OWASP - User contributions [en]

Category talk:OWASP SQLiX Project

2014-03-19T13:36:47Z

Kingthorin: /* If you're porting anyway why not add to an existing project? */ new section

Several Perl modules are required for SQLix to work, which aren't necessarily installed by default on your OS of choice.

For my install (Fedora Core 6) here's the commands I used to setup

perl -MCPAN -e shell

cpan>install WWW::CheckSite

cpan>install HTML::TreeBuilder

cpan>install Tie::CharArray

cpan>install Algorithm::Diff

== Using URL files ==

It isn't explained that the URL file e.g. crawler should be of the form: method URL queryparams <lf>

For example

GET http://www.example.com/hello/

POST http://www.example.com/hello/myform.php qs1=val1&qs2=val2

== cedri.cc down ==

cedri.cc appears to be having DNS issues. Is it possible to have this code mirrored on the sourceforge or something similar for times like these? :)

== This is NOT open source / available for us to use? ==

The source code of SQLiX.pl says
Copyright 2006 Cedric COCHIN, All Rights Reserved.
which would mean, especially in the absence of any GPL or other license, that we do not have the right to download much less use or modify this tool. So why bother listing it here? (Of course, you can't '''see''' the copyright message until after you already made a copy and unzipped it.)

I can not get the -file option to work. I've created a text file with the following line
GET http://test.accunetix.com

But it does not return any results and the program ends much too quickly for any scanning to take place.

If I run
perl SQLiX.pl -crawl http://test.acunetix.com -exploit -all -v=2

The program works as expected. Any ideas?

== If you're porting anyway why not add to an existing project? ==

If you're working on porting perl to python why not integrate this functionality into OWASP ZAP?

https://groups.google.com/forum/#!topic/zaproxy-develop/AIUd6MVS1PU

Either as an extension or base addition to the project. I know it would mean java development instead of python but it would get this out to a wider community and improve things for everyone. [[User:Kingthorin|Kingthorin]] ([[User talk:Kingthorin|talk]]) 08:36, 19 March 2014 (CDT)

OWASP Testing Guide v3 Startup

2008-05-23T14:15:29Z

Kingthorin: Highlight Answers

== Planning the new OWASP Testing Guide v3 ==

'''3rd October 2007: Startup v3''' 
The OWASP Testing Guide v2 was a great success, with thousand download and many many Companies that have adopted it as standard for a Web Application Penetration Testing. 
Now we would like to begin a new project that is based on v2 but improve it and complete it. 
 
In the OWASP Testing Guide v2 we have split the set of tests in 8 sub-categories:
* Information Gathering
* Business Logic Testing
* Authentication Testing
* Session Management Testing
* Data Validation Testing
* Denial of Service Testing
* Web Services Testing
* AJAX Testing

The following are my thoughts about the new OWASP Testing Guide v3:

1) Authorization testing missing. As Jeff and Dave said many time before it's important to create a new category. 
* This should include things which were in v1 but dropped from v2, like: OWASP-AC-003 : Authorization Parameter Manipulation, OWASP-AC-004 : Authorized pages/functions
2) Information gathering is not a set of vulnerabilities --> not in report --> new category: Passive mode 
3) Business logic testing --> not in report --> Passive mode 
4) Infrastructural test --> new category 
5) Web Services section needs improvement 
6) AJAX Testing section needs improvement 
7) New category: Client side Testing. AJAX and Flash Testing 

This [http://www.owasp.org/index.php/Image:Planning_OTGv3.doc document] analyzes the OWASP Testing Guide v2 vulnerabilities and a plan for create the new v3. 

The following clarifications/considerations also need to be made in preparation for v3: 
1) Are "OWASP-AUTHN-001 : Authentication endpoint request should be HTTPS" and "OWASP-AUTHN-003 : Credentials transport over an encrypted channel" as they were in v1 fully covered by "OWASP-IG-005 : SSL/TLS Testing"? '''--> no, we need to create a new test in authentication testing''' 
2) Are "OWASP-AUTHN-009 : Password Structure" and "OWASP-AUTHN-010 : Blank Passwords" as they were in v1 fully covered by OWASP-AT-003 & OWASP-AT-001? '''--> Yes''' 
3) Are all 5 AUTHSM references as they were in v1 fully covered by "OWASP-SM-001 : Session Management Schema"? 
4) What does "OWASP-DP-001 : Sensitive Data in HTML" fall under in v2/v3? 
5) Are all the SSL Data protection references (DP-003 through DP-007) from v1 fall under "OWASP-IG-005 : SSL/TLS Testing"? 
6) Is "OWASP-DS-001 : Locking Customer Accounts" a subset of AUTHN-008 in v1 or AT-006 in v2 or is it really an item on it's own? 
7) Are "OWASP-EH-002 : User Error Messages" and "OWASP-EH-001 : Application Error Messages" as they were in v1 meant to fall under "OWASP-IG-004 : Analysis of Error Codes"? If so where would things like overly specific authentication errors appear in the report? (If I understand correctly Information gathering isn't going to be reported) [This would be things like errors messages which actually specify "invalid username" or "invalid password" instead of "Error: the credentials provided are invalid" or similar generic messaging.] '''--> yes'''

OWASP Testing Guide v3 Table of Contents

2008-05-20T12:58:07Z

Kingthorin: Format like other sections

__NOTOC__

'''20th May 2008'''
This is the draft of table of content of the New Testing Guide.
You can download the stable version [http://www.owasp.org/index.php/Image:OWASP_Testing_Guide_v2_pdf.zip here] or read it on line [http://www.owasp.org/index.php/OWASP_Testing_Guide_v2_Table_of_Contents here]

Testing Guide v3 (draft 20th May 2008)

The core index is the OTG v2. (new): new articles, (toimp): needs to improve

==[[Testing Guide Foreword|(toimp)Foreword by OWASP Chair]]==

==[[Testing Guide Frontispiece |(toimp)1. Frontispiece]]==

'''[[Testing Guide Frontispiece|(toimp)1.1 About the OWASP Testing Guide Project]]'''

'''[[About The Open Web Application Security Project|1.2 About The Open Web Application Security Project]]'''

==[[Testing Guide Introduction|2. Introduction]]==

'''2.1 The OWASP Testing Project'''

'''2.2 Principles of Testing'''

'''2.3 Testing Techniques Explained'''

(new) 2.4 Security requirements test derivation, functional and non functional test requirements, and test cases through use and misuse cases

(new) 2.4.1 Security tests integrated in developers and testers workflows

(new) 2.4.2 Developers' security tests: Unit Tests, component level tests, etc

(new) 2.4.3 Functional testers' security tests: integrated system tests, tests in UAT, and production environment

(new) 2.5 Security test data analysis and reporting: root cause identification and business/role case test data reporting

==[[The OWASP Testing Framework|3. The OWASP Testing Framework]]==

'''3.1. Overview'''

'''3.2. Phase 1: Before Development Begins '''

'''3.3. Phase 2: During Definition and Design'''

'''3.4. Phase 3: During Development'''

'''3.5. Phase 4: During Deployment'''

'''3.6. Phase 5: Maintenance and Operations'''

'''3.7. A Typical SDLC Testing Workflow '''

==[[Web Application Penetration Testing |4. (toimp) Web Application Penetration Testing ]]==

[[Testing: Introduction and objectives|'''4.1 Introduction and Objectives''']]

[[Testing: Information Gathering|'''(toimp) 4.2 Information Gathering''']]

[[Testing for Web Application Fingerprint|4.2.1 (toimp) Testing Web Application Fingerprint]]

[[Testing for Application Discovery|4.2.2 Application Discovery]]

[[Testing: Spiders Robots and Crawlers|(new:Christian Heinrich)4.2.3 Spiders, Robots and Crawlers]]

[[Testing: Search engine discovery|(new:Christian Heinrich)4.2.4 Search Engine Discovery/Reconnaissance"]]

[[Testing for Error Code|(toimp)4.2.5 Analysis of Error Codes]]

[[Testing for infrastructure configuration management|4.2.6 Infrastructure
Configuration Management Testing]]

[[Testing for SSL-TLS|4.2.6.1 SSL/TLS Testing]]

[[Testing for DB Listener|4.2.6.2 DB Listener Testing]]

[[Testing for application configuration management|4.2.7 Application Configuration Management Testing]]

[[Testing for file extensions handling|4.2.7.1 Testing for File Extensions Handling]]

[[Testing for old_file|4.2.7.2 Old, backup and unreferenced files]]

[[Testing for business logic|'''(toimp)4.3 Business Logic Testing''']]

[[Testing for authentication|'''(toimp)4.4 Authentication Testing''']]

[[Testing for credentials transport|(new)4.4.1 Credentials transport over an encrypted channel]]

[[Testing for Default or Guessable User Account|4.4.2 Testing for Guessable (Dictionary) User Account]]

[[Testing for Brute Force|4.4.3 Brute Force Testing]]

[[Testing for Bypassing Authentication Schema|4.4.4 Testing for bypassing authentication schema]]

[[Testing for Directory Traversal|4.4.5 Testing for directory traversal/file include]]

[[Testing for Vulnerable Remember Password and Pwd Reset|4.4.6 Testing for vulnerable remember
password and pwd reset]]

[[Testing for Logout and Browser Cache Management|4.4.7 Testing for Logout and Browser Cache Management Testing]]

[[Testing for Authorization|'''(new) 4.x Authorization testing''']]

[[Testing for Path Traversal|(new) 4.x.x Testing for Path Traversal]]

[[Testing for Bypassing Authorization Schema|(new)4.x.x Testing for bypassing authorization schema]]

[[Testing fot Privilege escalation|(new)4.x.x Testing for Privilege Escalation]]

[[Testing for Session Management|'''4.5 Session Management Testing''']]

[[Testing for Session_Management_Schema|4.5.1 Testing for Session Management Schema]]

[[Testing for Cookie and Session Token Manipulation|(new)4.5.2 Test the token strength (old 4.5.2 Testing for Cookie and Session Token Manipulation)]]

[[Testing for Exposed Session Variables|4.5.3 Testing for Exposed Session Variables ]]

[[Testing for CSRF|4.5.4 Testing for CSRF]]

[[Testing for HTTP Exploit|4.5.5 Testing for HTTP Exploit ]]

[[Testing for Data Validation|'''4.6 Data Validation Testing''']]

[[Testing for Reflected Cross site scripting|(new)4.6.1 Testing for Reflected Cross Site Scripting]]

[[Testing for Stored Cross site scripting|(new)4.6.2 Testing for Stored Cross Site Scripting]]

[[Testing for DOM-based Cross site scripting|4.6.3 Testing for DOM based Cross Site Scripting]]

[[Testing for Cross site flashing|(new)4.6.4 Testing for Cross Site Flashing]]

[[Testing for HTTP Methods and XST|4.6.1.1 Testing for HTTP Methods and XST ]]

[[Testing for SQL Injection|4.6.2 Testing for SQL Injection ]]

[[Testing for Oracle|4.6.2.1 Oracle Testing ]]

[[Testing for MySQL|4.6.2.2 MySQL Testing ]]

[[Testing for SQL Server|4.6.2.3 SQL Server Testing]]

[[Testing for LDAP Injection|4.6.3 Testing for LDAP Injection]]

[[Testing for ORM Injection|4.6.4 Testing for ORM Injection]]

[[Testing for XML Injection|4.6.5 Testing for XML Injection]]

[[Testing for SSI Injection|4.6.6 Testing for SSI Injection]]

[[Testing for XPath Injection|4.6.7 Testing for XPath Injection]]

[[Testing for IMAP/SMTP Injection|4.6.8 IMAP/SMTP Injection]]

[[Testing for Code Injection|4.6.9 Testing for Code Injection]]

[[Testing for Command Injection|4.6.10 Testing for Command Injection]]

[[Testing for Buffer Overflow|4.6.11 Testing for Buffer overflow]]

[[Testing for Heap Overflow|4.6.11.1 Testing for Heap overflow]]

[[Testing for Stack Overflow|4.6.11.2 Testing for Stack overflow]]

[[Testing for Format String|4.6.11.3 Testing for Format string]]

[[Testing for Incubated Vulnerability|4.6.12 Testing for incubated vulnerabilities]]

[[Testing for Denial of Service|'''4.7 Testing for Denial of Service''']]

[[Testing for DoS Locking Customer Accounts|4.7.1 Testing for DoS Locking Customer Accounts]]

[[Testing for DoS Buffer Overflows|4.7.2 Testing for DoS Buffer Overflows]]

[[Testing for DoS User Specified Object Allocation|4.7.3 Testing for DoS User Specified Object Allocation]]

[[Testing for User Input as a Loop Counter|4.7.4 Testing for User Input as a Loop Counter]]

[[Testing for Writing User Provided Data to Disk|4.7.5 Testing for Writing User Provided Data to Disk]]

[[Testing for DoS Failure to Release Resources|4.7.6 Testing for DoS Failure to Release Resources]]

[[Testing for Storing too Much Data in Session|4.7.7 Testing for Storing too Much Data in Session]]

[[Testing for Web Services|'''4.8 Web Services Testing''']]

[[Testing for XML Structural|4.8.1 XML Structural Testing]]

[[Testing for XML Content-Level|4.8.2 XML Content-level Testing]]

[[Testing for WS HTTP GET parameters/REST attacks|4.8.3 HTTP GET parameters/REST Testing ]]

[[Testing for Naughty SOAP Attachments|4.8.4 Testing for Naughty SOAP attachments]]

[[Testing for WS Replay|4.8.5 WS Replay Testing]]

[[Client-Side Testing|(new)4.10 Client site testing]]

[[Testing for AJAX|(new) 4.10.1 AJAX Testing]]

[[Flash Testing|(new)4.10.2 Flash Testing]]

[[RIA Testing|(new)4.10.3 RIA Testing]]

==[[Writing Reports: value the real risk |(toimp)5. Writing Reports: value the real risk ]]==

[[How to value the real risk |5.1 How to value the real risk]]

[[How to write the report of the testing |5.2 How to write the report of the testing]]

OTGv3 team Discussion

Also see [http://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Startup http://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Startup].

 The new OWASP testing Guidev3:
 This [http://www.owasp.org/index.php/Image:Planning_OTGv3.doc document] analyze the OWASP Testing Guide v2 checklist and a plan for create the new v3.

* 1) Methodical Testing (new category) <-- (Mat) needs explanation
* 2) Authorization testing missing. (new category)
* 3) Information gathering is not a vulnerability
* 4) Business logic testing
* 5) Infrastructural test  (new category) *this has to only concentrate on 80 and 443 and other web related testing
* 6) Web Services section needs improvement
* 7) AJAX Testing section needs improvement
* 8) Testing Methodology section updates (requirements, plans, levels and environments)
* 9) New category: Client side Testing
* 10) New category: Thick Client Testing
* 11) New category: Flash/Silverlight Applications
* 12) New category: Assessing Financial Applications
* 13) New category: Fuzzing (we have the vectors, but this should explain the whole concept)

Proposed new categories for the OTG v3:
* OTG Form Templates
** OTG Request for Quote (RFQ) (new)
** OTG 3rd Party Assessment Authorization Form (new)
** OTG Sample Report (new)
* Passive Mode
* Information Gathering
* Business logic testing
* Web Application Penetration Testing
** Infrastructural testing
** Authentication Testing
** Authorization Testing (new)
** Session Management Testing
** Data Validation Testing
** Denial of Service Testing
** Web Services Testing
** Client-Side Testing
*** AJAX Testing
*** Flash Testing (new)
*** RIA stuff (new)

[[Category:OWASP Testing Project]]

OWASP Testing Guide v3 Table of Contents

2008-05-20T12:54:06Z

Kingthorin: /* 2. Introduction */

__NOTOC__

'''20th May 2008'''
This is the draft of table of content of the New Testing Guide.
You can download the stable version [http://www.owasp.org/index.php/Image:OWASP_Testing_Guide_v2_pdf.zip here] or read it on line [http://www.owasp.org/index.php/OWASP_Testing_Guide_v2_Table_of_Contents here]

Testing Guide v3 (draft 20th May 2008)

The core index is the OTG v2. (new): new articles, (toimp): needs to improve

==[[Testing Guide Foreword|(toimp)Foreword by OWASP Chair]]==

==[[Testing Guide Frontispiece |(toimp)1. Frontispiece]]==

'''[[Testing Guide Frontispiece|(toimp)1.1 About the OWASP Testing Guide Project]]'''

'''[[About The Open Web Application Security Project|1.2 About The Open Web Application Security Project]]'''

==[[Testing Guide Introduction|2. Introduction]]==

'''2.1 The OWASP Testing Project'''

'''2.2 Principles of Testing'''

'''2.3 Testing Techniques Explained'''

''' (new) 2.4 Security requirements test derivation, functional and non functional
test requirements, and test cases through use and misuse cases'''

''' (new) 2.4.1 Security tests integrated in developers and testers workflows'''

''' (new) 2.4.2 Developers' security tests: Unit Tests, component level tests, etc'''

''' (new) 2.4.3 Functional testers' security tests: integrated system tests, tests in UAT,
and production environment'''

''' (new) 2.5 Security test data analysis and reporting: root cause identification and
business/role case test data reporting'''

==[[The OWASP Testing Framework|3. The OWASP Testing Framework]]==

'''3.1. Overview'''

'''3.2. Phase 1: Before Development Begins '''

'''3.3. Phase 2: During Definition and Design'''

'''3.4. Phase 3: During Development'''

'''3.5. Phase 4: During Deployment'''

'''3.6. Phase 5: Maintenance and Operations'''

'''3.7. A Typical SDLC Testing Workflow '''

==[[Web Application Penetration Testing |4. (toimp) Web Application Penetration Testing ]]==

[[Testing: Introduction and objectives|'''4.1 Introduction and Objectives''']]

[[Testing: Information Gathering|'''(toimp) 4.2 Information Gathering''']]

[[Testing for Web Application Fingerprint|4.2.1 (toimp) Testing Web Application Fingerprint]]

[[Testing for Application Discovery|4.2.2 Application Discovery]]

[[Testing: Spiders Robots and Crawlers|(new:Christian Heinrich)4.2.3 Spiders, Robots and Crawlers]]

[[Testing: Search engine discovery|(new:Christian Heinrich)4.2.4 Search Engine Discovery/Reconnaissance"]]

[[Testing for Error Code|(toimp)4.2.5 Analysis of Error Codes]]

[[Testing for infrastructure configuration management|4.2.6 Infrastructure
Configuration Management Testing]]

[[Testing for SSL-TLS|4.2.6.1 SSL/TLS Testing]]

[[Testing for DB Listener|4.2.6.2 DB Listener Testing]]

[[Testing for application configuration management|4.2.7 Application Configuration Management Testing]]

[[Testing for file extensions handling|4.2.7.1 Testing for File Extensions Handling]]

[[Testing for old_file|4.2.7.2 Old, backup and unreferenced files]]

[[Testing for business logic|'''(toimp)4.3 Business Logic Testing''']]

[[Testing for authentication|'''(toimp)4.4 Authentication Testing''']]

[[Testing for credentials transport|(new)4.4.1 Credentials transport over an encrypted channel]]

[[Testing for Default or Guessable User Account|4.4.2 Testing for Guessable (Dictionary) User Account]]

[[Testing for Brute Force|4.4.3 Brute Force Testing]]

[[Testing for Bypassing Authentication Schema|4.4.4 Testing for bypassing authentication schema]]

[[Testing for Directory Traversal|4.4.5 Testing for directory traversal/file include]]

[[Testing for Vulnerable Remember Password and Pwd Reset|4.4.6 Testing for vulnerable remember
password and pwd reset]]

[[Testing for Logout and Browser Cache Management|4.4.7 Testing for Logout and Browser Cache Management Testing]]

[[Testing for Authorization|'''(new) 4.x Authorization testing''']]

[[Testing for Path Traversal|(new) 4.x.x Testing for Path Traversal]]

[[Testing for Bypassing Authorization Schema|(new)4.x.x Testing for bypassing authorization schema]]

[[Testing fot Privilege escalation|(new)4.x.x Testing for Privilege Escalation]]

[[Testing for Session Management|'''4.5 Session Management Testing''']]

[[Testing for Session_Management_Schema|4.5.1 Testing for Session Management Schema]]

[[Testing for Cookie and Session Token Manipulation|(new)4.5.2 Test the token strength (old 4.5.2 Testing for Cookie and Session Token Manipulation)]]

[[Testing for Exposed Session Variables|4.5.3 Testing for Exposed Session Variables ]]

[[Testing for CSRF|4.5.4 Testing for CSRF]]

[[Testing for HTTP Exploit|4.5.5 Testing for HTTP Exploit ]]

[[Testing for Data Validation|'''4.6 Data Validation Testing''']]

[[Testing for Reflected Cross site scripting|(new)4.6.1 Testing for Reflected Cross Site Scripting]]

[[Testing for Stored Cross site scripting|(new)4.6.2 Testing for Stored Cross Site Scripting]]

[[Testing for DOM-based Cross site scripting|4.6.3 Testing for DOM based Cross Site Scripting]]

[[Testing for Cross site flashing|(new)4.6.4 Testing for Cross Site Flashing]]

[[Testing for HTTP Methods and XST|4.6.1.1 Testing for HTTP Methods and XST ]]

[[Testing for SQL Injection|4.6.2 Testing for SQL Injection ]]

[[Testing for Oracle|4.6.2.1 Oracle Testing ]]

[[Testing for MySQL|4.6.2.2 MySQL Testing ]]

[[Testing for SQL Server|4.6.2.3 SQL Server Testing]]

[[Testing for LDAP Injection|4.6.3 Testing for LDAP Injection]]

[[Testing for ORM Injection|4.6.4 Testing for ORM Injection]]

[[Testing for XML Injection|4.6.5 Testing for XML Injection]]

[[Testing for SSI Injection|4.6.6 Testing for SSI Injection]]

[[Testing for XPath Injection|4.6.7 Testing for XPath Injection]]

[[Testing for IMAP/SMTP Injection|4.6.8 IMAP/SMTP Injection]]

[[Testing for Code Injection|4.6.9 Testing for Code Injection]]

[[Testing for Command Injection|4.6.10 Testing for Command Injection]]

[[Testing for Buffer Overflow|4.6.11 Testing for Buffer overflow]]

[[Testing for Heap Overflow|4.6.11.1 Testing for Heap overflow]]

[[Testing for Stack Overflow|4.6.11.2 Testing for Stack overflow]]

[[Testing for Format String|4.6.11.3 Testing for Format string]]

[[Testing for Incubated Vulnerability|4.6.12 Testing for incubated vulnerabilities]]

[[Testing for Denial of Service|'''4.7 Testing for Denial of Service''']]

[[Testing for DoS Locking Customer Accounts|4.7.1 Testing for DoS Locking Customer Accounts]]

[[Testing for DoS Buffer Overflows|4.7.2 Testing for DoS Buffer Overflows]]

[[Testing for DoS User Specified Object Allocation|4.7.3 Testing for DoS User Specified Object Allocation]]

[[Testing for User Input as a Loop Counter|4.7.4 Testing for User Input as a Loop Counter]]

[[Testing for Writing User Provided Data to Disk|4.7.5 Testing for Writing User Provided Data to Disk]]

[[Testing for DoS Failure to Release Resources|4.7.6 Testing for DoS Failure to Release Resources]]

[[Testing for Storing too Much Data in Session|4.7.7 Testing for Storing too Much Data in Session]]

[[Testing for Web Services|'''4.8 Web Services Testing''']]

[[Testing for XML Structural|4.8.1 XML Structural Testing]]

[[Testing for XML Content-Level|4.8.2 XML Content-level Testing]]

[[Testing for WS HTTP GET parameters/REST attacks|4.8.3 HTTP GET parameters/REST Testing ]]

[[Testing for Naughty SOAP Attachments|4.8.4 Testing for Naughty SOAP attachments]]

[[Testing for WS Replay|4.8.5 WS Replay Testing]]

[[Client-Side Testing|(new)4.10 Client site testing]]

[[Testing for AJAX|(new) 4.10.1 AJAX Testing]]

[[Flash Testing|(new)4.10.2 Flash Testing]]

[[RIA Testing|(new)4.10.3 RIA Testing]]

==[[Writing Reports: value the real risk |(toimp)5. Writing Reports: value the real risk ]]==

[[How to value the real risk |5.1 How to value the real risk]]

[[How to write the report of the testing |5.2 How to write the report of the testing]]

OTGv3 team Discussion

Also see [http://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Startup http://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Startup].

 The new OWASP testing Guidev3:
 This [http://www.owasp.org/index.php/Image:Planning_OTGv3.doc document] analyze the OWASP Testing Guide v2 checklist and a plan for create the new v3.

* 1) Methodical Testing (new category) <-- (Mat) needs explanation
* 2) Authorization testing missing. (new category)
* 3) Information gathering is not a vulnerability
* 4) Business logic testing
* 5) Infrastructural test  (new category) *this has to only concentrate on 80 and 443 and other web related testing
* 6) Web Services section needs improvement
* 7) AJAX Testing section needs improvement
* 8) Testing Methodology section updates (requirements, plans, levels and environments)
* 9) New category: Client side Testing
* 10) New category: Thick Client Testing
* 11) New category: Flash/Silverlight Applications
* 12) New category: Assessing Financial Applications
* 13) New category: Fuzzing (we have the vectors, but this should explain the whole concept)

Proposed new categories for the OTG v3:
* OTG Form Templates
** OTG Request for Quote (RFQ) (new)
** OTG 3rd Party Assessment Authorization Form (new)
** OTG Sample Report (new)
* Passive Mode
* Information Gathering
* Business logic testing
* Web Application Penetration Testing
** Infrastructural testing
** Authentication Testing
** Authorization Testing (new)
** Session Management Testing
** Data Validation Testing
** Denial of Service Testing
** Web Services Testing
** Client-Side Testing
*** AJAX Testing
*** Flash Testing (new)
*** RIA stuff (new)

[[Category:OWASP Testing Project]]

OWASP Testing Guide v3 Table of Contents

2008-05-20T12:52:18Z

Kingthorin: Minor corrections

__NOTOC__

'''20th May 2008'''
This is the draft of table of content of the New Testing Guide.
You can download the stable version [http://www.owasp.org/index.php/Image:OWASP_Testing_Guide_v2_pdf.zip here] or read it on line [http://www.owasp.org/index.php/OWASP_Testing_Guide_v2_Table_of_Contents here]

Testing Guide v3 (draft 20th May 2008)

The core index is the OTG v2. (new): new articles, (toimp): needs to improve

==[[Testing Guide Foreword|(toimp)Foreword by OWASP Chair]]==

==[[Testing Guide Frontispiece |(toimp)1. Frontispiece]]==

'''[[Testing Guide Frontispiece|(toimp)1.1 About the OWASP Testing Guide Project]]'''

'''[[About The Open Web Application Security Project|1.2 About The Open Web Application Security Project]]'''

==[[Testing Guide Introduction|2. Introduction]]==

'''2.1 The OWASP Testing Project'''

'''2.2 Principles of Testing'''

'''2.3 Testing Techniques Explained'''

''' (new) 2.4 Security requirements tests derivazione functional and non functional
test requirements and test cases through use e misuse cases'''

''' (new) 2.4.1 Security tests integrated in developers and testers workflows'''

''' (new) 2.4.2 Developers' security tests: Unit Tests, component level tests, etc'''

''' (new) 2.4.3 Functional testers' security tests: integrated system tests, tests in UAT,
and production environment'''

''' (new) 2.5 Security test data analysis and reporting: root cause identification and
business/role case test data reporting'''

==[[The OWASP Testing Framework|3. The OWASP Testing Framework]]==

'''3.1. Overview'''

'''3.2. Phase 1: Before Development Begins '''

'''3.3. Phase 2: During Definition and Design'''

'''3.4. Phase 3: During Development'''

'''3.5. Phase 4: During Deployment'''

'''3.6. Phase 5: Maintenance and Operations'''

'''3.7. A Typical SDLC Testing Workflow '''

==[[Web Application Penetration Testing |4. (toimp) Web Application Penetration Testing ]]==

[[Testing: Introduction and objectives|'''4.1 Introduction and Objectives''']]

[[Testing: Information Gathering|'''(toimp) 4.2 Information Gathering''']]

[[Testing for Web Application Fingerprint|4.2.1 (toimp) Testing Web Application Fingerprint]]

[[Testing for Application Discovery|4.2.2 Application Discovery]]

[[Testing: Spiders Robots and Crawlers|(new:Christian Heinrich)4.2.3 Spiders, Robots and Crawlers]]

[[Testing: Search engine discovery|(new:Christian Heinrich)4.2.4 Search Engine Discovery/Reconnaissance"]]

[[Testing for Error Code|(toimp)4.2.5 Analysis of Error Codes]]

[[Testing for infrastructure configuration management|4.2.6 Infrastructure
Configuration Management Testing]]

[[Testing for SSL-TLS|4.2.6.1 SSL/TLS Testing]]

[[Testing for DB Listener|4.2.6.2 DB Listener Testing]]

[[Testing for application configuration management|4.2.7 Application Configuration Management Testing]]

[[Testing for file extensions handling|4.2.7.1 Testing for File Extensions Handling]]

[[Testing for old_file|4.2.7.2 Old, backup and unreferenced files]]

[[Testing for business logic|'''(toimp)4.3 Business Logic Testing''']]

[[Testing for authentication|'''(toimp)4.4 Authentication Testing''']]

[[Testing for credentials transport|(new)4.4.1 Credentials transport over an encrypted channel]]

[[Testing for Default or Guessable User Account|4.4.2 Testing for Guessable (Dictionary) User Account]]

[[Testing for Brute Force|4.4.3 Brute Force Testing]]

[[Testing for Bypassing Authentication Schema|4.4.4 Testing for bypassing authentication schema]]

[[Testing for Directory Traversal|4.4.5 Testing for directory traversal/file include]]

[[Testing for Vulnerable Remember Password and Pwd Reset|4.4.6 Testing for vulnerable remember
password and pwd reset]]

[[Testing for Logout and Browser Cache Management|4.4.7 Testing for Logout and Browser Cache Management Testing]]

[[Testing for Authorization|'''(new) 4.x Authorization testing''']]

[[Testing for Path Traversal|(new) 4.x.x Testing for Path Traversal]]

[[Testing for Bypassing Authorization Schema|(new)4.x.x Testing for bypassing authorization schema]]

[[Testing fot Privilege escalation|(new)4.x.x Testing for Privilege Escalation]]

[[Testing for Session Management|'''4.5 Session Management Testing''']]

[[Testing for Session_Management_Schema|4.5.1 Testing for Session Management Schema]]

[[Testing for Cookie and Session Token Manipulation|(new)4.5.2 Test the token strength (old 4.5.2 Testing for Cookie and Session Token Manipulation)]]

[[Testing for Exposed Session Variables|4.5.3 Testing for Exposed Session Variables ]]

[[Testing for CSRF|4.5.4 Testing for CSRF]]

[[Testing for HTTP Exploit|4.5.5 Testing for HTTP Exploit ]]

[[Testing for Data Validation|'''4.6 Data Validation Testing''']]

[[Testing for Reflected Cross site scripting|(new)4.6.1 Testing for Reflected Cross Site Scripting]]

[[Testing for Stored Cross site scripting|(new)4.6.2 Testing for Stored Cross Site Scripting]]

[[Testing for DOM-based Cross site scripting|4.6.3 Testing for DOM based Cross Site Scripting]]

[[Testing for Cross site flashing|(new)4.6.4 Testing for Cross Site Flashing]]

[[Testing for HTTP Methods and XST|4.6.1.1 Testing for HTTP Methods and XST ]]

[[Testing for SQL Injection|4.6.2 Testing for SQL Injection ]]

[[Testing for Oracle|4.6.2.1 Oracle Testing ]]

[[Testing for MySQL|4.6.2.2 MySQL Testing ]]

[[Testing for SQL Server|4.6.2.3 SQL Server Testing]]

[[Testing for LDAP Injection|4.6.3 Testing for LDAP Injection]]

[[Testing for ORM Injection|4.6.4 Testing for ORM Injection]]

[[Testing for XML Injection|4.6.5 Testing for XML Injection]]

[[Testing for SSI Injection|4.6.6 Testing for SSI Injection]]

[[Testing for XPath Injection|4.6.7 Testing for XPath Injection]]

[[Testing for IMAP/SMTP Injection|4.6.8 IMAP/SMTP Injection]]

[[Testing for Code Injection|4.6.9 Testing for Code Injection]]

[[Testing for Command Injection|4.6.10 Testing for Command Injection]]

[[Testing for Buffer Overflow|4.6.11 Testing for Buffer overflow]]

[[Testing for Heap Overflow|4.6.11.1 Testing for Heap overflow]]

[[Testing for Stack Overflow|4.6.11.2 Testing for Stack overflow]]

[[Testing for Format String|4.6.11.3 Testing for Format string]]

[[Testing for Incubated Vulnerability|4.6.12 Testing for incubated vulnerabilities]]

[[Testing for Denial of Service|'''4.7 Testing for Denial of Service''']]

[[Testing for DoS Locking Customer Accounts|4.7.1 Testing for DoS Locking Customer Accounts]]

[[Testing for DoS Buffer Overflows|4.7.2 Testing for DoS Buffer Overflows]]

[[Testing for DoS User Specified Object Allocation|4.7.3 Testing for DoS User Specified Object Allocation]]

[[Testing for User Input as a Loop Counter|4.7.4 Testing for User Input as a Loop Counter]]

[[Testing for Writing User Provided Data to Disk|4.7.5 Testing for Writing User Provided Data to Disk]]

[[Testing for DoS Failure to Release Resources|4.7.6 Testing for DoS Failure to Release Resources]]

[[Testing for Storing too Much Data in Session|4.7.7 Testing for Storing too Much Data in Session]]

[[Testing for Web Services|'''4.8 Web Services Testing''']]

[[Testing for XML Structural|4.8.1 XML Structural Testing]]

[[Testing for XML Content-Level|4.8.2 XML Content-level Testing]]

[[Testing for WS HTTP GET parameters/REST attacks|4.8.3 HTTP GET parameters/REST Testing ]]

[[Testing for Naughty SOAP Attachments|4.8.4 Testing for Naughty SOAP attachments]]

[[Testing for WS Replay|4.8.5 WS Replay Testing]]

[[Client-Side Testing|(new)4.10 Client site testing]]

[[Testing for AJAX|(new) 4.10.1 AJAX Testing]]

[[Flash Testing|(new)4.10.2 Flash Testing]]

[[RIA Testing|(new)4.10.3 RIA Testing]]

==[[Writing Reports: value the real risk |(toimp)5. Writing Reports: value the real risk ]]==

[[How to value the real risk |5.1 How to value the real risk]]

[[How to write the report of the testing |5.2 How to write the report of the testing]]

OTGv3 team Discussion

Also see [http://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Startup http://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Startup].

 The new OWASP testing Guidev3:
 This [http://www.owasp.org/index.php/Image:Planning_OTGv3.doc document] analyze the OWASP Testing Guide v2 checklist and a plan for create the new v3.

* 1) Methodical Testing (new category) <-- (Mat) needs explanation
* 2) Authorization testing missing. (new category)
* 3) Information gathering is not a vulnerability
* 4) Business logic testing
* 5) Infrastructural test  (new category) *this has to only concentrate on 80 and 443 and other web related testing
* 6) Web Services section needs improvement
* 7) AJAX Testing section needs improvement
* 8) Testing Methodology section updates (requirements, plans, levels and environments)
* 9) New category: Client side Testing
* 10) New category: Thick Client Testing
* 11) New category: Flash/Silverlight Applications
* 12) New category: Assessing Financial Applications
* 13) New category: Fuzzing (we have the vectors, but this should explain the whole concept)

Proposed new categories for the OTG v3:
* OTG Form Templates
** OTG Request for Quote (RFQ) (new)
** OTG 3rd Party Assessment Authorization Form (new)
** OTG Sample Report (new)
* Passive Mode
* Information Gathering
* Business logic testing
* Web Application Penetration Testing
** Infrastructural testing
** Authentication Testing
** Authorization Testing (new)
** Session Management Testing
** Data Validation Testing
** Denial of Service Testing
** Web Services Testing
** Client-Side Testing
*** AJAX Testing
*** Flash Testing (new)
*** RIA stuff (new)

[[Category:OWASP Testing Project]]

OWASP Testing Guide v3 Table of Contents

2008-05-07T14:34:27Z

Kingthorin:

__NOTOC__

'''26th April 2008'''
This is the draft of table of content of the New Testing Guide.
You can download the stable version [http://www.owasp.org/index.php/Image:OWASP_Testing_Guide_v2_pdf.zip here] or read it on line [http://www.owasp.org/index.php/OWASP_Testing_Guide_v2_Table_of_Contents here]

Also see [http://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Startup http://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Startup].

 The new OWASP testing Guidev3:
 This [http://www.owasp.org/index.php/Image:Planning_OTGv3.doc document] analyze the OWASP Testing Guide v2 checklist and a plan for create the new v3.

* 1) Methodical Testing (new category)
* 2) Authorization testing missing. (new category)
* 3) Information gathering is not a vulnerability  not in report  Passive mode
* 4) Business logic testing  not in report  Passive mode
* 5) Infrastructural test  (new category) *this has to only concentrate on 80 and 443 and other web related testing
* 6) Web Services section needs improvement
* 7) AJAX Testing section needs improvement
* 8) Testing Methodology section updates (requirements, plans, levels and environments)
* 9) New category: Client side Testing
* 10) New category: Thick Client Testing
* 11) New category: Flash/Silverlight Applications
* 12) New category: Assessing Financial Applications
* 13) New category: Fuzzing (we have the vectors, but this should explain the whole concept)

Proposed new categories for the OTG v3:
* OTG Form Templates
** OTG Request for Quote (RFQ) (new)
** OTG 3rd Party Assessment Authorization Form (new)
** OTG Sample Report (new)
* Passive Mode
* Information Gathering
* Business logic testing
* Web Application Penetration Testing
** Infrastructural testing
** Authentication Testing
** Authorization Testing (new)
** Session Management Testing
** Data Validation Testing
** Denial of Service Testing
** Web Services Testing
** Client-Side Testing
*** AJAX Testing
*** Flash Testing (new)
*** RIA stuff (new)

[[Category:OWASP Testing Project]]

Talk:OWASP Testing Guide v3 Table of Contents

2008-05-01T14:10:19Z

Kingthorin: Consolidate Similar Pages?

There's an existing v3 Index Brainstorming page from 2007 http://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Startup
should it be combine with this page?
http://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Table_of_Contents 
Note http://www.owasp.org/index.php/OWASP_Testing_Project#Welcome_to_the_new_OWASP_Testing_Guide references both of them and the latest post to the mailing list only references one.

OWASP Testing Guide v3 Startup

2008-04-29T12:00:27Z

Kingthorin:

== Planning the new OWASP Testing Guide v3 ==

'''3rd October 2007: Startup v3''' 
The OWASP Testing Guide v2 was a great success, with thousand download and many many Companies that have adopted it as standard for a Web Application Penetration Testing. 
Now we would like to begin a new project that is based on v2 but improve it and complete it. 
 
In the OWASP Testing Guide v2 we have split the set of tests in 8 sub-categories:
* Information Gathering
* Business Logic Testing
* Authentication Testing
* Session Management Testing
* Data Validation Testing
* Denial of Service Testing
* Web Services Testing
* AJAX Testing

The following are my thoughts about the new OWASP Testing Guide v3:

1) Authorization testing missing. As Jeff and Dave said many time before it's important to create a new category. 
* This should include things which were in v1 but dropped from v2, like: OWASP-AC-003 : Authorization Parameter Manipulation, OWASP-AC-004 : Authorized pages/functions
2) Information gathering is not a set of vulnerabilities --> not in report --> new category: Passive mode 
3) Business logic testing --> not in report --> Passive mode 
4) Infrastructural test --> new category 
5) Web Services section needs improvement 
6) AJAX Testing section needs improvement 
7) New category: Client side Testing. AJAX and Flash Testing 

This [http://www.owasp.org/index.php/Image:Planning_OTGv3.doc document] analyzes the OWASP Testing Guide v2 vulnerabilities and a plan for create the new v3. 

The following clarifications/considerations also need to be made in preparation for v3: 
1) Are "OWASP-AUTHN-001 : Authentication endpoint request should be HTTPS" and "OWASP-AUTHN-003 : Credentials transport over an encrypted channel" as they were in v1 fully covered by "OWASP-IG-005 : SSL/TLS Testing"? 
2) Are "OWASP-AUTHN-009 : Password Structure" and "OWASP-AUTHN-010 : Blank Passwords" as they were in v1 fully covered by OWASP-AT-003 & OWASP-AT-001? 
3) Are all 5 AUTHSM references as they were in v1 fully covered by "OWASP-SM-001 : Session Management Schema"? 
4) What does "OWASP-DP-001 : Sensitive Data in HTML" fall under in v2/v3? 
5) Are all the SSL Data protection references (DP-003 through DP-007) from v1 fall under "OWASP-IG-005 : SSL/TLS Testing"? 
6) Is "OWASP-DS-001 : Locking Customer Accounts" a subset of AUTHN-008 in v1 or AT-006 in v2 or is it really an item on it's own? 
7) Are "OWASP-EH-002 : User Error Messages" and "OWASP-EH-001 : Application Error Messages" as they were in v1 meant to fall under "OWASP-IG-004 : Analysis of Error Codes"? If so where would things like overly specific authentication errors appear in the report? (If I understand correctly Information gathering isn't going to be reported) [This would be things like errors messages which actually specify "invalid username" or "invalid password" instead of "Error: the credentials provided are invalid" or similar generic messaging.]

OWASP Testing Guide v3 Startup

2008-04-29T11:55:56Z

Kingthorin:

== Planning the new OWASP Testing Guide v3 ==

'''3rd October 2007: Startup v3''' 
The OWASP Testing Guide v2 was a great success, with thousand download and many many Companies that have adopted it as standard for a Web Application Penetration Testing. 
Now we would like to begin a new project that is based on v2 but improve it and complete it. 
 
In the OWASP Testing Guide v2 we have split the set of tests in 8 sub-categories:
* Information Gathering
* Business Logic Testing
* Authentication Testing
* Session Management Testing
* Data Validation Testing
* Denial of Service Testing
* Web Services Testing
* AJAX Testing

The following are my thoughts about the new OWASP Testing Guide v3:

1) Authorization testing missing. As Jeff and Dave said many time before it's important to create a new category. 
* This should include things which were in v1 but dropped from v2, like: OWASP-AC-003 : Authorization Parameter Manipulation, OWASP-AC-004 : Authorized pages/functions
2) Information gathering is not a set of vulnerabilities --> not in report --> new category: Passive mode 
3) Business logic testing --> not in report --> Passive mode 
4) Infrastructural test --> new category 
5) Web Services section needs improvement 
6) AJAX Testing section needs improvement 
7) New category: Client side Testing. AJAX and Flash Testing 

This [http://www.owasp.org/index.php/Image:Planning_OTGv3.doc document] analyzes the OWASP Testing Guide v2 vulnerabilities and a plan for create the new v3. 

The following clarifications/considerations also need to be made in preparation for v3: 
1) Are "OWASP-AUTHN-001 : Authentication endpoint request should be HTTPS" and "OWASP-AUTHN-003 : Credentials transport over an encrypted channel" as they were in v1 fully covered by "OWASP-IG-005 : SSL/TLS Testing"? 
2) Are "OWASP-AUTHN-009 : Password Structure" and "OWASP-AUTHN-010 : Blank Passwords" as they were in v1 fully covered by OWASP-AT-003 & OWASP-AT-001? 
3) Are all 5 AUTHSM references as they were in v1 fully covered by "OWASP-SM-001 : Session Management Schema"? 
4) What does "OWASP-DP-001 : Sensitive Data in HTML" fall under in v2/v3? 
5) Are all the SSL Data protection references (DP-003 through DP-007) from v1 fall under "OWASP-IG-005 : SSL/TLS Testing"? 
6) Is "OWASP-DS-001 : Locking Customer Accounts" a subset of AUTHN-008 in v1 or AT-006 in v2 or is it really an item on it's own? 
7) Are "OWASP-EH-002 : User Error Messages" and "OWASP-EH-001 : Application Error Messages" as they were in v1 meant to fall under "OWASP-IG-004 : Analysis of Error Codes"? If so where would things like overly specific authentication errors appear in the report? (If I understand correctly Information gathering isn't going to be reported) [This would be things like errors messages which actually specify "invalid username" or "invalid password" instead of "Error: the credentials provided are invalid" or similar generic messaging.]

Category:OWASP Testing Project

2008-04-28T19:10:53Z

Kingthorin: Typo correction

{{OWASP Book|1375886}}

== Welcome to the new OWASP Testing Guide ==

=== OWASP Testing Guide v3: let's start! ===

26th April 2008: Thanks to the [http://www.owasp.org/index.php/OWASP_Summer_0f_Code_2008_:_Selection SoC 08 results] the planning stage has started for version 3.0 of the Testing Guide. If you have knowledge and experience in application testing, and can spare a few hours a week, please do get in [mailto:matteo.meucci@gmail.com touch]. Alternatively you can join the [http://lists.owasp.org/mailman/listinfo/owasp-testing OWASP Testing mailing list]. The project is lead by [[User:Mmeucci|Matteo Meucci]].

'''Planning the new Testing Guide v3:'''

'''I phase: create the Index'''
Call for participation.
[http://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Startup Index brainstorming]
Discuss the article content.
 Deadline: Sun 18th May 2008.

'''II phase: start writing'''
After creating the new [https://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Table_of_Contents Index], we will assign each paragraph to the volunteers, start writing!
Each author will write the article on the wiki and reviewed by the OWASP Testing guide team.
 Deadline: 30th June 2008

'''III phase: start reviewing'''
Create the reviewer team. Assign each new paragraph to the reviewer.
 Deadline: 20th July 2008

'''IV phase: Finalize the Guide'''
Create the doc and pdf format of the v3.
 Deadline: 15th August 2008

'''Project deadlines:'''
# 21st May: Project status presentation at the OWASP AppSec Euro 08 Conference in Belgium.
# 15th June - Participants to report on project status.
# 31th August - Project completion. Participants should deliver final project report.

===Roadmap===

View the [[OWASP Testing Project v3 Roadmap]]

=== Background and Motivation ===

'''History Behind Project'''
The Testing guide originated in 2003 with Dan Cuthbert as one of the original editors. It was handed over to [[User:EoinKeary|Eoin Keary]] in 2005 and transformed into a wiki.
Being a wiki it is easier for people to contribute and should make updating much easier.
[[User:Mmeucci|Matteo Meucci]] has decided to take on the Testing guide and update it creating the OWASP Testing Guide v2.

Now it's time to create a new Guide, improving each chapter and adding the new testing methodologies.

The OWASP Testing Guide is a defacto web application security assessment guide.

===Overview===

This projects goal is to create a "best practices" penetration testing framework which users can implement in their own organizations and a "low level" penetration testing guide that describes how to find certain issues.

===Volunteers needed===
Positions for v3 of the guide are now open!

If you have knowledge and experience in application testing, and can spare a few hours a week, please do get in [mailto:matteo.meucci@gmail.com touch]

===Testing Project Phase Three Guide(draft) ===

This is the working draft of the OWASP Testing Guide v3. Please login to make changes as you see fit. Changes will be vetted by the OWASP Testing Project team.

[[OWASP Testing Guide v3 Table of Contents|OWASP Testing Guide v3 Table of Contents]]

== Project History ==

=== OWASP Testing Guide v2 (stable release) ===

'''10th February 2007: The OWASP Testing Guide v2 is now published''' [[User:Mmeucci|Matteo Meucci]] (as part of his [[OWASP_Autumn_of_Code_2006_-_Projects:_Testing_Guide | AoC project]]) has just published the latest version of Testing guide which:
* you can read it on line on the [http://www.owasp.org/index.php/OWASP_Testing_Guide_v2_Table_of_Contents Testing Guide v2 wiki]
* or download the Guide in [http://www.owasp.org/index.php/Image:OWASP_Testing_Guide_v2_pdf.zip Adobe PDF format] or in [http://www.owasp.org/index.php/Image:OWASP_Testing_Guide_v2_doc.zip Ms Doc format]

'''OWASP Testing Guide v2 in Spanish:''' Now you can get a complete translation in [http://www.owasp.org/index.php/Image:OWASP_Testing_Guide_v2_spanish_doc.zip Ms Doc format]

For comments or questions, please join the [http://lists.owasp.org/mailman/listinfo/owasp-testing OWASP Testing mailing list], read our archive and share your ideas. Alternatively you can contact [[User:EoinKeary|Eoin Keary]] or [[User:Mmeucci|Matteo Meucci]] directly.

Here you can find:
* [http://www.owasp.org/index.php/Testing_Guide_Quotes The OWASP Testing Guide 'Quotes']
* [http://www.owasp.org/index.php/OWASP_Testing_Guide_Presentations Testing Guide presentations]

=== The OWASP Testing Guide v2 - Request for Review ===

'''10th January 2007: The OWASP Testing Guide v2 is now in its final stages''' [[User:Mmeucci|Matteo Meucci]] (as part of his [[OWASP_Autumn_of_Code_2006_-_Projects:_Testing_Guide | AoC project]]) has just published the latest version of Testing guide which:
* you can read it on line on the [http://www.owasp.org/index.php/OWASP_Testing_Guide_v2_Table_of_Contents Testing Guide v2 wiki - 'Release Candidate 1']
* or download the Guide in [http://www.owasp.org/index.php/Image:OWASP_Testing_Guide_v2_RC1_pdf.zip Adobe PDF format] or [http://www.owasp.org/index.php/Image:OWASP_Testing_Guide_v2_RC1_doc.zip Ms Doc format]

'''So what we need now (until 10th of February) is for you to review it.''' Please let us know any mistakes made, and if you feel that there is something missing, please help yourself and edit the relevant WIKI page.

For comments or questions, please use the 'Discussion' pages or email [[User:EoinKeary|Eoin Keary]] or [[User:Mmeucci|Matteo Meucci]] directly.

The current plan is to create a 'published' version of this guide on the 10th of February which will be sent to all OWASP members in book format.

If you want to participate see the [[OWASP_Testing_Project_v2.0_-_Review_Guidelines]] page for the lastest updates

=== Old Testing Guide Download===

A copy of the old guide (The OWASP Testing Guide v1.1) is available [[http://prdownloads.sourceforge.net/owasp/OWASPWebAppPenTestList1.1.pdf?download here]], it shall also be available in HTML format on the forthcoming OWASP Live CD.
A PDF copy shall also be available to download.

'''OWASP Pen Test Checklist in Italian'''
Sun May 22 10:56:39 EDT 2005
I'm glad to announce we have released OWASP Pen Test Checklist in Italian. Thanks to the Italian Chapter, Massimiliano and Matteo for it's great effort to have this document translated. You can download this version in[http://www.owasp.org/docroot/owasp/misc/OWASPWebAppPenTestList1.1_ITA.pdf PDF] or [http://www.owasp.org/docroot/owasp/misc/OWASPWebAppPenTestList1.1_ITA.doc Word]

'''Checklist ver 1.17 in Spanish'''
Mon Apr 04 15:37:24 EDT 2005
I'm glad to announce we have released OWASP Pen Test Checklist ver 1.17 in Spanish.Thanks to Pedro, Raul and Rogelio for it's great effort to have this document translated and to Christian by helping out with technical edition. You can download this version [http://www.owasp.org/docroot/owasp/misc/testing_spanish.pdf PDF] or [http://www.owasp.org/docroot/owasp/misc/testing_spanish.doc Word]

'''THE OWASP Testing Project Live CD'''
The OWASP testing project is currently implementing an Application security Live CD. 
LabRat Version 0.8 Alpha is just weeks away from Beta testing*.

The aim of this CD is to have a complete testing suite on one Disk. The CD shall also contain the forthcoming OWASP Testing guide.

The Live CD now has its own section you can find it here:
[http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project]

==Feedback and Participation==

We hope you find the information in the OWASP Testing project useful. Please contribute back to the project by sending your comments, questions, and suggestions to the OWASP Testing mailing list. Thanks!

To join the OWASP Testing mailing list or view the archives, please visit the [http://lists.owasp.org/mailman/listinfo/owasp-testing subscription page].

[[Category:OWASP Project]]

OWASP Testing Guide v3 Startup

2008-04-08T11:57:27Z

Kingthorin:

Category talk:OWASP Testing Project

2008-03-05T15:39:54Z

Kingthorin: /* Version 2 vs Version 1 */

[[Typos]]

----

Hi all. I ´ ve been having a look at Owasp guide pages and contents, and I have doubts because of typos or perhaps not completely well explained facts. In Dinis Cruz first announcement mail you can read:

'' The current plan is to create a 'published' version of this guide on the 10th of February which will be sent as a book to all OWASP members''

But in that same email, the linked page that targets to reviewing guidelines, I found different dates to the email message. At first I read in [http://www.owasp.org/index.php/OWASP_Testing_Project_v2.0_-_Review_Guidelines#Timelines timelines] section

# 11th January 2007: Review process begins
# 11th January 2007: Review process ends

That I am almost completely secure it is wrong, and so I edited te page to put February the 11th in the reviewing process end. But it keeps mismatching with the time the email says, may you please address this issue? Thank you very much.

I send a copy of this message both to wiki discussion page and email to the guide responsibles.

== Version 2 vs Version 1 ==

I was recently reviewing the version 2 testing guide http://www.owasp.org/index.php/Image:OWASP_Testing_Guide_v2_doc.zip, I was wondering if this is meant to compliment the older version 1 checklists/docs or replace them?

Looking at the reporting table in v2 (pgs 258 to 261) for example, does "OWASP-AT-001 : Default or guessable account" replace the older "OWASP-AUTHN-004 : Default Accounts"?

I'm guessing that v2 replaces the older stuff since there seems to be a lot of overlap, but I wanted to confirm. [[User:Kingthorin|Kingthorin]] 14:53, 22 February 2008 (EST)
: Answer can be found here: https://lists.owasp.org/pipermail/owasp-testing/2008-March/001442.html [[User:Kingthorin|Kingthorin]] 10:39, 5 March 2008 (EST)

User talk:Alison.McNamee

2008-03-04T15:05:18Z

Kingthorin: Replacing page with 'Disregard my previous talk post, I spoke with Eoin and decided to post to the list. ~~~~'

Disregard my previous talk post, I spoke with Eoin and decided to post to the list. [[User:Kingthorin|Kingthorin]] 10:05, 4 March 2008 (EST)

User talk:Alison.McNamee

2008-03-04T13:26:13Z

Kingthorin:

Hi Allison I see that you seem to be rather active on the owasp site I was wondering if you could answer the following question.

I was recently reviewing the version 2 testing guide http://www.owasp.org/index.php/Image:OWASP_Testing_Guide_v2_doc.zip, I was wondering if this is meant to compliment the older version 1 checklists/docs or replace them?

Looking at the reporting table in v2 (pgs 258 to 261) for example, does "OWASP-AT-001 : Default or guessable account" replace the older "OWASP-AUTHN-004 : Default Accounts"?

I'm guessing that v2 replaces the older stuff since there seems to be a lot of overlap, but I wanted to confirm since v2 does not seem to cover absolutely everything that v1 did. The http://www.owasp.org/index.php/OWASP_Testing_Project does not make this clear at all.

I tried emailing Matteo Meucci (matteo <dot> meucci <at> owasp <dot> org) but did not get a reply.

I'm also curious about the status of v3.

Thanks!
[[User:Kingthorin|Kingthorin]] 08:26, 4 March 2008 (EST)

User talk:Alison.McNamee

2008-03-04T13:25:55Z

Kingthorin: OWASP Testing Guide V2 vs v1

User talk:Kingthorin

2008-02-22T19:55:53Z

Kingthorin: Welcome

== Welcome ==

This is probably the best way to interact with me, although I can't guarantee how diligent I will be in maintaining/reviewing this page. Notifications are sent when it's updated though so we should be fine.

User:Kingthorin

2008-02-22T19:54:28Z

Kingthorin:

My user page.....I'll update this someday. [[User:Kingthorin|Kingthorin]] 14:54, 22 February 2008 (EST)

User:Kingthorin

2008-02-22T19:53:59Z

Kingthorin: New page: kingthorin's talk page

kingthorin's talk page

Category talk:OWASP Testing Project

2008-02-22T19:53:43Z

Kingthorin:

Category talk:OWASP Testing Project

2008-02-22T19:52:27Z

Kingthorin: New section: Version 2 vs Version 1