This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
OWASP Autumn of Code 2006 - Projects: Testing Guide - Index
-
Legend:
Review: M.Meucci
TD: Paragraph to be assigned
Frontispiece
- Copyright and License (100%, Review)
- Endorsements (100%, Review)
- Trademarks (100%, Review)
Introduction
- Performing An Application Security Review 0% TD
- Principles of Testing 0% TD
- Testing Techniques Explained 0% TD
The OWASP Testing Framework
3. The OWASP Testing Framework 20% (Review)
3.1. Overview
3.2. Phase 1 — Before Development Begins
- Phase 1A: Policies and Standards Review
- Phase 1B: Develop Measurement and Metrics Criteria (Ensure Traceability)
3.3. Phase 2: During Definition and Design
- Phase 2A: Security Requirements Review
- Phase 2B: Design an Architecture Review
- Phase 2C: Create and Review UML Models
- Phase 2D: Create and Review Threat Models
3.4. Phase 3: During Development
- Phase 3A: Code Walkthroughs
- Phase 3B: Code Reviews
3.5. Phase 4: During Deployment
- Phase 4A: Application Penetration Testing
- Phase 4B: Configuration Management Testing
3.6. Phase 5: Maintenance and Operations
- Phase 5A: Conduct Operational Management Reviews
- Phase 5B: Conduct Periodic Health Checks
- Phase 5C: Ensure Change Verification
3.7. A Typical SDLC Testing Workflow
- Figure 3: Typical SDLC Testing Workflow
3.8 Methodologies Used (Review)
3.8.1 The goal 50% TD
3.8.2 Overview of Approaches 50% TD
3.8.3 Security Requirements Review 0% TD
3.8.4 Security Architecture Review 0% TD
3.8.5 Code Review 50% TD
3.8.6 Automated Code Scanning 0% TD
3.8.7 Penetration Testing 50% TD
3.8.8 Automated Vulnerability Scanning 0% TD
Manual testing techniques
4.1 Introduction and objectives 0% TD
4.2 Information Gathering (spider, google) 0% TD
4.3 Business logic testing 50% TD
4.4 Authentication Testing 50% TD
4.4.1 Default or guessable (dictionary) user account 90% TD
4.4.2 Brute Force 0% TD
4.4.3 Bypassing authentication schema 0% TD
4.4.4 Vulnerable remember password and pwd reset 90% TD
4.4.5 Logout and account expiry 0% TD
4.5 Session Management Testing 0% TD
4.5.1 Cookie and Session token Manipulation(reg, forg/brute force) 100% Review
4.5.2 Weak session tokens 70% TD
4.5.3 Session Riding 100% Review
4.5.4 Exposed session variables 0% TD
4.5.5 HTTP Exploit 0% TD
4.6 Data Validation Testing 0% TD
4.6.1 Cross site scripting 0% TD
4.6.1.1 Incubated attacks 0% TD
4.6.1.2 Phishing (using javascript) 0% TD
4.6.1.3 HTTP Methods + XSS (TRACE) 0% TD
4.6.2 SQL Injection 0% TD
4.6.2.1 Oracle, mySQL, SQL Server, TeraData 0% TD
4.6.2.2 Extended stored procedures 0% TD
4.6.2.3 Stored procedure injection 0% TD
4.6.2.4 Oracle +SQLServer ports and attacks 0% TD
4.6.2.5 Listener attacks etc. 1521 1433 1527 0% TD
4.6.3 Orm injection 0% TD
4.6.4 Ldap injection 0% TD
4.6.5 Xml injection 0% TD
4.6.6 Code injection 0% TD
4.6.7 Buffer overflow Testing 100% Review
4.6.7.1 Heap overflow 100% Review
4.6.7.2 Stack overflow 100% Review
4.6.7.3 Format string 100% Review
4.7 Denial of Service Testing 95% Review
4.7.1 Locking Customer Accounts 100% Review
4.7.2 Buffer Overflows 100% Review
4.7.3 User Specified Object Allocation 100% Review
4.7.4 User Input as a Loop Counter 100% Review
4.7.5 Writing User Provided Data to Disk 100% Review
4.7.6 Failure to Release Resources 100% Review
4.7.7 Storing too Much Data in Session 90% Review
4.8 Infrastructure and configuration Testing 0% TD
4.8.1 Intro and objective 0% TD
4.8.2 Infrastructure configuration management testing 100% TD
4.8.3 Application configuration management testing 100% TD
4.8.4 Old, backup and unreferenced files 100% TD
4.8.5 File extensions handling 90% TD
4.8.6 Analisys of error code 50% TD
4.8.7 SSL/TLS Testing: support of weak ciphers and cert validity 100% TD
4.8.8 Testing defense from Automatic attacks (maybe a duplicate) 10% TD
4.9 Web Services Testing 0% TD
4.9.1 XML Structural Attacks 0% TD
4.9.2 XML content-level attacks 0% TD
4.9.3 HTTP GET parameters/REST attacks 0% TD
4.9.4 Naughty SOAP attachments 0% TD
4.9.5 Brute force attacks 0% TD
4.10 AJAX Testing 0% TD
4.10.1 Vulnerabilities 0% TD
4.10.2 How to test 0% TD
Writing Reports: value the real risk
5.1 How to value the real risk 0% TD
5.2 How to write the report of the testing 0% TD
Appendix A: Testing Tools
1. Source Code Analyzers * Open Source / Freeware * Commercial 2. Black Box Scanners * Open Source * Commercial 3. Other Tools * Runtime Analysis * Binary Analysis * Requirements Management
Appendix B: Suggested Reading
1. Whitepapers 2. Books 3. Articles 4. Useful Websites 5. OWASP — http://www.owasp.org
Appendix C: Fuzz Vectors
Version 0.1 (October 4th)
Paragraph___________________________________________________|__State___|___Action___|___Author___
1 Frontispiece
2.1 Copyright and License 100% Review 2.2 Endorsements 100% Review 2.3 Trademarks 100% Review
2. Introduction
1. Performing An Application Security Review 0% TD 2. Principles of Testing 0% TD 3. Testing Techniques Explained 0% TD
3. Methodologies Used (Review)
3.1 The goal 50% TD 3.2 Overview of Approaches 50% TD 3.3 Security Requirements Review 0% TD 3.4 Security Architecture Review 0% TD 3.5 Code Review 50% TD 3.6 Automated Code Scanning 0% TD 3.7 Penetration Testing 50% TD 3.8 Automated Vulnerability Scanning 0% TD
4. Finding Specific Issues In a Non-Technical Manner (Review)
4.1. Threat Modeling Introduction 0% TD 4.2. Design Reviews 0% TD 4.3. Threat Modeling the Application 0% TD 4.4. Policy Reviews 0% TD 4.5. Requirements Analysis 0% TD 4.6. Developer Interviews and Interaction 0% TD
5. Finding Specific Vulnerabilities Using Source Code Review
5.1 For code review please see the OWASP Code Review Project
6. Manual testing techniques (Review)
6.1 Introduction and objectives 0% TD 6.2 Information Gathering (spider, google) 0% TD 6.3 Business logic testing 50% TD
6.4 Authentication Testing 50% TD 6.4.1 Default or guessable (dictionary) user account 90% TD 6.4.2 Brute Force 0% TD 6.4.3 Bypassing authentication schema 0% TD 6.4.4 Vulnerable remember password and pwd reset 90% TD 6.4.5 Logout and account expiry 0% TD
6.5 Session Management Testing 0% TD 6.5.1 Cookie and Session token Manipulation (regeneration, forging/brute force) 100% Review 6.5.2 Weak session tokens 70% TD 6.5.3 Session Riding 100% Review 6.5.4 Exposed session variables 0% TD 6.5.5 HTTP Exploit 0% TD
6.6 Data Validation Testing 0% TD 6.6.1 Cross site scripting 0% TD 6.6.1.1 Incubated attacks 0% TD 6.6.1.2 Phishing (using javascript) 0% TD 6.6.1.3 HTTP Methods + XSS (TRACE) 0% TD 6.6.2 SQL Injection 0% TD 6.6.2.1 Oracle, mySQL, SQL Server, TeraData 0% TD 6.6.2.2 Extended stored procedures 0% TD 6.6.2.3 Stored procedure injection 0% TD 6.6.2.4 Oracle +SQLServer ports and attacks 0% TD 6.6.2.5 Listener attacks etc. 1521 1433 1527 0% TD 6.6.3 Orm injection 0% TD 6.6.4 Ldap injection 0% TD 6.6.5 Xml injection 0% TD 6.6.6 Code injection 0% TD
6.7 Denial of Service Testing 95% Review 6.7.1 Locking Customer Accounts 100% Review 6.7.2 Buffer Overflows 100% Review 6.7.3 User Specified Object Allocation 100% Review 6.7.4 User Input as a Loop Counter 100% Review 6.7.5 Writing User Provided Data to Disk 100% Review 6.7.6 Failure to Release Resources 100% Review 6.7.7 Storing too Much Data in Session 90% Review
6.8 Buffer overflow Testing 100% Review 6.8.1 Heap overflow 100% Review 6.8.2 Stack overflow 100% Review 6.8.3 Format string 100% Review
6.9 Infrastructure and configuration Testing 0% TD 6.9.1 Intro and objective 0% TD 6.9.2 Infrastructure configuration management testing 100% TD 6.9.3 Application configuration management testing 100% TD
6.9.4 Old, backup and unreferenced files 100% TD 6.9.5 File extensions handling 90% TD 6.9.6 Analisys of error code 50% TD 6.9.7 SSL/TLS Testing: support of weak 100% TD ciphers and certificate validity 6.9.8 Testing defense from Automatic 10% TD Attacks (maybe a duplicate)
6.10 Web Services Testing 0% TD 6.10.1 XML Structural Attacks 0% TD 6.10.2 XML content-level attacks 0% TD 6.10.3 HTTP GET parameters/REST attacks 0% TD 6.10.4 Naughty SOAP attachments 0% TD 6.10.5 Brute force attacks 0% TD
6.11 AJAX Testing 0% TD 6.11.1 Vulnerabilities 0% TD 6.11.2 How to test 0% TD
7. The OWASP Testing Framework 95% (Review)
7.1. Overview 7.2. Phase 1 — Before Development Begins * Phase 1A: Policies and Standards Review * Phase 1B: Develop Measurement and Metrics Criteria (Ensure Traceability) 7.3. Phase 2: During Definition and Design * Phase 2A: Security Requirements Review * Phase 2B: Design an Architecture Review * Phase 2C: Create and Review UML Models * Phase 2D: Create and Review Threat Models 7.4. Phase 3: During Development * Phase 3A: Code Walkthroughs * Phase 3B: Code Reviews 7.5. Phase 4: During Deployment * Phase 4A: Application Penetration Testing * Phase 4B: Configuration Management Testing 7.6. Phase 5: Maintenance and Operations * Phase 5A: Conduct Operational Management Reviews * Phase 5B: Conduct Periodic Health Checks * Phase 5C: Ensure Change Verification 7.7. A Typical SDLC Testing Workflow * Figure 3: Typical SDLC Testing Workflow.
Appendix A: Testing Tools 95% (Review)
1. Source Code Analyzers * Open Source / Freeware * Commercial 2. Black Box Scanners * Open Source * Commercial 3. Other Tools * Runtime Analysis * Binary Analysis * Requirements Management
Appendix B: Suggested Reading 95% (Review)
1. Whitepapers 2. Books 3. Articles 4. Useful Websites 5. OWASP — http://www.owasp.org
Appendix C: Fuzz Vectors 95% (Review)