#REDIRECT [[OWASP_Testing_Guide_v3_Table_of_Contents]]

Note: This page is no longer in use; it contained the 1st version of the OWASP Testing Guide.

Please refer to this URL for the Testing Guide v3:
http://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Table_of_Contents

The superseded table of contents of the 1st version is preserved below.

==[[Introduction]]==
#How To Go About Performing An Application Security Review
#Principles of Testing
#Testing Techniques Explained

==[[Methodologies Used]]==
#Secure application design
#Code Review
#*Overview
#*Advantages and Disadvantages
#Penetration Testing
#*Overview
#*Advantages and Disadvantages
#The Need for a Balanced Approach
#A Note about Web Application Scanners
#A Note about Static Source Code Review Tools

==[[Finding Specific Issues In a Non-Technical Manner]]==
#Threat Modeling Introduction
#Design Reviews
#Threat Modeling the Application
#Policy Reviews
#Requirements Analysis
#Developer Interviews and Interaction

==[[Finding Specific Vulnerabilities Using Source Code Review]]==
#Gathering the information
#*Context, Context, Context
#*The Checklist
#*The Code Base
#*Transactional Analysis
#Source code examples
#Authentication & Authorisation
#*How to locate the potentially vulnerable code
#Buffer Overruns and Overflows
#*How to locate the potentially vulnerable code
#*Vulnerable Patterns for buffer overflows
#*Good Patterns & procedures to prevent buffer overflows
#Data Validation
#*Canonicalization of input
#**Data validation strategy
#*Good Patterns for Data validation
#**Framework Example
#*Data validation of parameter names
#*Web services data validation
#Error, Exception handling & Logging
#*Releasing resources and good housekeeping
#OS Injection
#SQL Injection
#*How to Locate potentially vulnerable code
#*Best practices when dealing with DBs
#Threat Modeling
#*Overview
#*Advantages and Disadvantages
#**Advantages
#**Disadvantages

==[[Manual testing techniques]]==
#Business logic testing - <TBD>
#Authentication
#*Default or guessable user accounts
#**Causes
#**Blackbox Testing
#**Manual
#**Suggested Tools - <TBD>
#**Whitebox Testing
#**Further Reading
#Cookie manipulation
#*Short Description of Issue
#*How to Test
#*Black Box
#*Cookie reverse engineering
#*Cookie manipulation
#*Brute force
#**Cookie predictability
#*Overflow
#*White Box
#*Examples
#*Whitepapers
#*Tools
#Weak Session Tokens
#*Blackbox Testing
#*Manual
#*Suggested Tools
#*Whitebox Testing
#*Further Reading
#Session riding
#*How to Test
#*Black Box
#*White Box
#*References
#*Examples
#*Whitepapers
#*Tools
#Vulnerable remember password implementation
#*Blackbox Testing
#*Manual
#*Suggested Tools
#*Whitebox Testing
#*Further Reading
#Weak Password Self-Reset Testing
#*Blackbox Testing
#*Manual
#Default or Guessable User Accounts and Empty Passwords
#*Blackbox Testing
#*Manual
#*Suggested Tools
#*Whitebox Testing
#*Further Reading
#Application Layer Denial of Service (DoS) Attacks
#DoS: Locking Customer Accounts
#*Black Box Testing
#*White Box Testing
#DoS: Buffer Overflows
#*Code Example
#*Testing Black Box
#*Testing White Box
#DoS: User Specified Object Allocation
#*Code Example
#*Testing Black Box
#*Testing White Box
#DoS: User Input as a Loop Counter
#*Code Example
#*Testing Black Box
#*Testing White Box
#DoS: Writing User Provided Data to Disk
#*Testing Black Box
#*Testing White Box
#DoS: Failure to Release Resources
#*Code Example
#*Testing Black Box
#*Testing White Box
#DoS: Storing too Much Data in Session
#*Testing Black Box
#*Testing White Box
#*Other References
#Buffer Overflow
#*Buffer Overflow – Heap Overflow Vulnerability
#**How to Test
#**Black Box
#**White Box
#*Buffer Overflow – Stack Overflow Vulnerability
#**How to Test
#**Black Box
#**White Box
#**References
#**Examples
#**Whitepapers
#**Tools
#*Buffer Overflow – Format String Vulnerability
#**Black Box
#**White Box
#**References
#**Whitepapers
#**Tools
#Test and debug files
#*How to Test
#*Black Box
#*White Box
#*References - <TBD>
#*Examples
#*Whitepapers
#*Tools
#File extensions handling
#*How to Test
#*Black Box
#*White Box
#*References
#*Examples
#*Whitepapers
#*Tools
#Old, backup and unreferenced files
#*Threats
#*Countermeasures
#*How to Test
#*Black Box
#*White Box
#*Tools
#Defense from Automatic Attacks
#*Blackbox Testing
#*Manual
#*Suggested Tools
#*Whitebox Testing
#*Further Reading
#*SSL usage during whole session (see recent post on Webappsec regarding this) [Yvan Boily]
#Configuration Management Infrastructure
#*Review of the application architecture
#*Known server vulnerabilities
#*Administrative tools
#*Authentication back-ends
#Configuration Management Application
#*Sample/known files and directories
#*Comment review
#*Configuration review
#*Logging
#*Log location
#*Log storage
#*Log rotation
#*Log review
#Sensitive data in URLs
#*Hashing sensitive data
#SSL / TLS cipher specifications and requirements for site
#*How to Test
#*Black Box
#*White Box
#*References
#*Examples
#*Whitepapers
#*Tools
#How to Test
#*Black Box
#*White Box
#References
#*Examples
#*Whitepapers
#Tools
#*Language/Services/Application Specific Testing
#Web Services Security Testing
#*Notes
#*How to Test
#*Transport Layer Security
#*Message Layer Security
#*Application Layer Security
#*References
#*Examples
#*Whitepapers
#*Analyzing Results

==[[The OWASP Testing Framework]]==
#Overview
#Phase 1: Before Development Begins
#*Phase 1A: Policies and Standards Review
#*Phase 1B: Develop Measurement and Metrics Criteria (Ensure Traceability)
#Phase 2: During Definition and Design
#*Phase 2A: Security Requirements Review
#*Phase 2B: Design and Architecture Review
#*Phase 2C: Create and Review UML Models
#*Phase 2D: Create and Review Threat Models
#Phase 3: During Development
#*Phase 3A: Code Walkthroughs
#*Phase 3B: Code Reviews
#Phase 4: During Deployment
#*Phase 4A: Application Penetration Testing
#*Phase 4B: Configuration Management Testing
#Phase 5: Maintenance and Operations
#*Phase 5A: Conduct Operational Management Reviews
#*Phase 5B: Conduct Periodic Health Checks
#*Phase 5C: Ensure Change Verification
#A Typical SDLC Testing Workflow
#*Figure 3: Typical SDLC Testing Workflow.

==[[Appendix A: Testing Tools]]==
#Source Code Analyzers
#*Open Source / Freeware
#*Commercial
#Black Box Scanners
#*Open Source
#*Commercial
#Other Tools
#*Runtime Analysis
#*Binary Analysis
#*Requirements Management

==[[Appendix B: Suggested Reading]]==
#Whitepapers
#Books
#Articles
#Useful Websites
#*OWASP — http://www.owasp.org

==[[Figures]]==
#Figure 1: Proportion of Test Effort in SDLC.
#Figure 2: Proportion of Test Effort According to Test Technique.
#Figure 3: Typical SDLC Testing Workflow.

[[Category:OWASP Testing Guide Project]]