This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP Testing Project v3 Review Roadmap"

From OWASP
Jump to: navigation, search
Line 69: Line 69:
 
'''Kevin Review:'''
 
'''Kevin Review:'''
 
----
 
----
Date<br>
+
August 27/28th
articles reviewed<br><br>
 
Date<br>
 
 
articles reviewed<br><br>
 
articles reviewed<br><br>
 +
toimp: M.Meucci)1. Frontispiece
 +
(toimp: M.Meucci)1.1 About the OWASP Testing Guide Project
 +
 +
1.2 About The Open Web Application Security Project
 +
 +
2. Introduction
 +
2.1 The OWASP Testing Project
 +
2.2 Principles of Testing
 +
2.3 Testing Techniques Explained
 +
2.4 Security requirements test derivation,functional and non functional test requirements, and test cases through use and misuse cases
 +
2.4.1 Security tests integrated in developers and testers workflows
 +
2.4.2 Developers' security tests: unit tests and component level tests
 +
2.4.3 Functional testers' security tests: integrated system tests, tests in UAT, and production environment
 +
2.5 Security test data analysis and reporting: root cause identification and business/role case test data reporting
 +
 +
3. The OWASP Testing Framework
 +
3.1. Overview
 +
3.2. Phase 1: Before Development Begins
 +
3.3. Phase 2: During Definition and Design
 +
3.4. Phase 3: During Development
 +
3.5. Phase 4: During Deployment
 +
3.6. Phase 5: Maintenance and Operations
 +
3.7. A Typical SDLC Testing Workflow
 +
 +
4.Web Application Penetration Testing
 +
4.1 Introduction and Objectives
 +
4.1.1 Testing Checklist
 +
4.2 Information Gathering
 +
4.2.1 Spiders, Robots and Crawlers
 +
4.2.2 Search Engine Discovery/Reconnaissance
 +
4.2.3 Identify application entry points
 +
4.2.4 Testing for Web Application Fingerprint
 +
4.2.5 Application Discovery
 +
4.2.6 Analysis of Error Codes
 +
4.3 Configuration Management Testing
 +
4.3.1 SSL/TLS Testing (SSL Version, Algorithms, Key length, Digital Cert. Validity)
 +
4.3.2 DB Listener Testing
 +
4.3.3 Infrastructure Configuration Management Testing
 +
4.3.4 Application Configuration Management Testing
 +
  ** I was concerned about the structure and flow of this section.  It did not read cleanly for me and appeared more "wordy" then the other sections. The format also did not appear to be consistent with the other sections resulting in a disjointed feeling when reading it.
 +
4.3.5 Testing for File Extensions Handling
 +
4.3.6 Old, Backup and Unreferenced Files
 +
 +
03 September, 2008<br>
 +
4.1 Introduction and Objectives
 +
4.1.1 Testing Checklist
 +
4.2 Information Gathering
 +
4.2.1 Spiders, Robots and Crawlers
 +
4.2.2 Search Engine Discovery/Reconnaissance
 +
  ** Changed "GoogleBot" to the "GoogleBot"
 +
4.2.3 Identify application entry points
 +
4.2.4 Testing for Web Application Fingerprint
 +
4.2.5 Application Discovery
 +
<br><br>
 +
 +
10 September, 2008
 +
4.3.7 Infrastructure and Application Admin Interfaces
 +
4.3.8 Testing for HTTP Methods and XST
 +
  ** Grammer change in the section "Arbitrary HTTP Methods". Changed "and / or" to "and/or"
 +
  ** Grammer change in section "Test XST Potential"  andded a space between bullet number 1 and 2 and the text.
 +
 +
 
Questions: (Mat will answer it)<br>
 
Questions: (Mat will answer it)<br>

Revision as of 16:03, 10 September 2008

This page track all the update to the Testing Guide v3 during the Reviewing phase.

In particular the focus is:
- Review the content of each article
- Review the english sintax
- no "attacker", better "tester"
- no "we describe", but "it is described"

Official Testing Guide Reviewers are:

  • Nam Nguyen
  • Kevin R.Fuller
  • if you want to review it add your name please and keep track of updating

Nam Review:


Aug 31, 2008

  • Appendix D
  • Appendix C
  • Appendix B
  • Appendix A
  • Chapter 5
  • Chapter 4
    • Section 4.11 Testing for AJAX Vulnerabilities
      • There are mentioning of "attackers" but I think they are fine.
      • The subsection on Memory leaks is not complete.
    • Section 4.11 Testing for AJAX
      • The subsection "Intercepting and Debugging JS code with Browsers" is very difficult to understand. I tried to fix it, but I'm afraid what I have might not reflect what the original author wanted to express.

Sep 02, 2008

  • Chapter 4
    • Section 4.10
      • Subsection Testing for WS Replay Gray box testing and examples gives incomplete sample code. I believe the call to GetSessionIDMac() missed four parameters. In this same part, using SSL helps in preventing replay attack but it doesnt prevent replay attack by itself. In this same subection, the images show identifiable real Internet address in Hungary, should them be masked off?

Sep 04, 2008

  • Chapter 4
    • Section 4.9
    • Section 4.8
      • I'm not sure if format string could be classified under subsection 4.8.14 "Buffer overflow testing".
      • Subsecion 4.8.3: Incomplete
      • Subsection 4.8.4: Incomplete
      • Subsection 4.8.5: What is "data-plane input"?

Sep 06, 2008

  • Chapter 4
    • Section 4.8

Sep 07, 2008

  • Chapter 4
    • Section 4.7
    • Section 4.6
      • Subsection 4.6.1: "Review code for path traversal" does not exist in the Code Review Guide, or the link the broken.
    • Section 4.5

Sep 10, 2008


Kevin Review:


August 27/28th articles reviewed

toimp: M.Meucci)1. Frontispiece (toimp: M.Meucci)1.1 About the OWASP Testing Guide Project

1.2 About The Open Web Application Security Project

2. Introduction 2.1 The OWASP Testing Project 2.2 Principles of Testing 2.3 Testing Techniques Explained 2.4 Security requirements test derivation,functional and non functional test requirements, and test cases through use and misuse cases 2.4.1 Security tests integrated in developers and testers workflows 2.4.2 Developers' security tests: unit tests and component level tests 2.4.3 Functional testers' security tests: integrated system tests, tests in UAT, and production environment 2.5 Security test data analysis and reporting: root cause identification and business/role case test data reporting

3. The OWASP Testing Framework 3.1. Overview 3.2. Phase 1: Before Development Begins 3.3. Phase 2: During Definition and Design 3.4. Phase 3: During Development 3.5. Phase 4: During Deployment 3.6. Phase 5: Maintenance and Operations 3.7. A Typical SDLC Testing Workflow

4.Web Application Penetration Testing 4.1 Introduction and Objectives 4.1.1 Testing Checklist 4.2 Information Gathering 4.2.1 Spiders, Robots and Crawlers 4.2.2 Search Engine Discovery/Reconnaissance 4.2.3 Identify application entry points 4.2.4 Testing for Web Application Fingerprint 4.2.5 Application Discovery 4.2.6 Analysis of Error Codes 4.3 Configuration Management Testing 4.3.1 SSL/TLS Testing (SSL Version, Algorithms, Key length, Digital Cert. Validity) 4.3.2 DB Listener Testing 4.3.3 Infrastructure Configuration Management Testing 4.3.4 Application Configuration Management Testing

 ** I was concerned about the structure and flow of this section.  It did not read cleanly for me and appeared more "wordy" then the other sections. The format also did not appear to be consistent with the other sections resulting in a disjointed feeling when reading it.

4.3.5 Testing for File Extensions Handling 4.3.6 Old, Backup and Unreferenced Files

03 September, 2008
4.1 Introduction and Objectives 4.1.1 Testing Checklist 4.2 Information Gathering 4.2.1 Spiders, Robots and Crawlers 4.2.2 Search Engine Discovery/Reconnaissance

  ** Changed "GoogleBot" to the "GoogleBot"

4.2.3 Identify application entry points 4.2.4 Testing for Web Application Fingerprint 4.2.5 Application Discovery

10 September, 2008 4.3.7 Infrastructure and Application Admin Interfaces 4.3.8 Testing for HTTP Methods and XST

  ** Grammer change in the section "Arbitrary HTTP Methods". Changed "and / or" to "and/or"
  ** Grammer change in section "Test XST Potential"  andded a space between bullet number 1 and 2 and the text.


Questions: (Mat will answer it)