Difference between revisions of "OWASP Testing Guide v4 Table of Contents"

@@ Line 1: / Line 1: @@
+{{OWASP Breakers}}
 __NOTOC__
-'''This is the DRAFT of the table of content of the New Testing Guide v4.'''<br>
+'''This is the FINAL table of content of the New Testing Guide v4.'''<br>
-<br>You can download the stable version v3 [http://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf here] <br>
+<br>You can download the Guide [https://www.owasp.org/images/1/19/OTGv4.pdf here] <br>
 Back to the OWASP Testing Guide Project:
 http://www.owasp.org/index.php/OWASP_Testing_Project
-'''Updated: 15th February 2013'''
+'''Testing Guide Wiki last Updated: April 2016'''
-[[ OWTGv4 Contributors list|'''Contributors List]]
+[[ OWTGv4 Contributors list|'''Contributors List''']]
 ----
-The following is a DRAFT of the Toc based on the feedback already received.
+== Table of Contents ==
-== Table of Contents ==
 ==[[Testing Guide Foreword|Foreword by Eoin Keary]]==
-[To review--> Eoin Keary -> Done!!]
 ==[[Testing Guide Frontispiece |1. Frontispiece]]==
-[To review--> Mat]
 '''[[Testing Guide Frontispiece|1.1 About the OWASP Testing Guide Project]]'''
-[To review--> Mat]
 '''[[About The Open Web Application Security Project|1.2 About The Open Web Application Security Project]]'''
-[To review--> ]
 ==[[Testing Guide Introduction|2. Introduction]]==
-'''2.1 The OWASP Testing Project'''
+'''[[Testing Guide Introduction#The_OWASP_Testing Project|2.1 The OWASP Testing Project]]'''
-'''2.2 Principles of Testing'''
+'''[[Testing Guide Introduction#Principles_of_Testing|2.2 Principles of Testing]]'''
-'''2.3 Testing Techniques Explained'''
+'''[[Testing Guide Introduction#Testing_Techniques_Explained|2.3 Testing Techniques Explained]]'''
-.4 [https://www.owasp.org/index.php/Testing_Guide_Introduction#Security_Requirements_Test_Derivation Security requirements test derivation],[https://www.owasp.org/index.php/Testing_Guide_Introduction#Functional_and_Non_Functional_Test_Requirements functional and non functional test requirements], and [https://www.owasp.org/index.php/Testing_Guide_Introduction#Test_Cases_Through_Use_and_Misuse_Cases test cases through use and misuse cases]
+'''[[Testing Guide Introduction#Manual_Inspections_.26_Reviews|2.4 Manual Inspections & Reviews]]'''
-.5 [https://www.owasp.org/index.php/Testing_Guide_Introduction#Security_Test_Data_Analysis_and_Reporting Security test data analysis and reporting: root cause identification and business/role case test data reporting]
+'''[[Testing Guide Introduction#Threat_Modeling|2.5 Threat Modeling]]'''
-==[[The OWASP Testing Framework|3. The OWASP Testing Framework]]==
+'''[[Testing Guide Introduction#Source_Code_Review|2.6 Source Code Review]]'''
-'''3.1. Overview'''
+'''[[Testing Guide Introduction#Penetration_Testing|2.7 Penetration Testing]]'''
-'''3.2. Phase 1: Before Development Begins '''
+'''[[Testing Guide Introduction#The_Need_for_a_Balanced_Approach|2.8 The Need for a Balanced Approach]]'''
-'''3.3. Phase 2: During Definition and Design'''
+'''[[Testing Guide Introduction#Deriving_Security_Test_Requirements|2.9 Deriving Security Test Requirements]]'''
-'''3.4. Phase 3: During Development'''
+'''[[Testing Guide Introduction#Security_Tests_Integrated_in_Development_and_Testing_Workflows|2.10 Security Tests Integrated in Development and Testing Workflows]]'''
-'''3.5. Phase 4: During Deployment'''
+'''[[Testing Guide Introduction#Security_Test_Data_Analysis_and_Reporting|2.11 Security Test Data Analysis and Reporting]]'''
-'''3.6. Phase 5: Maintenance and Operations'''
+==[[The OWASP Testing Framework|3. The OWASP Testing Framework]]==
-'''3.7. A Typical SDLC Testing Workflow '''
-==[[Web Application Penetration Testing |4. Web Application Penetration Testing ]]==
+'''[[The_OWASP_Testing_Framework#Overview|3.1 Overview]]'''
-[[Testing: Introduction and objectives|'''4.1 Introduction and Objectives''']] [To review--> Mat]
+'''[[The_OWASP_Testing_Framework#Phase_1:_Before_Development_Begins|3.2 Phase 1: Before Development Begins]]'''
-[[Testing Checklist| 4.1.1 Testing Checklist]] [To review at the end of brainstorming --> Mat]
+'''[[The_OWASP_Testing_Framework#Phase_2:_During_Definition_and_Design|3.3 Phase 2: During Definition and Design]]'''
+'''[[The_OWASP_Testing_Framework#Phase_3:_During_Development|3.4 Phase 3: During Development]]'''
-[[Testing Information Gathering|'''4.2 Information Gathering ''']]
+'''[[The_OWASP_Testing_Framework#Phase_4:_During_Deployment|3.5 Phase 4: During Deployment]]'''
-[[Testing: Search engine discovery/reconnaissance (OWASP-IG-002)|4.2.1 Conduct Search Engine Discovery and Reconnaissance for Information Leakage (OTG-INFO-001) ]] formerly "Search Engine Discovery/Reconnaissance (OWASP-IG-002)"
+'''[[The_OWASP_Testing_Framework#Phase_5:_Maintenance_and_Operations|3.6 Phase 5: Maintenance and Operations]]'''
-[[Testing for Web Application Fingerprint (OWASP-IG-004)|4.2.2 Fingerprint Web Server (OTG-INFO-002) ]] formerly "Testing for Web Application Fingerprint (OWASP-IG-004)"
+'''[[The_OWASP_Testing_Framework#A_Typical_SDLC_Testing_Workflow|3.7 A Typical SDLC Testing Workflow]]'''
-[[Testing: Spiders, Robots, and Crawlers (OWASP-IG-001)|4.2.3 Review Webserver Metafiles for Information Leakage (OTG-INFO-003) ]] formerly "Spiders, Robots and Crawlers (OWASP-IG-001)"
+'''[[Penetration testing methodologies |3.8 Penetration Testing Methodologies]]'''
-[[Testing for Application Discovery (OWASP-IG-005)|4.2.4 Enumerate Applications on Webserver (OTG-INFO-004) ]] formerly "Application Discovery (OWASP-IG-005)"
+==[[Web Application Penetration Testing |4. Web Application Security Testing]]==
-[[Testing Review webpage comments and metadata(OWASP-IG-007)|4.2.5 Review Webpage Comments and Metadata for Information Leakage (OTG-INFO-005) ]] formerly "Review webpage comments and metadata(OWASP-IG-007)"
+[[Testing: Introduction and objectives|'''4.1 Introduction and Objectives''']]
-[[Testing: Identify application entry points (OWASP-IG-003)|4.2.6 Identify application entry points (OTG-INFO-006) ]] formerly "Identify application entry points (OWASP-IG-003)"
+[[Testing Checklist| 4.1.1 Testing Checklist]]
-[[Testing Identify application exit/handover points (OWASP-IG-008)|4.2.7 Identify application exit/handover points (OTG-INFO-007) ]] formerly "Identify application exit/handover points (OWASP-IG-008)"
-[[Testing Map execution paths through application (OWASP-IG-009)|4.2.8 Map execution paths through application (OTG-INFO-008)]] formerly "Map execution paths through application (OWASP-IG-009)"
+[[Testing Information Gathering|'''4.2 Information Gathering ''']]
-[[Testing for Web Application Fingerprint (OWASP-IG-010)|4.2.9 Fingerprint Web Application Framework (OTG-INFO-009) ]] formerly "Testing for Web Application Fingerprint (OWASP-IG-010)"
+[[Conduct_search_engine_discovery/reconnaissance_for_information_leakage_(OTG-INFO-001) |4.2.1 Conduct Search Engine Discovery and Reconnaissance for Information Leakage (OTG-INFO-001)]]
-[[Testing for Web Application (OTG-INFO-011)|4.2.10 Fingerprint Web Application (OTG-INFO-010) ]] formerly "Testing for Web Application Fingerprint (OWASP-IG-010)"
+[[Fingerprint Web Server (OTG-INFO-002)|4.2.2 Fingerprint Web Server (OTG-INFO-002)]]
-[[Map Network and Application Architecture (OTG-INFO-012)|4.2.11 Map Network and Application Architecture (OTG-INFO-011) ]] formerly "Testing for Infrastructure Configuration Management Testing weakness (OWASP-CM-001)"
+[[Review_Webserver_Metafiles_for_Information_Leakage_(OTG-INFO-003) |4.2.3 Review Webserver Metafiles for Information Leakage (OTG-INFO-003)]]
+[[Enumerate Applications on Webserver (OTG-INFO-004) |4.2.4 Enumerate Applications on Webserver (OTG-INFO-004)]]
-[[Testing for configuration management|'''4.3 Configuration and Deploy Management Testing ''']]
+[[Review_webpage_comments_and_metadata_for_information_leakage_(OTG-INFO-005) |4.2.5 Review Webpage Comments and Metadata for Information Leakage (OTG-INFO-005)]]
-[[Testing for infrastructure configuration management (OWASP-CM-003)|4.3.1 Test Network/Infrastructure Configuration (OTG-CONFIG-001) ]] formerly "Testing for Infrastructure Configuration Management Testing weakness (OWASP-CM-001)"
+[[Identify_application_entry_points_(OTG-INFO-006) |4.2.6 Identify application entry points (OTG-INFO-006)]]
-[[Testing for application configuration management (OWASP-CM-004)|4.3.2 Test Application Platform Configuration (OTG-CONFIG-002 ]] formerly "Testing for Application Configuration Management weakness (OWASP-CM-002)"
+[[Map_execution_paths_through_application_(OTG-INFO-007) |4.2.7 Map execution paths through application (OTG-INFO-007)]]
-[[Testing for file extensions handling  (OWASP-CM-005)|4.3.3 Test File Extensions Handling for Sensitive Information (OTG-CONFIG-003) ]] formerly "Testing for File Extensions Handling  (OWASP-CM-003)"
+[[Fingerprint_Web_Application_Framework_(OTG-INFO-008) |4.2.8 Fingerprint Web Application Framework (OTG-INFO-008)]]
-[[Testing for Old, Backup and Unreferenced Files (OWASP-CM-006)|4.3.4 Review Old, Backup and Unreferenced Files for Sensitive Information (OTG-CONFIG-004) ]] formerly "Old, Backup and Unreferenced Files (OWASP-CM-004)"
+[[Fingerprint_Web_Application_(OTG-INFO-009) |4.2.9 Fingerprint Web Application (OTG-INFO-009)]]
-[[Testing for Admin Interfaces  (OWASP-CM-007)|4.3.5 Enumerate Infrastructure and Application Admin Interfaces (OTG-CONFIG-005) ]] formerly "Infrastructure and Application Admin Interfaces  (OWASP-CM-005)"
+[[Map_Application_Architecture_(OTG-INFO-010) |4.2.10 Map Application Architecture (OTG-INFO-010)]]
-[[Testing for HTTP Methods and XST  (OWASP-CM-008)|4.3.6 Test HTTP Methods (OTG-CONFIG-006) ]] formerly "Testing for Bad HTTP Methods (OWASP-CM-006)"
-[[Testing for Database credentials/connection strings available|4.3.7 Testing for Database credentials/connection strings available (OTG-CONFIG-007) ]] formerly "Testing for Database credentials/connection strings available (OWASP-CM-007)"
+[[Testing for configuration management|'''4.3 Configuration and Deployment Management Testing ''']]
-[[Testing for Content Security Policy weakness|4.3.8 Test Content Security Policy (OTG-CONFIG-008) ]] formerly "Testing for Content Security Policy weakness (OWASP-CM-008)"
+[[Test Network/Infrastructure Configuration (OTG-CONFIG-001)|4.3.1 Test Network/Infrastructure Configuration (OTG-CONFIG-001)]]
-[[Testing for Missing HSTS header|4.3.9 Test HTTP Strict Transport Security (OTG-CONFIG-009) ]] formerly "Testing for Missing HSTS header (OWASP-CM-009)"
+[[Test Application Platform Configuration (OTG-CONFIG-002)|4.3.2 Test Application Platform Configuration (OTG-CONFIG-002)]]
-[[Testing for Frame Options|4.3.10 Test Frame Options (OTG-CONFIG-010) ]]
+[[Test File Extensions Handling for Sensitive Information (OTG-CONFIG-003)|4.3.3 Test File Extensions Handling for Sensitive Information (OTG-CONFIG-003)]]
-[[Testing for RIA policy files weakness|4.3.11 Test RIA cross domain policy (OTG-CONFIG-011) ]] formerly "Testing for RIA policy files weakness (OWASP-CM-010)"
+[[Review Old, Backup and Unreferenced Files for Sensitive Information (OTG-CONFIG-004)|4.3.4 Review Old, Backup and Unreferenced Files for Sensitive Information (OTG-CONFIG-004)]]
+[[Enumerate Infrastructure and Application Admin Interfaces (OTG-CONFIG-005)|4.3.5 Enumerate Infrastructure and Application Admin Interfaces (OTG-CONFIG-005)]]
-[[Testing Identity Management|'''4.4 Identity Management Testing''']]
+[[Test HTTP Methods (OTG-CONFIG-006)|4.3.6 Test HTTP Methods (OTG-CONFIG-006)]]
-[[Test Role Definitions (OTG-IDENT-001)|4.4.1 Test Role Definitions (OTG-IDENT-001)]] New
+[[Test HTTP Strict Transport Security (OTG-CONFIG-007)|4.3.7 Test HTTP Strict Transport Security (OTG-CONFIG-007)]]
-[[Test User Registration Process (OTG-IDENT-002)|4.4.2 Test User Registration Process (OTG-IDENT-002)]] New
+[[Test RIA cross domain policy (OTG-CONFIG-008)|4.3.8 Test RIA cross domain policy (OTG-CONFIG-008)]]
-[[Test Account Provisioning Process (OTG-IDENT-003)|4.4.3 Test Account Provisioning Process (OTG-IDENT-003)]] New
+[[Test File Permission (OTG-CONFIG-009)|4.3.9 Test File Permission (OTG-CONFIG-009)]]
-[[Testing for Account Enumeration and Guessable User Account (OWASP-AT-002)|4.4.4 Testing for Account Enumeration and Guessable User Account (OTG-IDENT-004) ]] formerly "Testing for Account Enumeration and Guessable User Account (OWASP-AT-002)"
-[[Testing for Weak or unenforced username policy (OWASP-AT-009)| 4.4.5 Testing for Weak or unenforced username policy (OTG-IDENT-005)]] formerly "Testing for Weak or unenforced username policy (OWASP-AT-009)
+[[Testing Identity Management|'''4.4 Identity Management Testing''']]
-[[Test Permissions of Guest/Training Accounts (OTG-IDENT-006)|4.4.6 Test Permissions of Guest/Training Accounts (OTG-IDENT-006)]] New
+[[Test Role Definitions (OTG-IDENT-001)|4.4.1 Test Role Definitions (OTG-IDENT-001)]]
-[[Test Account Suspension/Resumption Process (OTG-IDENT-007)|4.4.7 Test Account Suspension/Resumption Process (OTG-IDENT-007)]] New
+[[Test User Registration Process (OTG-IDENT-002)|4.4.2 Test User Registration Process (OTG-IDENT-002)]]
-[[Test User Deregistration Process (OTG-IDENT-008)|4.4.8 Test User Deregistration Process (OTG-IDENT-008)]] New
+[[Test Account Provisioning Process (OTG-IDENT-003)|4.4.3 Test Account Provisioning Process (OTG-IDENT-003)]]
-[[Test Account Deregistration Process (OTG-IDENT-009)|4.4.9 Test Account Deregistration Process (OTG-IDENT-009)]] New
+[[Testing for Account Enumeration and Guessable User Account (OTG-IDENT-004)|4.4.4 Testing for Account Enumeration and Guessable User Account (OTG-IDENT-004)]]
+[[Testing for Weak or unenforced username policy (OTG-IDENT-005)| 4.4.5 Testing for Weak or unenforced username policy (OTG-IDENT-005)]]
 [[Testing for authentication|'''4.5 Authentication Testing ''']]
-[[Testing for Credentials Transported over an Encrypted Channel (OWASP-AT-001)|4.5.1 Testing for Credentials Transported over an Encrypted Channel  (OTG-AUTHN-001)]] formerly "Testing for Credentials Transported over an Encrypted Channel  (OWASP-AT-001)"
+[[Testing for Credentials Transported over an Encrypted Channel (OTG-AUTHN-001)|4.5.1 Testing for Credentials Transported over an Encrypted Channel  (OTG-AUTHN-001)]]
-[[Testing for default credentials (OWASP-AT-003)|4.5.2 Testing for default credentials (OTG-AUTHN-002)]] formerly "Testing for default credentials (OWASP-AT-003)"
+[[Testing for default credentials (OTG-AUTHN-002)|4.5.2 Testing for default credentials (OTG-AUTHN-002)]]
-[[Testing for Weak lock out mechanism (OWASP-AT-004)|4.5.3 Testing for Weak lock out mechanism (OTG-AUTHN-003)]] formerly "Testing for Weak lock out mechanism (OWASP-AT-004)"
+[[Testing for Weak lock out mechanism (OTG-AUTHN-003)|4.5.3 Testing for Weak lock out mechanism (OTG-AUTHN-003)]]
-[[Testing for Bypassing Authentication Schema (OWASP-AT-005)|4.5.4 Testing for bypassing authentication schema (OTG-AUTHN-004)]] formerly "Testing for bypassing authentication schema (OWASP-AT-005)"
+[[Testing for Bypassing Authentication Schema (OTG-AUTHN-004)|4.5.4 Testing for bypassing authentication schema (OTG-AUTHN-004)]]
-[[Testing for Vulnerable Remember Password (OWASP-AT-006)|4.5.5 Test remember password functionality (OTG-AUTHN-005)]] formerly "Testing for vulnerable remember password functionality (OWASP-AT-006)"
+[[Testing for Vulnerable Remember Password (OTG-AUTHN-005)|4.5.5 Test remember password functionality (OTG-AUTHN-005)]]
-[[Testing for Browser cache weakness (OWASP-AT-007)|4.5.6 Testing for Browser cache weakness (OTG-AUTHN-006)]] formerly "Testing for Browser cache weakness (OWASP-AT-007)"
+[[Testing for Browser cache weakness (OTG-AUTHN-006)|4.5.6 Testing for Browser cache weakness (OTG-AUTHN-006)]]
-[[Testing for Weak password policy (OWASP-AT-008)|4.5.7 Testing for Weak password policy (OTG-AUTHN-007)]] formerly "Testing for Weak password policy (OWASP-AT-008)"
+[[Testing for Weak password policy (OTG-AUTHN-007)|4.5.7 Testing for Weak password policy (OTG-AUTHN-007)]]
-[[Testing for Weak security question/answer (OTG-AUTHN-008)|4.5.8 Testing for Weak security question/answer (OTG-AUTHN-008)]] New! - Robert Winkel
+[[Testing for Weak security question/answer (OTG-AUTHN-008)|4.5.8 Testing for Weak security question/answer (OTG-AUTHN-008)]]
-[[Testing for weak password change or reset functionalities (OWASP-AT-011)|4.5.9 Testing for weak password change or reset functionalities (OTG-AUTHN-009)]] formerly "Testing for weak password change or reset functionalities (OWASP-AT-011)"
+[[Testing for weak password change or reset functionalities (OTG-AUTHN-009)|4.5.9 Testing for weak password change or reset functionalities (OTG-AUTHN-009)]]
-[[Testing for Weaker authentication in alternative channel (OTG-AUTHN-010)|4.5.10 Testing for Weaker authentication in alternative channel (OTG-AUTHN-010)]] (e.g. mobile app, IVR, help desk)
+[[Testing for Weaker authentication in alternative channel (OTG-AUTHN-010)|4.5.10 Testing for Weaker authentication in alternative channel (OTG-AUTHN-010)]]
 [[Testing for Authorization|'''4.6 Authorization Testing''']]
-[[Test Management of Account Permissions (OTG-AUTHZ-001)|4.6.1 Test Management of Account Permissions (OTG-AUTHZ-001)]] New
+[[Testing_Directory_traversal/file_include_(OTG-AUTHZ-001) |4.6.1 Testing Directory traversal/file include (OTG-AUTHZ-001)]]
-[[Testing for Path Traversal  (OWASP-AZ-001)|4.6.2 Testing Directory traversal/file include (OTG-AUTHZ-002)]] formerly "Testing Directory traversal/file include (OWASP-AZ-001)"
-[[Testing for Bypassing Authorization Schema  (OWASP-AZ-002)|4.6.3 Testing for bypassing authorization schema (OTG-AUTHZ-003)]] formerly "Testing for bypassing authorization schema  (OWASP-AZ-002)"
-[[Testing for Privilege escalation  (OWASP-AZ-003)|4.6.4 Testing for Privilege Escalation (OTG-AUTHZ-004)]] formerly "Testing for Privilege Escalation  (OWASP-AZ-003)"
-[[Testing for Insecure Direct Object References (OWASP-AZ-004)|4.6.5 Testing for Insecure Direct Object References (OTG-AUTHZ-005)]] formerly "Testing for Insecure Direct Object References (OWASP-AZ-004)"
-[[Testing for Failure to Restrict access to authorized resource (OWASP-AZ-005)|4.6.6 Testing for Failure to Restrict access to authorized resource (OTG-AUTHZ-006)]] formerly "Testing for Failure to Restrict access to authorized resource (OWASP-AZ-005)"
-[[Test privileges of server components (OTG-AUTHZ-007)|4.6.7 Test privileges of server components (OTG-AUTHZ-007)]] (e.g. indexing service, reporting interface, file generator)
+[[Testing for Bypassing Authorization Schema  (OTG-AUTHZ-002)|4.6.2 Testing for bypassing authorization schema (OTG-AUTHZ-002)]]
-[[Test enforcement of application entry points (OTG-AUTHZ-008)|4.6.8 Test enforcement of application entry points (OTG-AUTHZ-008)]] (including exposure of objects)
+[[Testing for Privilege escalation  (OTG-AUTHZ-003)|4.6.3 Testing for Privilege Escalation (OTG-AUTHZ-003)]]
-[[Testing for failure to restrict access to authenticated resource(OWASP-AT-010)|4.6.9 Testing for failure to restrict access to authenticated resource (OTG-AUTHZ-009)]] formerly "Testing for failure to restrict access to authenticated resource (OWASP-AT-010)"
+[[Testing for Insecure Direct Object References (OTG-AUTHZ-004)|4.6.4 Testing for Insecure Direct Object References (OTG-AUTHZ-004)]]
 [[Testing for Session Management|'''4.7 Session Management Testing''']]
-[[Testing for Session_Management_Schema (OWASP-SM-001)|4.7.1 Testing for Bypassing Session Management Schema (OTG-SESS-001)]] formerly "Testing for Bypassing Session Management Schema (OWASP-SM-001)"
+[[Testing for Session_Management_Schema (OTG-SESS-001)|4.7.1 Testing for Bypassing Session Management Schema (OTG-SESS-001)]]
-[[Testing for cookies attributes  (OWASP-SM-002)|4.7.2 Testing for Cookies attributes (OTG-SESS-002)]] formerly "Testing for Cookies attributes (OWASP-SM-002)" (Cookies are set not ‘HTTP Only’, ‘Secure’,  and no time validity)
+[[Testing for cookies attributes  (OTG-SESS-002)|4.7.2 Testing for Cookies attributes (OTG-SESS-002)]]
-[[Testing for Session Fixation  (OWASP-SM-003)|4.7.3 Testing for Session Fixation (OTG-SESS-003)]] formerly "Testing for Session Fixation  (OWASP-SM-003)"
+[[Testing for Session Fixation  (OTG-SESS-003)|4.7.3 Testing for Session Fixation (OTG-SESS-003)]]
-[[Testing for Exposed Session Variables  (OWASP-SM-004)|4.7.4 Testing for Exposed Session Variables (OTG-SESS-004)]] formerly "Testing for Exposed Session Variables (OWASP-SM-004)"
+[[Testing for Exposed Session Variables  (OTG-SESS-004)|4.7.4 Testing for Exposed Session Variables (OTG-SESS-004)]]
-[[Testing for CSRF  (OWASP-SM-005)|4.7.5 Testing for Cross Site Request Forgery (CSRF) (OTG-SESS-005)]] formerly "Testing for Cross Site Request Forgery (CSRF) (OWASP-SM-005)"
+[[Testing for CSRF  (OTG-SESS-005)|4.7.5 Testing for Cross Site Request Forgery (CSRF) (OTG-SESS-005)]]
-[[Test Session Token Strength (OTG-SESS-006)|4.7.6 Test Session Token Strength (OTG-SESS-006)]]
+[[Testing for logout functionality (OTG-SESS-006)|4.7.6 Testing for logout functionality (OTG-SESS-006)]]
-[[Testing for logout functionality (OWASP-SM-007)|4.7.7 Testing for logout functionality (OTG-SESS-007)]] formerly "Testing for logout functionality (OWASP-SM-007)"
-[[Testing for Session puzzling (OWASP-SM-008)|4.7.8 Testing for Session puzzling (OWASP-SM-008)]]
+[[Test Session Timeout (OTG-SESS-007)|4.7.7 Test Session Timeout (OTG-SESS-007)]]
-[[Test Session Timeout (OTG-SESS-008)|4.7.8 Test Session Timeout (OTG-SESS-008)]]
+[[Testing for Session puzzling (OTG-SESS-008)|4.7.8 Testing for Session puzzling (OTG-SESS-008)]]
-[[Test multiple concurrent sessions (OTG-SESS-009)|4.7.9 Test multiple concurrent sessions (OTG-SESS-009)]]
+[[Testing for Input Validation|'''4.8 Input Validation Testing''']]
-[[Testing for Data Validation|'''4.8 Data Validation Testing''']]
+[[Testing for Reflected Cross site scripting (OTG-INPVAL-001) |4.8.1 Testing for Reflected Cross Site Scripting (OTG-INPVAL-001)]]
-[[Testing for Reflected Cross site scripting (OWASP-DV-001) |4.8.1 Testing for Reflected Cross Site Scripting (OTG-INPVAL-001)]] formerly "Testing for Reflected Cross Site Scripting (OWASP-DV-001)"
+[[Testing for Stored Cross site scripting (OTG-INPVAL-002) |4.8.2 Testing for Stored Cross Site Scripting (OTG-INPVAL-002)]]
-[[Testing for Stored Cross site scripting (OWASP-DV-002) |4.8.2 Testing for Stored Cross Site Scripting (OTG-INPVAL-002)]] formerly "Testing for Stored Cross Site Scripting (OWASP-DV-002)"
+[[Testing for HTTP Verb Tampering (OTG-INPVAL-003)|4.8.3 Testing for HTTP Verb Tampering (OTG-INPVAL-003)]]
-[[Testing for HTTP Verb Tampering (OWASP-DV-003)|4.8.3 Testing for HTTP Verb Tampering (OTG-INPVAL-003)]] formerly "Testing for HTTP Verb Tampering (OWASP-DV-003)"
+[[Testing for HTTP Parameter pollution (OTG-INPVAL-004)|4.8.4 Testing for HTTP Parameter pollution (OTG-INPVAL-004)]]
-[[Testing for HTTP Parameter pollution (OWASP-DV-004)|4.8.4 Testing for HTTP Parameter pollution (OTG-INPVAL-004) ]] formerly "Testing for HTTP Parameter pollution (OWASP-DV-004)"
+[[Testing for SQL Injection (OTG-INPVAL-005)| 4.8.5 Testing for SQL Injection (OTG-INPVAL-005)]]
-[[Testing for Unvalidated Redirects and Forwards (OWASP-DV-004)|4.8.5 Testing for Unvalidated Redirects and Forwards (OTG-INPVAL-005) ]] formerly "Testing for Unvalidated Redirects and Forwards (OWASP-DV-004)"
+[[Testing for Oracle|4.8.5.1 Oracle Testing]]
-[[Testing for SQL Injection (OWASP-DV-005)| 4.8.6 Testing for SQL Injection (OTG-INPVAL-006)]] formerly "Testing for SQL Injection (OWASP-DV-005)" '''Ready to be reviewed'''
+[[Testing for MySQL|4.8.5.2 MySQL Testing]]
-[[Testing for Oracle|4.8.6.1 Oracle Testing]]
+[[Testing for SQL Server|4.8.5.3 SQL Server Testing]]
-[[Testing for MySQL|4.8.6.2 MySQL Testing [Ismael Gonçalves]]]
+[[OWASP_Backend_Security_Project_Testing_PostgreSQL|4.8.5.4 Testing PostgreSQL (from OWASP BSP)]]
-[[Testing for SQL Server|4.8.6.3 SQL Server Testing]]
+[[Testing for MS Access |4.8.5.5 MS Access Testing]]
-[[OWASP_Backend_Security_Project_Testing_PostgreSQL|4.8.6.4 Testing PostgreSQL (from OWASP BSP) ]]
+[[Testing for NoSQL injection|4.8.5.6 Testing for NoSQL injection]]
-[[Testing for MS Access |4.8.6.5 MS Access Testing]]
+[[Testing for LDAP Injection  (OTG-INPVAL-006)|4.8.6 Testing for LDAP Injection  (OTG-INPVAL-006)]]
-[[Testing for NoSQL injection|4.8.6.6 Testing for NoSQL injection [New!]]]
+[[Testing for ORM Injection   (OTG-INPVAL-007)|4.8.7 Testing for ORM Injection   (OTG-INPVAL-007)]]
-[[Testing for LDAP Injection  (OWASP-DV-006)|4.8.7 Testing for LDAP Injection  (OTG-INPVAL-007)]] formerly "Testing for LDAP Injection  (OWASP-DV-006)"
+[[Testing for XML Injection (OTG-INPVAL-008)|4.8.8 Testing for XML Injection (OTG-INPVAL-008)]]
-[[Testing for ORM Injection   (OWASP-DV-007)|4.8.8 Testing for ORM Injection   (OTG-INPVAL-008)]] formerly "Testing for ORM Injection   (OWASP-DV-007)"
+[[Testing for SSI Injection  (OTG-INPVAL-009)|4.8.9 Testing for SSI Injection  (OTG-INPVAL-009)]]
-[[Testing for XML Injection (OWASP-DV-008)|4.8.9 Testing for XML Injection (OTG-INPVAL-009)]] formerly "Testing for XML Injection (OWASP-DV-008)"
+[[Testing for XPath Injection  (OTG-INPVAL-010)|4.8.10 Testing for XPath Injection  (OTG-INPVAL-010)]]
-[[Testing for SSI Injection  (OWASP-DV-009)|4.8.10 Testing for SSI Injection  (OTG-INPVAL-010)]] formerly "Testing for SSI Injection  (OWASP-DV-009)"
+[[Testing for IMAP/SMTP Injection  (OTG-INPVAL-011)|4.8.11 IMAP/SMTP Injection  (OTG-INPVAL-011)]]
-[[Testing for XPath Injection  (OWASP-DV-010)|4.8.11 Testing for XPath Injection  (OTG-INPVAL-011)]] formerly "Testing for XPath Injection  (OWASP-DV-010)"
+[[Testing for Code Injection  (OTG-INPVAL-012)|4.8.12 Testing for Code Injection  (OTG-INPVAL-012)]]
-[[Testing for IMAP/SMTP Injection  (OWASP-DV-011)|4.8.12 IMAP/SMTP Injection  (OTG-INPVAL-012)]] formerly "IMAP/SMTP Injection  (OWASP-DV-011)"
+[[Testing for Local File Inclusion|4.8.12.1 Testing for Local File Inclusion]]
-[[Testing for Code Injection  (OWASP-DV-012)|4.8.13 Testing for Code Injection  (OTG-INPVAL-013)]] formerly "Testing for Code Injection  (OWASP-DV-012)"
+[[Testing for Remote File Inclusion|4.8.12.2 Testing for Remote File Inclusion]]
-[[Testing for Local File Inclusion|4.8.13.1 Testing for Local File Inclusion]]
+[[Testing for Command Injection   (OTG-INPVAL-013)|4.8.13 Testing for Command Injection   (OTG-INPVAL-013)]]
-[[Testing for Remote File Inclusion|4.8.13.2 Testing for Remote File Inclusion]]
+[[Testing for Buffer Overflow (OTG-INPVAL-014)|4.8.14 Testing for Buffer overflow (OTG-INPVAL-014)]]
-[[Testing for Command Injection   (OWASP-DV-013)|4.8.14 Testing for Command Injection   (OTG-INPVAL-014)]] formerly "Testing for Command Injection   (OWASP-DV-013)"
+[[Testing for Heap Overflow|4.8.14.1 Testing for Heap overflow]]
-[[Testing for Buffer Overflow (OWASP-DV-014)|4.8.15 Testing for Buffer overflow (OTG-INPVAL-015)]] formerly "Testing for Buffer overflow (OWASP-DV-014)"
+[[Testing for Stack Overflow|4.8.14.2 Testing for Stack overflow]]
-[[Testing for Heap Overflow|4.8.15.1 Testing for Heap overflow]]
+[[Testing for Format String|4.8.14.3 Testing for Format string]]
-[[Testing for Stack Overflow|4.8.15.2 Testing for Stack overflow]]
+[[Testing for Incubated Vulnerability (OTG-INPVAL-015)|4.8.15 Testing for incubated vulnerabilities (OTG-INPVAL-015)]]
-[[Testing for Format String|4.8.15.3 Testing for Format string]]
+[[Testing for HTTP Splitting/Smuggling  (OTG-INPVAL-016)|4.8.16 Testing for HTTP Splitting/Smuggling  (OTG-INPVAL-016)]]
-[[Testing for Incubated Vulnerability (OWASP-DV-015)|4.8.16 Testing for incubated vulnerabilities (OTG-INPVAL-016)]] formerly "Testing for incubated vulnerabilities (OWASP-DV-015)"
+[[Testing for HTTP Incoming requests  (OTG-INPVAL-017)|4.8.17 Testing for HTTP Incoming Requests  (OTG-INPVAL-017)]]
-[[Testing for HTTP Splitting/Smuggling  (OWASP-DV-016)|4.8.17 Testing for HTTP Splitting/Smuggling  (OTG-INPVAL-017) ]] formerly "Testing for HTTP Splitting/Smuggling  (OWASP-DV-016)"
+[[Testing for Error Handling|'''4.9 Testing for Error Handling''']]
+[[Testing for Error Code (OTG-ERR-001)|4.9.1 Analysis of Error Codes (OTG-ERR-001)]]
-[[Error Handling|'''4.9 Error Handling''']]
+[[Testing for Stack Traces (OTG-ERR-002)|4.9.2 Analysis of Stack Traces (OTG-ERR-002)]]
-[[Testing for Error Code (OWASP-IG-006)|4.9.9 Analysis of Error Codes (OTG-ERR-001)]] formerly "Analysis of Error Codes (OWASP-IG-006)"
+[[Testing for weak Cryptography|'''4.10 Testing for weak Cryptography''']]
-[[Cryptography|'''4.10 Cryptography''']]
+[[Testing for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection (OTG-CRYPST-001)| 4.10.1 Testing for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection (OTG-CRYPST-001)]]
-[[Testing for Insecure encryption usage (OWASP-EN-001)| 4.10.1  Testing for Insecure encryption usage (OTG-CRYPST-001)]] formerly "Testing for Insecure encryption usage (OWASP-EN-001)"
+[[Testing for Padding Oracle (OTG-CRYPST-002)| 4.10.2 Testing for Padding Oracle (OTG-CRYPST-002)]]
-[[Testing for Weak SSL/TSL Ciphers, Insufficient Transport Layer Protection (OWASP-EN-002)| 4.10.2 Testing for Weak SSL/TSL Ciphers, Insufficient Transport Layer Protection (OTG-CRYPST-002)]] formerly "Testing for Weak SSL/TSL Ciphers, Insufficient Transport Layer Protection (OWASP-EN-002)"
+[[Testing for Sensitive information sent via unencrypted channels (OTG-CRYPST-003)|4.10.3 Testing for Sensitive information sent via unencrypted channels (OTG-CRYPST-003)]]
-[[Testing for Padding Oracle (OWASP-EN-003)| 4.10.3 Testing for Padding Oracle (OTG-CRYPST-003)]] formerly "Testing for Padding Oracle (OWASP-EN-003)"
+[[Testing for Weak Encryption (OTG-CRYPST-004)|4.10.4 Testing for Weak Encryption (OTG-CRYPST-004)]]
-[[Testing for Cacheable HTTPS Response (OTG-CRYPST-004)| 4.10.4 Testing for Cacheable HTTPS Response (OTG-CRYPST-004)]]
-[[Test Cache Directives (OTG-CRYPST-005)|4.10.5 Test Cache Directives (OTG-CRYPST-005)]]
+[[Testing for business logic|'''4.11 Business Logic Testing''']]
-[[Testing for Insecure Cryptographic Storage (OTG-CRYPST-006)|4.10.6 Testing for Insecure Cryptographic Storage (OTG-CRYPST-006)]]
+[[Test business logic data validation (OTG-BUSLOGIC-001)|4.11.1 Test Business Logic Data Validation (OTG-BUSLOGIC-001)]]
-[[Testing for Sensitive information sent via unencrypted channels (OTG-CRYPST-007)|4.10.7 Testing for Sensitive information sent via unencrypted channels (OTG-CRYPST-007)]]
+[[Test Ability to forge requests (OTG-BUSLOGIC-002)|4.11.2 Test Ability to Forge Requests (OTG-BUSLOGIC-002)]]
-[[Test Cryptographic Key Management (OTG-CRYPST-008)|4.10.8 Test Cryptographic Key Management (OTG-CRYPST-008)]]
+[[Test integrity checks (OTG-BUSLOGIC-003)|4.11.3 Test Integrity Checks (OTG-BUSLOGIC-003)]]
+[[Test for Process Timing (OTG-BUSLOGIC-004)|4.11.4 Test for Process Timing (OTG-BUSLOGIC-004)]]
-[[Logging|'''4.11 Logging''']] Not convinced Logging should be included as it requires access to logs to test
+[[Test number of times a function can be used limits (OTG-BUSLOGIC-005)|4.11.5 Test Number of Times a Function Can be Used Limits (OTG-BUSLOGIC-005)]]
-[[Test time synchronisation (OTG-LOG-001)|4.11.1 Test time synchronisation (OTG-LOG-001) ]] formerly "Incorrect time"
+[[Testing for the Circumvention of Work Flows (OTG-BUSLOGIC-006)|4.11.6 Testing for the Circumvention of Work Flows (OTG-BUSLOGIC-006)]]
-[[Test user-viewable log of authentication events (OTG-LOG-002)|4.11.2 Test user-viewable log of authentication events (OTG-LOG-002)]]
+[[Test defenses against application mis-use (OTG-BUSLOGIC-007)|4.11.7 Test Defenses Against Application Mis-use (OTG-BUSLOGIC-007)]]
+[[Test Upload of Unexpected File Types (OTG-BUSLOGIC-008)|4.11.8 Test Upload of Unexpected File Types (OTG-BUSLOGIC-008)]]
-[[Testing for business logic   (OWASP-BL-001)|'''4.12 Business Logic Testing  (OWASP-BL-001)''']] [To review--> David Fern]
+[[Test Upload of Malicious Files (OTG-BUSLOGIC-009)|4.11.9 Test Upload of Malicious Files (OTG-BUSLOGIC-009)]]
-Business Logic<br>
-Business logic data validation[New!] NOTE MAT: to discuss this section<br>
-Ability to forge requests[New!]<br>
-Lack of integrity checks (e.g. overwriting updates) [New!]<br>
-Lack of tamper evidence[New!]<br>
-Use of untrusted time source[New!]<br>
-Lack of limits to excessive rate (speed) of use[New!]<br>
-Lack of limits to size of request[New!]<br>
-Lack of limit to number of times a function can be used[New!]<br>
-Bypass of correct sequence[New!]<br>
-Missing user-viewable log of activity[New!]<br>
-Self-hosted payment cardholder data processing[New!]<br>
-Lack of security incident reporting information[New!]<br>
-Defenses against application mis-use[New!]<br>
+[[Client Side Testing|'''4.12 Client Side Testing''']]<br>
+[[Testing for DOM-based Cross site scripting  (OTG-CLIENT-001)|4.12.1 Testing for DOM based Cross Site Scripting  (OTG-CLIENT-001)]]
-[[Denial of Service|'''4.13 Denial of Service''']]
+[[Testing for JavaScript Execution (OTG-CLIENT-002)|4.12.2 Testing for JavaScript Execution (OTG-CLIENT-002)]]
-> Regular expression DoS[New!] note: to understand better<br>
+[[Testing for HTML Injection (OTG-CLIENT-003)|4.12.3 Testing for HTML Injection (OTG-CLIENT-003)]]
-> XML DoS [New! - Andrew Muller]
+[[Testing for Client Side URL Redirect (OTG-CLIENT-004)|4.12.4 Testing for Client Side URL Redirect (OTG-CLIENT-004)]]
-[[Testing for Captcha (OWASP-AT-012)|4.4.12 Testing for CAPTCHA (OWASP-AT-012)]] [Note: Andrew Muller - CAPTCHA's objective is not authentication but to test humanness. This could be moved to Business Logic or the now deleted Denial of Service section]
+[[Testing_for_CSS_Injection (OTG-CLIENT-005)|4.12.5 Testing for CSS Injection (OTG-CLIENT-005)]]
+[[Testing_for_Client_Side_Resource_Manipulation (OTG-CLIENT-006)|4.12.6 Testing for Client Side Resource Manipulation (OTG-CLIENT-006)]]
+[[Test Cross Origin Resource Sharing (OTG-CLIENT-007)|4.12.7 Test Cross Origin Resource Sharing (OTG-CLIENT-007)]]
-[[Web Service (XML Interpreter)|'''4.14 Web Service Testing''']] [Tom Eston]
+[[Testing for Cross site flashing (OTG-CLIENT-008)|4.12.8 Testing for Cross Site Flashing (OTG-CLIENT-008)]]
-[[Scoping a Web Service Test (OWASP-WS-001)|4.10.1 Scoping a Web Service Test (OWASP-WS-001)]]
+[[Testing for Clickjacking (OTG-CLIENT-009)|4.12.9 Testing for Clickjacking (OTG-CLIENT-009)]]
-[[WS Information Gathering (OWASP-WS-002)|4.10.2 WS Information Gathering (OWASP-WS-002)]]
+[[Testing WebSockets (OTG-CLIENT-010)|4.12.10 Testing WebSockets (OTG-CLIENT-010)]]
-[[WS Authentication Testing (OWASP-WS-003)|4.10.3 WS Authentication Testing (OWASP-WS-003)]]
+[[Test Web Messaging (OTG-CLIENT-011)|4.12.11 Test Web Messaging (OTG-CLIENT-011)]]
-[[WS Management Interface Testing (OWASP-WS-004)|4.10.4 WS Management Interface Testing (OWASP-WS-004)]]
+[[Test Local Storage (OTG-CLIENT-012)|4.12.12 Test Local Storage (OTG-CLIENT-012)]]
-[[Weak XML Structure Testing (OWASP-WS-005)|4.10.5 Weak XML Structure Testing (OWASP-WS-005)]]
-[[XML Content-Level Testing (OWASP-WS-006)|4.10.6 XML Content-Level Testing (OWASP-WS-006)]]
+==[[Reporting |5. Reporting]]==
-[[WS HTTP GET Parameters/REST Testing (OWASP-WS-007)|4.10.7 WS HTTP GET Parameters/REST Testing (OWASP-WS-007)]]
-[[WS Naughty SOAP Attachment Testing (OWASP-WS-008)|4.10.8 WS Naughty SOAP Attachment Testing (OWASP-WS-008)]]
+==[[Appendix A: Testing Tools |Appendix A: Testing Tools Resource]]==
-[[WS Replay/MiTM Testing (OWASP-WS-009)|4.10.9 WS Replay/MiTM Testing (OWASP-WS-009)]]
+Security Testing Tools
+* http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines
+* http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html
+* http://sectools.org/
+* https://www.kali.org/
+* http://www.blackarch.org/tools.html
-[[WS BEPL Testing (OWASP-WS-010)|4.10.10 WS BEPL Testing (OWASP-WS-010)]]
+Security Testing Tools in Virtual Image
+* https://tools.pentestbox.com/
+* https://sourceforge.net/p/samurai/wiki/Home/
+* https://sourceforge.net/projects/santoku/
+* https://sourceforge.net/projects/parrotsecurity/?source=navbar
+* https://sourceforge.net/projects/matriux/?source=navbar
+* http://www.blackarch.org/downloads.html
+* https://www.kali.org/
+* http://cyborg.ztrela.com/tools/
+* http://www.caine-live.net/index.html
+* http://www.pentoo.ch/download/
+* http://bugtraq-team.com/
+==[[OWASP Testing Guide Appendix B: Suggested Reading | Appendix B: Suggested Reading]]==
-[[Client Side Testing|'''4.15 Client Side Testing''']] [New!]
+* Whitepapers
+* Books
-[[Testing for DOM-based Cross site scripting  (OWASP-DV-003)|4.11.1 Testing for DOM based Cross Site Scripting  (OWASP-CS-001) [Stefano Di Paola] ]]
+* Useful Websites
-[[Testing for HTML5 (OWASP CS-002)|4.11.2 Testing for HTML5 (OWASP CS-002) [Juan Galiana] ]]<br/>
-[[Testing for Cross site flashing (OWASP-DV-004)|4.11.3 Testing for Cross Site Flashing   (OWASP-CS-003)]]
-[[Testing for Clickjacking (OWASP-CS-004)|4.11.4 Testing for Clickjacking (OWASP-CS-004) [Davide Danelon] ]]<br>
-==[[Writing Reports: value the real risk |5. Writing Reports: value the real risk ]]==
-[[How to value the real risk |5.1 How to value the real risk]] [To review--> Amro AlOlaqi]
-[[How to write the report of the testing |5.2 How to write the report of the testing]] [To review--> Amro AlOlaqi]
-==[[Appendix A: Testing Tools |Appendix A: Testing Tools ]]==
+==[[OWASP Testing Guide Appendix C: Fuzz Vectors | Appendix C: Fuzz Vectors]]==
-* Black Box Testing Tools [To review--> Amro AlOlaqi]
+* Fuzz Categories
-==[[OWASP Testing Guide Appendix B: Suggested Reading | Appendix B: Suggested Reading]]==
-* Whitepapers [To review--> David Fern]
-* Books [To review--> David Fern]
-* Useful Websites [To review--> David Fern]
-==[[OWASP Testing Guide Appendix C: Fuzz Vectors | Appendix C: Fuzz Vectors]]==
+==[[OWASP Testing Guide Appendix D: Encoded Injection | Appendix D: Encoded Injection]]==
-* Fuzz Categories [To review--> Amro AlOlaqi]
+* Input Encoding
+* Output Encoding
-==[[OWASP Testing Guide Appendix D: Encoded Injection | Appendix D: Encoded Injection]]==
-[To review--> Amro AlOlaqi]
 ----
 [[Category:OWASP Testing Project]]
+[[Category:Popular]]