This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "OWASP Testing Guide v4 Table of Contents"
m |
|||
| Line 1: | Line 1: | ||
__NOTOC__ | __NOTOC__ | ||
| − | This is the table of content of the New Testing Guide v4 | + | '''This is DRAFT of the table of content of the New Testing Guide v4.'''<br> |
| − | You can download the stable version [http://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf here] <br> | + | <br>You can download the stable version [http://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf here] <br> |
Back to the OWASP Testing Guide Project: | Back to the OWASP Testing Guide Project: | ||
| Line 11: | Line 11: | ||
The following are the main improvements we have to realize: <br> | The following are the main improvements we have to realize: <br> | ||
| − | (1) - | + | (1) - Add new testing techniques and OWASP Top10 update: <br> |
- Testing for HTTP Verb tampering<br> | - Testing for HTTP Verb tampering<br> | ||
- Testing for HTTP Parameter Pollutions<br> | - Testing for HTTP Parameter Pollutions<br> | ||
| Line 24: | Line 24: | ||
<br> | <br> | ||
(3) - Create a more readable guide, eliminating some sections that are not | (3) - Create a more readable guide, eliminating some sections that are not | ||
| − | really useful, Rationalize some sections as Session Management | + | really useful, Rationalize some sections as Session Management Testing. |
| − | Testing | + | |
| + | (4) Pavol says: - add new opensource testing tools that appeared during last 3 years | ||
| + | (and are missing in the OWASP Testing Guide v3) | ||
| + | |||
| + | - add few useful and life-scenarios of possible | ||
| + | vulnerabilities in Bussiness Logic Testing (many testers have no idea what | ||
| + | vulnerabilities in Business Logic exactly mean) | ||
| + | |||
| + | - "Brute force testing" of "session ID" is missing in "Session Management | ||
| + | Testing", describe other tools for Session ID entropy analysis | ||
| + | (e.g. Stompy) | ||
| + | |||
| + | - in "Data Validation Testing" describe some basic obfuscation methods for | ||
| + | malicious code injection including the statements how it is possible to | ||
| + | detect it (web application obfuscation is quite succesfull in bypassing | ||
| + | many data validation controls) | ||
| + | |||
| + | - split the phase Logout and Browser Cache Management" into two sections | ||
| + | |||
| + | |||
<br><br><br><br><br> | <br><br><br><br><br> | ||
'''T A B L E o f C O N T E N T S (DRAFT)''' | '''T A B L E o f C O N T E N T S (DRAFT)''' | ||
Revision as of 20:20, 29 August 2012
This is DRAFT of the table of content of the New Testing Guide v4.
You can download the stable version here
Back to the OWASP Testing Guide Project: http://www.owasp.org/index.php/OWASP_Testing_Project
Updated: 28th August 2012
The following are the main improvements we have to realize:
(1) - Add new testing techniques and OWASP Top10 update:
- Testing for HTTP Verb tampering
- Testing for HTTP Parameter Pollutions
- Testing for URL Redirection
- Testing for Insecure Direct Object References
- Testing for Insecure Cryptographic Storage
- Testing for Failure to Restrict URL Access
- Testing for Insufficient Transport Layer Protection
- Testing for Unvalidated Redirects and Forwards.
(2) - Review and improve all the sections in v3,
(3) - Create a more readable guide, eliminating some sections that are not
really useful, Rationalize some sections as Session Management Testing.
(4) Pavol says: - add new opensource testing tools that appeared during last 3 years (and are missing in the OWASP Testing Guide v3)
- add few useful and life-scenarios of possible vulnerabilities in Bussiness Logic Testing (many testers have no idea what vulnerabilities in Business Logic exactly mean)
- "Brute force testing" of "session ID" is missing in "Session Management Testing", describe other tools for Session ID entropy analysis (e.g. Stompy)
- in "Data Validation Testing" describe some basic obfuscation methods for malicious code injection including the statements how it is possible to detect it (web application obfuscation is quite succesfull in bypassing many data validation controls)
- split the phase Logout and Browser Cache Management" into two sections
T A B L E o f C O N T E N T S (DRAFT)
==Foreword by OWASP Chair== [To review--> OWASP Chair]
==1. Frontispiece== [To review--> Mat]
1.1 About the OWASP Testing Guide Project [To review--> Mat]
1.2 About The Open Web Application Security Project [To review--> ]
2. Introduction
2.1 The OWASP Testing Project
2.2 Principles of Testing
2.3 Testing Techniques Explained
2.4 Security requirements test derivation,functional and non functional test requirements, and test cases through use and misuse cases
3. The OWASP Testing Framework
3.1. Overview
3.2. Phase 1: Before Development Begins
3.3. Phase 2: During Definition and Design
3.4. Phase 3: During Development
3.5. Phase 4: During Deployment
3.6. Phase 5: Maintenance and Operations
3.7. A Typical SDLC Testing Workflow
4. Web Application Penetration Testing
4.1 Introduction and Objectives [To review--> Mat]
4.1.1 Testing Checklist [To review at the end of brainstorming --> Mat]
4.2 Information Gathering [To review--> contributor here]
4.3 Configuration Management Testing [To review--> contributor here]
4.4 Authentication Testing [To review--> contributor here]
4.5 Session Management Testing [To review--> contributor here]
4.6 Authorization Testing [To review--> contributor here]
4.7 Business Logic Testing (OWASP-BL-001) [To review--> contributor here]
4.8 Data Validation Testing [To review--> contributor here]
4.9 Testing for Denial of Service [To review--> contributor here]
4.10 Web Services Testing [To review--> contributor here]
4.11 AJAX Testing [To review--> contributor here]
5. Writing Reports: value the real risk
5.1 How to value the real risk [To review--> contributor here]
5.2 How to write the report of the testing [To review--> contributor here]
Appendix A: Testing Tools
- Black Box Testing Tools [To review--> contributor here]
- Source Code Analyzers [To review--> contributor here]
- Other Tools [To review--> contributor here]
Appendix B: Suggested Reading
- Whitepapers [To review--> contributor here]
- Books [To review--> contributor here]
- Useful Websites [To review--> contributor here]
Appendix C: Fuzz Vectors
- Fuzz Categories [To review--> contributor here]
Appendix D: Encoded Injection
[To review--> contributor here]
