|
|
(35 intermediate revisions by 9 users not shown) |
Line 1: |
Line 1: |
− | Please refer to [[OWASP_Testing_Guide_v2_Table_of_Contents]] for updated information about the progress status of each article.
| + | {{Template:OWASP Testing Guide v4}} |
| | | |
− | == Web Application Penetration Testing ==
| + | The following sections describe the 12 subcategories of the Web Application Penetration Testing Methodology: |
| | | |
− | 4.1 [[Introduction and objectives Testing AoC|Introduction and objectives]] <br>
| + | [[Testing: Introduction and objectives|'''4.1 Introduction and Objectives''']] |
| | | |
− | 4.2 [[Information Gathering Testing AoC|Information Gathering ]]<br>
| + | [[Testing Information Gathering|'''4.2 Information Gathering ''']] |
− | 4.2.1 [[Application Discovery AoC|Application Discovery]]<br>
| |
− | 4.2.2 [[Spidering and googling AoC|Spidering and googling]] <br> | |
− | 4.2.3 [[Analisys of error code AoC|Analisys of error code]] <br>
| |
− | 4.2.4 [[Infrastructure configuration management testing AoC|Infrastructure configuration management testing]]<br>
| |
− | 4.2.4.1 [[SSL/TLS Testing AoC|SSL/TLS Testing ]]<br>
| |
− | 4.2.4.2 [[DB Listener Testing AoC|DB Listener Testing ]]<br>
| |
− | 4.2.5 [[Application configuration management testing AoC|Application configuration management testing]] <br>
| |
− | 4.2.5.1 [[File extensions handling AoC|File extensions handling ]]<br>
| |
− | 4.2.5.2 [[Old_file_testing_AoC|Old, backup and unreferenced files ]]<br>
| |
| | | |
− | 4.3 [[Business logic testing AoC|Business logic testing]] <br> | + | [[Testing for configuration management|'''4.3 Configuration and Deployment Management Testing ''']] |
| | | |
− | 4.4 [[Authentication Testing Aoc|Authentication Testing]] <br>
| + | [[Testing Identity Management|'''4.4 Identity Management Testing''']] |
− | [[Default or Guessable User Account Testing AoC|4.4.1 Default or guessable (dictionary) user account]]<br>
| |
− | [[Brute Force Testing AoC|4.4.2 Brute Force]]<br>
| |
− | [[Bypassing Authentication Schema AoC|4.4.3 Bypassing authentication schema]]<br>
| |
− | [[Directory Traversal Testing AoC|4.4.4 Directory traversal/file include]] <br> | |
− | [[Vulnerable Remember Password and Pwd Reset AoC|4.4.5 Vulnerable remember password and pwd reset]]<br>
| |
− | [[Logout and Browser Cache Management Testing AoC|4.4.6 Logout and Browser Cache Management Testing]]<br>
| |
| | | |
− | 4.5 [[Session Management Testing AoC|Session Management Testing]] <br>
| + | [[Testing for authentication|'''4.5 Authentication Testing ''']] |
− | [[ Analysis_of_the_Session_Management_Schema_AoC|4.5.1 Analysis of the Session Management Schema]] <br>
| |
− | [[ Cookie and Session Token Manipulation AoC|4.5.2 Cookie and Session Token Manipulation]]<br>
| |
− | [[ Exposed Session Variables AoC|4.5.3 Exposed Session Variables ]]<br>
| |
− | [[ Session Riding AoC|4.5.4 Session Riding ]]<br>
| |
− | [[ HTTP Exploit AoC|4.5.5 HTTP Exploit ]]<br>
| |
| | | |
− | 4.6 [[Data Validation Testing AoC|Data Validation Testing]] <br>
| + | [[Testing for Authorization|'''4.6 Authorization Testing''']] |
− | [[Cross site scripting AoC|4.6.1 Cross site scripting]]<br>
| |
− | [[HTTP Methods and XST AoC|4.6.1.1 HTTP Methods and XST ]]<br>
| |
− | [[SQL Injection AoC|4.6.2 SQL Injection ]]<br>
| |
− | [[Stored Procedure Injection AoC|4.6.2.1 Stored procedure injection ]]<br>
| |
− | [[Oracle Testing AoC|4.6.2.2 Oracle Testing ]]<br>
| |
− | [[MySQL Testing AoC|4.6.2.3 MySQL Testing ]]<br>
| |
− | [[SQL Server Testing AoC|4.6.2.4 SQL Server Testing ]]<br>
| |
| | | |
− | [[ORM Injection Testing AoC|4.6.3 ORM Injection]]<br> | + | [[Testing for Session Management|'''4.7 Session Management Testing''']] |
− | [[LDAP Injection Testing AoC|4.6.4 LDAP Injection]]<br>
| |
− | [[XML Injection Testing AoC|4.6.5 XML Injection]]<br>
| |
− | [[SSI Injection Testing AoC|4.6.6 SSI Injection]]<br>
| |
− | [[XPath Injection Testing AoC|4.6.7 XPath Injection]]<br>
| |
− | [[IMAP/SMTP Injection Testing AoC|4.6.8 IMAP/SMTP Injection]]<br>
| |
− | [[Code Injection Testing AoC|4.6.9 Code Injection]]<br>
| |
− | [[OS Commanding Testing AoC|4.6.10 OS Commanding]]<br>
| |
| | | |
− | [[Buffer Overflow Testing AoC|4.6.11 Buffer overflow Testing ]]<br> | + | [[Testing for Input Validation|'''4.8 Input Validation Testing''']] |
− | [[Heap Overflow Testing AoC|4.6.11.1 Heap overflow ]]<br>
| |
− | [[Stack Overflow Testing AoC|4.6.11.2 Stack overflow ]]<br>
| |
− | [[Format String Testing AoC|4.6.11.3 Format string ]]<br>
| |
| | | |
− | [[Incubated Vulnerability Testing AoC|4.6.12 Incubated vulnerability testing]] <br> | + | [[Error Handling|'''4.9 Error Handling''']] |
| | | |
− | 4.7 [[Denial of Service Testing AoC|Denial of Service Testing]] <br>
| + | [[Cryptography|'''4.10 Cryptography''']] |
− | 4.7.1 Locking Customer Accounts <br>
| |
− | 4.7.2 Buffer Overflows <br>
| |
− | 4.7.3 User Specified Object Allocation <br>
| |
− | 4.7.4 User Input as a Loop Counter <br>
| |
− | 4.7.5 Writing User Provided Data to Disk <br>
| |
− | 4.7.6 Failure to Release Resources <br>
| |
− | 4.7.7 Storing too Much Data in Session <br>
| |
| | | |
− | 4.8 [[Web Services Testing AoC|Web Services Testing]] <br>
| + | [[Testing for business logic|'''4.11 Business Logic Testing ''']] |
− | 4.8.1 XML Structural Testing <br>
| |
− | 4.8.2 XML content-level Testing <br>
| |
− | 4.8.3 HTTP GET parameters/REST Testing <br>
| |
− | 4.8.4 Naughty SOAP attachments <br>
| |
− | 4.8.5 Replay Testing <br>
| |
| | | |
− | 4.9 [[AJAX Testing AoC|AJAX Testing]] <br>
| + | [[Client Side Testing|'''4.12 Client Side Testing''']] |
− | 4.9.1 AJAX Vulnerabilities <br> | |
− | 4.9.2 How to test AJAX <br>
| |
− | | |
− | | |
− | [[OWASP_Testing_Guide_v2_Table_of_Contents]]
| |
The following sections describe the 12 subcategories of the Web Application Penetration Testing Methodology: