(18 intermediate revisions by 6 users not shown) |
Line 1: |
Line 1: |
− | [[Testing: Introduction and objectives|'''4.1 Introduction and objectives''']]
| + | {{Template:OWASP Testing Guide v4}} |
| | | |
− | [[Testing: Information Gathering|'''4.2 Information Gathering''']]
| + | The following sections describe the 12 subcategories of the Web Application Penetration Testing Methodology: |
| | | |
− | [[Testing for Web Application Fingerprint|4.2.1 Testing Web Application Fingerprint]] | + | [[Testing: Introduction and objectives|'''4.1 Introduction and Objectives''']] |
| | | |
− | [[Testing for Application Discovery|4.2.2 Application Discovery]] | + | [[Testing Information Gathering|'''4.2 Information Gathering ''']] |
| | | |
− | [[Testing: Spidering and googling|4.2.3 Spidering and googling]] | + | [[Testing for configuration management|'''4.3 Configuration and Deployment Management Testing ''']] |
| | | |
− | [[Testing for Error Code|4.2.4 Analysis of error codes]] | + | [[Testing Identity Management|'''4.4 Identity Management Testing''']] |
| | | |
− | [[Testing for infrastructure configuration management|4.2.5 Infrastructure | + | [[Testing for authentication|'''4.5 Authentication Testing ''']] |
− | configuration management testing]]
| |
| | | |
− | [[Testing for SSL-TLS|4.2.5.1 SSL/TLS Testing]] | + | [[Testing for Authorization|'''4.6 Authorization Testing''']] |
| | | |
− | [[Testing for DB Listener|4.2.5.2 DB Listener Testing]] | + | [[Testing for Session Management|'''4.7 Session Management Testing''']] |
| | | |
− | [[Testing for application configuration management|4.2.6 Application configuration management testing]] | + | [[Testing for Input Validation|'''4.8 Input Validation Testing''']] |
| | | |
− | [[Testing for file extensions handling|4.2.6.1 Testing for file extensions handling]] | + | [[Error Handling|'''4.9 Error Handling''']] |
| | | |
− | [[Testing for old_file|4.2.6.2 Old, backup and unreferenced files]] | + | [[Cryptography|'''4.10 Cryptography''']] |
| | | |
− | [[Testing for business logic|'''4.3 Business logic testing''']] | + | [[Testing for business logic|'''4.11 Business Logic Testing ''']] |
| | | |
− | [[Testing for authentication|'''4.4 Authentication Testing''']] | + | [[Client Side Testing|'''4.12 Client Side Testing''']] |
− | | |
− | [[Testing for Default or Guessable User Account|4.4.1 Testing for guessable (dictionary) user account]]
| |
− | | |
− | [[Testing for Brute Force|4.4.2 Brute Force Testing]]
| |
− | | |
− | [[Testing for Bypassing Authentication Schema|4.4.3 Testing for bypassing authentication schema]]
| |
− | | |
− | [[Testing for Directory Traversal|4.4.4 Testing for directory traversal/file include]]
| |
− | | |
− | [[Testing for Vulnerable Remember Password and Pwd Reset|4.4.5 Testing for vulnerable remember
| |
− | password and pwd reset]]
| |
− | | |
− | [[Testing for Logout and Browser Cache Management|4.4.6 Testing for Logout and Browser Cache Management Testing]]
| |
− | | |
− | [[Testing for Session Management|'''4.5 Session Management Testing''']]
| |
− | | |
− | [[Testing for Session_Management_Schema|4.5.1 Testing for Session Management Schema]]
| |
− | | |
− | [[Testing for Cookie and Session Token Manipulation|4.5.2 Testing for Cookie and Session Token Manipulation]]
| |
− | | |
− | [[Testing for Exposed Session Variables|4.5.3 Testing for Exposed Session Variables ]]
| |
− | | |
− | [[Testing for CSRF|4.5.4 Testing for CSRF]]
| |
− | | |
− | [[Testing for HTTP Exploit|4.5.5 Testing for HTTP Exploit ]]
| |
− | | |
− | [[Testing for Data Validation|'''4.6 Data Validation Testing''']]
| |
− | | |
− | [[Testing for Cross site scripting|4.6.1 Testing for Cross Site Scripting]]
| |
− | | |
− | [[Testing for HTTP Methods and XST|4.6.1.1 Testing for HTTP Methods and XST ]]
| |
− | | |
− | [[Testing for SQL Injection|4.6.2 Testing for SQL Injection ]]
| |
− | | |
− | [[Testing for Oracle|4.6.2.1 Oracle Testing ]]
| |
− | | |
− | [[Testing for MySQL|4.6.2.2 MySQL Testing ]]
| |
− | | |
− | [[Testing for SQL Server|4.6.2.3 SQL Server Testing]]
| |
− | | |
− | [[Testing for LDAP Injection|4.6.3 Testing for LDAP Injection]]
| |
− | | |
− | [[Testing for ORM Injection|4.6.4 Testing for ORM Injection]]
| |
− | | |
− | [[Testing for XML Injection|4.6.5 Testing for XML Injection]]
| |
− | | |
− | [[Testing for SSI Injection|4.6.6 Testing for SSI Injection]]
| |
− | | |
− | [[Testing for XPath Injection|4.6.7 Testing for XPath Injection]]
| |
− | | |
− | [[Testing for IMAP/SMTP Injection|4.6.8 IMAP/SMTP Injection]]
| |
− | | |
− | [[Testing for Code Injection|4.6.9 Testing for Code Injection]]
| |
− | | |
− | [[Testing for Command Injection|4.6.10 Testing for Command Injection]]
| |
− | | |
− | [[Testing for Buffer Overflow|4.6.11 Testing for Buffer overflow]]
| |
− | | |
− | [[Testing for Heap Overflow|4.6.11.1 Testing for Heap overflow]]
| |
− | | |
− | [[Testing for Stack Overflow|4.6.11.2 Testing for Stack overflow]]
| |
− | | |
− | [[Testing for Format String|4.6.11.3 Testing for Format string]]
| |
− | | |
− | [[Testing for Incubated Vulnerability|4.6.12 Testing for incubated vulnerabilities]]
| |
− | | |
− | [[Testing for Denial of Service|'''4.7 Testing for Denial of Service''']]
| |
− | | |
− | [[Testing for DoS Locking Customer Accounts|4.7.1 Testing for DoS Locking Customer Accounts]]
| |
− | | |
− | [[Testing for DoS Buffer Overflows|4.7.2 Testing for DoS Buffer Overflows]]
| |
− | | |
− | [[Testing for DoS User Specified Object Allocation|4.7.3 Testing for DoS User Specified Object Allocation]]
| |
− | | |
− | [[Testing for User Input as a Loop Counter|4.7.4 Testing for User Input as a Loop Counter]]
| |
− | | |
− | [[Testing for Writing User Provided Data to Disk|4.7.5 Testing for Writing User Provided Data to Disk]]
| |
− | | |
− | [[Testing for DoS Failure to Release Resources|4.7.6 Testing for DoS Failure to Release Resources]]
| |
− | | |
− | [[Testing for Storing too Much Data in Session|4.7.7 Testing for Storing too Much Data in Session]]
| |
− | | |
− | [[Testing for Web Services|'''4.8 Web Services Testing''']]
| |
− | | |
− | [[Testing for XML Structural|4.8.1 XML Structural Testing]]
| |
− | | |
− | [[Testing for XML Content-Level|4.8.2 XML Content-level Testing]]
| |
− | | |
− | [[Testing for WS HTTP GET parameters/REST attacks|4.8.3 HTTP GET parameters/REST Testing ]]
| |
− | | |
− | [[Testing for Naughty SOAP Attachments|4.8.4 Testing for Naughty SOAP attachments]]
| |
− | | |
− | [[Testing for WS Replay|4.8.5 WS Replay Testing]]
| |
− | | |
− | [[Testing_for_AJAX:_introduction|'''4.9 AJAX Testing''']]
| |
− | | |
− | [[Testing for AJAX Vulnerabilities|4.9.1 AJAX Vulnerabilities]]
| |
− | | |
− | [[Testing for AJAX|4.9.2 How to test AJAX]]
| |
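Review bot: the per-test links are lost in this hunk: the right-hand column keeps only the 12 top-level category links, while the removed left-hand entries carried the full subsection outline (4.2.1 to 4.2.6 under Information Gathering, 4.4.1 to 4.4.6 under Authentication, 4.5.1 to 4.5.5 under Session Management, 4.6.1 to 4.6.12 under Data Validation, plus the 4.7.x, 4.8.x and 4.9.x entries), so a reader can no longer reach individual tests such as `[[Testing for SQL Injection|4.6.2 Testing for SQL Injection ]]` or `[[Testing for CSRF|4.5.4 Testing for CSRF]]` from this page; either nest the per-test links under their new categories or state that each category page carries its own sub-list. Two smaller points: the 4.2 target changed from `[[Testing: Information Gathering|...]]` to `[[Testing Information Gathering|...]]` (colon dropped) while 4.1 still links `Testing: Introduction and objectives`, so confirm the new target page exists rather than leaving a red link; and the bold link text for 4.2, 4.3, 4.5 and 4.11 has a trailing space inside the quotes (`'''4.2 Information Gathering '''`) that should be trimmed.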
The following sections describe the 12 subcategories of the Web Application Penetration Testing Methodology: