
Difference between revisions of "OWASP Testing Guide Table of Contents"

From OWASP
This is the Testing Guide v1.

PLEASE REFER TO THIS URL FOR THE TESTING GUIDE V2:

http://www.owasp.org/index.php/OWASP_Testing_Guide_v2_Table_of_Contents

==[[Testing Guide Frontispiece|Frontispiece]]==
 
#Copyright and License
 
#Endorsements
 
#Trademarks
 
 
==[[Testing Guide Introduction|Introduction]]==
 
#Performing An Application Security Review
 
#Principles of Testing
 
#Testing Techniques Explained
 
 
==[[Methodologies Used]]==
 
#Secure application design
 
#Code Review (See the code review project)
 
#*Overview
 
#*Advantages and Disadvantages
 
#Penetration Testing
 
#*Overview
 
#*Advantages and Disadvantages
 
#The Need for a Balanced Approach
 
#A Note about Web Application Scanners
 
#A Note about Static Source Code Review Tools
 
 
==[[Finding Specific Issues In a Non-Technical Manner]]==
 
#Threat Modeling Introduction
 
#Design Reviews
 
#Threat Modeling the Application
 
#Policy Reviews
 
#Requirements Analysis
 
#Developer Interviews and Interaction
 
 
==[[:Category:OWASP Code Review Project|Finding Specific Vulnerabilities Using Source Code Review]]==
 
 
''For code review please see the [[:Category:OWASP_Code_Review_Project|OWASP Code Review Project]]''
 
 
==[[Manual testing techniques]]==
 
#[[Business logic testing]]
 
#[[Authentication Testing Guide|Authentication]]
 
#[[How to perform cookie manipulation test|Cookie manipulation]]
 
#[[How to test for weak session tokens|Weak session tokens]]
 
#[[How to perform session riding test|Session riding test]]
 
#[[Testing for Cross site scripting vulnerabilities]]
 
#[[Testing for vulnerable remember password implementation]]
 
#[[Weak Password Self-Reset Testing]]
 
#[[Testing for default or guessable user accounts and empty passwords]]
 
#[[Testing for application layer Denial of Service (DoS) attacks]]
 
#*[[DoS Testing: Locking Customer Accounts]]
 
#*[[DoS Testing: Buffer Overflows]]
 
#*[[DoS Testing: User Specified Object Allocation]]
 
#*[[DoS Testing: User Input as a Loop Counter]]
 
#*[[DoS Testing: Writing User Provided Data to Disk]]
 
#*[[DoS Testing: Failure to Release Resources]]
 
#*[[DoS Testing: Storing too Much Data in Session]]
 
#[[Testing for buffer overflow]]
 
#*[[Testing for heap overflow vulnerability]]
 
#*[[Testing for stack overflow vulnerability]]
 
#*[[Testing for format string vulnerability]]
 
#[[Testing for test and debug files]]
 
#[[Testing file extensions handling]]
 
#[[Testing for Old, backup and unreferenced files]]
 
#[[Testing defense from Automatic Attacks]]
 
#[[Infrastructure configuration management testing]]
 
#[[Application configuration management testing]]
 
#[[SSL/TLS Testing: support of weak ciphers]]
 
#[[SSL Testing: certificate validity]]
 
#[[Web Services Security Testing]]
 
#[[Analysis about error codes]]
 
#[[Web services Testing]]
 
#*[[XML Structural Attacks]]
 
#*[[XML content-level attacks]]
 
#*[[HTTP GET parameters/REST attacks]]
 
#*[[Naughty SOAP attachments]]
 
#*[[Brute force attacks]]
 
 
==[[The OWASP Testing Framework]]==
 
#Overview
 
#Phase 1: Before Development Begins
 
#*Phase 1A: Policies and Standards Review
 
#*Phase 1B: Develop Measurement and Metrics Criteria (Ensure Traceability)
 
#Phase 2: During Definition and Design
 
#*Phase 2A: Security Requirements Review
 
#*Phase 2B: Design and Architecture Review
 
#*Phase 2C: Create and Review UML Models
 
#*Phase 2D: Create and Review Threat Models
 
#Phase 3: During Development
 
#*Phase 3A: Code Walkthroughs
 
#*Phase 3B: Code Reviews
 
#Phase 4: During Deployment
 
#*Phase 4A: Application Penetration Testing
 
#*Phase 4B: Configuration Management Testing
 
#Phase 5: Maintenance and Operations
 
#*Phase 5A: Conduct Operational Management Reviews
 
#*Phase 5B: Conduct Periodic Health Checks
 
#*Phase 5C: Ensure Change Verification
 
#A Typical SDLC Testing Workflow
 
#* Figure 3: Typical SDLC Testing Workflow.
 
 
==[[Appendix A: Testing Tools]]==
 
#Source Code Analyzers
 
#*Open Source / Freeware
 
#*Commercial
 
#Black Box Scanners
 
#*Open Source
 
#*Commercial
 
#Other Tools
 
#*Runtime Analysis
 
#*Binary Analysis
 
#*Requirements Management
 
 
==[[OWASP Testing Guide Appendix B: Suggested Reading | Appendix B: Suggested Reading]]==
 
#Whitepapers
 
#Books
 
#Articles
 
#Useful Websites
 
#OWASP — http://www.owasp.org
 
 
[[Category:OWASP Testing Project]]
 
[[Category:Test]]
 
 
==[[OWASP Testing Guide Appendix C: Fuzz Vectors| Appendix C: Fuzz Vectors]]==
 

Revision as of 12:16, 10 January 2007