OWASP Testing Guide v4 Table of Contents

This is the table of content of the New Testing Guide v4 (DRAFT). You can download the stable version here

Back to the OWASP Testing Guide Project: http://www.owasp.org/index.php/OWASP_Testing_Project

Updated: 28th August 2012

The following are the main improvements we have to realize:

(1) - Inserting new testing techniques and OWASP Top10 update: - Testing for HTTP Verb tampering - Testing for HTTP Parameter Pollutions - Testing for URL Redirection - Testing for Insecure Direct - Testing for Object References - Testing for Insecure Cryptographic Storage - Testing for Failure to Restrict URL Access - Testing for Insufficient Transport Layer Protection - Testing for Unvalidated Redirects and Forwards.

(2) - Review and improve all the sections in v3,

(3) - Create a more readable guide, eliminating some sections that are not really useful, Rationalize some sections as Session Management Testing

T A B L E   o f    C O N T E N T S (DRAFT)

1. Frontispiece
1.1 About the OWASP Testing Guide Project

1.2 About The Open Web Application Security Project

2. Introduction
2.1 The OWASP Testing Project

2.2 Principles of Testing

2.3 Testing Techniques Explained

2.4 Security requirements test derivation,functional and non functional test requirements, and test cases through use and misuse cases

2.5 Security test data analysis and reporting: root cause identification and business/role case test data reporting

3. The OWASP Testing Framework
3.1. Overview

3.2. Phase 1: Before Development Begins 

3.3. Phase 2: During Definition and Design

3.4. Phase 3: During Development

3.5. Phase 4: During Deployment

3.6. Phase 5: Maintenance and Operations

3.7. A Typical SDLC Testing Workflow 

4. Web Application Penetration Testing
4.1 Introduction and Objectives [To review--> contributor here]

4.1.1 Testing Checklist [To review at the end of brainstorming --> Mat]

4.2 Information Gathering  [To review--> contributor here]

4.3 Configuration Management Testing  [To review--> contributor here]

4.4 Authentication Testing  [To review--> contributor here]

4.5 Session Management Testing [To review--> contributor here]

4.6 Authorization Testing [To review--> contributor here]

4.7 Business Logic Testing (OWASP-BL-001) [To review--> contributor here]

4.8 Data Validation Testing [To review--> contributor here]

4.9 Testing for Denial of Service [To review--> contributor here]

4.10 Web Services Testing [To review--> contributor here]

4.11 AJAX Testing [To review--> contributor here]

5. Writing Reports: value the real risk
5.1 How to value the real risk [To review--> contributor here]

5.2 How to write the report of the testing [To review--> contributor here]

Appendix A: Testing Tools

 * Black Box Testing Tools [To review--> contributor here]
 * Source Code Analyzers [To review--> contributor here]
 * Other Tools [To review--> contributor here]

Appendix B: Suggested Reading

 * Whitepapers [To review--> contributor here]
 * Books [To review--> contributor here]
 * Useful Websites [To review--> contributor here]

Appendix C: Fuzz Vectors

 * Fuzz Categories [To review--> contributor here]

Appendix D: Encoded Injection
[To review--> contributor here]