
Difference between revisions of "OWASP Testing Guide Table of Contents"

From OWASP
 
(Changed V2 to V3, Redirect to v3)
 
(57 intermediate revisions by 8 users not shown)
==[[Introduction]]==
+#REDIRECT [[OWASP_Testing_Guide_v3_Table_of_Contents]]
#How To Go About Performing An Application Security Review
 
#Principles of Testing
 
#Testing Techniques Explained
 
==[[Methodologies Used]]==
 
#Secure application design
 
#Code Review
 
#*Overview
 
#*Advantages and Disadvantages
 
#Penetration Testing
 
#*Overview
 
#*Advantages and Disadvantages
 
#The Need for a Balanced Approach
 
#A Note about Web Application Scanners
 
#A Note about Static Source Code Review Tools
 
==[[Finding Specific Issues In a Non-Technical Manner]]==
 
#Threat Modeling Introduction
 
#Design Reviews
 
#Threat Modeling the Application
 
#Policy Reviews
 
#Requirements Analysis
 
#Developer Interviews and Interaction
 
==[[Finding Specific Vulnerabilities Using Source Code Review]]==
 
#Gathering the information
 
#*Context, Context, Context
 
#*The Checklist
 
#*The Code Base
 
#*Transactional Analysis
 
#Source code examples
 
#Authentication & Authorisation
 
#*How to locate the potentially vulnerable code
 
#Buffer Overruns and Overflows
 
#*How to locate the potentially vulnerable code:
 
#*Vulnerable Patterns for buffer overflows
 
#*Good Patterns & procedures to prevent buffer overflows
 
#Data Validation
 
#*Canonicalization of input
 
#**Data validation strategy
 
#*Good Patterns for Data validation
 
#**Framework Example
 
#*Data validation of parameter names
 
#*Web services data validation
 
#Error, Exception handling & Logging
 
#*Releasing resources and good housekeeping
 
#OS Injection
 
#SQL Injection
 
#*How to Locate potentially vulnerable code
 
#*Best practices when dealing with DBs
 
#Threat Modeling
 
#*Overview
 
#*Advantages and Disadvantages
 
#**Advantages
 
#**Disadvantages
 
==[[Manual testing techniques]]==
 
#Business logic testing - <TBD>
 
#Authentication
 
#*Default or guessable user accounts
 
#** Causes
 
#** Blackbox Testing
 
#** Manual
 
#** Suggested Tools - <TBD>
 
#** Whitebox Testing
 
#** Further Reading
 
#Cookie manipulation
 
#*Short Description of Issue
 
#*How to Test
 
#*Black Box
 
#*Cookie reverse engineering
 
#*Cookie manipulation
 
#*Brute force
 
#**Cookie predictability
 
 
#*Overflow
 
#*White Box
 
#*Examples
 
#*Whitepapers
 
#*Tools
 
#Weak Session Tokens
 
#*Blackbox Testing
 
#*Manual
 
#*Suggested Tools
 
#*Whitebox Testing
 
#*Further Reading
 
#Session riding
 
#*How to Test
 
#*Black Box
 
#*White Box
 
#*References
 
#*Examples
 
#*Whitepapers
 
#*Tools
 
#Vulnerable remember password implementation
 
#*Blackbox Testing
 
#*Manual
 
#*Suggested Tools:
 
#*Whitebox Testing
 
#*Further Reading
 
#Weak Password Self-Reset Testing
 
#*Blackbox Testing
 
#*Manual
 
#Default or Guessable User Accounts and Empty Passwords
 
#*Blackbox Testing
 
#*Manual
 
#*Suggested Tools
 
#*Whitebox Testing
 
#*Further Reading
 
#Application Layer Denial of Service (DoS) Attacks
 
#DoS: Locking Customer Accounts
 
#*Black Box Testing
 
#*White Box Testing
 
#DoS: Buffer Overflows
 
#*Code Example
 
#*Testing Black Box
 
#*Testing White Box
 
#DoS: User Specified Object Allocation
 
#*Code Example
 
#*Testing Black Box
 
#*Testing White Box
 
#DoS: User Input as a Loop Counter
 
#*Code Example
 
#*Testing Black Box
 
#*Testing White Box
 
#*DoS: Writing User Provided Data to Disk
 
#*Testing Black Box
 
#*Testing White Box
 
#DoS: Failure to Release Resources
 
#*Code Example
 
#*Testing Black Box
 
#*Testing White Box
 
#DoS: Storing too Much Data in Session
 
#*Testing Black Box
 
#*Testing White Box
 
#*Other References
 
#Buffer Overflow
 
#*Buffer Overflow – Heap Overflow Vulnerability
 
#**How to Test
 
#**Black Box
 
#**White Box
 
#*Buffer Overflow – Stack Overflow Vulnerability
 
#*How to Test
 
#*Black Box
 
#*White Box
 
#*References
 
#*Examples
 
#*Whitepapers
 
#*Tools
 
#*Buffer Overflow – Format String Vulnerability
 
#**Black Box
 
#**White Box
 
#**References
 
#**Whitepapers
 
#**Tools
 
#Test and debug files
 
#*How to Test
 
#*Black Box
 
#*White Box
 
#*References - <TBD>
 
#*Examples
 
#*Whitepapers
 
#*Tools
 
#File extensions handling
 
#*How to Test
 
#*Black Box
 
#*White Box
 
#*References
 
#*Examples
 
#*Whitepapers
 
#*Tools
 
#Old, backup and unreferenced files
 
#*Threats
 
#*Countermeasures
 
#*How to Test
 
#*Black Box
 
#*White Box
 
#** Tools
 
#Defense from Automatic Attacks
 
#*Blackbox Testing
 
#*Manual
 
#*Suggested Tools
 
#*Whitebox Testing
 
#*Further Reading
 
#*SSL usage during whole session (see recent post on Webappsec regarding this) [Yvan Boily]
 
#Configuration Management Infrastructure
 
#*Review of the application architecture
 
#*Known server vulnerabilities
 
#*Administrative tools
 
#*Authentication back-ends
 
#*Configuration Management Application
 
#*Sample/known files and directories
 
#*Comment review
 
#*Configuration review
 
#*Logging
 
#*Log location
 
#*Log storage
 
#*Log rotation
 
#*Log review
 
#Sensitive data in URLs
 
#*Hashing sensitive data
 
#SSL / TLS cipher specifications and requirements for site
 
#*How to Test
 
#*Black Box
 
#*White Box
 
#** References
 
#*Examples
 
#*Whitepapers
 
#Tools
 
#How to Test
 
#*Black Box
 
#*White Box
 
#References
 
#*Examples
 
#*Whitepapers
 
#Tools
 
#*Language/Services/Application Specific Testing
 
#Web Services Security Testing
 
#*Notes
 
#*How to Test
 
#*Transport Layer Security
 
#*Message Layer Security
 
#*Application Layer Security
 
#*References
 
#*Examples
 
#*Whitepapers
 
#*Analyzing Results
 
==[[The OWASP Testing Framework]]==
 
#Overview
 
#Phase 1 — Before Development Begins
 
#*Phase 1A: Policies and Standards Review
 
#*Phase 1B: Develop Measurement and Metrics Criteria (Ensure Traceability)
 
#Phase 2: During Definition and Design
 
#*Phase 2A: Security Requirements Review
 
#*Phase 2B: Design an Architecture Review
 
#*Phase 2C: Create and Review UML Models
 
#*Phase 2D: Create and Review Threat Models
 
#Phase 3: During Development
 
#*Phase 3A: Code Walkthroughs
 
#*Phase 3B: Code Reviews
 
#Phase 4: During Deployment
 
#*Phase 4A: Application Penetration Testing
 
#*Phase 4B: Configuration Management Testing
 
#Phase 5: Maintenance and Operations
 
#*Phase 5A: Conduct Operational Management Reviews
 
#*Phase 5B: Conduct Periodic Health Checks
 
#*Phase 5C: Ensure Change Verification
 
#A Typical SDLC Testing Workflow
 
#* Figure 3: Typical SDLC Testing Workflow.
 
==[[Appendix A: Testing Tools]]==
 
#Source Code Analyzers
 
#Open Source / Freeware
 
#*Commercial
 
#Black Box Scanners
 
#*Open Source
 
#*Commercial
 
#Other Tools
 
#*Runtime Analysis
 
#*Binary Analysis
 
#*Requirements Management
 
==[[Appendix B: Suggested Reading]]==
 
#Whitepapers
 
#Books
 
#Articles
 
#Useful Websites
 
#OWASP — http://www.owasp.org
 
==[[Figures]]==
 
#Figure 1: Proportion of Test Effort in SDLC.
 
#Figure 2: Proportion of Test Effort According to Test Technique.
 
#Figure 3: Typical SDLC Testing Workflow.
 
  
[[Category:OWASP Testing Guide Project]]
+Note: This page is not in use any more since it contained the 1st version of the OWASP Testing Guide
+
+PLEASE, REFER TO THIS URL FOR THE TESTING GUIDE V3:
+http://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Table_of_Contents

Latest revision as of 23:27, 17 September 2013
