OWASP Testing Guide Table of Contents

Frontispiece

 * 1) Copyright and License
 * 2) Endorsements
 * 3) Trademarks

Introduction

 * 1) Performing An Application Security Review
 * 2) Principles of Testing
 * 3) Testing Techniques Explained

Methodologies Used

 * 1) Secure application design
 * 2) Code Review (See the code review project)
 * 3) *Overview
 * 4) *Advantages and Disadvantages
 * 5) Penetration Testing
 * 6) *Overview
 * 7) *Advantages and Disadvantages
 * 8) The Need for a Balanced Approach
 * 9) A Note about Web Application Scanners
 * 10) A Note about Static Source Code Review Tools

Finding Specific Issues In a Non-Technical Manner

 * 1) Threat Modeling Introduction
 * 2) Design Reviews
 * 3) Threat Modeling the Application
 * 4) Policy Reviews
 * 5) Requirements Analysis
 * 6) Developer Interviews and Interaction

Finding Specific Vulnerabilities Using Source Code Review

 * 1) Gathering the information
 * 2) *Context, Context, Context
 * 3) *The Checklist
 * 4) *The Code Base
 * 5) *Transactional Analysis
 * 6) Source code examples
 * 7) Authentication & Authorisation
 * 8) *How to locate the potentially vulnerable code
 * 9) Buffer Overruns and Overflows
 * 10) *How to locate the potentially vulnerable code
 * 11) *Vulnerable Patterns for buffer overflows
 * 12) *Good Patterns & procedures to prevent buffer overflows
 * 13) Data Validation
 * 14) *Canonicalization of input
 * 15) **Data validation strategy
 * 16) *Good Patterns for Data validation
 * 17) **Framework Example
 * 18) *Data validation of parameter names
 * 19) *Web services data validation
 * 20) Error, Exception handling & Logging
 * 21) *Releasing resources and good housekeeping
 * 22) OS Injection
 * 23) SQL Injection
 * 24) *How to Locate potentially vulnerable code
 * 25) *Best practices when dealing with DBs
 * 26) Threat Modeling
 * 27) *Overview
 * 28) *Advantages and Disadvantages
 * 29) **Advantages
 * 30) **Disadvantage

Manual testing techniques

 * 1) Business logic testing
 * 2) Authentication
 * 3) *Default or guessable user accounts
 * 4) **Causes
 * 5) **Blackbox Testing
 * 6) **Manual
 * 7) **Suggested Tools
 * 8) **Whitebox Testing
 * 9) **Further Reading
 * 10) Cookie manipulation
 * 11) *Short Description of Issue
 * 12) *How to Test
 * 13) *Black Box
 * 14) *Cookie reverse engineering
 * 15) *Cookie manipulation
 * 16) *Brute force
 * 17) **Cookie predictability
 * 19) *Overflow
 * 20) *White Box
 * 21) *Examples
 * 22) *Whitepapers
 * 23) *Tools
 * 24) Weak Session Tokens
 * 25) *Blackbox Testing
 * 26) *Manual
 * 27) *Suggested Tools
 * 28) *Whitebox Testing
 * 29) *Further Reading
 * 30) Session riding
 * 31) *How to Test
 * 32) *Black Box
 * 33) *White Box
 * 34) *References
 * 35) *Examples
 * 36) *Whitepapers
 * 37) *Tools
 * 38) Vulnerable remember password implementation
 * 39) *Blackbox Testing
 * 40) *Manual
 * 41) *Suggested Tools
 * 42) *Whitebox Testing
 * 43) *Further Reading
 * 44) Weak Password Self-Reset Testing
 * 45) *Blackbox Testing
 * 46) *Manual
 * 47) Default or Guessable User Accounts and Empty Passwords
 * 48) *Blackbox Testing
 * 49) *Manual
 * 50) *Suggested Tools
 * 51) *Whitebox Testing
 * 52) *Further Reading
 * 53) Application Layer Denial of Service (DoS) Attacks
 * DoS: Locking Customer Accounts
 * 1) *Black Box Testing
 * 2) *White Box Testing
 * DoS: Buffer Overflows
 * 1) *Code Example
 * 2) *Testing Black Box
 * 3) *Testing White Box
 * DoS: User Specified Object Allocation
 * 1) *Code Example
 * 2) *Testing Black Box
 * 3) *Testing White Box
 * DoS: User Input as a Loop Counter
 * 1) *Code Example
 * 2) *Testing Black Box
 * 3) *Testing White Box
 * 4) *DoS: Writing User Provided Data to Disk
 * 5) *Testing Black Box
 * 6) *Testing White Box
 * DoS: Failure to Release Resources
 * 1) *Code Example
 * 2) *Testing Black Box
 * 3) *Testing White Box
 * DoS: Storing too Much Data in Session
 * 1) *Testing Black Box
 * 2) *Testing White Box
 * 3) *Other References
 * 4) Buffer Overflow
 * 5) *Buffer Overflow – Heap Overflow Vulnerability
 * 6) **How to Test
 * 7) **Black Box
 * 8) **White Box
 * 9) *Buffer Overflow – Stack Overflow Vulnerability
 * 10) *How to Test
 * 11) *Black Box
 * 12) *White Box
 * 13) *References
 * 14) *Examples
 * 15) *Whitepapers
 * 16) *Tools
 * 17) *Buffer Overflow – Format String Vulnerability
 * 18) **Black Box
 * 19) **White Box
 * 20) **References
 * 21) **Whitepapers
 * 22) **Tools
 * 23) Test and debug files
 * 24) *How to Test
 * 25) *Black Box
 * 26) *White Box
 * 27) *References
 * 28) *Examples
 * 29) *Whitepapers
 * 30) *Tools
 * 31) File extensions handling
 * 32) *How to Test
 * 33) *Black Box
 * 34) *White Box
 * 35) *References
 * 36) *Examples
 * 37) *Whitepapers
 * 38) *Tools
 * Old, backup and unreferenced files
 * 1) *Threats
 * 2) *Countermeasures
 * 3) *How to Test
 * 4) *Black Box
 * 5) *White Box
 * 6) **Tools
 * 7) Defense from Automatic Attacks
 * 8) *Blackbox Testing
 * 9) *Manual
 * 10) *Suggested Tools
 * 11) *Whitebox Testing
 * 12) *Further Reading
 * 13) *SSL usage during whole session (see recent post on Webappsec regarding this) [Yvan Boily (yboily@gmail.com)]
 * 14) Configuration Management Infrastructure
 * 15) *Review of the application architecture
 * 16) *Known server vulnerabilities
 * 17) *Administrative tools
 * 18) *Authentication back-ends
 * 19) *Configuration Management Application
 * 20) *Sample/known files and directories
 * 21) *Comment review
 * 22) *Configuration review
 * 23) *Logging
 * 24) *Log location
 * 25) *Log storage
 * 26) *Log rotation
 * 27) *Log review
 * 28) Sensitive data in URLs
 * 29) *Hashing sensitive data
 * 30) SSL / TLS cipher specifications and requirements for site
 * 31) *How to Test
 * 32) *Black Box
 * 33) *White Box
 * 34) **References
 * 35) *Examples
 * 36) *Whitepapers
 * 37) Tools
 * 38) How to Test
 * 39) *Black Box
 * 40) *White Box
 * 41) References
 * 42) *Examples
 * 43) *Whitepapers
 * 44) Tools
 * 45) *Language/Services/Application Specific Testing
 * 46) Web Services Security Testing
 * 47) *Notes
 * 48) *How to Test
 * 49) *Transport Layer Security
 * 50) *Message Layer Security
 * 51) *Application Layer Security
 * 52) *References
 * 53) *Examples
 * 54) *Whitepapers
 * 55) *Analyzing Results

The OWASP Testing Framework

 * 1) Overview
 * 2) Phase 1: Before Development Begins
 * 3) *Phase 1A: Policies and Standards Review
 * 4) *Phase 1B: Develop Measurement and Metrics Criteria (Ensure Traceability)
 * 5) Phase 2: During Definition and Design
 * 6) *Phase 2A: Security Requirements Review
 * 7) *Phase 2B: Design and Architecture Review
 * 8) *Phase 2C: Create and Review UML Models
 * 9) *Phase 2D: Create and Review Threat Models
 * 10) Phase 3: During Development
 * 11) *Phase 3A: Code Walkthroughs
 * 12) *Phase 3B: Code Reviews
 * 13) Phase 4: During Deployment
 * 14) *Phase 4A: Application Penetration Testing
 * 15) *Phase 4B: Configuration Management Testing
 * 16) Phase 5: Maintenance and Operations
 * 17) *Phase 5A: Conduct Operational Management Reviews
 * 18) *Phase 5B: Conduct Periodic Health Checks
 * 19) *Phase 5C: Ensure Change Verification
 * 20) A Typical SDLC Testing Workflow
 * 21) *Figure 3: Typical SDLC Testing Workflow.

Appendix A: Testing Tools

 * 1) Source Code Analyzers
 * 2) Open Source / Freeware
 * 3) *Commercial
 * 4) Black Box Scanners
 * 5) *Open Source
 * 6) *Commercial
 * 7) Other Tools
 * 8) *Runtime Analysis
 * 9) *Binary Analysis
 * 10) *Requirements Management

Appendix B: Suggested Reading

 * 1) Whitepapers
 * 2) Books
 * 3) Articles
 * 4) Useful Websites
 * 5) OWASP — http://www.owasp.org

Figures

 * 1) Figure 1: Proportion of Test Effort in SDLC.
 * 2) Figure 2: Proportion of Test Effort According to Test Technique.
 * 3) Figure 3: Typical SDLC Testing Workflow.