Difference between revisions of "OWASP Testing Guide v3 Startup"

From OWASP

Revision as of 06:57, 8 April 2008

Planning the new OWASP Testing Guide v3

3rd October 2007: Startup v3
The OWASP Testing Guide v2 was a great success, with thousands of downloads and many companies that have adopted it as the standard for web application penetration testing.
Now we would like to begin a new project that is based on v2 but improves and completes it.

In the OWASP Testing Guide v2 we have split the set of tests in 8 sub-categories:

  • Information Gathering
  • Business Logic Testing
  • Authentication Testing
  • Session Management Testing
  • Data Validation Testing
  • Denial of Service Testing
  • Web Services Testing
  • AJAX Testing

The following are my thoughts about the new OWASP Testing Guide v3:

1) Authorization testing is missing. As Jeff and Dave have said many times before, it's important to create a new category.
2) Information gathering is not a set of vulnerabilities --> not in report --> new category: Passive mode
3) Business logic testing --> not in report --> Passive mode
4) Infrastructural test --> new category
5) Web Services section needs improvement
6) AJAX Testing section needs improvement
7) New category: Client side Testing. AJAX and Flash Testing


This document analyzes the OWASP Testing Guide v2 vulnerabilities and presents a plan for creating the new v3.