This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "OWASP Testing Guide v3 Startup"
Kingthorin (talk | contribs) m |
|||
| Line 7: | Line 7: | ||
In the OWASP Testing Guide v2 we have split the set of tests in 8 sub-categories: | In the OWASP Testing Guide v2 we have split the set of tests in 8 sub-categories: | ||
* Information Gathering | * Information Gathering | ||
| − | * Business | + | * Business Logic Testing |
* Authentication Testing | * Authentication Testing | ||
* Session Management Testing | * Session Management Testing | ||
Revision as of 11:57, 8 April 2008
Planning the new OWASP Testing Guide v3
3rd October 2007: Startup v3
The OWASP Testing Guide v2 was a great success, with thousand download and many many Companies that have adopted it as standard for a Web Application Penetration Testing.
Now we would like to begin a new project that is based on v2 but improve it and complete it.
In the OWASP Testing Guide v2 we have split the set of tests in 8 sub-categories:
- Information Gathering
- Business Logic Testing
- Authentication Testing
- Session Management Testing
- Data Validation Testing
- Denial of Service Testing
- Web Services Testing
- AJAX Testing
The following are my thoughts about the new OWASP Testing Guide v3:
1) Authorization testing missing. As Jeff and Dave said many time before it's important to create a new category.
2) Information gathering is not a set of vulnerabilities --> not in report --> new category: Passive mode
3) Business logic testing --> not in report --> Passive mode
4) Infrastructural test --> new category
5) Web Services section needs improvement
6) AJAX Testing section needs improvement
7) New category: Client side Testing. AJAX and Flash Testing
This document analyze the OWASP Testing Guide v2 vulnerabilities and a plan for create the new v3.
