This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP Testing Guide v3 Table of Contents"

From OWASP
Jump to: navigation, search
Line 10: Line 10:
 
<br>This [http://www.owasp.org/index.php/Image:Planning_OTGv3.doc document] analyze the OWASP Testing Guide v2 checklist and a plan for create the new v3.
 
<br>This [http://www.owasp.org/index.php/Image:Planning_OTGv3.doc document] analyze the OWASP Testing Guide v2 checklist and a plan for create the new v3.
  
1) security requirements tests derivazione functional and non functional
 
test requirements and test cases through use e misuse cases.
 
2) security tests integrated in developers and testers workflows:
 
2.a Developers security tests; Unit Tests, component levels tests
 
2.b Functional testers security tests: integrated system tests, tests in UAT
 
and production environment
 
3) Security test data analysis and reporting: root cause identification and
 
business/role case test data reporting
 
  
 
* 1) Methodical Testing (new category) <-- (Mat) needs explanation
 
* 1) Methodical Testing (new category) <-- (Mat) needs explanation
Line 53: Line 45:
 
*** Flash Testing (new)
 
*** Flash Testing (new)
 
*** RIA stuff (new)  
 
*** RIA stuff (new)  
 +
 +
 +
Testing Guide v3 (draft 20th May 2008)
 +
 +
The core index is the OTG v2. (new): new articles, (toimp): needs to improve
 +
 +
==[[Testing Guide Foreword|Foreword by OWASP Chair]]==
 +
 +
==[[Testing Guide Frontispiece |1. Frontispiece]]==
 +
 +
'''[[Testing Guide Frontispiece|1.1 About the OWASP Testing Guide Project]]'''
 +
 +
1.1.1 Copyright
 +
 +
1.1.2 Editors
 +
 +
1.1.3 Authors and Reviewers
 +
 +
1.1.4 Revision History
 +
 +
1.1.5 Trademarks
 +
 +
'''[[About The Open Web Application Security Project|1.2 About The Open Web Application Security Project]]'''
 +
 +
1.2.1 Overview
 +
 +
1.2.2 Structure
 +
 +
1.2.3 Licensing
 +
 +
1.2.4 Participation and Membership
 +
 +
1.2.5 Projects
 +
 +
1.2.6 OWASP Privacy Policy
 +
 +
 +
==[[Testing Guide Introduction|2. Introduction]]==
 +
 +
'''2.1 The OWASP Testing Project'''
 +
 +
'''2.2 Principles of Testing'''
 +
 +
'''2.3 Testing Techniques Explained'''
 +
 +
''' (new) 2.4 security requirements tests derivazione functional and non functional
 +
test requirements and test cases through use e misuse cases.'''
 +
 +
''' (new) 2.4.1 security tests integrated in developers and testers workflows:'''
 +
''' (new) 2.4.2 Developers security tests; Unit Tests, component levels tests'''
 +
''' (new) 2.4.3 Functional testers security tests: integrated system tests, tests in UAT
 +
and production environment'''
 +
''' (new) 2.5 Security test data analysis and reporting: root cause identification and
 +
business/role case test data reporting'''
 +
 +
 +
==[[The OWASP Testing Framework|3. The OWASP Testing Framework]]==
 +
 +
'''3.1. Overview'''
 +
 +
'''3.2. Phase 1: Before Development Begins '''
 +
 +
'''3.3. Phase 2: During Definition and Design'''
 +
 +
'''3.4. Phase 3: During Development'''
 +
 +
'''3.5. Phase 4: During Deployment'''
 +
 +
'''3.6. Phase 5: Maintenance and Operations'''
 +
 +
'''3.7. A Typical SDLC Testing Workflow '''
 +
 +
==[[Web Application Penetration Testing |4. Web Application Penetration Testing ]]==
 +
 +
[[Testing: Introduction and objectives|'''4.1 Introduction and Objectives''']]
 +
 +
[[Testing: Information Gathering|'''4.2 Information Gathering''']]
 +
 +
[[Testing for Web Application Fingerprint|4.2.1 Testing Web Application Fingerprint]]
 +
 +
[[Testing for Application Discovery|4.2.2 Application Discovery]]
 +
 +
[[Testing: Spidering and googling|4.2.3 Spidering and Googling]]
 +
 +
[[Testing for Error Code|4.2.4 Analysis of Error Codes]]
 +
 +
[[Testing for infrastructure configuration management|4.2.5 Infrastructure
 +
Configuration Management Testing]]
 +
 +
[[Testing for SSL-TLS|4.2.5.1 SSL/TLS Testing]]
 +
 +
[[Testing for DB Listener|4.2.5.2 DB Listener Testing]]
 +
 +
[[Testing for application configuration management|4.2.6 Application Configuration Management Testing]]
 +
 +
[[Testing for file extensions handling|4.2.6.1 Testing for File Extensions Handling]]
 +
 +
[[Testing for old_file|4.2.6.2 Old, backup and unreferenced files]]
 +
 +
[[Testing for business logic|'''4.3 Business Logic Testing''']]
 +
 +
[[Testing for authentication|'''4.4 Authentication Testing''']]
 +
 +
[[Testing for Default or Guessable User Account|4.4.1 Testing for Guessable (Dictionary) User Account]]
 +
 +
[[Testing for Brute Force|4.4.2 Brute Force Testing]]
 +
 +
[[Testing for Bypassing Authentication Schema|4.4.3 Testing for bypassing authentication schema]]
 +
 +
[[Testing for Directory Traversal|4.4.4 Testing for directory traversal/file include]]
 +
 +
[[Testing for Vulnerable Remember Password and Pwd Reset|4.4.5 Testing for vulnerable remember
 +
password and pwd reset]]
 +
 +
[[Testing for Logout and Browser Cache Management|4.4.6 Testing for Logout and Browser Cache Management Testing]]
 +
 +
[[Testing for Session Management|'''4.5 Session Management Testing''']]
 +
 +
[[Testing for Session_Management_Schema|4.5.1 Testing for Session Management Schema]]
 +
 +
[[Testing for Cookie and Session Token Manipulation|4.5.2 Testing for Cookie and Session Token Manipulation]]
 +
 +
[[Testing for Exposed Session Variables|4.5.3 Testing for Exposed Session Variables ]]
 +
 +
[[Testing for CSRF|4.5.4 Testing for CSRF]]
 +
 +
[[Testing for HTTP Exploit|4.5.5 Testing for HTTP Exploit ]]
 +
 +
[[Testing for Data Validation|'''4.6 Data Validation Testing''']]
 +
 +
[[Testing for Cross site scripting|4.6.1 Testing for Cross Site Scripting]]
 +
 +
[[Testing for HTTP Methods and XST|4.6.1.1 Testing for HTTP Methods and XST ]]
 +
 +
[[Testing for SQL Injection|4.6.2 Testing for SQL Injection ]]
 +
 +
[[Testing for Oracle|4.6.2.1 Oracle Testing ]]
 +
 +
[[Testing for MySQL|4.6.2.2 MySQL Testing ]]
 +
 +
[[Testing for SQL Server|4.6.2.3 SQL Server Testing]]
 +
 +
[[Testing for LDAP Injection|4.6.3 Testing for LDAP Injection]]
 +
 +
[[Testing for ORM Injection|4.6.4 Testing for ORM Injection]]
 +
 +
[[Testing for XML Injection|4.6.5 Testing for XML Injection]]
 +
 +
[[Testing for SSI Injection|4.6.6 Testing for SSI Injection]]
 +
 +
[[Testing for XPath Injection|4.6.7 Testing for XPath Injection]]
 +
 +
[[Testing for IMAP/SMTP Injection|4.6.8 IMAP/SMTP Injection]]
 +
 +
[[Testing for Code Injection|4.6.9 Testing for Code Injection]]
 +
 +
[[Testing for Command Injection|4.6.10 Testing for Command Injection]]
 +
 +
[[Testing for Buffer Overflow|4.6.11 Testing for Buffer overflow]]
 +
 +
[[Testing for Heap Overflow|4.6.11.1 Testing for Heap overflow]]
 +
 +
[[Testing for Stack Overflow|4.6.11.2 Testing for Stack overflow]]
 +
 +
[[Testing for Format String|4.6.11.3 Testing for Format string]]
 +
 +
[[Testing for Incubated Vulnerability|4.6.12 Testing for incubated vulnerabilities]]
 +
 +
[[Testing for Denial of Service|'''4.7 Testing for Denial of Service''']]
 +
 +
[[Testing for DoS Locking Customer Accounts|4.7.1 Testing for DoS Locking Customer Accounts]]
 +
 +
[[Testing for DoS Buffer Overflows|4.7.2 Testing for DoS Buffer Overflows]]
 +
 +
[[Testing for DoS User Specified Object Allocation|4.7.3 Testing for DoS User Specified Object Allocation]]
 +
 +
[[Testing for User Input as a Loop Counter|4.7.4 Testing for User Input as a Loop Counter]]
 +
 +
[[Testing for Writing User Provided Data to Disk|4.7.5 Testing for Writing User Provided Data to Disk]]
 +
 +
[[Testing for DoS Failure to Release Resources|4.7.6 Testing for DoS Failure to Release Resources]]
 +
 +
[[Testing for Storing too Much Data in Session|4.7.7 Testing for Storing too Much Data in Session]]
 +
 +
[[Testing for Web Services|'''4.8 Web Services Testing''']]
 +
 +
[[Testing for XML Structural|4.8.1 XML Structural Testing]]
 +
 +
[[Testing for XML Content-Level|4.8.2 XML Content-level Testing]]
 +
 +
[[Testing for WS HTTP GET parameters/REST attacks|4.8.3 HTTP GET parameters/REST Testing ]]
 +
 +
[[Testing for Naughty SOAP Attachments|4.8.4 Testing for Naughty SOAP attachments]]
 +
 +
[[Testing for WS Replay|4.8.5 WS Replay Testing]]
 +
 +
[[Testing_for_AJAX:_introduction|'''4.9 AJAX Testing''']]
 +
 +
[[Testing for AJAX Vulnerabilities|4.9.1 AJAX Vulnerabilities]]
 +
 +
[[Testing for AJAX|4.9.2 How to test AJAX]]
 +
 +
==[[Writing Reports: value the real risk |5. Writing Reports: value the real risk ]]==
 +
 +
[[How to value the real risk |5.1 How to value the real risk]]
 +
 +
[[How to write the report of the testing |5.2 How to write the report of the testing]]
 +
 +
 +
==[[Appendix A: Testing Tools |Appendix A: Testing Tools ]]==
 +
 +
* Black Box Testing Tools
 +
* Source Code Analyzers
 +
* Other Tools
 +
 +
 +
==[[OWASP Testing Guide Appendix B: Suggested Reading | Appendix B: Suggested Reading]]==
 +
* Whitepapers
 +
* Books
 +
* Useful Websites
 +
 +
 +
==[[OWASP Testing Guide Appendix C: Fuzz Vectors | Appendix C: Fuzz Vectors]]==
 +
 +
* Fuzz Categories
 +
** Recursive fuzzing
 +
** Replasive fuzzing
 +
* Cross Site Scripting (XSS)
 +
* Buffer Overflows and Format String Errors
 +
** Buffer Overflows (BFO)
 +
** Format String Errors (FSE)
 +
** Integer Overflows (INT)
 +
* SQL Injection
 +
** Passive SQL Injection (SQP)
 +
** Active SQL Injection (SQI)
 +
* LDAP Injection
 +
* XPATH Injection
 +
 +
 +
  
 
[[Category:OWASP Testing Project]]
 
[[Category:OWASP Testing Project]]

Revision as of 05:40, 20 May 2008


26th April 2008 This is the draft of table of content of the New Testing Guide. You can download the stable version here or read it on line here

Also see http://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Startup.


The new OWASP testing Guidev3:
This document analyze the OWASP Testing Guide v2 checklist and a plan for create the new v3.


  • 1) Methodical Testing (new category) <-- (Mat) needs explanation
  • 2) Authorization testing missing. (new category)
  • 3) Information gathering is not a vulnerability
  • 4) Business logic testing
  • 5) Infrastructural test  (new category) *this has to only concentrate on 80 and 443 and other web related testing
  • 6) Web Services section needs improvement
  • 7) AJAX Testing section needs improvement
  • 8) Testing Methodology section updates (requirements, plans, levels and environments)
  • 9) New category: Client side Testing
  • 10) New category: Thick Client Testing
  • 11) New category: Flash/Silverlight Applications
  • 12) New category: Assessing Financial Applications
  • 13) New category: Fuzzing (we have the vectors, but this should explain the whole concept)

Proposed new categories for the OTG v3:

  • OTG Form Templates
    • OTG Request for Quote (RFQ) (new)
    • OTG 3rd Party Assessment Authorization Form (new)
    • OTG Sample Report (new)
  • Passive Mode
  • Information Gathering
  • Business logic testing
  • Web Application Penetration Testing
    • Infrastructural testing
    • Authentication Testing
    • Authorization Testing (new)
    • Session Management Testing
    • Data Validation Testing
    • Denial of Service Testing
    • Web Services Testing
    • Client-Side Testing
      • AJAX Testing
      • Flash Testing (new)
      • RIA stuff (new) 


Testing Guide v3 (draft 20th May 2008)

The core index is the OTG v2. (new): new articles, (toimp): needs to improve

Foreword by OWASP Chair

1. Frontispiece

1.1 About the OWASP Testing Guide Project

1.1.1 Copyright

1.1.2 Editors

1.1.3 Authors and Reviewers

1.1.4 Revision History

1.1.5 Trademarks

1.2 About The Open Web Application Security Project

1.2.1 Overview

1.2.2 Structure

1.2.3 Licensing

1.2.4 Participation and Membership

1.2.5 Projects

1.2.6 OWASP Privacy Policy


2. Introduction

2.1 The OWASP Testing Project

2.2 Principles of Testing

2.3 Testing Techniques Explained

(new) 2.4 security requirements tests derivazione functional and non functional test requirements and test cases through use e misuse cases.

(new) 2.4.1 security tests integrated in developers and testers workflows: (new) 2.4.2 Developers security tests; Unit Tests, component levels tests (new) 2.4.3 Functional testers security tests: integrated system tests, tests in UAT and production environment (new) 2.5 Security test data analysis and reporting: root cause identification and business/role case test data reporting


3. The OWASP Testing Framework

3.1. Overview

3.2. Phase 1: Before Development Begins

3.3. Phase 2: During Definition and Design

3.4. Phase 3: During Development

3.5. Phase 4: During Deployment

3.6. Phase 5: Maintenance and Operations

3.7. A Typical SDLC Testing Workflow

4. Web Application Penetration Testing

4.1 Introduction and Objectives

4.2 Information Gathering

4.2.1 Testing Web Application Fingerprint

4.2.2 Application Discovery

4.2.3 Spidering and Googling

4.2.4 Analysis of Error Codes

4.2.5 Infrastructure Configuration Management Testing

4.2.5.1 SSL/TLS Testing

4.2.5.2 DB Listener Testing

4.2.6 Application Configuration Management Testing

4.2.6.1 Testing for File Extensions Handling

4.2.6.2 Old, backup and unreferenced files

4.3 Business Logic Testing

4.4 Authentication Testing

4.4.1 Testing for Guessable (Dictionary) User Account

4.4.2 Brute Force Testing

4.4.3 Testing for bypassing authentication schema

4.4.4 Testing for directory traversal/file include

4.4.5 Testing for vulnerable remember password and pwd reset

4.4.6 Testing for Logout and Browser Cache Management Testing

4.5 Session Management Testing

4.5.1 Testing for Session Management Schema

4.5.2 Testing for Cookie and Session Token Manipulation

4.5.3 Testing for Exposed Session Variables

4.5.4 Testing for CSRF

4.5.5 Testing for HTTP Exploit

4.6 Data Validation Testing

4.6.1 Testing for Cross Site Scripting

4.6.1.1 Testing for HTTP Methods and XST

4.6.2 Testing for SQL Injection

4.6.2.1 Oracle Testing

4.6.2.2 MySQL Testing

4.6.2.3 SQL Server Testing

4.6.3 Testing for LDAP Injection

4.6.4 Testing for ORM Injection

4.6.5 Testing for XML Injection

4.6.6 Testing for SSI Injection

4.6.7 Testing for XPath Injection

4.6.8 IMAP/SMTP Injection

4.6.9 Testing for Code Injection

4.6.10 Testing for Command Injection

4.6.11 Testing for Buffer overflow

4.6.11.1 Testing for Heap overflow

4.6.11.2 Testing for Stack overflow

4.6.11.3 Testing for Format string

4.6.12 Testing for incubated vulnerabilities

4.7 Testing for Denial of Service

4.7.1 Testing for DoS Locking Customer Accounts

4.7.2 Testing for DoS Buffer Overflows

4.7.3 Testing for DoS User Specified Object Allocation

4.7.4 Testing for User Input as a Loop Counter

4.7.5 Testing for Writing User Provided Data to Disk

4.7.6 Testing for DoS Failure to Release Resources

4.7.7 Testing for Storing too Much Data in Session

4.8 Web Services Testing

4.8.1 XML Structural Testing

4.8.2 XML Content-level Testing

4.8.3 HTTP GET parameters/REST Testing

4.8.4 Testing for Naughty SOAP attachments

4.8.5 WS Replay Testing

4.9 AJAX Testing

4.9.1 AJAX Vulnerabilities

4.9.2 How to test AJAX

5. Writing Reports: value the real risk

5.1 How to value the real risk

5.2 How to write the report of the testing


Appendix A: Testing Tools

  • Black Box Testing Tools
  • Source Code Analyzers
  • Other Tools


Appendix B: Suggested Reading

  • Whitepapers
  • Books
  • Useful Websites


Appendix C: Fuzz Vectors

  • Fuzz Categories
    • Recursive fuzzing
    • Replasive fuzzing
  • Cross Site Scripting (XSS)
  • Buffer Overflows and Format String Errors
    • Buffer Overflows (BFO)
    • Format String Errors (FSE)
    • Integer Overflows (INT)
  • SQL Injection
    • Passive SQL Injection (SQP)
    • Active SQL Injection (SQI)
  • LDAP Injection
  • XPATH Injection
Retrieved from "https://wiki.owasp.org/index.php?title=OWASP_Testing_Guide_v3_Table_of_Contents&oldid=29563"