4. Web Application Penetration Testing:
Revision as of 16:59, 5 October 2012
(2 intermediate revisions by one user not shown)
Line 7:
Line 7:
http://www.owasp.org/index.php/OWASP_Testing_Project
http://www.owasp.org/index.php/OWASP_Testing_Project
−
'''Updated:
31st August
2012'''
+
'''Updated:
5th October
2012'''
[[ OWTGv4 Contributors list|'''Contributors List]]
[[ OWTGv4 Contributors list|'''Contributors List]]
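Review bot: the context line `[[ OWTGv4 Contributors list|'''Contributors List]]` opens bold with `'''` but never closes it, so the bold runs past the link on render, and the link target carries a leading space. Suggest `[[OWTGv4 Contributors list|'''Contributors List''']]`. The date bump from 31st August to 5th October 2012 is fine as is.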
Line 13:
Line 13:
----
----
−
The following are the main improvements we have to realize:
−
(1) - Add new testing techniques and OWASP Top10 update:
−
- Testing for HTTP Verb tampering
−
- Testing for HTTP Parameter Pollutions
−
- Testing for URL Redirection
−
- Testing for Insecure Direct Object References
−
- Testing for Insecure Cryptographic Storage
−
- Testing for Failure to Restrict URL Access
−
- Testing for Insufficient Transport Layer Protection
−
- Testing for Unvalidated Redirects and Forwards.
−
−
(2) - Review and improve all the sections in v3,
−
−
(3) - Create a more readable guide, eliminating some sections that are not
−
really useful, Rationalize some sections as Session Management Testing.
−
−
(4) Pavol says: - add new opensource testing tools that appeared during last 3 years
−
(and are missing in the OWASP Testing Guide v3)
−
−
- add few useful and life-scenarios of possible
−
vulnerabilities in Bussiness Logic Testing (many testers have no idea what
−
vulnerabilities in Business Logic exactly mean)
−
−
- "Brute force testing" of "session ID" is missing in "Session Management
−
Testing", describe other tools for Session ID entropy analysis
−
(e.g. Stompy)
−
−
- in "Data Validation Testing" describe some basic obfuscation methods for
−
malicious code injection including the statements how it is possible to
−
detect it (web application obfuscation is quite succesfull in bypassing
−
many data validation controls)
−
−
- split the phase Logout and Browser Cache Management" into two sections
−
The following is a DRAFT of the Toc based on the feedback already received.
The following is a DRAFT of the Toc based on the feedback already received.
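Review bot: dropping the whole "main improvements" block removes the only record on this page of what was requested for v4 (the new Top 10 tests such as HTTP verb tampering, HTTP parameter pollution and insecure direct object references; Pavol's session ID brute force and entropy analysis items; the business logic scenarios; obfuscation of injected code in data validation; the Logout / Browser Cache Management split) without any replacement text, and the TOC lines changed in this same revision do not show entries for most of those items. Suggest moving the list to a tracking page, or leaving each item in place until a corresponding TOC entry exists, so the feedback stays traceable. If the list is restored, fix "Bussiness", "succesfull" and the unbalanced quote in `Logout and Browser Cache Management"`.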
Line 103:
Line 69:
[[Testing for configuration management|'''4.3 Configuration and Deploy Management Testing ''']]
[[Testing for configuration management|'''4.3 Configuration and Deploy Management Testing ''']]
−
Infrastructure Configuration management weakness
+
Testing for
Infrastructure Configuration management weakness
−
Application Configuration management weakness
+
Testing for
Application Configuration management weakness
File extensions handling
File extensions handling
Old, backup and unreferenced files
Old, backup and unreferenced files
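Review bot: the two renamed entries under 4.3 gain only a "Testing for" prefix while the sibling lines "File extensions handling" and "Old, backup and unreferenced files" in the same hunk keep the bare form, and neither renamed line gets the section number, wiki link or OWASP identifier that the 4.4 entries use. Suggest one scheme for all four, e.g. `[[Testing for Infrastructure configuration management weakness|4.3.1 Testing for Infrastructure configuration management weakness (OWASP-CM-nnn)]]` with the real identifier filled in. The context heading "Configuration and Deploy Management Testing" should probably read "Deployment".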
Line 120:
Line 86:
[[Testing for authentication|'''4.4 Authentication Testing ''']]
[[Testing for authentication|'''4.4 Authentication Testing ''']]
−
Credentials transport over an
unencrypted
channel [Robert Winkel]
+
[[Testing for credentials transport (OWASP-AT-001)|4.4.1 Testing for
Credentials transport over an
encrypted
channel
(OWASP-AT-001)]]
[Robert Winkel]
−
User
enumeration (
also Guessable
user account) [Robert Winkel]
+
[[Testing for user
enumeration
(
OWASP-AT-002)|4.4.2 Testing for user enumeration and guessable
user account
(OWASP-AT-002
)
]]
[Robert Winkel]
−
Default or test accounts
[
New!
]
+
[
[Testing for default credentials (OWASP-AT-003)|4.4.3 Testing for default credentials
]]
−
Default passwords [Robert Winkel
]
+
[[Testing for
Weak lock out mechanism
(OWASP-AT-004)|4.4.4 Testing for Weak lock out mechanism]]
[New! - Robert Winkel]
−
Weak lock out mechanism [New! - Robert Winkel]
+
>
Account lockout DoS [New! - Robert Winkel
- we can put it in the 4.4.4
]
−
Account lockout DoS [New! - Robert Winkel]
+
[[Testing for
Bypassing
Authentication Schema (OWASP-AT-005)|4.4.5 Testing for bypassing
authentication schema
(OWASP-AT-005)]]
−
Bypassing authentication schema
+
−
Vulnerable remember password [Robert Winkel]
+
[[Testing for
Vulnerable
Remember Password and Pwd Reset (OWASP-AT-006)|4.4.6 Testing for vulnerable
remember
−
Browser cache weakness [New! - Abian Blome]
+
password
and pwd reset functionalities (OWASP-AT-006)]]
[Robert Winkel]
−
Weak or unenforced password policy [New! - Robert Winkel]
+
+
[[Testing for
Browser cache weakness
(OWASP-AT-007)
[New! - Abian Blome]
+
[[Testing for
Weak or unenforced password policy [New! - Robert Winkel]
Weak or unenforced username policy [New! - Robert Winkel]
Weak or unenforced username policy [New! - Robert Winkel]
Weak security question/answer [New! - Robert Winkel]
Weak security question/answer [New! - Robert Winkel]
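Review bot: two of the added links in this hunk are never closed: `[[Testing for Browser cache weakness (OWASP-AT-007)` has no `|` display text and no `]]`, and `[[Testing for` followed by `Weak or unenforced password policy [New! - Robert Winkel]` likewise never closes, so everything after them renders as broken link markup. Suggest completing both on the pattern of 4.4.4, e.g. `[[Testing for Browser cache weakness (OWASP-AT-007)|4.4.7 Testing for Browser cache weakness (OWASP-AT-007)]]` with the next free section number. Smaller points: the 4.4.1 title flips from "unencrypted" to "encrypted channel", which names the control rather than the weakness and so reads opposite to the other entries (weak lock out mechanism, vulnerable remember password); the stray `>` and the inline note "we can put it in the 4.4.4" on the Account lockout DoS line are editorial remarks that should not ship in the TOC; the display text of 4.4.3 and 4.4.4 omits the `(OWASP-AT-00n)` suffix that 4.4.1, 4.4.2, 4.4.5 and 4.4.6 carry; and "Weak or unenforced username policy" and "Weak security question/answer" are left as unlinked bare lines.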
Line 207:
Line 175:
[[Testing for Data Encryption (New!)]]
[[Testing for Data Encryption (New!)]]
−
Application did not use
encryption
+
[[Testing for Insecure
encryption
usage | x.x.1
−
Weak SSL/TSL Ciphers, Insufficient Transport Layer Protection
+
[[Testing for
Weak SSL/TSL Ciphers, Insufficient Transport Layer Protection
| x.x.2 Testing for Weak SSL/TSL Ciphers, Insufficient Transport Layer Protection (OWASP-EN-002)]]
−
Cacheable HTTPS Response
+
--> [[Testing for Cacheable HTTPS Response | x.x.3 Testing for
Cacheable HTTPS Response
Cache directives insecure
Cache directives insecure
−
Insecure Cryptographic Storage [
mainly CR Guide
]
+
--> Testing for
Insecure Cryptographic Storage [
put in x.x.1
]
−
Sensitive information sent via unencrypted
+
[[Testing for
Sensitive information sent via unencrypted channels
| x.x.4
−
channels
+
[[ XML Interpreter? (New!)]]
[[ XML Interpreter? (New!)]]
−
Weak XML Structure
+
Testing for
Weak XML Structure
−
XML content-level
+
Testing for
XML content-level
WS HTTP GET parameters/REST
WS HTTP GET parameters/REST
WS Naughty SOAP attachments
WS Naughty SOAP attachments
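Review bot: three of the new links in this hunk are left unclosed: `[[Testing for Insecure encryption usage | x.x.1` stops after the section placeholder, `--> [[Testing for Cacheable HTTPS Response | x.x.3 Testing for` never reaches `]]`, and `[[Testing for Sensitive information sent via unencrypted channels | x.x.4` likewise; only the x.x.2 entry is complete. The two `-->` prefixes are HTML comment terminators with no opening `<!--`, so they print literally. "SSL/TSL" in the x.x.2 line is a typo for "SSL/TLS" that appears in both the link target and the display text; fixing it later means moving the target page, so fix it now. "put in x.x.1" on the Insecure Cryptographic Storage line is an editorial note rather than TOC content, and x.x.1 is the only numbered entry without an `(OWASP-EN-nnn)` identifier. Under the XML heading the two renamed lines get "Testing for" but no link or number, while the WS lines keep the bare form.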
Line 225:
Line 193:
[[ Client Side Testing (New!) ]]
[[ Client Side Testing (New!) ]]
−
DOM XSS
+
Testing for
DOM
Based
XSS
−
HTML5 [Juan Galiana]
+
Testing for
HTML5 [Juan Galiana]
−
Cross Site Flashing
+
Testing for
Cross Site Flashing
−
ClickHijacking
+
Testing for
ClickHijacking
==[[Writing Reports: value the real risk |5. Writing Reports: value the real risk ]]==
==[[Writing Reports: value the real risk |5. Writing Reports: value the real risk ]]==
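Review bot: "Testing for ClickHijacking" should read "Clickjacking", the established name for the UI redress attack; as written, the misspelling becomes the page title. The four renamed client-side entries gain the "Testing for" prefix but none gets the `[[target|n.n.n Testing for ... (OWASP-xx-nnn)]]` form used under 4.4, "DOM Based XSS" is normally hyphenated as "DOM-based XSS", and "Testing for HTML5" names a technology rather than a weakness, unlike its siblings; suggest naming the specific HTML5 features under test or splitting the entry.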