This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP Testing Guide v2 Table of Contents"

From OWASP
Jump to: navigation, search
Line 48: Line 48:
 
4.2.4.1 SSL/TLS Testing                        (100%,Mauro Bregolin,Review Reviewed by EK)<br>
 
4.2.4.1 SSL/TLS Testing                        (100%,Mauro Bregolin,Review Reviewed by EK)<br>
 
4.2.4.2 DB Listener Testing                        (0%, Alexander Kornbrust)<br>
 
4.2.4.2 DB Listener Testing                        (0%, Alexander Kornbrust)<br>
4.2.5 Application configuration management testing                        (90%, Review)<br>
+
4.2.5 Application configuration management testing                        (90%, Reviewed by EK)<br>
4.2.5.1 File extensions handling                        (80%,Mauro Bregolin, Review)<br>
+
4.2.5.1 File extensions handling                        (80%,Mauro Bregolin, Reviewed by EK)<br>
4.2.5.2 Old, backup and unreferenced files                        (80%,Mauro Bregolin, Review)<br>
+
4.2.5.2 Old, backup and unreferenced files                        (80%,Mauro Bregolin, Reviewed by EK)<br>
 
'''4.3 Business logic testing'''                                        (95%,Madhura Halasgikar)<br>
 
'''4.3 Business logic testing'''                                        (95%,Madhura Halasgikar)<br>
 
'''4.4 Authentication Testing'''                                     (95%,        Intro Meucci)<br>
 
'''4.4 Authentication Testing'''                                     (95%,        Intro Meucci)<br>

Revision as of 14:22, 13 November 2006

Legend:
xx%: Progress status of the paragraph (updated 12th Nov, 23.00 GMT+1)
Review: the paragraph need a review (Matteo Meucci)
TD: Paragraph To Be Assigned

[OWASP Testing Guide AoC]

[Review Panel]


Frontispiece

1.1 About The Open Web Application Security Project (100%)
1.1.1 Overview (100%)
1.1.2 Structure (100%)
1.1.3 Licensing (100%)
1.1.4 Participation and Membership (100%)
1.1.5 Projects (100%)
1.1.6 OWASP Privacy Policy (100%)
1.2 About the OWASP Testing Guide Project
1.1 Copyright (100%, Review)
1.2 Editors (0%, Review)
1.3 Authors and Reviewers (0%, Review)
1.4 Revision History(0%, Review)
1.5 Trademarks(100%)

Introduction

2.1 The OWASP Testing Project (100%, Reviewed by EK)
2.2 Principles of Testing (100%, Reviewed by EK)
2.3 Testing Techniques Explained (100%, Reviewed by EK)

The OWASP Testing Framework

3.1. Overview (90%, Review)
3.2. Phase 1 — Before Development Begins (100%, Review)
3.3. Phase 2: During Definition and Design(100%, Review)
3.4. Phase 3: During Development(100%, Review)
3.5. Phase 4: During Deployment(100%, Review)
3.6. Phase 5: Maintenance and Operations(100%, Review)
3.7. A Typical SDLC Testing Workflow (100%, Review)

Web Application Penetration Testing

4.1 Introduction and objectives (95%, Matteo Meucci Reviewed by EK)
4.2 Information Gathering (90%, Carlo Pelliccioni, Reviewed by EK)
4.2.1 Application Discovery (90%, Mauro Bregolin Reviewed by EK)
4.2.2 Spidering and googling (0%, Tom Brennan, Tom Ryan)
4.2.3 Analysis of error codes (80%, Carlo Pelliccioni Reviewed by EK)
4.2.4 Infrastructure configuration management testing (80%, Review Reviewed by EK)
4.2.4.1 SSL/TLS Testing (100%,Mauro Bregolin,Review Reviewed by EK)
4.2.4.2 DB Listener Testing (0%, Alexander Kornbrust)
4.2.5 Application configuration management testing (90%, Reviewed by EK)
4.2.5.1 File extensions handling (80%,Mauro Bregolin, Reviewed by EK)
4.2.5.2 Old, backup and unreferenced files (80%,Mauro Bregolin, Reviewed by EK)
4.3 Business logic testing (95%,Madhura Halasgikar)
4.4 Authentication Testing (95%, Intro Meucci)
4.4.1 Default or guessable (dictionary) user account (80%, Review)
4.4.2 Brute Force (95%,Giorgio Fedon, Andrea Lombardini)
4.4.3 Bypassing authentication schema (95%,Giorgio Fedon, Andrea Lombardini)
4.4.4 Directory traversal/file include (100%, Luca Carettoni Reviewed by DC)
4.4.5 Vulnerable remember password and pwd reset (90%, Ralph M. Los,Alberto Revelli)
4.4.6 Logout and Browser Cache Management Testing (100%,Alberto Revelli)

4.5 Session Management Testing (95% intro,Glyn Geoghegan, Meucci)
4.5.1 Analysis of the Session Management Schema (90%, Meucci)
4.5.2 Cookie and Session token Manipulation (100%,Alberto Revelli, Matteo Meucci Review)
4.5.3 Exposed session variables (90%,Meucci)
4.5.4 Session Riding (XSRF) (80%, Mauro Bregolin,Review)
4.5.5 HTTP Exploit (0%, Arian J.Evans)

4.6 Data Validation Testing (Intro 70% Meucci)
4.6.1 Cross site scripting (20%, Tom Brennan, Tom Ryan)
4.6.1.1 HTTP Methods and XST (100%, Alberto Revelli)
4.6.2 SQL Injection (90%, Alexander Kornbrust, Antonio Parata)
4.6.2.1 Stored procedure injection (0%,TD)
4.6.2.2 Oracle testing (0%,Alexander Kornbrust)
4.6.2.3 MySQL testing (100%, Stefano Di Paola)
4.6.2.4 SQL Server testing (95%,Ariel Waissbein)
4.6.3 LDAP Injection (90%,Stefano Di Paola)
4.6.4 ORM Injection (0%,TD)
4.6.5 XML Injection (80%,Antonio Parata, Stefano Di Paola)
4.6.6 SSI Injection (95%,Claudio Merloni, Review)
4.6.7 XPath Injection (80%, Antonio Parata, Alberto Revelli, Stefano Di Paola)
4.6.8 IMAP/SMTP Injection (95%, Vicente Aguilera)
4.6.9 Code Injection (70%, Mark Roxberry)
4.6.10 OS Commanding (70%, Gary Burns)
4.6.11 Buffer overflow Testing (100%, Review)
4.6.11.1 Heap overflow (100%, Review)
4.6.11.2 Stack overflow (100%, Review)
4.6.11.3 Format string (100%, Review)
4.6.12 Incubated vulnerability testing (95%,Ariel Waissbein, Laura Nuñez)
4.7 Denial of Service Testing 95% Review
4.7.1 Locking Customer Accounts 100% Review
4.7.2 Buffer Overflows 100% Review
4.7.3 User Specified Object Allocation 100% Review
4.7.4 User Input as a Loop Counter 100% Review
4.7.5 Writing User Provided Data to Disk 100% Review
4.7.6 Failure to Release Resources 100% Review
4.7.7 Storing too Much Data in Session 90% Review

4.8 Web Services Testing (100%,Eoin Keary, Mark Roxberry)
4.8.1 XML Structural Testing (100% Review)
4.8.2 XML content-level Testing (90% Review)
4.8.3 HTTP GET parameters/REST Testing (100% Review)
4.8.4 Naughty SOAP attachments (95% Review)
4.8.5 Replay Testing (95% Review)

4.9 AJAX Testing (70%, Dan Cornell, Giorgio Fedon, Stefano Di Paola)
4.9.1 Vulnerabilities (60%, Anush Shetty)
4.9.2 How to test (60%)

Writing Reports: value the real risk

5.1 How to value the real risk (50%, Daniel Cuthbert, Matteo Meucci, Sebastien Deleersnyder, Marco Morana)
5.2 How to write the report of the testing (0%, Daniel Cuthbert, Tom Brennan, Tom Ryan) TD

Appendix A: Testing Tools

Source Code Analyzers

  • Open Source / Freeware
  • Commercial

Black Box Scanners

  • Open Source
  • Commercial

Other Tools

  • Runtime Analysis
  • Binary Analysis
  • Requirements Management

Appendix B: Suggested Reading

1. Whitepapers
2. Books
3. Articles
4. Useful Websites
5. OWASP — http://www.owasp.org

Appendix C: Fuzz Vectors



OWASP Testing Guide v2

Here is the OWASP Testing Guide v2 Table of Contents