|
|
| (293 intermediate revisions by 21 users not shown) |
| Line 1: |
Line 1: |
| − | ==[[Testing Guide Frontispiece AoC|Frontispiece]]==
| + | __NOTOC__ |
| − | #Copyright and License (100%, Review)
| |
| − | #Endorsements (100%, Review)
| |
| − | #Trademarks (100%, Review)
| |
| | | | |
| − | ==[[Testing Guide Introduction AoC|Introduction]]==
| + | Please go [http://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Table_of_Contents here] for the last release of the OWASP Testing Guide. |
| − | 2.1 The OWASP Testing Project
| |
| − | 2.2 The Economics of Insecure Software
| |
| − | 2.3 Scope of this Document
| |
| − | 2.4 The Software Development Life Cycle Process
| |
| − | 2.5 The Scope of What To Test
| |
| − | 2.6 How To Go About Performing An Application Security Review
| |
| − | 2.7 Principles of Testing
| |
| − | 2.8 Testing Techniques Explained
| |
| − | 2.9 Manual Inspections & Reviews
| |
| − | 2.10 Threat Modeling
| |
| − | 2.11 Source Code Review
| |
| − | 2.12 Penetration Testing
| |
| − | 2.13 The Need for a Balanced Approach
| |
| − | 2.14 A Note about Web Application Scanners
| |
| − | | |
| − | ==[[The OWASP Testing Framework AoC|The OWASP Testing Framework]]==
| |
| − | 3. The OWASP Testing Framework 20% (Review) <br>
| |
| − | '''3.1. Overview'''<br>
| |
| − | '''3.2. Phase 1 — Before Development Begins <br>'''
| |
| − | * Phase 1A: Policies and Standards Review <br>
| |
| − | * Phase 1B: Develop Measurement and Metrics Criteria (Ensure Traceability) <br>
| |
| − | '''3.3. Phase 2: During Definition and Design<br>'''
| |
| − | * Phase 2A: Security Requirements Review<br>
| |
| − | * Phase 2B: Design an Architecture Review<br>
| |
| − | * Phase 2C: Create and Review UML Models<br>
| |
| − | * Phase 2D: Create and Review Threat Models <br>
| |
| − | '''3.4. Phase 3: During Development<br>'''
| |
| − | * Phase 3A: Code Walkthroughs<br>
| |
| − | * Phase 3B: Code Reviews <br>
| |
| − | '''3.5. Phase 4: During Deployment<br>'''
| |
| − | * Phase 4A: Application Penetration Testing<br>
| |
| − | * Phase 4B: Configuration Management Testing <br>
| |
| − | '''3.6. Phase 5: Maintenance and Operations<br>'''
| |
| − | * Phase 5A: Conduct Operational Management Reviews<br>
| |
| − | * Phase 5B: Conduct Periodic Health Checks<br>
| |
| − | * Phase 5C: Ensure Change Verification <br>
| |
| − | '''3.7. A Typical SDLC Testing Workflow <br>'''
| |
| − | * Figure 3: Typical SDLC Testing Workflow <br>
| |
| − | '''3.8 Methodologies Used (Review)<br>'''
| |
| − | 3.8.1 The goal 50% TD<br>
| |
| − | 3.8.2 Overview of Approaches 50% TD<br>
| |
| − | 3.8.3 Security Requirements Review 0% TD<br>
| |
| − | 3.8.4 Security Architecture Review 0% TD<br>
| |
| − | 3.8.5 Code Review 50% TD<br>
| |
| − | 3.8.6 Automated Code Scanning 0% TD<br>
| |
| − | 3.8.7 Penetration Testing 50% TD<br>
| |
| − | 3.8.8 Automated Vulnerability Scanning 0% TD<br>
| |
| − | | |
| − | ==[[Web Application Penetration Testing AoC |Web Application Penetration Testing ]]==
| |
| − | '''4.1 Introduction and objectives''' 0% TD<br>
| |
| − | '''4.2 Information Gathering (spider, google)''' 0% TD<br>
| |
| − | '''4.3 Business logic testing''' 50% TD<br>
| |
| − |
| |
| − | '''4.4 Authentication Testing''' 50% TD<br>
| |
| − | 4.4.1 Default or guessable (dictionary) user account 90% TD<br>
| |
| − | 4.4.2 Brute Force 0% TD<br>
| |
| − | 4.4.3 Bypassing authentication schema 0% TD<br>
| |
| − | 4.4.4 Vulnerable remember password and pwd reset 90% TD<br>
| |
| − | 4.4.5 Logout and account expiry 0% TD<br>
| |
| − |
| |
| − | '''4.5 Session Management Testing''' 0% TD<br>
| |
| − | 4.5.1 Cookie and Session token Manipulation(reg, forg/brute force) 100% Review <br>
| |
| − | 4.5.2 Weak session tokens 70% TD<br>
| |
| − | 4.5.3 Session Riding 100% Review<br>
| |
| − | 4.5.4 Exposed session variables 0% TD<br>
| |
| − | 4.5.5 HTTP Exploit 0% TD<br>
| |
| − |
| |
| − | '''4.6 Data Validation Testing''' 0% TD <br>
| |
| − | 4.6.1 Cross site scripting 0% TD<br>
| |
| − | 4.6.1.1 Incubated attacks 0% TD<br>
| |
| − | 4.6.1.2 Phishing (using javascript) 0% TD<br>
| |
| − | 4.6.1.3 HTTP Methods + XSS (TRACE) 0% TD<br>
| |
| − | 4.6.2 SQL Injection 0% TD<br>
| |
| − | 4.6.2.1 Oracle, mySQL, SQL Server, TeraData 0% TD <br>
| |
| − | 4.6.2.2 Extended stored procedures 0% TD<br>
| |
| − | 4.6.2.3 Stored procedure injection 0% TD<br>
| |
| − | 4.6.2.4 Oracle +SQLServer ports and attacks 0% TD<br>
| |
| − | 4.6.2.5 Listener attacks etc. 1521 1433 1527 0% TD<br>
| |
| − | 4.6.3 Orm injection 0% TD<br>
| |
| − | 4.6.4 Ldap injection 0% TD<br>
| |
| − | 4.6.5 Xml injection 0% TD<br>
| |
| − | 4.6.6 Code injection 0% TD<br>
| |
| − | 4.6.7 Buffer overflow Testing 100% Review <br>
| |
| − | 4.6.7.1 Heap overflow 100% Review<br>
| |
| − | 4.6.7.2 Stack overflow 100% Review<br>
| |
| − | 4.6.7.3 Format string 100% Review<br>
| |
| − |
| |
| − | '''4.7 Denial of Service Testing''' 95% Review<br>
| |
| − | 4.7.1 Locking Customer Accounts 100% Review<br>
| |
| − | 4.7.2 Buffer Overflows 100% Review <br>
| |
| − | 4.7.3 User Specified Object Allocation 100% Review<br>
| |
| − | 4.7.4 User Input as a Loop Counter 100% Review<br>
| |
| − | 4.7.5 Writing User Provided Data to Disk 100% Review<br>
| |
| − | 4.7.6 Failure to Release Resources 100% Review<br>
| |
| − | 4.7.7 Storing too Much Data in Session 90% Review<br>
| |
| − | | |
| − | '''4.8 Infrastructure and configuration Testing''' 0% TD<br>
| |
| − | 4.8.1 Intro and objective 0% TD<br>
| |
| − | 4.8.2 Infrastructure configuration management testing 100% TD<br>
| |
| − | 4.8.3 Application configuration management testing 100% TD<br>
| |
| − | 4.8.4 Old, backup and unreferenced files 100% TD<br>
| |
| − | 4.8.5 File extensions handling 90% TD<br>
| |
| − | 4.8.6 Analisys of error code 50% TD<br>
| |
| − | 4.8.7 SSL/TLS Testing: support of weak ciphers and cert validity 100% TD<br>
| |
| − | 4.8.8 Testing defense from Automatic attacks (maybe a duplicate) 10% TD<br>
| |
| − |
| |
| − | '''4.9 Web Services Testing''' 0% TD<br>
| |
| − | 4.9.1 XML Structural Attacks 0% TD<br>
| |
| − | 4.9.2 XML content-level attacks 0% TD<br>
| |
| − | 4.9.3 HTTP GET parameters/REST attacks 0% TD<br>
| |
| − | 4.9.4 Naughty SOAP attachments 0% TD<br>
| |
| − | 4.9.5 Brute force attacks 0% TD<br>
| |
| − | | |
| − | '''4.10 AJAX Testing''' 0% TD<br>
| |
| − | 4.10.1 Vulnerabilities 0% TD<br>
| |
| − | 4.10.2 How to test 0% TD<br>
| |
| − | | |
| − | ==[[Writing Reports: value the real risk AoC |Writing Reports: value the real risk ]]==
| |
| − | '''5.1 How to value the real risk''' 0% TD<br>
| |
| − | '''5.2 How to write the report of the testing''' 0% TD<br>
| |
| − | | |
| − | ==[[Appendix A: Testing Tools |Appendix A: Testing Tools ]]==
| |
| − | 1. Source Code Analyzers
| |
| − | * Open Source / Freeware
| |
| − | * Commercial
| |
| − | 2. Black Box Scanners
| |
| − | * Open Source
| |
| − | * Commercial
| |
| − | 3. Other Tools
| |
| − | * Runtime Analysis
| |
| − | * Binary Analysis
| |
| − | * Requirements Management
| |
| − | | |
| − | ==[[OWASP Testing Guide Appendix B: Suggested Reading | Appendix B: Suggested Reading]]==
| |
| − | 1. Whitepapers
| |
| − | 2. Books
| |
| − | 3. Articles
| |
| − | 4. Useful Websites
| |
| − | 5. OWASP — http://www.owasp.org
| |
| − | | |
| − | ==[[OWASP Testing Guide Appendix C: Fuzz Vectors | Appendix C: Fuzz Vectors]]==
| |
