This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
OWASP Autumn of Code 2006 - Projects: Testing Guide - Index
This page contains content that is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were once valid but may now link to sites or pages that no longer exist.
Please use the newer Edition(s) like OWASP Testing Guide
-
Legend:
Review: M.Meucci
TD: Paragraph to be assigned
Frontispiece
- Copyright and License (100%, Review)
- Endorsements (100%, Review)
- Trademarks (100%, Review)
Introduction
- Performing An Application Security Review 0% TD
- Principles of Testing 0% TD
- Testing Techniques Explained 0% TD
The OWASP Testing Framework
3. The OWASP Testing Framework 20% (Review)
3.1. Overview
3.2. Phase 1 — Before Development Begins
- Phase 1A: Policies and Standards Review
- Phase 1B: Develop Measurement and Metrics Criteria (Ensure Traceability)
3.3. Phase 2: During Definition and Design
- Phase 2A: Security Requirements Review
- Phase 2B: Design an Architecture Review
- Phase 2C: Create and Review UML Models
- Phase 2D: Create and Review Threat Models
3.4. Phase 3: During Development
- Phase 3A: Code Walkthroughs
- Phase 3B: Code Reviews
3.5. Phase 4: During Deployment
- Phase 4A: Application Penetration Testing
- Phase 4B: Configuration Management Testing
3.6. Phase 5: Maintenance and Operations
- Phase 5A: Conduct Operational Management Reviews
- Phase 5B: Conduct Periodic Health Checks
- Phase 5C: Ensure Change Verification
3.7. A Typical SDLC Testing Workflow
- Figure 3: Typical SDLC Testing Workflow
3.8 Methodologies Used (Review)
3.8.1 The goal 50% TD
3.8.2 Overview of Approaches 50% TD
3.8.3 Security Requirements Review 0% TD
3.8.4 Security Architecture Review 0% TD
3.8.5 Code Review 50% TD
3.8.6 Automated Code Scanning 0% TD
3.8.7 Penetration Testing 50% TD
3.8.8 Automated Vulnerability Scanning 0% TD
Manual testing techniques
4.1 Introduction and objectives 0% TD
4.2 Information Gathering (spider, google) 0% TD
4.3 Business logic testing 50% TD
4.4 Authentication Testing 50% TD
4.4.1 Default or guessable (dictionary) user account 90% TD
4.4.2 Brute Force 0% TD
4.4.3 Bypassing authentication schema 0% TD
4.4.4 Vulnerable remember password and pwd reset 90% TD
4.4.5 Logout and account expiry 0% TD
4.5 Session Management Testing 0% TD
4.5.1 Cookie and Session token Manipulation(reg, forg/brute force) 100% Review
4.5.2 Weak session tokens 70% TD
4.5.3 Session Riding 100% Review
4.5.4 Exposed session variables 0% TD
4.5.5 HTTP Exploit 0% TD
4.6 Data Validation Testing 0% TD
4.6.1 Cross site scripting 0% TD
4.6.1.1 Incubated attacks 0% TD
4.6.1.2 Phishing (using javascript) 0% TD
4.6.1.3 HTTP Methods + XSS (TRACE) 0% TD
4.6.2 SQL Injection 0% TD
4.6.2.1 Oracle, mySQL, SQL Server, TeraData 0% TD
4.6.2.2 Extended stored procedures 0% TD
4.6.2.3 Stored procedure injection 0% TD
4.6.2.4 Oracle +SQLServer ports and attacks 0% TD
4.6.2.5 Listener attacks etc. 1521 1433 1527 0% TD
4.6.3 Orm injection 0% TD
4.6.4 Ldap injection 0% TD
4.6.5 Xml injection 0% TD
4.6.6 Code injection 0% TD
4.6.7 Buffer overflow Testing 100% Review
4.6.7.1 Heap overflow 100% Review
4.6.7.2 Stack overflow 100% Review
4.6.7.3 Format string 100% Review
4.7 Denial of Service Testing 95% Review
4.7.1 Locking Customer Accounts 100% Review
4.7.2 Buffer Overflows 100% Review
4.7.3 User Specified Object Allocation 100% Review
4.7.4 User Input as a Loop Counter 100% Review
4.7.5 Writing User Provided Data to Disk 100% Review
4.7.6 Failure to Release Resources 100% Review
4.7.7 Storing too Much Data in Session 90% Review
4.8 Infrastructure and configuration Testing 0% TD
4.8.1 Intro and objective 0% TD
4.8.2 Infrastructure configuration management testing 100% TD
4.8.3 Application configuration management testing 100% TD
4.8.4 Old, backup and unreferenced files 100% TD
4.8.5 File extensions handling 90% TD
4.8.6 Analisys of error code 50% TD
4.8.7 SSL/TLS Testing: support of weak ciphers and cert validity 100% TD
4.8.8 Testing defense from Automatic attacks (maybe a duplicate) 10% TD
4.9 Web Services Testing 0% TD
4.9.1 XML Structural Attacks 0% TD
4.9.2 XML content-level attacks 0% TD
4.9.3 HTTP GET parameters/REST attacks 0% TD
4.9.4 Naughty SOAP attachments 0% TD
4.9.5 Brute force attacks 0% TD
4.10 AJAX Testing 0% TD
4.10.1 Vulnerabilities 0% TD
4.10.2 How to test 0% TD
Writing Reports: value the real risk
5.1 How to value the real risk 0% TD
5.2 How to write the report of the testing 0% TD
Appendix A: Testing Tools
1. Source Code Analyzers * Open Source / Freeware * Commercial 2. Black Box Scanners * Open Source * Commercial 3. Other Tools * Runtime Analysis * Binary Analysis * Requirements Management
Appendix B: Suggested Reading
1. Whitepapers 2. Books 3. Articles 4. Useful Websites 5. OWASP — http://www.owasp.org
Appendix C: Fuzz Vectors
Version 0.1 (October 4th)
Paragraph___________________________________________________|__State___|___Action___|___Author___
1 Frontispiece
2.1 Copyright and License 100% Review 2.2 Endorsements 100% Review 2.3 Trademarks 100% Review
2. Introduction
1. Performing An Application Security Review 0% TD 2. Principles of Testing 0% TD 3. Testing Techniques Explained 0% TD
3. Methodologies Used (Review)
3.1 The goal 50% TD 3.2 Overview of Approaches 50% TD 3.3 Security Requirements Review 0% TD 3.4 Security Architecture Review 0% TD 3.5 Code Review 50% TD 3.6 Automated Code Scanning 0% TD 3.7 Penetration Testing 50% TD 3.8 Automated Vulnerability Scanning 0% TD
4. Finding Specific Issues In a Non-Technical Manner (Review)
4.1. Threat Modeling Introduction 0% TD 4.2. Design Reviews 0% TD 4.3. Threat Modeling the Application 0% TD 4.4. Policy Reviews 0% TD 4.5. Requirements Analysis 0% TD 4.6. Developer Interviews and Interaction 0% TD
5. Finding Specific Vulnerabilities Using Source Code Review
5.1 For code review please see the OWASP Code Review Project
6. Manual testing techniques (Review)
6.1 Introduction and objectives 0% TD 6.2 Information Gathering (spider, google) 0% TD 6.3 Business logic testing 50% TD
6.4 Authentication Testing 50% TD 6.4.1 Default or guessable (dictionary) user account 90% TD 6.4.2 Brute Force 0% TD 6.4.3 Bypassing authentication schema 0% TD 6.4.4 Vulnerable remember password and pwd reset 90% TD 6.4.5 Logout and account expiry 0% TD
6.5 Session Management Testing 0% TD 6.5.1 Cookie and Session token Manipulation (regeneration, forging/brute force) 100% Review 6.5.2 Weak session tokens 70% TD 6.5.3 Session Riding 100% Review 6.5.4 Exposed session variables 0% TD 6.5.5 HTTP Exploit 0% TD
6.6 Data Validation Testing 0% TD 6.6.1 Cross site scripting 0% TD 6.6.1.1 Incubated attacks 0% TD 6.6.1.2 Phishing (using javascript) 0% TD 6.6.1.3 HTTP Methods + XSS (TRACE) 0% TD 6.6.2 SQL Injection 0% TD 6.6.2.1 Oracle, mySQL, SQL Server, TeraData 0% TD 6.6.2.2 Extended stored procedures 0% TD 6.6.2.3 Stored procedure injection 0% TD 6.6.2.4 Oracle +SQLServer ports and attacks 0% TD 6.6.2.5 Listener attacks etc. 1521 1433 1527 0% TD 6.6.3 Orm injection 0% TD 6.6.4 Ldap injection 0% TD 6.6.5 Xml injection 0% TD 6.6.6 Code injection 0% TD
6.7 Denial of Service Testing 95% Review 6.7.1 Locking Customer Accounts 100% Review 6.7.2 Buffer Overflows 100% Review 6.7.3 User Specified Object Allocation 100% Review 6.7.4 User Input as a Loop Counter 100% Review 6.7.5 Writing User Provided Data to Disk 100% Review 6.7.6 Failure to Release Resources 100% Review 6.7.7 Storing too Much Data in Session 90% Review
6.8 Buffer overflow Testing 100% Review 6.8.1 Heap overflow 100% Review 6.8.2 Stack overflow 100% Review 6.8.3 Format string 100% Review
6.9 Infrastructure and configuration Testing 0% TD 6.9.1 Intro and objective 0% TD 6.9.2 Infrastructure configuration management testing 100% TD 6.9.3 Application configuration management testing 100% TD
6.9.4 Old, backup and unreferenced files 100% TD 6.9.5 File extensions handling 90% TD 6.9.6 Analisys of error code 50% TD 6.9.7 SSL/TLS Testing: support of weak 100% TD ciphers and certificate validity 6.9.8 Testing defense from Automatic 10% TD Attacks (maybe a duplicate)
6.10 Web Services Testing 0% TD 6.10.1 XML Structural Attacks 0% TD 6.10.2 XML content-level attacks 0% TD 6.10.3 HTTP GET parameters/REST attacks 0% TD 6.10.4 Naughty SOAP attachments 0% TD 6.10.5 Brute force attacks 0% TD
6.11 AJAX Testing 0% TD 6.11.1 Vulnerabilities 0% TD 6.11.2 How to test 0% TD
7. The OWASP Testing Framework 95% (Review)
7.1. Overview 7.2. Phase 1 — Before Development Begins * Phase 1A: Policies and Standards Review * Phase 1B: Develop Measurement and Metrics Criteria (Ensure Traceability) 7.3. Phase 2: During Definition and Design * Phase 2A: Security Requirements Review * Phase 2B: Design an Architecture Review * Phase 2C: Create and Review UML Models * Phase 2D: Create and Review Threat Models 7.4. Phase 3: During Development * Phase 3A: Code Walkthroughs * Phase 3B: Code Reviews 7.5. Phase 4: During Deployment * Phase 4A: Application Penetration Testing * Phase 4B: Configuration Management Testing 7.6. Phase 5: Maintenance and Operations * Phase 5A: Conduct Operational Management Reviews * Phase 5B: Conduct Periodic Health Checks * Phase 5C: Ensure Change Verification 7.7. A Typical SDLC Testing Workflow * Figure 3: Typical SDLC Testing Workflow.
Appendix A: Testing Tools 95% (Review)
1. Source Code Analyzers * Open Source / Freeware * Commercial 2. Black Box Scanners * Open Source * Commercial 3. Other Tools * Runtime Analysis * Binary Analysis * Requirements Management
Appendix B: Suggested Reading 95% (Review)
1. Whitepapers 2. Books 3. Articles 4. Useful Websites 5. OWASP — http://www.owasp.org
Appendix C: Fuzz Vectors 95% (Review)