OWASP Autumn of Code 2006 - Projects: Testing Guide - Index

From OWASP
Jump to: navigation, search
This historical page is now part of the OWASP archive.
This page contains content that is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were once valid but may now link to sites or pages that no longer exist.
Please use the newer Edition(s) like OWASP Testing Guide
    Legend:
    Review: M.Meucci
    TD: Paragraph to be assigned

Frontispiece

  1. Copyright and License (100%, Review)
  2. Endorsements (100%, Review)
  3. Trademarks (100%, Review)

Introduction

  1. Performing An Application Security Review 0% TD
  2. Principles of Testing 0% TD
  3. Testing Techniques Explained 0% TD

The OWASP Testing Framework

3. The OWASP Testing Framework 20% (Review)
3.1. Overview
3.2. Phase 1 — Before Development Begins

  • Phase 1A: Policies and Standards Review
  • Phase 1B: Develop Measurement and Metrics Criteria (Ensure Traceability)

3.3. Phase 2: During Definition and Design

  • Phase 2A: Security Requirements Review
  • Phase 2B: Design an Architecture Review
  • Phase 2C: Create and Review UML Models
  • Phase 2D: Create and Review Threat Models

3.4. Phase 3: During Development

  • Phase 3A: Code Walkthroughs
  • Phase 3B: Code Reviews

3.5. Phase 4: During Deployment

  • Phase 4A: Application Penetration Testing
  • Phase 4B: Configuration Management Testing

3.6. Phase 5: Maintenance and Operations

  • Phase 5A: Conduct Operational Management Reviews
  • Phase 5B: Conduct Periodic Health Checks
  • Phase 5C: Ensure Change Verification

3.7. A Typical SDLC Testing Workflow

  • Figure 3: Typical SDLC Testing Workflow

3.8 Methodologies Used (Review)
3.8.1 The goal 50% TD
3.8.2 Overview of Approaches 50% TD
3.8.3 Security Requirements Review 0% TD
3.8.4 Security Architecture Review 0% TD
3.8.5 Code Review 50% TD
3.8.6 Automated Code Scanning 0% TD
3.8.7 Penetration Testing 50% TD
3.8.8 Automated Vulnerability Scanning 0% TD

Manual testing techniques

4.1 Introduction and objectives 0% TD
4.2 Information Gathering (spider, google) 0% TD
4.3 Business logic testing 50% TD

4.4 Authentication Testing 50% TD
4.4.1 Default or guessable (dictionary) user account 90% TD
4.4.2 Brute Force 0% TD
4.4.3 Bypassing authentication schema 0% TD
4.4.4 Vulnerable remember password and pwd reset 90% TD
4.4.5 Logout and account expiry 0% TD

4.5 Session Management Testing 0% TD
4.5.1 Cookie and Session token Manipulation(reg, forg/brute force) 100% Review
4.5.2 Weak session tokens 70% TD
4.5.3 Session Riding 100% Review
4.5.4 Exposed session variables 0% TD
4.5.5 HTTP Exploit 0% TD

4.6 Data Validation Testing 0% TD
4.6.1 Cross site scripting 0% TD
4.6.1.1 Incubated attacks 0% TD
4.6.1.2 Phishing (using javascript) 0% TD
4.6.1.3 HTTP Methods + XSS (TRACE) 0% TD
4.6.2 SQL Injection 0% TD
4.6.2.1 Oracle, mySQL, SQL Server, TeraData 0% TD
4.6.2.2 Extended stored procedures 0% TD
4.6.2.3 Stored procedure injection 0% TD
4.6.2.4 Oracle +SQLServer ports and attacks 0% TD
4.6.2.5 Listener attacks etc. 1521 1433 1527 0% TD
4.6.3 Orm injection 0% TD
4.6.4 Ldap injection 0% TD
4.6.5 Xml injection 0% TD
4.6.6 Code injection 0% TD
4.6.7 Buffer overflow Testing 100% Review
4.6.7.1 Heap overflow 100% Review
4.6.7.2 Stack overflow 100% Review
4.6.7.3 Format string 100% Review

4.7 Denial of Service Testing 95% Review
4.7.1 Locking Customer Accounts 100% Review
4.7.2 Buffer Overflows 100% Review
4.7.3 User Specified Object Allocation 100% Review
4.7.4 User Input as a Loop Counter 100% Review
4.7.5 Writing User Provided Data to Disk 100% Review
4.7.6 Failure to Release Resources 100% Review
4.7.7 Storing too Much Data in Session 90% Review

4.8 Infrastructure and configuration Testing 0% TD
4.8.1 Intro and objective 0% TD
4.8.2 Infrastructure configuration management testing 100% TD
4.8.3 Application configuration management testing 100% TD
4.8.4 Old, backup and unreferenced files 100% TD
4.8.5 File extensions handling 90% TD
4.8.6 Analisys of error code 50% TD
4.8.7 SSL/TLS Testing: support of weak ciphers and cert validity 100% TD
4.8.8 Testing defense from Automatic attacks (maybe a duplicate) 10% TD

4.9 Web Services Testing 0% TD
4.9.1 XML Structural Attacks 0% TD
4.9.2 XML content-level attacks 0% TD
4.9.3 HTTP GET parameters/REST attacks 0% TD
4.9.4 Naughty SOAP attachments 0% TD
4.9.5 Brute force attacks 0% TD

4.10 AJAX Testing 0% TD
4.10.1 Vulnerabilities 0% TD
4.10.2 How to test 0% TD

Writing Reports: value the real risk

5.1 How to value the real risk 0% TD
5.2 How to write the report of the testing 0% TD

Appendix A: Testing Tools

  1. Source Code Analyzers
         * Open Source / Freeware
         * Commercial 
  2. Black Box Scanners
         * Open Source
         * Commercial 
  3. Other Tools
         * Runtime Analysis
         * Binary Analysis
         * Requirements Management 

Appendix B: Suggested Reading

  1. Whitepapers
  2. Books
  3. Articles
  4. Useful Websites
  5. OWASP — http://www.owasp.org 

Appendix C: Fuzz Vectors



Version 0.1 (October 4th)

Paragraph___________________________________________________|__State___|___Action___|___Author___


1 Frontispiece

  2.1 Copyright and License                                        100%      Review	
  2.2 Endorsements	                                            100%      Review
  2.3 Trademarks 	                                            100%      Review	

2. Introduction

  1. Performing An Application Security Review                       0%        TD
  2. Principles of Testing                                           0%        TD
  3. Testing Techniques Explained                                    0%        TD

3. Methodologies Used (Review)

  3.1 The goal	                                                     50%	TD
  3.2 Overview of Approaches	                                     50%	TD
  3.3 Security Requirements Review	                              0%	TD
  3.4 Security Architecture Review	                              0%	TD
  3.5 Code Review	                                             50%	TD
  3.6 Automated Code Scanning	                                      0%	TD
  3.7 Penetration Testing	                                     50%	TD
  3.8 Automated Vulnerability Scanning	                              0%	TD

4. Finding Specific Issues In a Non-Technical Manner (Review)

  4.1. Threat Modeling Introduction	                              0%	TD
  4.2. Design Reviews	                                              0%	TD
  4.3. Threat Modeling the Application	                              0%	TD
  4.4. Policy Reviews	                                              0%	TD
  4.5. Requirements Analysis	                                      0%	TD
  4.6. Developer Interviews and Interaction 	                      0%	TD

5. Finding Specific Vulnerabilities Using Source Code Review

  5.1 For code review please see the OWASP Code Review Project

6. Manual testing techniques (Review)

  6.1 Introduction and objectives	                              0%	TD
  6.2 Information Gathering (spider, google)                         0%	TD
  6.3 Business logic testing                                        50%	TD
  6.4 Authentication Testing	                                     50%        TD
  6.4.1 Default or guessable (dictionary) user account              90%        TD
  6.4.2 Brute Force                                                  0%        TD
  6.4.3 Bypassing authentication schema                              0%        TD
  6.4.4 Vulnerable remember password and pwd reset                  90%        TD
  6.4.5 Logout and account expiry	                              0%        TD
  6.5 Session Management Testing                                     0%        TD
  6.5.1 Cookie and Session token Manipulation 
           (regeneration, forging/brute force)	                    100%       Review    
  6.5.2 Weak session tokens	                                     70%        TD
  6.5.3 Session Riding	                                            100%       Review
  6.5.4 Exposed session variables	                              0%        TD
  6.5.5 HTTP Exploit                                                 0%        TD
  6.6 Data Validation Testing                                        0%        TD		
  6.6.1 Cross site scripting                                         0%        TD
  6.6.1.1 Incubated attacks                                          0%        TD
  6.6.1.2 Phishing (using javascript)                                0%        TD
  6.6.1.3  HTTP Methods + XSS (TRACE)                                0%        TD
  6.6.2 SQL Injection                                                0%        TD
  6.6.2.1 Oracle, mySQL, SQL Server, TeraData                        0%        TD	
  6.6.2.2 Extended stored procedures                                 0%        TD
  6.6.2.3 Stored procedure injection                                 0%        TD
  6.6.2.4 Oracle +SQLServer ports and attacks                        0%        TD
  6.6.2.5 Listener attacks etc. 1521 1433 1527                       0%        TD
  6.6.3 Orm injection                                                0%        TD
  6.6.4 Ldap injection                                               0%        TD
  6.6.5 Xml injection                                                0%        TD
  6.6.6 Code injection                                               0%        TD
  6.7 Denial of Service Testing                                     95%        Review
  6.7.1 Locking Customer Accounts                                  100%        Review
  6.7.2 Buffer Overflows                                           100%        Review		
  6.7.3 User Specified Object Allocation                           100%        Review		
  6.7.4 User Input as a Loop Counter                               100%        Review
  6.7.5 Writing User Provided Data to Disk                         100%        Review
  6.7.6 Failure to Release Resources                               100%        Review
  6.7.7 Storing too Much Data in Session                            90%        Review
  6.8 Buffer overflow Testing                                      100%        Review		
  6.8.1 Heap overflow	                                            100%        Review
  6.8.2 Stack overflow                                             100%        Review
  6.8.3 Format string                                              100%        Review
  6.9 Infrastructure and configuration Testing                       0%         TD
   6.9.1 Intro and objective                                         0%         TD
   6.9.2 Infrastructure configuration management testing           100%         TD
   6.9.3 Application configuration management testing              100%         TD
   6.9.4 Old, backup and unreferenced files                        100%         TD	
   6.9.5 File extensions handling		                     90%         TD
   6.9.6 Analisys of error code                                     50%         TD		
   6.9.7 SSL/TLS Testing: support of weak                          100%         TD
             ciphers and certificate validity		
   6.9.8 Testing defense from Automatic                             10%         TD
             Attacks (maybe a duplicate)		
  6.10 Web Services Testing                                          0%         TD
  6.10.1 XML Structural Attacks                                      0%	TD
  6.10.2 XML content-level attacks	                              0%	TD
  6.10.3 HTTP GET parameters/REST attacks	                      0%	TD
  6.10.4 Naughty SOAP attachments	                              0%	TD
  6.10.5 Brute force attacks	                                      0%	TD
  6.11 AJAX Testing                                                  0%	TD
  6.11.1 Vulnerabilities	                                      0%	TD
  6.11.2  How to test	                                              0%	TD


7. The OWASP Testing Framework 95% (Review)

  7.1. Overview
  7.2. Phase 1 — Before Development Begins
         * Phase 1A: Policies and Standards Review
         * Phase 1B: Develop Measurement and Metrics Criteria 
           (Ensure Traceability) 
  7.3. Phase 2: During Definition and Design
         * Phase 2A: Security Requirements Review
         * Phase 2B: Design an Architecture Review
         * Phase 2C: Create and Review UML Models
         * Phase 2D: Create and Review Threat Models 
  7.4. Phase 3: During Development
         * Phase 3A: Code Walkthroughs
         * Phase 3B: Code Reviews 
  7.5. Phase 4: During Deployment
         * Phase 4A: Application Penetration Testing
         * Phase 4B: Configuration Management Testing 
  7.6. Phase 5: Maintenance and Operations
         * Phase 5A: Conduct Operational Management Reviews
         * Phase 5B: Conduct Periodic Health Checks
         * Phase 5C: Ensure Change Verification 
  7.7. A Typical SDLC Testing Workflow
         * Figure 3: Typical SDLC Testing Workflow. 

Appendix A: Testing Tools 95% (Review)

  1. Source Code Analyzers
         * Open Source / Freeware
         * Commercial 
  2. Black Box Scanners
         * Open Source
         * Commercial 
  3. Other Tools
         * Runtime Analysis
         * Binary Analysis
         * Requirements Management 

Appendix B: Suggested Reading 95% (Review)

  1. Whitepapers
  2. Books
  3. Articles
  4. Useful Websites
  5. OWASP — http://www.owasp.org 

Appendix C: Fuzz Vectors 95% (Review)