This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP Testing Guide v2 Table of Contents"

From OWASP
Jump to: navigation, search
Line 10: Line 10:
  
 
==[[The OWASP Testing Framework AoC|The OWASP Testing Framework]]==
 
==[[The OWASP Testing Framework AoC|The OWASP Testing Framework]]==
3. The OWASP Testing Framework                                      20%      (Review) <br>
 
 
'''3.1. Overview'''<br>
 
'''3.1. Overview'''<br>
 
'''3.2. Phase 1 — Before Development Begins <br>'''
 
'''3.2. Phase 1 — Before Development Begins <br>'''
* Phase 1A: Policies and Standards Review <br>
 
* Phase 1B: Develop Measurement and Metrics Criteria (Ensure Traceability) <br>
 
 
'''3.3. Phase 2: During Definition and Design<br>'''
 
'''3.3. Phase 2: During Definition and Design<br>'''
* Phase 2A: Security Requirements Review<br>
 
* Phase 2B: Design an Architecture Review<br>
 
* Phase 2C: Create and Review UML Models<br>
 
* Phase 2D: Create and Review Threat Models <br>
 
 
'''3.4. Phase 3: During Development<br>'''
 
'''3.4. Phase 3: During Development<br>'''
* Phase 3A: Code Walkthroughs<br>
 
* Phase 3B: Code Reviews <br>
 
 
'''3.5. Phase 4: During Deployment<br>'''
 
'''3.5. Phase 4: During Deployment<br>'''
* Phase 4A: Application Penetration Testing<br>
 
* Phase 4B: Configuration Management Testing <br>
 
 
'''3.6. Phase 5: Maintenance and Operations<br>'''
 
'''3.6. Phase 5: Maintenance and Operations<br>'''
* Phase 5A: Conduct Operational Management Reviews<br>
 
* Phase 5B: Conduct Periodic Health Checks<br>
 
* Phase 5C: Ensure Change Verification <br>
 
 
'''3.7. A Typical SDLC Testing Workflow <br>'''
 
'''3.7. A Typical SDLC Testing Workflow <br>'''
* Figure 3: Typical SDLC Testing Workflow <br>
 
  
 
==[[Web Application Penetration Testing AoC |Web Application Penetration Testing ]]==
 
==[[Web Application Penetration Testing AoC |Web Application Penetration Testing ]]==

Revision as of 16:22, 10 October 2006

Frontispiece

  1. Copyright and License (100%, Review)
  2. Endorsements (100%, Review)
  3. Trademarks (100%, Review)

Introduction

2.1 The OWASP Testing Project
2.2 Principles of Testing
2.3 Testing Techniques Explained

The OWASP Testing Framework

3.1. Overview
3.2. Phase 1 — Before Development Begins
3.3. Phase 2: During Definition and Design
 3.4. Phase 3: During Development
 3.5. Phase 4: During Deployment
 3.6. Phase 5: Maintenance and Operations
 3.7. A Typical SDLC Testing Workflow

Web Application Penetration Testing

4.1 Introduction and objectives 0% TD
4.2 Information Gathering (spider, google) 0% TD
4.3 Business logic testing 50% TD

4.4 Authentication Testing 50% TD
4.4.1 Default or guessable (dictionary) user account 90% TD
4.4.2 Brute Force 0% TD
4.4.3 Bypassing authentication schema 0% TD
4.4.4 Vulnerable remember password and pwd reset 90% TD
4.4.5 Logout and account expiry 0% TD

4.5 Session Management Testing 0% TD
4.5.1 Cookie and Session token Manipulation(reg, forg/brute force) 100% Review
4.5.2 Weak session tokens 70% TD
4.5.3 Session Riding 100% Review
4.5.4 Exposed session variables 0% TD
4.5.5 HTTP Exploit 0% TD

4.6 Data Validation Testing 0% TD
4.6.1 Cross site scripting 0% TD
4.6.1.1 Incubated attacks 0% TD
4.6.1.2 Phishing (using javascript) 0% TD
4.6.1.3 HTTP Methods + XSS (TRACE) 0% TD
4.6.2 SQL Injection 0% TD
4.6.2.1 Oracle, mySQL, SQL Server, TeraData 0% TD
4.6.2.2 Extended stored procedures 0% TD
4.6.2.3 Stored procedure injection 0% TD
4.6.2.4 Oracle +SQLServer ports and attacks 0% TD
4.6.2.5 Listener attacks etc. 1521 1433 1527 0% TD
4.6.3 Orm injection 0% TD
4.6.4 Ldap injection 0% TD
4.6.5 Xml injection 0% TD
4.6.6 Code injection 0% TD
4.6.7 Buffer overflow Testing 100% Review
4.6.7.1 Heap overflow 100% Review
4.6.7.2 Stack overflow 100% Review
4.6.7.3 Format string 100% Review

4.7 Denial of Service Testing 95% Review
4.7.1 Locking Customer Accounts 100% Review
4.7.2 Buffer Overflows 100% Review
4.7.3 User Specified Object Allocation 100% Review
4.7.4 User Input as a Loop Counter 100% Review
4.7.5 Writing User Provided Data to Disk 100% Review
4.7.6 Failure to Release Resources 100% Review
4.7.7 Storing too Much Data in Session 90% Review

4.8 Infrastructure and configuration Testing 0% TD
4.8.1 Intro and objective 0% TD
4.8.2 Infrastructure configuration management testing 100% TD
4.8.3 Application configuration management testing 100% TD
4.8.4 Old, backup and unreferenced files 100% TD
4.8.5 File extensions handling 90% TD
4.8.6 Analisys of error code 50% TD
4.8.7 SSL/TLS Testing: support of weak ciphers and cert validity 100% TD
4.8.8 Testing defense from Automatic attacks (maybe a duplicate) 10% TD

4.9 Web Services Testing 0% TD
4.9.1 XML Structural Attacks 0% TD
4.9.2 XML content-level attacks 0% TD
4.9.3 HTTP GET parameters/REST attacks 0% TD
4.9.4 Naughty SOAP attachments 0% TD
4.9.5 Brute force attacks 0% TD

4.10 AJAX Testing 0% TD
4.10.1 Vulnerabilities 0% TD
4.10.2 How to test 0% TD

Writing Reports: value the real risk

5.1 How to value the real risk 0% TD
5.2 How to write the report of the testing 0% TD

Appendix A: Testing Tools 

  1. Source Code Analyzers
         * Open Source / Freeware
         * Commercial 
  2. Black Box Scanners
         * Open Source
         * Commercial 
  3. Other Tools
         * Runtime Analysis
         * Binary Analysis
         * Requirements Management

Appendix B: Suggested Reading

  1. Whitepapers
  2. Books
  3. Articles
  4. Useful Websites
  5. OWASP — http://www.owasp.org

Appendix C: Fuzz Vectors

Retrieved from "https://wiki.owasp.org/index.php?title=OWASP_Testing_Guide_v2_Table_of_Contents&oldid=10424"