OWASP Testing Guide v4 Table of Contents
This project is part of the OWASP Breakers community.
Feel free to browse other projects within the Defenders, Builders, and Breakers communities.
This is the FINAL table of contents of the new Testing Guide v4.
At the moment the project is in the REVIEW phase.
You can download the stable version v3 here
Back to the OWASP Testing Guide Project: http://www.owasp.org/index.php/OWASP_Testing_Project
Updated: 1st April 2014
Table of Contents
2.1 The OWASP Testing Project
2.2 Principles of Testing
2.3 Testing Techniques Explained
2.4 Deriving Security Test Requirements
2.5 Security Tests Integrated in Development and Testing Workflows
2.6 Security Test Data Analysis and Reporting
3.2 Phase 1: Before Development Begins
3.3 Phase 2: During Definition and Design
3.4 Phase 3: During Development
3.5 Phase 4: During Deployment
3.6 Phase 5: Maintenance and Operations
3.7 A Typical SDLC Testing Workflow
- Black Box Testing Tools
- Useful Websites
- Fuzz Categories
- Input Encoding
- Output Encoding
CONFIGURATION AND DEPLOYMENT MANAGEMENT TESTING:
4.3.7 Testing for Database credentials/connection strings available (OTG-CONFIG-007) formerly "Testing for Database credentials/connection strings available (OWASP-CM-007)"
4.3.8 Test Content Security Policy (OTG-CONFIG-008) formerly "Testing for Content Security Policy weakness (OWASP-CM-008)"
AUTHORIZATION TESTING:
4.6.6 Testing for Failure to Restrict access to authorized resource (OTG-AUTHZ-006) formerly "Testing for Failure to Restrict access to authorized resource (OWASP-AZ-005)"
4.6.7 Test privileges of server components (OTG-AUTHZ-007) (e.g. indexing service, reporting interface, file generator)
4.6.8 Test enforcement of application entry points (OTG-AUTHZ-008) (including exposure of objects)
4.6.9 Testing for failure to restrict access to authenticated resource (OTG-AUTHZ-009) formerly "Testing for failure to restrict access to authenticated resource (OWASP-AT-010)"
SESSION MANAGEMENT TESTING:
DATA VALIDATION TESTING:
4.8.5 Testing for Unvalidated Redirects and Forwards (OTG-INPVAL-005) formerly "Testing for Unvalidated Redirects and Forwards (OWASP-DV-004)"
4.10.1 Testing for Insecure encryption usage (OTG-CRYPST-001) formerly "Testing for Insecure encryption usage (OWASP-EN-001)"
[Dropped: merge into "Test Ability to Forge Requests" as an example] 4.12.3 Testing for Forged Requests Using Predictive Parameters (OTG-BUSLOGIC-003) [New!]
4.12.3 Test Integrity Checks (OTG-BUSLOGIC-003) (e.g. overwriting updates)
DENIAL OF SERVICE TESTING:
4.13.1 Test Regular Expression DoS (OTG-DOS-001) [New!] - [note: topic needs to be better understood before writing]
4.13.2 Test XML DoS (OTG-DOS-002) [New! - Andrew Muller]
4.13.3 Testing for CAPTCHA (OTG-DOS-003) formerly "Testing for CAPTCHA (OWASP-AT-012)"
4.13.4 Test excessive rate (speed) of use limits (OTG-DOS-004) [New!]- [Moved from Business Logic, formerly OTG-BUSLOGIC-006]
4.13.5 Test size of request limits (OTG-DOS-005) [New!] - [Moved from Business Logic, formerly OTG-BUSLOGIC-008]
WEB SERVICES TESTING:
4.14 Web Service Testing [Tom Eston]
4.14.1 Scoping a Web Service Test (OTG-WEBSVC-001) formerly "Scoping a Web Service Test (OWASP-WS-001)"
4.14.2 WS Information Gathering (OTG-WEBSVC-002) formerly "WS Information Gathering (OWASP-WS-002)"
4.14.3 WS Authentication Testing (OTG-WEBSVC-003) formerly "WS Authentication Testing (OWASP-WS-003)"
4.14.4 WS Management Interface Testing (OTG-WEBSVC-004) formerly "WS Management Interface Testing (OWASP-WS-004)"
4.14.5 Weak XML Structure Testing (OTG-WEBSVC-005) formerly "Weak XML Structure Testing (OWASP-WS-005)"
4.14.6 XML Content-Level Testing (OTG-WEBSVC-006) formerly "XML Content-Level Testing (OWASP-WS-006)"
4.14.7 WS HTTP GET Parameters/REST Testing (OTG-WEBSVC-007) formerly "WS HTTP GET Parameters/REST Testing (OWASP-WS-007)"
4.14.8 WS Naughty SOAP Attachment Testing (OTG-WEBSVC-008) formerly "WS Naughty SOAP Attachment Testing (OWASP-WS-008)"
4.14.9 WS Replay/MiTM Testing (OTG-WEBSVC-009) formerly "WS Replay/MiTM Testing (OWASP-WS-009)"
4.14.10 WS BPEL Testing (OTG-WEBSVC-010) formerly "WS BPEL Testing (OWASP-WS-010)"
4.11 Logging - [note: not convinced Logging should be included, as it requires access to logs to test]
4.11.1 Test time synchronisation (OTG-LOG-001) formerly "Incorrect Time"