This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP Testing Guide v2 Table of Contents"

From OWASP
Jump to: navigation, search
m (Typo.)
 
(263 intermediate revisions by 21 users not shown)
Line 1: Line 1:
Legend:<br>
+
__NOTOC__
Rewiew: Matteo Meucci<br>
 
TD: Paragraph To Be Assigned<br>
 
  
[[http://www.owasp.org/index.php/OWASP_Autumn_of_Code_2006_-_Projects:_Testing_Guide OWASP Testing Guide AoC]]
+
Please go [http://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Table_of_Contents here] for the last release of the OWASP Testing Guide.
 
 
 
 
==[[Testing Guide Frontispiece AoC|Frontispiece]]==
 
'''1.1 Copyright and License'''                                        (100%, Review)<br>
 
'''1.2 Endorsements'''                                         (100%, Review)<br>
 
'''1.3 Trademarks'''                                                 (100%, Review)<br>
 
 
 
==[[Testing Guide Introduction AoC|Introduction]]==
 
'''2.1 The OWASP Testing Project'''                                      (100%, Review)<br>
 
'''2.2 Principles of Testing'''                                          (100%, Review)<br>
 
'''2.3 Testing Techniques Explained'''                                    (100%, Review)<br>
 
 
 
==[[The OWASP Testing Framework AoC|The OWASP Testing Framework]]==
 
'''3.1. Overview'''                                        (90%, Review)<br>
 
'''3.2. Phase 1 — Before Development Begins '''(100%, Review)<br>
 
'''3.3. Phase 2: During Definition and Design'''(100%, Review)<br>
 
'''3.4. Phase 3: During Development'''(100%, Review)<br>
 
'''3.5. Phase 4: During Deployment'''(100%, Review)<br>
 
'''3.6. Phase 5: Maintenance and Operations'''(100%, Review)<br>
 
'''3.7. A Typical SDLC Testing Workflow '''(100%, Review)<br>
 
 
 
==[[Web Application Penetration Testing AoC |Web Application Penetration Testing ]]==
 
'''4.1 Introduction and objectives'''                               (0%, TD)<br>
 
'''4.2 Information Gathering'''                        (0%, Carlo Pelliccioni)<br>
 
4.2.1 Spidering and googling                        (0%, Tom Brennan)<br>
 
4.2.2 Analisys of error code                        (0%, TD)<br>
 
4.2.3 Infrastructure configuration management testing                        (0%, TD)<br>
 
4.2.3.1 SSL/TLS Testing                        (0%, TD)<br>
 
4.2.3.2 DB Listener Testing                        (0%, TD)<br>
 
4.2.4 Application configuration management testing                        (0%, TD)<br>
 
4.2.4.1 File extensions handling                        (0%, TD)<br>
 
4.2.4.1 Old, backup and unreferenced files                        (0%, TD)<br>
 
'''4.3 Business logic testing'''                                        (50%,Madhura Halasgikar)<br>
 
'''4.4 Authentication Testing'''                                     (50%,        TD)<br>
 
4.4.1 Default or guessable (dictionary) user account              (90%,        TD)<br>
 
4.4.2 Brute Force                                                  (0%,        TD)<br>
 
4.4.3 Bypassing authentication schema                              (0%,        TD)<br>
 
4.4.4 Directory traversal/file include                            (0%,        TD)<br>
 
4.4.5 Vulnerable remember password and pwd reset                  (90%,        TD)<br>
 
4.4.6 Logout and account expiry                                       (0%,        TD)<br>
 
'''4.5 Session Management Testing'''                                        (0%,        TD)<br>
 
4.5.1 Cookie and Session token Manipulation(reg, forg/brute force)  (100%,      Review) <br> 
 
4.5.2 Weak session tokens                                     (70%,        TD)<br>
 
4.5.3 Session Riding                                             (100%,      Review)<br>
 
4.5.4 Exposed session variables                               (0%        ,TD)<br>
 
4.5.5 HTTP Exploit                                                (0%,        TD)<br>
 
'''4.6 Data Validation Testing'''                                        0%        TD <br>
 
4.6.1 Cross site scripting (0%, Tom Brennan) <br>
 
4.6.1.1 HTTP Methods and XST 0% TD <br>
 
4.6.2 SQL Injection (0%, Antonio Parata) <br>
 
4.6.2.1 Stored procedure injection 0% TD <br>
 
4.6.2.2 Oracle testing 0% TD <br>
 
4.6.2.3 MySQL testing 0% TD <br>
 
4.6.2.4 SQL Server testing (0%,Ariel Waissbein)<br>
 
4.6.3 ORM Injection (0%, TD) <br>
 
4.6.4 LDAP Injection (0%, TD) <br>
 
4.6.5 XML Injection (0%, Antonio Parata) <br>
 
4.6.6 SSI Injection (0%, TD) <br>
 
4.6.7 XPath Injection (0%, Antonio Parata) <br>
 
4.6.8 IMAP/SMTP Injection (0%, TD) <br>
 
4.6.9 Code Injection (0%, TD) <br>
 
4.6.10 OS Commanding (0%, TD) <br>
 
4.6.11 Buffer overflow Testing 100% Review <br>
 
4.6.11.1 Heap overflow 100% Review <br>
 
4.6.11.2 Stack overflow 100% Review <br>
 
4.6.11.3 Format string 100% Review <br>
 
4.6.12 Incubated vulnerability testing (0%,Ariel Waissbein) <br>
 
'''4.7 Denial of Service Testing'''                                    95%        Review<br>
 
4.7.1 Locking Customer Accounts                                  100%        Review<br>
 
4.7.2 Buffer Overflows                                          100%        Review <br>
 
4.7.3 User Specified Object Allocation                          100%        Review<br>
 
4.7.4 User Input as a Loop Counter                              100%        Review<br>
 
4.7.5 Writing User Provided Data to Disk                        100%        Review<br>
 
4.7.6 Failure to Release Resources                              100%        Review<br>
 
4.7.7 Storing too Much Data in Session                            90%        Review<br>
 
'''4.8 Web Services Testing''' (0%,Eoin Keary, Mark Roxberry)<br>
 
4.8.1 XML Structural Attacks                                      0%<br>
 
4.8.2 XML content-level attacks                           0%<br>
 
4.8.3 HTTP GET parameters/REST attacks                       0%<br>
 
4.8.4 Naughty SOAP attachments                               0%<br>
 
4.8.5 Brute force attacks                                       0%<br>
 
 
 
'''4.9 AJAX Testing'''    (0%, Dan Cornell)<br>
 
4.9.1 Vulnerabilities                                       0%<br>
 
4.9.2  How to test                                               0%<br>
 
 
 
==[[Writing Reports: value the real risk AoC |Writing Reports: value the real risk ]]==
 
'''5.1 How to value the real risk'''                               (0%, Daniel Cuthbert)<br>
 
'''5.2 How to write the report of the testing'''                       (0%, Daniel Cuthbert, Tom Brennan) TD<br>
 
 
 
==[[Appendix A: Testing Tools |Appendix A: Testing Tools ]]==
 
  1. Source Code Analyzers
 
          * Open Source / Freeware
 
          * Commercial
 
  2. Black Box Scanners
 
          * Open Source
 
          * Commercial
 
  3. Other Tools
 
          * Runtime Analysis
 
          * Binary Analysis
 
          * Requirements Management
 
 
 
==[[OWASP Testing Guide Appendix B: Suggested Reading | Appendix B: Suggested Reading]]==
 
  1. Whitepapers
 
  2. Books
 
  3. Articles
 
  4. Useful Websites
 
  5. OWASP — http://www.owasp.org
 
 
 
==[[OWASP Testing Guide Appendix C: Fuzz Vectors | Appendix C: Fuzz Vectors]]==
 

Latest revision as of 17:07, 1 August 2013


Please go here for the last release of the OWASP Testing Guide.

Retrieved from "https://wiki.owasp.org/index.php?title=OWASP_Testing_Guide_v2_Table_of_Contents&oldid=156347"