OWASP Testing Guide v3 Startup
Planning the new OWASP Testing Guide v3
3rd October 2007: Startup v3
The OWASP Testing Guide v2 was a great success, with thousand download and many many Companies that have adopted it as standard for a Web Application Penetration Testing.
Now we would like to begin a new project that is based on v2 but improve it and complete it.
In the OWASP Testing Guide v2 we have split the set of tests in 8 sub-categories:
- Information Gathering
- Business logic testing
- Authentication Testing
- Session Management Testing
- Data Validation Testing
- Denial of Service Testing
- Web Services Testing
- AJAX Testing
The following are my thoughts about the new OWASP Testing Guide v3:
1) Authorization testing missing. As Jeff and Dave said many time before it's important to create a new category.
2) Information gathering is not a set of vulnerabilities. I think we can add a new category Infrastructural testing.
3) Web Services section needs improvement.
4) AJAX Testing section needs improvement.
5) New category: Client side Testing: nowadays in web 2.0 applications it's really important to test for client side vulnerabilities that can introduce new type of attacks: for example a XSS on flash movie loaded on the client (see the last work of Di Paola).
For each category we describe the v2 and the possible improvement.
- Application Fingerprint
- Application Discovery
- Spidering and googling
- Collection of error code
- SSL/TLS Testing
- DB Listener Testing
- File extensions handling
- Old, backup and unreferenced files