OWASP Testing Guide Table of Contents

Frontispiece

 * 1) Copyright and License
 * 2) Endorsements
 * 3) Trademarks

Introduction

 * 1) Performing An Application Security Review
 * 2) Principles of Testing
 * 3) Testing Techniques Explained

Methodologies Used

 * 1) Secure application design
 * 2) Code Review (See the code review project)
 * 3) *Overview
 * 4) *Advantages and Disadvantages
 * 5) Penetration Testing
 * 6) *Overview
 * 7) *Advantages and Disadvantages
 * 8) The Need for a Balanced Approach
 * 9) A Note about Web Application Scanners
 * 10) A Note about Static Source Code Review Tools

Finding Specific Issues In a Non-Technical Manner

 * 1) Threat Modeling Introduction
 * 2) Design Reviews
 * 3) Threat Modeling the Application
 * 4) Policy Reviews
 * 5) Requirements Analysis
 * 6) Developer Interviews and Interaction

Finding Specific Vulnerabilities Using Source Code Review
Code review now has its own area; see the OWASP Code Review Project: http://www.owasp.org/index.php/Category:OWASP_Code_Review_Project

Manual testing techniques

 * 1) Business logic testing
 * 2) Authentication
 * 3) How to perform cookie manipulation test
 * 4) How to test for weak session tokens
 * 5) How to perform session riding test
 * 6) How to test for vulnerable remember password implementation
 * 7) How to test for default or guessable user accounts and empty passwords
 * 8) How to test for application layer Denial of Service (DoS) attacks
 * 9) DoS: Locking Customer Accounts
 * 10) DoS: Buffer Overflows
 * 11) DoS: User Specified Object Allocation
 * 12) DoS: User Input as a Loop Counter
 * 13) DoS: Writing User Provided Data to Disk
 * 14) DoS: Failure to Release Resources
 * 15) DoS: Storing too Much Data in Session
 * 16) Buffer Overflow
 * 17) Test and debug files
 * 18) File extensions handling
 * 19) Old, backup and unreferenced files
 * 20) Defense from Automatic Attacks
 * 21) Configuration Management Infrastructure
 * 22) Sensitive data in URLs
 * 23) SSL / TLS cipher specifications and requirements for site
 * 24) How to Test
 * 25) References
 * 26) Tools
 * 27) Web Services Security Testing

The OWASP Testing Framework

 * 1) Overview
 * 2) Phase 1: Before Development Begins
 * 3) *Phase 1A: Policies and Standards Review
 * 4) *Phase 1B: Develop Measurement and Metrics Criteria (Ensure Traceability)
 * 5) Phase 2: During Definition and Design
 * 6) *Phase 2A: Security Requirements Review
 * 7) *Phase 2B: Design and Architecture Review
 * 8) *Phase 2C: Create and Review UML Models
 * 9) *Phase 2D: Create and Review Threat Models
 * 10) Phase 3: During Development
 * 11) *Phase 3A: Code Walkthroughs
 * 12) *Phase 3B: Code Reviews
 * 13) Phase 4: During Deployment
 * 14) *Phase 4A: Application Penetration Testing
 * 15) *Phase 4B: Configuration Management Testing
 * 16) Phase 5: Maintenance and Operations
 * 17) *Phase 5A: Conduct Operational Management Reviews
 * 18) *Phase 5B: Conduct Periodic Health Checks
 * 19) *Phase 5C: Ensure Change Verification
 * 20) A Typical SDLC Testing Workflow
 * 21) *Figure 3: Typical SDLC Testing Workflow.

Appendix A: Testing Tools

 * 1) Source Code Analyzers
 * 2) Open Source / Freeware
 * 3) *Commercial
 * 4) Black Box Scanners
 * 5) *Open Source
 * 6) *Commercial
 * 7) Other Tools
 * 8) *Runtime Analysis
 * 9) *Binary Analysis
 * 10) *Requirements Management

Appendix B: Suggested Reading

 * 1) Whitepapers
 * 2) Books
 * 3) Articles
 * 4) Useful Websites
 * 5) OWASP — http://www.owasp.org

Figures

 * 1) Figure 1: Proportion of Test Effort in SDLC.
 * 2) Figure 2: Proportion of Test Effort According to Test Technique.
 * 3) Figure 3: Typical SDLC Testing Workflow.