This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "OWASP Testing Guide Table of Contents"
From OWASP
Weilin Zhong (talk | contribs) |
Weilin Zhong (talk | contribs) (→Manual testing techniques: changed names for DoS Testing sections.) |
||
Line 48: | Line 48: | ||
#[[Testing for default or guessable user accounts and empty passwords]] | #[[Testing for default or guessable user accounts and empty passwords]] | ||
#[[Testing for application layer Denial of Service (DoS) attacks]] | #[[Testing for application layer Denial of Service (DoS) attacks]] | ||
− | #[[Testing | + | ##[[DoS Testing: Locking Customer Accounts]] |
− | #[[Testing | + | ##[[DoS Testing: Buffer Overflows]] |
− | #[[DoS: User Specified Object Allocation]] | + | ##[[DoS Testing: User Specified Object Allocation]] |
− | #[[DoS: User Input as a Loop Counter]] | + | ##[[DoS Testing: User Input as a Loop Counter]] |
− | #[[DoS: Writing User Provided Data to Disk]] | + | ##[[DoS Testing: Writing User Provided Data to Disk]] |
− | #[[DoS: Failure to Release Resources]] | + | ##[[DoS Testing: Failure to Release Resources]] |
− | #[[DoS: Storing too Much Data in Session]] | + | ##[[DoS Testing: Storing too Much Data in Session]] |
#[[Buffer Overflow Testing Guide|Buffer Overflow]] | #[[Buffer Overflow Testing Guide|Buffer Overflow]] | ||
#[[Test and debug files]] | #[[Test and debug files]] |
Revision as of 17:50, 28 July 2006
Frontispiece
- Copyright and License
- Endorsements
- Trademarks
Introduction
- Performing An Application Security Review
- Principles of Testing
- Testing Techniques Explained
Methodologies Used
- Secure application design
- Code Review (See the code review project)
- Overview
- Advantages and Disadvantages
- Penetration Testing
- Overview
- Advantages and Disadvantages
- The Need for a Balanced Approach
- A Note about Web Application Scanners
- A Note about Static Source Code Review Tools
Finding Specific Issues In a Non-Technical Manner
- Threat Modeling Introduction
- Design Reviews
- Threat Modeling the Application
- Policy Reviews
- Requirements Analysis
- Developer Interviews and Interaction
Finding Specific Vulnerabilities Using Source Code Review
For code review please see: http://www.owasp.org/index.php/Category:OWASP_Code_Review_Project The code review section has now got its own area.
Manual testing techniques
- Business logic testing - <TBD>
- Authentication
- Cookie manipulation
- Weak session tokens
- Session riding test
- Testing for Cross site scripting vulnerabilities
- Testing for vulnerable remember password implementation
- Weak Password Self-Reset Testing
- Testing for default or guessable user accounts and empty passwords
- Testing for application layer Denial of Service (DoS) attacks
- Buffer Overflow
- Test and debug files
- File extensions handling
- Old, backup and unreferenced files
- Defense from Automatic Attacks
- Configuration Management Infrastructure
- Sensitive data in URL’s
- SSL / TLS cipher specifications and requirements for site
- Web Services Security Testing
- References
- Tools
The OWASP Testing Framework
- Overview
- Phase 1 — Before Development Begins
- Phase 1A: Policies and Standards Review
- Phase 1B: Develop Measurement and Metrics Criteria (Ensure Traceability)
- Phase 2: During Definition and Design
- Phase 2A: Security Requirements Review
- Phase 2B: Design an Architecture Review
- Phase 2C: Create and Review UML Models
- Phase 2D: Create and Review Threat Models
- Phase 3: During Development
- Phase 3A: Code Walkthroughs
- Phase 3B: Code Reviews
- Phase 4: During Deployment
- Phase 4A: Application Penetration Testing
- Phase 4B: Configuration Management Testing
- Phase 5: Maintenance and Operations
- Phase 5A: Conduct Operational Management Reviews
- Phase 5B: Conduct Periodic Health Checks
- Phase 5C: Ensure Change Verification
- A Typical SDLC Testing Workflow
- Figure 3: Typical SDLC Testing Workflow.
Appendix A: Testing Tools
- Source Code Analyzers
- Open Source / Freeware
- Commercial
- Black Box Scanners
- Open Source
- Commercial
- Other Tools
- Runtime Analysis
- Binary Analysis
- Requirements Management
Appendix B: Suggested Reading
- Whitepapers
- Books
- Articles
- Useful Websites
- OWASP — http://www.owasp.org
Figures
- Figure 1: Proportion of Test Effort in SDLC.
- Figure 2: Proportion of Test Effort According to Test Technique.
- Figure 3: Typical SDLC Testing Workflow.