This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "OWASP Testing Guide v4 Table of Contents"
| Line 97: | Line 97: | ||
[[Testing for configuration management|'''4.3 Configuration and Deploy Management Testing ''']] | [[Testing for configuration management|'''4.3 Configuration and Deploy Management Testing ''']] | ||
| − | Infrastructure Configuration management weakness | + | Infrastructure Configuration management weakness<br> |
| − | Application Configuration management weakness | + | Application Configuration management weakness<br> |
| − | File extensions handling | + | File extensions handling<br> |
| − | Old, backup and unreferenced files | + | Old, backup and unreferenced files<br> |
| − | Access to Admin interfaces | + | Access to Admin interfaces<br> |
| − | Bad HTTP Methods enabled, [new] | + | Bad HTTP Methods enabled, [new]<br> |
| − | Informative Error Messages | + | Informative Error Messages<br> |
| − | Database credentials/connection strings available | + | Database credentials/connection strings available<br> |
[[Testing for authentication|'''4.4 Authentication Testing ''']] [To review--> contributor here] | [[Testing for authentication|'''4.4 Authentication Testing ''']] [To review--> contributor here] | ||
| − | Credentials transport over an unencrypted channel | + | Credentials transport over an unencrypted channel <br> |
| − | User enumeration (also Guessable user account) | + | User enumeration (also Guessable user account) <br> |
| − | Default passwords | + | Default passwords <br> |
| − | Weak lock out mechanism [New!] | + | Weak lock out mechanism [New!] <br> |
| − | Account lockout DoS [New!] | + | Account lockout DoS [New!]<br> |
| − | Bypassing authentication schema | + | Bypassing authentication schema<br> |
| − | Directory traversal/file include | + | Directory traversal/file include <br> |
| − | vulnerable remember password | + | vulnerable remember password <br> |
| − | Logout function not properly implemented | + | Logout function not properly implemented <br> |
| − | browser cache weakness [New!] | + | browser cache weakness [New!]<br> |
| − | Weak Password policy [New!] | + | Weak Password policy [New!]<br> |
| − | Weak username policy [New!] | + | Weak username policy [New!]<br> |
| − | weak security question answer [New!] | + | weak security question answer [New!]<br> |
| − | Failure to Restrict access to authenticated resource [New!] | + | Failure to Restrict access to authenticated resource [New!]<br> |
| − | Weak password change function [New!] | + | Weak password change function [New!]<br> |
[[Testing for Session Management|'''4.5 Session Management Testing''']] | [[Testing for Session Management|'''4.5 Session Management Testing''']] | ||
| − | Bypassing Session Management Schema | + | Bypassing Session Management Schema <br> |
| − | Weak Session Token | + | Weak Session Token <br> |
| − | Cookies are set not ‘HTTP Only’, ‘Secure’, and no time validity | + | Cookies are set not ‘HTTP Only’, ‘Secure’, and no time validity<br> |
| − | Exposed sensitive session variables | + | Exposed sensitive session variables <br> |
| − | CSRF | + | CSRF <br> |
| − | Session passed over http [New!] | + | Session passed over http [New!] <br> |
| − | Session token within URL [New!] | + | Session token within URL [New!]<br> |
| − | Session Fixation | + | Session Fixation <br> |
| − | Session token not removed on server after logout [New!] | + | Session token not removed on server after logout [New!]<br> |
| − | Persistent session token [New!] | + | Persistent session token [New!]<br> |
| − | Session token not restrcited properly (such as domain or path not set properly) [New!] | + | Session token not restrcited properly (such as domain or path not set properly) [New!]<br> |
[[Testing for Authorization|'''4.6 Authorization Testing''']] | [[Testing for Authorization|'''4.6 Authorization Testing''']] | ||
| − | Bypassing authorization schema | + | Bypassing authorization schema <br> |
| − | Privilege Escalation | + | Privilege Escalation <br> |
| − | Insecure Direct Object References | + | Insecure Direct Object References <br> |
| − | Failure to Restrict access to authorized resource [New!] | + | Failure to Restrict access to authorized resource [New!]<br> |
[[Testing for business logic (OWASP-BL-001)|'''4.7 Business Logic Testing (OWASP-BL-001)''']] [To review--> contributor here] | [[Testing for business logic (OWASP-BL-001)|'''4.7 Business Logic Testing (OWASP-BL-001)''']] [To review--> contributor here] | ||
Revision as of 15:30, 30 August 2012
This is DRAFT of the table of content of the New Testing Guide v4.
You can download the stable version here
Back to the OWASP Testing Guide Project: http://www.owasp.org/index.php/OWASP_Testing_Project
Updated: 28th August 2012
The following are the main improvements we have to realize:
(1) - Add new testing techniques and OWASP Top10 update:
- Testing for HTTP Verb tampering
- Testing for HTTP Parameter Pollutions
- Testing for URL Redirection
- Testing for Insecure Direct Object References
- Testing for Insecure Cryptographic Storage
- Testing for Failure to Restrict URL Access
- Testing for Insufficient Transport Layer Protection
- Testing for Unvalidated Redirects and Forwards.
(2) - Review and improve all the sections in v3,
(3) - Create a more readable guide, eliminating some sections that are not
really useful, Rationalize some sections as Session Management Testing.
(4) Pavol says: - add new opensource testing tools that appeared during last 3 years (and are missing in the OWASP Testing Guide v3)
- add few useful and life-scenarios of possible vulnerabilities in Bussiness Logic Testing (many testers have no idea what vulnerabilities in Business Logic exactly mean)
- "Brute force testing" of "session ID" is missing in "Session Management Testing", describe other tools for Session ID entropy analysis (e.g. Stompy)
- in "Data Validation Testing" describe some basic obfuscation methods for malicious code injection including the statements how it is possible to detect it (web application obfuscation is quite succesfull in bypassing many data validation controls)
- split the phase Logout and Browser Cache Management" into two sections
The following is a DRAFT of the Toc based on the feedback already received.
T A B L E o f C O N T E N T S (DRAFT)
==Foreword by OWASP Chair== [To review--> OWASP Chair]
==1. Frontispiece== [To review--> Mat]
1.1 About the OWASP Testing Guide Project [To review--> Mat]
1.2 About The Open Web Application Security Project [To review--> ]
2. Introduction
2.1 The OWASP Testing Project
2.2 Principles of Testing
2.3 Testing Techniques Explained
2.4 Security requirements test derivation,functional and non functional test requirements, and test cases through use and misuse cases
3. The OWASP Testing Framework
3.1. Overview
3.2. Phase 1: Before Development Begins
3.3. Phase 2: During Definition and Design
3.4. Phase 3: During Development
3.5. Phase 4: During Deployment
3.6. Phase 5: Maintenance and Operations
3.7. A Typical SDLC Testing Workflow
4. Web Application Penetration Testing
4.1 Introduction and Objectives [To review--> Mat]
4.1.1 Testing Checklist [To review at the end of brainstorming --> Mat]
4.2 Information Gathering [To review--> contributor here]
4.3 Configuration and Deploy Management Testing
Infrastructure Configuration management weakness
Application Configuration management weakness
File extensions handling
Old, backup and unreferenced files
Access to Admin interfaces
Bad HTTP Methods enabled, [new]
Informative Error Messages
Database credentials/connection strings available
4.4 Authentication Testing [To review--> contributor here]
Credentials transport over an unencrypted channel
User enumeration (also Guessable user account)
Default passwords
Weak lock out mechanism [New!]
Account lockout DoS [New!]
Bypassing authentication schema
Directory traversal/file include
vulnerable remember password
Logout function not properly implemented
browser cache weakness [New!]
Weak Password policy [New!]
Weak username policy [New!]
weak security question answer [New!]
Failure to Restrict access to authenticated resource [New!]
Weak password change function [New!]
4.5 Session Management Testing
Bypassing Session Management Schema
Weak Session Token
Cookies are set not ‘HTTP Only’, ‘Secure’, and no time validity
Exposed sensitive session variables
CSRF
Session passed over http [New!]
Session token within URL [New!]
Session Fixation
Session token not removed on server after logout [New!]
Persistent session token [New!]
Session token not restrcited properly (such as domain or path not set properly) [New!]
Bypassing authorization schema
Privilege Escalation
Insecure Direct Object References
Failure to Restrict access to authorized resource [New!]
4.7 Business Logic Testing (OWASP-BL-001) [To review--> contributor here]
4.8 Data Validation Testing [To review--> contributor here]
Reflected XSS
Stored XSS
HTTP Verb Tampering [New!]
HTTP Parameter pollution [New!]
Unvalidated Redirects and Forwards [New!]
SQL Injection
LDAP Injection
ORM Injection
XML Injection
SSI Injection
XPath Injection
SOAP Injection
IMAP/SMTP Injection
Code Injection
OS Commanding
Buffer overflow
Incubated vulnerability
HTTP Splitting/Smuggling
[Testing for Data Encryption]
Application did not use encryption
Weak SSL/TSL Ciphers, Insufficient
Transport Layer Protection
Cacheable HTTPS Response
Cache directives insecure
Insecure Cryptographic Storage [CR Guide: but if the pwd reset
Sensitive information sent via unencrypted
channels
[ XML Interpreter ?]
Weak XML Structure XML content-level WS HTTP GET parameters/REST WS Naughty SOAP attachments WS Replay Testing
[ Client Side Testing ]
DOM XSS
Cross Site Flashing
ClickHijacking
5. Writing Reports: value the real risk
5.1 How to value the real risk [To review--> contributor here]
5.2 How to write the report of the testing [To review--> contributor here]
Appendix A: Testing Tools
- Black Box Testing Tools [To review--> contributor here]
- Source Code Analyzers [To review--> contributor here]
- Other Tools [To review--> contributor here]
Appendix B: Suggested Reading
- Whitepapers [To review--> contributor here]
- Books [To review--> contributor here]
- Useful Websites [To review--> contributor here]
Appendix C: Fuzz Vectors
- Fuzz Categories [To review--> contributor here]
Appendix D: Encoded Injection
[To review--> contributor here]
