This is the Testing Guide v1.<br>
PLEASE REFER TO THIS URL FOR THE TESTING GUIDE V2:<br>
http://www.owasp.org/index.php/OWASP_Testing_Guide_v2_Table_of_Contents

==[[Testing Guide Frontispiece|Frontispiece]]==
#Copyright and License
#Endorsements
#Trademarks

==[[Testing Guide Introduction|Introduction]]==
#Performing an Application Security Review
#Principles of Testing
#Testing Techniques Explained

==[[Methodologies Used]]==
#Secure Application Design
#Code Review (see the Code Review Project)
#*Overview
#*Advantages and Disadvantages
#Penetration Testing
#*Overview
#*Advantages and Disadvantages
#The Need for a Balanced Approach
#A Note about Web Application Scanners
#A Note about Static Source Code Review Tools

==[[Finding Specific Issues In a Non-Technical Manner]]==
#Threat Modeling Introduction
#Design Reviews
#Threat Modeling the Application
#Policy Reviews
#Requirements Analysis
#Developer Interviews and Interaction

==[[:Category:OWASP Code Review Project|Finding Specific Vulnerabilities Using Source Code Review]]==
''For code review, please see the [[:Category:OWASP_Code_Review_Project|OWASP Code Review Project]].''

==[[Manual testing techniques]]==
#[[Business logic testing]]
#[[Authentication Testing Guide|Authentication]]
#[[How to perform cookie manipulation test|Cookie manipulation]]
#[[How to test for weak session tokens|Weak session tokens]]
#[[How to perform session riding test|Session riding test]]
#[[Testing for Cross site scripting vulnerabilities]]
#[[Testing for vulnerable remember password implementation]]
#[[Weak Password Self-Reset Testing]]
#[[Testing for default or guessable user accounts and empty passwords]]
#[[Testing for application layer Denial of Service (DoS) attacks]]
#*[[DoS Testing: Locking Customer Accounts]]
#*[[DoS Testing: Buffer Overflows]]
#*[[DoS Testing: User Specified Object Allocation]]
#*[[DoS Testing: User Input as a Loop Counter]]
#*[[DoS Testing: Writing User Provided Data to Disk]]
#*[[DoS Testing: Failure to Release Resources]]
#*[[DoS Testing: Storing too Much Data in Session]]
#[[Testing for buffer overflow]]
#*[[Testing for heap overflow vulnerability]]
#*[[Testing for stack overflow vulnerability]]
#*[[Testing for format string vulnerability]]
#[[Testing for test and debug files]]
#[[Testing file extensions handling]]
#[[Testing for Old, backup and unreferenced files]]
#[[Testing defense from Automatic Attacks]]
#[[Infrastructure configuration management testing]]
#[[Application configuration management testing]]
#[[SSL/TLS Testing: support of weak ciphers]]
#[[SSL Testing: certificate validity]]
#[[Web Services Security Testing]]
#[[Analysis about error codes|Analysis of error codes]]
#[[Web services Testing]]
#*[[XML Structural Attacks]]
#*[[XML content-level attacks]]
#*[[HTTP GET parameters/REST attacks]]
#*[[Naughty SOAP attachments]]
#*[[Brute force attacks]]

==[[The OWASP Testing Framework]]==
#Overview
#Phase 1: Before Development Begins
#*Phase 1A: Policies and Standards Review
#*Phase 1B: Develop Measurement and Metrics Criteria (Ensure Traceability)
#Phase 2: During Definition and Design
#*Phase 2A: Security Requirements Review
#*Phase 2B: Design and Architecture Review
#*Phase 2C: Create and Review UML Models
#*Phase 2D: Create and Review Threat Models
#Phase 3: During Development
#*Phase 3A: Code Walkthroughs
#*Phase 3B: Code Reviews
#Phase 4: During Deployment
#*Phase 4A: Application Penetration Testing
#*Phase 4B: Configuration Management Testing
#Phase 5: Maintenance and Operations
#*Phase 5A: Conduct Operational Management Reviews
#*Phase 5B: Conduct Periodic Health Checks
#*Phase 5C: Ensure Change Verification
#A Typical SDLC Testing Workflow
#*Figure 3: Typical SDLC Testing Workflow

==[[Appendix A: Testing Tools]]==
#Source Code Analyzers
#*Open Source / Freeware
#*Commercial
#Black Box Scanners
#*Open Source
#*Commercial
#Other Tools
#*Runtime Analysis
#*Binary Analysis
#*Requirements Management

==[[OWASP Testing Guide Appendix B: Suggested Reading|Appendix B: Suggested Reading]]==
#Whitepapers
#Books
#Articles
#Useful Websites
#OWASP: http://www.owasp.org

==[[OWASP Testing Guide Appendix C: Fuzz Vectors|Appendix C: Fuzz Vectors]]==

[[Category:OWASP Testing Project]]
[[Category:Test]]