OWASP - User contributions [en]

OWASP Testing Guide v2 Table of Contents

2007-02-14T11:43:03Z

Jopi:

__NOTOC__

==[[Testing Guide Foreword|Foreword by OWASP Chair]]==

==[[Testing Guide Frontispiece |1. Frontispiece]]==

'''[[Testing Guide Frontispiece|1.1 About the OWASP Testing Guide Project]]'''

1.1.1 Copyright

1.1.2 Editors

1.1.3 Authors and Reviewers

1.1.4 Revision History

1.1.5 Trademarks

'''[[About The Open Web Application Security Project|1.2 About The Open Web Application Security Project]]'''

1.2.1 Overview

1.2.2 Structure

1.2.3 Licensing

1.2.4 Participation and Membership

1.2.5 Projects

1.2.6 OWASP Privacy Policy

==[[Testing Guide Introduction|2. Introduction]]==

'''2.1 The OWASP Testing Project'''

'''2.2 Principles of Testing'''

'''2.3 Testing Techniques Explained'''

==[[The OWASP Testing Framework|3. The OWASP Testing Framework]]==

'''3.1. Overview'''

'''3.2. Phase 1: Before Development Begins '''

'''3.3. Phase 2: During Definition and Design'''

'''3.4. Phase 3: During Development'''

'''3.5. Phase 4: During Deployment'''

'''3.6. Phase 5: Maintenance and Operations'''

'''3.7. A Typical SDLC Testing Workflow '''

==[[Web Application Penetration Testing |4. Web Application Penetration Testing ]]==

[[Testing: Introduction and objectives|'''4.1 Introduction and Objectives''']]

[[Testing: Information Gathering|'''4.2 Information Gathering''']]

[[Testing for Web Application Fingerprint|4.2.1 Testing Web Application Fingerprint]]

[[Testing for Application Discovery|4.2.2 Application Discovery]]

[[Testing: Spidering and googling|4.2.3 Spidering and Googling]]

[[Testing for Error Code|4.2.4 Analysis of Error Codes]]

[[Testing for infrastructure configuration management|4.2.5 Infrastructure
Configuration Management Testing]]

[[Testing for SSL-TLS|4.2.5.1 SSL/TLS Testing]]

[[Testing for DB Listener|4.2.5.2 DB Listener Testing]]

[[Testing for application configuration management|4.2.6 Application Configuration Management Testing]]

[[Testing for file extensions handling|4.2.6.1 Testing for File Extensions Handling]]

[[Testing for old_file|4.2.6.2 Old, backup and unreferenced files]]

[[Testing for business logic|'''4.3 Business Logic Testing''']]

[[Testing for authentication|'''4.4 Authentication Testing''']]

[[Testing for Default or Guessable User Account|4.4.1 Testing for Guessable (Dictionary) User Account]]

[[Testing for Brute Force|4.4.2 Brute Force Testing]]

[[Testing for Bypassing Authentication Schema|4.4.3 Testing for bypassing authentication schema]]

[[Testing for Directory Traversal|4.4.4 Testing for directory traversal/file include]]

[[Testing for Vulnerable Remember Password and Pwd Reset|4.4.5 Testing for vulnerable remember
password and pwd reset]]

[[Testing for Logout and Browser Cache Management|4.4.6 Testing for Logout and Browser Cache Management Testing]]

[[Testing for Session Management|'''4.5 Session Management Testing''']]

[[Testing for Session_Management_Schema|4.5.1 Testing for Session Management Schema]]

[[Testing for Cookie and Session Token Manipulation|4.5.2 Testing for Cookie and Session Token Manipulation]]

[[Testing for Exposed Session Variables|4.5.3 Testing for Exposed Session Variables ]]

[[Testing for CSRF|4.5.4 Testing for CSRF]]

[[Testing for HTTP Exploit|4.5.5 Testing for HTTP Exploit ]]

[[Testing for Data Validation|'''4.6 Data Validation Testing''']]

[[Testing for Cross site scripting|4.6.1 Testing for Cross Site Scripting]]

[[Testing for HTTP Methods and XST|4.6.1.1 Testing for HTTP Methods and XST ]]

[[Testing for SQL Injection|4.6.2 Testing for SQL Injection ]]

[[Testing for Oracle|4.6.2.1 Oracle Testing ]]

[[Testing for MySQL|4.6.2.2 MySQL Testing ]]

[[Testing for SQL Server|4.6.2.3 SQL Server Testing]]

[[Testing for LDAP Injection|4.6.3 Testing for LDAP Injection]]

[[Testing for ORM Injection|4.6.4 Testing for ORM Injection]]

[[Testing for XML Injection|4.6.5 Testing for XML Injection]]

[[Testing for SSI Injection|4.6.6 Testing for SSI Injection]]

[[Testing for XPath Injection|4.6.7 Testing for XPath Injection]]

[[Testing for IMAP/SMTP Injection|4.6.8 IMAP/SMTP Injection]]

[[Testing for Code Injection|4.6.9 Testing for Code Injection]]

[[Testing for Command Injection|4.6.10 Testing for Command Injection]]

[[Testing for Buffer Overflow|4.6.11 Testing for Buffer overflow]]

[[Testing for Heap Overflow|4.6.11.1 Testing for Heap overflow]]

[[Testing for Stack Overflow|4.6.11.2 Testing for Stack overflow]]

[[Testing for Format String|4.6.11.3 Testing for Format string]]

[[Testing for Incubated Vulnerability|4.6.12 Testing for incubated vulnerabilities]]

[[Testing for Denial of Service|'''4.7 Testing for Denial of Service''']]

[[Testing for DoS Locking Customer Accounts|4.7.1 Testing for DoS Locking Customer Accounts]]

[[Testing for DoS Buffer Overflows|4.7.2 Testing for DoS Buffer Overflows]]

[[Testing for DoS User Specified Object Allocation|4.7.3 Testing for DoS User Specified Object Allocation]]

[[Testing for User Input as a Loop Counter|4.7.4 Testing for User Input as a Loop Counter]]

[[Testing for Writing User Provided Data to Disk|4.7.5 Testing for Writing User Provided Data to Disk]]

[[Testing for DoS Failure to Release Resources|4.7.6 Testing for DoS Failure to Release Resources]]

[[Testing for Storing too Much Data in Session|4.7.7 Testing for Storing too Much Data in Session]]

[[Testing for Web Services|'''4.8 Web Services Testing''']]

[[Testing for XML Structural|4.8.1 XML Structural Testing]]

[[Testing for XML Content-Level|4.8.2 XML Content-level Testing]]

[[Testing for WS HTTP GET parameters/REST attacks|4.8.3 HTTP GET parameters/REST Testing ]]

[[Testing for Naughty SOAP Attachments|4.8.4 Testing for Naughty SOAP attachments]]

[[Testing for WS Replay|4.8.5 WS Replay Testing]]

[[Testing_for_AJAX:_introduction|'''4.9 AJAX Testing''']]

[[Testing for AJAX Vulnerabilities|4.9.1 AJAX Vulnerabilities]]

[[Testing for AJAX|4.9.2 How to test AJAX]]

==[[Writing Reports: value the real risk |5. Writing Reports: value the real risk ]]==

[[How to value the real risk |5.1 How to value the real risk]]

[[How to write the report of the testing |5.2 How to write the report of the testing]]

==[[Appendix A: Testing Tools |Appendix A: Testing Tools ]]==

* Black Box Testing Tools
* Source Code Analyzers
* Other Tools

==[[OWASP Testing Guide Appendix B: Suggested Reading | Appendix B: Suggested Reading]]==
* Whitepapers
* Books
* Useful Websites

==[[OWASP Testing Guide Appendix C: Fuzz Vectors | Appendix C: Fuzz Vectors]]==

* Fuzz Categories
** Recursive fuzzing
** Replasive fuzzing
* Cross Site Scripting (XSS)
* Buffer Overflows and Format String Errors
** Buffer Overflows (BFO)
** Format String Errors (FSE)
** Integer Overflows (INT)
* SQL Injection
** Passive SQL Injection (SQP)
** Active SQL Injection (SQI)
* LDAP Injection
* XPATH Injection

[[Category:OWASP Testing Project]]

OWASP Testing Guide v2 Table of Contents

2007-02-14T11:40:26Z

Jopi:

__NOTOC__

==[[Testing Guide Foreword|Foreword by OWASP Chair]]==

==[[Testing Guide Frontispiece |1. Frontispiece]]==

'''[[Testing Guide Frontispiece|1.1 About the OWASP Testing Guide Project]]'''

1.1.1 Copyright

1.1.2 Editors

1.1.3 Authors and Reviewers

1.1.4 Revision History

1.1.5 Trademarks

'''[[About The Open Web Application Security Project|1.2 About The Open Web Application Security Project]]'''

1.2.1 Overview

1.2.2 Structure

1.2.3 Licensing

1.2.4 Participation and Membership

1.2.5 Projects

1.2.6 OWASP Privacy Policy

==[[Testing Guide Introduction|2. Introduction]]==

'''2.1 The OWASP Testing Project'''

'''2.2 Principles of Testing'''

'''2.3 Testing Techniques Explained'''

==[[The OWASP Testing Framework|3. The OWASP Testing Framework]]==

'''3.1. Overview'''

'''3.2. Phase 1: Before Development Begins '''

'''3.3. Phase 2: During Definition and Design'''

'''3.4. Phase 3: During Development'''

'''3.5. Phase 4: During Deployment'''

'''3.6. Phase 5: Maintenance and Operations'''

'''3.7. A Typical SDLC Testing Workflow '''

==[[Web Application Penetration Testing |4. Web Application Penetration Testing ]]==

[[Testing: Introduction and objectives|'''4.1 Introduction and Objectives''']]

[[Testing: Information Gathering|'''4.2 Information Gathering''']]

[[Testing for Web Application Fingerprint|4.2.1 Testing Web Application Fingerprint]]

[[Testing for Application Discovery|4.2.2 Application Discovery]]

[[Testing: Spidering and googling|4.2.3 Spidering and Googling]]

[[Testing for Error Code|4.2.4 Analysis of Error Codes]]

[[Testing for infrastructure configuration management|4.2.5 Infrastructure
Configuration Management Testing]]

[[Testing for SSL-TLS|4.2.5.1 SSL/TLS Testing]]

[[Testing for DB Listener|4.2.5.2 DB Listener Testing]]

[[Testing for application configuration management|4.2.6 Application Configuration Management Testing]]

[[Testing for file extensions handling|4.2.6.1 Testing for File Extensions Handling]]

[[Testing for old_file|4.2.6.2 Old, backup and unreferenced files]]

[[Testing for business logic|'''4.3 Business Logic Testing''']]

[[Testing for authentication|'''4.4 Authentication Testing''']]

[[Testing for Default or Guessable User Account|4.4.1 Testing for Guessable (Dictionary) User Account]]

[[Testing for Brute Force|4.4.2 Brute Force Testing]]

[[Testing for Bypassing Authentication Schema|4.4.3 Testing for bypassing authentication schema]]

[[Testing for Directory Traversal|4.4.4 Testing for directory traversal/file include]]

[[Testing for Vulnerable Remember Password and Pwd Reset|4.4.5 Testing for vulnerable remember
password and pwd reset]]

[[Testing for Logout and Browser Cache Management|4.4.6 Testing for Logout and Browser Cache Management Testing]]

[[Testing for Session Management|'''4.5 Session Management Testing''']]

[[Testing for Session_Management_Schema|4.5.1 Testing for Session Management Schema]]

[[Testing for Cookie and Session Token Manipulation|4.5.2 Testing for Cookie and Session Token Manipulation]]

[[Testing for Exposed Session Variables|4.5.3 Testing for Exposed Session Variables ]]

[[Testing for CSRF|4.5.4 Testing for CSRF]]

[[Testing for HTTP Exploit|4.5.5 Testing for HTTP Exploit ]]

[[Testing for Data Validation|'''4.6 Data Validation Testing''']]

[[Testing for Cross site scripting|4.6.1 Testing for Cross Site Scripting]]

[[Testing for HTTP Methods and XST|4.6.1.1 Testing for HTTP Methods and XST ]]

[[Testing for SQL Injection|4.6.2 Testing for SQL Injection ]]

[[Testing for Oracle|4.6.2.1 Oracle Testing ]]

[[Testing for MySQL|4.6.2.2 MySQL Testing ]]

[[Testing for SQL Server|4.6.2.3 SQL Server Testing]]

[[Testing for LDAP Injection|4.6.3 Testing for LDAP Injection]]

[[Testing for ORM Injection|4.6.4 Testing for ORM Injection]]

[[Testing for XML Injection|4.6.5 Testing for XML Injection]]

[[Testing for SSI Injection|4.6.6 Testing for SSI Injection]]

[[Testing for XPath Injection|4.6.7 Testing for XPath Injection]]

[[Testing for IMAP/SMTP Injection|4.6.8 IMAP/SMTP Injection]]

[[Testing for Code Injection|4.6.9 Testing for Code Injection]]

[[Testing for Command Injection|4.6.10 Testing for Command Injection]]

[[Testing for Buffer Overflow|4.6.11 Testing for Buffer overflow]]

[[Testing for Heap Overflow|4.6.11.1 Testing for Heap overflow]]

[[Testing for Stack Overflow|4.6.11.2 Testing for Stack overflow]]

[[Testing for Format String|4.6.11.3 Testing for Format string]]

[[Testing for Incubated Vulnerability|4.6.12 Testing for incubated vulnerabilities]]

[[Testing for Denial of Service|'''4.7 Testing for Denial of Service''']]

[[Testing for DoS Locking Customer Accounts|4.7.1 Testing for DoS Locking Customer Accounts]]

[[Testing for DoS Buffer Overflows|4.7.2 Testing for DoS Buffer Overflows]]

[[Testing for DoS User Specified Object Allocation|4.7.3 Testing for DoS User Specified Object Allocation]]

[[Testing for User Input as a Loop Counter|4.7.4 Testing for User Input as a Loop Counter]]

[[Testing for Writing User Provided Data to Disk|4.7.5 Testing for Writing User Provided Data to Disk]]

[[Testing for DoS Failure to Release Resources|4.7.6 Testing for DoS Failure to Release Resources]]

[[Testing for Storing too Much Data in Session|4.7.7 Testing for Storing too Much Data in Session]]

[[Testing for Web Services|'''4.8 Web Services Testing''']]

[[Testing for XML Structural|4.8.1 XML Structural Testing]]

[[Testing for XML Content-Level|4.8.2 XML Content-level Testing]]

[[Testing for WS HTTP GET parameters/REST attacks|4.8.3 HTTP GET parameters/REST Testing ]]

[[Testing for Naughty SOAP Attachments|4.8.4 Testing for Naughty SOAP attachments]]

[[Testing for WS Replay|4.8.5 WS Replay Testing]]

[[Pruebas_de_AJAX:_introduccion|'''4.9 Pruebas de AJAX''']]

[[Pruebas de Vulnerabilidades de AJAX|4.9.1 Vulnerabilidades en AJAX]]

[[Pruebas en AJAX|4.9.2 Como probar AJAX]]

==[[Writing Reports: value the real risk |5. Writing Reports: value the real risk ]]==

[[How to value the real risk |5.1 How to value the real risk]]

[[How to write the report of the testing |5.2 How to write the report of the testing]]

==[[Appendix A: Testing Tools |Appendix A: Testing Tools ]]==

* Black Box Testing Tools
* Source Code Analyzers
* Other Tools

==[[OWASP Testing Guide Appendix B: Suggested Reading | Appendix B: Suggested Reading]]==
* Whitepapers
* Books
* Useful Websites

==[[OWASP Testing Guide Appendix C: Fuzz Vectors | Appendix C: Fuzz Vectors]]==

* Fuzz Categories
** Recursive fuzzing
** Replasive fuzzing
* Cross Site Scripting (XSS)
* Buffer Overflows and Format String Errors
** Buffer Overflows (BFO)
** Format String Errors (FSE)
** Integer Overflows (INT)
* SQL Injection
** Passive SQL Injection (SQP)
** Active SQL Injection (SQI)
* LDAP Injection
* XPATH Injection

[[Category:OWASP Testing Project]]

Talk:OWASP Testing Project v2.0 - Review Guidelines

2007-01-12T12:48:28Z

Jopi:

'''Typos'''
----

Hi all. I ´ ve been having a look at Owasp guide pages and contents, and I
have
doubts because of typos or perhaps not completely well explained facts. In
Dinis Cruz first announcement mail you can read:

'' The current plan is to create a 'published' version of this guide on the
10th
of February which will be sent as a book to all OWASP members''

But in that same email, the linked page that targets to reviewing guidelines, I
found different dates to the email message. At first I read in
[http://www.owasp.org/index.php/OWASP_Testing_Project_v2.0_-_Review_Guidelines#Timelines
timelines] section

# 11th January 2007: Review process begins
# 11th January 2007: Review process ends

That I am almost completely secure it is wrong, and so I edited te page to put
February the 11th in the reviewing process end. But it keeps mismatching with
the time the email says, may you please address this issue? Thank you very
much.

I send a copy of this message both to wiki discussion page and email to the
guide responsibles.

Category talk:OWASP Testing Project

2007-01-12T12:05:57Z

Jopi:

[[Typos]]

----

Hi all. I ´ ve been having a look at Owasp guide pages and contents, and I have doubts because of typos or perhaps not completely well explained facts. In Dinis Cruz first announcement mail you can read:

'' The current plan is to create a 'published' version of this guide on the 10th of February which will be sent as a book to all OWASP members''

But in that same email, the linked page that targets to reviewing guidelines, I found different dates to the email message. At first I read in [http://www.owasp.org/index.php/OWASP_Testing_Project_v2.0_-_Review_Guidelines#Timelines timelines] section

# 11th January 2007: Review process begins
# 11th January 2007: Review process ends

That I am almost completely secure it is wrong, and so I edited te page to put February the 11th in the reviewing process end. But it keeps mismatching with the time the email says, may you please address this issue? Thank you very much.

I send a copy of this message both to wiki discussion page and email to the guide responsibles.

OWASP Testing Project v2.0 - Review Guidelines

2007-01-12T11:40:24Z

Jopi: /* FAQ */

This is a support page for the [[:Category:OWASP Testing Project]] V2.0 Review effort. In here you will find more details on how to participate in this collaborative review process.

== Request for Review ==

Now that the The OWASP Testing Guide v2.0 has reached the 'Release Candidate 1 milestone, the time has come to make sure that everything is 100% and that there is nothing major missing.

During the next month we invite you all to review the current version of the OWASP Testing Guide, which is available in WIKI format here: [[OWASP_Testing_Guide_v2_Table_of_Contents]]

For your conveinience this version is also available in [http://www.owasp.org/index.php/Image:OWASP_Testing_Guide_v2_RC1_pdf.zip Adobe PDF format] or [http://www.owasp.org/index.php/Image:OWASP_Testing_Guide_v2_RC1_doc.zip Ms Doc format]

The current plan is to create a 'published' version of this guide on the 10th of February which will be sent to all OWASP members in book format.

== Timelines ==

* 01th January 2007: Owasp Testing Guide reaches Release Candidate 1 milestone
* 11th January 2007: Review process begins
* 11th February 2007: Review process ends
* 11th March 2007: Book is created and starts to be shipped to current OWASP members

== FAQ ==

* '''Q: Which are the main points of contact for this project'''
* A: The main contacts are: [[User:EoinKeary|Eoin Keary]] (OWASP Testing Project Leader) [[User:Mmeucci|Matteo Meucci]] (OWASP Testing Guide AoC 2006 lead) and [[User:Dinis.cruz|Dinis Cruz]] (Chief Owasp Evangelist). You can also join the [http://lists.owasp.org/mailman/listinfo/owasp-testing OWASP Testing mailing list] and ask your question there.

* '''Q: If I find a mistake in a WIKI page can I just edit it?'''
* A: Yes of course, just use your account (free to create) and click on 'edit'

*''' Q: Where do I add comments about a particular page?'''
* A: Either use the 'Discussion' page that exists for every content page, or add your comment to the ''General Area for general Comments'' below

*''' Q: If I have sugestions for the next version of the Guide, where do I place them?'''
* A: use the ''Wish List for next version'' area below

== Wish List for next version ==
* {put here your wish list for the next version (we will try to release a new version every 6 to 9 months.)}

== General Area for general Comments ==

* {if you have a general comments or specific question, feel free to place it here}

[[Category:OWASP Testing Project]]

OWASP Testing Project v2.0 - Review Guidelines

2007-01-12T09:01:30Z

Jopi: /* Timelines */

This is a support page for the [[:Category:OWASP Testing Project]] V2.0 Review effort. In here you will find more details on how to participate in this collaborative review process.

== Request for Review ==

Now that the The OWASP Testing Guide v2.0 has reached the 'Release Candidate 1 milestone, the time has come to make sure that everything is 100% and that there is nothing major missing.

During the next month we invite you all to review the current version of the OWASP Testing Guide, which is available in WIKI format here: [[OWASP_Testing_Guide_v2_Table_of_Contents]]

For your conveinience this version is also available in [http://www.owasp.org/index.php/Image:OWASP_Testing_Guide_v2_RC1_pdf.zip Adobe PDF format] or [http://www.owasp.org/index.php/Image:OWASP_Testing_Guide_v2_RC1_doc.zip Ms Doc format]

The current plan is to create a 'published' version of this guide on the 10th of February which will be sent to all OWASP members in book format.

== Timelines ==

* 01th January 2007: Owasp Testing Guide reaches Release Candidate 1 milestone
* 11th January 2007: Review process begins
* 11th February 2007: Review process ends
* 11th March 2007: Book is created and starts to be shipped to current OWASP members

== FAQ ==

* '''Q: What are the main points of contact for this project'''
* A: The main contacts are: [[User:EoinKeary|Eoin Keary]] (OWASP Testing Project Leader) [[User:Mmeucci|Matteo Meucci]] (OWASP Testing Guide AoC 2006 lead) and [[User:Dinis.cruz|Dinis Cruz]] (Chief Owasp Evangelist). You can also join the [http://lists.owasp.org/mailman/listinfo/owasp-testing OWASP Testing mailing list] and ask your question there.

* '''Q:If I find a mistake in a WIKI page can I just edit it?'''
* A: Yes of course, just use your account (free to create) and click on 'edit'

*''' Q:Where do I add comments about a particular page?'''
* A: Use the 'Discussion' page that exists for every content page, or add your comment to the ''General Area for general Comments'' below

*''' Q:If I have sugestions for the next version of the Guide where do I place them?'''
* A: use the ''Wish List for next version'' area below

== Wish List for next version ==
* {put here your wish list for the next version (we will try to release a new version every 6 to 9 months.)}

== General Area for general Comments ==

* {if you have a general comments or specific question, feel free to place it here}

[[Category:OWASP Testing Project]]