Testing Guide Frontispiece
“Open and collaborative knowledge: that is the OWASP way.”

With V4 we realized a new guide that will be the standard de facto guide to perform Web Application Penetration Testing. - Matteo Meucci
OWASP thanks the many authors, reviewers, and editors for their hard work in bringing this guide to where it is today. If you have any comments or suggestions on the Testing Guide, please e-mail the Testing Guide mailing list:

http://lists.owasp.org/mailman/listinfo/owasp-testing

Or drop an e-mail to the project leaders: Andrew Muller and Matteo Meucci
Version 4.0

The OWASP Testing Guide version 4 improves on version 3 in three ways:

[1] This version of the Testing Guide integrates with the two other flagship OWASP documentation products: the Developers Guide and the Code Review Guide. To achieve this we aligned the testing categories and test numbering with those in other OWASP products. The aim of the Testing and Code Review Guides is to evaluate the security controls described by the Developers Guide.

[2] All chapters have been improved and test cases expanded to 87 (64 test cases in v3), including the introduction of four new chapters and controls:
• Identity Management Testing
• Error Handling
• Cryptography
• Client Side Testing

[3] This version of the Testing Guide encourages the community not to simply accept the test cases outlined in this guide. We encourage security testers to integrate with other software testers and devise test cases specific to the target application. As we find test cases that have wider applicability, we encourage the security testing community to share them and contribute them to the Testing Guide. This will continue to build the application security body of knowledge and allow the development of the Testing Guide to be an iterative rather than monolithic process.
Copyright and License

Copyright (c) 2014 The OWASP Foundation.
This document is released under the Creative Commons 2.5 License. Please read and understand the license and copyright conditions.
Revision History

The Testing Guide v4 will be released in 2014. The Testing Guide originated in 2003 with Dan Cuthbert as one of the original editors. It was handed over to Eoin Keary in 2005 and transformed into a wiki. Matteo Meucci has taken on the Testing Guide and is now the lead of the OWASP Testing Guide Project. Since 2012 Andrew Muller has co-led the project with Matteo Meucci.

• 2014: “OWASP Testing Guide”, Version 4.0
• 15th September, 2008: “OWASP Testing Guide”, Version 3.0
• December 25, 2006: “OWASP Testing Guide”, Version 2.0
• July 14, 2004: “OWASP Web Application Penetration Checklist”, Version 1.1
• December 2004: “The OWASP Testing Guide”, Version 1.0
Project Leaders

• Andrew Muller: OWASP Testing Guide Lead since 2013.
• Matteo Meucci: OWASP Testing Guide Lead since 2007.
• Eoin Keary: OWASP Testing Guide 2005-2007 Lead.
• Daniel Cuthbert: OWASP Testing Guide 2003-2005 Lead.
v4 Authors
• Matteo Meucci
• Pavol Luptak
• Marco Morana
• Giorgio Fedon
• Stefano Di Paola
• Gianrico Ingrosso
• Giuseppe Bonfà
• Andrew Muller
• Robert Winkel
• Roberto Suggi Liverani
• Robert Smith
• Tripurari Rai

v4 Reviewers
• Davide Danelon
• Andrea Rosignoli
• Irene Abezgauz
• Lode Vanstechelman
• Sebastien Gioria
• Yiannis Pavlosoglou
• Aditya Balapure

v2 Authors
• Vicente Aguilera
• Mauro Bregolin
• Tom Brennan
• Gary Burns
• Luca Carettoni
• Dan Cornell
• Mark Curphey
• Daniel Cuthbert
• Sebastien Deleersnyder
• Stephen DeVries

v2 Reviewers
• Vicente Aguilera
• Marco Belotti
• Mauro Bregolin
• Marco Cova
• Daniel Cuthbert
• Paul Davies
• Stefano Di Paola
• Matteo G.P. Flora
• Simona Forti
• Darrell Groundy
• Thomas Ryan
• Tim Bertels
• Cecil Su
• Aung KhAnt
• Norbert Szetei
• Michael Boman
• Wagner Elias
• Kevin Horvat
• Tom Brennan
• Tomas Zatko
• Juan Galiana Lara
• Sumit Siddharth

v3 Authors
• Anurag Agarwwal
• Daniele Bellucci
• Ariel Coronel
• Stefano Di Paola
• Giorgio Fedon
• Adam Goodman
• Christian Heinrich
• Kevin Horvath
• Gianrico Ingrosso
• Roberto Suggi Liverani
• Kuza55
• Stefano Di Paola
• David Endler
• Giorgio Fedon
• Javier Fernández-Sanguino
• Glyn Geoghegan
• Stan Guzik
• Madhura Halasgikar
• Eoin Keary
• David Litchfield
• Andrea Lombardini
• Eoin Keary
• James Kist
• Katie McDowell
• Marco Mella
• Matteo Meucci
• Syed Mohamed A
• Antonio Parata
• Alberto Revelli
• Mark Roxberry
• Dave Wichers
• Mike Hryekewicz
• Simon Bennetts
• Ray Schippers
• Raul Siles
• Jayanta Karmakar
• Brad Causey
• Vicente Aguilera
• Ismael Gonçalves
• David Fern
• Tom Eston
• Kevin Horvath
• Rick Mitchell
• Pavol Luptak
• Ferruh Mavituna
• Marco Mella
• Matteo Meucci
• Marco Morana
• Antonio Parata
• Cecil Su
• Harish Skanda Sureddy
• Mark Roxberry
• Andrew Van der Stock
• Ralph M. Los
• Claudio Merloni
• Matteo Meucci
• Marco Morana
• Laura Nunez
• Gunter Ollmann
• Antonio Parata
• Yiannis Pavlosoglou
• Carlo Pelliccioni
• Harinath Pudipeddi
• Eduardo Castellanos
• Simone Onofri
• Harword Sheen
• Amro AlOlaqi
• Suhas Desai
• Ryan Dewhurst
• Zaki Akhmad
• Davide Danelon
• Alexander Antukh
• Thomas Kalamaris
• Alexander Vavousis
• Clerkendweller

v3 Reviewers
• Marco Cova
• Kevin Fuller
• Matteo Meucci
• Nam Nguyen
• Rick Mitchell
• Alberto Revelli
• Mark Roxberry
• Tom Ryan
• Anush Shetty
• Larry Shields
• Dafydd Studdard
• Andrew van der Stock
• Ariel Waissbein
• Jeff Williams
• Tushar Vartak
• Christian Heinrich
• Babu Arokiadas
• Rob Barnes
• Ben Walther
• Anant Shrivastava
• Colin Watson
• Luca Carettoni
• Eoin Keary
• Jeff Williams
• Juan Manuel Bahamonde
• Thomas Skora
• Hugo Costa
Trademarks

• Java, Java Web Server, and JSP are registered trademarks of Sun Microsystems, Inc.
• Merriam-Webster is a trademark of Merriam-Webster, Inc.
• Microsoft is a registered trademark of Microsoft Corporation.
• Octave is a service mark of Carnegie Mellon University.
• VeriSign and Thawte are registered trademarks of VeriSign, Inc.
• Visa is a registered trademark of VISA USA.
• OWASP is a registered trademark of the OWASP Foundation.

All other products and company names may be trademarks of their respective owners. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark.