|
|
(64 intermediate revisions by 4 users not shown) |
Line 1: |
Line 1: |
| __NOTOC__ | | __NOTOC__ |
| | | |
− | ==[[Testing Guide Foreword|Foreword by OWASP Chair]]==
| + | Please go [http://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Table_of_Contents here] for the last release of the OWASP Testing Guide. |
− | | |
− | ==[[Testing Guide Frontispiece |1. Frontispiece]]==
| |
− | | |
− | '''[[Testing Guide Frontispiece|1.1 About the OWASP Testing Guide Project]]'''
| |
− | | |
− | 1.1.1 Copyright
| |
− | | |
− | 1.1.2 Editors
| |
− | | |
− | 1.1.3 Authors and Reviewers
| |
− | | |
− | 1.1.4 Revision History
| |
− | | |
− | 1.1.5 Trademarks
| |
− | | |
− | '''[[About The Open Web Application Security Project|1.2 About The Open Web Application Security Project]]'''
| |
− | | |
− | 1.2.1 Overview
| |
− | | |
− | 1.2.2 Structure
| |
− | | |
− | 1.2.3 Licensing
| |
− | | |
− | 1.2.4 Participation and Membership
| |
− | | |
− | 1.2.5 Projects
| |
− | | |
− | 1.2.6 OWASP Privacy Policy
| |
− | | |
− | | |
− | ==[[Testing Guide Introduction|2. Introduction]]==
| |
− | | |
− | '''2.1 The OWASP Testing Project'''
| |
− | | |
− | '''2.2 Principles of Testing'''
| |
− | | |
− | '''2.3 Testing Techniques Explained'''
| |
− | | |
− | | |
− | ==[[The OWASP Testing Framework|3. The OWASP Testing Framework]]==
| |
− | | |
− | '''3.1. Overview'''
| |
− | | |
− | '''3.2. Phase 1: Before Development Begins '''
| |
− | | |
− | '''3.3. Phase 2: During Definition and Design'''
| |
− | | |
− | '''3.4. Phase 3: During Development'''
| |
− | | |
− | '''3.5. Phase 4: During Deployment'''
| |
− | | |
− | '''3.6. Phase 5: Maintenance and Operations'''
| |
− | | |
− | '''3.7. A Typical SDLC Testing Workflow '''
| |
− | | |
− | ==[[Web Application Penetration Testing |4. Web Application Penetration Testing ]]==
| |
− | | |
− | [[Testing: Introduction and Objectives|'''4.1 Introduction and Objectives''']]
| |
− | | |
− | [[Testing: Information Gathering|'''4.2 Information Gathering''']]
| |
− | | |
− | [[Testing for Web Application Fingerprint|4.2.1 Testing Web Application Fingerprint]]
| |
− | | |
− | [[Testing for Application Discovery|4.2.2 Application Discovery]]
| |
− | | |
− | [[Testing: Spidering and Googling|4.2.3 Spidering and Googling]]
| |
− | | |
− | [[Testing for Error Code|4.2.4 Analysis of Error Codes]]
| |
− | | |
− | [[Testing for Infrastructure Configuration Management|4.2.5 Infrastructure
| |
− | Configuration Management Testing]]
| |
− | | |
− | [[Testing for SSL-TLS|4.2.5.1 SSL/TLS Testing]]
| |
− | | |
− | [[Testing for DB Listener|4.2.5.2 DB Listener Testing]]
| |
− | | |
− | [[Testing for Application Configuration Management|4.2.6 Application Configuration Management Testing]]
| |
− | | |
− | [[Testing for File Extensions Handling|4.2.6.1 Testing for File Extensions Handling]]
| |
− | | |
− | [[Testing for old_file|4.2.6.2 Old, backup and unreferenced files]]
| |
− | | |
− | [[Testing for Business Logic|'''4.3 Business Logic Testing''']]
| |
− | | |
− | [[Testing for Authentication|'''4.4 Authentication Testing''']]
| |
− | | |
− | [[Testing for Default or Guessable User Account|4.4.1 Testing for Guessable (Dictionary) User Account]]
| |
− | | |
− | [[Testing for Brute Force|4.4.2 Brute Force Testing]]
| |
− | | |
− | [[Testing for Bypassing Authentication Schema|4.4.3 Testing for bypassing authentication schema]]
| |
− | | |
− | [[Testing for Directory Traversal|4.4.4 Testing for directory traversal/file include]]
| |
− | | |
− | [[Testing for Vulnerable Remember Password and Pwd Reset|4.4.5 Testing for vulnerable remember
| |
− | password and pwd reset]]
| |
− | | |
− | [[Testing for Logout and Browser Cache Management|4.4.6 Testing for Logout and Browser Cache Management Testing]]
| |
− | | |
− | [[Testing for Session Management|'''4.5 Session Management Testing''']]
| |
− | | |
− | [[Testing for Session_Management_Schema|4.5.1 Testing for Session Management Schema]]
| |
− | | |
− | [[Testing for Cookie and Session Token Manipulation|4.5.2 Testing for Cookie and Session Token Manipulation]]
| |
− | | |
− | [[Testing for Exposed Session Variables|4.5.3 Testing for Exposed Session Variables ]]
| |
− | | |
− | [[Testing for CSRF|4.5.4 Testing for CSRF]]
| |
− | | |
− | [[Testing for HTTP Exploit|4.5.5 Testing for HTTP Exploit ]]
| |
− | | |
− | [[Testing for Data Validation|'''4.6 Data Validation Testing''']]
| |
− | | |
− | [[Testing for Cross site scripting|4.6.1 Testing for Cross Site Scripting]]
| |
− | | |
− | [[Testing for HTTP Methods and XST|4.6.1.1 Testing for HTTP Methods and XST ]]
| |
− | | |
− | [[Testing for SQL Injection|4.6.2 Testing for SQL Injection ]]
| |
− | | |
− | [[Testing for Oracle|4.6.2.1 Oracle Testing ]]
| |
− | | |
− | [[Testing for MySQL|4.6.2.2 MySQL Testing ]]
| |
− | | |
− | [[Testing for SQL Server|4.6.2.3 SQL Server Testing]]
| |
− | | |
− | [[Testing for LDAP Injection|4.6.3 Testing for LDAP Injection]]
| |
− | | |
− | [[Testing for ORM Injection|4.6.4 Testing for ORM Injection]]
| |
− | | |
− | [[Testing for XML Injection|4.6.5 Testing for XML Injection]]
| |
− | | |
− | [[Testing for SSI Injection|4.6.6 Testing for SSI Injection]]
| |
− | | |
− | [[Testing for XPath Injection|4.6.7 Testing for XPath Injection]]
| |
− | | |
− | [[Testing for IMAP/SMTP Injection|4.6.8 IMAP/SMTP Injection]]
| |
− | | |
− | [[Testing for Code Injection|4.6.9 Testing for Code Injection]]
| |
− | | |
− | [[Testing for Command Injection|4.6.10 Testing for Command Injection]]
| |
− | | |
− | [[Testing for Buffer Overflow|4.6.11 Testing for Buffer overflow]]
| |
− | | |
− | [[Testing for Heap Overflow|4.6.11.1 Testing for Heap overflow]]
| |
− | | |
− | [[Testing for Stack Overflow|4.6.11.2 Testing for Stack overflow]]
| |
− | | |
− | [[Testing for Format String|4.6.11.3 Testing for Format string]]
| |
− | | |
− | [[Testing for Incubated Vulnerability|4.6.12 Testing for incubated vulnerabilities]]
| |
− | | |
− | [[Testing for Denial of Service|'''4.7 Testing for Denial of Service''']]
| |
− | | |
− | [[Testing for DoS Locking Customer Accounts|4.7.1 Testing for DoS Locking Customer Accounts]]
| |
− | | |
− | [[Testing for DoS Buffer Overflows|4.7.2 Testing for DoS Buffer Overflows]]
| |
− | | |
− | [[Testing for DoS User Specified Object Allocation|4.7.3 Testing for DoS User Specified Object Allocation]]
| |
− | | |
− | [[Testing for User Input as a Loop Counter|4.7.4 Testing for User Input as a Loop Counter]]
| |
− | | |
− | [[Testing for Writing User Provided Data to Disk|4.7.5 Testing for Writing User Provided Data to Disk]]
| |
− | | |
− | [[Testing for DoS Failure to Release Resources|4.7.6 Testing for DoS Failure to Release Resources]]
| |
− | | |
− | [[Testing for Storing too Much Data in Session|4.7.7 Testing for Storing too Much Data in Session]]
| |
− | | |
− | [[Testing for Web Services|'''4.8 Web Services Testing''']]
| |
− | | |
− | [[Testing for XML Structural|4.8.1 XML Structural Testing]]
| |
− | | |
− | [[Testing for XML Content-Level|4.8.2 XML Content-level Testing]]
| |
− | | |
− | [[Testing for WS HTTP GET parameters/REST attacks|4.8.3 HTTP GET parameters/REST Testing ]]
| |
− | | |
− | [[Testing for Naughty SOAP Attachments|4.8.4 Testing for Naughty SOAP attachments]]
| |
− | | |
− | [[Testing for WS Replay|4.8.5 WS Replay Testing]]
| |
− | | |
− | [[Testing_for_AJAX:_introduction|'''4.9 AJAX Testing''']]
| |
− | | |
− | [[Testing for AJAX Vulnerabilities|4.9.1 AJAX Vulnerabilities]]
| |
− | | |
− | [[Testing for AJAX|4.9.2 How to test AJAX]]
| |
− | | |
− | ==[[Writing Reports: value the real risk |5. Writing Reports: value the real risk ]]==
| |
− | | |
− | [[How to value the real risk |5.1 How to value the real risk]]
| |
− | | |
− | [[How to write the report of the testing |5.2 How to write the report of the testing]]
| |
− | | |
− | | |
− | ==[[Appendix A: Testing Tools |Appendix A: Testing Tools ]]==
| |
− | | |
− | * Black Box Testing Tools
| |
− | * Source Code Analyzers
| |
− | * Other Tools
| |
− | | |
− | | |
− | ==[[OWASP Testing Guide Appendix B: Suggested Reading | Appendix B: Suggested Reading]]==
| |
− | * Whitepapers
| |
− | * Books
| |
− | * Useful Websites
| |
− | | |
− | | |
− | ==[[OWASP Testing Guide Appendix C: Fuzz Vectors | Appendix C: Fuzz Vectors]]==
| |
− | | |
− | * Fuzz Categories
| |
− | ** Recursive fuzzing
| |
− | ** Replasive fuzzing
| |
− | * Cross Site Scripting (XSS)
| |
− | * Buffer Overflows and Format String Errors
| |
− | ** Buffer Overflows (BFO)
| |
− | ** Format String Errors (FSE)
| |
− | ** Integer Overflows (INT)
| |
− | * SQL Injection
| |
− | ** Passive SQL Injection (SQP)
| |
− | ** Active SQL Injection (SQI)
| |
− | * LDAP Injection
| |
− | * XPATH Injection
| |
− | | |
− | | |
− | [[Category:OWASP Testing Project]]
| |