This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP Testing Guide v3 Startup"

From OWASP
Jump to: navigation, search
Line 18: Line 18:
  
 
1) Authorization testing missing. As Jeff and Dave said many time before it's important to create a new category.<br>
 
1) Authorization testing missing. As Jeff and Dave said many time before it's important to create a new category.<br>
2) Information gathering is not a set of vulnerabilities. I think we can add a new category Infrastructural testing.<br>
+
2) Information gathering is not a set of vulnerabilities --> not in report --> new category: Passive mode <br>
3) Web Services section needs improvement.<br>
+
3) Business logic testing --> not in report --> Passive mode  <br>
4) AJAX Testing section needs improvement.<br>
+
4) Infrastructural test --> new category <br>
5) New category: Client side Testing: nowadays in web 2.0 applications it's really important to test for client side vulnerabilities that can introduce new type of attacks: for example a XSS on flash movie loaded on the client (see the last work of Di Paola).<br>
+
5) Web Services section needs improvement <br>
 +
6) AJAX Testing section needs improvement <br>
 +
7) New category: Client side Testing. AJAX and Flash Testing  <br>
  
For each category we describe the v2 and the possible improvements.
 
  
 
+
In this document we analyze the OWASP Testing Guide (OTG) v2 vulnerabilities and a plan for an improving for the v3.
== Information Gathering ==
+
[[image:Planning_OTGv3.doc]]
v2: <br>
 
* Application Fingerprint <br>
 
* Application Discovery <br>
 
* Spidering and googling <br>
 
* Collection  of error code <br>
 
* SSL/TLS Testing<br>
 
* DB Listener Testing<br>
 
* File extensions handling<br>
 
* Old, backup and unreferenced files <br>
 

Revision as of 00:16, 7 October 2007

Planning the new OWASP Testing Guide v3

3rd October 2007: Startup v3
The OWASP Testing Guide v2 was a great success, with thousand download and many many Companies that have adopted it as standard for a Web Application Penetration Testing.
Now we would like to begin a new project that is based on v2 but improve it and complete it.

In the OWASP Testing Guide v2 we have split the set of tests in 8 sub-categories:

  • Information Gathering
  • Business logic testing
  • Authentication Testing
  • Session Management Testing
  • Data Validation Testing
  • Denial of Service Testing
  • Web Services Testing
  • AJAX Testing

The following are my thoughts about the new OWASP Testing Guide v3:

1) Authorization testing missing. As Jeff and Dave said many time before it's important to create a new category.
2) Information gathering is not a set of vulnerabilities --> not in report --> new category: Passive mode
3) Business logic testing --> not in report --> Passive mode
4) Infrastructural test --> new category
5) Web Services section needs improvement
6) AJAX Testing section needs improvement
7) New category: Client side Testing. AJAX and Flash Testing


In this document we analyze the OWASP Testing Guide (OTG) v2 vulnerabilities and a plan for an improving for the v3. File:Planning OTGv3.doc

Retrieved from "https://wiki.owasp.org/index.php?title=OWASP_Testing_Guide_v3_Startup&oldid=22224"