This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "OWASP Testing Guide Table of Contents"
From OWASP
Line 1: | Line 1: | ||
− | This is The Testing Guide v1 | + | <br> |
− | PLEASE, REFER TO THIS URL FOR THE TESTING GUIDE V2: | + | <br> |
− | + | <br> | |
+ | This is The Testing Guide v1<br> | ||
+ | PLEASE, REFER TO THIS URL FOR THE TESTING GUIDE V2:<br> | ||
+ | http://www.owasp.org/index.php/OWASP_Testing_Guide_v2_Table_of_Contents | ||
Revision as of 12:14, 4 November 2006
This is The Testing Guide v1
PLEASE, REFER TO THIS URL FOR THE TESTING GUIDE V2:
http://www.owasp.org/index.php/OWASP_Testing_Guide_v2_Table_of_Contents
- 1 Frontispiece
- 2 Introduction
- 3 Methodologies Used
- 4 Finding Specific Issues In a Non-Technical Manner
- 5 Finding Specific Vulnerabilities Using Source Code Review
- 6 Manual testing techniques
- 7 The OWASP Testing Framework
- 8 Appendix A: Testing Tools
- 9 Appendix B: Suggested Reading
- 10 Appendix C: Fuzz Vectors
Frontispiece
- Copyright and License
- Endorsements
- Trademarks
Introduction
- Performing An Application Security Review
- Principles of Testing
- Testing Techniques Explained
Methodologies Used
- Secure application design
- Code Review (See the code review project)
- Overview
- Advantages and Disadvantages
- Penetration Testing
- Overview
- Advantages and Disadvantages
- The Need for a Balanced Approach
- A Note about Web Application Scanners
- A Note about Static Source Code Review Tools
Finding Specific Issues In a Non-Technical Manner
- Threat Modeling Introduction
- Design Reviews
- Threat Modeling the Application
- Policy Reviews
- Requirements Analysis
- Developer Interviews and Interaction
Finding Specific Vulnerabilities Using Source Code Review
For code review please see the OWASP Code Review Project
Manual testing techniques
- Business logic testing
- Authentication
- Cookie manipulation
- Weak session tokens
- Session riding test
- Testing for Cross site scripting vulnerabilities
- Testing for vulnerable remember password implementation
- Weak Password Self-Reset Testing
- Testing for default or guessable user accounts and empty passwords
- Testing for application layer Denial of Service (DoS) attacks
- Testing for buffer overflow
- Testing for test and debug files
- Testing file extensions handling
- Testing for Old, backup and unreferenced files
- Testing defense from Automatic Attacks
- Infrastructure configuration management testing
- Application configuration management testing
- SSL/TLS Testing: support of weak ciphers
- SSL Testing: certificate validity
- Web Services Security Testing
- Analysis about error codes
- Web services Testing
The OWASP Testing Framework
- Overview
- Phase 1 — Before Development Begins
- Phase 1A: Policies and Standards Review
- Phase 1B: Develop Measurement and Metrics Criteria (Ensure Traceability)
- Phase 2: During Definition and Design
- Phase 2A: Security Requirements Review
- Phase 2B: Design and Architecture Review
- Phase 2C: Create and Review UML Models
- Phase 2D: Create and Review Threat Models
- Phase 3: During Development
- Phase 3A: Code Walkthroughs
- Phase 3B: Code Reviews
- Phase 4: During Deployment
- Phase 4A: Application Penetration Testing
- Phase 4B: Configuration Management Testing
- Phase 5: Maintenance and Operations
- Phase 5A: Conduct Operational Management Reviews
- Phase 5B: Conduct Periodic Health Checks
- Phase 5C: Ensure Change Verification
- A Typical SDLC Testing Workflow
- Figure 3: Typical SDLC Testing Workflow.
Appendix A: Testing Tools
- Source Code Analyzers
- Open Source / Freeware
- Commercial
- Black Box Scanners
- Open Source
- Commercial
- Other Tools
- Runtime Analysis
- Binary Analysis
- Requirements Management
Appendix B: Suggested Reading
- Whitepapers
- Books
- Articles
- Useful Websites
- OWASP — http://www.owasp.org