OWASP Testing Guide v4 Table of Contents

Revision as of 12:31, 5 October 2012 by Mmeucci (talk | contribs) (4. Web Application Penetration Testing)

Jump to: navigation, search

This is DRAFT of the table of content of the New Testing Guide v4.

You can download the stable version here

Back to the OWASP Testing Guide Project: http://www.owasp.org/index.php/OWASP_Testing_Project

Updated: 5th October 2012

Contributors List

The following is a DRAFT of the Toc based on the feedback already received.

Table of Contents

Foreword by OWASP Chair

[To review--> OWASP Chair]

1. Frontispiece

[To review--> Mat]

1.1 About the OWASP Testing Guide Project [To review--> Mat]

1.2 About The Open Web Application Security Project [To review--> ]

2. Introduction

2.1 The OWASP Testing Project

2.2 Principles of Testing

2.3 Testing Techniques Explained

2.4 Security requirements test derivation,functional and non functional test requirements, and test cases through use and misuse cases

2.5 Security test data analysis and reporting: root cause identification and business/role case test data reporting

3. The OWASP Testing Framework

3.1. Overview

3.2. Phase 1: Before Development Begins

3.3. Phase 2: During Definition and Design

3.4. Phase 3: During Development

3.5. Phase 4: During Deployment

3.6. Phase 5: Maintenance and Operations

3.7. A Typical SDLC Testing Workflow

4. Web Application Penetration Testing

4.1 Introduction and Objectives [To review--> Mat]

4.1.1 Testing Checklist [To review at the end of brainstorming --> Mat]

4.2 Information Gathering [To review--> contributor here]

4.3 Configuration and Deploy Management Testing

Testing for Infrastructure Configuration management weakness
Testing for Application Configuration management weakness
File extensions handling
Old, backup and unreferenced files
Access to Admin interfaces
Bad HTTP Methods enabled, [new - Abian Blome]
Informative Error Messages
Database credentials/connection strings available
Missing or weakly defined for Content Security Policy[New!]
Missing HSTS header[New!]
Missing or weakly defined RIA policy files[New!]
Incorrect time[New!]
Unpatched components and libraries (e.g. JavaScript libraries)[New!]
Test data in production systems (and vice versa)[New!]

4.4 Authentication Testing

4.4.1 Testing for Credentials transport over an encrypted channel (OWASP-AT-001) [Robert Winkel]

4.4.2 Testing for user enumeration and guessable user account (OWASP-AT-002) [Robert Winkel]

4.4.3 Testing for default credentials

4.4.4 Testing for Weak lock out mechanism [New! - Robert Winkel]

> Account lockout DoS [New! - Robert Winkel - we can put it in the 4.4.4]

4.4.5 Testing for bypassing authentication schema (OWASP-AT-005)

4.4.6 Testing for vulnerable remember password and pwd reset functionalities (OWASP-AT-006) [Robert Winkel]

4.4.7 Testing for Browser cache weakness [New! - Abian Blome]

4.4.8 Testing for Weak password policy [New! - Robert Winkel]

4.4.9 Testing for Weak or unenforced username policy [New! - Robert Winkel]

> Weak security question/answer [New! - Robert Winkel - MAT Note: same as AT-006]

4.4.10 Testing for failure to restrict access to authenticated resource [New!]

Testing for weak password change function [New! - Robert Winkel]

4.4.8 Testing for CAPTCHA (OWASP-AT-012)

> Weaker authentication in alternative channel (e.g. mobile app, IVR, help desk) [New!: MAT Note: to explain better the kind of test to perform please]

4.5 Session Management Testing

Bypassing Session Management Schema
Weak Session Token
Cookies are set not ‘HTTP Only’, ‘Secure’, and no time validity
Exposed sensitive session variables
Session passed over http [New!]
Session token within URL [New!]
Session Fixation
Session token not removed on server after logout [New!]
Persistent session token [New!]
Session token not restricted properly (such as domain or path not set properly) [New! - Abian Blome]
Logout function not properly implemented
Session puzzling[New! - Abian Blome]
Missing user-viewable log of authentication events[New!]

4.6 Authorization Testing

Bypassing authorization schema
Directory traversal/file include [Juan Galiana]
Privilege Escalation [Irene Abezgauz]
Insecure Direct Object References [Irene Abezgauz]
Failure to Restrict access to authorized resource [New!]
Server component has excessive privileges (e.g. indexing service, reporting interface, file generator)[New!]
Lack of enforcement of application entry points (including exposure of objects)[New!]

4.7 Business Logic Testing (OWASP-BL-001) [To review--> contributor here] Business Logic

Business logic data validation[New!]
Ability to forge requests[New!]
Lack of integrity checks (e.g. overwriting updates) [New!]
Lack of tamper evidence[New!]
Use of untrusted time source[New!]
Lack of limits to excessive rate (speed) of use[New!]
Lack of limits to size of request[New!]
Lack of limit to number of times a function can be used[New!]
Bypass of correct sequence[New!]
Missing user-viewable log of actvity[New!]
Self-hosted payment cardholder data processing[New!]
Lack of security incident reporting information[New!]
Defenses against application mis-use[New!]

4.8 Data Validation Testing

Reflected XSS
Stored XSS
HTTP Verb Tampering [Brad Causey]
HTTP Parameter pollution [Brad Causey]
Unvalidated Redirects and Forwards [Brad Causey]
SQL Injection [Brad Causey]
LDAP Injection
ORM Injection
XML Injection
SSI Injection
XPath Injection
SOAP Injection
IMAP/SMTP Injection
Code Injection
NoSQL injection[New!]
OS Commanding [Juan Galiana]
Buffer overflow
Incubated vulnerability
HTTP Splitting/Smuggling [Juan Galiana]
Regular expression DoS[New!]

Testing for Data Encryption (New!)

[[Testing for Insecure encryption usage | x.x.1
x.x.2 Testing for Weak SSL/TSL Ciphers, Insufficient Transport Layer Protection (OWASP-EN-002) --> [[Testing for Cacheable HTTPS Response | x.x.3 Testing for Cacheable HTTPS Response
Cache directives insecure
--> Testing for Insecure Cryptographic Storage [put in x.x.1]
[[Testing for Sensitive information sent via unencrypted channels | x.x.4

XML Interpreter? (New!)

Testing for Weak XML Structure Testing for XML content-level WS HTTP GET parameters/REST WS Naughty SOAP attachments WS Replay Testing

Client Side Testing (New!)

Testing for DOM Based XSS
Testing for HTML5 [Juan Galiana]
Testing for Cross Site Flashing
Testing for ClickHijacking

5. Writing Reports: value the real risk

5.1 How to value the real risk [To review--> contributor here]

5.2 How to write the report of the testing [To review--> contributor here]

Appendix A: Testing Tools

  • Black Box Testing Tools [To review--> Amro. We need only tools fo webapp testing]

Appendix B: Suggested Reading

  • Whitepapers [To review--> contributor here]
  • Books [To review--> contributor here]
  • Useful Websites [To review--> contributor here]

Appendix C: Fuzz Vectors

  • Fuzz Categories [To review--> contributor here]

Appendix D: Encoded Injection

[To review--> contributor here]