This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
OWASP Testing Guide Table of Contents
From OWASP
Revision as of 18:37, 25 July 2006 by Weilin Zhong (talk | contribs)
Introduction
- How To Go About Performing An Application Security Review
- Principles of Testing
- Testing Techniques Explained
Methodologies Used
- Secure application design
- Code Review
- Overview
- Advantages and Disadvantages
- Penetration Testing
- Overview
- Advantages and Disadvantages
- The Need for a Balanced Approach
- A Note about Web Application Scanners
- A Note about Static Source Code Review Tools
Finding Specific Issues In a Non-Technical Manner
- Threat Modeling Introduction
- Design Reviews
- Threat Modeling the Application
- Policy Reviews
- Requirements Analysis
- Developer Interviews and Interaction
Finding Specific Vulnerabilities Using Source Code Review
- Gathering the information
- Context, Context, Context
- The Checklist
- The Code Base
- Transactional Analysis
- Source code examples
- Authentication & Authorisation
- How to locate the potentially vulnerable code
- Buffer Overruns and Overflows
- How to locate the potentially vulnerable code:
- Vulnerable Patterns for buffer overflows
- Good Patterns & procedures to prevent buffer overflows
- Data Validation
- Canoncalization of input.
- Data validation strategy
- Good Patterns for Data validation
- Framework Example
- Data validation of parameter names
- Web services data validation
- Canoncalization of input.
- Error, Exception handling & Logging
- Releasing resources and good housekeeping
- OS Injection
- SQL Injection
- How to Locate potentially vulnerable code
- Best practices when dealing with DB’s
- Threat Modeling
- Overview
- Advantages and Disadvantages
- Advantages
- Disadvantage
Manual testing techniques
- Business logic testing - <TBD>
- Authentication
- Default or guessable user accounts
- Causes
- Blackbox Testing
- Manual
- Suggested Tools - <TBD>
- Whitebox Testing
- Further Reading
- Default or guessable user accounts
- Cookie manipulation
- Short Description of Issue
- How to Test
- Black Box
- Cookie reverse engineering
- Cookie manipulation
- Brute force
- Cookie predictability
- 335697#**
- Overflow
- White Box
- Examples
- Whitepapers
- Tools
- Weak Session Tokens
- Blackbox Testing
- Manual
- Suggested Tools
- Whitebox Testing
- Further Reading
- Session riding
- How to Test
- Black Box
- White Box
- References
- Examples
- Whitepapers
- Tools
- Vulnerable remember password implementation
- Blackbox Testing
- Manual
- Suggested Tools:
- Whitebox Testing
- Further Reading
- Weak Password Self-Reset Testing
- Blackbox Testing
- Manual
- Default or Guessable User Accounts and Empty Passwords
- Blackbox Testing
- Manual
- Suggested Tools
- Whitebox Testing
- Further Reading
- Application Layer Denial of Service (DoS) Attacks
- DoS: Locking Customer Accounts
- Black Box Testing
- White Box Testing
- DoS: Buffer Overflows
- Code Example
- Testing Black Box
- Testing White Box
- DoS: User Specified Object Allocation
- Code Example
- Testing Black Box
- Testing White Box
- DoS: User Input as a Loop Counter
- Code Example
- Testing Black Box
- Testing White Box
- DoS: Writing User Provided Data to Disk
- Testing Black Box
- Testing White Box
- DoS: Failure to Release Resources
- Code Example
- Testing Black Box
- Testing White Box
- DoS: Storing too Much Data in Session
- Testing Black Box
- Testing White Box
- Other References
- Buffer Overflow
- Buffer Overflow – Heap Overflow Vulnerability
- How to Test
- Black Box
- White Box
- Buffer Overflow – Stack Overflow Vulnerability
- How to Test
- Black Box
- White Box
- References
- Examples
- Whitepapers
- Tools
- Buffer Overflow – Format String Vulnerability
- Black Box
- White Box
- References
- Whitepapers
- Tools
- Buffer Overflow – Heap Overflow Vulnerability
- Test and debug files
- How to Test
- Black Box
- White Box
- References - <TBD>
- Examples
- Whitepapers
- Tools
- File extensions handling
- How to Test
- Black Box
- White Box
- References
- Examples
- Whitepapers
- Tools
- Old, backup and unreferenced files
- Threats
- Countermeasures
- How to Test
- Black Box
- White Box
- Tools
- Defense from Automatic Attacks
- Blackbox Testing
- Manual
- Suggested Tools
- Whitebox Testing
- Further Reading
- SSL usage during whole session (see recent post on Webappsec regarding this) [Yvan Boily ([email protected]) ]
- Configuration Management Infrastructure
- Review of the application architecture
- Known server vulnerabilities
- Administrative tools
- Authentication back-ends
- Configuration Management Application
- Sample/known files and directories
- Comment review
- Configuration review
- Logging
- Log location
- Log storage
- Log rotation
- Log review
- Sensitive data in URL’s
- Hashing sensitive data
- SSL / TLS cipher specifications and requirements for site
- How to Test
- Black Box
- White Box
- References
- Examples
- Whitepapers
- Tools
- How to Test
- Black Box
- White Box
- References
- Examples
- Whitepapers
- Tools
- Language/Services/Application Specific Testing
- Web Services Security Testing
- Notes
- How to Test
- Transport Layer Security
- Message Layer Security
- Application Layer Security
- References
- Examples
- Whitepapers
- Analyzing Results
The OWASP Testing Framework
- Overview
- Phase 1 — Before Development Begins
- Phase 1A: Policies and Standards Review
- Phase 1B: Develop Measurement and Metrics Criteria (Ensure Traceability)
- Phase 2: During Definition and Design
- Phase 2A: Security Requirements Review
- Phase 2B: Design an Architecture Review
- Phase 2C: Create and Review UML Models
- Phase 2D: Create and Review Threat Models
- Phase 3: During Development
- Phase 3A: Code Walkthroughs
- Phase 3B: Code Reviews
- Phase 4: During Deployment
- Phase 4A: Application Penetration Testing
- Phase 4B: Configuration Management Testing
- Phase 5: Maintenance and Operations
- Phase 5A: Conduct Operational Management Reviews
- Phase 5B: Conduct Periodic Health Checks
- Phase 5C: Ensure Change Verification
- A Typical SDLC Testing Workflow
- Figure 3: Typical SDLC Testing Workflow.
Appendix A: Testing Tools
- Source Code Analyzers
- Open Source / Freeware
- Commercial
- Black Box Scanners
- Open Source
- Commercial
- Other Tools
- Runtime Analysis
- Binary Analysis
- Requirements Management
Appendix B: Suggested Reading
- Whitepapers
- Books
- Articles
- Useful Websites
- OWASP — http://www.owasp.org
Figures
- Figure 1: Proportion of Test Effort in SDLC.
- Figure 2: Proportion of Test Effort According to Test Technique.
- Figure 3: Typical SDLC Testing Workflow.