Difference between revisions of "OWASP Testing Guide v3 Table of Contents"

1) Methodical Testing (new category) <-- (Mat) needs explanation
2) Authorization testing missing. (new category)
3) Information gathering is not a vulnerability
4) Business logic testing
5) Infrastructural test  (new category) *this has to only concentrate on 80 and 443 and other web related testing
6) Web Services section needs improvement
7) AJAX Testing section needs improvement
8) Testing Methodology section updates (requirements, plans, levels and environments)
9) New category: Client side Testing
10) New category: Thick Client Testing
11) New category: Flash/Silverlight Applications
12) New category: Assessing Financial Applications
13) New category: Fuzzing (we have the vectors, but this should explain the whole concept)

Proposed new categories for the OTG v3:

OTG Form Templates
- OTG Request for Quote (RFQ) (new)
- OTG 3rd Party Assessment Authorization Form (new)
- OTG Sample Report (new)
Passive Mode
Information Gathering
Business logic testing
Web Application Penetration Testing
- Infrastructural testing
- Authentication Testing
- Authorization Testing (new)
- Session Management Testing
- Data Validation Testing
- Denial of Service Testing
- Web Services Testing
- Client-Side Testing
  - AJAX Testing
  - Flash Testing (new)
  - RIA stuff (new)

@@ Line 1: / Line 1: @@
 __NOTOC__
-'''26th April 2008'''
+'''20th May 2008'''
 This is the draft of table of content of the New Testing Guide.
 You can download the stable version [http://www.owasp.org/index.php/Image:OWASP_Testing_Guide_v2_pdf.zip here] or read it on line [http://www.owasp.org/index.php/OWASP_Testing_Guide_v2_Table_of_Contents here]
-Also see [http://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Startup http://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Startup].
-<br>The new OWASP testing Guidev3:
-<br>This [http://www.owasp.org/index.php/Image:Planning_OTGv3.doc document] analyze the OWASP Testing Guide v2 checklist and a plan for create the new v3.
-* 1) Methodical Testing (new category) <-- (Mat) needs explanation
-* 2) Authorization testing missing. (new category)
-* 3) Information gathering is not a vulnerability
-* 4) Business logic testing
-* 5) Infrastructural test  (new category) *this has to only concentrate on 80 and 443 and other web related testing
-* 6) Web Services section needs improvement
-* 7) AJAX Testing section needs improvement
-* 8) Testing Methodology section updates (requirements, plans, levels and environments)
-* 9) New category: Client side Testing
-* 10) New category: Thick Client Testing
-* 11) New category: Flash/Silverlight Applications
-* 12) New category: Assessing Financial Applications
-* 13) New category: Fuzzing (we have the vectors, but this should explain the whole concept)
-Proposed new categories for the OTG v3:
-* OTG Form Templates
-** OTG Request for Quote (RFQ) (new)
-** OTG 3rd Party Assessment Authorization Form (new)
-** OTG Sample Report (new)
-* Passive Mode
-* Information Gathering
-* Business logic testing
-* Web Application Penetration Testing
-** Infrastructural testing
-** Authentication Testing
-** Authorization Testing (new)
-** Session Management Testing
-** Data Validation Testing
-** Denial of Service Testing
-** Web Services Testing
-** Client-Side Testing
-*** AJAX Testing
-*** Flash Testing (new)
-*** RIA stuff (new)
@@ Line 51: / Line 10: @@
 The core index is the OTG v2. (new): new articles, (toimp): needs to improve
-==[[Testing Guide Foreword|Foreword by OWASP Chair]]==
+==[[Testing Guide Foreword|(toimp)Foreword by OWASP Chair]]==
-==[[Testing Guide Frontispiece |1. Frontispiece]]==
+==[[Testing Guide Frontispiece |(toimp)1. Frontispiece]]==
-'''[[Testing Guide Frontispiece|1.1 About the OWASP Testing Guide Project]]'''
+'''[[Testing Guide Frontispiece|(toimp)1.1 About the OWASP Testing Guide Project]]'''
-.1.1 Copyright
-.1.2 Editors
-.1.3 Authors and Reviewers
-.1.4 Revision History
-.1.5 Trademarks
 '''[[About The Open Web Application Security Project|1.2 About The Open Web Application Security Project]]'''
-.2.1 Overview
-.2.2 Structure
-.2.3 Licensing
-.2.4 Participation and Membership
-.2.5 Projects
-.2.6 OWASP Privacy Policy
@@ Line 94: / Line 31: @@
 ''' (new) 2.4.1 security tests integrated in developers and testers workflows:'''
 ''' (new) 2.4.2 Developers security tests; Unit Tests, component levels tests'''
 ''' (new) 2.4.3 Functional testers security tests: integrated system tests, tests in UAT
 and production environment'''
 ''' (new) 2.5 Security test data analysis and reporting: root cause identification and
 business/role case test data reporting'''
@@ Line 269: / Line 209: @@
-==[[Writing Reports: value the real risk |5. Writing Reports: value the real risk ]]==
+==[[Writing Reports: value the real risk |(toimp)5. Writing Reports: value the real risk ]]==
 [[How to value the real risk |5.1 How to value the real risk]]
@@ Line 276: / Line 216: @@
-==[[Appendix A: Testing Tools |Appendix A: Testing Tools ]]==
+ OTGv3 team Discussion
-* Black Box Testing Tools
+Also see [http://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Startup http://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Startup].
-* Source Code Analyzers
-* Other Tools
+<br>The new OWASP testing Guidev3:
+<br>This [http://www.owasp.org/index.php/Image:Planning_OTGv3.doc document] analyze the OWASP Testing Guide v2 checklist and a plan for create the new v3.
-==[[OWASP Testing Guide Appendix B: Suggested Reading | Appendix B: Suggested Reading]]==
-* Whitepapers
-* Books
-* Useful Websites
+* 1) Methodical Testing (new category) <-- (Mat) needs explanation
+* 2) Authorization testing missing. (new category)
+* 3) Information gathering is not a vulnerability
+* 4) Business logic testing
+* 5) Infrastructural test  (new category) *this has to only concentrate on 80 and 443 and other web related testing
+* 6) Web Services section needs improvement
+* 7) AJAX Testing section needs improvement
+* 8) Testing Methodology section updates (requirements, plans, levels and environments)
+* 9) New category: Client side Testing
+* 10) New category: Thick Client Testing
+* 11) New category: Flash/Silverlight Applications
+* 12) New category: Assessing Financial Applications
+* 13) New category: Fuzzing (we have the vectors, but this should explain the whole concept)
-==[[OWASP Testing Guide Appendix C: Fuzz Vectors | Appendix C: Fuzz Vectors]]==
+Proposed new categories for the OTG v3:
+* OTG Form Templates
+** OTG Request for Quote (RFQ) (new)
+** OTG 3rd Party Assessment Authorization Form (new)
+** OTG Sample Report (new)
+* Passive Mode
+* Information Gathering
+* Business logic testing
+* Web Application Penetration Testing
+** Infrastructural testing
+** Authentication Testing
+** Authorization Testing (new)
+** Session Management Testing
+** Data Validation Testing
+** Denial of Service Testing
+** Web Services Testing
+** Client-Side Testing
+*** AJAX Testing
+*** Flash Testing (new)
+*** RIA stuff (new)
-* Fuzz Categories
-** Recursive fuzzing
-** Replasive fuzzing
-* Cross Site Scripting (XSS)
-* Buffer Overflows and Format String Errors
-** Buffer Overflows (BFO)
-** Format String Errors (FSE)
-** Integer Overflows (INT)
-* SQL Injection
-** Passive SQL Injection (SQP)
-** Active SQL Injection (SQI)
-* LDAP Injection
-* XPATH Injection

Difference between revisions of "OWASP Testing Guide v3 Table of Contents"

Revision as of 06:12, 20 May 2008

(toimp)Foreword by OWASP Chair

(toimp)1. Frontispiece

2. Introduction

3. The OWASP Testing Framework

4. (toimp) Web Application Penetration Testing

(toimp)5. Writing Reports: value the real risk

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Reference

Tools