This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "OWASP Testing Guide v2 Table of Contents"
| Line 1: | Line 1: | ||
| − | Updated | + | Updated 24th Nov, 12.00 GMT+1 |
Legend:<br> | Legend:<br> | ||
xx%: Progress status of the paragraph <br> | xx%: Progress status of the paragraph <br> | ||
| Line 12: | Line 12: | ||
==[[Testing Guide Frontispiece AoC|Frontispiece]]== | ==[[Testing Guide Frontispiece AoC|Frontispiece]]== | ||
| − | '''1.1 About | + | '''1.1 About the OWASP Testing Guide Project'''<br> |
| − | 1.1.1 | + | 1.1.1 Copyright <br> |
| − | 1.1.2 | + | 1.1.2 Editors (0%, Review)<br> |
| − | 1.1.3 | + | 1.1.3 Authors and Reviewers (0%, Review)<br> |
| − | 1.1.4 | + | 1.1.4 Revision History<br> |
| − | 1.1.5 | + | 1.1.5 Trademarks<br> |
| − | + | '''1.2 About The Open Web Application Security Project''' <br> | |
| − | '''1.2 About | + | 1.2.1 Overview <br> |
| − | 1.1 | + | 1.2.2 Structure <br> |
| − | 1.2 | + | 1.2.3 Licensing <br> |
| − | 1.3 | + | 1.2.4 Participation and Membership <br> |
| − | 1.4 | + | 1.2.5 Projects <br> |
| − | 1.5 | + | 1.2.6 OWASP Privacy Policy <br> |
==[[Testing Guide Introduction AoC|Introduction]]== | ==[[Testing Guide Introduction AoC|Introduction]]== | ||
| − | '''2.1 The OWASP Testing Project''' | + | '''2.1 The OWASP Testing Project''' <br> |
| − | '''2.2 Principles of Testing''' | + | '''2.2 Principles of Testing''' <br> |
| − | '''2.3 Testing Techniques Explained''' | + | '''2.3 Testing Techniques Explained''' <br> |
==[[The OWASP Testing Framework AoC|The OWASP Testing Framework]]== | ==[[The OWASP Testing Framework AoC|The OWASP Testing Framework]]== | ||
| − | '''3.1. Overview''' | + | '''3.1. Overview''' <br> |
| − | '''3.2. Phase 1 — Before Development Begins ''' | + | '''3.2. Phase 1 — Before Development Begins '''<br> |
| − | '''3.3. Phase 2: During Definition and Design''' | + | '''3.3. Phase 2: During Definition and Design'''<br> |
| − | '''3.4. Phase 3: During Development''' | + | '''3.4. Phase 3: During Development'''<br> |
| − | '''3.5. Phase 4: During Deployment''' | + | '''3.5. Phase 4: During Deployment'''<br> |
| − | '''3.6. Phase 5: Maintenance and Operations''' | + | '''3.6. Phase 5: Maintenance and Operations'''<br> |
| − | '''3.7. A Typical SDLC Testing Workflow ''' | + | '''3.7. A Typical SDLC Testing Workflow '''<br> |
==[[Web Application Penetration Testing AoC |Web Application Penetration Testing ]]== | ==[[Web Application Penetration Testing AoC |Web Application Penetration Testing ]]== | ||
| − | '''4.1 Introduction and objectives''' ( | + | '''4.1 Introduction and objectives''' (Matteo Meucci)<br> |
| − | '''4.2 Information Gathering''' ( | + | '''4.2 Information Gathering''' (Carlo Pelliccioni)<br> |
4.2.1 Testing Web Application Fingerprint (Antonio Parata)<br> | 4.2.1 Testing Web Application Fingerprint (Antonio Parata)<br> | ||
| − | 4.2.2 Application Discovery ( | + | 4.2.2 Application Discovery (Mauro Bregolin)<br> |
4.2.3 Spidering and googling (80%, Tom Brennan, Tom Ryan)<br> | 4.2.3 Spidering and googling (80%, Tom Brennan, Tom Ryan)<br> | ||
| − | 4.2.4 Analysis of error codes ( | + | 4.2.4 Analysis of error codes (Carlo Pelliccioni)<br> |
| − | 4.2.5 Infrastructure configuration management testing | + | 4.2.5 Infrastructure configuration management testing <br> |
| − | 4.2.5.1 SSL/TLS Testing ( | + | 4.2.5.1 SSL/TLS Testing (Mauro Bregolin, Mark Curphey)<br> |
4.2.5.2 DB Listener Testing (60%, Eoin Keary, Matteo Meucci)<br> | 4.2.5.2 DB Listener Testing (60%, Eoin Keary, Matteo Meucci)<br> | ||
4.2.6 Application configuration management testing (90%)<br> | 4.2.6 Application configuration management testing (90%)<br> | ||
| − | 4.2.6.1 File extensions handling ( | + | 4.2.6.1 File extensions handling (Mauro Bregolin)<br> |
| − | 4.2.6.2 Old, backup and unreferenced files ( | + | 4.2.6.2 Old, backup and unreferenced files (Mauro Bregolin, Javier Fernandez Sanguino, Dafydd Studdard)<br> |
| − | '''4.3 Business logic testing''' ( | + | '''4.3 Business logic testing''' (Madhura Halasgikar)<br> |
| − | '''4.4 Authentication Testing''' ( | + | '''4.4 Authentication Testing''' (Meucci)<br> |
| − | 4.4.1 Default or guessable (dictionary) user account | + | 4.4.1 Default or guessable (dictionary) user account <br> |
| − | 4.4.2 Brute Force ( | + | 4.4.2 Brute Force (Giorgio Fedon, Andrea Lombardini)<br> |
| − | 4.4.3 Bypassing authentication schema ( | + | 4.4.3 Bypassing authentication schema (Giorgio Fedon, Andrea Lombardini)<br> |
| − | 4.4.4 Directory traversal/file include ( | + | 4.4.4 Directory traversal/file include (Luca Carettoni)<br> |
| − | 4.4.5 Vulnerable remember password and pwd reset ( | + | 4.4.5 Vulnerable remember password and pwd reset (Ralph M. Los,Alberto Revelli)<br> |
| − | 4.4.6 Logout and Browser Cache Management Testing ( | + | 4.4.6 Logout and Browser Cache Management Testing (Alberto Revelli)<br> |
| − | '''4.5 Session Management Testing''' ( | + | '''4.5 Session Management Testing''' (Glyn Geoghegan, Meucci)<br> |
| − | 4.5.1 Analysis of the Session Management Schema ( | + | 4.5.1 Analysis of the Session Management Schema (Meucci)<br> |
| − | 4.5.2 Cookie and Session token Manipulation ( | + | 4.5.2 Cookie and Session token Manipulation (Alberto Revelli, Matteo Meucci) <br> |
| − | 4.5.3 Exposed session variables ( | + | 4.5.3 Exposed session variables (Meucci)<br> |
| − | 4.5.4 Session Riding (XSRF) ( | + | 4.5.4 Session Riding (XSRF) (Mauro Bregolin,Review)<br> |
4.5.5 HTTP Exploit (0%, Arian J.Evans)<br> | 4.5.5 HTTP Exploit (0%, Arian J.Evans)<br> | ||
'''4.6 Data Validation Testing''' (Intro 95% Meucci) <br> | '''4.6 Data Validation Testing''' (Intro 95% Meucci) <br> | ||
4.6.1 Cross site scripting (80%, Tom Brennan, Tom Ryan) <br> | 4.6.1 Cross site scripting (80%, Tom Brennan, Tom Ryan) <br> | ||
| − | 4.6.1.1 HTTP Methods and XST ( | + | 4.6.1.1 HTTP Methods and XST (Alberto Revelli) <br> |
| − | 4.6.2 SQL Injection ( | + | 4.6.2 SQL Injection (Antonio Parata) <br> |
4.6.2.1 Stored procedure injection (40%,Gary Burns)<br> | 4.6.2.1 Stored procedure injection (40%,Gary Burns)<br> | ||
4.6.2.2 Oracle testing (0%,TD) <br> | 4.6.2.2 Oracle testing (0%,TD) <br> | ||
| − | 4.6.2.3 MySQL testing ( | + | 4.6.2.3 MySQL testing (Stefano Di Paola) <br> |
4.6.2.4 SQL Server testing (95%,Ariel Waissbein)<br> | 4.6.2.4 SQL Server testing (95%,Ariel Waissbein)<br> | ||
| − | 4.6.3 LDAP Injection ( | + | 4.6.3 LDAP Injection (Stefano Di Paola) <br> |
4.6.4 ORM Injection (90%,Mark Roxberry) <br> | 4.6.4 ORM Injection (90%,Mark Roxberry) <br> | ||
| − | 4.6.5 XML Injection ( | + | 4.6.5 XML Injection (Antonio Parata, Stefano Di Paola) <br> |
| − | 4.6.6 SSI Injection ( | + | 4.6.6 SSI Injection (Claudio Merloni) <br> |
| − | 4.6.7 XPath Injection ( | + | 4.6.7 XPath Injection (Antonio Parata, Alberto Revelli, Stefano Di Paola) <br> |
| − | 4.6.8 IMAP/SMTP Injection ( | + | 4.6.8 IMAP/SMTP Injection (Vicente Aguilera) <br> |
4.6.9 Code Injection (90%, Mark Roxberry) <br> | 4.6.9 Code Injection (90%, Mark Roxberry) <br> | ||
4.6.10 OS Commanding (70%, Gary Burns) <br> | 4.6.10 OS Commanding (70%, Gary Burns) <br> | ||
| − | 4.6.11 Buffer overflow Testing | + | 4.6.11 Buffer overflow Testing <br> |
| − | 4.6.11.1 Heap overflow | + | 4.6.11.1 Heap overflow <br> |
| − | 4.6.11.2 Stack overflow | + | 4.6.11.2 Stack overflow <br> |
| − | 4.6.11.3 Format string | + | 4.6.11.3 Format string <br> |
4.6.12 Incubated vulnerability testing (95%,Ariel Waissbein, Laura Nuñez) <br> | 4.6.12 Incubated vulnerability testing (95%,Ariel Waissbein, Laura Nuñez) <br> | ||
| − | '''4.7 Denial of Service Testing''' | + | '''4.7 Denial of Service Testing''' <br> |
| − | 4.7.1 Locking Customer Accounts | + | 4.7.1 Locking Customer Accounts Review<br> |
| − | 4.7.2 Buffer Overflows | + | 4.7.2 Buffer Overflows <br> |
| − | 4.7.3 User Specified Object Allocation | + | 4.7.3 User Specified Object Allocation <br> |
| − | 4.7.4 User Input as a Loop Counter | + | 4.7.4 User Input as a Loop Counter <br> |
| − | 4.7.5 Writing User Provided Data to Disk | + | 4.7.5 Writing User Provided Data to Disk <br> |
| − | 4.7.6 Failure to Release Resources | + | 4.7.6 Failure to Release Resources <br> |
| − | 4.7.7 Storing too Much Data in Session | + | 4.7.7 Storing too Much Data in Session <br> |
| − | '''4.8 Web Services Testing''' ( | + | '''4.8 Web Services Testing''' (Eoin Keary, Mark Roxberry)<br> |
| − | 4.8.1 XML Structural Testing | + | 4.8.1 XML Structural Testing <br> |
| − | 4.8.2 XML content-level Testing | + | 4.8.2 XML content-level Testing <br> |
| − | 4.8.3 HTTP GET parameters/REST Testing | + | 4.8.3 HTTP GET parameters/REST Testing <br> |
| − | 4.8.4 Naughty SOAP attachments | + | 4.8.4 Naughty SOAP attachments <br> |
| − | 4.8.5 Replay Testing | + | 4.8.5 Replay Testing <br> |
'''4.9 AJAX Testing''' (70%, Dan Cornell, Giorgio Fedon, Stefano Di Paola)<br> | '''4.9 AJAX Testing''' (70%, Dan Cornell, Giorgio Fedon, Stefano Di Paola)<br> | ||
| − | 4.9.1 Vulnerabilities ( | + | 4.9.1 Vulnerabilities (90%, Anush Shetty) <br> |
4.9.2 How to test (60%)<br> | 4.9.2 How to test (60%)<br> | ||
Revision as of 10:38, 24 November 2006
Updated 24th Nov, 12.00 GMT+1
Legend:
xx%: Progress status of the paragraph
Review: the paragraph need a review (Matteo Meucci)
TD: Paragraph To Be Assigned
Frontispiece
1.1 About the OWASP Testing Guide Project
1.1.1 Copyright
1.1.2 Editors (0%, Review)
1.1.3 Authors and Reviewers (0%, Review)
1.1.4 Revision History
1.1.5 Trademarks
1.2 About The Open Web Application Security Project
1.2.1 Overview
1.2.2 Structure
1.2.3 Licensing
1.2.4 Participation and Membership
1.2.5 Projects
1.2.6 OWASP Privacy Policy
Introduction
2.1 The OWASP Testing Project
2.2 Principles of Testing
2.3 Testing Techniques Explained
The OWASP Testing Framework
3.1. Overview
3.2. Phase 1 — Before Development Begins
3.3. Phase 2: During Definition and Design
3.4. Phase 3: During Development
3.5. Phase 4: During Deployment
3.6. Phase 5: Maintenance and Operations
3.7. A Typical SDLC Testing Workflow
Web Application Penetration Testing
4.1 Introduction and objectives (Matteo Meucci)
4.2 Information Gathering (Carlo Pelliccioni)
4.2.1 Testing Web Application Fingerprint (Antonio Parata)
4.2.2 Application Discovery (Mauro Bregolin)
4.2.3 Spidering and googling (80%, Tom Brennan, Tom Ryan)
4.2.4 Analysis of error codes (Carlo Pelliccioni)
4.2.5 Infrastructure configuration management testing
4.2.5.1 SSL/TLS Testing (Mauro Bregolin, Mark Curphey)
4.2.5.2 DB Listener Testing (60%, Eoin Keary, Matteo Meucci)
4.2.6 Application configuration management testing (90%)
4.2.6.1 File extensions handling (Mauro Bregolin)
4.2.6.2 Old, backup and unreferenced files (Mauro Bregolin, Javier Fernandez Sanguino, Dafydd Studdard)
4.3 Business logic testing (Madhura Halasgikar)
4.4 Authentication Testing (Meucci)
4.4.1 Default or guessable (dictionary) user account
4.4.2 Brute Force (Giorgio Fedon, Andrea Lombardini)
4.4.3 Bypassing authentication schema (Giorgio Fedon, Andrea Lombardini)
4.4.4 Directory traversal/file include (Luca Carettoni)
4.4.5 Vulnerable remember password and pwd reset (Ralph M. Los,Alberto Revelli)
4.4.6 Logout and Browser Cache Management Testing (Alberto Revelli)
4.5 Session Management Testing (Glyn Geoghegan, Meucci)
4.5.1 Analysis of the Session Management Schema (Meucci)
4.5.2 Cookie and Session token Manipulation (Alberto Revelli, Matteo Meucci)
4.5.3 Exposed session variables (Meucci)
4.5.4 Session Riding (XSRF) (Mauro Bregolin,Review)
4.5.5 HTTP Exploit (0%, Arian J.Evans)
4.6 Data Validation Testing (Intro 95% Meucci)
4.6.1 Cross site scripting (80%, Tom Brennan, Tom Ryan)
4.6.1.1 HTTP Methods and XST (Alberto Revelli)
4.6.2 SQL Injection (Antonio Parata)
4.6.2.1 Stored procedure injection (40%,Gary Burns)
4.6.2.2 Oracle testing (0%,TD)
4.6.2.3 MySQL testing (Stefano Di Paola)
4.6.2.4 SQL Server testing (95%,Ariel Waissbein)
4.6.3 LDAP Injection (Stefano Di Paola)
4.6.4 ORM Injection (90%,Mark Roxberry)
4.6.5 XML Injection (Antonio Parata, Stefano Di Paola)
4.6.6 SSI Injection (Claudio Merloni)
4.6.7 XPath Injection (Antonio Parata, Alberto Revelli, Stefano Di Paola)
4.6.8 IMAP/SMTP Injection (Vicente Aguilera)
4.6.9 Code Injection (90%, Mark Roxberry)
4.6.10 OS Commanding (70%, Gary Burns)
4.6.11 Buffer overflow Testing
4.6.11.1 Heap overflow
4.6.11.2 Stack overflow
4.6.11.3 Format string
4.6.12 Incubated vulnerability testing (95%,Ariel Waissbein, Laura Nuñez)
4.7 Denial of Service Testing
4.7.1 Locking Customer Accounts Review
4.7.2 Buffer Overflows
4.7.3 User Specified Object Allocation
4.7.4 User Input as a Loop Counter
4.7.5 Writing User Provided Data to Disk
4.7.6 Failure to Release Resources
4.7.7 Storing too Much Data in Session
4.8 Web Services Testing (Eoin Keary, Mark Roxberry)
4.8.1 XML Structural Testing
4.8.2 XML content-level Testing
4.8.3 HTTP GET parameters/REST Testing
4.8.4 Naughty SOAP attachments
4.8.5 Replay Testing
4.9 AJAX Testing (70%, Dan Cornell, Giorgio Fedon, Stefano Di Paola)
4.9.1 Vulnerabilities (90%, Anush Shetty)
4.9.2 How to test (60%)
Writing Reports: value the real risk
5.1 How to value the real risk (90%, Daniel Cuthbert, Matteo Meucci, Sebastien Deleersnyder, Marco Morana)
5.2 How to write the report of the testing (20%, Daniel Cuthbert, Tom Brennan, Tom Ryan) TD
Appendix A: Testing Tools
(90%)
- Black Box Testing Tools
- Source Code Analyzers
- Other Tools
Appendix B: Suggested Reading
(70%)
- Whitepapers
- Books
- Articles
- Useful Websites
Appendix C: Fuzz Vectors
(70%)
OWASP Testing Guide v2
Here is the OWASP Testing Guide v2 Table of Contents
