Testing for weak password change or reset functionalities (OWASP-AT-011)"

[[Testing for Weaker authentication in alternative channel (OTG-AUTHN-010)|4.5.10 Testing for Weaker authentication in alternative channel (OTG-AUTHN-010)]] (e.g. mobile app, IVR, help desk)

[[Testing for Authorization|'''4.6 Authorization Testing''']]

[[Test Management of Account Permissions (OTG-AUTHZ-001)|4.6.1 Test Management of Account Permissions (OTG-AUTHZ-001)]] New

[[Testing for Path Traversal (OWASP-AZ-001)|4.6.2 Testing Directory traversal/file include (OTG-AUTHZ-002)]] formerly "Testing Directory traversal/file include (OWASP-AZ-001)"

[[Testing for Bypassing Authorization Schema (OWASP-AZ-002)|4.6.3 Testing for bypassing authorization schema (OTG-AUTHZ-003)]] formerly "Testing for bypassing authorization schema (OWASP-AZ-002)"

[[Testing for Privilege escalation (OWASP-AZ-003)|4.6.4 Testing for Privilege Escalation (OTG-AUTHZ-004)]] formerly "Testing for Privilege Escalation (OWASP-AZ-003)"

[[Testing for Insecure Direct Object References (OWASP-AZ-004)|4.6.5 Testing for Insecure Direct Object References (OTG-AUTHZ-005)]] formerly "Testing for Insecure Direct Object References (OWASP-AZ-004)"

[[Testing for Failure to Restrict access to authorized resource (OWASP-AZ-005)|4.6.6 Testing for Failure to Restrict access to authorized resource (OTG-AUTHZ-006)]] formerly "Testing for Failure to Restrict access to authorized resource (OWASP-AZ-005)"

[[Test privileges of server components (OTG-AUTHZ-007)|4.6.7 Test privileges of server components (OTG-AUTHZ-007)]] (e.g. indexing service, reporting interface, file generator)

[[Test enforcement of application entry points (OTG-AUTHZ-008)|4.6.8 Test enforcement of application entry points (OTG-AUTHZ-008)]] (including exposure of objects)

[[Testing for failure to restrict access to authenticated resource(OWASP-AT-010)|4.6.9 Testing for failure to restrict access to authenticated resource (OTG-AUTHZ-009)]] formerly "Testing for failure to restrict access to authenticated resource (OWASP-AT-010)"

[[Testing for Session Management|'''4.7 Session Management Testing''']]

[[Testing for Session_Management_Schema (OWASP-SM-001)|4.7.1 Testing for Bypassing Session Management Schema (OTG-SESS-001)]] formerly "Testing for Bypassing Session Management Schema (OWASP-SM-001)"

[[Testing for cookies attributes (OWASP-SM-002)|4.7.2 Testing for Cookies attributes (OTG-SESS-002)]] formerly "Testing for Cookies attributes (OWASP-SM-002)" (Cookies are set not ‘HTTP Only’, ‘Secure’, and no time validity)

[[Testing for Session Fixation (OWASP-SM-003)|4.7.3 Testing for Session Fixation (OTG-SESS-003)]] formerly "Testing for Session Fixation (OWASP-SM-003)"

[[Testing for Exposed Session Variables (OWASP-SM-004)|4.7.4 Testing for Exposed Session Variables (OTG-SESS-004)]] formerly "Testing for Exposed Session Variables (OWASP-SM-004)"

[[Testing for CSRF (OWASP-SM-005)|4.7.5 Testing for Cross Site Request Forgery (CSRF) (OTG-SESS-005)]] formerly "Testing for Cross Site Request Forgery (CSRF) (OWASP-SM-005)"

[[Test Session Token Strength (OTG-SESS-006)|4.7.6 Test Session Token Strength (OTG-SESS-006)]]

[[Testing for logout functionality (OWASP-SM-007)|4.7.7 Testing for logout functionality (OTG-SESS-007)]] formerly "Testing for logout functionality (OWASP-SM-007)"

[[Testing for Session puzzling (OWASP-SM-008)|4.7.8 Testing for Session puzzling (OWASP-SM-008)]]

[[Test Session Timeout (OTG-SESS-008)|4.7.8 Test Session Timeout (OTG-SESS-008)]]

[[Test multiple concurrent sessions (OTG-SESS-009)|4.7.9 Test multiple concurrent sessions (OTG-SESS-009)]]

[[Testing for Data Validation|'''4.8 Data Validation Testing''']]

[[Testing for Reflected Cross site scripting (OWASP-DV-001) |4.8.1 Testing for Reflected Cross Site Scripting (OTG-INPVAL-001)]] formerly "Testing for Reflected Cross Site Scripting (OWASP-DV-001)"

[[Testing for Stored Cross site scripting (OWASP-DV-002) |4.8.2 Testing for Stored Cross Site Scripting (OTG-INPVAL-002)]] formerly "Testing for Stored Cross Site Scripting (OWASP-DV-002)"

[[Testing for HTTP Verb Tampering (OWASP-DV-003)|4.8.3 Testing for HTTP Verb Tampering (OTG-INPVAL-003)]] formerly "Testing for HTTP Verb Tampering (OWASP-DV-003)"

[[Testing for HTTP Parameter pollution (OWASP-DV-004)|4.8.4 Testing for HTTP Parameter pollution (OTG-INPVAL-004) ]] formerly "Testing for HTTP Parameter pollution (OWASP-DV-004)"

[[Testing for Unvalidated Redirects and Forwards (OWASP-DV-004)|4.8.5 Testing for Unvalidated Redirects and Forwards (OTG-INPVAL-005) ]] formerly "Testing for Unvalidated Redirects and Forwards (OWASP-DV-004)"

[[Testing for SQL Injection (OWASP-DV-005)| 4.8.6 Testing for SQL Injection (OTG-INPVAL-006)]] formerly "Testing for SQL Injection (OWASP-DV-005)" '''Ready to be reviewed'''

[[Testing for Oracle|4.8.6.1 Oracle Testing]]

[[Testing for MySQL|4.8.6.2 MySQL Testing [Ismael Gonçalves]]]

[[Testing for SQL Server|4.8.6.3 SQL Server Testing]]

[[OWASP_Backend_Security_Project_Testing_PostgreSQL|4.8.6.4 Testing PostgreSQL (from OWASP BSP) ]]

[[Testing for MS Access |4.8.6.5 MS Access Testing]]

[[Testing for NoSQL injection|4.8.6.6 Testing for NoSQL injection [New!]]]

[[Testing for LDAP Injection (OWASP-DV-006)|4.8.7 Testing for LDAP Injection (OTG-INPVAL-007)]] formerly "Testing for LDAP Injection (OWASP-DV-006)"

[[Testing for ORM Injection (OWASP-DV-007)|4.8.8 Testing for ORM Injection (OTG-INPVAL-008)]] formerly "Testing for ORM Injection (OWASP-DV-007)"

[[Testing for XML Injection (OWASP-DV-008)|4.8.9 Testing for XML Injection (OTG-INPVAL-009)]] formerly "Testing for XML Injection (OWASP-DV-008)"

[[Testing for SSI Injection (OWASP-DV-009)|4.8.10 Testing for SSI Injection (OTG-INPVAL-010)]] formerly "Testing for SSI Injection (OWASP-DV-009)"

[[Testing for XPath Injection (OWASP-DV-010)|4.8.11 Testing for XPath Injection (OTG-INPVAL-011)]] formerly "Testing for XPath Injection (OWASP-DV-010)"

[[Testing for IMAP/SMTP Injection (OWASP-DV-011)|4.8.12 IMAP/SMTP Injection (OTG-INPVAL-012)]] formerly "IMAP/SMTP Injection (OWASP-DV-011)"

[[Testing for Code Injection (OWASP-DV-012)|4.8.13 Testing for Code Injection (OTG-INPVAL-013)]] formerly "Testing for Code Injection (OWASP-DV-012)"

[[Testing for Local File Inclusion|4.8.13.1 Testing for Local File Inclusion]] [Alexander Antukh]

[[Testing for Remote File Inclusion|4.8.13.2 Testing for Remote File Inclusion]] [Alexander Antukh]

[[Testing for Command Injection (OWASP-DV-013)|4.8.14 Testing for Command Injection (OTG-INPVAL-014)]] formerly "Testing for Command Injection (OWASP-DV-013)"

[[Testing for Buffer Overflow (OWASP-DV-014)|4.8.15 Testing for Buffer overflow (OTG-INPVAL-015)]] formerly "Testing for Buffer overflow (OWASP-DV-014)"

[[Testing for Heap Overflow|4.8.15.1 Testing for Heap overflow]]

[[Testing for Stack Overflow|4.8.15.2 Testing for Stack overflow]]

[[Testing for Format String|4.8.15.3 Testing for Format string]]

[[Testing for Incubated Vulnerability (OWASP-DV-015)|4.8.16 Testing for incubated vulnerabilities (OTG-INPVAL-016)]] formerly "Testing for incubated vulnerabilities (OWASP-DV-015)"

[[Testing for HTTP Splitting/Smuggling (OWASP-DV-016)|4.8.17 Testing for HTTP Splitting/Smuggling (OTG-INPVAL-017) ]] formerly "Testing for HTTP Splitting/Smuggling (OWASP-DV-016)" [Juan Galiana]

[[Error Handling|'''4.9 Error Handling''']]

[[Testing for Error Code (OWASP-IG-006)|4.9.1 Analysis of Error Codes (OTG-ERR-001)]] formerly "Analysis of Error Codes (OWASP-IG-006)"

[[Testing for Stack Traces (OWASP-IG-XXX)|4.9.2 Analysis of Stack Traces (OTG-ERR-002)]] formerly "Analysis of Stack Traces"

[[Cryptography|'''4.10 Cryptography''']]

[[Testing for Insecure encryption usage (OWASP-EN-001)| 4.10.1 Testing for Insecure encryption usage (OTG-CRYPST-001)]] formerly "Testing for Insecure encryption usage (OWASP-EN-001)"

[[Testing for Weak SSL/TSL Ciphers, Insufficient Transport Layer Protection (OWASP-EN-002)| 4.10.2 Testing for Weak SSL/TSL Ciphers, Insufficient Transport Layer Protection (OTG-CRYPST-002)]] formerly "Testing for Weak SSL/TSL Ciphers, Insufficient Transport Layer Protection (OWASP-EN-002)"

[[Testing for Padding Oracle (OWASP-EN-003)| 4.10.3 Testing for Padding Oracle (OTG-CRYPST-003)]] formerly "Testing for Padding Oracle (OWASP-EN-003)"

[[Testing for Cacheable HTTPS Response (OTG-CRYPST-004)| 4.10.4 Testing for Cacheable HTTPS Response (OTG-CRYPST-004)]]

[[Test Cache Directives (OTG-CRYPST-005)|4.10.5 Test Cache Directives (OTG-CRYPST-005)]]

[[Testing for Insecure Cryptographic Storage (OTG-CRYPST-006)|4.10.6 Testing for Insecure Cryptographic Storage (OTG-CRYPST-006)]]

[[Testing for Sensitive information sent via unencrypted channels (OTG-CRYPST-007)|4.10.7 Testing for Sensitive information sent via unencrypted channels (OTG-CRYPST-007)]]

[[Test Cryptographic Key Management (OTG-CRYPST-008)|4.10.8 Test Cryptographic Key Management (OTG-CRYPST-008)]]

[[Logging|'''4.11 Logging''']] Not convinced Logging should be included as it requires access to logs to test

[[Test time synchronisation (OTG-LOG-001)|4.11.1 Test time synchronisation (OTG-LOG-001) ]] formerly "Incorrect time"

[[Test user-viewable log of authentication events (OTG-LOG-002)|4.11.2 Test user-viewable log of authentication events (OTG-LOG-002)]]

[[Testing for business logic (OWASP-BL-001)|'''4.12 Business Logic Testing (OWASP-BL-001)''']] [To review--> David Fern]
Business Logic 

[[Test business logic data validation (OTG-BUSLOGIC-001)|4.12.1 Test business logic data validation (OTG-BUSLOGIC-001)]] [New!] NOTE MAT: to discuss this section

[[Test Ability to forge requests (OTG-BUSLOGIC-002)|4.12.2 Test Ability to forge requests (OTG-BUSLOGIC-002)]] [New!]

[[Test integrity checks (OTG-BUSLOGIC-003)|4.12.3 Test integrity checks (OTG-BUSLOGIC-003)]] (e.g. overwriting updates) [New!]

[[Test tamper evidence (OTG-BUSLOGIC-004)|4.12.4 Test tamper evidence (OTG-BUSLOGIC-004)]] [New!]

[[Test excessive rate (speed) of use limits (OTG-BUSLOGIC-005)|4.12.5 Test excessive rate (speed) of use limits (OTG-BUSLOGIC-005)]] [New!]

[[Test size of request limits (OTG-BUSLOGIC-006)|4.12.6 Test size of request limits (OTG-BUSLOGIC-006)]] [New!]

[[Test number of times a function can be used limits (OTG-BUSLOGIC-007)|4.12.7 Test number of times a function can be used limits (OTG-BUSLOGIC-002)]] [New!]

[[Test bypass of correct sequence (OTG-BUSLOGIC-008)|4.12.8 Test bypass of correct sequence (OTG-BUSLOGIC-008)]] [New!]

[[Test self-hosted payment cardholder data processing (OTG-BUSLOGIC-009)|4.12.9 Test self-hosted payment cardholder data processing (OTG-BUSLOGIC-009)]] [New!]

[[Test security incident reporting information (OTG-BUSLOGIC-010)|4.12.10 Test security incident reporting information (OTG-BUSLOGIC-010)]] [New!]

[[Test defenses against application mis-use (OTG-BUSLOGIC-011)|4.12.11 Test defenses against application mis-use (OTG-BUSLOGIC-011)]] [New!]

[[Denial of Service|'''4.13 Denial of Service''']]

[[Test Regular expression DoS (OTG-DOS-001)| 4.13.1 Test Regular expression DoS (OTG-DOS-001)]] [New!] note: to understand better 

[[Test XML DoS (OTG-DOS-002)| 4.13.2 Test XML DoS (OTG-DOS-002)]] [New! - Andrew Muller]

[[Testing for Captcha (OWASP-AT-012)|4.13.3 Testing for CAPTCHA (OTG-DOS-003)]] formerly "Testing for CAPTCHA (OWASP-AT-012)"

[[Web Service (XML Interpreter)|'''4.14 Web Service Testing''']] [Tom Eston]

[[Scoping a Web Service Test (OWASP-WS-001)|4.14.1 Scoping a Web Service Test (OTG-WEBSVC-001)]] formerly "Scoping a Web Service Test (OWASP-WS-001)"

[[WS Information Gathering (OWASP-WS-002)|4.14.2 WS Information Gathering (OTG-WEBSVC-002)]] formerly "WS Information Gathering (OWASP-WS-002)"

[[WS Authentication Testing (OWASP-WS-003)|4.14.3 WS Authentication Testing (OTG-WEBSVC-003)]] formerly "WS Authentication Testing (OWASP-WS-003)"

[[WS Management Interface Testing (OWASP-WS-004)|4.14.4 WS Management Interface Testing (OTG-WEBSVC-004)]] formerly "WS Management Interface Testing (OWASP-WS-004)"

[[Weak XML Structure Testing (OWASP-WS-005)|4.14.5 Weak XML Structure Testing (OTG-WEBSVC-005)]] formerly "Weak XML Structure Testing (OWASP-WS-005)"

[[XML Content-Level Testing (OWASP-WS-006)|4.14.6 XML Content-Level Testing (OTG-WEBSVC-006)]] formerly "XML Content-Level Testing (OWASP-WS-006)"

[[WS HTTP GET Parameters/REST Testing (OWASP-WS-007)|4.14.7 WS HTTP GET Parameters/REST Testing (OTG-WEBSVC-007)]] formerly "WS HTTP GET Parameters/REST Testing (OWASP-WS-007)"

[[WS Naughty SOAP Attachment Testing (OWASP-WS-008)|4.14.8 WS Naughty SOAP Attachment Testing (OTG-WEBSVC-008)]] formerly "WS Naughty SOAP Attachment Testing (OWASP-WS-008)"

[[WS Replay/MiTM Testing (OWASP-WS-009)|4.14.9 WS Replay/MiTM Testing (OTG-WEBSVC-009)]] formerly "WS Replay/MiTM Testing (OWASP-WS-009)"

[[WS BEPL Testing (OWASP-WS-010)|4.14.10 WS BEPL Testing (OTG-WEBSVC-010)]] formerly "WS BEPL Testing (OWASP-WS-010)"

[[Client Side Testing|'''4.15 Client Side Testing''']] [New!]

[[Testing for DOM-based Cross site scripting (OWASP-DV-003)|4.15.1 Testing for DOM based Cross Site Scripting (OTG-CLIENT-001)]] formerly "Testing for DOM based Cross Site Scripting (OWASP-CS-001)" [Stefano Di Paola]

[[Test Cross Origin Resource Sharing (OTG-CLIENT-002)|4.15.2 Test Cross Origin Resource Sharing (OTG-CLIENT-002)]] formerly "Testing for HTML5 (OWASP CS-002)" [Juan Galiana]

[[Testing for Cross site flashing (OWASP-DV-004)|4.15.3 Testing for Cross Site Flashing (OTG-CLIENT-003)]] formerly "Testing for Cross Site Flashing (OWASP-CS-003)"

[[Testing for Clickjacking (OWASP-CS-004)|4.15.4 Testing for Clickjacking (OTG-CLIENT-004)]] formerly "Testing for Clickjacking (OWASP-CS-004)" [Davide Danelon]

[[Testing WebSockets (OTG-CLIENT-005)|4.15.5 Testing WebSockets (OTG-CLIENT-005)]] [Ryan Dewhurst]

[[Test Web Messaging (OTG-CLIENT-006)|4.15.6 Test Web Messaging (OTG-CLIENT-006)]] [Juan Galiana]

[[Test Local Storage (OTG-CLIENT-007)|4.15.7 Test Local Storage (OTG-CLIENT-007)]] [Juan Galiana]

==[[Writing Reports: value the real risk |5. Writing Reports: value the real risk ]]==

[[How to value the real risk |5.1 How to value the real risk]] [To review--> Amro AlOlaqi] '''Ready to be reviewed'''

[[How to write the report of the testing |5.2 How to write the report of the testing]] [To review--> Amro AlOlaqi] '''Ready to be reviewed'''

==[[Appendix A: Testing Tools |Appendix A: Testing Tools ]]==

* Black Box Testing Tools [To review--> Amro AlOlaqi] '''Ready to be reviewed'''

==[[OWASP Testing Guide Appendix B: Suggested Reading | Appendix B: Suggested Reading]]==
* Whitepapers [To review--> David Fern]
* Books [To review--> David Fern]
* Useful Websites [To review--> David Fern]

==[[OWASP Testing Guide Appendix C: Fuzz Vectors | Appendix C: Fuzz Vectors]]==

* Fuzz Categories [To review--> Amro AlOlaqi] '''Ready to be reviewed'''

==[[OWASP Testing Guide Appendix D: Encoded Injection | Appendix D: Encoded Injection]]==
[To review--> Amro AlOlaqi] '''Ready to be reviewed'''

----

[[Category:OWASP Testing Project]]

OWASP Testing Guide v4 Table of Contents

2013-10-19T00:40:51Z

Amro Ahmed:

{{OWASP Breakers}}
__NOTOC__

'''This is the DRAFT of the table of content of the New Testing Guide v4.''' 
 You can download the stable version v3 [http://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf here] 

Back to the OWASP Testing Guide Project:
http://www.owasp.org/index.php/OWASP_Testing_Project

'''Updated: 15th February 2013'''

[[ OWTGv4 Contributors list|'''Contributors List]]

----

The following is a DRAFT of the Toc based on the feedback already received.

== Table of Contents ==

==[[Testing Guide Foreword|Foreword by Eoin Keary]]==
[To review--> Eoin Keary -> Done!!]

==[[Testing Guide Frontispiece |1. Frontispiece]]==
[To review--> Mat]

'''[[Testing Guide Frontispiece|1.1 About the OWASP Testing Guide Project]]'''
[To review--> Mat]

'''[[About The Open Web Application Security Project|1.2 About The Open Web Application Security Project]]'''
[To review--> ]

==[[Testing Guide Introduction|2. Introduction]]==

'''2.1 The OWASP Testing Project'''

'''2.2 Principles of Testing'''

'''2.3 Testing Techniques Explained'''

2.4 [https://www.owasp.org/index.php/Testing_Guide_Introduction#Security_Requirements_Test_Derivation Security requirements test derivation],[https://www.owasp.org/index.php/Testing_Guide_Introduction#Functional_and_Non_Functional_Test_Requirements functional and non functional test requirements], and [https://www.owasp.org/index.php/Testing_Guide_Introduction#Test_Cases_Through_Use_and_Misuse_Cases test cases through use and misuse cases]

2.5 [https://www.owasp.org/index.php/Testing_Guide_Introduction#Security_Test_Data_Analysis_and_Reporting Security test data analysis and reporting: root cause identification and business/role case test data reporting]

==[[The OWASP Testing Framework|3. The OWASP Testing Framework]]==

'''3.1. Overview'''

'''3.2. Phase 1: Before Development Begins '''

'''3.3. Phase 2: During Definition and Design'''

'''3.4. Phase 3: During Development'''

'''3.5. Phase 4: During Deployment'''

'''3.6. Phase 5: Maintenance and Operations'''

'''3.7. A Typical SDLC Testing Workflow '''

==[[Web Application Penetration Testing |4. Web Application Penetration Testing ]]==

[[Testing: Introduction and objectives|'''4.1 Introduction and Objectives''']] [To review--> Mat]

[[Testing Checklist| 4.1.1 Testing Checklist]] [To review at the end of brainstorming --> Mat]

[[Testing Information Gathering|'''4.2 Information Gathering ''']]

[[Testing: Search engine discovery/reconnaissance (OWASP-IG-002)|4.2.1 Conduct Search Engine Discovery and Reconnaissance for Information Leakage (OTG-INFO-001) ]] formerly "Search Engine Discovery/Reconnaissance (OWASP-IG-002)"

[[Fingerprint Web Server (OTG-INFO-002)|4.2.2 Fingerprint Web Server (OTG-INFO-002) ]] formerly "Testing for Web Application Fingerprint (OWASP-IG-004)"

[[Testing: Spiders, Robots, and Crawlers (OWASP-IG-001)|4.2.3 Review Webserver Metafiles for Information Leakage (OTG-INFO-003) ]] formerly "Spiders, Robots and Crawlers (OWASP-IG-001)"

[[Testing for Application Discovery (OWASP-IG-005)|4.2.4 Enumerate Applications on Webserver (OTG-INFO-004) ]] formerly "Application Discovery (OWASP-IG-005)"

[[Testing Review webpage comments and metadata(OWASP-IG-007)|4.2.5 Review Webpage Comments and Metadata for Information Leakage (OTG-INFO-005) ]] formerly "Review webpage comments and metadata(OWASP-IG-007)"

[[Testing: Identify application entry points (OWASP-IG-003)|4.2.6 Identify application entry points (OTG-INFO-006) ]] formerly "Identify application entry points (OWASP-IG-003)"

[[Testing Identify application exit/handover points (OWASP-IG-008)|4.2.7 Identify application exit/handover points (OTG-INFO-007) ]] formerly "Identify application exit/handover points (OWASP-IG-008)"

[[Testing Map execution paths through application (OWASP-IG-009)|4.2.8 Map execution paths through application (OTG-INFO-008)]] formerly "Map execution paths through application (OWASP-IG-009)"

[[Fingerprint Web Application Framework (OTG-INFO-009)|4.2.9 Fingerprint Web Application Framework (OTG-INFO-009) ]] formerly "Testing for Web Application Fingerprint (OWASP-IG-010)" '''Ready to be reviewed'''

[[Testing for Web Application (OTG-INFO-011)|4.2.10 Fingerprint Web Application (OTG-INFO-010) ]] formerly "Testing for Web Application Fingerprint (OWASP-IG-010)" [Amro AlOlaqi] '''Ready to be reviewed'''

[[Map Network and Application Architecture (OTG-INFO-012)|4.2.11 Map Network and Application Architecture (OTG-INFO-011) ]] formerly "Testing for Infrastructure Configuration Management Testing weakness (OWASP-CM-001)" [Amro AlOlaqi] '''Ready to be reviewed'''

[[Testing for configuration management|'''4.3 Configuration and Deploy Management Testing ''']]

[[Testing for infrastructure configuration management (OWASP-CM-003)|4.3.1 Test Network/Infrastructure Configuration (OTG-CONFIG-001) ]] formerly "Testing for Infrastructure Configuration Management Testing weakness (OWASP-CM-001)"

[[Testing for application configuration management (OWASP-CM-004)|4.3.2 Test Application Platform Configuration (OTG-CONFIG-002) ]] formerly "Testing for Application Configuration Management weakness (OWASP-CM-002)"

[[Testing for file extensions handling (OWASP-CM-005)|4.3.3 Test File Extensions Handling for Sensitive Information (OTG-CONFIG-003) ]] formerly "Testing for File Extensions Handling (OWASP-CM-003)"

[[Testing for Old, Backup and Unreferenced Files (OWASP-CM-006)|4.3.4 Review Old, Backup and Unreferenced Files for Sensitive Information (OTG-CONFIG-004) ]] formerly "Old, Backup and Unreferenced Files (OWASP-CM-004)"

[[Testing for Admin Interfaces (OWASP-CM-007)|4.3.5 Enumerate Infrastructure and Application Admin Interfaces (OTG-CONFIG-005) ]] formerly "Infrastructure and Application Admin Interfaces (OWASP-CM-005)" [Amro AlOlaqi] '''Ready to be reviewed'''

[[Testing for HTTP Methods and XST (OWASP-CM-008)|4.3.6 Test HTTP Methods (OTG-CONFIG-006) ]] formerly "Testing for Bad HTTP Methods (OWASP-CM-006)"

[[Testing for Database credentials/connection strings available|4.3.7 Testing for Database credentials/connection strings available (OTG-CONFIG-007) ]] formerly "Testing for Database credentials/connection strings available (OWASP-CM-007)"

[[Testing for Content Security Policy weakness|4.3.8 Test Content Security Policy (OTG-CONFIG-008) ]] formerly "Testing for Content Security Policy weakness (OWASP-CM-008)"

[[Testing for Missing HSTS header|4.3.9 Test HTTP Strict Transport Security (OTG-CONFIG-009) ]] formerly "Testing for Missing HSTS header (OWASP-CM-009)"

[[Testing for Frame Options|4.3.10 Test Frame Options (OTG-CONFIG-010) ]]

[[Testing for RIA policy files weakness|4.3.11 Test RIA cross domain policy (OTG-CONFIG-011) ]] formerly "Testing for RIA policy files weakness (OWASP-CM-010)"

[[Testing for Content Type Options|4.3.12 Test Content Type Options (OTG-CONFIG-012) ]] new

[[Testing Identity Management|'''4.4 Identity Management Testing''']]

[[Test Role Definitions (OTG-IDENT-001)|4.4.1 Test Role Definitions (OTG-IDENT-001)]] New

[[Test User Registration Process (OTG-IDENT-002)|4.4.2 Test User Registration Process (OTG-IDENT-002)]] New

[[Test Account Provisioning Process (OTG-IDENT-003)|4.4.3 Test Account Provisioning Process (OTG-IDENT-003)]] New

[[Testing for Account Enumeration and Guessable User Account (OWASP-AT-002)|4.4.4 Testing for Account Enumeration and Guessable User Account (OTG-IDENT-004) ]] formerly "Testing for Account Enumeration and Guessable User Account (OWASP-AT-002)"

[[Testing for Weak or unenforced username policy (OWASP-AT-009)| 4.4.5 Testing for Weak or unenforced username policy (OTG-IDENT-005)]] formerly "Testing for Weak or unenforced username policy (OWASP-AT-009)

[[Test Permissions of Guest/Training Accounts (OTG-IDENT-006)|4.4.6 Test Permissions of Guest/Training Accounts (OTG-IDENT-006)]] New

[[Test Account Suspension/Resumption Process (OTG-IDENT-007)|4.4.7 Test Account Suspension/Resumption Process (OTG-IDENT-007)]] New

[[Test User Deregistration Process (OTG-IDENT-008)|4.4.8 Test User Deregistration Process (OTG-IDENT-008)]] New

[[Test Account Deregistration Process (OTG-IDENT-009)|4.4.9 Test Account Deregistration Process (OTG-IDENT-009)]] New

[[Testing for authentication|'''4.5 Authentication Testing ''']]

[[Testing for Credentials Transported over an Encrypted Channel (OWASP-AT-001)|4.5.1 Testing for Credentials Transported over an Encrypted Channel (OTG-AUTHN-001)]] formerly "Testing for Credentials Transported over an Encrypted Channel (OWASP-AT-001)"

[[Testing for default credentials (OWASP-AT-003)|4.5.2 Testing for default credentials (OTG-AUTHN-002)]] formerly "Testing for default credentials (OWASP-AT-003)"

[[Testing for Weak lock out mechanism (OWASP-AT-004)|4.5.3 Testing for Weak lock out mechanism (OTG-AUTHN-003)]] formerly "Testing for Weak lock out mechanism (OWASP-AT-004)"

[[Testing for Bypassing Authentication Schema (OWASP-AT-005)|4.5.4 Testing for bypassing authentication schema (OTG-AUTHN-004)]] formerly "Testing for bypassing authentication schema (OWASP-AT-005)"

[[Testing for Vulnerable Remember Password (OWASP-AT-006)|4.5.5 Test remember password functionality (OTG-AUTHN-005)]] formerly "Testing for vulnerable remember password functionality (OWASP-AT-006)"

[[Testing for Browser cache weakness (OWASP-AT-007)|4.5.6 Testing for Browser cache weakness (OTG-AUTHN-006)]] formerly "Testing for Browser cache weakness (OWASP-AT-007)"

[[Testing for Weak password policy (OWASP-AT-008)|4.5.7 Testing for Weak password policy (OTG-AUTHN-007)]] formerly "Testing for Weak password policy (OWASP-AT-008)"

[[Testing for Weak security question/answer (OTG-AUTHN-008)|4.5.8 Testing for Weak security question/answer (OTG-AUTHN-008)]] New! - Robert Winkel

[[Testing for weak password change or reset functionalities (OWASP-AT-011)|4.5.9 Testing for weak password change or reset functionalities (OTG-AUTHN-009)]] formerly "Testing for weak password change or reset functionalities (OWASP-AT-011)"

[[Testing for Weaker authentication in alternative channel (OTG-AUTHN-010)|4.5.10 Testing for Weaker authentication in alternative channel (OTG-AUTHN-010)]] (e.g. mobile app, IVR, help desk)

[[Testing for Authorization|'''4.6 Authorization Testing''']]

[[Test Management of Account Permissions (OTG-AUTHZ-001)|4.6.1 Test Management of Account Permissions (OTG-AUTHZ-001)]] New

[[Testing for Path Traversal (OWASP-AZ-001)|4.6.2 Testing Directory traversal/file include (OTG-AUTHZ-002)]] formerly "Testing Directory traversal/file include (OWASP-AZ-001)"

[[Testing for Bypassing Authorization Schema (OWASP-AZ-002)|4.6.3 Testing for bypassing authorization schema (OTG-AUTHZ-003)]] formerly "Testing for bypassing authorization schema (OWASP-AZ-002)"

[[Testing for Privilege escalation (OWASP-AZ-003)|4.6.4 Testing for Privilege Escalation (OTG-AUTHZ-004)]] formerly "Testing for Privilege Escalation (OWASP-AZ-003)"

[[Testing for Insecure Direct Object References (OWASP-AZ-004)|4.6.5 Testing for Insecure Direct Object References (OTG-AUTHZ-005)]] formerly "Testing for Insecure Direct Object References (OWASP-AZ-004)"

[[Testing for Failure to Restrict access to authorized resource (OWASP-AZ-005)|4.6.6 Testing for Failure to Restrict access to authorized resource (OTG-AUTHZ-006)]] formerly "Testing for Failure to Restrict access to authorized resource (OWASP-AZ-005)"

[[Test privileges of server components (OTG-AUTHZ-007)|4.6.7 Test privileges of server components (OTG-AUTHZ-007)]] (e.g. indexing service, reporting interface, file generator)

[[Test enforcement of application entry points (OTG-AUTHZ-008)|4.6.8 Test enforcement of application entry points (OTG-AUTHZ-008)]] (including exposure of objects)

[[Testing for failure to restrict access to authenticated resource(OWASP-AT-010)|4.6.9 Testing for failure to restrict access to authenticated resource (OTG-AUTHZ-009)]] formerly "Testing for failure to restrict access to authenticated resource (OWASP-AT-010)"

[[Testing for Session Management|'''4.7 Session Management Testing''']]

[[Testing for Session_Management_Schema (OWASP-SM-001)|4.7.1 Testing for Bypassing Session Management Schema (OTG-SESS-001)]] formerly "Testing for Bypassing Session Management Schema (OWASP-SM-001)"

[[Testing for cookies attributes (OWASP-SM-002)|4.7.2 Testing for Cookies attributes (OTG-SESS-002)]] formerly "Testing for Cookies attributes (OWASP-SM-002)" (Cookies are set not ‘HTTP Only’, ‘Secure’, and no time validity)

[[Testing for Session Fixation (OWASP-SM-003)|4.7.3 Testing for Session Fixation (OTG-SESS-003)]] formerly "Testing for Session Fixation (OWASP-SM-003)"

[[Testing for Exposed Session Variables (OWASP-SM-004)|4.7.4 Testing for Exposed Session Variables (OTG-SESS-004)]] formerly "Testing for Exposed Session Variables (OWASP-SM-004)"

[[Testing for CSRF (OWASP-SM-005)|4.7.5 Testing for Cross Site Request Forgery (CSRF) (OTG-SESS-005)]] formerly "Testing for Cross Site Request Forgery (CSRF) (OWASP-SM-005)"

[[Test Session Token Strength (OTG-SESS-006)|4.7.6 Test Session Token Strength (OTG-SESS-006)]]

[[Testing for logout functionality (OWASP-SM-007)|4.7.7 Testing for logout functionality (OTG-SESS-007)]] formerly "Testing for logout functionality (OWASP-SM-007)"

[[Testing for Session puzzling (OWASP-SM-008)|4.7.8 Testing for Session puzzling (OWASP-SM-008)]]

[[Test Session Timeout (OTG-SESS-008)|4.7.8 Test Session Timeout (OTG-SESS-008)]]

[[Test multiple concurrent sessions (OTG-SESS-009)|4.7.9 Test multiple concurrent sessions (OTG-SESS-009)]]

[[Testing for Data Validation|'''4.8 Data Validation Testing''']]

[[Testing for Reflected Cross site scripting (OWASP-DV-001) |4.8.1 Testing for Reflected Cross Site Scripting (OTG-INPVAL-001)]] formerly "Testing for Reflected Cross Site Scripting (OWASP-DV-001)"

[[Testing for Stored Cross site scripting (OWASP-DV-002) |4.8.2 Testing for Stored Cross Site Scripting (OTG-INPVAL-002)]] formerly "Testing for Stored Cross Site Scripting (OWASP-DV-002)"

[[Testing for HTTP Verb Tampering (OWASP-DV-003)|4.8.3 Testing for HTTP Verb Tampering (OTG-INPVAL-003)]] formerly "Testing for HTTP Verb Tampering (OWASP-DV-003)"

[[Testing for HTTP Parameter pollution (OWASP-DV-004)|4.8.4 Testing for HTTP Parameter pollution (OTG-INPVAL-004) ]] formerly "Testing for HTTP Parameter pollution (OWASP-DV-004)"

[[Testing for Unvalidated Redirects and Forwards (OWASP-DV-004)|4.8.5 Testing for Unvalidated Redirects and Forwards (OTG-INPVAL-005) ]] formerly "Testing for Unvalidated Redirects and Forwards (OWASP-DV-004)"

[[Testing for SQL Injection (OWASP-DV-005)| 4.8.6 Testing for SQL Injection (OTG-INPVAL-006)]] formerly "Testing for SQL Injection (OWASP-DV-005)" '''Ready to be reviewed'''

[[Testing for Oracle|4.8.6.1 Oracle Testing]]

[[Testing for MySQL|4.8.6.2 MySQL Testing [Ismael Gonçalves]]]

[[Testing for SQL Server|4.8.6.3 SQL Server Testing]]

[[OWASP_Backend_Security_Project_Testing_PostgreSQL|4.8.6.4 Testing PostgreSQL (from OWASP BSP) ]]

[[Testing for MS Access |4.8.6.5 MS Access Testing]]

[[Testing for NoSQL injection|4.8.6.6 Testing for NoSQL injection [New!]]]

[[Testing for LDAP Injection (OWASP-DV-006)|4.8.7 Testing for LDAP Injection (OTG-INPVAL-007)]] formerly "Testing for LDAP Injection (OWASP-DV-006)"

[[Testing for ORM Injection (OWASP-DV-007)|4.8.8 Testing for ORM Injection (OTG-INPVAL-008)]] formerly "Testing for ORM Injection (OWASP-DV-007)"

[[Testing for XML Injection (OWASP-DV-008)|4.8.9 Testing for XML Injection (OTG-INPVAL-009)]] formerly "Testing for XML Injection (OWASP-DV-008)"

[[Testing for SSI Injection (OWASP-DV-009)|4.8.10 Testing for SSI Injection (OTG-INPVAL-010)]] formerly "Testing for SSI Injection (OWASP-DV-009)"

[[Testing for XPath Injection (OWASP-DV-010)|4.8.11 Testing for XPath Injection (OTG-INPVAL-011)]] formerly "Testing for XPath Injection (OWASP-DV-010)"

[[Testing for IMAP/SMTP Injection (OWASP-DV-011)|4.8.12 IMAP/SMTP Injection (OTG-INPVAL-012)]] formerly "IMAP/SMTP Injection (OWASP-DV-011)"

[[Testing for Code Injection (OWASP-DV-012)|4.8.13 Testing for Code Injection (OTG-INPVAL-013)]] formerly "Testing for Code Injection (OWASP-DV-012)"

[[Testing for Local File Inclusion|4.8.13.1 Testing for Local File Inclusion]] [Alexander Antukh]

[[Testing for Remote File Inclusion|4.8.13.2 Testing for Remote File Inclusion]] [Alexander Antukh]

[[Testing for Command Injection (OWASP-DV-013)|4.8.14 Testing for Command Injection (OTG-INPVAL-014)]] formerly "Testing for Command Injection (OWASP-DV-013)"

[[Testing for Buffer Overflow (OWASP-DV-014)|4.8.15 Testing for Buffer overflow (OTG-INPVAL-015)]] formerly "Testing for Buffer overflow (OWASP-DV-014)"

[[Testing for Heap Overflow|4.8.15.1 Testing for Heap overflow]]

[[Testing for Stack Overflow|4.8.15.2 Testing for Stack overflow]]

[[Testing for Format String|4.8.15.3 Testing for Format string]]

[[Testing for Incubated Vulnerability (OWASP-DV-015)|4.8.16 Testing for incubated vulnerabilities (OTG-INPVAL-016)]] formerly "Testing for incubated vulnerabilities (OWASP-DV-015)"

[[Testing for HTTP Splitting/Smuggling (OWASP-DV-016)|4.8.17 Testing for HTTP Splitting/Smuggling (OTG-INPVAL-017) ]] formerly "Testing for HTTP Splitting/Smuggling (OWASP-DV-016)" [Juan Galiana]

[[Error Handling|'''4.9 Error Handling''']]

[[Testing for Error Code (OWASP-IG-006)|4.9.1 Analysis of Error Codes (OTG-ERR-001)]] formerly "Analysis of Error Codes (OWASP-IG-006)"

[[Testing for Stack Traces (OWASP-IG-XXX)|4.9.2 Analysis of Stack Traces (OTG-ERR-002)]] formerly "Analysis of Stack Traces"

[[Cryptography|'''4.10 Cryptography''']]

[[Testing for Insecure encryption usage (OWASP-EN-001)| 4.10.1 Testing for Insecure encryption usage (OTG-CRYPST-001)]] formerly "Testing for Insecure encryption usage (OWASP-EN-001)"

[[Testing for Weak SSL/TSL Ciphers, Insufficient Transport Layer Protection (OWASP-EN-002)| 4.10.2 Testing for Weak SSL/TSL Ciphers, Insufficient Transport Layer Protection (OTG-CRYPST-002)]] formerly "Testing for Weak SSL/TSL Ciphers, Insufficient Transport Layer Protection (OWASP-EN-002)"

[[Testing for Padding Oracle (OWASP-EN-003)| 4.10.3 Testing for Padding Oracle (OTG-CRYPST-003)]] formerly "Testing for Padding Oracle (OWASP-EN-003)"

[[Testing for Cacheable HTTPS Response (OTG-CRYPST-004)| 4.10.4 Testing for Cacheable HTTPS Response (OTG-CRYPST-004)]]

[[Test Cache Directives (OTG-CRYPST-005)|4.10.5 Test Cache Directives (OTG-CRYPST-005)]]

[[Testing for Insecure Cryptographic Storage (OTG-CRYPST-006)|4.10.6 Testing for Insecure Cryptographic Storage (OTG-CRYPST-006)]]

[[Testing for Sensitive information sent via unencrypted channels (OTG-CRYPST-007)|4.10.7 Testing for Sensitive information sent via unencrypted channels (OTG-CRYPST-007)]]

[[Test Cryptographic Key Management (OTG-CRYPST-008)|4.10.8 Test Cryptographic Key Management (OTG-CRYPST-008)]]

[[Logging|'''4.11 Logging''']] Not convinced Logging should be included as it requires access to logs to test

[[Test time synchronisation (OTG-LOG-001)|4.11.1 Test time synchronisation (OTG-LOG-001) ]] formerly "Incorrect time"

[[Test user-viewable log of authentication events (OTG-LOG-002)|4.11.2 Test user-viewable log of authentication events (OTG-LOG-002)]]

[[Testing for business logic (OWASP-BL-001)|'''4.12 Business Logic Testing (OWASP-BL-001)''']] [To review--> David Fern]
Business Logic 

[[Test business logic data validation (OTG-BUSLOGIC-001)|4.12.1 Test business logic data validation (OTG-BUSLOGIC-001)]] [New!] NOTE MAT: to discuss this section

[[Test Ability to forge requests (OTG-BUSLOGIC-002)|4.12.2 Test Ability to forge requests (OTG-BUSLOGIC-002)]] [New!]

[[Test integrity checks (OTG-BUSLOGIC-003)|4.12.3 Test integrity checks (OTG-BUSLOGIC-003)]] (e.g. overwriting updates) [New!]

[[Test tamper evidence (OTG-BUSLOGIC-004)|4.12.4 Test tamper evidence (OTG-BUSLOGIC-004)]] [New!]

[[Test excessive rate (speed) of use limits (OTG-BUSLOGIC-005)|4.12.5 Test excessive rate (speed) of use limits (OTG-BUSLOGIC-005)]] [New!]

[[Test size of request limits (OTG-BUSLOGIC-006)|4.12.6 Test size of request limits (OTG-BUSLOGIC-006)]] [New!]

[[Test number of times a function can be used limits (OTG-BUSLOGIC-007)|4.12.7 Test number of times a function can be used limits (OTG-BUSLOGIC-002)]] [New!]

[[Test bypass of correct sequence (OTG-BUSLOGIC-008)|4.12.8 Test bypass of correct sequence (OTG-BUSLOGIC-008)]] [New!]

[[Test self-hosted payment cardholder data processing (OTG-BUSLOGIC-009)|4.12.9 Test self-hosted payment cardholder data processing (OTG-BUSLOGIC-009)]] [New!]

[[Test security incident reporting information (OTG-BUSLOGIC-010)|4.12.10 Test security incident reporting information (OTG-BUSLOGIC-010)]] [New!]

[[Test defenses against application mis-use (OTG-BUSLOGIC-011)|4.12.11 Test defenses against application mis-use (OTG-BUSLOGIC-011)]] [New!]

[[Denial of Service|'''4.13 Denial of Service''']]

[[Test Regular expression DoS (OTG-DOS-001)| 4.13.1 Test Regular expression DoS (OTG-DOS-001)]] [New!] note: to understand better 

[[Test XML DoS (OTG-DOS-002)| 4.13.2 Test XML DoS (OTG-DOS-002)]] [New! - Andrew Muller]

[[Testing for Captcha (OWASP-AT-012)|4.13.3 Testing for CAPTCHA (OTG-DOS-003)]] formerly "Testing for CAPTCHA (OWASP-AT-012)"

[[Web Service (XML Interpreter)|'''4.14 Web Service Testing''']] [Tom Eston]

[[Scoping a Web Service Test (OWASP-WS-001)|4.14.1 Scoping a Web Service Test (OTG-WEBSVC-001)]] formerly "Scoping a Web Service Test (OWASP-WS-001)"

[[WS Information Gathering (OWASP-WS-002)|4.14.2 WS Information Gathering (OTG-WEBSVC-002)]] formerly "WS Information Gathering (OWASP-WS-002)"

[[WS Authentication Testing (OWASP-WS-003)|4.14.3 WS Authentication Testing (OTG-WEBSVC-003)]] formerly "WS Authentication Testing (OWASP-WS-003)"

[[WS Management Interface Testing (OWASP-WS-004)|4.14.4 WS Management Interface Testing (OTG-WEBSVC-004)]] formerly "WS Management Interface Testing (OWASP-WS-004)"

[[Weak XML Structure Testing (OWASP-WS-005)|4.14.5 Weak XML Structure Testing (OTG-WEBSVC-005)]] formerly "Weak XML Structure Testing (OWASP-WS-005)"

[[XML Content-Level Testing (OWASP-WS-006)|4.14.6 XML Content-Level Testing (OTG-WEBSVC-006)]] formerly "XML Content-Level Testing (OWASP-WS-006)"

[[WS HTTP GET Parameters/REST Testing (OWASP-WS-007)|4.14.7 WS HTTP GET Parameters/REST Testing (OTG-WEBSVC-007)]] formerly "WS HTTP GET Parameters/REST Testing (OWASP-WS-007)"

[[WS Naughty SOAP Attachment Testing (OWASP-WS-008)|4.14.8 WS Naughty SOAP Attachment Testing (OTG-WEBSVC-008)]] formerly "WS Naughty SOAP Attachment Testing (OWASP-WS-008)"

[[WS Replay/MiTM Testing (OWASP-WS-009)|4.14.9 WS Replay/MiTM Testing (OTG-WEBSVC-009)]] formerly "WS Replay/MiTM Testing (OWASP-WS-009)"

[[WS BEPL Testing (OWASP-WS-010)|4.14.10 WS BEPL Testing (OTG-WEBSVC-010)]] formerly "WS BEPL Testing (OWASP-WS-010)"

[[Client Side Testing|'''4.15 Client Side Testing''']] [New!]

[[Testing for DOM-based Cross site scripting (OWASP-DV-003)|4.15.1 Testing for DOM based Cross Site Scripting (OTG-CLIENT-001)]] formerly "Testing for DOM based Cross Site Scripting (OWASP-CS-001)" [Stefano Di Paola]

[[Test Cross Origin Resource Sharing (OTG-CLIENT-002)|4.15.2 Test Cross Origin Resource Sharing (OTG-CLIENT-002)]] formerly "Testing for HTML5 (OWASP CS-002)" [Juan Galiana]

[[Testing for Cross site flashing (OWASP-DV-004)|4.15.3 Testing for Cross Site Flashing (OTG-CLIENT-003)]] formerly "Testing for Cross Site Flashing (OWASP-CS-003)"

[[Testing for Clickjacking (OWASP-CS-004)|4.15.4 Testing for Clickjacking (OTG-CLIENT-004)]] formerly "Testing for Clickjacking (OWASP-CS-004)" [Davide Danelon]

[[Testing WebSockets (OTG-CLIENT-005)|4.15.5 Testing WebSockets (OTG-CLIENT-005)]] [Ryan Dewhurst]

[[Test Web Messaging (OTG-CLIENT-006)|4.15.6 Test Web Messaging (OTG-CLIENT-006)]] [Juan Galiana]

[[Test Local Storage (OTG-CLIENT-007)|4.15.7 Test Local Storage (OTG-CLIENT-007)]] [Juan Galiana]

==[[Writing Reports: value the real risk |5. Writing Reports: value the real risk ]]==

[[How to value the real risk |5.1 How to value the real risk]] [To review--> Amro AlOlaqi] '''Ready to be reviewed'''

[[How to write the report of the testing |5.2 How to write the report of the testing]] [To review--> Amro AlOlaqi] '''Ready to be reviewed'''

==[[Appendix A: Testing Tools |Appendix A: Testing Tools ]]==

* Black Box Testing Tools [To review--> Amro AlOlaqi] '''Ready to be reviewed'''

==[[OWASP Testing Guide Appendix B: Suggested Reading | Appendix B: Suggested Reading]]==
* Whitepapers [To review--> David Fern]
* Books [To review--> David Fern]
* Useful Websites [To review--> David Fern]

==[[OWASP Testing Guide Appendix C: Fuzz Vectors | Appendix C: Fuzz Vectors]]==

* Fuzz Categories [To review--> Amro AlOlaqi] '''Ready to be reviewed'''

==[[OWASP Testing Guide Appendix D: Encoded Injection | Appendix D: Encoded Injection]]== [To review--> Amro AlOlaqi] '''Ready to be reviewed'''

----

[[Category:OWASP Testing Project]]

OWASP Risk Rating Methodology

2013-10-19T00:32:22Z

Amro Ahmed:

{{Template:OWASP Testing Guide v4}}

==The OWASP Risk Rating Methodology==

Discovering vulnerabilities is important, but just as important is being able to estimate the associated risk to the business. Early in the lifecycle, you may identify security concerns in the architecture or design by using [[threat modeling]]. Later, you may find security issues using [[code review]] or [[penetration testing]]. Or you may not discover a problem until the application is in production and is actually compromised.

By following the approach here, you'll be able to estimate the severity of all of these risks to your business, and make an informed decision about what to do about them. Having a system in place for rating risks will save time and eliminate arguing about priorities. This system will help to ensure that you don't get distracted by minor risks while ignoring more serious risks that are less well understood.

Ideally, there would be a universal risk rating system that would accurately estimate all risks for all organizations. But a vulnerability that is critical to one organization may not be very important to another. So a basic framework is presented here that you ''should customize'' for your organization.

The authors have tried hard to make this model simple enough to use, while keeping enough detail for accurate risk estimates to be made. Please reference the section below on customization for more information about tailoring the model for use in your organization.

==Approach==

There are many different approaches to risk analysis. See the reference section below for some of the most common ones. The OWASP approach presented here is based on these standard methodologies and is customized for application security.

Let's start with the standard risk model:

'''Risk = Likelihood * Impact'''

In the sections below, we break down the factors that make up "likelihood" and "impact" for application security and show how to combine them to determine the overall severity for the risk.

* [[#Step 1: Identifying a Risk]]
* [[#Step 2: Factors for Estimating Likelihood]]
* [[#Step 3: Factors for Estimating Impact]]
* [[#Step 4: Determining Severity of the Risk]]
* [[#Step 5: Deciding What to Fix]]
* [[#Step 6: Customizing Your Risk Rating Model]]

==Step 1: Identifying a Risk==

The first step is to identify a security risk that needs to be rated. You'll need to gather information about the [[threat agent]] involved, the [[attack]] they're using, the [[vulnerability]] involved, and the [[impact]] of a successful exploit on your business. There may be multiple possible groups of attackers, or even multiple possible business impacts. In general, it's best to err on the side of caution by using the worst-case option, as that will result in the highest overall risk.

==Step 2: Factors for Estimating Likelihood==

Once you've identified a potential risk, and want to figure out how serious it is, the first step is to estimate the "likelihood". At the highest level, this is a rough measure of how likely this particular vulnerability is to be uncovered and exploited by an attacker. We do not need to be over-precise in this estimate. Generally, identifying whether the likelihood is low, medium, or high is sufficient.

There are a number of factors that can help us figure this out. The first set of factors are related to the [[threat agent]] involved. The goal is to estimate the likelihood of a successful attack from a group of possible attackers. Note that there may be multiple threat agents that can exploit a particular vulnerability, so it's usually best to use the worst-case scenario. For example, an insider may be a much more likely attacker than an anonymous outsider - but it depends on a number of factors.

Note that each factor has a set of options, and each option has a likelihood rating from 0 to 9 associated with it. We'll use these numbers later to estimate the overall likelihood.

===[[Threat Agent]] Factors===

The first set of factors are related to the [[threat agent]] involved. The goal here is to estimate the likelihood of a successful attack by this group of threat agents. Use the worst-case threat agent.

; Skill level
: How technically skilled is this group of threat agents? Security penetration skills (9), network and programming skills (6), advanced computer user (4), some technical skills (3), no technical skills (1)

; Motive
: How motivated is this group of threat agents to find and exploit this vulnerability? Low or no reward (1), possible reward (4), high reward (9)

; Opportunity
: What resources and opportunity are required for this group of threat agents to find and exploit this vulnerability? full access or expensive resources required (0), special access or resources required (4), some access or resources required (7), no access or resources required (9)

; Size
: How large is this group of threat agents? Developers (2), system administrators (2), intranet users (4), partners (5), authenticated users (6), anonymous Internet users (9)

===[[Vulnerability]] Factors===

The next set of factors are related to the [[vulnerability]] involved. The goal here is to estimate the likelihood of the particular vulnerability involved being discovered and exploited. Assume the threat agent selected above.

; Ease of discovery
: How easy is it for this group of threat agents to discover this vulnerability? Practically impossible (1), difficult (3), easy (7), automated tools available (9)

; Ease of exploit
: How easy is it for this group of threat agents to actually exploit this vulnerability? Theoretical (1), difficult (3), easy (5), automated tools available (9)

; Awareness
: How well known is this vulnerability to this group of threat agents? Unknown (1), hidden (4), obvious (6), public knowledge (9)

; Intrusion detection
: How likely is an exploit to be detected? Active detection in application (1), logged and reviewed (3), logged without review (8), not logged (9)

==Step 3: Factors for Estimating Impact==

When considering the impact of a successful attack, it's important to realize that there are two kinds of impacts. The first is the "technical impact" on the application, the data it uses, and the functions it provides. The other is the "business impact" on the business and company operating the application.

Ultimately, the business impact is more important. However, you may not have access to all the information required to figure out the business consequences of a successful exploit. In this case, providing as much detail about the technical risk will enable the appropriate business representative to make a decision about the business risk.

Again, each factor has a set of options, and each option has an impact rating from 0 to 9 associated with it. We'll use these numbers later to estimate the overall impact.

===Technical Impact Factors===

Technical impact can be broken down into factors aligned with the traditional security areas of concern: confidentiality, integrity, availability, and accountability. The goal is to estimate the magnitude of the impact on the system if the vulnerability were to be exploited.

; Loss of confidentiality
: How much data could be disclosed and how sensitive is it? Minimal non-sensitive data disclosed (2), minimal critical data disclosed (6), extensive non-sensitive data disclosed (6), extensive critical data disclosed (7), all data disclosed (9)

; Loss of integrity
: How much data could be corrupted and how damaged is it? Minimal slightly corrupt data (1), minimal seriously corrupt data (3), extensive slightly corrupt data (5), extensive seriously corrupt data (7), all data totally corrupt (9)

; Loss of availability
: How much service could be lost and how vital is it? Minimal secondary services interrupted (1), minimal primary services interrupted (5), extensive secondary services interrupted (5), extensive primary services interrupted (7), all services completely lost (9)

; Loss of accountability
: Are the threat agents' actions traceable to an individual? Fully traceable (1), possibly traceable (7), completely anonymous (9)

===Business Impact Factors===

The business impact stems from the technical impact, but requires a deep understanding of what is important to the company running the application. In general, you should be aiming to support your risks with business impact, particularly if your audience is executive level. The business risk is what justifies investment in fixing security problems.

Many companies have an asset classification guide and/or a business impact reference to help formalize what is important to their business. These standards can help you focus on what's truly important for security. If these aren't available, then talk with people who understand the business to get their take on what's important.

The factors below are common areas for many businesses, but this area is even more unique to a company than the factors related to threat agent, vulnerability, and technical impact.

; Financial damage
: How much financial damage will result from an exploit? Less than the cost to fix the vulnerability (1), minor effect on annual profit (3), significant effect on annual profit (7), bankruptcy (9)

; Reputation damage
: Would an exploit result in reputation damage that would harm the business? Minimal damage (1), Loss of major accounts (4), loss of goodwill (5), brand damage (9)

; Non-compliance
: How much exposure does non-compliance introduce? Minor violation (2), clear violation (5), high profile violation (7)

; Privacy violation
: How much personally identifiable information could be disclosed? One individual (3), hundreds of people (5), thousands of people (7), millions of people (9)

==Step 4: Determining the Severity of the Risk==

In this step we're going to put together the likelihood estimate and the impact estimate to calculate an overall severity for this risk. All you need to do here is figure out whether the likelihood is LOW, MEDIUM, or HIGH and then do the same for impact. We'll just split our 0 to 9 scale into three parts.

<table border="1" width="40%" align="center">
<tr>
<td align="center" colspan="2">Likelihood and Impact Levels</td>
</tr>
<tr>
<td align="center" width="50%">0 to <3</td>
<td align="center" width="50%" bgcolor="lightgreen">LOW</td>
</tr>
<tr>
<td align="center">3 to <6</td>
<td align="center" bgcolor="yellow">MEDIUM</td>
</tr>
<tr>
<td align="center">6 to 9</td>
<td align="center" bgcolor="red">HIGH</td>
</tr>
</table>

===Informal Method===

In many environments, there is nothing wrong with "eyeballing" the factors and simply capturing the answers. You should think through the factors and identify the key "driving" factors that are controlling the result. You may discover that your initial impression was wrong by considering aspects of the risk that weren't obvious.

===Repeatable Method===

If you need to defend your ratings or make them repeatable, then you may want to go through a more formal process of rating the factors and calculating the result. Remember that there is quite a lot of uncertainty in these estimates, and that these factors are intended to help you arrive at a sensible result. This process can be supported by automated tools to make the calculation easier.

The first step is to select one of the options associated with each factor and enter the associated number in the table. Then you simply take the average of the scores to calculate the overall likelihood. For example:

<table border="1" align="center">
<tr>
<td colspan="4" align="center">Threat agent factors</td>
<td></td>
<td colspan="4" align="center">Vulnerability factors</td>
</tr>
<tr>
<td align="center" width="10%">Skill level</td>
<td align="center" width="10%">Motive</td>
<td align="center" width="10%">Opportunity</td>
<td align="center" width="10%">Size</td>
<td align="center" width="2%"></td>
<td align="center" width="10%">Ease of discovery</td>
<td align="center" width="10%">Ease of exploit</td>
<td align="center" width="10%">Awareness</td>
<td align="center" width="10%">Intrusion detection</td>
</tr>
<tr>
<td align="center">5</td>
<td align="center">2</td>
<td align="center">7</td>
<td align="center">1</td>
<td align="center"></td>
<td align="center">3</td>
<td align="center">6</td>
<td align="center">9</td>
<td align="center">2</td>
</tr>
<tr>
<td colspan="9" align="center" bgcolor="lightblue">Overall likelihood=4.375 (MEDIUM)</td>
</tr>
</table>

Next, we need to figure out the overall impact. The process is similar here. In many cases the answer will be obvious, but you can make an estimate based on the factors, or you can average the scores for each of the factors. Again, less than 3 is LOW, 3 to less than 6 is MEDIUM, and 6 to 9 is HIGH. For example:

<table border="1" align="center">
<tr>
<td colspan="4" align="center">Technical Impact</td>
<td></td>
<td colspan="4" align="center">Business Impact</td>
</tr>
<tr>
<td align="center" width="10%">Loss of confidentiality</td>
<td align="center" width="10%">Loss of integrity</td>
<td align="center" width="10%">Loss of availability</td>
<td align="center" width="10%">Loss of accountability</td>
<td align="center" width="2%"></td>
<td align="center" width="10%">Financial damage</td>
<td align="center" width="10%">Reputation damage</td>
<td align="center" width="10%">Non-compliance</td>
<td align="center" width="10%">Privacy violation</td>
</tr>
<tr>
<td align="center">9</td>
<td align="center">7</td>
<td align="center">5</td>
<td align="center">8</td>
<td align="center"></td>
<td align="center">1</td>
<td align="center">2</td>
<td align="center">1</td>
<td align="center">5</td>
</tr>
<tr>
<td colspan="4" align="center" bgcolor="lightblue">Overall technical impact=7.25 (HIGH)</td>
<td></td>
<td colspan="4" align="center" bgcolor="lightblue">Overall business impact=2.25 (LOW)</td>
</tr>
</table>

===Determining Severity===

However we arrived at the likelihood and impact estimates, we can now combine them to get a final severity rating for this risk. Note that if you have good business impact information, you should use that instead of the technical impact information. But if you have no information about the business, then technical impact is the next best thing.

<table border="1" align="center">
<tr>
<td align="center" colspan="5">Overall Risk Severity</td>
</tr>
<tr>
<td align="center" width="15%" rowspan="4">Impact</td>
<td align="center" width="15%">HIGH</td>
<td align="center" width="15%" bgcolor="orange">Medium</td>
<td align="center" width="15%" bgcolor="red">High</td>
<td align="center" width="15%" bgcolor="pink">Critical</td>
</tr>
<tr>
<td align="center">MEDIUM</td>
<td align="center" bgcolor="yellow">Low</td>
<td align="center" bgcolor="orange">Medium</td>
<td align="center" bgcolor="red">High</td>
</tr>
<tr>
<td align="center">LOW</td>
<td align="center" bgcolor="lightgreen">Note</td>
<td align="center" bgcolor="yellow">Low</td>
<td align="center" bgcolor="orange">Medium</td>
</tr>
<tr>
<td align="center"> </td>
<td align="center">LOW</td>
<td align="center">MEDIUM</td>
<td align="center">HIGH</td>
</tr>
<tr>
<td align="center"> </td>
<td align="center" colspan="4">Likelihood</td>
</tr>
</table>

In the example above, the likelihood is MEDIUM, and the technical impact is HIGH, so from a purely technical perspective, it appears that the overall severity is HIGH. However, note that the business impact is actually LOW, so the overall severity is best described as LOW as well. This is why understanding the business context of the vulnerabilities you are evaluating is so critical to making good risk decisions. Failure to understand this context can lead to the lack of trust between the business and security teams that is present in many organizations.

==Step 5: Deciding What to Fix==

After you've classified the risks to your application, you'll have a prioritized list of what to fix. As a general rule, you should fix the most severe risks first. It simply doesn't help your overall risk profile to fix less important risks, even if they're easy or cheap to fix.

Remember, not all risks are worth fixing, and some loss is not only expected, but justifiable based upon the cost of fixing the issue. For example, if it would cost $100,000 to implement controls to stem $2,000 of fraud per year, it would take 50 years return on investment to stamp out the loss. But remember there may be reputation damage from the fraud that could cost the organization much more.

==Step 6: Customizing Your Risk Rating Model==

Having a risk ranking framework that's customizable for a business is critical for adoption. A tailored model is much more likely to produce results that match people's perceptions about what is a serious risk. You can waste lots of time arguing about the risk ratings if they're not supported by a model like this. There are several ways to tailor this model for your organization.

===Adding factors===

You can choose different factors that better represent what's important for your organization. For example, a military application might add impact factors related to loss of human life or classified information. You might also add likelihood factors, such as the window of opportunity for an attacker or encryption algorithm strength.

===Customizing options===

There are some sample options associated with each factor, but the model will be much more effective if you customize these options to your business. For example, use the names of the different teams and your names for different classifications of information. You can also change the scores associated with the options. The best way to identify the right scores is to compare the ratings produced by the model with ratings produced by a team of experts. You can tune the model by carefully adjusting the scores to match.

===Weighting factors===

The model above assumes that all the factors are equally important. You can weight the factors to emphasize the factors that are more significant for your business. This makes the model a bit more complex, as you'll need to use a weighted average. But otherwise everything works the same. Again, you can tune the model by matching it against risk ratings you agree are accurate.

==References==

* Managing Information Security Risk: Organization, Mission, and Information System View [http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf]

* Industry standard vulnerability severity and risk rankings (CVSS) [http://www.first.org/cvss/]

* Security-enhancing process models (CLASP) [http://www.owasp.org/index.php/Category:OWASP_CLASP_Project]

* Cheat Sheet: Web Application Security Frame - MSDN - Microsoft [http://msdn.microsoft.com/en-us/library/ff649461.aspx]

* [[Threat_Risk_Modeling|Threat Risk Modeling]]

* Pratical Threat Analysis [http://www.ptatechnologies.com/]

* Application Security Risk Assessment Guidelines [http://kb.wisc.edu/page.php?id=20262]

* A Platform for Risk Analysis of Security Critical Systems [http://sourceforge.net/projects/coras/]

* Model-driven Development and Analysis of Secure Information Systems [http://heim.ifi.uio.no/~ketils/securis/]

* Value Driven Security Threat Modeling Based on Attack Path Analysis [http://origin-www.computer.org/csdl/proceedings/hicss/2007/2755/00/27550280a.pdf]

OWASP Risk Rating Methodology

2013-10-19T00:29:42Z

Amro Ahmed:

{{Template:OWASP Testing Guide v4}}

==The OWASP Risk Rating Methodology==

Discovering vulnerabilities is important, but just as important is being able to estimate the associated risk to the business. Early in the lifecycle, you may identify security concerns in the architecture or design by using [[threat modeling]]. Later, you may find security issues using [[code review]] or [[penetration testing]]. Or you may not discover a problem until the application is in production and is actually compromised.

By following the approach here, you'll be able to estimate the severity of all of these risks to your business, and make an informed decision about what to do about them. Having a system in place for rating risks will save time and eliminate arguing about priorities. This system will help to ensure that you don't get distracted by minor risks while ignoring more serious risks that are less well understood.

Ideally, there would be a universal risk rating system that would accurately estimate all risks for all organizations. But a vulnerability that is critical to one organization may not be very important to another. So a basic framework is presented here that you ''should customize'' for your organization.

The authors have tried hard to make this model simple enough to use, while keeping enough detail for accurate risk estimates to be made. Please reference the section below on customization for more information about tailoring the model for use in your organization.

==Approach==

There are many different approaches to risk analysis. See the reference section below for some of the most common ones. The OWASP approach presented here is based on these standard methodologies and is customized for application security.

Let's start with the standard risk model:

'''Risk = Likelihood * Impact'''

In the sections below, we break down the factors that make up "likelihood" and "impact" for application security and show how to combine them to determine the overall severity for the risk.

* [[#Step 1: Identifying a Risk]]
* [[#Step 2: Factors for Estimating Likelihood]]
* [[#Step 3: Factors for Estimating Impact]]
* [[#Step 4: Determining Severity of the Risk]]
* [[#Step 5: Deciding What to Fix]]
* [[#Step 6: Customizing Your Risk Rating Model]]

==Step 1: Identifying a Risk==

The first step is to identify a security risk that needs to be rated. You'll need to gather information about the [[threat agent]] involved, the [[attack]] they're using, the [[vulnerability]] involved, and the [[impact]] of a successful exploit on your business. There may be multiple possible groups of attackers, or even multiple possible business impacts. In general, it's best to err on the side of caution by using the worst-case option, as that will result in the highest overall risk.

==Step 2: Factors for Estimating Likelihood==

Once you've identified a potential risk, and want to figure out how serious it is, the first step is to estimate the "likelihood". At the highest level, this is a rough measure of how likely this particular vulnerability is to be uncovered and exploited by an attacker. We do not need to be over-precise in this estimate. Generally, identifying whether the likelihood is low, medium, or high is sufficient.

There are a number of factors that can help us figure this out. The first set of factors are related to the [[threat agent]] involved. The goal is to estimate the likelihood of a successful attack from a group of possible attackers. Note that there may be multiple threat agents that can exploit a particular vulnerability, so it's usually best to use the worst-case scenario. For example, an insider may be a much more likely attacker than an anonymous outsider - but it depends on a number of factors.

Note that each factor has a set of options, and each option has a likelihood rating from 0 to 9 associated with it. We'll use these numbers later to estimate the overall likelihood.

===[[Threat Agent]] Factors===

The first set of factors are related to the [[threat agent]] involved. The goal here is to estimate the likelihood of a successful attack by this group of threat agents. Use the worst-case threat agent.

; Skill level
: How technically skilled is this group of threat agents? Security penetration skills (9), network and programming skills (6), advanced computer user (4), some technical skills (3), no technical skills (1)

; Motive
: How motivated is this group of threat agents to find and exploit this vulnerability? Low or no reward (1), possible reward (4), high reward (9)

; Opportunity
: What resources and opportunity are required for this group of threat agents to find and exploit this vulnerability? full access or expensive resources required (0), special access or resources required (4), some access or resources required (7), no access or resources required (9)

; Size
: How large is this group of threat agents? Developers (2), system administrators (2), intranet users (4), partners (5), authenticated users (6), anonymous Internet users (9)

===[[Vulnerability]] Factors===

The next set of factors are related to the [[vulnerability]] involved. The goal here is to estimate the likelihood of the particular vulnerability involved being discovered and exploited. Assume the threat agent selected above.

; Ease of discovery
: How easy is it for this group of threat agents to discover this vulnerability? Practically impossible (1), difficult (3), easy (7), automated tools available (9)

; Ease of exploit
: How easy is it for this group of threat agents to actually exploit this vulnerability? Theoretical (1), difficult (3), easy (5), automated tools available (9)

; Awareness
: How well known is this vulnerability to this group of threat agents? Unknown (1), hidden (4), obvious (6), public knowledge (9)

; Intrusion detection
: How likely is an exploit to be detected? Active detection in application (1), logged and reviewed (3), logged without review (8), not logged (9)

==Step 3: Factors for Estimating Impact==

When considering the impact of a successful attack, it's important to realize that there are two kinds of impacts. The first is the "technical impact" on the application, the data it uses, and the functions it provides. The other is the "business impact" on the business and company operating the application.

Ultimately, the business impact is more important. However, you may not have access to all the information required to figure out the business consequences of a successful exploit. In this case, providing as much detail about the technical risk will enable the appropriate business representative to make a decision about the business risk.

Again, each factor has a set of options, and each option has an impact rating from 0 to 9 associated with it. We'll use these numbers later to estimate the overall impact.

===Technical Impact Factors===

Technical impact can be broken down into factors aligned with the traditional security areas of concern: confidentiality, integrity, availability, and accountability. The goal is to estimate the magnitude of the impact on the system if the vulnerability were to be exploited.

; Loss of confidentiality
: How much data could be disclosed and how sensitive is it? Minimal non-sensitive data disclosed (2), minimal critical data disclosed (6), extensive non-sensitive data disclosed (6), extensive critical data disclosed (7), all data disclosed (9)

; Loss of integrity
: How much data could be corrupted and how damaged is it? Minimal slightly corrupt data (1), minimal seriously corrupt data (3), extensive slightly corrupt data (5), extensive seriously corrupt data (7), all data totally corrupt (9)

; Loss of availability
: How much service could be lost and how vital is it? Minimal secondary services interrupted (1), minimal primary services interrupted (5), extensive secondary services interrupted (5), extensive primary services interrupted (7), all services completely lost (9)

; Loss of accountability
: Are the threat agents' actions traceable to an individual? Fully traceable (1), possibly traceable (7), completely anonymous (9)

===Business Impact Factors===

The business impact stems from the technical impact, but requires a deep understanding of what is important to the company running the application. In general, you should be aiming to support your risks with business impact, particularly if your audience is executive level. The business risk is what justifies investment in fixing security problems.

Many companies have an asset classification guide and/or a business impact reference to help formalize what is important to their business. These standards can help you focus on what's truly important for security. If these aren't available, then talk with people who understand the business to get their take on what's important.

The factors below are common areas for many businesses, but this area is even more unique to a company than the factors related to threat agent, vulnerability, and technical impact.

; Financial damage
: How much financial damage will result from an exploit? Less than the cost to fix the vulnerability (1), minor effect on annual profit (3), significant effect on annual profit (7), bankruptcy (9)

; Reputation damage
: Would an exploit result in reputation damage that would harm the business? Minimal damage (1), Loss of major accounts (4), loss of goodwill (5), brand damage (9)

; Non-compliance
: How much exposure does non-compliance introduce? Minor violation (2), clear violation (5), high profile violation (7)

; Privacy violation
: How much personally identifiable information could be disclosed? One individual (3), hundreds of people (5), thousands of people (7), millions of people (9)

==Step 4: Determining the Severity of the Risk==

In this step we're going to put together the likelihood estimate and the impact estimate to calculate an overall severity for this risk. All you need to do here is figure out whether the likelihood is LOW, MEDIUM, or HIGH and then do the same for impact. We'll just split our 0 to 9 scale into three parts.

<table border="1" width="40%" align="center">
<tr>
<td align="center" colspan="2">Likelihood and Impact Levels</td>
</tr>
<tr>
<td align="center" width="50%">0 to <3</td>
<td align="center" width="50%" bgcolor="lightgreen">LOW</td>
</tr>
<tr>
<td align="center">3 to <6</td>
<td align="center" bgcolor="yellow">MEDIUM</td>
</tr>
<tr>
<td align="center">6 to 9</td>
<td align="center" bgcolor="red">HIGH</td>
</tr>
</table>

===Informal Method===

In many environments, there is nothing wrong with "eyeballing" the factors and simply capturing the answers. You should think through the factors and identify the key "driving" factors that are controlling the result. You may discover that your initial impression was wrong by considering aspects of the risk that weren't obvious.

===Repeatable Method===

If you need to defend your ratings or make them repeatable, then you may want to go through a more formal process of rating the factors and calculating the result. Remember that there is quite a lot of uncertainty in these estimates, and that these factors are intended to help you arrive at a sensible result. This process can be supported by automated tools to make the calculation easier.

The first step is to select one of the options associated with each factor and enter the associated number in the table. Then you simply take the average of the scores to calculate the overall likelihood. For example:

<table border="1" align="center">
<tr>
<td colspan="4" align="center">Threat agent factors</td>
<td></td>
<td colspan="4" align="center">Vulnerability factors</td>
</tr>
<tr>
<td align="center" width="10%">Skill level</td>
<td align="center" width="10%">Motive</td>
<td align="center" width="10%">Opportunity</td>
<td align="center" width="10%">Size</td>
<td align="center" width="2%"></td>
<td align="center" width="10%">Ease of discovery</td>
<td align="center" width="10%">Ease of exploit</td>
<td align="center" width="10%">Awareness</td>
<td align="center" width="10%">Intrusion detection</td>
</tr>
<tr>
<td align="center">5</td>
<td align="center">2</td>
<td align="center">7</td>
<td align="center">1</td>
<td align="center"></td>
<td align="center">3</td>
<td align="center">6</td>
<td align="center">9</td>
<td align="center">2</td>
</tr>
<tr>
<td colspan="9" align="center" bgcolor="lightblue">Overall likelihood=4.375 (MEDIUM)</td>
</tr>
</table>

Next, we need to figure out the overall impact. The process is similar here. In many cases the answer will be obvious, but you can make an estimate based on the factors, or you can average the scores for each of the factors. Again, less than 3 is LOW, 3 to less than 6 is MEDIUM, and 6 to 9 is HIGH. For example:

<table border="1" align="center">
<tr>
<td colspan="4" align="center">Technical Impact</td>
<td></td>
<td colspan="4" align="center">Business Impact</td>
</tr>
<tr>
<td align="center" width="10%">Loss of confidentiality</td>
<td align="center" width="10%">Loss of integrity</td>
<td align="center" width="10%">Loss of availability</td>
<td align="center" width="10%">Loss of accountability</td>
<td align="center" width="2%"></td>
<td align="center" width="10%">Financial damage</td>
<td align="center" width="10%">Reputation damage</td>
<td align="center" width="10%">Non-compliance</td>
<td align="center" width="10%">Privacy violation</td>
</tr>
<tr>
<td align="center">9</td>
<td align="center">7</td>
<td align="center">5</td>
<td align="center">8</td>
<td align="center"></td>
<td align="center">1</td>
<td align="center">2</td>
<td align="center">1</td>
<td align="center">5</td>
</tr>
<tr>
<td colspan="4" align="center" bgcolor="lightblue">Overall technical impact=7.25 (HIGH)</td>
<td></td>
<td colspan="4" align="center" bgcolor="lightblue">Overall business impact=2.25 (LOW)</td>
</tr>
</table>

===Determining Severity===

However we arrived at the likelihood and impact estimates, we can now combine them to get a final severity rating for this risk. Note that if you have good business impact information, you should use that instead of the technical impact information. But if you have no information about the business, then technical impact is the next best thing.

<table border="1" align="center">
<tr>
<td align="center" colspan="5">Overall Risk Severity</td>
</tr>
<tr>
<td align="center" width="15%" rowspan="4">Impact</td>
<td align="center" width="15%">HIGH</td>
<td align="center" width="15%" bgcolor="orange">Medium</td>
<td align="center" width="15%" bgcolor="red">High</td>
<td align="center" width="15%" bgcolor="pink">Critical</td>
</tr>
<tr>
<td align="center">MEDIUM</td>
<td align="center" bgcolor="yellow">Low</td>
<td align="center" bgcolor="orange">Medium</td>
<td align="center" bgcolor="red">High</td>
</tr>
<tr>
<td align="center">LOW</td>
<td align="center" bgcolor="lightgreen">Note</td>
<td align="center" bgcolor="yellow">Low</td>
<td align="center" bgcolor="orange">Medium</td>
</tr>
<tr>
<td align="center"> </td>
<td align="center">LOW</td>
<td align="center">MEDIUM</td>
<td align="center">HIGH</td>
</tr>
<tr>
<td align="center"> </td>
<td align="center" colspan="4">Likelihood</td>
</tr>
</table>

In the example above, the likelihood is MEDIUM, and the technical impact is HIGH, so from a purely technical perspective, it appears that the overall severity is HIGH. However, note that the business impact is actually LOW, so the overall severity is best described as LOW as well. This is why understanding the business context of the vulnerabilities you are evaluating is so critical to making good risk decisions. Failure to understand this context can lead to the lack of trust between the business and security teams that is present in many organizations.

==Step 5: Deciding What to Fix==

After you've classified the risks to your application, you'll have a prioritized list of what to fix. As a general rule, you should fix the most severe risks first. It simply doesn't help your overall risk profile to fix less important risks, even if they're easy or cheap to fix.

Remember, not all risks are worth fixing, and some loss is not only expected, but justifiable based upon the cost of fixing the issue. For example, if it would cost $100,000 to implement controls to stem $2,000 of fraud per year, it would take 50 years return on investment to stamp out the loss. But remember there may be reputation damage from the fraud that could cost the organization much more.

==Step 6: Customizing Your Risk Rating Model==

Having a risk ranking framework that's customizable for a business is critical for adoption. A tailored model is much more likely to produce results that match people's perceptions about what is a serious risk. You can waste lots of time arguing about the risk ratings if they're not supported by a model like this. There are several ways to tailor this model for your organization.

===Adding factors===

You can choose different factors that better represent what's important for your organization. For example, a military application might add impact factors related to loss of human life or classified information. You might also add likelihood factors, such as the window of opportunity for an attacker or encryption algorithm strength.

===Customizing options===

There are some sample options associated with each factor, but the model will be much more effective if you customize these options to your business. For example, use the names of the different teams and your names for different classifications of information. You can also change the scores associated with the options. The best way to identify the right scores is to compare the ratings produced by the model with ratings produced by a team of experts. You can tune the model by carefully adjusting the scores to match.

===Weighting factors===

The model above assumes that all the factors are equally important. You can weight the factors to emphasize the factors that are more significant for your business. This makes the model a bit more complex, as you'll need to use a weighted average. But otherwise everything works the same. Again, you can tune the model by matching it against risk ratings you agree are accurate.

==References==

* Managing Information Security Risk: Organization, Mission, and Information System View [http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf]

* Industry standard vulnerability severity and risk rankings (CVSS) [http://www.first.org/cvss/]

* Security-enhancing process models (CLASP) [http://www.owasp.org/index.php/Category:OWASP_CLASP_Project]

* Cheat Sheet: Web Application Security Frame - MSDN - Microsoft [http://msdn.microsoft.com/en-us/library/ff649461.aspx]

* Security In The Software Lifecycle from DHS [https://buildsecurityin.us-cert.gov/daisy/bsi/87/version/12/part/4/data/Draft+Security+in+the+Software+Lifcycle+v1.2.pdf?branch=main&language=default]

* [[Threat_Risk_Modeling|Threat Risk Modeling]]

* Pratical Threat Analysis [http://www.ptatechnologies.com/]

* Application Security Risk Assessment Guidelines [http://kb.wisc.edu/page.php?id=20262]

* A Platform for Risk Analysis of Security Critical Systems [http://sourceforge.net/projects/coras/]

* Model-driven Development and Analysis of Secure Information Systems [http://heim.ifi.uio.no/~ketils/securis/]

* Value Driven Security Threat Modeling Based on Attack Path Analysis [http://origin-www.computer.org/csdl/proceedings/hicss/2007/2755/00/27550280a.pdf]

OWASP Risk Rating Methodology

2013-10-19T00:24:57Z

Amro Ahmed:

{{Template:OWASP Testing Guide v4}}

==The OWASP Risk Rating Methodology==

Discovering vulnerabilities is important, but just as important is being able to estimate the associated risk to the business. Early in the lifecycle, you may identify security concerns in the architecture or design by using [[threat modeling]]. Later, you may find security issues using [[code review]] or [[penetration testing]]. Or you may not discover a problem until the application is in production and is actually compromised.

By following the approach here, you'll be able to estimate the severity of all of these risks to your business, and make an informed decision about what to do about them. Having a system in place for rating risks will save time and eliminate arguing about priorities. This system will help to ensure that you don't get distracted by minor risks while ignoring more serious risks that are less well understood.

Ideally, there would be a universal risk rating system that would accurately estimate all risks for all organizations. But a vulnerability that is critical to one organization may not be very important to another. So a basic framework is presented here that you ''should customize'' for your organization.

The authors have tried hard to make this model simple enough to use, while keeping enough detail for accurate risk estimates to be made. Please reference the section below on customization for more information about tailoring the model for use in your organization.

==Approach==

There are many different approaches to risk analysis. See the reference section below for some of the most common ones. The OWASP approach presented here is based on these standard methodologies and is customized for application security.

Let's start with the standard risk model:

'''Risk = Likelihood * Impact'''

In the sections below, we break down the factors that make up "likelihood" and "impact" for application security and show how to combine them to determine the overall severity for the risk.

* [[#Step 1: Identifying a Risk]]
* [[#Step 2: Factors for Estimating Likelihood]]
* [[#Step 3: Factors for Estimating Impact]]
* [[#Step 4: Determining Severity of the Risk]]
* [[#Step 5: Deciding What to Fix]]
* [[#Step 6: Customizing Your Risk Rating Model]]

==Step 1: Identifying a Risk==

The first step is to identify a security risk that needs to be rated. You'll need to gather information about the [[threat agent]] involved, the [[attack]] they're using, the [[vulnerability]] involved, and the [[impact]] of a successful exploit on your business. There may be multiple possible groups of attackers, or even multiple possible business impacts. In general, it's best to err on the side of caution by using the worst-case option, as that will result in the highest overall risk.

==Step 2: Factors for Estimating Likelihood==

Once you've identified a potential risk, and want to figure out how serious it is, the first step is to estimate the "likelihood". At the highest level, this is a rough measure of how likely this particular vulnerability is to be uncovered and exploited by an attacker. We do not need to be over-precise in this estimate. Generally, identifying whether the likelihood is low, medium, or high is sufficient.

There are a number of factors that can help us figure this out. The first set of factors are related to the [[threat agent]] involved. The goal is to estimate the likelihood of a successful attack from a group of possible attackers. Note that there may be multiple threat agents that can exploit a particular vulnerability, so it's usually best to use the worst-case scenario. For example, an insider may be a much more likely attacker than an anonymous outsider - but it depends on a number of factors.

Note that each factor has a set of options, and each option has a likelihood rating from 0 to 9 associated with it. We'll use these numbers later to estimate the overall likelihood.

===[[Threat Agent]] Factors===

The first set of factors are related to the [[threat agent]] involved. The goal here is to estimate the likelihood of a successful attack by this group of threat agents. Use the worst-case threat agent.

; Skill level
: How technically skilled is this group of threat agents? Security penetration skills (9), network and programming skills (6), advanced computer user (4), some technical skills (3), no technical skills (1)

; Motive
: How motivated is this group of threat agents to find and exploit this vulnerability? Low or no reward (1), possible reward (4), high reward (9)

; Opportunity
: What resources and opportunity are required for this group of threat agents to find and exploit this vulnerability? full access or expensive resources required (0), special access or resources required (4), some access or resources required (7), no access or resources required (9)

; Size
: How large is this group of threat agents? Developers (2), system administrators (2), intranet users (4), partners (5), authenticated users (6), anonymous Internet users (9)

===[[Vulnerability]] Factors===

The next set of factors are related to the [[vulnerability]] involved. The goal here is to estimate the likelihood of the particular vulnerability involved being discovered and exploited. Assume the threat agent selected above.

; Ease of discovery
: How easy is it for this group of threat agents to discover this vulnerability? Practically impossible (1), difficult (3), easy (7), automated tools available (9)

; Ease of exploit
: How easy is it for this group of threat agents to actually exploit this vulnerability? Theoretical (1), difficult (3), easy (5), automated tools available (9)

; Awareness
: How well known is this vulnerability to this group of threat agents? Unknown (1), hidden (4), obvious (6), public knowledge (9)

; Intrusion detection
: How likely is an exploit to be detected? Active detection in application (1), logged and reviewed (3), logged without review (8), not logged (9)

==Step 3: Factors for Estimating Impact==

When considering the impact of a successful attack, it's important to realize that there are two kinds of impacts. The first is the "technical impact" on the application, the data it uses, and the functions it provides. The other is the "business impact" on the business and company operating the application.

Ultimately, the business impact is more important. However, you may not have access to all the information required to figure out the business consequences of a successful exploit. In this case, providing as much detail about the technical risk will enable the appropriate business representative to make a decision about the business risk.

Again, each factor has a set of options, and each option has an impact rating from 0 to 9 associated with it. We'll use these numbers later to estimate the overall impact.

===Technical Impact Factors===

Technical impact can be broken down into factors aligned with the traditional security areas of concern: confidentiality, integrity, availability, and accountability. The goal is to estimate the magnitude of the impact on the system if the vulnerability were to be exploited.

; Loss of confidentiality
: How much data could be disclosed and how sensitive is it? Minimal non-sensitive data disclosed (2), minimal critical data disclosed (6), extensive non-sensitive data disclosed (6), extensive critical data disclosed (7), all data disclosed (9)

; Loss of integrity
: How much data could be corrupted and how damaged is it? Minimal slightly corrupt data (1), minimal seriously corrupt data (3), extensive slightly corrupt data (5), extensive seriously corrupt data (7), all data totally corrupt (9)

; Loss of availability
: How much service could be lost and how vital is it? Minimal secondary services interrupted (1), minimal primary services interrupted (5), extensive secondary services interrupted (5), extensive primary services interrupted (7), all services completely lost (9)

; Loss of accountability
: Are the threat agents' actions traceable to an individual? Fully traceable (1), possibly traceable (7), completely anonymous (9)

===Business Impact Factors===

The business impact stems from the technical impact, but requires a deep understanding of what is important to the company running the application. In general, you should be aiming to support your risks with business impact, particularly if your audience is executive level. The business risk is what justifies investment in fixing security problems.

Many companies have an asset classification guide and/or a business impact reference to help formalize what is important to their business. These standards can help you focus on what's truly important for security. If these aren't available, then talk with people who understand the business to get their take on what's important.

The factors below are common areas for many businesses, but this area is even more unique to a company than the factors related to threat agent, vulnerability, and technical impact.

; Financial damage
: How much financial damage will result from an exploit? Less than the cost to fix the vulnerability (1), minor effect on annual profit (3), significant effect on annual profit (7), bankruptcy (9)

; Reputation damage
: Would an exploit result in reputation damage that would harm the business? Minimal damage (1), Loss of major accounts (4), loss of goodwill (5), brand damage (9)

; Non-compliance
: How much exposure does non-compliance introduce? Minor violation (2), clear violation (5), high profile violation (7)

; Privacy violation
: How much personally identifiable information could be disclosed? One individual (3), hundreds of people (5), thousands of people (7), millions of people (9)

==Step 4: Determining the Severity of the Risk==

In this step we're going to put together the likelihood estimate and the impact estimate to calculate an overall severity for this risk. All you need to do here is figure out whether the likelihood is LOW, MEDIUM, or HIGH and then do the same for impact. We'll just split our 0 to 9 scale into three parts.

<table border="1" width="40%" align="center">
<tr>
<td align="center" colspan="2">Likelihood and Impact Levels</td>
</tr>
<tr>
<td align="center" width="50%">0 to <3</td>
<td align="center" width="50%" bgcolor="lightgreen">LOW</td>
</tr>
<tr>
<td align="center">3 to <6</td>
<td align="center" bgcolor="yellow">MEDIUM</td>
</tr>
<tr>
<td align="center">6 to 9</td>
<td align="center" bgcolor="red">HIGH</td>
</tr>
</table>

===Informal Method===

In many environments, there is nothing wrong with "eyeballing" the factors and simply capturing the answers. You should think through the factors and identify the key "driving" factors that are controlling the result. You may discover that your initial impression was wrong by considering aspects of the risk that weren't obvious.

===Repeatable Method===

If you need to defend your ratings or make them repeatable, then you may want to go through a more formal process of rating the factors and calculating the result. Remember that there is quite a lot of uncertainty in these estimates, and that these factors are intended to help you arrive at a sensible result. This process can be supported by automated tools to make the calculation easier.

The first step is to select one of the options associated with each factor and enter the associated number in the table. Then you simply take the average of the scores to calculate the overall likelihood. For example:

<table border="1" align="center">
<tr>
<td colspan="4" align="center">Threat agent factors</td>
<td></td>
<td colspan="4" align="center">Vulnerability factors</td>
</tr>
<tr>
<td align="center" width="10%">Skill level</td>
<td align="center" width="10%">Motive</td>
<td align="center" width="10%">Opportunity</td>
<td align="center" width="10%">Size</td>
<td align="center" width="2%"></td>
<td align="center" width="10%">Ease of discovery</td>
<td align="center" width="10%">Ease of exploit</td>
<td align="center" width="10%">Awareness</td>
<td align="center" width="10%">Intrusion detection</td>
</tr>
<tr>
<td align="center">5</td>
<td align="center">2</td>
<td align="center">7</td>
<td align="center">1</td>
<td align="center"></td>
<td align="center">3</td>
<td align="center">6</td>
<td align="center">9</td>
<td align="center">2</td>
</tr>
<tr>
<td colspan="9" align="center" bgcolor="lightblue">Overall likelihood=4.375 (MEDIUM)</td>
</tr>
</table>

Next, we need to figure out the overall impact. The process is similar here. In many cases the answer will be obvious, but you can make an estimate based on the factors, or you can average the scores for each of the factors. Again, less than 3 is LOW, 3 to less than 6 is MEDIUM, and 6 to 9 is HIGH. For example:

<table border="1" align="center">
<tr>
<td colspan="4" align="center">Technical Impact</td>
<td></td>
<td colspan="4" align="center">Business Impact</td>
</tr>
<tr>
<td align="center" width="10%">Loss of confidentiality</td>
<td align="center" width="10%">Loss of integrity</td>
<td align="center" width="10%">Loss of availability</td>
<td align="center" width="10%">Loss of accountability</td>
<td align="center" width="2%"></td>
<td align="center" width="10%">Financial damage</td>
<td align="center" width="10%">Reputation damage</td>
<td align="center" width="10%">Non-compliance</td>
<td align="center" width="10%">Privacy violation</td>
</tr>
<tr>
<td align="center">9</td>
<td align="center">7</td>
<td align="center">5</td>
<td align="center">8</td>
<td align="center"></td>
<td align="center">1</td>
<td align="center">2</td>
<td align="center">1</td>
<td align="center">5</td>
</tr>
<tr>
<td colspan="4" align="center" bgcolor="lightblue">Overall technical impact=7.25 (HIGH)</td>
<td></td>
<td colspan="4" align="center" bgcolor="lightblue">Overall business impact=2.25 (LOW)</td>
</tr>
</table>

===Determining Severity===

However we arrived at the likelihood and impact estimates, we can now combine them to get a final severity rating for this risk. Note that if you have good business impact information, you should use that instead of the technical impact information. But if you have no information about the business, then technical impact is the next best thing.

<table border="1" align="center">
<tr>
<td align="center" colspan="5">Overall Risk Severity</td>
</tr>
<tr>
<td align="center" width="15%" rowspan="4">Impact</td>
<td align="center" width="15%">HIGH</td>
<td align="center" width="15%" bgcolor="orange">Medium</td>
<td align="center" width="15%" bgcolor="red">High</td>
<td align="center" width="15%" bgcolor="pink">Critical</td>
</tr>
<tr>
<td align="center">MEDIUM</td>
<td align="center" bgcolor="yellow">Low</td>
<td align="center" bgcolor="orange">Medium</td>
<td align="center" bgcolor="red">High</td>
</tr>
<tr>
<td align="center">LOW</td>
<td align="center" bgcolor="lightgreen">Note</td>
<td align="center" bgcolor="yellow">Low</td>
<td align="center" bgcolor="orange">Medium</td>
</tr>
<tr>
<td align="center"> </td>
<td align="center">LOW</td>
<td align="center">MEDIUM</td>
<td align="center">HIGH</td>
</tr>
<tr>
<td align="center"> </td>
<td align="center" colspan="4">Likelihood</td>
</tr>
</table>

In the example above, the likelihood is MEDIUM, and the technical impact is HIGH, so from a purely technical perspective, it appears that the overall severity is HIGH. However, note that the business impact is actually LOW, so the overall severity is best described as LOW as well. This is why understanding the business context of the vulnerabilities you are evaluating is so critical to making good risk decisions. Failure to understand this context can lead to the lack of trust between the business and security teams that is present in many organizations.

==Step 5: Deciding What to Fix==

After you've classified the risks to your application, you'll have a prioritized list of what to fix. As a general rule, you should fix the most severe risks first. It simply doesn't help your overall risk profile to fix less important risks, even if they're easy or cheap to fix.

Remember, not all risks are worth fixing, and some loss is not only expected, but justifiable based upon the cost of fixing the issue. For example, if it would cost $100,000 to implement controls to stem $2,000 of fraud per year, it would take 50 years return on investment to stamp out the loss. But remember there may be reputation damage from the fraud that could cost the organization much more.

==Step 6: Customizing Your Risk Rating Model==

Having a risk ranking framework that's customizable for a business is critical for adoption. A tailored model is much more likely to produce results that match people's perceptions about what is a serious risk. You can waste lots of time arguing about the risk ratings if they're not supported by a model like this. There are several ways to tailor this model for your organization.

===Adding factors===

You can choose different factors that better represent what's important for your organization. For example, a military application might add impact factors related to loss of human life or classified information. You might also add likelihood factors, such as the window of opportunity for an attacker or encryption algorithm strength.

===Customizing options===

There are some sample options associated with each factor, but the model will be much more effective if you customize these options to your business. For example, use the names of the different teams and your names for different classifications of information. You can also change the scores associated with the options. The best way to identify the right scores is to compare the ratings produced by the model with ratings produced by a team of experts. You can tune the model by carefully adjusting the scores to match.

===Weighting factors===

The model above assumes that all the factors are equally important. You can weight the factors to emphasize the factors that are more significant for your business. This makes the model a bit more complex, as you'll need to use a weighted average. But otherwise everything works the same. Again, you can tune the model by matching it against risk ratings you agree are accurate.

==References==

* Managing Information Security Risk: Organization, Mission, and Information System View [http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf]

* AS/NZS 4360 Risk Management [http://www.saiglobal.com/shop/script/Details.asp?docn=AS564557616854]

* Industry standard vulnerability severity and risk rankings (CVSS) [http://www.first.org/cvss/]

* Security-enhancing process models (CLASP) [http://www.owasp.org/index.php/Category:OWASP_CLASP_Project]

* Cheat Sheet: Web Application Security Frame - MSDN - Microsoft [http://msdn.microsoft.com/en-us/library/ff649461.aspx]

* Security In The Software Lifecycle from DHS [https://buildsecurityin.us-cert.gov/daisy/bsi/87/version/12/part/4/data/Draft+Security+in+the+Software+Lifcycle+v1.2.pdf?branch=main&language=default]

* [[Threat_Risk_Modeling|Threat Risk Modeling]]

* Pratical Threat Analysis [http://www.ptatechnologies.com/]

* A Platform for Risk Analysis of Security Critical Systems [http://sourceforge.net/projects/coras/]

* Model-driven Development and Analysis of Secure Information Systems [http://heim.ifi.uio.no/~ketils/securis/]

* Value Driven Security Threat Modeling Based on Attack Path Analysis [http://origin-www.computer.org/csdl/proceedings/hicss/2007/2755/00/27550280a.pdf]

Reporting

2013-10-19T00:16:44Z

Amro Ahmed:

{{Template:OWASP Testing Guide v4}}

Performing the technical side of the assessment is only half of the overall assessment process; the final product is the production of a well-written, and informative, report.
A report should be easy to understand and highlight all the risks found during the assessment phase and appeal to both executive management and technical staff.

The report needs to have three major sections and be created in a manner that allows each section to be split off and printed and given to the appropriate teams, such as the developers or system managers.

The sections generally recommended are:

'''1.0 Executive Summary'''

The executive summary sums up the overall findings of the assessment and gives managers, or system owners, an idea of the overall risk faced.

The language used should be more suited to people who are not technically aware and should include graphs or other charts which show the risk level. It is recommended that a summary be included, which details when the testing commenced and when it was completed.

Another section, which is often overlooked, is a paragraph on implications and actions. This allows the system owners to understand what is required to be done in order to ensure the system remains secure.

1.1 Project Objective:
In this section you will need to outline the project objectives and what is expected as an outcome of the assessment.

1.2 Project Scope:
In this section you will need to outline the agreed scope.

1.3 Limitations:
This section is dedicated for every and each limitation which you faced throughout the assessment, for instance, limitations of project-focused tests, limitation in your security testing methods, performance or technical issues that you come across during the course of assessment etc ....

1.4 Targets:
In this section you will need to list the number of applications and/or targeted systems.

'''2.0 Technical Management Overview'''

The technical management overview section often appeals to technical managers who require more technical detail than found in the executive summary. This section should include details about the scope of the assessment, the targets included and any caveats, such as system availability etc.
This section also needs to include an introduction on the risk rating used throughout the report and then finally a technical summary of the findings.

'''3.0 Assessment Findings'''

The last section of the report is the section, which includes detailed technical detail about the vulnerabilities found, and the approaches needed to ensure they are resolved. This section is aimed at a technical level and should include all the necessary information for the technical teams to understand the issue and be able to solve it.

The findings section should include:

* A reference number for easy reference with screenshots
* The affected item
* A technical description of the issue
* A section on resolving the issue
* The risk rating and impact value

Each finding should be clear and concise and give the reader of the report a full understanding of the issue at hand.

Here is the report (see https://www.owasp.org/index.php/Testing_Checklist for the complete list of tests):

<center>[[Image:tablerep.PNG]]</center>
<center>[[Image:tablerep2.PNG]]</center>
<center>[[Image:tablerep3.PNG]]</center>

'''Appendix'''

This section is often used to describe the commercial and open-source tools that were used in conducting the assessment. When custom scripts/code are utilized during the assessment, it should be disclosed in this section or noted as attachment.
It is often appreciated by the customer when the methodology used by the consultants is included. It gives them an idea of the thoroughness of the assessment and also an idea what areas were included.

OWASP Testing Guide v4 Table of Contents

2013-10-18T23:48:28Z

Amro Ahmed:

{{OWASP Breakers}}
__NOTOC__

'''This is the DRAFT of the table of content of the New Testing Guide v4.''' 
 You can download the stable version v3 [http://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf here] 

Back to the OWASP Testing Guide Project:
http://www.owasp.org/index.php/OWASP_Testing_Project

'''Updated: 15th February 2013'''

[[ OWTGv4 Contributors list|'''Contributors List]]

----

The following is a DRAFT of the Toc based on the feedback already received.

== Table of Contents ==

==[[Testing Guide Foreword|Foreword by Eoin Keary]]==
[To review--> Eoin Keary -> Done!!]

==[[Testing Guide Frontispiece |1. Frontispiece]]==
[To review--> Mat]

'''[[Testing Guide Frontispiece|1.1 About the OWASP Testing Guide Project]]'''
[To review--> Mat]

'''[[About The Open Web Application Security Project|1.2 About The Open Web Application Security Project]]'''
[To review--> ]

==[[Testing Guide Introduction|2. Introduction]]==

'''2.1 The OWASP Testing Project'''

'''2.2 Principles of Testing'''

'''2.3 Testing Techniques Explained'''

2.4 [https://www.owasp.org/index.php/Testing_Guide_Introduction#Security_Requirements_Test_Derivation Security requirements test derivation],[https://www.owasp.org/index.php/Testing_Guide_Introduction#Functional_and_Non_Functional_Test_Requirements functional and non functional test requirements], and [https://www.owasp.org/index.php/Testing_Guide_Introduction#Test_Cases_Through_Use_and_Misuse_Cases test cases through use and misuse cases]

2.5 [https://www.owasp.org/index.php/Testing_Guide_Introduction#Security_Test_Data_Analysis_and_Reporting Security test data analysis and reporting: root cause identification and business/role case test data reporting]

==[[The OWASP Testing Framework|3. The OWASP Testing Framework]]==

'''3.1. Overview'''

'''3.2. Phase 1: Before Development Begins '''

'''3.3. Phase 2: During Definition and Design'''

'''3.4. Phase 3: During Development'''

'''3.5. Phase 4: During Deployment'''

'''3.6. Phase 5: Maintenance and Operations'''

'''3.7. A Typical SDLC Testing Workflow '''

==[[Web Application Penetration Testing |4. Web Application Penetration Testing ]]==

[[Testing: Introduction and objectives|'''4.1 Introduction and Objectives''']] [To review--> Mat]

[[Testing Checklist| 4.1.1 Testing Checklist]] [To review at the end of brainstorming --> Mat]

[[Testing Information Gathering|'''4.2 Information Gathering ''']]

[[Testing: Search engine discovery/reconnaissance (OWASP-IG-002)|4.2.1 Conduct Search Engine Discovery and Reconnaissance for Information Leakage (OTG-INFO-001) ]] formerly "Search Engine Discovery/Reconnaissance (OWASP-IG-002)"

[[Fingerprint Web Server (OTG-INFO-002)|4.2.2 Fingerprint Web Server (OTG-INFO-002) ]] formerly "Testing for Web Application Fingerprint (OWASP-IG-004)"

[[Testing: Spiders, Robots, and Crawlers (OWASP-IG-001)|4.2.3 Review Webserver Metafiles for Information Leakage (OTG-INFO-003) ]] formerly "Spiders, Robots and Crawlers (OWASP-IG-001)"

[[Testing for Application Discovery (OWASP-IG-005)|4.2.4 Enumerate Applications on Webserver (OTG-INFO-004) ]] formerly "Application Discovery (OWASP-IG-005)"

[[Testing Review webpage comments and metadata(OWASP-IG-007)|4.2.5 Review Webpage Comments and Metadata for Information Leakage (OTG-INFO-005) ]] formerly "Review webpage comments and metadata(OWASP-IG-007)"

[[Testing: Identify application entry points (OWASP-IG-003)|4.2.6 Identify application entry points (OTG-INFO-006) ]] formerly "Identify application entry points (OWASP-IG-003)"

[[Testing Identify application exit/handover points (OWASP-IG-008)|4.2.7 Identify application exit/handover points (OTG-INFO-007) ]] formerly "Identify application exit/handover points (OWASP-IG-008)"

[[Testing Map execution paths through application (OWASP-IG-009)|4.2.8 Map execution paths through application (OTG-INFO-008)]] formerly "Map execution paths through application (OWASP-IG-009)"

[[Fingerprint Web Application Framework (OTG-INFO-009)|4.2.9 Fingerprint Web Application Framework (OTG-INFO-009) ]] formerly "Testing for Web Application Fingerprint (OWASP-IG-010)" '''Ready to be reviewed'''

[[Testing for Web Application (OTG-INFO-011)|4.2.10 Fingerprint Web Application (OTG-INFO-010) ]] formerly "Testing for Web Application Fingerprint (OWASP-IG-010)" '''Ready to be reviewed'''

[[Map Network and Application Architecture (OTG-INFO-012)|4.2.11 Map Network and Application Architecture (OTG-INFO-011) ]] formerly "Testing for Infrastructure Configuration Management Testing weakness (OWASP-CM-001)" '''Ready to be reviewed'''

[[Testing for configuration management|'''4.3 Configuration and Deploy Management Testing ''']]

[[Testing for infrastructure configuration management (OWASP-CM-003)|4.3.1 Test Network/Infrastructure Configuration (OTG-CONFIG-001) ]] formerly "Testing for Infrastructure Configuration Management Testing weakness (OWASP-CM-001)"

[[Testing for application configuration management (OWASP-CM-004)|4.3.2 Test Application Platform Configuration (OTG-CONFIG-002) ]] formerly "Testing for Application Configuration Management weakness (OWASP-CM-002)"

[[Testing for file extensions handling (OWASP-CM-005)|4.3.3 Test File Extensions Handling for Sensitive Information (OTG-CONFIG-003) ]] formerly "Testing for File Extensions Handling (OWASP-CM-003)"

[[Testing for Old, Backup and Unreferenced Files (OWASP-CM-006)|4.3.4 Review Old, Backup and Unreferenced Files for Sensitive Information (OTG-CONFIG-004) ]] formerly "Old, Backup and Unreferenced Files (OWASP-CM-004)"

[[Testing for Admin Interfaces (OWASP-CM-007)|4.3.5 Enumerate Infrastructure and Application Admin Interfaces (OTG-CONFIG-005) ]] formerly "Infrastructure and Application Admin Interfaces (OWASP-CM-005)" '''Ready to be reviewed'''

[[Testing for HTTP Methods and XST (OWASP-CM-008)|4.3.6 Test HTTP Methods (OTG-CONFIG-006) ]] formerly "Testing for Bad HTTP Methods (OWASP-CM-006)"

[[Testing for Database credentials/connection strings available|4.3.7 Testing for Database credentials/connection strings available (OTG-CONFIG-007) ]] formerly "Testing for Database credentials/connection strings available (OWASP-CM-007)"

[[Testing for Content Security Policy weakness|4.3.8 Test Content Security Policy (OTG-CONFIG-008) ]] formerly "Testing for Content Security Policy weakness (OWASP-CM-008)"

[[Testing for Missing HSTS header|4.3.9 Test HTTP Strict Transport Security (OTG-CONFIG-009) ]] formerly "Testing for Missing HSTS header (OWASP-CM-009)"

[[Testing for Frame Options|4.3.10 Test Frame Options (OTG-CONFIG-010) ]]

[[Testing for RIA policy files weakness|4.3.11 Test RIA cross domain policy (OTG-CONFIG-011) ]] formerly "Testing for RIA policy files weakness (OWASP-CM-010)"

[[Testing for Content Type Options|4.3.12 Test Content Type Options (OTG-CONFIG-012) ]] new

[[Testing Identity Management|'''4.4 Identity Management Testing''']]

[[Test Role Definitions (OTG-IDENT-001)|4.4.1 Test Role Definitions (OTG-IDENT-001)]] New

[[Test User Registration Process (OTG-IDENT-002)|4.4.2 Test User Registration Process (OTG-IDENT-002)]] New

[[Test Account Provisioning Process (OTG-IDENT-003)|4.4.3 Test Account Provisioning Process (OTG-IDENT-003)]] New

[[Testing for Account Enumeration and Guessable User Account (OWASP-AT-002)|4.4.4 Testing for Account Enumeration and Guessable User Account (OTG-IDENT-004) ]] formerly "Testing for Account Enumeration and Guessable User Account (OWASP-AT-002)"

[[Testing for Weak or unenforced username policy (OWASP-AT-009)| 4.4.5 Testing for Weak or unenforced username policy (OTG-IDENT-005)]] formerly "Testing for Weak or unenforced username policy (OWASP-AT-009)

[[Test Permissions of Guest/Training Accounts (OTG-IDENT-006)|4.4.6 Test Permissions of Guest/Training Accounts (OTG-IDENT-006)]] New

[[Test Account Suspension/Resumption Process (OTG-IDENT-007)|4.4.7 Test Account Suspension/Resumption Process (OTG-IDENT-007)]] New

[[Test User Deregistration Process (OTG-IDENT-008)|4.4.8 Test User Deregistration Process (OTG-IDENT-008)]] New

[[Test Account Deregistration Process (OTG-IDENT-009)|4.4.9 Test Account Deregistration Process (OTG-IDENT-009)]] New

[[Testing for authentication|'''4.5 Authentication Testing ''']]

[[Testing for Credentials Transported over an Encrypted Channel (OWASP-AT-001)|4.5.1 Testing for Credentials Transported over an Encrypted Channel (OTG-AUTHN-001)]] formerly "Testing for Credentials Transported over an Encrypted Channel (OWASP-AT-001)"

[[Testing for default credentials (OWASP-AT-003)|4.5.2 Testing for default credentials (OTG-AUTHN-002)]] formerly "Testing for default credentials (OWASP-AT-003)"

[[Testing for Weak lock out mechanism (OWASP-AT-004)|4.5.3 Testing for Weak lock out mechanism (OTG-AUTHN-003)]] formerly "Testing for Weak lock out mechanism (OWASP-AT-004)"

[[Testing for Bypassing Authentication Schema (OWASP-AT-005)|4.5.4 Testing for bypassing authentication schema (OTG-AUTHN-004)]] formerly "Testing for bypassing authentication schema (OWASP-AT-005)"

[[Testing for Vulnerable Remember Password (OWASP-AT-006)|4.5.5 Test remember password functionality (OTG-AUTHN-005)]] formerly "Testing for vulnerable remember password functionality (OWASP-AT-006)"

[[Testing for Browser cache weakness (OWASP-AT-007)|4.5.6 Testing for Browser cache weakness (OTG-AUTHN-006)]] formerly "Testing for Browser cache weakness (OWASP-AT-007)"

[[Testing for Weak password policy (OWASP-AT-008)|4.5.7 Testing for Weak password policy (OTG-AUTHN-007)]] formerly "Testing for Weak password policy (OWASP-AT-008)"

[[Testing for Weak security question/answer (OTG-AUTHN-008)|4.5.8 Testing for Weak security question/answer (OTG-AUTHN-008)]] New! - Robert Winkel

[[Testing for weak password change or reset functionalities (OWASP-AT-011)|4.5.9 Testing for weak password change or reset functionalities (OTG-AUTHN-009)]] formerly "Testing for weak password change or reset functionalities (OWASP-AT-011)"

[[Testing for Weaker authentication in alternative channel (OTG-AUTHN-010)|4.5.10 Testing for Weaker authentication in alternative channel (OTG-AUTHN-010)]] (e.g. mobile app, IVR, help desk)

[[Testing for Authorization|'''4.6 Authorization Testing''']]

[[Test Management of Account Permissions (OTG-AUTHZ-001)|4.6.1 Test Management of Account Permissions (OTG-AUTHZ-001)]] New

[[Testing for Path Traversal (OWASP-AZ-001)|4.6.2 Testing Directory traversal/file include (OTG-AUTHZ-002)]] formerly "Testing Directory traversal/file include (OWASP-AZ-001)"

[[Testing for Bypassing Authorization Schema (OWASP-AZ-002)|4.6.3 Testing for bypassing authorization schema (OTG-AUTHZ-003)]] formerly "Testing for bypassing authorization schema (OWASP-AZ-002)"

[[Testing for Privilege escalation (OWASP-AZ-003)|4.6.4 Testing for Privilege Escalation (OTG-AUTHZ-004)]] formerly "Testing for Privilege Escalation (OWASP-AZ-003)"

[[Testing for Insecure Direct Object References (OWASP-AZ-004)|4.6.5 Testing for Insecure Direct Object References (OTG-AUTHZ-005)]] formerly "Testing for Insecure Direct Object References (OWASP-AZ-004)"

[[Testing for Failure to Restrict access to authorized resource (OWASP-AZ-005)|4.6.6 Testing for Failure to Restrict access to authorized resource (OTG-AUTHZ-006)]] formerly "Testing for Failure to Restrict access to authorized resource (OWASP-AZ-005)"

[[Test privileges of server components (OTG-AUTHZ-007)|4.6.7 Test privileges of server components (OTG-AUTHZ-007)]] (e.g. indexing service, reporting interface, file generator)

[[Test enforcement of application entry points (OTG-AUTHZ-008)|4.6.8 Test enforcement of application entry points (OTG-AUTHZ-008)]] (including exposure of objects)

[[Testing for failure to restrict access to authenticated resource(OWASP-AT-010)|4.6.9 Testing for failure to restrict access to authenticated resource (OTG-AUTHZ-009)]] formerly "Testing for failure to restrict access to authenticated resource (OWASP-AT-010)"

[[Testing for Session Management|'''4.7 Session Management Testing''']]

[[Testing for Session_Management_Schema (OWASP-SM-001)|4.7.1 Testing for Bypassing Session Management Schema (OTG-SESS-001)]] formerly "Testing for Bypassing Session Management Schema (OWASP-SM-001)"

[[Testing for cookies attributes (OWASP-SM-002)|4.7.2 Testing for Cookies attributes (OTG-SESS-002)]] formerly "Testing for Cookies attributes (OWASP-SM-002)" (Cookies are set not ‘HTTP Only’, ‘Secure’, and no time validity)

[[Testing for Session Fixation (OWASP-SM-003)|4.7.3 Testing for Session Fixation (OTG-SESS-003)]] formerly "Testing for Session Fixation (OWASP-SM-003)"

[[Testing for Exposed Session Variables (OWASP-SM-004)|4.7.4 Testing for Exposed Session Variables (OTG-SESS-004)]] formerly "Testing for Exposed Session Variables (OWASP-SM-004)"

[[Testing for CSRF (OWASP-SM-005)|4.7.5 Testing for Cross Site Request Forgery (CSRF) (OTG-SESS-005)]] formerly "Testing for Cross Site Request Forgery (CSRF) (OWASP-SM-005)"

[[Test Session Token Strength (OTG-SESS-006)|4.7.6 Test Session Token Strength (OTG-SESS-006)]]

[[Testing for logout functionality (OWASP-SM-007)|4.7.7 Testing for logout functionality (OTG-SESS-007)]] formerly "Testing for logout functionality (OWASP-SM-007)"

[[Testing for Session puzzling (OWASP-SM-008)|4.7.8 Testing for Session puzzling (OWASP-SM-008)]]

[[Test Session Timeout (OTG-SESS-008)|4.7.8 Test Session Timeout (OTG-SESS-008)]]

[[Test multiple concurrent sessions (OTG-SESS-009)|4.7.9 Test multiple concurrent sessions (OTG-SESS-009)]]

[[Testing for Data Validation|'''4.8 Data Validation Testing''']]

[[Testing for Reflected Cross site scripting (OWASP-DV-001) |4.8.1 Testing for Reflected Cross Site Scripting (OTG-INPVAL-001)]] formerly "Testing for Reflected Cross Site Scripting (OWASP-DV-001)"

[[Testing for Stored Cross site scripting (OWASP-DV-002) |4.8.2 Testing for Stored Cross Site Scripting (OTG-INPVAL-002)]] formerly "Testing for Stored Cross Site Scripting (OWASP-DV-002)"

[[Testing for HTTP Verb Tampering (OWASP-DV-003)|4.8.3 Testing for HTTP Verb Tampering (OTG-INPVAL-003)]] formerly "Testing for HTTP Verb Tampering (OWASP-DV-003)"

[[Testing for HTTP Parameter pollution (OWASP-DV-004)|4.8.4 Testing for HTTP Parameter pollution (OTG-INPVAL-004) ]] formerly "Testing for HTTP Parameter pollution (OWASP-DV-004)"

[[Testing for Unvalidated Redirects and Forwards (OWASP-DV-004)|4.8.5 Testing for Unvalidated Redirects and Forwards (OTG-INPVAL-005) ]] formerly "Testing for Unvalidated Redirects and Forwards (OWASP-DV-004)"

[[Testing for SQL Injection (OWASP-DV-005)| 4.8.6 Testing for SQL Injection (OTG-INPVAL-006)]] formerly "Testing for SQL Injection (OWASP-DV-005)" '''Ready to be reviewed'''

[[Testing for Oracle|4.8.6.1 Oracle Testing]]

[[Testing for MySQL|4.8.6.2 MySQL Testing [Ismael Gonçalves]]]

[[Testing for SQL Server|4.8.6.3 SQL Server Testing]]

[[OWASP_Backend_Security_Project_Testing_PostgreSQL|4.8.6.4 Testing PostgreSQL (from OWASP BSP) ]]

[[Testing for MS Access |4.8.6.5 MS Access Testing]]

[[Testing for NoSQL injection|4.8.6.6 Testing for NoSQL injection [New!]]]

[[Testing for LDAP Injection (OWASP-DV-006)|4.8.7 Testing for LDAP Injection (OTG-INPVAL-007)]] formerly "Testing for LDAP Injection (OWASP-DV-006)"

[[Testing for ORM Injection (OWASP-DV-007)|4.8.8 Testing for ORM Injection (OTG-INPVAL-008)]] formerly "Testing for ORM Injection (OWASP-DV-007)"

[[Testing for XML Injection (OWASP-DV-008)|4.8.9 Testing for XML Injection (OTG-INPVAL-009)]] formerly "Testing for XML Injection (OWASP-DV-008)"

[[Testing for SSI Injection (OWASP-DV-009)|4.8.10 Testing for SSI Injection (OTG-INPVAL-010)]] formerly "Testing for SSI Injection (OWASP-DV-009)"

[[Testing for XPath Injection (OWASP-DV-010)|4.8.11 Testing for XPath Injection (OTG-INPVAL-011)]] formerly "Testing for XPath Injection (OWASP-DV-010)"

[[Testing for IMAP/SMTP Injection (OWASP-DV-011)|4.8.12 IMAP/SMTP Injection (OTG-INPVAL-012)]] formerly "IMAP/SMTP Injection (OWASP-DV-011)"

[[Testing for Code Injection (OWASP-DV-012)|4.8.13 Testing for Code Injection (OTG-INPVAL-013)]] formerly "Testing for Code Injection (OWASP-DV-012)"

[[Testing for Local File Inclusion|4.8.13.1 Testing for Local File Inclusion]] [Alexander Antukh]

[[Testing for Remote File Inclusion|4.8.13.2 Testing for Remote File Inclusion]] [Alexander Antukh]

[[Testing for Command Injection (OWASP-DV-013)|4.8.14 Testing for Command Injection (OTG-INPVAL-014)]] formerly "Testing for Command Injection (OWASP-DV-013)"

[[Testing for Buffer Overflow (OWASP-DV-014)|4.8.15 Testing for Buffer overflow (OTG-INPVAL-015)]] formerly "Testing for Buffer overflow (OWASP-DV-014)"

[[Testing for Heap Overflow|4.8.15.1 Testing for Heap overflow]]

[[Testing for Stack Overflow|4.8.15.2 Testing for Stack overflow]]

[[Testing for Format String|4.8.15.3 Testing for Format string]]

[[Testing for Incubated Vulnerability (OWASP-DV-015)|4.8.16 Testing for incubated vulnerabilities (OTG-INPVAL-016)]] formerly "Testing for incubated vulnerabilities (OWASP-DV-015)"

[[Testing for HTTP Splitting/Smuggling (OWASP-DV-016)|4.8.17 Testing for HTTP Splitting/Smuggling (OTG-INPVAL-017) ]] formerly "Testing for HTTP Splitting/Smuggling (OWASP-DV-016)" [Juan Galiana]

[[Error Handling|'''4.9 Error Handling''']]

[[Testing for Error Code (OWASP-IG-006)|4.9.1 Analysis of Error Codes (OTG-ERR-001)]] formerly "Analysis of Error Codes (OWASP-IG-006)"

[[Testing for Stack Traces (OWASP-IG-XXX)|4.9.2 Analysis of Stack Traces (OTG-ERR-002)]] formerly "Analysis of Stack Traces"

[[Cryptography|'''4.10 Cryptography''']]

[[Testing for Insecure encryption usage (OWASP-EN-001)| 4.10.1 Testing for Insecure encryption usage (OTG-CRYPST-001)]] formerly "Testing for Insecure encryption usage (OWASP-EN-001)"

[[Testing for Weak SSL/TSL Ciphers, Insufficient Transport Layer Protection (OWASP-EN-002)| 4.10.2 Testing for Weak SSL/TSL Ciphers, Insufficient Transport Layer Protection (OTG-CRYPST-002)]] formerly "Testing for Weak SSL/TSL Ciphers, Insufficient Transport Layer Protection (OWASP-EN-002)"

[[Testing for Padding Oracle (OWASP-EN-003)| 4.10.3 Testing for Padding Oracle (OTG-CRYPST-003)]] formerly "Testing for Padding Oracle (OWASP-EN-003)"

[[Testing for Cacheable HTTPS Response (OTG-CRYPST-004)| 4.10.4 Testing for Cacheable HTTPS Response (OTG-CRYPST-004)]]

[[Test Cache Directives (OTG-CRYPST-005)|4.10.5 Test Cache Directives (OTG-CRYPST-005)]]

[[Testing for Insecure Cryptographic Storage (OTG-CRYPST-006)|4.10.6 Testing for Insecure Cryptographic Storage (OTG-CRYPST-006)]]

[[Testing for Sensitive information sent via unencrypted channels (OTG-CRYPST-007)|4.10.7 Testing for Sensitive information sent via unencrypted channels (OTG-CRYPST-007)]]

[[Test Cryptographic Key Management (OTG-CRYPST-008)|4.10.8 Test Cryptographic Key Management (OTG-CRYPST-008)]]

[[Logging|'''4.11 Logging''']] Not convinced Logging should be included as it requires access to logs to test

[[Test time synchronisation (OTG-LOG-001)|4.11.1 Test time synchronisation (OTG-LOG-001) ]] formerly "Incorrect time"

[[Test user-viewable log of authentication events (OTG-LOG-002)|4.11.2 Test user-viewable log of authentication events (OTG-LOG-002)]]

[[Testing for business logic (OWASP-BL-001)|'''4.12 Business Logic Testing (OWASP-BL-001)''']] [To review--> David Fern]
Business Logic 

[[Test business logic data validation (OTG-BUSLOGIC-001)|4.12.1 Test business logic data validation (OTG-BUSLOGIC-001)]] [New!] NOTE MAT: to discuss this section

[[Test Ability to forge requests (OTG-BUSLOGIC-002)|4.12.2 Test Ability to forge requests (OTG-BUSLOGIC-002)]] [New!]

[[Test integrity checks (OTG-BUSLOGIC-003)|4.12.3 Test integrity checks (OTG-BUSLOGIC-003)]] (e.g. overwriting updates) [New!]

[[Test tamper evidence (OTG-BUSLOGIC-004)|4.12.4 Test tamper evidence (OTG-BUSLOGIC-004)]] [New!]

[[Test excessive rate (speed) of use limits (OTG-BUSLOGIC-005)|4.12.5 Test excessive rate (speed) of use limits (OTG-BUSLOGIC-005)]] [New!]

[[Test size of request limits (OTG-BUSLOGIC-006)|4.12.6 Test size of request limits (OTG-BUSLOGIC-006)]] [New!]

[[Test number of times a function can be used limits (OTG-BUSLOGIC-007)|4.12.7 Test number of times a function can be used limits (OTG-BUSLOGIC-002)]] [New!]

[[Test bypass of correct sequence (OTG-BUSLOGIC-008)|4.12.8 Test bypass of correct sequence (OTG-BUSLOGIC-008)]] [New!]

[[Test self-hosted payment cardholder data processing (OTG-BUSLOGIC-009)|4.12.9 Test self-hosted payment cardholder data processing (OTG-BUSLOGIC-009)]] [New!]

[[Test security incident reporting information (OTG-BUSLOGIC-010)|4.12.10 Test security incident reporting information (OTG-BUSLOGIC-010)]] [New!]

[[Test defenses against application mis-use (OTG-BUSLOGIC-011)|4.12.11 Test defenses against application mis-use (OTG-BUSLOGIC-011)]] [New!]

[[Denial of Service|'''4.13 Denial of Service''']]

[[Test Regular expression DoS (OTG-DOS-001)| 4.13.1 Test Regular expression DoS (OTG-DOS-001)]] [New!] note: to understand better 

[[Test XML DoS (OTG-DOS-002)| 4.13.2 Test XML DoS (OTG-DOS-002)]] [New! - Andrew Muller]

[[Testing for Captcha (OWASP-AT-012)|4.13.3 Testing for CAPTCHA (OTG-DOS-003)]] formerly "Testing for CAPTCHA (OWASP-AT-012)"

[[Web Service (XML Interpreter)|'''4.14 Web Service Testing''']] [Tom Eston]

[[Scoping a Web Service Test (OWASP-WS-001)|4.14.1 Scoping a Web Service Test (OTG-WEBSVC-001)]] formerly "Scoping a Web Service Test (OWASP-WS-001)"

[[WS Information Gathering (OWASP-WS-002)|4.14.2 WS Information Gathering (OTG-WEBSVC-002)]] formerly "WS Information Gathering (OWASP-WS-002)"

[[WS Authentication Testing (OWASP-WS-003)|4.14.3 WS Authentication Testing (OTG-WEBSVC-003)]] formerly "WS Authentication Testing (OWASP-WS-003)"

[[WS Management Interface Testing (OWASP-WS-004)|4.14.4 WS Management Interface Testing (OTG-WEBSVC-004)]] formerly "WS Management Interface Testing (OWASP-WS-004)"

[[Weak XML Structure Testing (OWASP-WS-005)|4.14.5 Weak XML Structure Testing (OTG-WEBSVC-005)]] formerly "Weak XML Structure Testing (OWASP-WS-005)"

[[XML Content-Level Testing (OWASP-WS-006)|4.14.6 XML Content-Level Testing (OTG-WEBSVC-006)]] formerly "XML Content-Level Testing (OWASP-WS-006)"

[[WS HTTP GET Parameters/REST Testing (OWASP-WS-007)|4.14.7 WS HTTP GET Parameters/REST Testing (OTG-WEBSVC-007)]] formerly "WS HTTP GET Parameters/REST Testing (OWASP-WS-007)"

[[WS Naughty SOAP Attachment Testing (OWASP-WS-008)|4.14.8 WS Naughty SOAP Attachment Testing (OTG-WEBSVC-008)]] formerly "WS Naughty SOAP Attachment Testing (OWASP-WS-008)"

[[WS Replay/MiTM Testing (OWASP-WS-009)|4.14.9 WS Replay/MiTM Testing (OTG-WEBSVC-009)]] formerly "WS Replay/MiTM Testing (OWASP-WS-009)"

[[WS BEPL Testing (OWASP-WS-010)|4.14.10 WS BEPL Testing (OTG-WEBSVC-010)]] formerly "WS BEPL Testing (OWASP-WS-010)"

[[Client Side Testing|'''4.15 Client Side Testing''']] [New!]

[[Testing for DOM-based Cross site scripting (OWASP-DV-003)|4.15.1 Testing for DOM based Cross Site Scripting (OTG-CLIENT-001)]] formerly "Testing for DOM based Cross Site Scripting (OWASP-CS-001)" [Stefano Di Paola]

[[Test Cross Origin Resource Sharing (OTG-CLIENT-002)|4.15.2 Test Cross Origin Resource Sharing (OTG-CLIENT-002)]] formerly "Testing for HTML5 (OWASP CS-002)" [Juan Galiana]

[[Testing for Cross site flashing (OWASP-DV-004)|4.15.3 Testing for Cross Site Flashing (OTG-CLIENT-003)]] formerly "Testing for Cross Site Flashing (OWASP-CS-003)"

[[Testing for Clickjacking (OWASP-CS-004)|4.15.4 Testing for Clickjacking (OTG-CLIENT-004)]] formerly "Testing for Clickjacking (OWASP-CS-004)" [Davide Danelon]

[[Testing WebSockets (OTG-CLIENT-005)|4.15.5 Testing WebSockets (OTG-CLIENT-005)]] [Ryan Dewhurst]

[[Test Web Messaging (OTG-CLIENT-006)|4.15.6 Test Web Messaging (OTG-CLIENT-006)]] [Juan Galiana]

[[Test Local Storage (OTG-CLIENT-007)|4.15.7 Test Local Storage (OTG-CLIENT-007)]] [Juan Galiana]

==[[Writing Reports: value the real risk |5. Writing Reports: value the real risk ]]==

[[How to value the real risk |5.1 How to value the real risk]] [To review--> Amro AlOlaqi]

[[How to write the report of the testing |5.2 How to write the report of the testing]] [To review--> Amro AlOlaqi]

==[[Appendix A: Testing Tools |Appendix A: Testing Tools ]]==

* Black Box Testing Tools [To review--> Amro AlOlaqi] '''Ready to be reviewed'''

==[[OWASP Testing Guide Appendix B: Suggested Reading | Appendix B: Suggested Reading]]==
* Whitepapers [To review--> David Fern]
* Books [To review--> David Fern]
* Useful Websites [To review--> David Fern]

==[[OWASP Testing Guide Appendix C: Fuzz Vectors | Appendix C: Fuzz Vectors]]==

* Fuzz Categories [To review--> Amro AlOlaqi]

==[[OWASP Testing Guide Appendix D: Encoded Injection | Appendix D: Encoded Injection]]==

[To review--> Amro AlOlaqi]

----

[[Category:OWASP Testing Project]]

Enumerate Infrastructure and Application Admin Interfaces (OTG-CONFIG-005)

2013-10-18T23:44:38Z

Amro Ahmed:

{{Template:OWASP Testing Guide v4}}

== Brief Summary ==
 
Administrator interfaces may be present in the application or on the application server to allow certain users to undertake privileged activities on the site. Tests should be undertaken to reveal if and how this privileged functionality can be accessed by an unauthorized or standard user.
 

== Description of the Issue ==
An application may require an administrator interface to enable a privileged user to access functionality that may make changes to how the site functions. Such changes may include:

- user account provisioning 
- site design and layout 
- data manipulation 
- configuration changes 

In many instances, such interfaces are usually implemented with little thought of how to separate them from the normal users of the site. Testing is aimed at discovering these administrator interfaces and accessing functionality intended for the privileged users.

== Black Box testing and example ==
The following describes vectors that may be used to test for the presence of administrative interfaces. These techniques may also be used for testing for related issues including privilege escalation, and are described elsewhere in this guide in greater detail:

* Directory and file enumeration - An administrative interface may be present but not visibly available to the tester. Attempting to guess the path of the administrative interface may be as simple as requesting: ''/admin or /administrator etc..'' or in some scenarios can be revealed within seconds using [http://www.exploit-db.com/google-dorks Google dorks].

A tester may have to also identify the filename of the administration page. Forcibly browsing to the identified page may provide access to the interface.

* Comments and links in source - Many sites use common code that is loaded for all site users. By examining all source sent to the client, links to administrator functionality may be discovered and should be investigated.

* Reviewing server and application documentation - If the application server or application is deployed in its default configuration it may be possible to access the administration interface using information described in configuration or help documentation. Default password lists should be consulted if an administrative interface is found and credentials are required.

* Alternative server port - Administration interfaces may be seen on a different port on the host than the main application. For example, Apache Tomcat's Administration interface can often be seen on port 8080.

* Parameter tampering - A GET or POST parameter or a cookie variable may be required to enable the administrator functionality. Clues to this include the presence of hidden fields such as:

<input type="hidden" name="admin" value="no">

or in a cookie:

Cookie: session_cookie; useradmin=0

Once an administrative interface has been discovered, a combination of the above techniques may be used to attempt to bypass authentication. If this fails, the tester may wish to attempt a brute force attack. In such an instance the tester should be aware of the potential for administrative account lockout if such functionality is present.

== Gray Box testing and example ==
A more detailed examination of the server and application components should be undertaken to ensure hardening (i.e. administrator pages are not accessible to everyone through the use of IP filtering or other controls), and where applicable, verification that all components do not use default credentials or configurations.
 
Source code should be reviewed to ensure that the authorization and authentication model ensures clear separation of duties between normal users and site administrators. User interface functions shared between normal and administrator users should be reviewed to ensure clear separation between the drawing of such components and information leakage from such shared functionality.
 

== References ==
* Default Password list: http://www.governmentsecurity.org/articles/DefaultLoginsandPasswordsforNetworkedDevices.php
* Default Password list: http://www.cirt.net/passwords

Enumerate Infrastructure and Application Admin Interfaces (OTG-CONFIG-005)

2013-10-18T23:19:18Z

Amro Ahmed:

{{Template:OWASP Testing Guide v4}}

== Brief Summary ==
 
Administrator interfaces may be present in the application or on the application server to allow certain users to undertake privileged activities on the site. Tests should be undertaken to reveal if and how this privileged functionality can be accessed by an unauthorized or standard user.
 

== Description of the Issue ==
An application may require an administrator interface to enable a privileged user to access functionality that may make changes to how the site functions. Such changes may include:

- user account provisioning 
- site design and layout 
- data manipulation 
- configuration changes 

In many instances, such interfaces are usually implemented with little thought of how to separate them from the normal users of the site. Testing is aimed at discovering these administrator interfaces and accessing functionality intended for the privileged users.

== Black Box testing and example ==
The following describes vectors that may be used to test for the presence of administrative interfaces. These techniques may also be used for testing for related issues including privilege escalation, and are described elsewhere in this guide in greater detail:

* Directory and file enumeration - An administrative interface may be present but not visibly available to the tester. Attempting to guess the path of the administrative interface may be as simple as requesting:
/admin or /administrator etc..
A tester may have to also identify the filename of the administration page. Forcibly browsing to the identified page may provide access to the interface.

* Comments and links in source - Many sites use common code that is loaded for all site users. By examining all source sent to the client, links to administrator functionality may be discovered and should be investigated.

* Reviewing server and application documentation - If the application server or application is deployed in its default configuration it may be possible to access the administration interface using information described in configuration or help documentation. Default password lists should be consulted if an administrative interface is found and credentials are required.

* Alternative server port - Administration interfaces may be seen on a different port on the host than the main application. For example, Apache Tomcat's Administration interface can often be seen on port 8080.

* Parameter tampering - A GET or POST parameter or a cookie variable may be required to enable the administrator functionality. Clues to this include the presence of hidden fields such as:

<input type="hidden" name="admin" value="no">

or in a cookie:

Cookie: session_cookie; useradmin=0

Once an administrative interface has been discovered, a combination of the above techniques may be used to attempt to bypass authentication. If this fails, the tester may wish to attempt a brute force attack. In such an instance the tester should be aware of the potential for administrative account lockout if such functionality is present.

== Gray Box testing and example ==
A more detailed examination of the server and application components should be undertaken to ensure hardening (i.e. administrator pages are not accessible to everyone through the use of IP filtering or other controls), and where applicable, verification that all components do not use default credentials or configurations.
 
Source code should be reviewed to ensure that the authorization and authentication model ensures clear separation of duties between normal users and site administrators. User interface functions shared between normal and administrator users should be reviewed to ensure clear separation between the drawing of such components and information leakage from such shared functionality.
 

== References ==
* Default Password list: http://www.governmentsecurity.org/articles/DefaultLoginsandPasswordsforNetworkedDevices.php
* Default Password list: http://www.cirt.net/passwords

Enumerate Infrastructure and Application Admin Interfaces (OTG-CONFIG-005)

2013-10-18T23:09:41Z

Amro Ahmed:

{{Template:OWASP Testing Guide v4}}

== Brief Summary ==
 
Administrator interfaces may be present in the application or on the application server to allow certain users to undertake privileged activities on the site. Tests should be undertaken to reveal if and how this privileged functionality can be accessed by an unauthorized or standard user.
 

== Description of the Issue ==
An application may require an administrator interface to enable a privileged user to access functionality that may make changes to how the site functions. Such changes may include:

- user account provisioning 
- site design and layout 
- data manipulation 
- configuration changes 

In many instances, such interfaces are usually implemented with little thought of how to separate them from the normal users of the site. Testing is aimed at discovering these administrator interfaces and accessing functionality intended for the privileged users.

== Black Box testing and example ==
The following describes vectors that may be used to test for the presence of administrative interfaces. These techniques may also be used for testing for related issues including privilege escalation, and are described elsewhere in this guide in greater detail:

* Directory and file enumeration - An administrative interface may be present but not visibly available to the tester. Attempting to guess the path of the administrative interface may be as simple as requesting:
/admin or /administrator etc..
A tester may have to also identify the filename of the administration page. Forcibly browsing to the identified page may provide access to the interface.

* Comments and links in source - Many sites use common code that is loaded for all site users. By examining all source sent to the client, links to administrator functionality may be discovered and should be investigated.

* Reviewing server and application documentation - If the application server or application is deployed in its default configuration it may be possible to access the administration interface using information described in configuration or help documentation. Default password lists should be consulted if an administrative interface is found and credentials are required.

* Alternative server port - Administration interfaces may be seen on a different port on the host than the main application. For example, Apache Tomcat's Administration interface can often be seen on port 8080.

* Parameter tampering - A GET or POST parameter or a cookie variable may be required to enable the administrator functionality. Clues to this include the presence of hidden fields such as:

<input type="hidden" name="admin" value="no">

or in a cookie:

Cookie: session_cookie; useradmin=0

Once an administrative interface has been discovered, a combination of the above techniques may be used to attempt to bypass authentication. If this fails, the tester may wish to attempt a brute force attack. In such an instance the tester should be aware of the potential for administrative account lockout if such functionality is present.

== Gray Box testing and example ==
A more detailed examination of the server and application components should be undertaken to ensure hardening (i.e. administrator pages are not accessible to everyone through the use of IP filtering or other controls), and where applicable, verification that all components do not use default credentials or configurations.
 
Source code should be reviewed to ensure that the authorization and authentication model ensures clear separation of duties between normal users and site administrators. User interface functions shared between normal and administrator users should be reviewed to ensure clear separation between the drawing of such components and information leakage from such shared functionality.
 

== References ==
* Default Password list: http://www.governmentsecurity.org/articles/DefaultLoginsandPasswordsforNetworkedDevices.php
* Default Password list: http://www.cirt.net/passwords

OWASP Testing Guide v4 Table of Contents

2013-09-27T17:45:30Z

Amro Ahmed:

{{OWASP Breakers}}
__NOTOC__

'''This is the DRAFT of the table of content of the New Testing Guide v4.''' 
 You can download the stable version v3 [http://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf here] 

Back to the OWASP Testing Guide Project:
http://www.owasp.org/index.php/OWASP_Testing_Project

'''Updated: 15th February 2013'''

[[ OWTGv4 Contributors list|'''Contributors List]]

----

The following is a DRAFT of the Toc based on the feedback already received.

== Table of Contents ==

==[[Testing Guide Foreword|Foreword by Eoin Keary]]==
[To review--> Eoin Keary -> Done!!]

==[[Testing Guide Frontispiece |1. Frontispiece]]==
[To review--> Mat]

'''[[Testing Guide Frontispiece|1.1 About the OWASP Testing Guide Project]]'''
[To review--> Mat]

'''[[About The Open Web Application Security Project|1.2 About The Open Web Application Security Project]]'''
[To review--> ]

==[[Testing Guide Introduction|2. Introduction]]==

'''2.1 The OWASP Testing Project'''

'''2.2 Principles of Testing'''

'''2.3 Testing Techniques Explained'''

2.4 [https://www.owasp.org/index.php/Testing_Guide_Introduction#Security_Requirements_Test_Derivation Security requirements test derivation],[https://www.owasp.org/index.php/Testing_Guide_Introduction#Functional_and_Non_Functional_Test_Requirements functional and non functional test requirements], and [https://www.owasp.org/index.php/Testing_Guide_Introduction#Test_Cases_Through_Use_and_Misuse_Cases test cases through use and misuse cases]

2.5 [https://www.owasp.org/index.php/Testing_Guide_Introduction#Security_Test_Data_Analysis_and_Reporting Security test data analysis and reporting: root cause identification and business/role case test data reporting]

==[[The OWASP Testing Framework|3. The OWASP Testing Framework]]==

'''3.1. Overview'''

'''3.2. Phase 1: Before Development Begins '''

'''3.3. Phase 2: During Definition and Design'''

'''3.4. Phase 3: During Development'''

'''3.5. Phase 4: During Deployment'''

'''3.6. Phase 5: Maintenance and Operations'''

'''3.7. A Typical SDLC Testing Workflow '''

==[[Web Application Penetration Testing |4. Web Application Penetration Testing ]]==

[[Testing: Introduction and objectives|'''4.1 Introduction and Objectives''']] [To review--> Mat]

[[Testing Checklist| 4.1.1 Testing Checklist]] [To review at the end of brainstorming --> Mat]

[[Testing Information Gathering|'''4.2 Information Gathering ''']]

[[Testing: Search engine discovery/reconnaissance (OWASP-IG-002)|4.2.1 Conduct Search Engine Discovery and Reconnaissance for Information Leakage (OTG-INFO-001) ]] formerly "Search Engine Discovery/Reconnaissance (OWASP-IG-002)"

[[Fingerprint Web Server (OTG-INFO-002)|4.2.2 Fingerprint Web Server (OTG-INFO-002) ]] formerly "Testing for Web Application Fingerprint (OWASP-IG-004)"

[[Testing: Spiders, Robots, and Crawlers (OWASP-IG-001)|4.2.3 Review Webserver Metafiles for Information Leakage (OTG-INFO-003) ]] formerly "Spiders, Robots and Crawlers (OWASP-IG-001)"

[[Testing for Application Discovery (OWASP-IG-005)|4.2.4 Enumerate Applications on Webserver (OTG-INFO-004) ]] formerly "Application Discovery (OWASP-IG-005)"

[[Testing Review webpage comments and metadata(OWASP-IG-007)|4.2.5 Review Webpage Comments and Metadata for Information Leakage (OTG-INFO-005) ]] formerly "Review webpage comments and metadata(OWASP-IG-007)"

[[Testing: Identify application entry points (OWASP-IG-003)|4.2.6 Identify application entry points (OTG-INFO-006) ]] formerly "Identify application entry points (OWASP-IG-003)"

[[Testing Identify application exit/handover points (OWASP-IG-008)|4.2.7 Identify application exit/handover points (OTG-INFO-007) ]] formerly "Identify application exit/handover points (OWASP-IG-008)"

[[Testing Map execution paths through application (OWASP-IG-009)|4.2.8 Map execution paths through application (OTG-INFO-008)]] formerly "Map execution paths through application (OWASP-IG-009)"

[[Fingerprint Web Application Framework (OTG-INFO-009)|4.2.9 Fingerprint Web Application Framework (OTG-INFO-009) ]] formerly "Testing for Web Application Fingerprint (OWASP-IG-010)" '''Ready to be reviewed'''

[[Testing for Web Application (OTG-INFO-011)|4.2.10 Fingerprint Web Application (OTG-INFO-010) ]] formerly "Testing for Web Application Fingerprint (OWASP-IG-010)" '''Ready to be reviewed'''

[[Map Network and Application Architecture (OTG-INFO-012)|4.2.11 Map Network and Application Architecture (OTG-INFO-011) ]] formerly "Testing for Infrastructure Configuration Management Testing weakness (OWASP-CM-001)" '''Ready to be reviewed'''

[[Testing for configuration management|'''4.3 Configuration and Deploy Management Testing ''']]

[[Testing for infrastructure configuration management (OWASP-CM-003)|4.3.1 Test Network/Infrastructure Configuration (OTG-CONFIG-001) ]] formerly "Testing for Infrastructure Configuration Management Testing weakness (OWASP-CM-001)"

[[Testing for application configuration management (OWASP-CM-004)|4.3.2 Test Application Platform Configuration (OTG-CONFIG-002) ]] formerly "Testing for Application Configuration Management weakness (OWASP-CM-002)"

[[Testing for file extensions handling (OWASP-CM-005)|4.3.3 Test File Extensions Handling for Sensitive Information (OTG-CONFIG-003) ]] formerly "Testing for File Extensions Handling (OWASP-CM-003)"

[[Testing for Old, Backup and Unreferenced Files (OWASP-CM-006)|4.3.4 Review Old, Backup and Unreferenced Files for Sensitive Information (OTG-CONFIG-004) ]] formerly "Old, Backup and Unreferenced Files (OWASP-CM-004)"

[[Testing for Admin Interfaces (OWASP-CM-007)|4.3.5 Enumerate Infrastructure and Application Admin Interfaces (OTG-CONFIG-005) ]] formerly "Infrastructure and Application Admin Interfaces (OWASP-CM-005)"

[[Testing for HTTP Methods and XST (OWASP-CM-008)|4.3.6 Test HTTP Methods (OTG-CONFIG-006) ]] formerly "Testing for Bad HTTP Methods (OWASP-CM-006)"

[[Testing for Database credentials/connection strings available|4.3.7 Testing for Database credentials/connection strings available (OTG-CONFIG-007) ]] formerly "Testing for Database credentials/connection strings available (OWASP-CM-007)"

[[Testing for Content Security Policy weakness|4.3.8 Test Content Security Policy (OTG-CONFIG-008) ]] formerly "Testing for Content Security Policy weakness (OWASP-CM-008)"

[[Testing for Missing HSTS header|4.3.9 Test HTTP Strict Transport Security (OTG-CONFIG-009) ]] formerly "Testing for Missing HSTS header (OWASP-CM-009)"

[[Testing for Frame Options|4.3.10 Test Frame Options (OTG-CONFIG-010) ]]

[[Testing for RIA policy files weakness|4.3.11 Test RIA cross domain policy (OTG-CONFIG-011) ]] formerly "Testing for RIA policy files weakness (OWASP-CM-010)"

[[Testing for Content Type Options|4.3.12 Test Content Type Options (OTG-CONFIG-012) ]] new

[[Testing Identity Management|'''4.4 Identity Management Testing''']]

[[Test Role Definitions (OTG-IDENT-001)|4.4.1 Test Role Definitions (OTG-IDENT-001)]] New

[[Test User Registration Process (OTG-IDENT-002)|4.4.2 Test User Registration Process (OTG-IDENT-002)]] New

[[Test Account Provisioning Process (OTG-IDENT-003)|4.4.3 Test Account Provisioning Process (OTG-IDENT-003)]] New

[[Testing for Account Enumeration and Guessable User Account (OWASP-AT-002)|4.4.4 Testing for Account Enumeration and Guessable User Account (OTG-IDENT-004) ]] formerly "Testing for Account Enumeration and Guessable User Account (OWASP-AT-002)"

[[Testing for Weak or unenforced username policy (OWASP-AT-009)| 4.4.5 Testing for Weak or unenforced username policy (OTG-IDENT-005)]] formerly "Testing for Weak or unenforced username policy (OWASP-AT-009)

[[Test Permissions of Guest/Training Accounts (OTG-IDENT-006)|4.4.6 Test Permissions of Guest/Training Accounts (OTG-IDENT-006)]] New

[[Test Account Suspension/Resumption Process (OTG-IDENT-007)|4.4.7 Test Account Suspension/Resumption Process (OTG-IDENT-007)]] New

[[Test User Deregistration Process (OTG-IDENT-008)|4.4.8 Test User Deregistration Process (OTG-IDENT-008)]] New

[[Test Account Deregistration Process (OTG-IDENT-009)|4.4.9 Test Account Deregistration Process (OTG-IDENT-009)]] New

[[Testing for authentication|'''4.5 Authentication Testing ''']]

[[Testing for Credentials Transported over an Encrypted Channel (OWASP-AT-001)|4.5.1 Testing for Credentials Transported over an Encrypted Channel (OTG-AUTHN-001)]] formerly "Testing for Credentials Transported over an Encrypted Channel (OWASP-AT-001)"

[[Testing for default credentials (OWASP-AT-003)|4.5.2 Testing for default credentials (OTG-AUTHN-002)]] formerly "Testing for default credentials (OWASP-AT-003)"

[[Testing for Weak lock out mechanism (OWASP-AT-004)|4.5.3 Testing for Weak lock out mechanism (OTG-AUTHN-003)]] formerly "Testing for Weak lock out mechanism (OWASP-AT-004)"

[[Testing for Bypassing Authentication Schema (OWASP-AT-005)|4.5.4 Testing for bypassing authentication schema (OTG-AUTHN-004)]] formerly "Testing for bypassing authentication schema (OWASP-AT-005)"

[[Testing for Vulnerable Remember Password (OWASP-AT-006)|4.5.5 Test remember password functionality (OTG-AUTHN-005)]] formerly "Testing for vulnerable remember password functionality (OWASP-AT-006)"

[[Testing for Browser cache weakness (OWASP-AT-007)|4.5.6 Testing for Browser cache weakness (OTG-AUTHN-006)]] formerly "Testing for Browser cache weakness (OWASP-AT-007)"

[[Testing for Weak password policy (OWASP-AT-008)|4.5.7 Testing for Weak password policy (OTG-AUTHN-007)]] formerly "Testing for Weak password policy (OWASP-AT-008)"

[[Testing for Weak security question/answer (OTG-AUTHN-008)|4.5.8 Testing for Weak security question/answer (OTG-AUTHN-008)]] New! - Robert Winkel

[[Testing for weak password change or reset functionalities (OWASP-AT-011)|4.5.9 Testing for weak password change or reset functionalities (OTG-AUTHN-009)]] formerly "Testing for weak password change or reset functionalities (OWASP-AT-011)"

[[Testing for Weaker authentication in alternative channel (OTG-AUTHN-010)|4.5.10 Testing for Weaker authentication in alternative channel (OTG-AUTHN-010)]] (e.g. mobile app, IVR, help desk)

[[Testing for Authorization|'''4.6 Authorization Testing''']]

[[Test Management of Account Permissions (OTG-AUTHZ-001)|4.6.1 Test Management of Account Permissions (OTG-AUTHZ-001)]] New

[[Testing for Path Traversal (OWASP-AZ-001)|4.6.2 Testing Directory traversal/file include (OTG-AUTHZ-002)]] formerly "Testing Directory traversal/file include (OWASP-AZ-001)"

[[Testing for Bypassing Authorization Schema (OWASP-AZ-002)|4.6.3 Testing for bypassing authorization schema (OTG-AUTHZ-003)]] formerly "Testing for bypassing authorization schema (OWASP-AZ-002)"

[[Testing for Privilege escalation (OWASP-AZ-003)|4.6.4 Testing for Privilege Escalation (OTG-AUTHZ-004)]] formerly "Testing for Privilege Escalation (OWASP-AZ-003)"

[[Testing for Insecure Direct Object References (OWASP-AZ-004)|4.6.5 Testing for Insecure Direct Object References (OTG-AUTHZ-005)]] formerly "Testing for Insecure Direct Object References (OWASP-AZ-004)"

[[Testing for Failure to Restrict access to authorized resource (OWASP-AZ-005)|4.6.6 Testing for Failure to Restrict access to authorized resource (OTG-AUTHZ-006)]] formerly "Testing for Failure to Restrict access to authorized resource (OWASP-AZ-005)"

[[Test privileges of server components (OTG-AUTHZ-007)|4.6.7 Test privileges of server components (OTG-AUTHZ-007)]] (e.g. indexing service, reporting interface, file generator)

[[Test enforcement of application entry points (OTG-AUTHZ-008)|4.6.8 Test enforcement of application entry points (OTG-AUTHZ-008)]] (including exposure of objects)

[[Testing for failure to restrict access to authenticated resource(OWASP-AT-010)|4.6.9 Testing for failure to restrict access to authenticated resource (OTG-AUTHZ-009)]] formerly "Testing for failure to restrict access to authenticated resource (OWASP-AT-010)"

[[Testing for Session Management|'''4.7 Session Management Testing''']]

[[Testing for Session_Management_Schema (OWASP-SM-001)|4.7.1 Testing for Bypassing Session Management Schema (OTG-SESS-001)]] formerly "Testing for Bypassing Session Management Schema (OWASP-SM-001)"

[[Testing for cookies attributes (OWASP-SM-002)|4.7.2 Testing for Cookies attributes (OTG-SESS-002)]] formerly "Testing for Cookies attributes (OWASP-SM-002)" (Cookies are set not ‘HTTP Only’, ‘Secure’, and no time validity)

[[Testing for Session Fixation (OWASP-SM-003)|4.7.3 Testing for Session Fixation (OTG-SESS-003)]] formerly "Testing for Session Fixation (OWASP-SM-003)"

[[Testing for Exposed Session Variables (OWASP-SM-004)|4.7.4 Testing for Exposed Session Variables (OTG-SESS-004)]] formerly "Testing for Exposed Session Variables (OWASP-SM-004)"

[[Testing for CSRF (OWASP-SM-005)|4.7.5 Testing for Cross Site Request Forgery (CSRF) (OTG-SESS-005)]] formerly "Testing for Cross Site Request Forgery (CSRF) (OWASP-SM-005)"

[[Test Session Token Strength (OTG-SESS-006)|4.7.6 Test Session Token Strength (OTG-SESS-006)]]

[[Testing for logout functionality (OWASP-SM-007)|4.7.7 Testing for logout functionality (OTG-SESS-007)]] formerly "Testing for logout functionality (OWASP-SM-007)"

[[Testing for Session puzzling (OWASP-SM-008)|4.7.8 Testing for Session puzzling (OWASP-SM-008)]]

[[Test Session Timeout (OTG-SESS-008)|4.7.8 Test Session Timeout (OTG-SESS-008)]]

[[Test multiple concurrent sessions (OTG-SESS-009)|4.7.9 Test multiple concurrent sessions (OTG-SESS-009)]]

[[Testing for Data Validation|'''4.8 Data Validation Testing''']]

[[Testing for Reflected Cross site scripting (OWASP-DV-001) |4.8.1 Testing for Reflected Cross Site Scripting (OTG-INPVAL-001)]] formerly "Testing for Reflected Cross Site Scripting (OWASP-DV-001)"

[[Testing for Stored Cross site scripting (OWASP-DV-002) |4.8.2 Testing for Stored Cross Site Scripting (OTG-INPVAL-002)]] formerly "Testing for Stored Cross Site Scripting (OWASP-DV-002)"

[[Testing for HTTP Verb Tampering (OWASP-DV-003)|4.8.3 Testing for HTTP Verb Tampering (OTG-INPVAL-003)]] formerly "Testing for HTTP Verb Tampering (OWASP-DV-003)"

[[Testing for HTTP Parameter pollution (OWASP-DV-004)|4.8.4 Testing for HTTP Parameter pollution (OTG-INPVAL-004) ]] formerly "Testing for HTTP Parameter pollution (OWASP-DV-004)"

[[Testing for Unvalidated Redirects and Forwards (OWASP-DV-004)|4.8.5 Testing for Unvalidated Redirects and Forwards (OTG-INPVAL-005) ]] formerly "Testing for Unvalidated Redirects and Forwards (OWASP-DV-004)"

[[Testing for SQL Injection (OWASP-DV-005)| 4.8.6 Testing for SQL Injection (OTG-INPVAL-006)]] formerly "Testing for SQL Injection (OWASP-DV-005)" '''Ready to be reviewed'''

[[Testing for Oracle|4.8.6.1 Oracle Testing]]

[[Testing for MySQL|4.8.6.2 MySQL Testing [Ismael Gonçalves]]]

[[Testing for SQL Server|4.8.6.3 SQL Server Testing]]

[[OWASP_Backend_Security_Project_Testing_PostgreSQL|4.8.6.4 Testing PostgreSQL (from OWASP BSP) ]]

[[Testing for MS Access |4.8.6.5 MS Access Testing]]

[[Testing for NoSQL injection|4.8.6.6 Testing for NoSQL injection [New!]]]

[[Testing for LDAP Injection (OWASP-DV-006)|4.8.7 Testing for LDAP Injection (OTG-INPVAL-007)]] formerly "Testing for LDAP Injection (OWASP-DV-006)"

[[Testing for ORM Injection (OWASP-DV-007)|4.8.8 Testing for ORM Injection (OTG-INPVAL-008)]] formerly "Testing for ORM Injection (OWASP-DV-007)"

[[Testing for XML Injection (OWASP-DV-008)|4.8.9 Testing for XML Injection (OTG-INPVAL-009)]] formerly "Testing for XML Injection (OWASP-DV-008)"

[[Testing for SSI Injection (OWASP-DV-009)|4.8.10 Testing for SSI Injection (OTG-INPVAL-010)]] formerly "Testing for SSI Injection (OWASP-DV-009)"

[[Testing for XPath Injection (OWASP-DV-010)|4.8.11 Testing for XPath Injection (OTG-INPVAL-011)]] formerly "Testing for XPath Injection (OWASP-DV-010)"

[[Testing for IMAP/SMTP Injection (OWASP-DV-011)|4.8.12 IMAP/SMTP Injection (OTG-INPVAL-012)]] formerly "IMAP/SMTP Injection (OWASP-DV-011)"

[[Testing for Code Injection (OWASP-DV-012)|4.8.13 Testing for Code Injection (OTG-INPVAL-013)]] formerly "Testing for Code Injection (OWASP-DV-012)"

[[Testing for Local File Inclusion|4.8.13.1 Testing for Local File Inclusion]] [Alexander Antukh]

[[Testing for Remote File Inclusion|4.8.13.2 Testing for Remote File Inclusion]] [Alexander Antukh]

[[Testing for Command Injection (OWASP-DV-013)|4.8.14 Testing for Command Injection (OTG-INPVAL-014)]] formerly "Testing for Command Injection (OWASP-DV-013)"

[[Testing for Buffer Overflow (OWASP-DV-014)|4.8.15 Testing for Buffer overflow (OTG-INPVAL-015)]] formerly "Testing for Buffer overflow (OWASP-DV-014)"

[[Testing for Heap Overflow|4.8.15.1 Testing for Heap overflow]]

[[Testing for Stack Overflow|4.8.15.2 Testing for Stack overflow]]

[[Testing for Format String|4.8.15.3 Testing for Format string]]

[[Testing for Incubated Vulnerability (OWASP-DV-015)|4.8.16 Testing for incubated vulnerabilities (OTG-INPVAL-016)]] formerly "Testing for incubated vulnerabilities (OWASP-DV-015)"

[[Testing for HTTP Splitting/Smuggling (OWASP-DV-016)|4.8.17 Testing for HTTP Splitting/Smuggling (OTG-INPVAL-017) ]] formerly "Testing for HTTP Splitting/Smuggling (OWASP-DV-016)" [Juan Galiana]

[[Error Handling|'''4.9 Error Handling''']]

[[Testing for Error Code (OWASP-IG-006)|4.9.1 Analysis of Error Codes (OTG-ERR-001)]] formerly "Analysis of Error Codes (OWASP-IG-006)"

[[Testing for Stack Traces (OWASP-IG-XXX)|4.9.2 Analysis of Stack Traces (OTG-ERR-002)]] formerly "Analysis of Stack Traces"

[[Cryptography|'''4.10 Cryptography''']]

[[Testing for Insecure encryption usage (OWASP-EN-001)| 4.10.1 Testing for Insecure encryption usage (OTG-CRYPST-001)]] formerly "Testing for Insecure encryption usage (OWASP-EN-001)"

[[Testing for Weak SSL/TSL Ciphers, Insufficient Transport Layer Protection (OWASP-EN-002)| 4.10.2 Testing for Weak SSL/TSL Ciphers, Insufficient Transport Layer Protection (OTG-CRYPST-002)]] formerly "Testing for Weak SSL/TSL Ciphers, Insufficient Transport Layer Protection (OWASP-EN-002)"

[[Testing for Padding Oracle (OWASP-EN-003)| 4.10.3 Testing for Padding Oracle (OTG-CRYPST-003)]] formerly "Testing for Padding Oracle (OWASP-EN-003)"

[[Testing for Cacheable HTTPS Response (OTG-CRYPST-004)| 4.10.4 Testing for Cacheable HTTPS Response (OTG-CRYPST-004)]]

[[Test Cache Directives (OTG-CRYPST-005)|4.10.5 Test Cache Directives (OTG-CRYPST-005)]]

[[Testing for Insecure Cryptographic Storage (OTG-CRYPST-006)|4.10.6 Testing for Insecure Cryptographic Storage (OTG-CRYPST-006)]]

[[Testing for Sensitive information sent via unencrypted channels (OTG-CRYPST-007)|4.10.7 Testing for Sensitive information sent via unencrypted channels (OTG-CRYPST-007)]]

[[Test Cryptographic Key Management (OTG-CRYPST-008)|4.10.8 Test Cryptographic Key Management (OTG-CRYPST-008)]]

[[Logging|'''4.11 Logging''']] Not convinced Logging should be included as it requires access to logs to test

[[Test time synchronisation (OTG-LOG-001)|4.11.1 Test time synchronisation (OTG-LOG-001) ]] formerly "Incorrect time"

[[Test user-viewable log of authentication events (OTG-LOG-002)|4.11.2 Test user-viewable log of authentication events (OTG-LOG-002)]]

[[Testing for business logic (OWASP-BL-001)|'''4.12 Business Logic Testing (OWASP-BL-001)''']] [To review--> David Fern]
Business Logic 

[[Test business logic data validation (OTG-BUSLOGIC-001)|4.12.1 Test business logic data validation (OTG-BUSLOGIC-001)]] [New!] NOTE MAT: to discuss this section

[[Test Ability to forge requests (OTG-BUSLOGIC-002)|4.12.2 Test Ability to forge requests (OTG-BUSLOGIC-002)]] [New!]

[[Test integrity checks (OTG-BUSLOGIC-003)|4.12.3 Test integrity checks (OTG-BUSLOGIC-003)]] (e.g. overwriting updates) [New!]

[[Test tamper evidence (OTG-BUSLOGIC-004)|4.12.4 Test tamper evidence (OTG-BUSLOGIC-004)]] [New!]

[[Test excessive rate (speed) of use limits (OTG-BUSLOGIC-005)|4.12.5 Test excessive rate (speed) of use limits (OTG-BUSLOGIC-005)]] [New!]

[[Test size of request limits (OTG-BUSLOGIC-006)|4.12.6 Test size of request limits (OTG-BUSLOGIC-006)]] [New!]

[[Test number of times a function can be used limits (OTG-BUSLOGIC-007)|4.12.7 Test number of times a function can be used limits (OTG-BUSLOGIC-002)]] [New!]

[[Test bypass of correct sequence (OTG-BUSLOGIC-008)|4.12.8 Test bypass of correct sequence (OTG-BUSLOGIC-008)]] [New!]

[[Test self-hosted payment cardholder data processing (OTG-BUSLOGIC-009)|4.12.9 Test self-hosted payment cardholder data processing (OTG-BUSLOGIC-009)]] [New!]

[[Test security incident reporting information (OTG-BUSLOGIC-010)|4.12.10 Test security incident reporting information (OTG-BUSLOGIC-010)]] [New!]

[[Test defenses against application mis-use (OTG-BUSLOGIC-011)|4.12.11 Test defenses against application mis-use (OTG-BUSLOGIC-011)]] [New!]

[[Denial of Service|'''4.13 Denial of Service''']]

[[Test Regular expression DoS (OTG-DOS-001)| 4.13.1 Test Regular expression DoS (OTG-DOS-001)]] [New!] note: to understand better 

[[Test XML DoS (OTG-DOS-002)| 4.13.2 Test XML DoS (OTG-DOS-002)]] [New! - Andrew Muller]

[[Testing for Captcha (OWASP-AT-012)|4.13.3 Testing for CAPTCHA (OTG-DOS-003)]] formerly "Testing for CAPTCHA (OWASP-AT-012)"

[[Web Service (XML Interpreter)|'''4.14 Web Service Testing''']] [Tom Eston]

[[Scoping a Web Service Test (OWASP-WS-001)|4.14.1 Scoping a Web Service Test (OTG-WEBSVC-001)]] formerly "Scoping a Web Service Test (OWASP-WS-001)"

[[WS Information Gathering (OWASP-WS-002)|4.14.2 WS Information Gathering (OTG-WEBSVC-002)]] formerly "WS Information Gathering (OWASP-WS-002)"

[[WS Authentication Testing (OWASP-WS-003)|4.14.3 WS Authentication Testing (OTG-WEBSVC-003)]] formerly "WS Authentication Testing (OWASP-WS-003)"

[[WS Management Interface Testing (OWASP-WS-004)|4.14.4 WS Management Interface Testing (OTG-WEBSVC-004)]] formerly "WS Management Interface Testing (OWASP-WS-004)"

[[Weak XML Structure Testing (OWASP-WS-005)|4.14.5 Weak XML Structure Testing (OTG-WEBSVC-005)]] formerly "Weak XML Structure Testing (OWASP-WS-005)"

[[XML Content-Level Testing (OWASP-WS-006)|4.14.6 XML Content-Level Testing (OTG-WEBSVC-006)]] formerly "XML Content-Level Testing (OWASP-WS-006)"

[[WS HTTP GET Parameters/REST Testing (OWASP-WS-007)|4.14.7 WS HTTP GET Parameters/REST Testing (OTG-WEBSVC-007)]] formerly "WS HTTP GET Parameters/REST Testing (OWASP-WS-007)"

[[WS Naughty SOAP Attachment Testing (OWASP-WS-008)|4.14.8 WS Naughty SOAP Attachment Testing (OTG-WEBSVC-008)]] formerly "WS Naughty SOAP Attachment Testing (OWASP-WS-008)"

[[WS Replay/MiTM Testing (OWASP-WS-009)|4.14.9 WS Replay/MiTM Testing (OTG-WEBSVC-009)]] formerly "WS Replay/MiTM Testing (OWASP-WS-009)"

[[WS BEPL Testing (OWASP-WS-010)|4.14.10 WS BEPL Testing (OTG-WEBSVC-010)]] formerly "WS BEPL Testing (OWASP-WS-010)"

[[Client Side Testing|'''4.15 Client Side Testing''']] [New!]

[[Testing for DOM-based Cross site scripting (OWASP-DV-003)|4.15.1 Testing for DOM based Cross Site Scripting (OTG-CLIENT-001)]] formerly "Testing for DOM based Cross Site Scripting (OWASP-CS-001)" [Stefano Di Paola]

[[Testing Cross Origin Resource Sharing (OWASP CS-002)|4.15.2 Testing Cross Origin Resource Sharing (OTG-CLIENT-002)]] formerly "Testing for HTML5 (OWASP CS-002)" [Juan Galiana]

[[Testing for Cross site flashing (OWASP-DV-004)|4.15.3 Testing for Cross Site Flashing (OTG-CLIENT-003)]] formerly "Testing for Cross Site Flashing (OWASP-CS-003)"

[[Testing for Clickjacking (OWASP-CS-004)|4.15.4 Testing for Clickjacking (OTG-CLIENT-004)]] formerly "Testing for Clickjacking (OWASP-CS-004)" [Davide Danelon]

[[Testing WebSockets (OTG-CLIENT-005)|4.15.5 Testing WebSockets (OTG-CLIENT-005)]] [Ryan Dewhurst]

[[Testing Web Messaging (OWASP CS-006)|4.15.6 Testing Web Messaging (OTG-CLIENT-006)]] [Juan Galiana]

[[Testing Local Storage (OWASP CS-007)|4.15.7 Testing Local Storage (OTG-CLIENT-007)]] [Juan Galiana]

[[Testing Sandboxed Iframes (OWASP CS-008)|4.15.8 Testing Sandboxed Iframes (OTG-CLIENT-008)]] [Juan Galiana]

==[[Writing Reports: value the real risk |5. Writing Reports: value the real risk ]]==

[[How to value the real risk |5.1 How to value the real risk]] [To review--> Amro AlOlaqi]

[[How to write the report of the testing |5.2 How to write the report of the testing]] [To review--> Amro AlOlaqi]

==[[Appendix A: Testing Tools |Appendix A: Testing Tools ]]==

* Black Box Testing Tools [To review--> Amro AlOlaqi] '''Ready to be reviewed'''

==[[OWASP Testing Guide Appendix B: Suggested Reading | Appendix B: Suggested Reading]]==
* Whitepapers [To review--> David Fern]
* Books [To review--> David Fern]
* Useful Websites [To review--> David Fern]

==[[OWASP Testing Guide Appendix C: Fuzz Vectors | Appendix C: Fuzz Vectors]]==

* Fuzz Categories [To review--> Amro AlOlaqi]

==[[OWASP Testing Guide Appendix D: Encoded Injection | Appendix D: Encoded Injection]]==

[To review--> Amro AlOlaqi]

----

[[Category:OWASP Testing Project]]

Map Application Architecture (OTG-INFO-010)

2013-09-27T17:43:52Z

Amro Ahmed: Created page with "{{Template:OWASP Testing Guide v4}} == Brief Summary == The intrinsic complexity of interconnected and heterogeneous web server infrastructure, which can count hundreds of we..."

{{Template:OWASP Testing Guide v4}}

== Brief Summary ==
The intrinsic complexity of interconnected and heterogeneous web server infrastructure, which can count hundreds of web applications, makes configuration management and review a fundamental step in testing and deploying every single application.
In fact it takes only a single vulnerability to undermine the security of the entire infrastructure, and even small and (almost) unimportant problems may evolve into severe risks for another application on the same server.
In order to address these problems, it is of utmost importance to perform an in-depth review of configuration and known security issues.

== Description of the Issue ==

Proper configuration management of the web server infrastructure is very important in order to preserve the security of the application itself. If elements such as the web server software, the back-end database servers, or the authentication servers are not properly reviewed and secured, they might introduce undesired risks or introduce new vulnerabilities that might compromise the application itself.

For example, a web server vulnerability that would allow a remote attacker to disclose the source code of the application itself (a vulnerability that has arisen a number of times in both web servers or application servers) could compromise the application, as anonymous users could use the information disclosed in the source code to leverage attacks against the application or its users.

In order to test the configuration management infrastructure, the following steps need to be taken:

* The different elements that make up the infrastructure need to be determined in order to understand how they interact with a web application and how they affect its security.
* All the elements of the infrastructure need to be reviewed in order to make sure that they don’t hold any known vulnerabilities.
* A review needs to be made of the administrative tools used to maintain all the different elements.
* The authentication systems, if any, need to reviewed in order to assure that they serve the needs of the application and that they cannot be manipulated by external users to leverage access.
* A list of defined ports which are required for the application should be maintained and kept under change control.

== Black Box Testing and examples==

===Review of the application architecture===

The application architecture needs to be reviewed through the test to determine what different components are used to build the web application. In small setups, such as a simple CGI-based application, a single server might be used that runs the web server which executes the C, Perl, or Shell CGIs application, and perhaps also the authentication mechanism. On more complex setups, such as an online bank system, multiple servers might be involved including: a reverse proxy, a front-end web server, an application server and a database server or LDAP server. Each of these servers will be used for different purposes and might be even be divided in different networks with firewalling devices between them, creating different DMZs so that access to the web server will not grant a remote user access to the authentication mechanism itself, and so that compromises of the different elements of the architecture can be isolated in a way such that they will not compromise the whole architecture.

Getting knowledge of the application architecture can be easy if this information is provided to the testing team by the application developers in document form or through interviews, but can also prove to be very difficult if doing a blind penetration test.

In the latter case, a tester will first start with the assumption that there is a simple setup (a single server) and will, through the information retrieved from other tests, derive the different elements and question this assumption that the architecture will be extended. The tester will start by asking simple questions such as: “Is there a firewalling system protecting the web server?” which will be answered based on the results of network scans targeted at the web server and the analysis of whether the network ports of the web server are being filtered in the network edge (no answer or ICMP unreachables are received) or if the server is directly connected to the Internet (i.e. returns RST packets for all non-listening ports). This analysis can be enhanced in order to determine the type of firewall system used based on network packet tests: is it a stateful firewall or is it an access list filter on a router? How is it configured? Can it be bypassed?

Detecting a reverse proxy in front of the web server needs to be done by the analysis of the web server banner, which might directly disclose the existence of a reverse proxy (for example, if ‘WebSEAL’[1] is returned). It can also be determined by obtaining the answers given by the web server to requests and comparing them to the expected answers. For example, some reverse proxies act as “intrusion prevention systems” (or web-shields) by blocking known attacks targeted at the web server. If the web server is known to answer with a 404 message to a request which targets an unavailable page and returns a different error message for some common web attacks like those done by CGI scanners, it might be an indication of a reverse proxy (or an application-level firewall) which is filtering the requests and returning a different error page than the one expected. Another example: if the web server returns a set of available HTTP methods (including TRACE) but the expected methods return errors then there is probably something in between, blocking them. In some cases, even the protection system gives itself away:

<pre>
GET /web-console/ServerInfo.jsp%00 HTTP/1.0

HTTP/1.0 200
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 83

<TITLE>Error</TITLE>
<BODY>
<H1>Error</H1>
FW-1 at XXXXXX: Access denied.</BODY>
</pre>

'''Example of the security server of Check Point Firewall-1 NG AI “protecting” a web server'''

Reverse proxies can also be introduced as proxy-caches to accelerate the performance of back-end application servers. Detecting these proxies can be done based, again, on the server header or by timing requests that should be cached by the server and comparing the time taken to server the first request with subsequent requests.

Another element that can be detected: network load balancers. Typically, these systems will balance a given TCP/IP port to multiple servers based on different algorithms (round-robin, web server load, number of requests, etc.). Thus, the detection of this architecture element needs to be done by examining multiple requests and comparing results in order to determine if the requests are going to the same or different web servers. For example, based on the Date: header if the server clocks are not synchronized. In some cases, the network load balance process might inject new information in the headers that will make it stand out distinctively, like the AlteonP cookie introduced by Nortel’s Alteon WebSystems load balancer.

Application web servers are usually easy to detect. The request for several resources is handled by the application server itself (not the web server) and the response header will vary significantly (including different or additional values in the answer header). Another way to detect these is to see if the web server tries to set cookies which are indicative of an application web server being used (such as the JSESSIONID provided by some J2EE servers), or to rewrite URLs automatically to do session tracking.

Authentication backends (such as LDAP directories, relational databases, or RADIUS servers) however, are not as easy to detect from an external point of view in an immediate way, since they will be hidden by the application itself.

The use of a database backend can be determined simply by navigating an application. If there is highly dynamic content generated “on the fly," it is probably being extracted from some sort of database by the application itself. Sometimes the way information is requested might give insight to the existence of a database back-end. For example, an online shopping application that uses numeric identifiers (‘id’) when browsing the different articles in the shop. However, when doing a blind application test, knowledge of the underlying database is usually only available when a vulnerability surfaces in the application, such as poor exception handling or susceptibility to SQL injection.

===Known server vulnerabilities===
Vulnerabilities found in the different elements that make up the application architecture, be it the web server or the database backend, can severely compromise the application itself. For example, consider a server vulnerability that allows a remote, unauthenticated user to upload files to the web server, or even to replace files. This vulnerability could compromise the application, since a rogue user may be able to replace the application itself or introduce code that would affect the backend servers, as its application code would be run just like any other application.

Reviewing server vulnerabilities can be hard to do if the test needs to be done through a blind penetration test. In these cases, vulnerabilities need to be tested from a remote site, typically using an automated tool; however, the testing of some vulnerabilities can have unpredictable results to the web server, and testing for others (like those directly involved in denial of service attacks) might not be possible due to the service downtime involved if the test was successful. Also, some automated tools will flag vulnerabilities based on the web server version retrieved. This leads to both false positives and false negatives: on one hand, if the web server version has been removed or obscured by the local site administrator, the scan tool will not flag the server as vulnerable even if it is; on the other hand, if the vendor providing the software does not update the web server version when vulnerabilities are fixed in it, the scan tool will flag vulnerabilities that do not exist. The latter case is actually very common in some operating system vendors that do backport patches of security vulnerabilities to the software they provide in the operating system but do not do a full upload to the latest software version. This happens in most GNU/Linux distributions such as Debian, Red Hat or SuSE. In most cases, vulnerability scanning of an application architecture will only find vulnerabilities associated with the “exposed” elements of the architecture (such as the web server) and will usually be unable to find vulnerabilities associated to elements which are not directly exposed, such as the authentication backends, the database backends, or reverse proxies in use.

Finally, not all software vendors disclose vulnerabilities in a public way, and therefore these weaknesses do not become registered within publicly known vulnerability databases[2]. This information is only disclosed to customers or published through fixes that do not have accompanying advisories. This reduces the usefulness of vulnerability scanning tools. Typically, vulnerability coverage of these tools will be very good for common products (such as the Apache web server, Microsoft’s Internet Information Server, or IBM’s Lotus Domino) but will be lacking for lesser known products.

This is why reviewing vulnerabilities is best done when the tester is provided with internal information of the software used, including versions and releases used and patches applied to the software. With this information, the tester can retrieve the information from the vendor itself and analyze what vulnerabilities might be present in the architecture and how they can affect the application itself. When possible, these vulnerabilities can be tested in order to determine their real effects and to detect if there might be any external elements (such as intrusion detection or prevention systems) that might reduce or negate the possibility of successful exploitation. Testers might even determine, through a configuration review, that the vulnerability is not even present, since it affects a software component that is not in use.

It is also worthwhile to note that vendors will sometimes silently fix vulnerabilities and make the fixes available with new software releases. Different vendors will have different release cycles that determine the support they might provide for older releases. A tester with detailed information of the software versions used by the architecture can analyse the risk associated to the use of old software releases that might be unsupported in the short term or are already unsupported. This is critical, since if a vulnerability were to surface in an old software version that is no longer supported, the systems personnel might not be directly aware of it. No patches will be ever made available for it and advisories might not list that version as vulnerable (as it is unsupported). Even in the event that they are aware that the vulnerability is present and the system is, indeed, vulnerable, they will need to do a full upgrade to a new software release, which might introduce significant downtime in the application architecture or might force the application to be recoded due to incompatibilities with the latest software version.

===Administrative tools===

Any web server infrastructure requires the existence of administrative tools to maintain and update the information used by the application: static content (web pages, graphic files), application source code, user authentication databases, etc. Depending on the site, technology, or software used, administrative tools will differ. For example, some web servers will be managed using administrative interfaces which are, themselves, web servers (such as the iPlanet web server) or will be administrated by plain text configuration files (in the Apache case[3]) or use operating-system GUI tools (when using Microsoft’s IIS server or ASP.Net). In most cases, however, the server configuration will be handled using different file maintenance tools used by the web server, which are managed through FTP servers, WebDAV, network file systems (NFS, CIFS) or other mechanisms. Obviously, the operating system of the elements that make up the application architecture will also be managed using other tools. Applications may also have administrative interfaces embedded in them that are used to manage the application data itself (users, content, etc.).

Review of the administrative interfaces used to manage the different parts of the architecture is very important, since if an attacker gains access to any of them he can then compromise or damage the application architecture. Thus it is important to:

* List all the possible administrative interfaces.
* Determine if administrative interfaces are available from an internal network or are also available from the Internet.
* If available from the Internet, determine the mechanisms that control access to these interfaces and their associated susceptibilities.
* Change the default user and password.

Some companies choose not to manage all aspects of their web server applications, but may have other parties managing the content delivered by the web application. This external company might either provide only parts of the content (news updates or promotions) or might manage the web server completely (including content and code). It is common to find administrative interfaces available from the Internet in these situations, since using the Internet is cheaper than providing a dedicated line that will connect the external company to the application infrastructure through a management-only interface. In this situation, it is very important to test if the administrative interfaces can be vulnerable to attacks.

==References==
* [1] WebSEAL, also known as Tivoli Authentication Manager, is a reverse proxy from IBM which is part of the Tivoli framework.
* [2] Such as Symantec’s Bugtraq, ISS’ X-Force, or NIST’s National Vulnerability Database (NVD).
* [3] There are some GUI-based administration tools for Apache (like NetLoony) but they are not in widespread use yet.

OWASP Testing Guide v4 Table of Contents

2013-09-27T17:41:52Z

Amro Ahmed:

{{OWASP Breakers}}
__NOTOC__

'''This is the DRAFT of the table of content of the New Testing Guide v4.''' 
 You can download the stable version v3 [http://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf here] 

Back to the OWASP Testing Guide Project:
http://www.owasp.org/index.php/OWASP_Testing_Project

'''Updated: 15th February 2013'''

[[ OWTGv4 Contributors list|'''Contributors List]]

----

The following is a DRAFT of the Toc based on the feedback already received.

== Table of Contents ==

==[[Testing Guide Foreword|Foreword by Eoin Keary]]==
[To review--> Eoin Keary -> Done!!]

==[[Testing Guide Frontispiece |1. Frontispiece]]==
[To review--> Mat]

'''[[Testing Guide Frontispiece|1.1 About the OWASP Testing Guide Project]]'''
[To review--> Mat]

'''[[About The Open Web Application Security Project|1.2 About The Open Web Application Security Project]]'''
[To review--> ]

==[[Testing Guide Introduction|2. Introduction]]==

'''2.1 The OWASP Testing Project'''

'''2.2 Principles of Testing'''

'''2.3 Testing Techniques Explained'''

2.4 [https://www.owasp.org/index.php/Testing_Guide_Introduction#Security_Requirements_Test_Derivation Security requirements test derivation],[https://www.owasp.org/index.php/Testing_Guide_Introduction#Functional_and_Non_Functional_Test_Requirements functional and non functional test requirements], and [https://www.owasp.org/index.php/Testing_Guide_Introduction#Test_Cases_Through_Use_and_Misuse_Cases test cases through use and misuse cases]

2.5 [https://www.owasp.org/index.php/Testing_Guide_Introduction#Security_Test_Data_Analysis_and_Reporting Security test data analysis and reporting: root cause identification and business/role case test data reporting]

==[[The OWASP Testing Framework|3. The OWASP Testing Framework]]==

'''3.1. Overview'''

'''3.2. Phase 1: Before Development Begins '''

'''3.3. Phase 2: During Definition and Design'''

'''3.4. Phase 3: During Development'''

'''3.5. Phase 4: During Deployment'''

'''3.6. Phase 5: Maintenance and Operations'''

'''3.7. A Typical SDLC Testing Workflow '''

==[[Web Application Penetration Testing |4. Web Application Penetration Testing ]]==

[[Testing: Introduction and objectives|'''4.1 Introduction and Objectives''']] [To review--> Mat]

[[Testing Checklist| 4.1.1 Testing Checklist]] [To review at the end of brainstorming --> Mat]

[[Testing Information Gathering|'''4.2 Information Gathering ''']]

[[Testing: Search engine discovery/reconnaissance (OWASP-IG-002)|4.2.1 Conduct Search Engine Discovery and Reconnaissance for Information Leakage (OTG-INFO-001) ]] formerly "Search Engine Discovery/Reconnaissance (OWASP-IG-002)"

[[Fingerprint Web Server (OTG-INFO-002)|4.2.2 Fingerprint Web Server (OTG-INFO-002) ]] formerly "Testing for Web Application Fingerprint (OWASP-IG-004)"

[[Testing: Spiders, Robots, and Crawlers (OWASP-IG-001)|4.2.3 Review Webserver Metafiles for Information Leakage (OTG-INFO-003) ]] formerly "Spiders, Robots and Crawlers (OWASP-IG-001)"

[[Testing for Application Discovery (OWASP-IG-005)|4.2.4 Enumerate Applications on Webserver (OTG-INFO-004) ]] formerly "Application Discovery (OWASP-IG-005)"

[[Testing Review webpage comments and metadata(OWASP-IG-007)|4.2.5 Review Webpage Comments and Metadata for Information Leakage (OTG-INFO-005) ]] formerly "Review webpage comments and metadata(OWASP-IG-007)"

[[Testing: Identify application entry points (OWASP-IG-003)|4.2.6 Identify application entry points (OTG-INFO-006) ]] formerly "Identify application entry points (OWASP-IG-003)"

[[Testing Identify application exit/handover points (OWASP-IG-008)|4.2.7 Identify application exit/handover points (OTG-INFO-007) ]] formerly "Identify application exit/handover points (OWASP-IG-008)"

[[Testing Map execution paths through application (OWASP-IG-009)|4.2.8 Map execution paths through application (OTG-INFO-008)]] formerly "Map execution paths through application (OWASP-IG-009)"

[[Fingerprint Web Application Framework (OTG-INFO-009)|4.2.9 Fingerprint Web Application Framework (OTG-INFO-009) ]] formerly "Testing for Web Application Fingerprint (OWASP-IG-010)" '''Ready to be reviewed'''

[[Testing for Web Application (OTG-INFO-011)|4.2.10 Fingerprint Web Application (OTG-INFO-010) ]] formerly "Testing for Web Application Fingerprint (OWASP-IG-010)" '''Ready to be reviewed'''

[[Map Network and Application Architecture (OTG-INFO-012)|4.2.11 Map Network and Application Architecture (OTG-INFO-011) ]] formerly "Testing for Infrastructure Configuration Management Testing weakness (OWASP-CM-001)"

[[Testing for configuration management|'''4.3 Configuration and Deploy Management Testing ''']]

[[Testing for infrastructure configuration management (OWASP-CM-003)|4.3.1 Test Network/Infrastructure Configuration (OTG-CONFIG-001) ]] formerly "Testing for Infrastructure Configuration Management Testing weakness (OWASP-CM-001)"

[[Testing for application configuration management (OWASP-CM-004)|4.3.2 Test Application Platform Configuration (OTG-CONFIG-002) ]] formerly "Testing for Application Configuration Management weakness (OWASP-CM-002)"

[[Testing for file extensions handling (OWASP-CM-005)|4.3.3 Test File Extensions Handling for Sensitive Information (OTG-CONFIG-003) ]] formerly "Testing for File Extensions Handling (OWASP-CM-003)"

[[Testing for Old, Backup and Unreferenced Files (OWASP-CM-006)|4.3.4 Review Old, Backup and Unreferenced Files for Sensitive Information (OTG-CONFIG-004) ]] formerly "Old, Backup and Unreferenced Files (OWASP-CM-004)"

[[Testing for Admin Interfaces (OWASP-CM-007)|4.3.5 Enumerate Infrastructure and Application Admin Interfaces (OTG-CONFIG-005) ]] formerly "Infrastructure and Application Admin Interfaces (OWASP-CM-005)"

[[Testing for HTTP Methods and XST (OWASP-CM-008)|4.3.6 Test HTTP Methods (OTG-CONFIG-006) ]] formerly "Testing for Bad HTTP Methods (OWASP-CM-006)"

[[Testing for Database credentials/connection strings available|4.3.7 Testing for Database credentials/connection strings available (OTG-CONFIG-007) ]] formerly "Testing for Database credentials/connection strings available (OWASP-CM-007)"

[[Testing for Content Security Policy weakness|4.3.8 Test Content Security Policy (OTG-CONFIG-008) ]] formerly "Testing for Content Security Policy weakness (OWASP-CM-008)"

[[Testing for Missing HSTS header|4.3.9 Test HTTP Strict Transport Security (OTG-CONFIG-009) ]] formerly "Testing for Missing HSTS header (OWASP-CM-009)"

[[Testing for Frame Options|4.3.10 Test Frame Options (OTG-CONFIG-010) ]]

[[Testing for RIA policy files weakness|4.3.11 Test RIA cross domain policy (OTG-CONFIG-011) ]] formerly "Testing for RIA policy files weakness (OWASP-CM-010)"

[[Testing for Content Type Options|4.3.12 Test Content Type Options (OTG-CONFIG-012) ]] new

[[Testing Identity Management|'''4.4 Identity Management Testing''']]

[[Test Role Definitions (OTG-IDENT-001)|4.4.1 Test Role Definitions (OTG-IDENT-001)]] New

[[Test User Registration Process (OTG-IDENT-002)|4.4.2 Test User Registration Process (OTG-IDENT-002)]] New

[[Test Account Provisioning Process (OTG-IDENT-003)|4.4.3 Test Account Provisioning Process (OTG-IDENT-003)]] New

[[Testing for Account Enumeration and Guessable User Account (OWASP-AT-002)|4.4.4 Testing for Account Enumeration and Guessable User Account (OTG-IDENT-004) ]] formerly "Testing for Account Enumeration and Guessable User Account (OWASP-AT-002)"

[[Testing for Weak or unenforced username policy (OWASP-AT-009)| 4.4.5 Testing for Weak or unenforced username policy (OTG-IDENT-005)]] formerly "Testing for Weak or unenforced username policy (OWASP-AT-009)

[[Test Permissions of Guest/Training Accounts (OTG-IDENT-006)|4.4.6 Test Permissions of Guest/Training Accounts (OTG-IDENT-006)]] New

[[Test Account Suspension/Resumption Process (OTG-IDENT-007)|4.4.7 Test Account Suspension/Resumption Process (OTG-IDENT-007)]] New

[[Test User Deregistration Process (OTG-IDENT-008)|4.4.8 Test User Deregistration Process (OTG-IDENT-008)]] New

[[Test Account Deregistration Process (OTG-IDENT-009)|4.4.9 Test Account Deregistration Process (OTG-IDENT-009)]] New

[[Testing for authentication|'''4.5 Authentication Testing ''']]

[[Testing for Credentials Transported over an Encrypted Channel (OWASP-AT-001)|4.5.1 Testing for Credentials Transported over an Encrypted Channel (OTG-AUTHN-001)]] formerly "Testing for Credentials Transported over an Encrypted Channel (OWASP-AT-001)"

[[Testing for default credentials (OWASP-AT-003)|4.5.2 Testing for default credentials (OTG-AUTHN-002)]] formerly "Testing for default credentials (OWASP-AT-003)"

[[Testing for Weak lock out mechanism (OWASP-AT-004)|4.5.3 Testing for Weak lock out mechanism (OTG-AUTHN-003)]] formerly "Testing for Weak lock out mechanism (OWASP-AT-004)"

[[Testing for Bypassing Authentication Schema (OWASP-AT-005)|4.5.4 Testing for bypassing authentication schema (OTG-AUTHN-004)]] formerly "Testing for bypassing authentication schema (OWASP-AT-005)"

[[Testing for Vulnerable Remember Password (OWASP-AT-006)|4.5.5 Test remember password functionality (OTG-AUTHN-005)]] formerly "Testing for vulnerable remember password functionality (OWASP-AT-006)"

[[Testing for Browser cache weakness (OWASP-AT-007)|4.5.6 Testing for Browser cache weakness (OTG-AUTHN-006)]] formerly "Testing for Browser cache weakness (OWASP-AT-007)"

[[Testing for Weak password policy (OWASP-AT-008)|4.5.7 Testing for Weak password policy (OTG-AUTHN-007)]] formerly "Testing for Weak password policy (OWASP-AT-008)"

[[Testing for Weak security question/answer (OTG-AUTHN-008)|4.5.8 Testing for Weak security question/answer (OTG-AUTHN-008)]] New! - Robert Winkel

[[Testing for weak password change or reset functionalities (OWASP-AT-011)|4.5.9 Testing for weak password change or reset functionalities (OTG-AUTHN-009)]] formerly "Testing for weak password change or reset functionalities (OWASP-AT-011)"

[[Testing for Weaker authentication in alternative channel (OTG-AUTHN-010)|4.5.10 Testing for Weaker authentication in alternative channel (OTG-AUTHN-010)]] (e.g. mobile app, IVR, help desk)

[[Testing for Authorization|'''4.6 Authorization Testing''']]

[[Test Management of Account Permissions (OTG-AUTHZ-001)|4.6.1 Test Management of Account Permissions (OTG-AUTHZ-001)]] New

[[Testing for Path Traversal (OWASP-AZ-001)|4.6.2 Testing Directory traversal/file include (OTG-AUTHZ-002)]] formerly "Testing Directory traversal/file include (OWASP-AZ-001)"

[[Testing for Bypassing Authorization Schema (OWASP-AZ-002)|4.6.3 Testing for bypassing authorization schema (OTG-AUTHZ-003)]] formerly "Testing for bypassing authorization schema (OWASP-AZ-002)"

[[Testing for Privilege escalation (OWASP-AZ-003)|4.6.4 Testing for Privilege Escalation (OTG-AUTHZ-004)]] formerly "Testing for Privilege Escalation (OWASP-AZ-003)"

[[Testing for Insecure Direct Object References (OWASP-AZ-004)|4.6.5 Testing for Insecure Direct Object References (OTG-AUTHZ-005)]] formerly "Testing for Insecure Direct Object References (OWASP-AZ-004)"

[[Testing for Failure to Restrict access to authorized resource (OWASP-AZ-005)|4.6.6 Testing for Failure to Restrict access to authorized resource (OTG-AUTHZ-006)]] formerly "Testing for Failure to Restrict access to authorized resource (OWASP-AZ-005)"

[[Test privileges of server components (OTG-AUTHZ-007)|4.6.7 Test privileges of server components (OTG-AUTHZ-007)]] (e.g. indexing service, reporting interface, file generator)

[[Test enforcement of application entry points (OTG-AUTHZ-008)|4.6.8 Test enforcement of application entry points (OTG-AUTHZ-008)]] (including exposure of objects)

[[Testing for failure to restrict access to authenticated resource(OWASP-AT-010)|4.6.9 Testing for failure to restrict access to authenticated resource (OTG-AUTHZ-009)]] formerly "Testing for failure to restrict access to authenticated resource (OWASP-AT-010)"

[[Testing for Session Management|'''4.7 Session Management Testing''']]

[[Testing for Session_Management_Schema (OWASP-SM-001)|4.7.1 Testing for Bypassing Session Management Schema (OTG-SESS-001)]] formerly "Testing for Bypassing Session Management Schema (OWASP-SM-001)"

[[Testing for cookies attributes (OWASP-SM-002)|4.7.2 Testing for Cookies attributes (OTG-SESS-002)]] formerly "Testing for Cookies attributes (OWASP-SM-002)" (Cookies are set not ‘HTTP Only’, ‘Secure’, and no time validity)

[[Testing for Session Fixation (OWASP-SM-003)|4.7.3 Testing for Session Fixation (OTG-SESS-003)]] formerly "Testing for Session Fixation (OWASP-SM-003)"

[[Testing for Exposed Session Variables (OWASP-SM-004)|4.7.4 Testing for Exposed Session Variables (OTG-SESS-004)]] formerly "Testing for Exposed Session Variables (OWASP-SM-004)"

[[Testing for CSRF (OWASP-SM-005)|4.7.5 Testing for Cross Site Request Forgery (CSRF) (OTG-SESS-005)]] formerly "Testing for Cross Site Request Forgery (CSRF) (OWASP-SM-005)"

[[Test Session Token Strength (OTG-SESS-006)|4.7.6 Test Session Token Strength (OTG-SESS-006)]]

[[Testing for logout functionality (OWASP-SM-007)|4.7.7 Testing for logout functionality (OTG-SESS-007)]] formerly "Testing for logout functionality (OWASP-SM-007)"

[[Testing for Session puzzling (OWASP-SM-008)|4.7.8 Testing for Session puzzling (OWASP-SM-008)]]

[[Test Session Timeout (OTG-SESS-008)|4.7.8 Test Session Timeout (OTG-SESS-008)]]

[[Test multiple concurrent sessions (OTG-SESS-009)|4.7.9 Test multiple concurrent sessions (OTG-SESS-009)]]

[[Testing for Data Validation|'''4.8 Data Validation Testing''']]

[[Testing for Reflected Cross site scripting (OWASP-DV-001) |4.8.1 Testing for Reflected Cross Site Scripting (OTG-INPVAL-001)]] formerly "Testing for Reflected Cross Site Scripting (OWASP-DV-001)"

[[Testing for Stored Cross site scripting (OWASP-DV-002) |4.8.2 Testing for Stored Cross Site Scripting (OTG-INPVAL-002)]] formerly "Testing for Stored Cross Site Scripting (OWASP-DV-002)"

[[Testing for HTTP Verb Tampering (OWASP-DV-003)|4.8.3 Testing for HTTP Verb Tampering (OTG-INPVAL-003)]] formerly "Testing for HTTP Verb Tampering (OWASP-DV-003)"

[[Testing for HTTP Parameter pollution (OWASP-DV-004)|4.8.4 Testing for HTTP Parameter pollution (OTG-INPVAL-004) ]] formerly "Testing for HTTP Parameter pollution (OWASP-DV-004)"

[[Testing for Unvalidated Redirects and Forwards (OWASP-DV-004)|4.8.5 Testing for Unvalidated Redirects and Forwards (OTG-INPVAL-005) ]] formerly "Testing for Unvalidated Redirects and Forwards (OWASP-DV-004)"

[[Testing for SQL Injection (OWASP-DV-005)| 4.8.6 Testing for SQL Injection (OTG-INPVAL-006)]] formerly "Testing for SQL Injection (OWASP-DV-005)" '''Ready to be reviewed'''

[[Testing for Oracle|4.8.6.1 Oracle Testing]]

[[Testing for MySQL|4.8.6.2 MySQL Testing [Ismael Gonçalves]]]

[[Testing for SQL Server|4.8.6.3 SQL Server Testing]]

[[OWASP_Backend_Security_Project_Testing_PostgreSQL|4.8.6.4 Testing PostgreSQL (from OWASP BSP) ]]

[[Testing for MS Access |4.8.6.5 MS Access Testing]]

[[Testing for NoSQL injection|4.8.6.6 Testing for NoSQL injection [New!]]]

[[Testing for LDAP Injection (OWASP-DV-006)|4.8.7 Testing for LDAP Injection (OTG-INPVAL-007)]] formerly "Testing for LDAP Injection (OWASP-DV-006)"

[[Testing for ORM Injection (OWASP-DV-007)|4.8.8 Testing for ORM Injection (OTG-INPVAL-008)]] formerly "Testing for ORM Injection (OWASP-DV-007)"

[[Testing for XML Injection (OWASP-DV-008)|4.8.9 Testing for XML Injection (OTG-INPVAL-009)]] formerly "Testing for XML Injection (OWASP-DV-008)"

[[Testing for SSI Injection (OWASP-DV-009)|4.8.10 Testing for SSI Injection (OTG-INPVAL-010)]] formerly "Testing for SSI Injection (OWASP-DV-009)"

[[Testing for XPath Injection (OWASP-DV-010)|4.8.11 Testing for XPath Injection (OTG-INPVAL-011)]] formerly "Testing for XPath Injection (OWASP-DV-010)"

[[Testing for IMAP/SMTP Injection (OWASP-DV-011)|4.8.12 IMAP/SMTP Injection (OTG-INPVAL-012)]] formerly "IMAP/SMTP Injection (OWASP-DV-011)"

[[Testing for Code Injection (OWASP-DV-012)|4.8.13 Testing for Code Injection (OTG-INPVAL-013)]] formerly "Testing for Code Injection (OWASP-DV-012)"

[[Testing for Local File Inclusion|4.8.13.1 Testing for Local File Inclusion]] [Alexander Antukh]

[[Testing for Remote File Inclusion|4.8.13.2 Testing for Remote File Inclusion]] [Alexander Antukh]

[[Testing for Command Injection (OWASP-DV-013)|4.8.14 Testing for Command Injection (OTG-INPVAL-014)]] formerly "Testing for Command Injection (OWASP-DV-013)"

[[Testing for Buffer Overflow (OWASP-DV-014)|4.8.15 Testing for Buffer overflow (OTG-INPVAL-015)]] formerly "Testing for Buffer overflow (OWASP-DV-014)"

[[Testing for Heap Overflow|4.8.15.1 Testing for Heap overflow]]

[[Testing for Stack Overflow|4.8.15.2 Testing for Stack overflow]]

[[Testing for Format String|4.8.15.3 Testing for Format string]]

[[Testing for Incubated Vulnerability (OWASP-DV-015)|4.8.16 Testing for incubated vulnerabilities (OTG-INPVAL-016)]] formerly "Testing for incubated vulnerabilities (OWASP-DV-015)"

[[Testing for HTTP Splitting/Smuggling (OWASP-DV-016)|4.8.17 Testing for HTTP Splitting/Smuggling (OTG-INPVAL-017) ]] formerly "Testing for HTTP Splitting/Smuggling (OWASP-DV-016)" [Juan Galiana]

[[Error Handling|'''4.9 Error Handling''']]

[[Testing for Error Code (OWASP-IG-006)|4.9.1 Analysis of Error Codes (OTG-ERR-001)]] formerly "Analysis of Error Codes (OWASP-IG-006)"

[[Testing for Stack Traces (OWASP-IG-XXX)|4.9.2 Analysis of Stack Traces (OTG-ERR-002)]] formerly "Analysis of Stack Traces"

[[Cryptography|'''4.10 Cryptography''']]

[[Testing for Insecure encryption usage (OWASP-EN-001)| 4.10.1 Testing for Insecure encryption usage (OTG-CRYPST-001)]] formerly "Testing for Insecure encryption usage (OWASP-EN-001)"

[[Testing for Weak SSL/TSL Ciphers, Insufficient Transport Layer Protection (OWASP-EN-002)| 4.10.2 Testing for Weak SSL/TSL Ciphers, Insufficient Transport Layer Protection (OTG-CRYPST-002)]] formerly "Testing for Weak SSL/TSL Ciphers, Insufficient Transport Layer Protection (OWASP-EN-002)"

[[Testing for Padding Oracle (OWASP-EN-003)| 4.10.3 Testing for Padding Oracle (OTG-CRYPST-003)]] formerly "Testing for Padding Oracle (OWASP-EN-003)"

[[Testing for Cacheable HTTPS Response (OTG-CRYPST-004)| 4.10.4 Testing for Cacheable HTTPS Response (OTG-CRYPST-004)]]

[[Test Cache Directives (OTG-CRYPST-005)|4.10.5 Test Cache Directives (OTG-CRYPST-005)]]

[[Testing for Insecure Cryptographic Storage (OTG-CRYPST-006)|4.10.6 Testing for Insecure Cryptographic Storage (OTG-CRYPST-006)]]

[[Testing for Sensitive information sent via unencrypted channels (OTG-CRYPST-007)|4.10.7 Testing for Sensitive information sent via unencrypted channels (OTG-CRYPST-007)]]

[[Test Cryptographic Key Management (OTG-CRYPST-008)|4.10.8 Test Cryptographic Key Management (OTG-CRYPST-008)]]

[[Logging|'''4.11 Logging''']] Not convinced Logging should be included as it requires access to logs to test

[[Test time synchronisation (OTG-LOG-001)|4.11.1 Test time synchronisation (OTG-LOG-001) ]] formerly "Incorrect time"

[[Test user-viewable log of authentication events (OTG-LOG-002)|4.11.2 Test user-viewable log of authentication events (OTG-LOG-002)]]

[[Testing for business logic (OWASP-BL-001)|'''4.12 Business Logic Testing (OWASP-BL-001)''']] [To review--> David Fern]
Business Logic 

[[Test business logic data validation (OTG-BUSLOGIC-001)|4.12.1 Test business logic data validation (OTG-BUSLOGIC-001)]] [New!] NOTE MAT: to discuss this section

[[Test Ability to forge requests (OTG-BUSLOGIC-002)|4.12.2 Test Ability to forge requests (OTG-BUSLOGIC-002)]] [New!]

[[Test integrity checks (OTG-BUSLOGIC-003)|4.12.3 Test integrity checks (OTG-BUSLOGIC-003)]] (e.g. overwriting updates) [New!]

[[Test tamper evidence (OTG-BUSLOGIC-004)|4.12.4 Test tamper evidence (OTG-BUSLOGIC-004)]] [New!]

[[Test excessive rate (speed) of use limits (OTG-BUSLOGIC-005)|4.12.5 Test excessive rate (speed) of use limits (OTG-BUSLOGIC-005)]] [New!]

[[Test size of request limits (OTG-BUSLOGIC-006)|4.12.6 Test size of request limits (OTG-BUSLOGIC-006)]] [New!]

[[Test number of times a function can be used limits (OTG-BUSLOGIC-007)|4.12.7 Test number of times a function can be used limits (OTG-BUSLOGIC-002)]] [New!]

[[Test bypass of correct sequence (OTG-BUSLOGIC-008)|4.12.8 Test bypass of correct sequence (OTG-BUSLOGIC-008)]] [New!]

[[Test self-hosted payment cardholder data processing (OTG-BUSLOGIC-009)|4.12.9 Test self-hosted payment cardholder data processing (OTG-BUSLOGIC-009)]] [New!]

[[Test security incident reporting information (OTG-BUSLOGIC-010)|4.12.10 Test security incident reporting information (OTG-BUSLOGIC-010)]] [New!]

[[Test defenses against application mis-use (OTG-BUSLOGIC-011)|4.12.11 Test defenses against application mis-use (OTG-BUSLOGIC-011)]] [New!]

[[Denial of Service|'''4.13 Denial of Service''']]

[[Test Regular expression DoS (OTG-DOS-001)| 4.13.1 Test Regular expression DoS (OTG-DOS-001)]] [New!] note: to understand better 

[[Test XML DoS (OTG-DOS-002)| 4.13.2 Test XML DoS (OTG-DOS-002)]] [New! - Andrew Muller]

[[Testing for Captcha (OWASP-AT-012)|4.13.3 Testing for CAPTCHA (OTG-DOS-003)]] formerly "Testing for CAPTCHA (OWASP-AT-012)"

[[Web Service (XML Interpreter)|'''4.14 Web Service Testing''']] [Tom Eston]

[[Scoping a Web Service Test (OWASP-WS-001)|4.14.1 Scoping a Web Service Test (OTG-WEBSVC-001)]] formerly "Scoping a Web Service Test (OWASP-WS-001)"

[[WS Information Gathering (OWASP-WS-002)|4.14.2 WS Information Gathering (OTG-WEBSVC-002)]] formerly "WS Information Gathering (OWASP-WS-002)"

[[WS Authentication Testing (OWASP-WS-003)|4.14.3 WS Authentication Testing (OTG-WEBSVC-003)]] formerly "WS Authentication Testing (OWASP-WS-003)"

[[WS Management Interface Testing (OWASP-WS-004)|4.14.4 WS Management Interface Testing (OTG-WEBSVC-004)]] formerly "WS Management Interface Testing (OWASP-WS-004)"

[[Weak XML Structure Testing (OWASP-WS-005)|4.14.5 Weak XML Structure Testing (OTG-WEBSVC-005)]] formerly "Weak XML Structure Testing (OWASP-WS-005)"

[[XML Content-Level Testing (OWASP-WS-006)|4.14.6 XML Content-Level Testing (OTG-WEBSVC-006)]] formerly "XML Content-Level Testing (OWASP-WS-006)"

[[WS HTTP GET Parameters/REST Testing (OWASP-WS-007)|4.14.7 WS HTTP GET Parameters/REST Testing (OTG-WEBSVC-007)]] formerly "WS HTTP GET Parameters/REST Testing (OWASP-WS-007)"

[[WS Naughty SOAP Attachment Testing (OWASP-WS-008)|4.14.8 WS Naughty SOAP Attachment Testing (OTG-WEBSVC-008)]] formerly "WS Naughty SOAP Attachment Testing (OWASP-WS-008)"

[[WS Replay/MiTM Testing (OWASP-WS-009)|4.14.9 WS Replay/MiTM Testing (OTG-WEBSVC-009)]] formerly "WS Replay/MiTM Testing (OWASP-WS-009)"

[[WS BEPL Testing (OWASP-WS-010)|4.14.10 WS BEPL Testing (OTG-WEBSVC-010)]] formerly "WS BEPL Testing (OWASP-WS-010)"

[[Client Side Testing|'''4.15 Client Side Testing''']] [New!]

[[Testing for DOM-based Cross site scripting (OWASP-DV-003)|4.15.1 Testing for DOM based Cross Site Scripting (OTG-CLIENT-001)]] formerly "Testing for DOM based Cross Site Scripting (OWASP-CS-001)" [Stefano Di Paola]

[[Testing Cross Origin Resource Sharing (OWASP CS-002)|4.15.2 Testing Cross Origin Resource Sharing (OTG-CLIENT-002)]] formerly "Testing for HTML5 (OWASP CS-002)" [Juan Galiana]

[[Testing for Cross site flashing (OWASP-DV-004)|4.15.3 Testing for Cross Site Flashing (OTG-CLIENT-003)]] formerly "Testing for Cross Site Flashing (OWASP-CS-003)"

[[Testing for Clickjacking (OWASP-CS-004)|4.15.4 Testing for Clickjacking (OTG-CLIENT-004)]] formerly "Testing for Clickjacking (OWASP-CS-004)" [Davide Danelon]

[[Testing WebSockets (OTG-CLIENT-005)|4.15.5 Testing WebSockets (OTG-CLIENT-005)]] [Ryan Dewhurst]

[[Testing Web Messaging (OWASP CS-006)|4.15.6 Testing Web Messaging (OTG-CLIENT-006)]] [Juan Galiana]

[[Testing Local Storage (OWASP CS-007)|4.15.7 Testing Local Storage (OTG-CLIENT-007)]] [Juan Galiana]

[[Testing Sandboxed Iframes (OWASP CS-008)|4.15.8 Testing Sandboxed Iframes (OTG-CLIENT-008)]] [Juan Galiana]

==[[Writing Reports: value the real risk |5. Writing Reports: value the real risk ]]==

[[How to value the real risk |5.1 How to value the real risk]] [To review--> Amro AlOlaqi]

[[How to write the report of the testing |5.2 How to write the report of the testing]] [To review--> Amro AlOlaqi]

==[[Appendix A: Testing Tools |Appendix A: Testing Tools ]]==

* Black Box Testing Tools [To review--> Amro AlOlaqi] '''Ready to be reviewed'''

==[[OWASP Testing Guide Appendix B: Suggested Reading | Appendix B: Suggested Reading]]==
* Whitepapers [To review--> David Fern]
* Books [To review--> David Fern]
* Useful Websites [To review--> David Fern]

==[[OWASP Testing Guide Appendix C: Fuzz Vectors | Appendix C: Fuzz Vectors]]==

* Fuzz Categories [To review--> Amro AlOlaqi]

==[[OWASP Testing Guide Appendix D: Encoded Injection | Appendix D: Encoded Injection]]==

[To review--> Amro AlOlaqi]

----

[[Category:OWASP Testing Project]]

Appendix A: Testing Tools

2013-09-27T17:38:05Z

Amro Ahmed:

{{Template:OWASP Testing Guide v4}}

==Open Source Black Box Testing tools==

=== General Testing ===

* '''[[OWASP_WebScarab_Project|OWASP WebScarab]]'''
** WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins.
* '''[[OWASP_CAL9000_Project|OWASP CAL9000]]'''
** CAL9000 is a collection of browser-based tools that enable more effective and efficient manual testing efforts.
** Includes an XSS Attack Library, Character Encoder/Decoder, HTTP Request Generator and Response Evaluator, Testing Checklist, Automated Attack Editor and much more.
* '''[[:Category:OWASP Pantera Web Assessment Studio Project|OWASP Pantera Web Assessment Studio Project]]'''
** Pantera uses an improved version of SpikeProxy to provide a powerful web application analysis engine. The primary goal of Pantera is to combine automated capabilities with complete manual testing to get the best penetration testing results.
* '''[[:OWASP Zed Attack Proxy Project]]'''
** The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.
** ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
* '''[[:OWASP Mantra - Security Framework]]'''
**Mantra is a web application security testing framework built on top of a browser. It supports Windows, Linux(both 32 and 64 bit) and Macintosh, in addition, it can work with other software like ZAP using built in proxy management function which makes it much more convenient. Mantra is available in 9 languages: Arabic, Chinese - Simplified, Chinese - Traditional, English, French, Portuguese, Russian, Spanish and Turkish.
* '''SPIKE''' - http://www.immunitysec.com/resources-freesoftware.shtml
** SPIKE designed to analyze new network protocols for buffer overflows or similar weaknesses. It requires a strong knowledge of C to use and only available for the Linux platform.
* '''Burp Proxy''' - http://www.portswigger.net/Burp/
** Burp Proxy is an intercepting proxy server for security testing of web applications it allows Intercepting and modifying all HTTP/S traffic passing in both directions, it can work with custom SSL certificates and non-proxy-aware clients.
* '''Odysseus Proxy''' - http://www.wastelands.gen.nz/odysseus/
** Odysseus is a proxy server, which acts as a man-in-the-middle during an HTTP session. A typical HTTP proxy will relay packets to and from a client browser and a web server. It will intercept an HTTP session's data in either direction.
* '''Webstretch Proxy''' - http://sourceforge.net/projects/webstretch
** Webstretch Proxy enable users to view and alter all aspects of communications with a web site via a proxy. It can also be used for debugging during development.
* '''WATOBO''' - http://sourceforge.net/apps/mediawiki/watobo/index.php?title=Main_Page
** WATOBO works like a local proxy, similar to Webscarab, ZAP or BurpSuite and it supports passive and active checks.
* '''Firefox LiveHTTPHeaders''' - https://addons.mozilla.org/en-US/firefox/addon/live-http-headers/
** View HTTP headers of a page and while browsing.
* '''Firefox Tamper Data''' - https://addons.mozilla.org/en-US/firefox/addon/tamper-data/
** Use tamperdata to view and modify HTTP/HTTPS headers and post parameters
* '''Firefox Web Developer Tools''' - https://addons.mozilla.org/en-US/firefox/addon/web-developer/
** The Web Developer extension adds various web developer tools to the browser.
* '''DOM Inspector''' - https://developer.mozilla.org/en/docs/DOM_Inspector
** DOM Inspector is a developer tool used to inspect, browse, and edit the Document Object Model (DOM)
* '''Firefox Firebug''' - http://getfirebug.com/
** Firebug integrates with Firefox to edit, debug, and monitor CSS, HTML, and JavaScript.
* '''Grendel-Scan''' - http://securitytube-tools.net/index.php?title=Grendel_Scan
** Grendel-Scan is an automated security scanning of web applications and also supports manual penetration testing.
* '''OWASP SWFIntruder''' - http://www.mindedsecurity.com/swfintruder.html
** SWFIntruder (pronounced Swiff Intruder) is the first tool specifically developed for analyzing and testing security of Flash applications at runtime.
* '''SWFScan''' - http://h30499.www3.hp.com/t5/Following-the-Wh1t3-Rabbit/SWFScan-FREE-Flash-decompiler/ba-p/5440167
** Flash decompiler
* '''Wikto''' - http://www.sensepost.com/labs/tools/pentest/wikto
** Wikto features including fuzzy logic error code checking, a back-end miner, Google-assisted directory mining and real time HTTP request/response monitoring.
* '''w3af''' - http://w3af.org
** w3af is a Web Application Attack and Audit Framework. The project’s goal is finding and exploiting web application vulnerabilities.
* '''skipfish''' - http://code.google.com/p/skipfish/
** Skipfish is an active web application security reconnaissance tool.
* '''Web Developer toolbar''' - https://chrome.google.com/webstore/detail/bfbameneiokkgbdmiekhjnmfkcnldhhm
** The Web Developer extension adds a toolbar button to the browser with various web developer tools. This is the official port of the Web Developer extension for Firefox.
** '''HTTP Request Maker''' - https://chrome.google.com/webstore/detail/kajfghlhfkcocafkcjlajldicbikpgnp?hl=en-US
* Request Maker is a tool for penetration testing. With it you can easily capture requests made by web pages, tamper with the URL, headers and POST data and, of course, make new requests
** '''Cookie Editor''' - https://chrome.google.com/webstore/detail/fngmhnnpilhplaeedifhccceomclgfbg?hl=en-US
* Edit This Cookie is a cookie manager. You can add, delete, edit, search, protect and block cookies
** '''Cookie swap''' - https://chrome.google.com/webstore/detail/dffhipnliikkblkhpjapbecpmoilcama?hl=en-US
* Swap My Cookies is a session manager, it manages cookies, letting you login on any website with several different accounts.
** '''Firebug lite for Chrome"" - https://chrome.google.com/webstore/detail/bmagokdooijbeehmkpknfglimnifench
*Firebug Lite is not a substitute for Firebug, or Chrome Developer Tools. It is a tool to be used in conjunction with these tools. Firebug Lite provides the rich visual representation we are used to see in Firebug when it comes to HTML elements, DOM elements, and Box Model shading. It provides also some cool features like inspecting HTML elemements with your mouse, and live editing CSS properties
** '''Session Manager"" - https://chrome.google.com/webstore/detail/bbcnbpafconjjigibnhbfmmgdbbkcjfi
*With Session Manager you can quickly save your current browser state and reload it whenever necessary. You can manage multiple sessions, rename or remove them from the session library. Each session remembers the state of the browser at its creation time, i.e the opened tabs and windows.

=== Testing for specific vulnerabilities ===

==== Testing for DOM XSS ====
* DOMinator Pro - https://dominator.mindedsecurity.com

==== Testing AJAX ====
* '''[[:Category:OWASP Sprajax Project|OWASP Sprajax Project]]'''
==== Testing for SQL Injection ====
* '''[[:Category:OWASP_SQLiX_Project|OWASP SQLiX]]'''
* Sqlninja: a SQL Server Injection & Takeover Tool - http://sqlninja.sourceforge.net
* Bernardo Damele A. G.: sqlmap, automatic SQL injection tool - http://sqlmap.org/
* Absinthe 1.1 (formerly SQLSqueal) - http://sourceforge.net/projects/absinthe/
* SQLInjector - Uses inference techniques to extract data and determine the backend database server. http://www.databasesecurity.com/sql-injector.htm
* Bsqlbf-v2: A perl script allows extraction of data from Blind SQL Injections - http://code.google.com/p/bsqlbf-v2/
* Pangolin: An automatic SQL injection penetration testing tool - http://www.darknet.org.uk/2009/05/pangolin-automatic-sql-injection-tool/
* Antonio Parata: Dump Files by sql inference on Mysql - SqlDumper - http://www.ruizata.com/
* Multiple DBMS Sql Injection tool - SQL Power Injector - http://www.sqlpowerinjector.com/
* MySql Blind Injection Bruteforcing, Reversing.org - sqlbftools - http://packetstormsecurity.org/files/43795/sqlbftools-1.2.tar.gz.html

==== Testing Oracle ====
* TNS Listener tool (Perl) - http://www.jammed.com/%7Ejwa/hacks/security/tnscmd/tnscmd-doc.html
* Toad for Oracle - http://www.quest.com/toad
==== Testing SSL ====
* Foundstone SSL Digger - http://www.mcafee.com/us/downloads/free-tools/ssldigger.aspx
==== Testing for Brute Force Password ====
* THC Hydra - http://www.thc.org/thc-hydra/
* John the Ripper - http://www.openwall.com/john/
* Brutus - http://www.hoobie.net/brutus/
* Medusa - http://www.foofus.net/~jmk/medusa/medusa.html
*Ncat - http://nmap.org/ncat/

==== Testing Buffer Overflow ====
* OllyDbg - http://www.ollydbg.de
** "A windows based debugger used for analyzing buffer overflow vulnerabilities"
* Spike - http://www.immunitysec.com/downloads/SPIKE2.9.tgz
** A fuzzer framework that can be used to explore vulnerabilities and perform length testing
* Brute Force Binary Tester (BFB) - http://bfbtester.sourceforge.net
** A proactive binary checker

[[Category:FIXME|link not working

* Metasploit - http://www.metasploit.com/projects/Framework/
** A rapid exploit development and Testing frame work

]]
==== Fuzzer ====
* '''[[:Category:OWASP_WSFuzzer_Project|OWASP WSFuzzer]]'''
* Wfuzz - http://www.darknet.org.uk/2007/07/wfuzz-a-tool-for-bruteforcingfuzzing-web-applications/

==== Googling ====
* Stach & Liu's Google Hacking Diggity Project - http://www.stachliu.com/resources/tools/google-hacking-diggity-project/
* Foundstone Sitedigger (Google cached fault-finding) - http://www.mcafee.com/us/downloads/free-tools/sitedigger.aspx

==Commercial Black Box Testing tools==

* NGS Typhon III - http://www.nccgroup.com/en/our-services/security-testing-audit-compliance/information-security-software/ngs-typhon-iii/
* NGSSQuirreL - http://www.nccgroup.com/en/our-services/security-testing-audit-compliance/information-security-software/ngs-squirrel-vulnerability-scanners/
* IBM AppScan - http://www-01.ibm.com/software/awdtools/appscan/
* Cenzic Hailstorm - http://www.cenzic.com/products_services/cenzic_hailstorm.php
* Burp Intruder - http://www.portswigger.net/burp/intruder.html
* Acunetix Web Vulnerability Scanner - http://www.acunetix.com
* Sleuth - http://www.sandsprite.com
* NT Objectives NTOSpider - http://www.ntobjectives.com/products/ntospider.php
* MaxPatrol Security Scanner - http://www.maxpatrol.com
* Ecyware GreenBlue Inspector - http://www.ecyware.com
* Parasoft SOAtest (more QA-type tool)- http://www.parasoft.com/jsp/products/soatest.jsp?itemId=101
* MatriXay - http://www.dbappsecurity.com/webscan.html
* N-Stalker Web Application Security Scanner - http://www.nstalker.com
* HP WebInspect - http://www.hpenterprisesecurity.com/products/hp-fortify-software-security-center/hp-webinspect
* SoapUI (Web Service security testing) - http://www.soapui.org/Security/getting-started.html
* Netsparker - http://www.mavitunasecurity.com/netsparker/
* SAINT - http://www.saintcorporation.com/
* QualysGuard WAS - http://www.qualys.com/enterprises/qualysguard/web-application-scanning/
* Retina Web - http://www.eeye.com/Products/Retina/Web-Security-Scanner.aspx

[[Category:FIXME|check these links

* Cenzic Hailstorm - http://www.cenzic.com/products_services/cenzic_hailstorm.php

link broken:

* ScanDo - http://www.kavado.com

]]

==Source Code Analyzers==

===Open Source / Freeware===
* [[:Category:OWASP_Orizon_Project|Owasp Orizon]]
* '''[[:Category:OWASP_LAPSE_Project|OWASP LAPSE]]'''
* [[OWASP O2 Platform]]
* Google CodeSearchDiggity - http://www.stachliu.com/resources/tools/google-hacking-diggity-project/attack-tools/
* PMD - http://pmd.sourceforge.net/
* FlawFinder - http://www.dwheeler.com/flawfinder
* Microsoft’s [[FxCop]]
* Splint - http://splint.org
* Boon - http://www.cs.berkeley.edu/~daw/boon
* FindBugs - http://findbugs.sourceforge.net
* Oedipus - http://www.darknet.org.uk/2006/06/oedipus-open-source-web-application-security-analysis/
* W3af - http://w3af.sourceforge.net/

[[Category:FIXME|broken link

* Pscan - http://www.striker.ottawa.on.ca/~aland/pscan

]]

===Commercial ===

* Armorize CodeSecure - http://www.armorize.com/index.php?link_id=codesecure
* Parasoft C/C++ test - http://www.parasoft.com/jsp/products/cpptest.jsp/index.htm
* Checkmarx CxSuite - http://www.checkmarx.com
* HP Fortify - http://www.hpenterprisesecurity.com/products/hp-fortify-software-security-center/hp-fortify-static-code-analyzer
* GrammaTech - http://www.grammatech.com
* ITS4 - http://seclab.cs.ucdavis.edu/projects/testing/tools/its4.html
* Appscan - http://www-01.ibm.com/software/rational/products/appscan/source/
* ParaSoft - http://www.parasoft.com
* Virtual Forge CodeProfiler for ABAP - http://www.virtualforge.de
* Veracode - http://www.veracode.com

[[Category:FIXME|link not working

* Armorize CodeSecure - http://www.armorize.com/product/

]]

==Acceptance Testing Tools==
Acceptance testing tools are used to validate the functionality of web applications. Some follow a scripted approach and typically make use of a Unit Testing framework to construct test suites and test cases. Most, if not all, can be adapted to perform security specific tests in addition to functional tests.

===Open Source Tools===

* WATIR - http://wtr.rubyforge.org
** A Ruby based web testing framework that provides an interface into Internet Explorer.
** Windows only.
* HtmlUnit - http://htmlunit.sourceforge.net
** A Java and JUnit based framework that uses the Apache HttpClient as the transport.
** Very robust and configurable and is used as the engine for a number of other testing tools.
* jWebUnit - http://jwebunit.sourceforge.net
** A Java based meta-framework that uses htmlunit or selenium as the testing engine.
* Canoo Webtest - http://webtest.canoo.com
** An XML based testing tool that provides a facade on top of htmlunit.
** No coding is necessary as the tests are completely specified in XML.
** There is the option of scripting some elements in Groovy if XML does not suffice.
** Very actively maintained.
* HttpUnit - http://httpunit.sourceforge.net
** One of the first web testing frameworks, suffers from using the native JDK provided HTTP transport, which can be a bit limiting for security testing.
* Watij - http://watij.com
** A Java implementation of WATIR.
** Windows only because it uses IE for its tests (Mozilla integration is in the works).
* Solex - http://solex.sourceforge.net
** An Eclipse plugin that provides a graphical tool to record HTTP sessions and make assertions based on the results.
* Selenium - http://seleniumhq.org/
** JavaScript based testing framework, cross-platform and provides a GUI for creating tests.
** Mature and popular tool, but the use of JavaScript could hamper certain security tests.

==Other Tools==

===Runtime Analysis===

* Rational PurifyPlus - http://www-01.ibm.com/software/awdtools/purify/

===Binary Analysis===

* BugScam IDC Package - http://sourceforge.net/projects/bugscam
* Veracode - http://www.veracode.com

===Requirements Management===

* Rational Requisite Pro - http://www-306.ibm.com/software/awdtools/reqpro

===Site Mirroring===
* wget - http://www.gnu.org/software/wget, http://www.interlog.com/~tcharron/wgetwin.html
* curl - http://curl.haxx.se
* Sam Spade - http://www.samspade.org
* Xenu's Link Sleuth - http://home.snafu.de/tilman/xenulink.html