Transcription of Testing Guide 4 - OWASP
1 GuideProject Leaders: Matteo Meucci and Andrew Muller Creative Commons (CC) Attribution Share-AlikeFree version at 2 The Open web application Security Project ( OWASP ) is a worldwide free and open com-munity focused on improving the security of application software. Our mission is to make application security visible , so that people and organizations can make informed decisions about application security risks. Every one is free to participate in OWASP and all of our materials are available under a free and open software license. The OWASP Foundation is a 501c3 not-for-profit charitable organization that ensures the ongoing availability and support for our work. THE ICONS BELOW REPRESENT WHAT OTHER VERSIONS ARE AVAILABLE IN PRINT FOR THIS BOOK : Alpha Quality book content is a working draft. Content is very rough and in development until the next level of publishing.
2 BETA: Beta Quality book content is the next highest level. Content is still in development until the next publishing. RELEASE: Release Quality book content is the highest level of quality in a book title s lifecycle, and is a final product. To Share - to copy, distribute and transmit the workAttribution. You must attribute the work in the manner specified by the author or licensor (but not in any way that suggests that they endorse you or your use of the work). Share Alike. If you alter, transform, or build upon this work, you may distribute the resulting work only under the same, similar or a compatible license. To Remix - to adapt the work YOU ARE FREE:UNDER THE FOLLOWING CONDITIONS:ALPHABETARELEASEP roject Leaders: Matteo Meucci and Andrew Muller Foreword by Eoin KearyFrontispieceAbout the OWASP Testing Guide ProjectAbout The Open web application Security Project 3 - 45 - 6 Testing Guide Foreword - Table of contents01 IntroductionThe OWASP Testing ProjectPrinciples of TestingTesting Techniques ExplainedDeriving Security Test RequirementsSecurity Tests Integrated in Development and Testing WorkflowsSecurity Test Data Analysis and Reporting 7 - 212 The OWASP Testing FrameworkOverviewPhase 1: Before Development BeginsPhase 2: During Definition and DesignPhase 3: During DevelopmentPhase 4: During DeploymentPhase 5.
3 Maintenance and OperationsA Typical SDLC Testing Workflow 22 - 243 web application Security TestingIntroduction and ObjectivesTesting ChecklistInformation GatheringConduct Search Engine Discovery and Reconnaissance for Information Leakage (OTG-INFO-001)Fingerprint Web Server (OTG-INFO-002)Review Webserver Metafiles for Information Leakage (OTG-INFO-003)Enumerate applications on Webserver (OTG-INFO-004)Review Webpage Comments and Metadata for Information Leakage (OTG-INFO-005)Identify application entry points (OTG-INFO-006)Map execution paths through application (OTG-INFO-007)Fingerprint web application Framework (OTG-INFO-008)Fingerprint web application (OTG-INFO-009)Map Application Architecture (OTG-INFO-010)Configuration and Deployment Management TestingTest Network/Infrastructure Configuration (OTG-CONFIG-001)Test Application Platform Configuration (OTG-CONFIG-002)25 - 2074 Testing Guide Foreword - Table of contentsTest File Extensions Handling for Sensitive Information (OTG-CONFIG-003)Review Old, Backup and Unreferenced Files for Sensitive Information (OTG-CONFIG-004)Enumerate Infrastructure and Application Admin Interfaces (OTG-CONFIG-005)Test HTTP Methods (OTG-CONFIG-006)Test HTTP Strict Transport Security (OTG-CONFIG-007)Test RIA cross domain policy (OTG-CONFIG-008)Identity Management TestingTest Role Definitions (OTG-IDENT-001)Test User Registration Process (OTG-IDENT-002)Test Account Provisioning Process (OTG-IDENT-003) Testing for Account Enumeration and Guessable User Account (OTG-IDENT-004) Testing for Weak or unenforced username policy (OTG-IDENT-005)Authentication TestingTesting for Credentials Transported over an Encrypted Channel (OTG-AUTHN-001) Testing for default credentials (OTG-AUTHN-002) Testing for Weak lock out mechanism (OTG-AUTHN-003)
4 Testing for bypassing authentication schema (OTG-AUTHN-004)Test remember password functionality (OTG-AUTHN-005) Testing for Browser cache weakness (OTG-AUTHN-006) Testing for Weak password policy (OTG-AUTHN-007) Testing for Weak security question/answer (OTG-AUTHN-008) Testing for weak password change or reset functionalities (OTG-AUTHN-009) Testing for Weaker authentication in alternative channel (OTG-AUTHN-010)Authorization TestingTesting Directory traversal/file include (OTG-AUTHZ-001) Testing for bypassing authorization schema (OTG-AUTHZ-002) Testing for Privilege Escalation (OTG-AUTHZ-003) Testing for Insecure Direct Object References (OTG-AUTHZ-004)Session Management TestingTesting for Bypassing Session Management Schema (OTG-SESS-001) Testing for Cookies attributes (OTG-SESS-002) Testing for Session Fixation (OTG-SESS-003) Testing for Exposed Session Variables (OTG-SESS-004) Testing for Cross Site Request Forgery (CSRF) (OTG-SESS-005) Testing for logout functionality (OTG-SESS-006)Test Session Timeout (OTG-SESS-007) Testing for Session puzzling (OTG-SESS-008)Input Validation TestingTesting for Reflected Cross Site Scripting (OTG-INPVAL-001) Testing for Stored Cross Site Scripting (OTG-INPVAL-002) Testing for HTTP Verb Tampering (OTG-INPVAL-003) Testing for HTTP Parameter pollution (OTG-INPVAL-004) Testing for SQL Injection (OTG-INPVAL-005)Oracle TestingMySQL TestingSQL Server TestingTesting PostgreSQL (from OWASP BSP)MS Access Testing3 Testing Guide Foreword - Table of contentsTesting for NoSQL injectionTesting for LDAP Injection (OTG-INPVAL-006) Testing for ORM Injection (OTG-INPVAL-007) Testing for XML Injection (OTG-INPVAL-008) Testing for SSI Injection (OTG-INPVAL-009) Testing for XPath Injection (OTG-INPVAL-010)IMAP/SMTP Injection (OTG-INPVAL-011) Testing for Code Injection (OTG-INPVAL-012)
5 Testing for Local File InclusionTesting for Remote File InclusionTesting for Command Injection (OTG-INPVAL-013) Testing for Buffer overflow (OTG-INPVAL-014) Testing for Heap overflowTesting for Stack overflowTesting for Format stringTesting for incubated vulnerabilities (OTG-INPVAL-015) Testing for HTTP Splitting/Smuggling (OTG-INPVAL-016) Testing for Error HandlingAnalysis of Error Codes (OTG-ERR-001)Analysis of Stack Traces (OTG-ERR-002) Testing for weak CryptographyTesting for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection (OTG-CRYPST-001) Testing for Padding Oracle (OTG-CRYPST-002) Testing for Sensitive information sent via unencrypted channels (OTG-CRYPST-003)Business Logic TestingTest Business Logic Data Validation (OTG-BUSLOGIC-001)Test Ability to Forge Requests (OTG-BUSLOGIC-002)Test Integrity Checks (OTG-BUSLOGIC-003)Test for Process Timing (OTG-BUSLOGIC-004)Test Number of Times a Function Can be Used Limits (OTG-BUSLOGIC-005) Testing for the Circumvention of Work Flows (OTG-BUSLOGIC-006)Test Defenses Against Application Mis-use (OTG-BUSLOGIC-007)Test Upload of Unexpected File Types (OTG-BUSLOGIC-008)Test Upload of Malicious Files (OTG-BUSLOGIC-009)Client Side TestingTesting for DOM based Cross Site Scripting (OTG-CLIENT-001) Testing for JavaScript Execution (OTG-CLIENT-002) Testing for HTML Injection (OTG-CLIENT-003) Testing for Client Side URL Redirect (OTG-CLIENT-004) Testing for CSS Injection (OTG-CLIENT-005) Testing for Client Side Resource Manipulation (OTG-CLIENT-006)Test Cross Origin Resource Sharing (OTG-CLIENT-007) Testing for Cross Site Flashing (OTG-CLIENT-008) Testing for Clickjacking (OTG-CLIENT-009) Testing WebSockets (OTG-CLIENT-010)Test Web Messaging (OTG-CLIENT-011)Test Local Storage (OTG-CLIENT-012) 4 Testing Guide Foreword - Table of contentsReportingAppendix A.
6 Testing ToolsBlack Box Testing ToolsAppendix B: Suggested ReadingWhitepapersBooksUseful WebsitesAppendix C: Fuzz VectorsFuzz CategoriesAppendix D: Encoded InjectionInput EncodingOutput Encoding208 - 22255 The problem of insecure software is perhaps the most important technical challenge of our time. The dramatic rise of web applications enabling business, social networking etc has only compounded the requirements to establish a robust approach to writing and securing our Internet, Web applications and Guide ForewordTesting Guide Foreword - By Eoin KearyForeword by Eoin Keary, OWASP Global BoardThe problem of insecure software is perhaps the most important technical challenge of our time. The dramatic rise of web appli-cations enabling business, social networking etc has only com-pounded the requirements to establish a robust approach to writ-ing and securing our Internet, Web applications and The Open web application Security Project ( OWASP ), we re trying to make the world a place where insecure software is the anomaly, not the norm.
7 The OWASP Testing Guide has an import-ant role to play in solving this serious issue. It is vitally important that our approach to Testing software for security issues is based on the principles of engineering and science. We need a consis-tent, repeatable and defined approach to Testing web applications . A world without some minimal standards in terms of engineering and technology is a world in goes without saying that you can t build a secure application without performing security Testing on it. Testing is part of a wider approach to building a secure system. Many software develop-ment organizations do not include security Testing as part of their standard software development process. What is even worse is that many security vendors deliver Testing with varying degrees of quality and Testing , by itself, isn t a particularly good stand alone measure of how secure an application is, because there are an in-finite number of ways that an attacker might be able to make an application break, and it simply isn t possible to test them all.
8 We can t hack ourselves secure and we only have a limited time to test and defend where an attacker does not have such conjunction with other OWASP projects such as the Code review Guide , the Development Guide and tools such as OWASP ZAP, this is a great start towards building and maintaining secure applica-tions. The Development Guide will show your project how to archi-tect and build a secure application, the Code Review Guide will tell you how to verify the security of your application s source code, and this Testing Guide will show you how to verify the security of your running application. I highly recommend using these guides as part of your application security OWASP ?Creating a Guide like this is a huge undertaking, requiring the ex-pertise of hundreds of people around the world. There are many different ways to test for security flaws and this Guide captures the consensus of the leading experts on how to perform this test-ing quickly, accurately, and efficiently.
9 OWASP gives like minded security folks the ability to work together and form a leading prac-tice approach to a security importance of having this Guide available in a completely free and open way is important for the foundations mission. It gives anyone the ability to understand the techniques used to test for common security issues. Security should not be a black art or closed secret that only a few can practice. It should be open to all and not exclusive to security practitioners but also QA, Developers 6 Testing Guide Foreword - By Eoin Kearyand Technical Managers. The project to build this Guide keeps this expertise in the hands of the people who need it - you, me and anyone that is involved in building Guide must make its way into the hands of developers and software testers. There are not nearly enough application security experts in the world to make any significant dent in the overall problem.
10 The initial responsibility for application security must fall on the shoulders of the developers, they write the code. It shouldn t be a surprise that developers aren t producing secure code if they re not Testing for it or consider the types of bugs which introduce this information up to date is a critical aspect of this Guide project. By adopting the wiki approach, the OWASP community can evolve and expand the information in this Guide to keep pace with the fast moving application security threat Guide is a great testament to the passion and energy our members and project volunteers have for this subject. It shall cer-tainly help change the world a line of code at a and PrioritizingYou should adopt this Guide in your organization. You may need to tailor the information to match your organization s technologies, processes, and organizational general there are several different roles within organizations that may use this Guide : Developers should use this Guide to ensure that they are produc-ing secure code.
