This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP Testing Guide Table of Contents"

From OWASP
Jump to: navigation, search
(Fixed categories.)
(Changed V2 to V3, Redirect to v3)
 
(45 intermediate revisions by 8 users not shown)
Line 1: Line 1:
==[[Testing Guide Frontispiece|Frontispiece]]==
+
#REDIRECT [[OWASP_Testing_Guide_v3_Table_of_Contents]]
#Copyright and License
 
#Endorsements
 
#Trademarks
 
  
==[[Testing Guide Introduction|Introduction]]==
+
Note: This page is not in use any more since it contained the 1st version of the OWASP Testing guide
#Performing An Application Security Review
 
#Principles of Testing
 
#Testing Techniques Explained
 
  
==[[Methodologies Used]]==
+
PLEASE, REFER TO THIS URL FOR THE TESTING GUIDE V3:
#Secure application design
+
http://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Table_of_Contents
#Code Review (See the code review project)
 
#*Overview
 
#*Advantages and Disadvantages
 
#Penetration Testing
 
#*Overview
 
#*Advantages and Disadvantages
 
#The Need for a Balanced Approach
 
#A Note about Web Application Scanners
 
#A Note about Static Source Code Review Tools
 
 
 
==[[Finding Specific Issues In a Non-Technical Manner]]==
 
#Threat Modeling Introduction
 
#Design Reviews
 
#Threat Modeling the Application
 
#Policy Reviews
 
#Requirements Analysis
 
#Developer Interviews and Interaction
 
 
 
==[[Finding Specific Vulnerabilities Using Source Code Review]]==
 
#Gathering the information
 
#*Context, Context, Context
 
#*The Checklist
 
#*The Code Base
 
#*Transactional Analysis
 
#Source code examples
 
#Authentication & Authorisation
 
#*How to locate the potentially vulnerable code
 
#Buffer Overruns and Overflows
 
#*How to locate the potentially vulnerable code:
 
#*Vulnerable Patterns for buffer overflows
 
#*Good Patterns & procedures to prevent buffer overflows
 
#Data Validation
 
#*Canoncalization of input.
 
#**Data validation strategy
 
#*Good Patterns for Data validation
 
#**Framework Example
 
#*Data validation of parameter names
 
#*Web services data validation
 
#Error, Exception handling & Logging
 
#*Releasing resources and good housekeeping
 
#OS Injection
 
#SQL Injection
 
#*How to Locate potentially vulnerable code
 
#*Best practices when dealing with DB’s
 
#Threat Modeling
 
#*Overview
 
#*Advantages and Disadvantages
 
#**Advantages
 
#**Disadvantage
 
 
 
==[[Manual testing techniques]]==
 
#[[Business logic testing]] - <TBD>
 
#[[Authentication Testing Guide|Authentication]]
 
#*Default or guessable user accounts
 
#** Causes
 
#** Blackbox Testing
 
#** Manual
 
#** Suggested Tools - <TBD>
 
#** Whitebox Testing
 
#** Further Reading
 
#[[Cookie manipulation]]
 
#*Short Description of Issue
 
#*How to Test
 
#*Black Box
 
#*Cookie reverse engineering
 
#*Cookie manipulation
 
#*Brute force
 
#**Cookie predictability
 
#**335697#**
 
#*Overflow
 
#*White Box
 
#*Examples
 
#*Whitepapers
 
#*Tools
 
#[[Weak Session Tokens]]
 
#*Blackbox Testing
 
#*Manual
 
#*Suggested Tools
 
#*Whitebox Testing
 
#*Further Reading
 
#[[Session riding]]
 
#*How to Test
 
#*Black Box
 
#*White Box
 
#*References
 
#*Examples
 
#*Whitepapers
 
#*Tools
 
#[[Vulnerable remember password implementation]]
 
#*Blackbox Testing
 
#*Manual
 
#*Suggested Tools:
 
#*Whitebox Testing
 
#*Further Reading
 
#[[Weak Password Self-Reset Testing]]
 
#*Blackbox Testing
 
#*Manual
 
#[[Default or Guessable User Accounts and Empty Passwords]]
 
#*Blackbox Testing
 
#*Manual
 
#*Suggested Tools
 
#*Whitebox Testing
 
#*Further Reading
 
#[[Application Layer Denial of Service (DoS) Attacks]]
 
#[[DoS: Locking Customer Accounts]]
 
#*Black Box Testing
 
#*White Box Testing
 
#[[DoS: Buffer Overflows]]
 
#*Code Example
 
#*Testing Black Box
 
#*Testing White Box
 
#[[DoS: User Specified Object Allocation]]
 
#*Code Example
 
#*Testing Black Box
 
#*Testing White Box
 
#[[DoS: User Input as a Loop Counter]]
 
#*Code Example
 
#*Testing Black Box
 
#*Testing White Box
 
#[[DoS: Writing User Provided Data to Disk]]
 
#*Testing Black Box
 
#*Testing White Box
 
#[[DoS: Failure to Release Resources]]
 
#*Code Example
 
#*Testing Black Box
 
#*Testing White Box
 
#[[DoS: Storing too Much Data in Session]]
 
#*Testing Black Box
 
#*Testing White Box
 
#*Other References
 
#[[Buffer Overflow Testing Guide|Buffer Overflow]]
 
#*Buffer Overflow – Heap Overflow Vulnerability
 
#**How to Test
 
#**Black Box
 
#**White Box
 
#*Buffer Overflow – Stack Overflow Vulnerability
 
#**How to Test
 
#**Black Box
 
#**White Box
 
#**References
 
#**Examples
 
#**Whitepapers
 
#**Tools
 
#*Buffer Overflow – Format String Vulnerability
 
#**Black Box
 
#**White Box
 
#**References
 
#**Whitepapers
 
#**Tools
 
#[[Test and debug files]]
 
#*How to Test
 
#*Black Box
 
#*White Box
 
#*References - <TBD>
 
#*Examples
 
#*Whitepapers
 
#*Tools
 
#[[File extensions handling]]
 
#*How to Test
 
#*Black Box
 
#*White Box
 
#*References
 
#*Examples
 
#*Whitepapers
 
#*Tools
 
#[[Old, backup and unreferenced files]]
 
#*Threats
 
#*Countermeasures
 
#*How to Test
 
#*Black Box
 
#*White Box
 
#**Tools
 
#[[Defense from Automatic Attacks]]
 
#*Blackbox Testing
 
#*Manual
 
#*Suggested Tools
 
#*Whitebox Testing
 
#*Further Reading
 
#*SSL usage during whole session (see recent post on Webappsec regarding this) [Yvan Boily ([email protected]) ]
 
#[[Configuration Management Infrastructure]]
 
#*Review of the application architecture
 
#*Known server vulnerabilities
 
#*Administrative tools
 
#*Authentication back-ends
 
#*Configuration Management Application
 
#*Sample/known files and directories
 
#*Comment review
 
#*Configuration review
 
#*Logging
 
#*Log location
 
#*Log storage
 
#*Log rotation
 
#*Log review
 
#[[Sensitive data in URL’s]]
 
#*Hashing sensitive data
 
#[[SSL / TLS cipher specifications and requirements for site]]
 
#*How to Test
 
#*Black Box
 
#*White Box
 
#** References
 
#*Examples
 
#*Whitepapers
 
#Tools
 
#[[How to Test]]
 
#*Black Box
 
#*White Box
 
#[[References]]
 
#*Examples
 
#*Whitepapers
 
#[[Testing Tools|Tools]]
 
#*Language/Services/Application Specific Testing
 
#[[Web Services Security Testing]]
 
#*Notes
 
#*How to Test
 
#*Transport Layer Security
 
#*Message Layer Security
 
#*Application Layer Security
 
#*References
 
#*Examples
 
#*Whitepapers
 
#*Analyzing Results
 
 
 
==[[The OWASP Testing Framework]]==
 
#Overview
 
#Phase 1 — Before Development Begins
 
#*Phase 1A: Policies and Standards Review
 
#*Phase 1B: Develop Measurement and Metrics Criteria (Ensure Traceability)
 
#Phase 2: During Definition and Design
 
#*Phase 2A: Security Requirements Review
 
#*Phase 2B: Design an Architecture Review
 
#*Phase 2C: Create and Review UML Models
 
#*Phase 2D: Create and Review Threat Models
 
#Phase 3: During Development
 
#*Phase 3A: Code Walkthroughs
 
#*Phase 3B: Code Reviews
 
#Phase 4: During Deployment
 
#*Phase 4A: Application Penetration Testing
 
#*Phase 4B: Configuration Management Testing
 
#Phase 5: Maintenance and Operations
 
#*Phase 5A: Conduct Operational Management Reviews
 
#*Phase 5B: Conduct Periodic Health Checks
 
#*Phase 5C: Ensure Change Verification
 
#A Typical SDLC Testing Workflow
 
#* Figure 3: Typical SDLC Testing Workflow.
 
 
 
==[[Appendix A: Testing Tools]]==
 
#Source Code Analyzers
 
#Open Source / Freeware
 
#*Commercial
 
#Black Box Scanners
 
#*Open Source
 
#*Commercial
 
#Other Tools
 
#*Runtime Analysis
 
#*Binary Analysis
 
#*Requirements Management
 
 
 
==[[Appendix B: Suggested Reading]]==
 
#Whitepapers
 
#Books
 
#Articles
 
#Useful Websites
 
#OWASP — http://www.owasp.org
 
 
 
==[[Figures]]==
 
#Figure 1: Proportion of Test Effort in SDLC.
 
#Figure 2: Proportion of Test Effort According to Test Technique.
 
#Figure 3: Typical SDLC Testing Workflow.
 
 
 
[[Category:OWASP Testing Project]]
 
[[Category:Test]]
 

Latest revision as of 23:27, 17 September 2013

Note: This page is not in use any more since it contained the 1st version of the OWASP Testing guide

PLEASE, REFER TO THIS URL FOR THE TESTING GUIDE V3: http://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Table_of_Contents