This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "OWASP Testing Guide v2 Table of Contents"
| Line 45: | Line 45: | ||
==[[Web Application Penetration Testing AoC |Web Application Penetration Testing ]]== | ==[[Web Application Penetration Testing AoC |Web Application Penetration Testing ]]== | ||
| − | [[Introduction and objectives Testing AoC|'''4.1 Introduction and objectives''']] | + | [[Introduction and objectives Testing AoC|'''4.1 Introduction and objectives''']] <br> |
| − | [[Information Gathering Testing AoC|'''4.2 Information Gathering''']] | + | [[Information Gathering Testing AoC|'''4.2 Information Gathering''']]<br> |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | [[ | + | [[Testing for Web Application Fingerprint|4.2.1 Testing Web Application Fingerprint]]<br> |
| + | [[Application Discovery AoC|4.2.2 Application Discovery]]<br> | ||
| + | [[Spidering and googling AoC|4.2.3 Spidering and googling]] <br> | ||
| + | [[Testing for Error Code|4.2.4 Analysis of error code]] <br> | ||
| + | [[Infrastructure configuration management testing AoC|4.2.5 Infrastructure configuration management testing]]<br> | ||
| + | [[SSL/TLS Testing AoC|4.2.5.1 SSL/TLS Testing ]]<br> | ||
| + | [[DB Listener Testing AoC|4.2.5.2 DB Listener Testing ]]<br> | ||
| + | [[Application configuration management testing AoC|4.2.6 Application configuration management testing]] <br> | ||
| + | [[File extensions handling AoC|4.2.6.1 File extensions handling ]]<br> | ||
| + | [[Old_file_testing_AoC|4.2.6.2 Old, backup and unreferenced files ]]<br> | ||
| − | [[ | + | [[Business logic testing AoC|'''4.3 Business logic testing''']] <br> |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | [[ | + | [[Authentication Testing Aoc|'''4.4 Authentication Testing''']] <br> |
| − | [[ | + | [[Default or Guessable User Account Testing AoC|4.4.1 Default or guessable (dictionary) user account]]<br> |
| − | [[ | + | [[Brute Force Testing AoC|4.4.2 Brute Force]]<br> |
| − | [[ | + | [[Bypassing Authentication Schema AoC|4.4.3 Bypassing authentication schema]]<br> |
| − | [[ | + | [[Directory Traversal Testing AoC|4.4.4 Directory traversal/file include]] <br> |
| − | [[ | + | [[Vulnerable Remember Password and Pwd Reset AoC|4.4.5 Vulnerable remember password and pwd reset]]<br> |
| + | [[Logout and Browser Cache Management Testing AoC|4.4.6 Logout and Browser Cache Management Testing]]<br> | ||
| − | [[ | + | [[Session Management Testing AoC|'''4.5 Session Management Testing''']] <br> |
| − | [[ | + | [[ Analysis_of_the_Session_Management_Schema_AoC|4.5.1 Analysis of the Session Management Schema]] <br> |
| − | [[ | + | [[ Cookie and Session Token Manipulation AoC|4.5.2 Cookie and Session Token Manipulation]]<br> |
| − | [[ | + | [[ Exposed Session Variables AoC|4.5.3 Exposed Session Variables ]]<br> |
| − | [[ | + | [[ Session Riding AoC|4.5.4 Session Riding ]]<br> |
| − | + | [[ HTTP Exploit AoC|4.5.5 HTTP Exploit ]]<br> | |
| − | [[ | ||
| − | [[LDAP Injection Testing AoC|4.6.3 LDAP Injection]] | + | [[Data Validation Testing AoC|'''4.6 Data Validation Testing''']] <br> |
| − | [[ORM Injection Testing AoC|4.6.4 ORM Injection]] | + | [[Cross site scripting AoC|4.6.1 Cross Site Scripting]]<br> |
| − | [[XML Injection Testing AoC|4.6.5 XML Injection]] | + | [[HTTP Methods and XST AoC|4.6.1.1 HTTP Methods and XST ]]<br> |
| − | [[SSI Injection Testing AoC|4.6.6 SSI Injection]] | + | [[Testing for SQL Injection|4.6.2 SQL Injection ]]<br> |
| − | [[XPath Injection Testing AoC|4.6.7 XPath Injection]] | + | [[Stored Procedure Injection AoC| Stored procedure injection (moving to Testing for SQL Injection testing) ]]<br> |
| − | [[IMAP/SMTP Injection Testing AoC|4.6.8 IMAP/SMTP Injection]] | + | [[Oracle Testing AoC|4.6.2.1 Oracle Testing ]]<br> |
| − | [[Code Injection Testing AoC|4.6.9 Code Injection]] | + | [[MySQL Testing AoC|4.6.2.2 MySQL Testing ]]<br> |
| − | [[OS Commanding Testing AoC|4.6.10 OS Commanding]] | + | [[SQL Server Testing AoC|4.6.2.3 SQL Server Testing ]]<br> |
| + | |||
| + | [[LDAP Injection Testing AoC|4.6.3 LDAP Injection]]<br> | ||
| + | [[ORM Injection Testing AoC|4.6.4 ORM Injection]]<br> | ||
| + | [[XML Injection Testing AoC|4.6.5 XML Injection]]<br> | ||
| + | [[SSI Injection Testing AoC|4.6.6 SSI Injection]]<br> | ||
| + | [[XPath Injection Testing AoC|4.6.7 XPath Injection]]<br> | ||
| + | [[IMAP/SMTP Injection Testing AoC|4.6.8 IMAP/SMTP Injection]]<br> | ||
| + | [[Code Injection Testing AoC|4.6.9 Code Injection]]<br> | ||
| + | [[OS Commanding Testing AoC|4.6.10 OS Commanding]]<br> | ||
[[Buffer Overflow Testing AoC|4.6.11 Buffer overflow Testing ]]<br> | [[Buffer Overflow Testing AoC|4.6.11 Buffer overflow Testing ]]<br> | ||
| Line 98: | Line 100: | ||
[[Format String Testing AoC|4.6.11.3 Format string ]]<br> | [[Format String Testing AoC|4.6.11.3 Format string ]]<br> | ||
| − | [[Incubated Vulnerability Testing AoC|4.6.12 Incubated vulnerability testing]] | + | [[Incubated Vulnerability Testing AoC|4.6.12 Incubated vulnerability testing]] <br> |
[[Denial of Service Testing AoC|'''4.7 Denial of Service Testing''']] <br> | [[Denial of Service Testing AoC|'''4.7 Denial of Service Testing''']] <br> | ||
| Line 109: | Line 111: | ||
[[DoS Testing: Storing too Much Data in Session|4.7.7 Storing too Much Data in Session]]<br> | [[DoS Testing: Storing too Much Data in Session|4.7.7 Storing too Much Data in Session]]<br> | ||
| − | [[Web Services Testing AoC|'''4.8 Web Services Testing''']] | + | [[Web Services Testing AoC|'''4.8 Web Services Testing''']] <br> |
[[XML Structural Testing AoC|4.8.1 XML Structural Testing ]]<br> | [[XML Structural Testing AoC|4.8.1 XML Structural Testing ]]<br> | ||
[[XML Content-Level Testing AoC|4.8.2 XML Content-level Testing ]]<br> | [[XML Content-Level Testing AoC|4.8.2 XML Content-level Testing ]]<br> | ||
| Line 116: | Line 118: | ||
[[WS Replay Testing|4.8.5 Replay Testing ]]<br> | [[WS Replay Testing|4.8.5 Replay Testing ]]<br> | ||
| − | [[AJAX Testing AoC|'''4.9 AJAX Testing''']] | + | [[AJAX Testing AoC|'''4.9 AJAX Testing''']] <br> |
[[AJAX Vulnerabilities AoC |4.9.1 AJAX Vulnerabilities ]]<br> | [[AJAX Vulnerabilities AoC |4.9.1 AJAX Vulnerabilities ]]<br> | ||
[[AJAX How to test AoC|4.9.2 How to test AJAX ]]<br> | [[AJAX How to test AoC|4.9.2 How to test AJAX ]]<br> | ||
Revision as of 13:54, 17 December 2006
Updated 16th Dec, 18.00 GMT+1
Status: draft
Deadline: 16th December
Legend:
xx%: Progress status of the paragraph
Review: the paragraph need a review (Matteo Meucci)
Forward
Frontispiece
1.1 About the OWASP Testing Guide Project
1.1.1 Copyright
1.1.2 Editors
1.1.3 Authors and Reviewers
1.1.4 Revision History
1.1.5 Trademarks
1.2 About The Open Web Application Security Project
1.2.1 Overview
1.2.2 Structure
1.2.3 Licensing
1.2.4 Participation and Membership
1.2.5 Projects
1.2.6 OWASP Privacy Policy
Introduction
2.1 The OWASP Testing Project
2.2 Principles of Testing
2.3 Testing Techniques Explained
The OWASP Testing Framework
3.1. Overview
3.2. Phase 1 — Before Development Begins
3.3. Phase 2: During Definition and Design
3.4. Phase 3: During Development
3.5. Phase 4: During Deployment
3.6. Phase 5: Maintenance and Operations
3.7. A Typical SDLC Testing Workflow
Web Application Penetration Testing
4.1 Introduction and objectives
4.2.1 Testing Web Application Fingerprint
4.2.2 Application Discovery
4.2.3 Spidering and googling
4.2.4 Analysis of error code
4.2.5 Infrastructure configuration management testing
4.2.5.1 SSL/TLS Testing
4.2.5.2 DB Listener Testing
4.2.6 Application configuration management testing
4.2.6.1 File extensions handling
4.2.6.2 Old, backup and unreferenced files
4.4 Authentication Testing
4.4.1 Default or guessable (dictionary) user account
4.4.2 Brute Force
4.4.3 Bypassing authentication schema
4.4.4 Directory traversal/file include
4.4.5 Vulnerable remember password and pwd reset
4.4.6 Logout and Browser Cache Management Testing
4.5 Session Management Testing
4.5.1 Analysis of the Session Management Schema
4.5.2 Cookie and Session Token Manipulation
4.5.3 Exposed Session Variables
4.5.4 Session Riding
4.5.5 HTTP Exploit
4.6 Data Validation Testing
4.6.1 Cross Site Scripting
4.6.1.1 HTTP Methods and XST
4.6.2 SQL Injection
Stored procedure injection (moving to Testing for SQL Injection testing)
4.6.2.1 Oracle Testing
4.6.2.2 MySQL Testing
4.6.2.3 SQL Server Testing
4.6.3 LDAP Injection
4.6.4 ORM Injection
4.6.5 XML Injection
4.6.6 SSI Injection
4.6.7 XPath Injection
4.6.8 IMAP/SMTP Injection
4.6.9 Code Injection
4.6.10 OS Commanding
4.6.11 Buffer overflow Testing
4.6.11.1 Heap overflow
4.6.11.2 Stack overflow
4.6.11.3 Format string
4.6.12 Incubated vulnerability testing
4.7 Denial of Service Testing
4.7.1 Locking Customer Accounts
4.7.2 Buffer Overflows
4.7.3 User Specified Object Allocation
4.7.4 User Input as a Loop Counter
4.7.5 Writing User Provided Data to Disk
4.7.6 Failure to Release Resources
4.7.7 Storing too Much Data in Session
4.8 Web Services Testing
4.8.1 XML Structural Testing
4.8.2 XML Content-level Testing
4.8.3 HTTP GET parameters/REST Testing
4.8.4 Naughty SOAP attachments
4.8.5 Replay Testing
4.9 AJAX Testing
4.9.1 AJAX Vulnerabilities
4.9.2 How to test AJAX
Writing Reports: value the real risk
5.1 How to value the real risk (90%, Daniel Cuthbert, Matteo Meucci, Sebastien Deleersnyder, Marco Morana)
5.2 How to write the report of the testing (Daniel Cuthbert, Tom Brennan)
Appendix A: Testing Tools
- Black Box Testing Tools
- Source Code Analyzers
- Other Tools
Appendix B: Suggested Reading
- Whitepapers
- Books
- Useful Websites
Appendix C: Fuzz Vectors
- Fuzz Categories
- Recursive fuzzing
- Replasive fuzzing
- Cross Site Scripting (XSS)
- Buffer Overflows and Format String Errors
- Buffer Overflows (BFO)
- Format String Errors (FSE)
- Integer Overflows (INT)
- SQL Injection
- Passive SQL Injection (SQP)
- Active SQL Injection (SQI)
- LDAP Injection
- XPATH Injection
OWASP Testing Guide v2
Here is the OWASP Testing Guide v2 Table of Contents
