This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP Testing Guide v2 Table of Contents"

From OWASP
Jump to: navigation, search
m (Typo.)
 
(142 intermediate revisions by 14 users not shown)
Line 1: Line 1:
Updated 24th Nov, 12.00 GMT+1
+
__NOTOC__
Legend:<br>
 
xx%: Progress status of the paragraph <br>
 
Review: the paragraph need a review (Matteo Meucci)<br>
 
TD: Paragraph To Be Assigned<br>
 
  
[[http://www.owasp.org/index.php/OWASP_Autumn_of_Code_2006_-_Projects:_Testing_Guide OWASP Testing Guide AoC]]
+
Please go [http://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Table_of_Contents here] for the last release of the OWASP Testing Guide.
 
 
[[http://www.owasp.org/index.php/OWASP_Testing_Guide_v2_Review_Panel Review Panel]]
 
 
 
 
 
==[[Testing Guide Frontispiece AoC|Frontispiece]]==
 
 
 
'''1.1 About the OWASP Testing Guide Project'''<br>
 
1.1.1 Copyright                                        <br>
 
1.1.2 Editors                                         (0%, Review)<br>
 
1.1.3 Authors and Reviewers                         (0%, Review)<br>
 
1.1.4 Revision History<br>
 
1.1.5 Trademarks<br>
 
'''1.2 About The Open Web Application Security Project''' <br>
 
1.2.1 Overview <br>
 
1.2.2 Structure <br>
 
1.2.3 Licensing <br>
 
1.2.4 Participation and Membership <br>
 
1.2.5 Projects <br>
 
1.2.6 OWASP Privacy Policy <br>
 
 
 
==[[Testing Guide Introduction AoC|Introduction]]==
 
'''2.1 The OWASP Testing Project'''                                      <br>
 
'''2.2 Principles of Testing'''                                          <br>
 
'''2.3 Testing Techniques Explained'''                                    <br>
 
 
 
==[[The OWASP Testing Framework AoC|The OWASP Testing Framework]]==
 
'''3.1. Overview'''                                        <br>
 
'''3.2. Phase 1 — Before Development Begins '''<br>
 
'''3.3. Phase 2: During Definition and Design'''<br>
 
'''3.4. Phase 3: During Development'''<br>
 
'''3.5. Phase 4: During Deployment'''<br>
 
'''3.6. Phase 5: Maintenance and Operations'''<br>
 
'''3.7. A Typical SDLC Testing Workflow '''<br>
 
 
 
==[[Web Application Penetration Testing AoC |Web Application Penetration Testing ]]==
 
'''4.1 Introduction and objectives'''                               (Matteo Meucci)<br>
 
 
 
'''4.2 Information Gathering'''                        (Carlo Pelliccioni)<br>
 
4.2.1 Testing Web Application Fingerprint (Antonio Parata)<br>
 
4.2.2 Application Discovery (Mauro Bregolin)<br>
 
4.2.3 Spidering and googling                        (80%, Tom Brennan, Tom Ryan)<br>
 
4.2.4 Analysis of error codes                        (Carlo Pelliccioni)<br>
 
4.2.5 Infrastructure configuration management testing                        <br>
 
4.2.5.1 SSL/TLS Testing                        (Mauro Bregolin, Mark Curphey)<br>
 
4.2.5.2 DB Listener Testing                        (60%, Eoin Keary, Matteo Meucci)<br>
 
4.2.6 Application configuration management testing                        (90%)<br>
 
4.2.6.1 File extensions handling                        (Mauro Bregolin)<br>
 
4.2.6.2 Old, backup and unreferenced files                        (Mauro Bregolin, Javier Fernandez Sanguino, Dafydd Studdard)<br>
 
 
 
'''4.3 Business logic testing'''                                        (Madhura Halasgikar)<br>
 
 
 
'''4.4 Authentication Testing'''                                     (Meucci)<br>
 
4.4.1 Default or guessable (dictionary) user account              <br>
 
4.4.2 Brute Force                                                  (Giorgio Fedon, Andrea Lombardini)<br>
 
4.4.3 Bypassing authentication schema                              (Giorgio Fedon, Andrea Lombardini)<br>
 
4.4.4 Directory traversal/file include                            (Luca Carettoni)<br>
 
4.4.5 Vulnerable remember password and pwd reset                  (Ralph M. Los,Alberto Revelli)<br>
 
4.4.6 Logout and Browser Cache Management Testing                                  (Alberto Revelli)<br>
 
 
 
'''4.5 Session Management Testing'''                                        (Glyn Geoghegan, Meucci)<br>
 
4.5.1 Analysis of the Session Management Schema (Meucci)<br>
 
4.5.2 Cookie and Session token Manipulation  (Alberto Revelli, Matteo Meucci) <br> 
 
4.5.3 Exposed session variables                               (Meucci)<br>
 
4.5.4 Session Riding (XSRF)  (Mauro Bregolin,Review)<br>
 
4.5.5 HTTP Exploit                                                (0%, Arian J.Evans)<br>
 
 
 
'''4.6 Data Validation Testing'''                                        (Meucci) <br>
 
4.6.1 Cross site scripting (80%, Tom Brennan, Tom Ryan) <br>
 
4.6.1.1 HTTP Methods and XST (Alberto Revelli) <br>
 
4.6.2 SQL Injection (Antonio Parata) <br>
 
4.6.2.1 Stored procedure injection (40%,Gary Burns)<br>
 
4.6.2.2 Oracle testing (0%,TD) <br>
 
4.6.2.3 MySQL testing (Stefano Di Paola) <br>
 
4.6.2.4 SQL Server testing (95%,Ariel Waissbein)<br>
 
4.6.3 LDAP Injection (Stefano Di Paola) <br>
 
4.6.4 ORM Injection (100%,Mark Roxberry) <br>
 
4.6.5 XML Injection (Antonio Parata, Stefano Di Paola) <br>
 
4.6.6 SSI Injection (Claudio Merloni) <br>
 
4.6.7 XPath Injection (Antonio Parata, Alberto Revelli, Stefano Di Paola) <br>
 
4.6.8 IMAP/SMTP Injection (Vicente Aguilera) <br>
 
4.6.9 Code Injection (100%, Mark Roxberry) <br>
 
4.6.10 OS Commanding (70%, Gary Burns) <br>
 
4.6.11 Buffer overflow Testing <br>
 
4.6.11.1 Heap overflow <br>
 
4.6.11.2 Stack overflow <br>
 
4.6.11.3 Format string <br>
 
4.6.12 Incubated vulnerability testing (95%,Ariel Waissbein, Laura Nuñez) <br>
 
'''4.7 Denial of Service Testing'''                                          <br>
 
4.7.1 Locking Customer Accounts          Review<br>
 
4.7.2 Buffer Overflows                                          <br>
 
4.7.3 User Specified Object Allocation                          <br>
 
4.7.4 User Input as a Loop Counter                              <br>
 
4.7.5 Writing User Provided Data to Disk                        <br>
 
4.7.6 Failure to Release Resources                              <br>
 
4.7.7 Storing too Much Data in Session                          <br>
 
 
 
'''4.8 Web Services Testing''' (Eoin Keary, Mark Roxberry)<br>
 
4.8.1 XML Structural Testing <br>
 
4.8.2 XML content-level Testing <br>
 
4.8.3 HTTP GET parameters/REST Testing <br>
 
4.8.4 Naughty SOAP attachments <br>
 
4.8.5 Replay Testing      <br>
 
 
 
'''4.9 AJAX Testing'''    (70%, Dan Cornell, Giorgio Fedon, Stefano Di Paola)<br>
 
4.9.1 Vulnerabilities (90%, Anush Shetty) <br>
 
4.9.2  How to test (60%)<br>
 
 
 
==[[Writing Reports: value the real risk AoC |Writing Reports: value the real risk ]]==
 
'''5.1 How to value the real risk'''                               (90%, Daniel Cuthbert, Matteo Meucci, Sebastien Deleersnyder, Marco Morana)<br>
 
'''5.2 How to write the report of the testing'''                       (20%, Daniel Cuthbert, Tom Brennan, Tom Ryan) TD<br>
 
 
 
==[[Appendix A: Testing Tools |Appendix A: Testing Tools ]]==
 
(90%)<br>
 
* Black Box Testing Tools
 
* Source Code Analyzers
 
* Other Tools
 
 
 
==[[OWASP Testing Guide Appendix B: Suggested Reading | Appendix B: Suggested Reading]]==
 
(70%)<br>
 
* Whitepapers<br>
 
* Books<br>
 
* Articles<br>
 
* Useful Websites<br>
 
 
 
==[[OWASP Testing Guide Appendix C: Fuzz Vectors | Appendix C: Fuzz Vectors]]==
 
(70%)
 
 
 
<br>
 
 
 
{{Category:OWASP Testing Project AoC}}
 

Latest revision as of 17:07, 1 August 2013


Please go here for the last release of the OWASP Testing Guide.