OWASP Testing Guide v4 Table of Contents

This is DRAFT of the table of content of the New Testing Guide v4. You can download the stable version here

Back to the OWASP Testing Guide Project: http://www.owasp.org/index.php/OWASP_Testing_Project

Updated: 31st August 2012

'''Contributors List

The following are the main improvements we have to realize:

(1) - Add new testing techniques and OWASP Top10 update: - Testing for HTTP Verb tampering - Testing for HTTP Parameter Pollutions - Testing for URL Redirection - Testing for Insecure Direct Object References - Testing for Insecure Cryptographic Storage - Testing for Failure to Restrict URL Access - Testing for Insufficient Transport Layer Protection - Testing for Unvalidated Redirects and Forwards. (2) - Review and improve all the sections in v3, (3) - Create a more readable guide, eliminating some sections that are not really useful, Rationalize some sections as Session Management Testing.

(4) Pavol says: - add new opensource testing tools that appeared during last 3 years (and are missing in the OWASP Testing Guide v3)

- add few useful and life-scenarios of possible vulnerabilities in Bussiness Logic Testing (many testers have no idea what vulnerabilities in Business Logic exactly mean)

- "Brute force testing" of "session ID" is missing in "Session Management Testing", describe other tools for Session ID entropy analysis (e.g. Stompy)

- in "Data Validation Testing" describe some basic obfuscation methods for malicious code injection including the statements how it is possible to detect it (web application obfuscation is quite succesfull in bypassing many data validation controls)

- split the phase Logout and Browser Cache Management" into two sections The following is a DRAFT of the Toc based on the feedback already received.

Foreword by OWASP Chair
[To review--> OWASP Chair]

1. Frontispiece
[To review--> Mat]

1.1 About the OWASP Testing Guide Project [To review--> Mat]

1.2 About The Open Web Application Security Project [To review--> ]

2. Introduction
2.1 The OWASP Testing Project

2.2 Principles of Testing

2.3 Testing Techniques Explained

2.4 Security requirements test derivation,functional and non functional test requirements, and test cases through use and misuse cases

2.5 Security test data analysis and reporting: root cause identification and business/role case test data reporting

3. The OWASP Testing Framework
3.1. Overview

3.2. Phase 1: Before Development Begins 

3.3. Phase 2: During Definition and Design

3.4. Phase 3: During Development

3.5. Phase 4: During Deployment

3.6. Phase 5: Maintenance and Operations

3.7. A Typical SDLC Testing Workflow 

4. Web Application Penetration Testing
4.1 Introduction and Objectives [To review--> Mat]

4.1.1 Testing Checklist [To review at the end of brainstorming --> Mat]

4.2 Information Gathering  [To review--> contributor here]

4.3 Configuration and Deploy Management Testing 

Infrastructure Configuration management weakness Application Configuration management weakness File extensions handling Old, backup and unreferenced files Access to Admin interfaces Bad HTTP Methods enabled, [new] Informative Error Messages Database credentials/connection strings available

4.4 Authentication Testing 

Credentials transport over an unencrypted channel [Robert Winkel] User enumeration (also Guessable user account) [Robert Winkel] Default passwords [Robert Winkel] Weak lock out mechanism [New! - Robert Winkel] Account lockout DoS [New! - Robert Winkel] Bypassing authentication schema Vulnerable remember password [Robert Winkel] Browser cache weakness [New!] Weak password policy [New! - Robert Winkel] Weak username policy [New! - Robert Winkel] Weak security question/answer [New! - Robert Winkel] Failure to restrict access to authenticated resource [New!] Weak password change function [New! - Robert Winkel] Testing for CAPTCHA

4.5 Session Management Testing

Bypassing Session Management Schema Weak Session Token Cookies are set not ‘HTTP Only’, ‘Secure’, and no time validity Exposed sensitive session variables CSRF Session passed over http [New!] Session token within URL [New!] Session Fixation Session token not removed on server after logout [New!] Persistent session token [New!] Session token not restrcited properly (such as domain or path not set properly) [New!] Logout function not properly implemented

4.6 Authorization Testing

Bypassing authorization schema Directory traversal/file include [Juan Galiana] Privilege Escalation Insecure Direct Object References Failure to Restrict access to authorized resource [New!]

4.7 Business Logic Testing (OWASP-BL-001) [To review--> contributor here] Business Logic

4.8 Data Validation Testing

Reflected XSS Stored XSS HTTP Verb Tampering [Brad Causey] HTTP Parameter pollution [Brad Causey] Unvalidated Redirects and Forwards [Brad Causey] SQL Injection [Brad Causey] LDAP Injection ORM Injection XML Injection SSI Injection XPath Injection SOAP Injection IMAP/SMTP Injection Code Injection OS Commanding Buffer overflow Incubated vulnerability HTTP Splitting/Smuggling

Testing for Data Encryption (New!)

Application did not use encryption Weak SSL/TSL Ciphers, Insufficient Transport Layer Protection Cacheable HTTPS Response Cache directives insecure Insecure Cryptographic Storage [mainly CR Guide] Sensitive information sent via unencrypted channels

XML Interpreter? (New!)

Weak XML Structure XML content-level WS HTTP GET parameters/REST WS Naughty SOAP attachments WS Replay Testing

Client Side Testing (New!)

DOM XSS Cross Site Flashing ClickHijacking

5. Writing Reports: value the real risk
5.1 How to value the real risk [To review--> contributor here]

5.2 How to write the report of the testing [To review--> contributor here]

Appendix A: Testing Tools

 * Black Box Testing Tools [To review--> Amro. We need only tools fo webapp testing]

Appendix B: Suggested Reading

 * Whitepapers [To review--> contributor here]
 * Books [To review--> contributor here]
 * Useful Websites [To review--> contributor here]

Appendix C: Fuzz Vectors

 * Fuzz Categories [To review--> contributor here]

Appendix D: Encoded Injection
[To review--> contributor here]