OWASP Autumn of Code 2006 - Projects: Testing Guide - Index

Version 0.1 (October 4th)

1. Frontispiece
   1. Copyright and License
   2. Endorsements
   3. Trademarks

2. Introduction
   1. Performing An Application Security Review
   2. Principles of Testing
   3. Testing Techniques Explained

3. Methodologies Used
   3.1 The goal
   3.2 Overview of Approaches
   3.3 Security Requirements Review
   3.4 Security Architecture Review
   3.5 Code Review
   3.6 Automated Code Scanning
   3.7 Penetration Testing
   3.8 Automated Vulnerability Scanning

4. Finding Specific Issues In a Non-Technical Manner
   4.1. Threat Modeling Introduction
   4.2. Design Reviews
   4.3. Threat Modeling the Application
   4.4. Policy Reviews
   4.5. Requirements Analysis
   4.6. Developer Interviews and Interaction

5. Finding Specific Vulnerabilities Using Source Code Review
   5.1 For code review please see the OWASP Code Review Project

6. Manual testing techniques
   6.1 Introduction and objectives
   6.2 Business logic testing

   6.3 Authentication
      6.3.1 Default or guessable (dictionary) user account
      6.3.2 Brute Force
      6.3.3 Bypassing authentication schema
      6.3.4 Vulnerable remember password and password reset
      6.3.5 Logout and account expiry

   6.4 Session Management
      6.4.1 Cookie and Session token Manipulation (regeneration, forging/brute force)
      6.4.2 Weak session tokens
      6.4.3 Session Riding
      6.4.2 Exposed session variables
      6.4.3 HTTP Exploit

   6.5 Data Validation
      6.5.1 Cross site scripting
         6.5.1.1 Incubated attacks
         6.5.1.2 Phishing (using java script)
         6.5.1.3 HTTP Methods + XSS (TRACE)
      6.5.2 SQL Injection
         6.5.2.1 Oracle, mySQL, SQL Server, TeraData
         6.5.2.2 Extended stored procedures
         6.5.2.3 Stored procedure injection
         6.5.2.4 Oracle + SQL Server ports and attacks
         6.5.2.5 Listener attacks etc. (1521, 1433, 1527)
      6.5.3 ORM injection
      6.5.4 LDAP injection
      6.5.5 XML injection
      6.5.6 Code injection

   6.6 Denial of Service
      6.6.1 Locking Customer Accounts
      6.6.2 Buffer Overflows
      6.6.3 User Specified Object Allocation
      6.6.4 User Input as a Loop Counter
      6.6.5 Writing User Provided Data to Disk
      6.6.6 Failure to Release Resources
      6.6.7 Storing too Much Data in Session

   6.7 Buffer overflow
      6.7.1 Heap overflow
      6.7.2 Stack overflow
      6.7.3 Format string

   6.8 Infrastructure and configuration
      6.8.1 Intro and objective
      6.8.2 Application configuration management testing
      6.8.3 Old, backup and unreferenced files
      6.8.4 File extensions handling
      6.8.5 Analysis of error codes
      6.8.5 SSL/TLS Testing: support of weak ciphers and certificate validity
      6.8.6 Testing defense from Automatic Attacks (maybe a duplicate)

   6.9 Web Services
      6.9.1 XML Structural Attacks
      6.9.2 XML content-level attacks
      6.9.3 HTTP GET parameters/REST attacks
      6.9.4 Naughty SOAP attachments
      6.9.5 Brute force attacks

   6.10 AJAX
      6.10.1 Vulnerabilities
      6.10.2 How to test

7. The OWASP Testing Framework
   7.1. Overview
   7.2. Phase 1: Before Development Begins
      * Phase 1A: Policies and Standards Review
      * Phase 1B: Develop Measurement and Metrics Criteria (Ensure Traceability)
   7.3. Phase 2: During Definition and Design
      * Phase 2A: Security Requirements Review
      * Phase 2B: Design an Architecture Review
      * Phase 2C: Create and Review UML Models
      * Phase 2D: Create and Review Threat Models
   7.4. Phase 3: During Development
      * Phase 3A: Code Walkthroughs
      * Phase 3B: Code Reviews
   7.5. Phase 4: During Deployment
      * Phase 4A: Application Penetration Testing
      * Phase 4B: Configuration Management Testing
   7.6. Phase 5: Maintenance and Operations
      * Phase 5A: Conduct Operational Management Reviews
      * Phase 5B: Conduct Periodic Health Checks
      * Phase 5C: Ensure Change Verification
   7.7. A Typical SDLC Testing Workflow
      * Figure 3: Typical SDLC Testing Workflow

Appendix A: Testing Tools
   1. Source Code Analyzers
      * Open Source / Freeware
      * Commercial
   2. Black Box Scanners
      * Open Source
      * Commercial
   3. Other Tools
      * Runtime Analysis
      * Binary Analysis
      * Requirements Management

Appendix B: Suggested Reading
   1. Whitepapers
   2. Books
   3. Articles
   4. Useful Websites
   5. OWASP: http://www.owasp.org

Appendix C: Fuzz Vectors