OWASP Testing Guide

Published by: mehtaankit on Apr 09, 2009
Copyright: Attribution Non-commercial
OWASP TESTING GUIDE
2008 V3.0

© 2002-2008 OWASP Foundation

This document is licensed under the Creative Commons Attribution-ShareAlike 3.0 license. You must attribute your version to the OWASP Testing or the OWASP Foundation.
Table of Contents

Foreword ..... 7
  Why OWASP? ..... 7
  Tailoring and Prioritizing ..... 7
  The Role of Automated Tools ..... 8
  Call to Action ..... 8

1. Frontispiece ..... 9
  Welcome to the OWASP Testing Guide 3.0 ..... 9
  About The Open Web Application Security Project ..... 12

2. Introduction ..... 14
  Principles of Testing ..... 16
  Testing Techniques Explained ..... 19
  Security Requirements Test Derivation ..... 25

3. The OWASP Testing Framework ..... 40
  Overview ..... 40
  Phase 1: Before Development Begins ..... 41
  Phase 2: During Definition and Design ..... 41
  Phase 3: During Development ..... 42
  Phase 4: During Deployment ..... 43
  Phase 5: Maintenance and Operations ..... 44

4. Web Application Penetration Testing ..... 46
  4.1 Introduction and objectives ..... 46
  4.2 Information Gathering ..... 51
    4.2.1 Testing: Spiders, robots, and Crawlers (OWASP-IG-001) ..... 52
    4.2.2 Search engine discovery/Reconnaissance (OWASP-IG-002) ..... 54
    4.2.3 Identify application entry points (OWASP-IG-003) ..... 56
    4.2.4 Testing for Web Application Fingerprint (OWASP-IG-004) ..... 59
    4.2.5 Application Discovery (OWASP-IG-005) ..... 65
    4.2.6 Analysis of Error Codes (OWASP-IG-006) ..... 71
  4.3 Configuration Management Testing ..... 75
    4.3.1 SSL/TLS Testing (OWASP-CM-001) ..... 76
    4.3.2 DB Listener Testing (OWASP-CM-002) ..... 82
    4.3.3 Infrastructure configuration management testing (OWASP-CM-003) ..... 86
    4.3.4 Application configuration management testing (OWASP-CM-004) ..... 91
    4.3.5 Testing for File extensions handling (OWASP-CM-005) ..... 95
    4.3.6 Old, backup and unreferenced files (OWASP-CM-006) ..... 97
    4.3.7 Infrastructure and Application Admin Interfaces (OWASP-CM-007) ..... 102
    4.3.8 Testing for HTTP Methods and XST (OWASP-CM-008) ..... 104
  4.4 Authentication Testing ..... 109
    4.4.1 Credentials transport over an encrypted channel (OWASP-AT-001) ..... 110
    4.4.2 Testing for user enumeration (OWASP-AT-002) ..... 113
    4.4.3 Default or guessable (dictionary) user account (OWASP-AT-003) ..... 117
    4.4.4 Testing For Brute Force (OWASP-AT-004) ..... 120
    4.4.5 Testing for Bypassing authentication schema (OWASP-AT-005) ..... 126
    4.4.6 Testing for Vulnerable remember password and pwd reset (OWASP-AT-006) ..... 131
    4.4.7 Testing for Logout and Browser Cache Management (OWASP-AT-007) ..... 133
    4.4.8 Testing for Captcha (OWASP-AT-008) ..... 138
    4.4.9 Testing for Multiple factors Authentication (OWASP-AT-009) ..... 140
    4.4.10 Testing for Race Conditions (OWASP-AT-010) ..... 144
  4.5 Session Management Testing ..... 146
    4.5.1 Testing for Session Management Schema (OWASP-SM-001) ..... 147
    4.5.2 Testing for Cookies attributes (OWASP-SM-002) ..... 156
    4.5.3 Testing for Session Fixation (OWASP-SM-003) ..... 159
    4.5.4 Testing for Exposed Session Variables (OWASP-SM-004) ..... 161