This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "OWASP Testing Guide v2 Table of Contents"
| Line 62: | Line 62: | ||
[[Old_file_testing_AoC|4.2.6.2 Old, backup and unreferenced files]] (Mauro Bregolin, Javier Fernández Sanguino, Dafydd Studdard)<br> | [[Old_file_testing_AoC|4.2.6.2 Old, backup and unreferenced files]] (Mauro Bregolin, Javier Fernández Sanguino, Dafydd Studdard)<br> | ||
| − | [[Business logic testing AoC|'''4.3 Business logic testing''']] <br> | + | [[Business logic testing AoC|'''4.3 Business logic testing''']] (Madhura Halasgikar)<br> |
| − | [[Authentication Testing Aoc|'''4.4 Authentication Testing''']] | + | [[Authentication Testing Aoc|'''4.4 Authentication Testing''']] (Matteo Meucci)<br> |
| − | [[Default or Guessable User Account Testing AoC|4.4.1 Default or guessable (dictionary) user account]]<br> | + | [[Default or Guessable User Account Testing AoC|4.4.1 Default or guessable (dictionary) user account]] <br> |
| − | [[Brute Force Testing AoC|4.4.2 Brute Force]]<br> | + | [[Brute Force Testing AoC|4.4.2 Brute Force]] (Giorgio Fedon, Andrea Lombardini)<br> |
| − | [[Bypassing Authentication Schema AoC|4.4.3 Bypassing authentication schema]]<br> | + | [[Bypassing Authentication Schema AoC|4.4.3 Bypassing authentication schema]] (Giorgio Fedon, Andrea Lombardini)<br> |
| − | [[Directory Traversal Testing AoC|4.4.4 Directory traversal/file include]] <br> | + | [[Directory Traversal Testing AoC|4.4.4 Directory traversal/file include]] (Luca Carettoni)<br> |
| − | [[Vulnerable Remember Password and Pwd Reset AoC|4.4.5 Vulnerable remember password and pwd reset]]<br> | + | [[Vulnerable Remember Password and Pwd Reset AoC|4.4.5 Vulnerable remember password and pwd reset]] (Ralph M. Los,Alberto Revelli)<br> |
| − | [[Logout and Browser Cache Management Testing AoC|4.4.6 Logout and Browser Cache Management Testing]]<br> | + | [[Logout and Browser Cache Management Testing AoC|4.4.6 Logout and Browser Cache Management Testing]] (Alberto Revelli)<br> |
| − | [[Session Management Testing AoC|'''4.5 Session Management Testing''']] <br> | + | [[Session Management Testing AoC|'''4.5 Session Management Testing''']] (Glyn Geoghegan, Matteo Meucci, Gunter Ollmann, Stephen DeVries, David Endler)<br> |
| − | [[ Analysis_of_the_Session_Management_Schema_AoC|4.5.1 Analysis of the Session Management Schema]] <br> | + | [[ Analysis_of_the_Session_Management_Schema_AoC|4.5.1 Analysis of the Session Management Schema]] (Matteo Meucci)<br> |
| − | [[ Cookie and Session Token Manipulation AoC|4.5.2 Cookie and Session Token Manipulation]]<br> | + | [[ Cookie and Session Token Manipulation AoC|4.5.2 Cookie and Session Token Manipulation]] (Alberto Revelli, Matteo Meucci)<br> |
| − | [[ Exposed Session Variables AoC|4.5.3 Exposed Session Variables ]]<br> | + | [[ Exposed Session Variables AoC|4.5.3 Exposed Session Variables ]] (Matteo Meucci)<br> |
| − | [[ Session Riding AoC|4.5.4 Session Riding ]]<br> | + | [[ Session Riding AoC|4.5.4 Session Riding ]] (Mauro Bregolin)<br> |
[[ HTTP Exploit AoC|4.5.5 HTTP Exploit ]] (70%, Arian J.Evans, Alberto Revelli)<br> | [[ HTTP Exploit AoC|4.5.5 HTTP Exploit ]] (70%, Arian J.Evans, Alberto Revelli)<br> | ||
| − | [[Data Validation Testing AoC|'''4.6 Data Validation Testing''']] <br> | + | [[Data Validation Testing AoC|'''4.6 Data Validation Testing''']] (Matteo Meucci)<br> |
| − | [[Cross site scripting AoC|4.6.1 Cross Site Scripting]]<br> | + | [[Cross site scripting AoC|4.6.1 Cross Site Scripting]] (Tom Brennan, Tom Ryan) <br> |
| − | [[HTTP Methods and XST AoC|4.6.1.1 HTTP Methods and XST ]]<br> | + | [[HTTP Methods and XST AoC|4.6.1.1 HTTP Methods and XST ]] (Alberto Revelli) <br> |
| − | [[Testing for SQL Injection|4.6.2 SQL Injection ]] | + | [[Testing for SQL Injection|4.6.2 SQL Injection ]] (Antonio Parata, Gary Burns)<br> |
| − | + | [[Oracle Testing AoC|4.6.2.1 Oracle Testing ]](David Litchfield)<br> | |
| − | [[Oracle Testing AoC|4.6.2.1 Oracle Testing ]]<br> | + | [[MySQL Testing AoC|4.6.2.2 MySQL Testing ]] (Stefano Di Paola)<br> |
| − | [[MySQL Testing AoC|4.6.2.2 MySQL Testing ]]<br> | + | [[SQL Server Testing AoC|4.6.2.3 SQL Server Testing ]] (Ariel Waissbein, Laura Nuñez, Alberto Revelli)<br> |
| − | [[SQL Server Testing AoC|4.6.2.3 SQL Server Testing ]]<br> | ||
| − | [[LDAP Injection Testing AoC|4.6.3 LDAP Injection]]<br> | + | [[LDAP Injection Testing AoC|4.6.3 LDAP Injection]] (Stefano Di Paola)<br> |
| − | [[ORM Injection Testing AoC|4.6.4 ORM Injection]]<br> | + | [[ORM Injection Testing AoC|4.6.4 ORM Injection]] (Mark Roxberry)<br> |
| − | [[XML Injection Testing AoC|4.6.5 XML Injection]]<br> | + | [[XML Injection Testing AoC|4.6.5 XML Injection]] (Antonio Parata, Stefano Di Paola)<br> |
| − | [[SSI Injection Testing AoC|4.6.6 SSI Injection]]<br> | + | [[SSI Injection Testing AoC|4.6.6 SSI Injection]] (Claudio Merloni)<br> |
| − | [[XPath Injection Testing AoC|4.6.7 XPath Injection]]<br> | + | [[XPath Injection Testing AoC|4.6.7 XPath Injection]] (Antonio Parata, Alberto Revelli, Stefano Di Paola)<br> |
| − | [[IMAP/SMTP Injection Testing AoC|4.6.8 IMAP/SMTP Injection]]<br> | + | [[IMAP/SMTP Injection Testing AoC|4.6.8 IMAP/SMTP Injection]] (Vicente Aguilera)<br> |
| − | [[Code Injection Testing AoC|4.6.9 Code Injection]]<br> | + | [[Code Injection Testing AoC|4.6.9 Code Injection]] (Mark Roxberry)<br> |
[[OS Commanding Testing AoC|4.6.10 OS Commanding]] (70%, Gary Burns)<br> | [[OS Commanding Testing AoC|4.6.10 OS Commanding]] (70%, Gary Burns)<br> | ||
| Line 102: | Line 101: | ||
[[Format String Testing AoC|4.6.11.3 Format string ]]<br> | [[Format String Testing AoC|4.6.11.3 Format string ]]<br> | ||
| − | [[Incubated Vulnerability Testing AoC|4.6.12 Incubated vulnerability testing]] <br> | + | [[Incubated Vulnerability Testing AoC|4.6.12 Incubated vulnerability testing]] (95%,Ariel Waissbein, Laura Nunez)<br> |
[[Denial of Service Testing AoC|'''4.7 Denial of Service Testing''']] <br> | [[Denial of Service Testing AoC|'''4.7 Denial of Service Testing''']] <br> | ||
| Line 113: | Line 112: | ||
[[DoS Testing: Storing too Much Data in Session|4.7.7 Storing too Much Data in Session]]<br> | [[DoS Testing: Storing too Much Data in Session|4.7.7 Storing too Much Data in Session]]<br> | ||
| − | [[Web Services Testing AoC|'''4.8 Web Services Testing''']] <br> | + | [[Web Services Testing AoC|'''4.8 Web Services Testing''']] (Eoin Keary, Mark Roxberry)<br> |
[[XML Structural Testing AoC|4.8.1 XML Structural Testing ]]<br> | [[XML Structural Testing AoC|4.8.1 XML Structural Testing ]]<br> | ||
[[XML Content-Level Testing AoC|4.8.2 XML Content-level Testing ]]<br> | [[XML Content-Level Testing AoC|4.8.2 XML Content-level Testing ]]<br> | ||
Revision as of 16:44, 10 December 2006
Updated 5th Dec, 21.00 GMT+1
Status: draft
Deadline: 20th December
Legend:
xx%: Progress status of the paragraph
Review: the paragraph need a review (Matteo Meucci)
TD: Paragraph To Be Assigned
Forward
Frontispiece
1.1 About the OWASP Testing Guide Project
1.1.1 Copyright
1.1.2 Editors
1.1.3 Authors and Reviewers (0%, Review)
1.1.4 Revision History
1.1.5 Trademarks
1.2 About The Open Web Application Security Project
1.2.1 Overview
1.2.2 Structure
1.2.3 Licensing
1.2.4 Participation and Membership
1.2.5 Projects
1.2.6 OWASP Privacy Policy
Introduction
2.1 The OWASP Testing Project
2.2 Principles of Testing
2.3 Testing Techniques Explained
The OWASP Testing Framework
3.1. Overview
3.2. Phase 1 — Before Development Begins
3.3. Phase 2: During Definition and Design
3.4. Phase 3: During Development
3.5. Phase 4: During Deployment
3.6. Phase 5: Maintenance and Operations
3.7. A Typical SDLC Testing Workflow
Web Application Penetration Testing
4.1 Introduction and objectives (Matteo Meucci)
4.2 Information Gathering (Carlo Pelliccioni)
4.2.1 Testing Web Application Fingerprint (Antonio Parata)
4.2.2 Application Discovery (Mauro Bregolin)
4.2.3 Spidering and googling (60%,Tom Brennan, Tom Ryan)
4.2.4 Analysis of error code (Carlo Pelliccioni)
4.2.5 Infrastructure configuration management testing (Javier Fernández-Sanguino)
4.2.5.1 SSL/TLS Testing(Mauro Bregolin, Mark Curphey)
4.2.5.2 DB Listener Testing (Eoin Keary, Matteo Meucci)
4.2.6 Application configuration management testing (Javier Fernández-Sanguino)
4.2.6.1 File extensions handling (Mauro Bregolin)
4.2.6.2 Old, backup and unreferenced files (Mauro Bregolin, Javier Fernández Sanguino, Dafydd Studdard)
4.3 Business logic testing (Madhura Halasgikar)
4.4 Authentication Testing (Matteo Meucci)
4.4.1 Default or guessable (dictionary) user account
4.4.2 Brute Force (Giorgio Fedon, Andrea Lombardini)
4.4.3 Bypassing authentication schema (Giorgio Fedon, Andrea Lombardini)
4.4.4 Directory traversal/file include (Luca Carettoni)
4.4.5 Vulnerable remember password and pwd reset (Ralph M. Los,Alberto Revelli)
4.4.6 Logout and Browser Cache Management Testing (Alberto Revelli)
4.5 Session Management Testing (Glyn Geoghegan, Matteo Meucci, Gunter Ollmann, Stephen DeVries, David Endler)
4.5.1 Analysis of the Session Management Schema (Matteo Meucci)
4.5.2 Cookie and Session Token Manipulation (Alberto Revelli, Matteo Meucci)
4.5.3 Exposed Session Variables (Matteo Meucci)
4.5.4 Session Riding (Mauro Bregolin)
4.5.5 HTTP Exploit (70%, Arian J.Evans, Alberto Revelli)
4.6 Data Validation Testing (Matteo Meucci)
4.6.1 Cross Site Scripting (Tom Brennan, Tom Ryan)
4.6.1.1 HTTP Methods and XST (Alberto Revelli)
4.6.2 SQL Injection (Antonio Parata, Gary Burns)
4.6.2.1 Oracle Testing (David Litchfield)
4.6.2.2 MySQL Testing (Stefano Di Paola)
4.6.2.3 SQL Server Testing (Ariel Waissbein, Laura Nuñez, Alberto Revelli)
4.6.3 LDAP Injection (Stefano Di Paola)
4.6.4 ORM Injection (Mark Roxberry)
4.6.5 XML Injection (Antonio Parata, Stefano Di Paola)
4.6.6 SSI Injection (Claudio Merloni)
4.6.7 XPath Injection (Antonio Parata, Alberto Revelli, Stefano Di Paola)
4.6.8 IMAP/SMTP Injection (Vicente Aguilera)
4.6.9 Code Injection (Mark Roxberry)
4.6.10 OS Commanding (70%, Gary Burns)
4.6.11 Buffer overflow Testing
4.6.11.1 Heap overflow
4.6.11.2 Stack overflow
4.6.11.3 Format string
4.6.12 Incubated vulnerability testing (95%,Ariel Waissbein, Laura Nunez)
4.7 Denial of Service Testing
4.7.1 Locking Customer Accounts
4.7.2 Buffer Overflows
4.7.3 User Specified Object Allocation
4.7.4 User Input as a Loop Counter
4.7.5 Writing User Provided Data to Disk
4.7.6 Failure to Release Resources
4.7.7 Storing too Much Data in Session
4.8 Web Services Testing (Eoin Keary, Mark Roxberry)
4.8.1 XML Structural Testing
4.8.2 XML Content-level Testing
4.8.3 HTTP GET parameters/REST Testing
4.8.4 Naughty SOAP attachments
4.8.5 Replay Testing
4.9 AJAX Testing (70%, Dan Cornell, Giorgio Fedon, Stefano Di Paola, Anush Shetty)
4.9.1 AJAX Vulnerabilities
4.9.2 How to test AJAX
Writing Reports: value the real risk
5.1 How to value the real risk (90%, Daniel Cuthbert, Matteo Meucci, Sebastien Deleersnyder, Marco Morana)
5.2 How to write the report of the testing (Daniel Cuthbert, Tom Brennan)
Appendix A: Testing Tools
- Black Box Testing Tools
- Source Code Analyzers
- Other Tools
Appendix B: Suggested Reading
- Whitepapers
- Books
- Useful Websites
Appendix C: Fuzz Vectors
- Fuzz Categories
- Recursive fuzzing
- Replasive fuzzing
- Cross Site Scripting (XSS)
- Buffer Overflows and Format String Errors
- Buffer Overflows (BFO)
- Format String Errors (FSE)
- Integer Overflows (INT)
- SQL Injection
- Passive SQL Injection (SQP)
- Active SQL Injection (SQI)
- LDAP Injection
- XPATH Injection
OWASP Testing Guide v2
Here is the OWASP Testing Guide v2 Table of Contents
