Example: biology

Testing Guide 4 - OWASP

GuideProject Leaders: Matteo Meucci and Andrew Muller Creative Commons (CC) Attribution Share-AlikeFree version at 2 The Open Web Application Security Project ( OWASP ) is a worldwide free and open com-munity focused on improving the security of application software. Our mission is to make application security visible , so that people and organizations can make informed decisions about application security risks. Every one is free to participate in OWASP and all of our materials are available under a free and open software license. The OWASP Foundation is a 501c3 not-for-profit charitable organization that ensures the ongoing availability and support for our work.

In conjunction with other OWASP projects such as the Code review Guide, the Development Guide and tools such as OWASP ZAP, this is a great start towards building and maintaining secure applica-tions. The Development Guide will show your project how to archi-tect and build a secure application, the Code Review Guide will tell

Fullscreen Download

Tags:

  Guide, Code, Review, Owasp, Code review guide

Information

Domain:

Source:

Link to this page:

Please notify us if you found a problem with this document:

Other abuse

Advertisement

Transcription of Testing Guide 4 - OWASP

1 GuideProject Leaders: Matteo Meucci and Andrew Muller Creative Commons (CC) Attribution Share-AlikeFree version at 2 The Open Web Application Security Project ( OWASP ) is a worldwide free and open com-munity focused on improving the security of application software. Our mission is to make application security visible , so that people and organizations can make informed decisions about application security risks. Every one is free to participate in OWASP and all of our materials are available under a free and open software license. The OWASP Foundation is a 501c3 not-for-profit charitable organization that ensures the ongoing availability and support for our work.

2 THE ICONS BELOW REPRESENT WHAT OTHER VERSIONS ARE AVAILABLE IN PRINT FOR THIS BOOK : Alpha Quality book content is a working draft. Content is very rough and in development until the next level of publishing. BETA: Beta Quality book content is the next highest level. Content is still in development until the next publishing. RELEASE: Release Quality book content is the highest level of quality in a book title s lifecycle, and is a final product. To Share - to copy, distribute and transmit the workAttribution.

3 You must attribute the work in the manner specified by the author or licensor (but not in any way that suggests that they endorse you or your use of the work). Share Alike. If you alter, transform, or build upon this work, you may distribute the resulting work only under the same, similar or a compatible license. To Remix - to adapt the work YOU ARE FREE:UNDER THE FOLLOWING CONDITIONS:ALPHABETARELEASEP roject Leaders: Matteo Meucci and Andrew Muller Foreword by Eoin KearyFrontispieceAbout the OWASP Testing Guide ProjectAbout The Open Web Application Security Project 3 - 45 - 6 Testing Guide Foreword - Table of contents01 IntroductionThe OWASP Testing ProjectPrinciples of TestingTesting Techniques ExplainedDeriving Security Test RequirementsSecurity Tests Integrated in Development and Testing WorkflowsSecurity Test Data Analysis and Reporting 7 - 212 The OWASP Testing FrameworkOverviewPhase 1: Before Development BeginsPhase 2: During Definition and DesignPhase 3.

4 During DevelopmentPhase 4: During DeploymentPhase 5: Maintenance and OperationsA Typical SDLC Testing Workflow 22 - 243 Web Application Security TestingIntroduction and ObjectivesTesting ChecklistInformation GatheringConduct Search Engine Discovery and Reconnaissance for Information Leakage (OTG-INFO-001)Fingerprint Web Server (OTG-INFO-002) review Webserver Metafiles for Information Leakage (OTG-INFO-003)Enumerate Applications on Webserver (OTG-INFO-004) review Webpage Comments and Metadata for Information Leakage (OTG-INFO-005)Identify application entry points (OTG-INFO-006)

5 Map execution paths through application (OTG-INFO-007)Fingerprint Web Application Framework (OTG-INFO-008)Fingerprint Web Application (OTG-INFO-009)Map Application Architecture (OTG-INFO-010)Configuration and Deployment Management TestingTest Network/Infrastructure Configuration (OTG-CONFIG-001)Test Application Platform Configuration (OTG-CONFIG-002)25 - 2074 Testing Guide Foreword - Table of contentsTest File Extensions Handling for Sensitive Information (OTG-CONFIG-003) review Old, Backup and Unreferenced Files for Sensitive Information (OTG-CONFIG-004)Enumerate Infrastructure and Application Admin Interfaces (OTG-CONFIG-005)Test HTTP Methods (OTG-CONFIG-006)Test HTTP Strict Transport Security (OTG-CONFIG-007)Test RIA cross domain policy (OTG-CONFIG-008)Identity Management TestingTest Role Definitions (OTG-IDENT-001)Test User Registration Process (OTG-IDENT-002)Test Account Provisioning Process (OTG-IDENT-003) Testing for Account Enumeration and Guessable User Account (OTG-IDENT-004) Testing for Weak or unenforced username policy (OTG-IDENT-005)

6 Authentication TestingTesting for Credentials Transported over an Encrypted Channel (OTG-AUTHN-001) Testing for default credentials (OTG-AUTHN-002) Testing for Weak lock out mechanism (OTG-AUTHN-003) Testing for bypassing authentication schema (OTG-AUTHN-004)Test remember password functionality (OTG-AUTHN-005) Testing for Browser cache weakness (OTG-AUTHN-006) Testing for Weak password policy (OTG-AUTHN-007) Testing for Weak security question/answer (OTG-AUTHN-008) Testing for weak password change or reset functionalities (OTG-AUTHN-009) Testing for Weaker authentication in alternative channel (OTG-AUTHN-010)Authorization TestingTesting Directory traversal/file include (OTG-AUTHZ-001) Testing for bypassing authorization schema (OTG-AUTHZ-002) Testing for Privilege Escalation (OTG-AUTHZ-003) Testing for Insecure Direct Object References (OTG-AUTHZ-004)Session Management TestingTesting for Bypassing Session Management Schema (OTG-SESS-001) Testing for Cookies attributes (OTG-SESS-002) Testing for Session Fixation (OTG-SESS-003) Testing for Exposed Session Variables (OTG-SESS-004)

7 Testing for Cross Site Request Forgery (CSRF) (OTG-SESS-005) Testing for logout functionality (OTG-SESS-006)Test Session Timeout (OTG-SESS-007) Testing for Session puzzling (OTG-SESS-008)Input Validation TestingTesting for Reflected Cross Site Scripting (OTG-INPVAL-001) Testing for Stored Cross Site Scripting (OTG-INPVAL-002) Testing for HTTP Verb Tampering (OTG-INPVAL-003) Testing for HTTP Parameter pollution (OTG-INPVAL-004) Testing for SQL Injection (OTG-INPVAL-005)Oracle TestingMySQL TestingSQL Server TestingTesting PostgreSQL (from OWASP BSP)MS Access Testing3 Testing Guide Foreword - Table of contentsTesting for NoSQL injectionTesting for LDAP Injection (OTG-INPVAL-006) Testing for ORM Injection (OTG-INPVAL-007) Testing for XML Injection (OTG-INPVAL-008) Testing for SSI Injection (OTG-INPVAL-009) Testing for XPath Injection (OTG-INPVAL-010)IMAP/SMTP Injection (OTG-INPVAL-011) Testing for code Injection (OTG-INPVAL-012) Testing for Local File InclusionTesting for Remote File InclusionTesting for Command Injection (OTG-INPVAL-013) Testing for Buffer overflow (OTG-INPVAL-014)

8 Testing for Heap overflowTesting for Stack overflowTesting for Format stringTesting for incubated vulnerabilities (OTG-INPVAL-015) Testing for HTTP Splitting/Smuggling (OTG-INPVAL-016) Testing for Error HandlingAnalysis of Error Codes (OTG-ERR-001)Analysis of Stack Traces (OTG-ERR-002) Testing for weak CryptographyTesting for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection (OTG-CRYPST-001) Testing for Padding Oracle (OTG-CRYPST-002) Testing for Sensitive information sent via unencrypted channels (OTG-CRYPST-003)Business Logic TestingTest Business Logic Data Validation (OTG-BUSLOGIC-001)Test Ability to Forge Requests (OTG-BUSLOGIC-002)Test Integrity Checks (OTG-BUSLOGIC-003)Test for Process Timing (OTG-BUSLOGIC-004)Test Number of Times a Function Can be Used Limits (OTG-BUSLOGIC-005) Testing for the Circumvention of Work Flows (OTG-BUSLOGIC-006)Test Defenses Against Application Mis-use (OTG-BUSLOGIC-007)Test Upload of Unexpected File Types (OTG-BUSLOGIC-008)Test Upload of Malicious Files (OTG-BUSLOGIC-009)Client Side TestingTesting for DOM based Cross Site Scripting (OTG-CLIENT-001)

9 Testing for JavaScript Execution (OTG-CLIENT-002) Testing for HTML Injection (OTG-CLIENT-003) Testing for Client Side URL Redirect (OTG-CLIENT-004) Testing for CSS Injection (OTG-CLIENT-005) Testing for Client Side Resource Manipulation (OTG-CLIENT-006)Test Cross Origin Resource Sharing (OTG-CLIENT-007) Testing for Cross Site Flashing (OTG-CLIENT-008) Testing for Clickjacking (OTG-CLIENT-009) Testing WebSockets (OTG-CLIENT-010)Test Web Messaging (OTG-CLIENT-011)Test Local Storage (OTG-CLIENT-012) 4 Testing Guide Foreword - Table of contentsReportingAppendix A: Testing ToolsBlack Box Testing ToolsAppendix B: Suggested ReadingWhitepapersBooksUseful WebsitesAppendix C: Fuzz VectorsFuzz CategoriesAppendix D: Encoded InjectionInput EncodingOutput Encoding208 - 22255 The problem of insecure software is perhaps the most important technical challenge of our time.

10 The dramatic rise of web applications enabling business, social networking etc has only compounded the requirements to establish a robust approach to writing and securing our Internet, Web Applications and Guide ForewordTesting Guide Foreword - By Eoin KearyForeword by Eoin Keary, OWASP Global BoardThe problem of insecure software is perhaps the most important technical challenge of our time. The dramatic rise of web appli-cations enabling business, social networking etc has only com-pounded the requirements to establish a r

Show more

Documents from same domain

Secure Development Lifecycle - OWASP

Secure Development Lifecycle - OWASP

owasp.org

OWASP Cheat-Sheet Series Manager ... Security Sprint Approach Every Sprint Approach Security Sprint Approach: Dedicated sprint focusing on application security. Stories implemented are security related. Code is reviewed. ... Planning the security testing phase

  Development, Sheet, Planning, Lifecycle, Teach, Sprint, Development lifecycle

Secure Coding Practices - Quick Reference Guide

Secure Coding Practices - Quick Reference Guide

owasp.org

Version 2.0 4 Software Security and Risk Principles Overview Building secure software requires a basic understanding of security principles. While a comprehensive review of security principles is beyond the scope of this guide, a quick overview is provided.

  Coding, Practices, Secure, Secure coding practices

Shellshock Vulnerability - OWASP

Shellshock Vulnerability - OWASP

owasp.org

root@owasp:~#echo “Bash is a Unix shell written for the GNU Project as a free software replacement for the Bourne shell (sh)” root@owasp:~#echo “Often installed as the system's default command-line interface”

  Bourne, The bourne

Cookie Security - OWASP

Cookie Security - OWASP

owasp.org

Nov 30, 2017 · –The security model has many weaknesses –Don’t build your application on false assumptions about cookie security –Application and framework developers should take advantage of new improvements to cookie security –Beware that not all browsers are using the same cookie recipe (yet)

  Security

Introduction to the OWASP Top Ten

Introduction to the OWASP Top Ten

owasp.org

Feb 09, 2020 · components Budget for ongoing maintenance for all software projects. A10 Insucient Logging & Monitoring Web Server Site A Web Browser sitea.com GET / X Y Site A Site B DOM + JS SIEM. A10 Insucient Logging & Monitoring You can’t react to attacks that you don’t know about. Logs are important for: Detecting incidents Understanding what happened

  Important, Component

NOSQL INJECTION - OWASP

NOSQL INJECTION - OWASP

owasp.org

4 . 2 SCOPE - DATABASES Database Type Ranking Document store 5. Key-value store 9. Key-value cache 23. Document store 26.

Attacking and Securing JWT - OWASP

Attacking and Securing JWT - OWASP

owasp.org

JWT Secret Brute Forcing RFC 7518 (JSON Web Algorithms) states that "A key of the same size as the hash output (for instance, 256 bits for "HS256") or larger MUST be used with this

OWASP Application Security Verification Standard 4.0-en

OWASP Application Security Verification Standard 4.0-en

owasp.org

OWASP Application Security Verification Standard 4.0 7 Frontispiece About the Standard The Application Security Verification Standard is a list of application security requirements or tests that can be used by architects, developers, testers, security professionals, tool vendors, and consumers to define, build, test and verify secure applications.

  Security, Standards

Cloud Security – An Overview

Cloud Security – An Overview

owasp.org

data centers Thus, your cloud provider could be working someplace you may never have heard of, such as The Dalles, Oregon, where power is cheap and fiber is plentiful, or just as easily ... "Cloud Computing Security: Raining On The Trendy New Parade," BlackHat USA 2009,

  Computing, Security, Cloud, Data, Cloud security, Cloud computing security

Software Assurance Maturity Model (SAMM)

Software Assurance Maturity Model (SAMM)

owasp.org

The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. The resources provided by SAMM will aid in: Evaluating an organization’s existing software security practices.

  Model, Assurance, Software, Maturity, Software assurance maturity model

Related documents

OWASP Web Application Penetration Checklist

OWASP Web Application Penetration Checklist

owasp.org

This check list is likely to become an Appendix to Part Two of the OWASP Testing framework along with similar check lists for source code review. The OASIS WAS Standard The issues identified in this check list are not ordered in a specific manner of importance or criticality. Several members of the OWASP Team are working on an XML standard to

  Code, Review, Oecd review, Owasp

Related search queries

OWASP, Code review