This is the DRAFT of the table of content of the New Testing Guide v4.

You can download the stable version v3 here.

Back to the OWASP Testing Guide Project: http://www.owasp.org/index.php/OWASP_Testing_Project

Updated: 16th October 2012

Contributors List

The following is a DRAFT of the ToC based on the feedback already received.

Table of Contents

Foreword by OWASP Chair

1. Frontispiece

1.1 About the OWASP Testing Guide Project

1.2 About The Open Web Application Security Project

2. Introduction

2.1 The OWASP Testing Project

2.2 Principles of Testing

2.3 Testing Techniques Explained

2.4 Security requirements test derivation, functional and non-functional test requirements, and test cases through use and misuse cases

2.5 Security test data analysis and reporting: root cause identification and business/role case test data reporting

3. The OWASP Testing Framework

3.1. Overview

3.2. Phase 1: Before Development Begins

3.3. Phase 2: During Definition and Design

3.4. Phase 3: During Development

3.5. Phase 4: During Deployment

3.6. Phase 5: Maintenance and Operations

3.7. A Typical SDLC Testing Workflow

4. Web Application Penetration Testing

4.1 Introduction and Objectives

4.1.1 Testing Checklist

4.2 Information Gathering

4.2.1 Spiders, Robots and Crawlers (OWASP-IG-001)

4.2.2 Search Engine Discovery/Reconnaissance (OWASP-IG-002)

4.2.3 Identify application entry points (OWASP-IG-003)

4.2.4 Testing for Web Application Fingerprint (OWASP-IG-004)

4.2.5 Application Discovery (OWASP-IG-005)

4.2.6 Analysis of Error Codes (OWASP-IG-006)

4.3 Configuration and Deployment Management Testing

4.3.1 Testing for Infrastructure Configuration Management weakness (OWASP-CM-001)

4.3.2 Testing for Application Configuration Management weakness (OWASP-CM-002)

4.3.3 Testing for File Extensions Handling (OWASP-CM-003)

4.3.4 Old, Backup and Unreferenced Files (OWASP-CM-004)

4.3.5 Infrastructure and Application Admin Interfaces (OWASP-CM-005)

4.3.6 Testing for Bad HTTP Methods (OWASP-CM-006)

4.3.7 Testing for Database credentials/connection strings available (OWASP-CM-007)

4.3.8 Testing for Content Security Policy weakness (OWASP-CM-008)

4.3.9 Testing for Missing HSTS header (OWASP-CM-009)

4.3.10 Testing for RIA policy files weakness (OWASP-CM-010)

4.4 Authentication Testing

4.4.1 Testing for Credentials transport over an encrypted channel (OWASP-AT-001)

4.4.2 Testing for user enumeration and guessable user account (OWASP-AT-002)

4.4.3 Testing for default credentials (OWASP-AT-003)

4.4.4 Testing for Weak lock out mechanism (OWASP-AT-004)

4.4.5 Testing for bypassing authentication schema (OWASP-AT-005)

4.4.6 Testing for vulnerable remember password functionality (OWASP-AT-006)

4.4.7 Testing for Browser cache weakness (OWASP-AT-007)

4.4.8 Testing for Weak password policy (OWASP-AT-008)

4.4.9 Testing for Weak or unenforced username policy (OWASP-AT-009)

4.4.10 Testing for failure to restrict access to authenticated resource (OWASP-AT-010)

4.4.11 Testing for weak password change or reset functionalities (OWASP-AT-011)

4.4.12 Testing for CAPTCHA (OWASP-AT-012)

4.5 Session Management Testing

4.5.1 Testing for Bypassing Session Management Schema (OWASP-SM-001)

4.5.2 Testing for Cookies attributes (Cookies are set not ‘HTTP Only’, ‘Secure’, and no time validity) (OWASP-SM-002)

4.5.3 Testing for Session Fixation (OWASP-SM-003)

4.5.4 Testing for Exposed Session Variables (OWASP-SM-004)

4.5.5 Testing for Cross Site Request Forgery (CSRF) (OWASP-SM-005)

4.5.6 Testing for Session token not restricted properly (such as domain or path not set properly) (OWASP-SM-006)

4.5.7 Testing for logout functionality (OWASP-SM-007)

4.5.8 Testing for Session puzzling (OWASP-SM-008)

4.6 Authorization Testing

4.6.1 Testing Directory traversal/file include (OWASP-AZ-001)

4.6.2 Testing for bypassing authorization schema (OWASP-AZ-002)

4.6.3 Testing for Privilege Escalation (OWASP-AZ-003)

4.6.4 Testing for Insecure Direct Object References (OWASP-AZ-004)

4.6.5 Testing for Failure to Restrict access to authorized resource (OWASP-AZ-005)

4.7 Business Logic Testing (OWASP-BL-001)

4.8 Data Validation Testing

4.8.1 Testing for Reflected Cross Site Scripting (OWASP-DV-001)

4.8.2 Testing for Stored Cross Site Scripting (OWASP-DV-002)

4.8.3 Testing for HTTP Verb Tampering

4.8.4 Testing for HTTP Parameter pollution

4.8.5 Testing for Unvalidated Redirects and Forwards

4.8.5 Testing for SQL Injection (OWASP-DV-005)

  • Oracle Testing
  • MySQL Testing
  • SQL Server Testing
  • MS Access Testing
  • Testing for NoSQL injection
  • Testing PostgreSQL (from OWASP BSP)

4.8.6 Testing for LDAP Injection (OWASP-DV-006)

4.8.7 Testing for ORM Injection (OWASP-DV-007)

4.8.8 Testing for XML Injection (OWASP-DV-008)

4.8.9 Testing for SSI Injection (OWASP-DV-009)

4.8.10 Testing for XPath Injection (OWASP-DV-010)

4.8.11 IMAP/SMTP Injection (OWASP-DV-011)

4.8.12 Testing for Code Injection (OWASP-DV-012)

4.8.13 Testing for Command Injection (OWASP-DV-013)

4.8.14 Testing for Buffer overflow (OWASP-DV-014)

  • Testing for Heap overflow
  • Testing for Stack overflow
  • Testing for Format string

4.8.15 Testing for incubated vulnerabilities (OWASP-DV-015)

4.8.16 Testing for HTTP Splitting/Smuggling (OWASP-DV-016)

4.9 Data Encryption

4.9.1 Testing for Insecure encryption usage (OWASP-EN-001)

4.9.2 Testing for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection (OWASP-EN-002)

x.x.4 Testing for Sensitive information sent via unencrypted channels

4.10 Web Service Testing

4.10.1 Scoping a Web Service Test (OWASP-WS-001)

4.10.2 WS Information Gathering (OWASP-WS-002)

4.10.3 WS Authentication Testing (OWASP-WS-003)

4.10.4 WS Management Interface Testing (OWASP-WS-004)

4.10.5 Weak XML Structure Testing (OWASP-WS-005)

4.10.6 XML Content-Level Testing (OWASP-WS-006)

4.10.7 WS HTTP GET Parameters/REST Testing (OWASP-WS-007)

4.10.8 WS Naughty SOAP Attachment Testing (OWASP-WS-008)

4.10.9 WS Replay/MiTM Testing (OWASP-WS-009)

4.10.10 WS BPEL Testing (OWASP-WS-010)

4.11 Client Side Testing

4.11.1 Testing for DOM based Cross Site Scripting (OWASP-CS-001)

4.11.2 Testing for HTML5 (OWASP-CS-002)

4.11.3 Testing for Cross Site Flashing (OWASP-CS-003)

4.11.4 Testing for Clickjacking (OWASP-CS-004)

5. Writing Reports: value the real risk

5.1 How to value the real risk

5.2 How to write the report of the testing

Appendix A: Testing Tools

  • Black Box Testing Tools

Appendix B: Suggested Reading

  • Whitepapers
  • Books
  • Useful Websites

Appendix C: Fuzz Vectors

  • Fuzz Categories

Appendix D: Encoded Injection

