Difference between revisions of "OWASP Testing Guide v3 Startup"
| Line 14: | Line 14: | ||
* Web Services Testing | * Web Services Testing | ||
* AJAX Testing | * AJAX Testing | ||
| + | |||
| + | The following are my thoughts about the new OWASP Testing Guide v3: | ||
| + | |||
| + | 1) Authorization testing missing. As Jeff and Dave said many time before it's important to create a new category. | ||
| + | 2) Information gathering is not a set of vulnerabilities. I think we can add a new category Infrastructural testing | ||
| + | 3) Web Services section needs improvement | ||
| + | 4) AJAX Testing section needs improvement | ||
| + | 5) New category: Client side Testing Di Paola & PdP (new category). Particular focus on flash testing | ||
| + | |||
| + | |||
== Information Gathering == | == Information Gathering == | ||
v2: <br> | v2: <br> | ||
| − | Application Fingerprint <br> | + | * Application Fingerprint <br> |
| − | Application Discovery <br> | + | * Application Discovery <br> |
| − | Spidering and googling <br> | + | * Spidering and googling <br> |
| − | Collection of error code <br> | + | * Collection of error code <br> |
| − | SSL/TLS Testing<br> | + | * SSL/TLS Testing<br> |
| − | DB Listener Testing<br> | + | * DB Listener Testing<br> |
| − | File extensions handling<br> | + | * File extensions handling<br> |
| − | Old, backup and unreferenced files <br> | + | * Old, backup and unreferenced files <br> |
Revision as of 19:57, 3 October 2007
Planning the new OWASP Testing Guide v3
3rd October 2007: Startup v3
The OWASP Testing Guide v2 was a great success, with thousand download and many many Companies that have adopted it as standard for a Web Application Penetration Testing.
Now we would like to begin a new project that is based on v2 but improve it and complete it.
In the OWASP Testing Guide v2 we have split the set of tests in 8 sub-categories:
- Information Gathering
- Business logic testing
- Authentication Testing
- Session Management Testing
- Data Validation Testing
- Denial of Service Testing
- Web Services Testing
- AJAX Testing
The following are my thoughts about the new OWASP Testing Guide v3:
1) Authorization testing missing. As Jeff and Dave said many time before it's important to create a new category. 2) Information gathering is not a set of vulnerabilities. I think we can add a new category Infrastructural testing 3) Web Services section needs improvement 4) AJAX Testing section needs improvement 5) New category: Client side Testing Di Paola & PdP (new category). Particular focus on flash testing
Information Gathering
v2:
- Application Fingerprint
- Application Discovery
- Spidering and googling
- Collection of error code
- SSL/TLS Testing
- DB Listener Testing
- File extensions handling
- Old, backup and unreferenced files
