This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
OWASP Testing Guide Table of Contents
From OWASP
Revision as of 05:14, 27 July 2006 by EoinKeary (talk | contribs) (→Finding Specific Vulnerabilities Using Source Code Review)
Frontispiece
- Copyright and License
- Endorsements
- Trademarks
Introduction
- Performing An Application Security Review
- Principles of Testing
- Testing Techniques Explained
Methodologies Used
- Secure application design
- Code Review (See the code review project)
- Overview
- Advantages and Disadvantages
- Penetration Testing
- Overview
- Advantages and Disadvantages
- The Need for a Balanced Approach
- A Note about Web Application Scanners
- A Note about Static Source Code Review Tools
Finding Specific Issues In a Non-Technical Manner
- Threat Modeling Introduction
- Design Reviews
- Threat Modeling the Application
- Policy Reviews
- Requirements Analysis
- Developer Interviews and Interaction
Finding Specific Vulnerabilities Using Source Code Review
For code review please see: http://www.owasp.org/index.php/Category:OWASP_Code_Review_Project The code review section has now got its own area.
Manual testing techniques
- Business logic testing - <TBD>
- Authentication
- How to perform cookie manipulation test
- How to test for weak session tokens
- Vulnerable remember password implementation
- Default or Guessable User Accounts and Empty Passwords
- Application Layer Denial of Service (DoS) Attacks
- DoS: Locking Customer Accounts
- DoS: Buffer Overflows
- DoS: User Specified Object Allocation
- DoS: User Input as a Loop Counter
- DoS: Writing User Provided Data to Disk
- DoS: Failure to Release Resources
- DoS: Storing too Much Data in Session
- Buffer Overflow
- Test and debug files
- File extensions handling
- Old, backup and unreferenced files
- Defense from Automatic Attacks
- Configuration Management Infrastructure
- Sensitive data in URL’s
- SSL / TLS cipher specifications and requirements for site
- How to Test
- References
- Tools
- Web Services Security Testing
The OWASP Testing Framework
- Overview
- Phase 1 — Before Development Begins
- Phase 1A: Policies and Standards Review
- Phase 1B: Develop Measurement and Metrics Criteria (Ensure Traceability)
- Phase 2: During Definition and Design
- Phase 2A: Security Requirements Review
- Phase 2B: Design an Architecture Review
- Phase 2C: Create and Review UML Models
- Phase 2D: Create and Review Threat Models
- Phase 3: During Development
- Phase 3A: Code Walkthroughs
- Phase 3B: Code Reviews
- Phase 4: During Deployment
- Phase 4A: Application Penetration Testing
- Phase 4B: Configuration Management Testing
- Phase 5: Maintenance and Operations
- Phase 5A: Conduct Operational Management Reviews
- Phase 5B: Conduct Periodic Health Checks
- Phase 5C: Ensure Change Verification
- A Typical SDLC Testing Workflow
- Figure 3: Typical SDLC Testing Workflow.
Appendix A: Testing Tools
- Source Code Analyzers
- Open Source / Freeware
- Commercial
- Black Box Scanners
- Open Source
- Commercial
- Other Tools
- Runtime Analysis
- Binary Analysis
- Requirements Management
Appendix B: Suggested Reading
- Whitepapers
- Books
- Articles
- Useful Websites
- OWASP — http://www.owasp.org
Figures
- Figure 1: Proportion of Test Effort in SDLC.
- Figure 2: Proportion of Test Effort According to Test Technique.
- Figure 3: Typical SDLC Testing Workflow.