Difference between revisions of "OWASP Testing Guide v4 Table of Contents"
Revision as of 16:52, 6 March 2014
This project is part of the OWASP Breakers community. Feel free to browse other projects within the Defenders, Builders, and Breakers communities.
This is the DRAFT of the table of content of the New Testing Guide v4.
You can download the stable version v3 here
Back to the OWASP Testing Guide Project: http://www.owasp.org/index.php/OWASP_Testing_Project
Updated: 5th March 2014
The following is a DRAFT of the ToC based on the feedback already received.
Table of Contents
Foreword by Eoin Keary
1. Frontispiece
[To review--> Mat]
1.1 About the OWASP Testing Guide Project [To review--> Mat]
1.2 About The Open Web Application Security Project [To review--> ]
2. Introduction
2.1 The OWASP Testing Project
2.2 Principles of Testing
2.3 Testing Techniques Explained
2.4 Security requirements test derivation
2.5 Security test data analysis and reporting: root cause identification and business/role case test data reporting
3. The OWASP Testing Framework
3.1. Overview
3.2. Phase 1: Before Development Begins
3.3. Phase 2: During Definition and Design
3.4. Phase 3: During Development
3.5. Phase 4: During Deployment
3.6. Phase 5: Maintenance and Operations
3.7. A Typical SDLC Testing Workflow
4. Web Application Penetration Testing
4.1 Introduction and Objectives [To review--> Mat]
4.1.1 Testing Checklist [To review at the end of brainstorming --> Mat]
4.2 Information Gathering
4.2.1 Conduct Search Engine Discovery and Reconnaissance for Information Leakage (OTG-INFO-001) formerly "Search Engine Discovery/Reconnaissance (OWASP-IG-002)"
4.2.2 Fingerprint Web Server (OTG-INFO-002) formerly "Testing for Web Application Fingerprint (OWASP-IG-004)"
4.2.3 Review Webserver Metafiles for Information Leakage (OTG-INFO-003) formerly "Spiders, Robots and Crawlers (OWASP-IG-001)"
4.2.4 Enumerate Applications on Webserver (OTG-INFO-004) formerly "Application Discovery (OWASP-IG-005)"
4.2.5 Review Webpage Comments and Metadata for Information Leakage (OTG-INFO-005) formerly "Review webpage comments and metadata(OWASP-IG-007)"
4.2.6 Identify application entry points (OTG-INFO-006) formerly "Identify application entry points (OWASP-IG-003)"
4.2.7 Map execution paths through application (OTG-INFO-008) formerly "Map execution paths through application (OWASP-IG-009)"
4.2.8 Fingerprint Web Application Framework (OTG-INFO-009) formerly "Testing for Web Application Fingerprint (OWASP-IG-010)" Ready to be reviewed
4.2.9 Fingerprint Web Application (OTG-INFO-010) formerly "Testing for Web Application Fingerprint (OWASP-IG-010)" [Amro AlOlaqi] Ready to be reviewed
4.2.10 Map Network and Application Architecture (OTG-INFO-011) formerly "Testing for Infrastructure Configuration Management Testing weakness (OWASP-CM-001)" [Amro AlOlaqi] Ready to be reviewed
4.3 Configuration and Deploy Management Testing
4.3.1 Test Network/Infrastructure Configuration (OTG-CONFIG-001) formerly "Testing for Infrastructure Configuration Management Testing weakness (OWASP-CM-001)"
4.3.2 Test Application Platform Configuration (OTG-CONFIG-002) formerly "Testing for Application Configuration Management weakness (OWASP-CM-002)" [Amro AlOlaqi] Ready to be reviewed
4.3.3 Test File Extensions Handling for Sensitive Information (OTG-CONFIG-003) formerly "Testing for File Extensions Handling (OWASP-CM-003)"
4.3.4 Review Old, Backup and Unreferenced Files for Sensitive Information (OTG-CONFIG-004) formerly "Old, Backup and Unreferenced Files (OWASP-CM-004)"
4.3.5 Enumerate Infrastructure and Application Admin Interfaces (OTG-CONFIG-005) formerly "Infrastructure and Application Admin Interfaces (OWASP-CM-005)" [Amro AlOlaqi] Ready to be reviewed
4.3.6 Test HTTP Methods (OTG-CONFIG-006) formerly "Testing for Bad HTTP Methods (OWASP-CM-006)"
4.3.7 Test HTTP Strict Transport Security (OTG-CONFIG-009) formerly "Testing for Missing HSTS header (OWASP-CM-009)"
4.3.8 Test RIA cross domain policy (OTG-CONFIG-011) formerly "Testing for RIA policy files weakness (OWASP-CM-010)"
4.4 Identity Management Testing
4.4.1 Test Role Definitions (OTG-IDENT-001) New
4.4.2 Test User Registration Process (OTG-IDENT-002) New
4.4.3 Test Account Provisioning Process (OTG-IDENT-003) New
4.4.4 Testing for Account Enumeration and Guessable User Account (OTG-IDENT-004) formerly "Testing for Account Enumeration and Guessable User Account (OWASP-AT-002)"
4.4.5 Testing for Weak or unenforced username policy (OTG-IDENT-005) formerly "Testing for Weak or unenforced username policy (OWASP-AT-009)"
4.5 Authentication Testing
4.5.1 Testing for Credentials Transported over an Encrypted Channel (OTG-AUTHN-001) formerly "Testing for Credentials Transported over an Encrypted Channel (OWASP-AT-001)"
4.5.2 Testing for default credentials (OTG-AUTHN-002) formerly "Testing for default credentials (OWASP-AT-003)"
4.5.3 Testing for Weak lock out mechanism (OTG-AUTHN-003) formerly "Testing for Weak lock out mechanism (OWASP-AT-004)"
4.5.4 Testing for bypassing authentication schema (OTG-AUTHN-004) formerly "Testing for bypassing authentication schema (OWASP-AT-005)"
4.5.5 Test remember password functionality (OTG-AUTHN-005) formerly "Testing for vulnerable remember password functionality (OWASP-AT-006)"
4.5.6 Testing for Browser cache weakness (OTG-AUTHN-006) formerly "Testing for Browser cache weakness (OWASP-AT-007)"
4.5.7 Testing for Weak password policy (OTG-AUTHN-007) formerly "Testing for Weak password policy (OWASP-AT-008)"
4.5.8 Testing for Weak security question/answer (OTG-AUTHN-008) New! - Robert Winkel
4.5.9 Testing for weak password change or reset functionalities (OTG-AUTHN-009) formerly "Testing for weak password change or reset functionalities (OWASP-AT-011)"
4.5.10 Testing for Weaker authentication in alternative channel (OTG-AUTHN-010) (e.g. mobile app, IVR, help desk)
4.6 Authorization Testing
4.6.1 Testing Directory traversal/file include (OTG-AUTHZ-002) formerly "Testing Directory traversal/file include (OWASP-AZ-001)"
4.6.2 Testing for bypassing authorization schema (OTG-AUTHZ-003) formerly "Testing for bypassing authorization schema (OWASP-AZ-002)"
4.6.3 Testing for Privilege Escalation (OTG-AUTHZ-004) formerly "Testing for Privilege Escalation (OWASP-AZ-003)"
4.6.4 Testing for Insecure Direct Object References (OTG-AUTHZ-005) formerly "Testing for Insecure Direct Object References (OWASP-AZ-004)"
4.7 Session Management Testing
4.7.1 Testing for Bypassing Session Management Schema (OTG-SESS-001) formerly "Testing for Bypassing Session Management Schema (OWASP-SM-001)"
4.7.2 Testing for Cookies attributes (OTG-SESS-002) formerly "Testing for Cookies attributes (OWASP-SM-002)" (cookies set without the 'HttpOnly' or 'Secure' attributes, or with no expiry)
4.7.3 Testing for Session Fixation (OTG-SESS-003) formerly "Testing for Session Fixation (OWASP-SM-003)"
4.7.4 Testing for Exposed Session Variables (OTG-SESS-004) formerly "Testing for Exposed Session Variables (OWASP-SM-004)"
4.7.5 Testing for Cross Site Request Forgery (CSRF) (OTG-SESS-005) formerly "Testing for Cross Site Request Forgery (CSRF) (OWASP-SM-005)"
4.7.6 Testing for logout functionality (OTG-SESS-007) formerly "Testing for logout functionality (OWASP-SM-007)"
4.7.7 Test Session Timeout (OTG-SESS-008)
4.7.8 Testing for Session puzzling (OTG-SESS-010)
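The cookie-attribute checks behind 4.7.2 (OTG-SESS-002), as an added example that is not part of the Testing Guide: it parses Set-Cookie header values and reports cookies that lack Secure, lack HttpOnly, or carry no Expires/Max-Age. The sample headers are constructed for illustration and the function names are my own; the over_tls flag is an assumption about the test context (Secure is only a finding when the site is served over HTTPS).

```python
"""Check Set-Cookie headers for the attributes OTG-SESS-002 looks at.

Added example; not code from the OWASP Testing Guide. The sample
Set-Cookie values below are constructed, not captured from a real site.
"""
from dataclasses import dataclass, field
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional, Tuple


@dataclass
class CookieReport:
    name: str
    secure: bool
    httponly: bool
    has_expiry: bool
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, Optional[str]]]:
    """Split one Set-Cookie value into (cookie name, {attr_lower: value or None}).

    Attributes are ';'-separated; a flag such as Secure has no '=' and maps to None.
    Splitting on ';' keeps the comma inside an Expires date intact.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, eq, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if eq else None
    return name, attrs


def check_cookie(header: str, over_tls: bool = True) -> CookieReport:
    """Evaluate one Set-Cookie value against the three OTG-SESS-002 attributes."""
    name, attrs = parse_set_cookie(header)
    secure = "secure" in attrs
    httponly = "httponly" in attrs

    # Expiry is satisfied by a numeric Max-Age or a parseable Expires date.
    has_expiry = False
    max_age = attrs.get("max-age")
    expires = attrs.get("expires")
    if max_age is not None and max_age.lstrip("-").isdigit():
        has_expiry = True
    elif expires:
        try:
            parsedate_to_datetime(expires)
            has_expiry = True
        except (TypeError, ValueError):
            pass  # malformed date: browser behaviour varies, treat as no expiry

    report = CookieReport(name, secure, httponly, has_expiry)
    if over_tls and not secure:
        report.findings.append("missing Secure: cookie is also sent over plain HTTP")
    if not httponly:
        report.findings.append("missing HttpOnly: readable from script via document.cookie")
    if not has_expiry:
        # A pure session cookie is often intended; the guide still lists it so record it.
        report.findings.append("no Expires/Max-Age: lifetime is left to the browser session")
    return report


def check_response_headers(headers: List[str], over_tls: bool = True) -> Dict[str, CookieReport]:
    """Run check_cookie over every Set-Cookie value; returns {cookie name: report}."""
    return {r.name: r for r in (check_cookie(h, over_tls) for h in headers)}


# Constructed sample response headers (assumption: application served over HTTPS).
SAMPLE_HEADERS = [
    "JSESSIONID=ab12cd34ef56; Path=/; Secure; HttpOnly",
    "PHPSESSID=0123456789abcdef; Path=/",
    "remember_me=9f8e7d6c; Max-Age=2592000; Path=/; HttpOnly",
]


if __name__ == "__main__":
    for name, report in check_response_headers(SAMPLE_HEADERS).items():
        status = "OK" if not report.findings else "; ".join(report.findings)
        print(f"{name}: {status}")
```

Run it against the Set-Cookie headers captured from the target's login response; each cookie comes back with the attributes it has and the findings to write up.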
4.8 Data Validation Testing
4.8.1 Testing for Reflected Cross Site Scripting (OTG-INPVAL-001) formerly "Testing for Reflected Cross Site Scripting (OWASP-DV-001)"
4.8.2 Testing for Stored Cross Site Scripting (OTG-INPVAL-002) formerly "Testing for Stored Cross Site Scripting (OWASP-DV-002)"
4.8.3 Testing for HTTP Verb Tampering (OTG-INPVAL-003) formerly "Testing for HTTP Verb Tampering (OWASP-DV-003)"
4.8.4 Testing for HTTP Parameter pollution (OTG-INPVAL-004) formerly "Testing for HTTP Parameter pollution (OWASP-DV-004)"
4.8.5 Testing for SQL Injection (OTG-INPVAL-006) formerly "Testing for SQL Injection (OWASP-DV-005)" Ready to be reviewed
4.8.5.2 MySQL Testing [Ismael Gonçalves]
4.8.5.4 Testing PostgreSQL (from OWASP BSP)
4.8.5.6 Testing for NoSQL injection [New!]
4.8.6 Testing for LDAP Injection (OTG-INPVAL-007) formerly "Testing for LDAP Injection (OWASP-DV-006)"
4.8.7 Testing for ORM Injection (OTG-INPVAL-008) formerly "Testing for ORM Injection (OWASP-DV-007)"
4.8.8 Testing for XML Injection (OTG-INPVAL-009) formerly "Testing for XML Injection (OWASP-DV-008)"
4.8.9 Testing for SSI Injection (OTG-INPVAL-010) formerly "Testing for SSI Injection (OWASP-DV-009)"
4.8.10 Testing for XPath Injection (OTG-INPVAL-011) formerly "Testing for XPath Injection (OWASP-DV-010)"
4.8.11 IMAP/SMTP Injection (OTG-INPVAL-012) formerly "IMAP/SMTP Injection (OWASP-DV-011)"
4.8.12 Testing for Code Injection (OTG-INPVAL-013) formerly "Testing for Code Injection (OWASP-DV-012)"
4.8.12.1 Testing for Local File Inclusion
4.8.12.2 Testing for Remote File Inclusion
4.8.13 Testing for Command Injection (OTG-INPVAL-014) formerly "Testing for Command Injection (OWASP-DV-013)"
4.8.14 Testing for Buffer overflow (OTG-INPVAL-015) formerly "Testing for Buffer overflow (OWASP-DV-014)"
4.8.14.1 Testing for Heap overflow
4.8.14.2 Testing for Stack overflow
4.8.14.3 Testing for Format string
4.8.15 Testing for incubated vulnerabilities (OTG-INPVAL-016) formerly "Testing for incubated vulnerabilities (OWASP-DV-015)"
4.8.16 Testing for HTTP Splitting/Smuggling (OTG-INPVAL-017) formerly "Testing for HTTP Splitting/Smuggling (OWASP-DV-016)" [Juan Galiana]
4.9 Error Handling
4.9.1 Analysis of Error Codes (OTG-ERR-001) formerly "Analysis of Error Codes (OWASP-IG-006)"
4.9.2 Analysis of Stack Traces (OTG-ERR-002) formerly "Analysis of Stack Traces"
4.10 Cryptography
4.10.1 Testing for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection (OTG-CRYPST-002) formerly "Testing for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection (OWASP-EN-002)" [Simone Onofri]
4.10.2 Testing for Padding Oracle (OTG-CRYPST-003) formerly "Testing for Padding Oracle (OWASP-EN-003)"
4.10.3 Testing for Sensitive information sent via unencrypted channels (OTG-CRYPST-007) [Simone Onofri]
4.11 Business Logic Testing (OWASP-BL-001)
4.11.1 Test Business Logic Data Validation (OTG-BUSLOGIC-001)
4.11.2 Test Ability to Forge Requests (OTG-BUSLOGIC-002)
4.11.3 Test Integrity Checks (OTG-BUSLOGIC-003)
4.11.4 Test for Process Timing (OTG-BUSLOGIC-004)
4.11.5 Test Number of Times a Function Can be Used Limits (OTG-BUSLOGIC-005)
4.11.6 Testing for the Circumvention of Work Flows (OTG-BUSLOGIC-006)
4.11.7 Test Defenses Against Application Mis-use (OTG-BUSLOGIC-007)
4.11.8 Test Upload of Unexpected File Types (OTG-BUSLOGIC-008)
4.11.9 Test Upload of Malicious Files (OTG-BUSLOGIC-009)
4.12 Client Side Testing [New!]
4.12.1 Testing for DOM based Cross Site Scripting (OTG-CLIENT-001) formerly "Testing for DOM based Cross Site Scripting (OWASP-CS-001)" [Stefano Di Paola]
4.12.2 Testing for JavaScript Execution (OWASP-CS-002) (Stefano Di Paola, Matteo Meucci)
4.12.3 Testing for HTML Injection (OWASP-CS-003) (Stefano Di Paola, Matteo Meucci)
4.12.4 Testing for Client Side URL Redirect (OWASP-CS-004) (Mauro Gentile, Davide Danelon)
4.12.5 Testing for CSS Injection (OWASP-CS-005) (Mauro Gentile, Davide Danelon)
4.12.6 Testing for Client Side Resource Manipulation (OWASP-CS-006) (Mauro Gentile, Davide Danelon)
4.12.7 Test Cross Origin Resource Sharing (OTG-CLIENT-007) formerly "Testing for HTML5 (OWASP-CS-002)" [Juan Galiana]
4.12.8 Testing for Cross Site Flashing (OTG-CLIENT-008) formerly "Testing for Cross Site Flashing (OWASP-CS-003)"
4.12.9 Testing for Clickjacking (OTG-CLIENT-009) formerly "Testing for Clickjacking (OWASP-CS-004)" [Davide Danelon]
4.12.10 Testing WebSockets (OTG-CLIENT-010) [Ryan Dewhurst]
4.12.11 Test Web Messaging (OTG-CLIENT-011) [Juan Galiana]
4.12.12 Test Local Storage (OTG-CLIENT-012) [Juan Galiana]
5. Writing Reports: value the real risk
5.1 How to value the real risk [To review--> Amro AlOlaqi] Ready to be reviewed
5.2 How to write the report of the testing [To review--> Amro AlOlaqi] Ready to be reviewed
Appendix A: Testing Tools
- Black Box Testing Tools [To review--> Amro AlOlaqi] Ready to be reviewed
Appendix B: Suggested Reading
- Whitepapers [To review--> David Fern] Ready to be reviewed
- Books [To review--> David Fern] Ready to be reviewed
- Useful Websites [To review--> David Fern] Ready to be reviewed
Appendix C: Fuzz Vectors
- Fuzz Categories [To review--> Amro AlOlaqi] Ready to be reviewed
Appendix D: Encoded Injection
[To review--> Amro AlOlaqi] Ready to be reviewed
ARTICLES DELETED:
INFO GATHERING:
CONFIGURATION AND DEPLOY MANAGEMENT TESTING:
4.3.7 Testing for Database credentials/connection strings available (OTG-CONFIG-007) formerly "Testing for Database credentials/connection strings available (OWASP-CM-007)"
4.3.8 Test Content Security Policy (OTG-CONFIG-008) formerly "Testing for Content Security Policy weakness (OWASP-CM-008)"
4.3.10 Test Frame Options (OTG-CONFIG-010)
4.3.12 Test Content Type Options (OTG-CONFIG-012) new
IDENTITY MANAGEMENT TESTING:
4.4.8 Test User Deregistration Process (OTG-IDENT-008) New
4.4.9 Test Account Deregistration Process (OTG-IDENT-009) New
AUTHORIZATION TESTING:
4.6.1 Test Management of Account Permissions (OTG-AUTHZ-001) New
4.6.6 Testing for Failure to Restrict access to authorized resource (OTG-AUTHZ-006) formerly "Testing for Failure to Restrict access to authorized resource (OWASP-AZ-005)"
4.6.7 Test privileges of server components (OTG-AUTHZ-007) (e.g. indexing service, reporting interface, file generator)
4.6.8 Test enforcement of application entry points (OTG-AUTHZ-008) (including exposure of objects)
4.6.9 Testing for failure to restrict access to authenticated resource (OTG-AUTHZ-009) formerly "Testing for failure to restrict access to authenticated resource (OWASP-AT-010)"
SESSION MANAGEMENT TESTING:
4.7.6 Test Session Token Strength (OTG-SESS-006)
4.7.9 Test multiple concurrent sessions (OTG-SESS-009)
DATA VALIDATION TESTING:
4.8.5 Testing for Unvalidated Redirects and Forwards (OTG-INPVAL-005) formerly "Testing for Unvalidated Redirects and Forwards (OWASP-DV-004)"
CRYPTOGRAPHY:
4.10.1 Testing for Insecure encryption usage (OTG-CRYPST-001) formerly "Testing for Insecure encryption usage (OWASP-EN-001)"
4.10.4 Testing for Cacheable HTTPS Response (OTG-CRYPST-004)
4.10.5 Test Cache Directives (OTG-CRYPST-005)
4.10.6 Testing for Insecure Cryptographic Storage (OTG-CRYPST-006)
4.10.8 Test Cryptographic Key Management (OTG-CRYPST-008)
BUSINESS LOGIC:
XXXX4.12.3 Testing for Forged Requests Using Predictive Parameters (OTG-BUSLOGIC-003) [New!]- [Combine with Test Ability to forge requests as an example]
4.12.3 Test Integrity Checks (OTG-BUSLOGIC-003) (e.g. overwriting updates)
DENIAL OF SERVICE
4.13.1 Test Regular expression DoS (OTG-DOS-001) [New!] note: to understand better
4.13.2 Test XML DoS (OTG-DOS-002) [New! - Andrew Muller]
4.13.3 Testing for CAPTCHA (OTG-DOS-003) formerly "Testing for CAPTCHA (OWASP-AT-012)"
4.13.4 Test excessive rate (speed) of use limits (OTG-DOS-004) [New!]- [Moved from Business Logic, formerly OTG-BUSLOGIC-006]
4.13.5 Test size of request limits (OTG-DOS-005) [New!] - [Moved from Business Logic, formerly OTG-BUSLOGIC-008]
WEB SERVICES TESTING
4.14 Web Service Testing [Tom Eston]
4.14.1 Scoping a Web Service Test (OTG-WEBSVC-001) formerly "Scoping a Web Service Test (OWASP-WS-001)"
4.14.2 WS Information Gathering (OTG-WEBSVC-002) formerly "WS Information Gathering (OWASP-WS-002)"
4.14.3 WS Authentication Testing (OTG-WEBSVC-003) formerly "WS Authentication Testing (OWASP-WS-003)"
4.14.4 WS Management Interface Testing (OTG-WEBSVC-004) formerly "WS Management Interface Testing (OWASP-WS-004)"
4.14.5 Weak XML Structure Testing (OTG-WEBSVC-005) formerly "Weak XML Structure Testing (OWASP-WS-005)"
4.14.6 XML Content-Level Testing (OTG-WEBSVC-006) formerly "XML Content-Level Testing (OWASP-WS-006)"
4.14.7 WS HTTP GET Parameters/REST Testing (OTG-WEBSVC-007) formerly "WS HTTP GET Parameters/REST Testing (OWASP-WS-007)"
4.14.8 WS Naughty SOAP Attachment Testing (OTG-WEBSVC-008) formerly "WS Naughty SOAP Attachment Testing (OWASP-WS-008)"
4.14.9 WS Replay/MiTM Testing (OTG-WEBSVC-009) formerly "WS Replay/MiTM Testing (OWASP-WS-009)"
4.14.10 WS BPEL Testing (OTG-WEBSVC-010) formerly "WS BPEL Testing (OWASP-WS-010)"
4.11 Logging [note: not convinced Logging should be included, as it requires access to logs to test]
4.11.1 Test time synchronisation (OTG-LOG-001) formerly "Incorrect time"
4.11.2 Test user-viewable log of authentication events (OTG-LOG-002)
4.4.6 Test Permissions of Guest/Training Accounts (OTG-IDENT-006) New
4.4.7 Test Account Suspension/Resumption Process (OTG-IDENT-007) New