Difference between revisions of "OWASP Testing Guide v3 Startup"

From OWASP
Line 14: Line 14:
 
* Web Services Testing  
 
* Web Services Testing  
 
* AJAX Testing
 
* AJAX Testing
 +
 +
The following are my thoughts about the new OWASP Testing Guide v3:
 +
 +
1) Authorization testing missing. As Jeff and Dave said many time before it's important to create a new category.
 +
2) Information gathering is not a set of vulnerabilities. I think we can add a new category Infrastructural testing
 +
3) Web Services section needs improvement
 +
4) AJAX Testing section needs improvement
 +
5) New category: Client side Testing  Di Paola & PdP (new category). Particular focus on flash testing
 +
 +
  
  
 
== Information Gathering ==
 
== Information Gathering ==
 
v2: <br>
 
v2: <br>
Application Fingerprint <br>
+
* Application Fingerprint <br>
Application Discovery <br>
+
* Application Discovery <br>
Spidering and googling <br>
+
* Spidering and googling <br>
Collection  of error code <br>
+
* Collection  of error code <br>
SSL/TLS Testing<br>
+
* SSL/TLS Testing<br>
DB Listener Testing<br>
+
* DB Listener Testing<br>
File extensions handling<br>
+
* File extensions handling<br>
Old, backup and unreferenced files <br>
+
* Old, backup and unreferenced files <br>
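
Review bot: the five points added after the "AJAX Testing" item are entered as consecutive plain lines starting "1)" to "5)", with no list markup and no blank lines between them, so MediaWiki will join them into a single paragraph. Mark them up as a numbered list with "#", in the same way this revision converts the Information Gathering items to "*" bullets. On those bulleted items the trailing `<br>` is now redundant and can be dropped, and point 5 repeats "new category" twice and leaves "Di Paola & PdP" without saying what their role is.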

Revision as of 14:57, 3 October 2007

Planning the new OWASP Testing Guide v3

3rd October 2007: Startup v3
The OWASP Testing Guide v2 was a great success, with thousands of downloads and many companies that have adopted it as a standard for web application penetration testing.
Now we would like to begin a new project that is based on v2 but improves and completes it.

In the OWASP Testing Guide v2 we split the set of tests into 8 sub-categories:

  • Information Gathering
  • Business logic testing
  • Authentication Testing
  • Session Management Testing
  • Data Validation Testing
  • Denial of Service Testing
  • Web Services Testing
  • AJAX Testing

The following are my thoughts about the new OWASP Testing Guide v3:

1) Authorization testing is missing. As Jeff and Dave have said many times before, it's important to create a new category.

2) Information gathering is not a set of vulnerabilities. I think we can add a new category: Infrastructural testing.

3) Web Services section needs improvement.

4) AJAX Testing section needs improvement.

5) New category: Client side Testing. Di Paola & PdP (new category). Particular focus on Flash testing.



Information Gathering

v2:

  • Application Fingerprint
  • Application Discovery
  • Spidering and googling
  • Collection of error code
  • SSL/TLS Testing
  • DB Listener Testing
  • File extensions handling
  • Old, backup and unreferenced files