OWASP TESTING GUIDE
2008 V3.0
© 2002-2008 OWASP FoundationThis document is licensed under the Creative Commons Attribution-ShareAlike 3.0license. You must attribute your version tothe OWASP Testing or the OWASP Foundation.
2
Table of Contents
Foreword ..................................................................................................................................................................................... 7
Why OWASP? .......................................................................................................................................................................... 7
Tailoring and Prioritizing ......................................................................................................................................................... 7
The Role of Automated Tools.................................................................................................................................................. 8
Call to Action ........................................................................................................................................................................... 8
1. Frontispiece ............................................................................................................................................................................. 9
Welcome to the OWASP Testing Guide 3.0 ............................................................................................................................ 9
About The Open Web Application Security Project .............................................................................................................. 12
2. Introduction ........................................................................................................................................................................... 14
Principles of Testing .............................................................................................................................................................. 16
Testing Techniques Explained ............................................................................................................................................... 19
Security Requirements Test Derivation ................................................................................................................................ 25
3. The OWASP Testing Framework ............................................................................................................................................ 40
Overview ............................................................................................................................................................................... 40
Phase 1: Before Development Begins ................................................................................................................................... 41
Phase 2: During Definition and Design .................................................................................................................................. 41
Phase 3: During Development .............................................................................................................................................. 42
Phase 4: During Deployment ................................................................................................................................................ 43
Phase 5: Maintenance and Operations ................................................................................................................................. 44
4 Web Application Penetration Testing ..................................................................................................................................... 46
4.1 Introduction and objectives ............................................................................................................................................ 46
4.2 Information Gathering .................................................................................................................................................... 51
4.2.1 Testing: Spiders, robots, and Crawlers (OWASP-IG-001) ............................................................................................. 52
4.2.2 Search engine discovery/Reconnaissance (OWASP-IG-002) ........................................................................................ 54
4.2.3 Identify application entry points (OWASP-IG-003) ...................................................................................................... 56
4.2.4 Testing for Web Application Fingerprint (OWASP-IG-004) .......................................................................................... 59
OWASP Testing Guide v3.034.2.5 Application Discovery (OWASP-IG-005) ....................................................................................................................... 65
4.2.6 Analysis of Error Codes (OWASP-IG-006) ..................................................................................................................... 71
4.3 Configuration Management Testing ............................................................................................................................... 75
4.3.1 SSL/TLS Testing (OWASP-CM-001) ............................................................................................................................... 76
4.3.2 DB Listener Testing (OWASP-CM-002) ......................................................................................................................... 82
4.3.3 Infrastructure configuration management testing (OWASP-CM-003) ......................................................................... 86
4.3.4 Application configuration management testing (OWASP-CM-004) ............................................................................. 91
4.3.5 Testing for File extensions handling (OWASP-CM-005) ............................................................................................... 95
4.3.6 Old, backup and unreferenced files (OWASP-CM-006) ............................................................................................... 97
4.3.7 Infrastructure and Application Admin Interfaces (OWASP-CM-007) ......................................................................... 102
4.3.8 Testing for HTTP Methods and XST (OWASP-CM-008) .............................................................................................. 104
4.4 Authentication Testing .................................................................................................................................................. 109
4.4.1 Credentials transport over an encrypted channel (OWASP-AT-001) ........................................................................ 110
4.4.2 Testing for user enumeration (OWASP-AT-002) ........................................................................................................ 113
4.4.3 Default or guessable (dictionary) user account (OWASP-AT-003) ............................................................................. 117
4.4.4 Testing For Brute Force (OWASP-AT-004) .................................................................................................................. 120
4.4.5 Testing for Bypassing authentication schema (OWASP-AT-005) ............................................................................... 126
4.4.6 Testing for Vulnerable remember password and pwd reset (OWASP-AT-006) ......................................................... 131
4.4.7 Testing for Logout and Browser Cache Management (OWASP-AT-007) ................................................................... 133
4.4.8 Testing for Captcha (OWASP-AT-008) ........................................................................................................................ 138
4.4.9 Testing for Multiple factors Authentication (OWASP-AT-009) .................................................................................. 140
4.4.10 Testing for Race Conditions (OWASP-AT-010) ......................................................................................................... 144
4.5 Session Management Testing ....................................................................................................................................... 146
4.5.1 Testing for Session Management Schema (OWASP-SM-001) .................................................................................... 147
4.5.2 Testing for Cookies attributes (OWASP-SM-002) ....................................................................................................... 156
4.5.3 Testing for Session Fixation (OWASP-SM_003) .......................................................................................................... 159
4.5.4 Testing for Exposed Session Variables (OWASP-SM-004) .......................................................................................... 161
of 00
4.2.1 TESTING: SPIDERS, ROBOTS, AND CRAWLERS (OWASP-IG-001) for OWASP Testing Guide
7,052 Reads
Info and Rating
| Category: | |
| Rating: | |
| Upload Date: | 04/09/2009 |
| Copyright: | Attribution Non-commercial |
| Tags: |
Leave a Comment