OWASP Testing Guide v2 Table of Contents

Updated 17th Nov, 16.00 GMT+1 Legend: xx%: Progress status of the paragraph Review: the paragraph need a review (Matteo Meucci) TD: Paragraph To Be Assigned

[OWASP Testing Guide AoC]

[Review Panel]

Frontispiece
1.1 About The Open Web Application Security Project (100%) 1.1.1 Overview (100%) 1.1.2 Structure (100%) 1.1.3 Licensing (100%) 1.1.4 Participation and Membership (100%) 1.1.5 Projects (100%) 1.1.6 OWASP Privacy Policy (100%) 1.2 About the OWASP Testing Guide Project 1.1 Copyright                                       (100%) 1.2 Editors	                                        (0%, Review) 1.3 Authors and Reviewers 	                        (0%, Review) 1.4 Revision History(0%, Review) 1.5 Trademarks(100%)

Introduction
2.1 The OWASP Testing Project                                      (100%) 2.2 Principles of Testing                                          (100%) 2.3 Testing Techniques Explained                                   (100%)

The OWASP Testing Framework
3.1. Overview                                       (100%) 3.2. Phase 1 — Before Development Begins (100%) 3.3. Phase 2: During Definition and Design(100%) 3.4. Phase 3: During Development(100%) 3.5. Phase 4: During Deployment(100%) 3.6. Phase 5: Maintenance and Operations(100%) 3.7. A Typical SDLC Testing Workflow (100%)

Web Application Penetration Testing
4.1 Introduction and objectives	                             (100%, Matteo Meucci)

4.2 Information Gathering                        (100%,	Carlo Pelliccioni) 4.2.1 Application Discovery (100%, Mauro Bregolin) 4.2.2 Spidering and googling                        (80%,	Tom Brennan, Tom Ryan) 4.2.3 Analysis of error codes                        (100%,	Carlo Pelliccioni) 4.2.4 Infrastructure configuration management testing                        (80%,	Review) 4.2.4.1 SSL/TLS Testing                        (100%,Mauro Bregolin) 4.2.4.2 DB Listener Testing                        (60%, Eoin Keary, Matteo Meucci) 4.2.5 Application configuration management testing                        (90%) 4.2.5.1 File extensions handling                        (80%,Mauro Bregolin) 4.2.5.2 Old, backup and unreferenced files                        (80%,Mauro Bregolin)

4.3 Business logic testing                                       (100%,Madhura Halasgikar)

4.4 Authentication Testing	                                    (100%,        Intro Meucci) 4.4.1 Default or guessable (dictionary) user account             (100%) 4.4.2 Brute Force                                                 (100%,Giorgio Fedon, Andrea Lombardini) 4.4.3 Bypassing authentication schema                             (100%,Giorgio Fedon, Andrea Lombardini) 4.4.4 Directory traversal/file include                            (100%, Luca Carettoni) 4.4.5 Vulnerable remember password and pwd reset                 (100%, Ralph M. Los,Alberto Revelli) 4.4.6 Logout and Browser Cache Management Testing                                  (100%,Alberto Revelli)

4.5 Session Management Testing                                       (95% intro,Glyn Geoghegan, Meucci) 4.5.1 Analysis of the Session Management Schema (90%, Meucci) 4.5.2 Cookie and Session token Manipulation (100%,Alberto Revelli, Matteo Meucci) 4.5.3 Exposed session variables	                             (90%,Meucci) 4.5.4 Session Riding (XSRF) (80%, Mauro Bregolin,Review) 4.5.5 HTTP Exploit                                                (0%, Arian J.Evans)

4.6 Data Validation Testing                                       (Intro 95% Meucci) 4.6.1 Cross site scripting (80%, Tom Brennan, Tom Ryan) 4.6.1.1 HTTP Methods and XST (100%, Alberto Revelli) 4.6.2 SQL Injection (100%, Alexander Kornbrust, Antonio Parata) 4.6.2.1 Stored procedure injection (40%,Gary Burns) 4.6.2.2 Oracle testing (0%,TD) 4.6.2.3 MySQL testing (100%, Stefano Di Paola) 4.6.2.4 SQL Server testing (95%,Ariel Waissbein) 4.6.3 LDAP Injection (95%,Stefano Di Paola) 4.6.4 ORM Injection (0%,Mark Roxberry) 4.6.5 XML Injection (100%,Antonio Parata, Stefano Di Paola) 4.6.6 SSI Injection (100%,Claudio Merloni, Review) 4.6.7 XPath Injection (90%, Antonio Parata, Alberto Revelli, Stefano Di Paola) 4.6.8 IMAP/SMTP Injection (100%, Vicente Aguilera) 4.6.9 Code Injection (70%, Mark Roxberry) 4.6.10 OS Commanding (70%, Gary Burns) 4.6.11 Buffer overflow Testing (100%) 4.6.11.1 Heap overflow (100%) 4.6.11.2 Stack overflow (100%) 4.6.11.3 Format string (100%) 4.6.12 Incubated vulnerability testing (95%,Ariel Waissbein, Laura Nuñez) 4.7 Denial of Service Testing                                    (100%) 4.7.1 Locking Customer Accounts 100%        Review 4.7.2 Buffer Overflows                                          (100%) 4.7.3 User Specified Object Allocation                          (100%) 4.7.4 User Input as a Loop Counter                              (100%) 4.7.5 Writing User Provided Data to Disk                       (100%) 4.7.6 Failure to Release Resources                              (100%) 4.7.7 Storing too Much Data in Session                           (100%)

4.8 Web Services Testing (100%,Eoin Keary, Mark Roxberry) 4.8.1 XML Structural Testing (100%) 4.8.2 XML content-level Testing (100%) 4.8.3 HTTP GET parameters/REST Testing (100%) 4.8.4 Naughty SOAP attachments	(95%) 4.8.5 Replay Testing      (90%)

4.9 AJAX Testing   (70%, Dan Cornell, Giorgio Fedon, Stefano Di Paola) 4.9.1 Vulnerabilities (60%, Anush Shetty) 4.9.2 How to test (60%)

Writing Reports: value the real risk
5.1 How to value the real risk	                             (50%, Daniel Cuthbert, Matteo Meucci, Sebastien Deleersnyder, Marco Morana) 5.2 How to write the report of the testing	                     (0%, Daniel Cuthbert, Tom Brennan, Tom Ryan)	TD

Appendix A: Testing Tools
(80%)
 * Black Box Testing Tools
 * Source Code Analyzers
 * Other Tools

Appendix B: Suggested Reading
(70%)
 * Whitepapers
 * Books
 * Articles
 * Useful Websites

Appendix C: Fuzz Vectors
(70%)