This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP Autumn of Code 2006 - Projects: Testing Guide - Index"

From OWASP
Jump to: navigation, search
 
(4 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 
+
{{taggedDocument
 +
| type=historical
 +
| link=OWASP Testing Guide
 +
}}
  
 
<ul>
 
<ul>
Line 19: Line 22:
 
==[[The OWASP Testing Framework|The OWASP Testing Framework]]==
 
==[[The OWASP Testing Framework|The OWASP Testing Framework]]==
 
3. The OWASP Testing Framework                                      20%      (Review) <br>
 
3. The OWASP Testing Framework                                      20%      (Review) <br>
3.1. Overview<br>
+
'''3.1. Overview'''<br>
3.2. Phase 1 — Before Development Begins <br>
+
'''3.2. Phase 1 — Before Development Begins <br>'''
 
* Phase 1A: Policies and Standards Review <br>
 
* Phase 1A: Policies and Standards Review <br>
 
* Phase 1B: Develop Measurement and Metrics Criteria (Ensure Traceability) <br>
 
* Phase 1B: Develop Measurement and Metrics Criteria (Ensure Traceability) <br>
3.3. Phase 2: During Definition and Design<br>
+
'''3.3. Phase 2: During Definition and Design<br>'''
 
* Phase 2A: Security Requirements Review<br>
 
* Phase 2A: Security Requirements Review<br>
 
* Phase 2B: Design an Architecture Review<br>
 
* Phase 2B: Design an Architecture Review<br>
 
* Phase 2C: Create and Review UML Models<br>
 
* Phase 2C: Create and Review UML Models<br>
 
* Phase 2D: Create and Review Threat Models <br>
 
* Phase 2D: Create and Review Threat Models <br>
3.4. Phase 3: During Development<br>
+
'''3.4. Phase 3: During Development<br>'''
 
* Phase 3A: Code Walkthroughs<br>
 
* Phase 3A: Code Walkthroughs<br>
 
* Phase 3B: Code Reviews <br>
 
* Phase 3B: Code Reviews <br>
3.5. Phase 4: During Deployment<br>
+
'''3.5. Phase 4: During Deployment<br>'''
 
* Phase 4A: Application Penetration Testing<br>
 
* Phase 4A: Application Penetration Testing<br>
 
* Phase 4B: Configuration Management Testing <br>
 
* Phase 4B: Configuration Management Testing <br>
3.6. Phase 5: Maintenance and Operations<br>
+
'''3.6. Phase 5: Maintenance and Operations<br>'''
 
* Phase 5A: Conduct Operational Management Reviews<br>
 
* Phase 5A: Conduct Operational Management Reviews<br>
 
* Phase 5B: Conduct Periodic Health Checks<br>
 
* Phase 5B: Conduct Periodic Health Checks<br>
 
* Phase 5C: Ensure Change Verification <br>
 
* Phase 5C: Ensure Change Verification <br>
3.7. A Typical SDLC Testing Workflow <br>
+
'''3.7. A Typical SDLC Testing Workflow <br>'''
 
* Figure 3: Typical SDLC Testing Workflow <br>
 
* Figure 3: Typical SDLC Testing Workflow <br>
3.8 Methodologies Used                                                        (Review)<br>
+
'''3.8 Methodologies Used                                                        (Review)<br>'''
 
3.8.1 The goal                                             50% TD<br>
 
3.8.1 The goal                                             50% TD<br>
 
3.8.2 Overview of Approaches                             50% TD<br>
 
3.8.2 Overview of Approaches                             50% TD<br>
Line 51: Line 54:
  
 
==[[Manual testing techniques |Manual testing techniques ]]==
 
==[[Manual testing techniques |Manual testing techniques ]]==
4.1 Introduction and objectives                               0% TD<br>
+
'''4.1 Introduction and objectives'''                               0% TD<br>
4.2 Information Gathering (spider, google)                        0% TD<br>
+
'''4.2 Information Gathering (spider, google)'''                         0% TD<br>
4.3 Business logic testing                                        50% TD<br>
+
'''4.3 Business logic testing'''                                       50% TD<br>
 
 
4.4 Authentication Testing                                     50%        TD<br>
+
'''4.4 Authentication Testing'''                                     50%        TD<br>
 
4.4.1 Default or guessable (dictionary) user account              90%        TD<br>
 
4.4.1 Default or guessable (dictionary) user account              90%        TD<br>
 
4.4.2 Brute Force                                                  0%        TD<br>
 
4.4.2 Brute Force                                                  0%        TD<br>
Line 62: Line 65:
 
4.4.5 Logout and account expiry                                       0%        TD<br>
 
4.4.5 Logout and account expiry                                       0%        TD<br>
 
 
4.5 Session Management Testing                                        0%        TD<br>
+
'''4.5 Session Management Testing'''                                       0%        TD<br>
 
4.5.1 Cookie and Session token Manipulation(reg, forg/brute force)  100%      Review <br>   
 
4.5.1 Cookie and Session token Manipulation(reg, forg/brute force)  100%      Review <br>   
 
4.5.2 Weak session tokens                                     70%        TD<br>
 
4.5.2 Weak session tokens                                     70%        TD<br>
Line 69: Line 72:
 
4.5.5 HTTP Exploit                                                0%        TD<br>
 
4.5.5 HTTP Exploit                                                0%        TD<br>
 
 
4.6 Data Validation Testing                                        0%        TD <br>
+
'''4.6 Data Validation Testing'''                                       0%        TD <br>
 
4.6.1 Cross site scripting                                        0%        TD<br>
 
4.6.1 Cross site scripting                                        0%        TD<br>
 
4.6.1.1 Incubated attacks                                          0%        TD<br>
 
4.6.1.1 Incubated attacks                                          0%        TD<br>
Line 89: Line 92:
 
4.6.7.3 Format string                                              100%        Review<br>
 
4.6.7.3 Format string                                              100%        Review<br>
 
 
4.7 Denial of Service Testing                                    95%        Review<br>
+
'''4.7 Denial of Service Testing'''                                     95%        Review<br>
 
4.7.1 Locking Customer Accounts                                  100%        Review<br>
 
4.7.1 Locking Customer Accounts                                  100%        Review<br>
 
4.7.2 Buffer Overflows                                          100%        Review <br>
 
4.7.2 Buffer Overflows                                          100%        Review <br>
Line 98: Line 101:
 
4.7.7 Storing too Much Data in Session                            90%        Review<br>
 
4.7.7 Storing too Much Data in Session                            90%        Review<br>
  
4.8 Infrastructure and configuration Testing                      0%        TD<br>
+
'''4.8 Infrastructure and configuration Testing'''                       0%        TD<br>
 
4.8.1 Intro and objective                                          0%        TD<br>
 
4.8.1 Intro and objective                                          0%        TD<br>
 
4.8.2 Infrastructure configuration management testing            100%        TD<br>
 
4.8.2 Infrastructure configuration management testing            100%        TD<br>
Line 108: Line 111:
 
4.8.8 Testing defense from Automatic attacks (maybe a duplicate)  10%        TD<br>
 
4.8.8 Testing defense from Automatic attacks (maybe a duplicate)  10%        TD<br>
 
    
 
    
4.9 Web Services Testing                                          0%        TD<br>
+
'''4.9 Web Services Testing'''                                         0%        TD<br>
 
4.9.1 XML Structural Attacks                                      0% TD<br>
 
4.9.1 XML Structural Attacks                                      0% TD<br>
 
4.9.2 XML content-level attacks                           0% TD<br>
 
4.9.2 XML content-level attacks                           0% TD<br>
Line 115: Line 118:
 
4.9.5 Brute force attacks                                       0% TD<br>
 
4.9.5 Brute force attacks                                       0% TD<br>
  
4.10 AJAX Testing                                                  0% TD<br>
+
'''4.10 AJAX Testing'''                                                 0% TD<br>
 
4.10.1 Vulnerabilities                                       0% TD<br>
 
4.10.1 Vulnerabilities                                       0% TD<br>
 
4.10.2  How to test                                               0% TD<br>
 
4.10.2  How to test                                               0% TD<br>
  
 
==[[Writing Reports: value the real risk |Writing Reports: value the real risk ]]==
 
==[[Writing Reports: value the real risk |Writing Reports: value the real risk ]]==
5.1 How to value the real risk                               0% TD<br>
+
'''5.1 How to value the real risk'''                               0% TD<br>
5.2 How to write the report of the testing                       0% TD<br>
+
'''5.2 How to write the report of the testing'''                       0% TD<br>
  
 
==[[Appendix A: Testing Tools |Appendix A: Testing Tools ]]==
 
==[[Appendix A: Testing Tools |Appendix A: Testing Tools ]]==

Latest revision as of 22:00, 30 July 2016

This historical page is now part of the OWASP archive.
This page contains content that is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were once valid but may now link to sites or pages that no longer exist.
Please use the newer Edition(s) like OWASP Testing Guide
    Legend:
    Review: M.Meucci
    TD: Paragraph to be assigned

Frontispiece

  1. Copyright and License (100%, Review)
  2. Endorsements (100%, Review)
  3. Trademarks (100%, Review)

Introduction

  1. Performing An Application Security Review 0% TD
  2. Principles of Testing 0% TD
  3. Testing Techniques Explained 0% TD

The OWASP Testing Framework

3. The OWASP Testing Framework 20% (Review)
3.1. Overview
3.2. Phase 1 — Before Development Begins

  • Phase 1A: Policies and Standards Review
  • Phase 1B: Develop Measurement and Metrics Criteria (Ensure Traceability)

3.3. Phase 2: During Definition and Design

  • Phase 2A: Security Requirements Review
  • Phase 2B: Design an Architecture Review
  • Phase 2C: Create and Review UML Models
  • Phase 2D: Create and Review Threat Models

3.4. Phase 3: During Development

  • Phase 3A: Code Walkthroughs
  • Phase 3B: Code Reviews

3.5. Phase 4: During Deployment

  • Phase 4A: Application Penetration Testing
  • Phase 4B: Configuration Management Testing

3.6. Phase 5: Maintenance and Operations

  • Phase 5A: Conduct Operational Management Reviews
  • Phase 5B: Conduct Periodic Health Checks
  • Phase 5C: Ensure Change Verification

3.7. A Typical SDLC Testing Workflow

  • Figure 3: Typical SDLC Testing Workflow

3.8 Methodologies Used (Review)
3.8.1 The goal 50% TD
3.8.2 Overview of Approaches 50% TD
3.8.3 Security Requirements Review 0% TD
3.8.4 Security Architecture Review 0% TD
3.8.5 Code Review 50% TD
3.8.6 Automated Code Scanning 0% TD
3.8.7 Penetration Testing 50% TD
3.8.8 Automated Vulnerability Scanning 0% TD

Manual testing techniques

4.1 Introduction and objectives 0% TD
4.2 Information Gathering (spider, google) 0% TD
4.3 Business logic testing 50% TD

4.4 Authentication Testing 50% TD
4.4.1 Default or guessable (dictionary) user account 90% TD
4.4.2 Brute Force 0% TD
4.4.3 Bypassing authentication schema 0% TD
4.4.4 Vulnerable remember password and pwd reset 90% TD
4.4.5 Logout and account expiry 0% TD

4.5 Session Management Testing 0% TD
4.5.1 Cookie and Session token Manipulation(reg, forg/brute force) 100% Review
4.5.2 Weak session tokens 70% TD
4.5.3 Session Riding 100% Review
4.5.4 Exposed session variables 0% TD
4.5.5 HTTP Exploit 0% TD

4.6 Data Validation Testing 0% TD
4.6.1 Cross site scripting 0% TD
4.6.1.1 Incubated attacks 0% TD
4.6.1.2 Phishing (using javascript) 0% TD
4.6.1.3 HTTP Methods + XSS (TRACE) 0% TD
4.6.2 SQL Injection 0% TD
4.6.2.1 Oracle, mySQL, SQL Server, TeraData 0% TD
4.6.2.2 Extended stored procedures 0% TD
4.6.2.3 Stored procedure injection 0% TD
4.6.2.4 Oracle +SQLServer ports and attacks 0% TD
4.6.2.5 Listener attacks etc. 1521 1433 1527 0% TD
4.6.3 Orm injection 0% TD
4.6.4 Ldap injection 0% TD
4.6.5 Xml injection 0% TD
4.6.6 Code injection 0% TD
4.6.7 Buffer overflow Testing 100% Review
4.6.7.1 Heap overflow 100% Review
4.6.7.2 Stack overflow 100% Review
4.6.7.3 Format string 100% Review

4.7 Denial of Service Testing 95% Review
4.7.1 Locking Customer Accounts 100% Review
4.7.2 Buffer Overflows 100% Review
4.7.3 User Specified Object Allocation 100% Review
4.7.4 User Input as a Loop Counter 100% Review
4.7.5 Writing User Provided Data to Disk 100% Review
4.7.6 Failure to Release Resources 100% Review
4.7.7 Storing too Much Data in Session 90% Review

4.8 Infrastructure and configuration Testing 0% TD
4.8.1 Intro and objective 0% TD
4.8.2 Infrastructure configuration management testing 100% TD
4.8.3 Application configuration management testing 100% TD
4.8.4 Old, backup and unreferenced files 100% TD
4.8.5 File extensions handling 90% TD
4.8.6 Analisys of error code 50% TD
4.8.7 SSL/TLS Testing: support of weak ciphers and cert validity 100% TD
4.8.8 Testing defense from Automatic attacks (maybe a duplicate) 10% TD

4.9 Web Services Testing 0% TD
4.9.1 XML Structural Attacks 0% TD
4.9.2 XML content-level attacks 0% TD
4.9.3 HTTP GET parameters/REST attacks 0% TD
4.9.4 Naughty SOAP attachments 0% TD
4.9.5 Brute force attacks 0% TD

4.10 AJAX Testing 0% TD
4.10.1 Vulnerabilities 0% TD
4.10.2 How to test 0% TD

Writing Reports: value the real risk

5.1 How to value the real risk 0% TD
5.2 How to write the report of the testing 0% TD

Appendix A: Testing Tools

  1. Source Code Analyzers
         * Open Source / Freeware
         * Commercial 
  2. Black Box Scanners
         * Open Source
         * Commercial 
  3. Other Tools
         * Runtime Analysis
         * Binary Analysis
         * Requirements Management 

Appendix B: Suggested Reading

  1. Whitepapers
  2. Books
  3. Articles
  4. Useful Websites
  5. OWASP — http://www.owasp.org 

Appendix C: Fuzz Vectors



Version 0.1 (October 4th)

Paragraph___________________________________________________|__State___|___Action___|___Author___


1 Frontispiece

  2.1 Copyright and License                                        100%      Review	
  2.2 Endorsements	                                            100%      Review
  2.3 Trademarks 	                                            100%      Review	

2. Introduction

  1. Performing An Application Security Review                       0%        TD
  2. Principles of Testing                                           0%        TD
  3. Testing Techniques Explained                                    0%        TD

3. Methodologies Used (Review)

  3.1 The goal	                                                     50%	TD
  3.2 Overview of Approaches	                                     50%	TD
  3.3 Security Requirements Review	                              0%	TD
  3.4 Security Architecture Review	                              0%	TD
  3.5 Code Review	                                             50%	TD
  3.6 Automated Code Scanning	                                      0%	TD
  3.7 Penetration Testing	                                     50%	TD
  3.8 Automated Vulnerability Scanning	                              0%	TD

4. Finding Specific Issues In a Non-Technical Manner (Review)

  4.1. Threat Modeling Introduction	                              0%	TD
  4.2. Design Reviews	                                              0%	TD
  4.3. Threat Modeling the Application	                              0%	TD
  4.4. Policy Reviews	                                              0%	TD
  4.5. Requirements Analysis	                                      0%	TD
  4.6. Developer Interviews and Interaction 	                      0%	TD

5. Finding Specific Vulnerabilities Using Source Code Review

  5.1 For code review please see the OWASP Code Review Project

6. Manual testing techniques (Review)

  6.1 Introduction and objectives	                              0%	TD
  6.2 Information Gathering (spider, google)                         0%	TD
  6.3 Business logic testing                                        50%	TD
  6.4 Authentication Testing	                                     50%        TD
  6.4.1 Default or guessable (dictionary) user account              90%        TD
  6.4.2 Brute Force                                                  0%        TD
  6.4.3 Bypassing authentication schema                              0%        TD
  6.4.4 Vulnerable remember password and pwd reset                  90%        TD
  6.4.5 Logout and account expiry	                              0%        TD
  6.5 Session Management Testing                                     0%        TD
  6.5.1 Cookie and Session token Manipulation 
           (regeneration, forging/brute force)	                    100%       Review    
  6.5.2 Weak session tokens	                                     70%        TD
  6.5.3 Session Riding	                                            100%       Review
  6.5.4 Exposed session variables	                              0%        TD
  6.5.5 HTTP Exploit                                                 0%        TD
  6.6 Data Validation Testing                                        0%        TD		
  6.6.1 Cross site scripting                                         0%        TD
  6.6.1.1 Incubated attacks                                          0%        TD
  6.6.1.2 Phishing (using javascript)                                0%        TD
  6.6.1.3  HTTP Methods + XSS (TRACE)                                0%        TD
  6.6.2 SQL Injection                                                0%        TD
  6.6.2.1 Oracle, mySQL, SQL Server, TeraData                        0%        TD	
  6.6.2.2 Extended stored procedures                                 0%        TD
  6.6.2.3 Stored procedure injection                                 0%        TD
  6.6.2.4 Oracle +SQLServer ports and attacks                        0%        TD
  6.6.2.5 Listener attacks etc. 1521 1433 1527                       0%        TD
  6.6.3 Orm injection                                                0%        TD
  6.6.4 Ldap injection                                               0%        TD
  6.6.5 Xml injection                                                0%        TD
  6.6.6 Code injection                                               0%        TD
  6.7 Denial of Service Testing                                     95%        Review
  6.7.1 Locking Customer Accounts                                  100%        Review
  6.7.2 Buffer Overflows                                           100%        Review		
  6.7.3 User Specified Object Allocation                           100%        Review		
  6.7.4 User Input as a Loop Counter                               100%        Review
  6.7.5 Writing User Provided Data to Disk                         100%        Review
  6.7.6 Failure to Release Resources                               100%        Review
  6.7.7 Storing too Much Data in Session                            90%        Review
  6.8 Buffer overflow Testing                                      100%        Review		
  6.8.1 Heap overflow	                                            100%        Review
  6.8.2 Stack overflow                                             100%        Review
  6.8.3 Format string                                              100%        Review
  6.9 Infrastructure and configuration Testing                       0%         TD
   6.9.1 Intro and objective                                         0%         TD
   6.9.2 Infrastructure configuration management testing           100%         TD
   6.9.3 Application configuration management testing              100%         TD
   6.9.4 Old, backup and unreferenced files                        100%         TD	
   6.9.5 File extensions handling		                     90%         TD
   6.9.6 Analisys of error code                                     50%         TD		
   6.9.7 SSL/TLS Testing: support of weak                          100%         TD
             ciphers and certificate validity		
   6.9.8 Testing defense from Automatic                             10%         TD
             Attacks (maybe a duplicate)		
  6.10 Web Services Testing                                          0%         TD
  6.10.1 XML Structural Attacks                                      0%	TD
  6.10.2 XML content-level attacks	                              0%	TD
  6.10.3 HTTP GET parameters/REST attacks	                      0%	TD
  6.10.4 Naughty SOAP attachments	                              0%	TD
  6.10.5 Brute force attacks	                                      0%	TD
  6.11 AJAX Testing                                                  0%	TD
  6.11.1 Vulnerabilities	                                      0%	TD
  6.11.2  How to test	                                              0%	TD


7. The OWASP Testing Framework 95% (Review)

  7.1. Overview
  7.2. Phase 1 — Before Development Begins
         * Phase 1A: Policies and Standards Review
         * Phase 1B: Develop Measurement and Metrics Criteria 
           (Ensure Traceability) 
  7.3. Phase 2: During Definition and Design
         * Phase 2A: Security Requirements Review
         * Phase 2B: Design an Architecture Review
         * Phase 2C: Create and Review UML Models
         * Phase 2D: Create and Review Threat Models 
  7.4. Phase 3: During Development
         * Phase 3A: Code Walkthroughs
         * Phase 3B: Code Reviews 
  7.5. Phase 4: During Deployment
         * Phase 4A: Application Penetration Testing
         * Phase 4B: Configuration Management Testing 
  7.6. Phase 5: Maintenance and Operations
         * Phase 5A: Conduct Operational Management Reviews
         * Phase 5B: Conduct Periodic Health Checks
         * Phase 5C: Ensure Change Verification 
  7.7. A Typical SDLC Testing Workflow
         * Figure 3: Typical SDLC Testing Workflow. 

Appendix A: Testing Tools 95% (Review)

  1. Source Code Analyzers
         * Open Source / Freeware
         * Commercial 
  2. Black Box Scanners
         * Open Source
         * Commercial 
  3. Other Tools
         * Runtime Analysis
         * Binary Analysis
         * Requirements Management 

Appendix B: Suggested Reading 95% (Review)

  1. Whitepapers
  2. Books
  3. Articles
  4. Useful Websites
  5. OWASP — http://www.owasp.org 

Appendix C: Fuzz Vectors 95% (Review)