4.0

More documents

Recommendations

Info

6 Testing Guide Foreword - By Eoin Keary and Technical Managers. The project to build this guide keeps this expertise in the hands of the people who need it - you, me and anyone that is involved in building software. This guide must make its way into the hands of developers and software testers. There are not nearly enough application security experts in the world to make any significant dent in the overall problem. The initial responsibility for application security must fall on the shoulders of the developers, they write the code. It shouldn’t be a surprise that developers aren’t producing secure code if they’re not testing for it or consider the types of bugs which introduce vulnerability. Keeping this information up to date is a critical aspect of this guide project. By adopting the wiki approach, the OWASP community can evolve and expand the information in this guide to keep pace with the fast moving application security threat landscape. This Guide is a great testament to the passion and energy our members and project volunteers have for this subject. It shall certainly help change the world a line of code at a time. Tailoring and Prioritizing You should adopt this guide in your organization. You may need to tailor the information to match your organization’s technologies, processes, and organizational structure. In general there are several different roles within organizations that may use this guide: • Developers should use this guide to ensure that they are producing secure code. These tests should be a part of normal code and unit testing procedures. • Software testers and QA should use this guide to expand the set of test cases they apply to applications. Catching these vulnerabilities early saves considerable time and effort later. • Security specialists should use this guide in combination with other techniques as one way to verify that no security holes have been missed in an application. • Project Managers should consider the reason this guide exists and that security issues are manifested via bugs in code and design. The most important thing to remember when performing security testing is to continuously re-prioritize. There are an infinite number of possible ways that an application could fail, and organizations always have limited testing time and resources. Be sure time and resources are spent wisely. Try to focus on the security holes that are a real risk to your business. Try to contextualize risk in terms of the application and its use cases. This guide is best viewed as a set of techniques that you can use to find different types of security holes. But not all the techniques are equally important. Try to avoid using the guide as a checklist, new vulnerabilities are always manifesting and no guide can be an exhaustive list of “things to test for”, but rather a great place to start. The Role of Automated Tools There are a number of companies selling automated security analysis and testing tools. Remember the limitations of these tools so that you can use them for what they’re good at. As Michael Howard put it at the 2006 OWASP AppSec Conference in Seattle, “Tools do not make software secure! They help scale the process and help enforce policy.” Most importantly, these tools are generic - meaning that they are not designed for your custom code, but for applications in general. That means that while they can find some generic problems, they do not have enough knowledge of your application to allow them to detect most flaws. In my experience, the most serious security issues are the ones that are not generic, but deeply intertwined in your business logic and custom application design. These tools can also be seductive, since they do find lots of potential issues. While running the tools doesn’t take much time, each one of the potential problems takes time to investigate and verify. If the goal is to find and eliminate the most serious flaws as quickly as possible, consider whether your time is best spent with automated tools or with the techniques described in this guide. Still, these tools are certainly part of a well-balanced application security program. Used wisely, they can support your overall processes to produce more secure code. Call to Action If you’re building, designing or testing software, I strongly encourage you to get familiar with the security testing guidance in this document. It is a great road map for testing the most common issues facing applications today, but it is not exhaustive. If you find errors, please add a note to the discussion page or make the change yourself. You’ll be helping thousands of others who use this guide. Please consider joining us as an individual or corporate member so that we can continue to produce materials like this testing guide and all the other great projects at OWASP. Thank you to all the past and future contributors to this guide, your work will help to make applications worldwide more secure. Eoin Keary, OWASP Board Member, April 19, 2013
7 Testing Guide Frontispiece 1 Testing Guide Frontispiece “Open and collaborative knowledge: that is the OWASP way.” With V4 we realized a new guide that will be the standard de-facto guide to perform Web Application Penetration Testing “Open and collaborative knowledge: that is the OWASP way.” With V4 we realized a new guide that will be the standard de-facto guide to perform Web Application Penetration Testing. - Matteo Meucci OWASP thanks the many authors, reviewers, and editors for their hard work in bringing this guide to where it is today. If you have any comments or suggestions on the Testing Guide, please e-mail the Testing Guide mail list: http:/lists.owasp.org/mailman/listinfo/owasp-testing Or drop an e-mail to the project leaders: Andrew Muller and Matteo Meucci Version <strong>4.0</strong> The OWASP Testing Guide version 4 improves on version 3 in three ways: [1] This version of the Testing Guide integrates with the two other flagship OWASP documentation products: the Developers Guide and the Code Review Guide. To achieve this we aligned the testing categories and test numbering with those in other OWASP products. The aim of the Testing and Code Review Guides is to evaluate the security controls described by the Developers Guide. [2] All chapters have been improved and test cases expanded to 87 (64 test cases in v3) including the introduction of four new chapters and controls: • Identity Management Testing • Error Handling • Cryptography • Client Side Testing [3] This version of the Testing Guide encourages the community not to simply accept the test cases outlined in this guide. We encourage security testers to integrate with other software testers and devise test cases specific to the target application. As we find test cases that have wider applicability we encourage the security testing community to share them and contribute them to the Testing Guide. This will continue to build the application security body of knowledge and allow the development of the Testing Guide to be an iterative rather than monolithic process. Copyright and License Copyright (c) 2014 The OWASP Foundation. This document is released under the Creative Commons 2.5 License. Please read and understand the license and copyright conditions. Revision History The Testing Guide v4 will be released in 2014. The Testing guide originated in 2003 with Dan Cuthbert as one of the original editors. It was handed over to Eoin Keary in 2005 and transformed into a wiki. Matteo Meucci has taken on the Testing guide and is now the lead of the OWASP Testing Guide Project. From 2012 Andrew Muller co-leadership the project with Matteo Meucci. 2014 • “OWASP Testing Guide”, Version <strong>4.0</strong> 15th September, 2008 • “OWASP Testing Guide”, Version 3.0 December 25, 2006 • “OWASP Testing Guide”, Version 2.0 July 14, 2004 • “OWASP Web Application Penetration Checklist”, Version 1.1 December 2004 • “The OWASP Testing Guide”, Version 1.0 Project Leaders Andrew Muller Andrew Muller: OWASP Testing Guide Lead since 2013. Matteo Meucci: OWASP Testing Guide Lead since 2007. Eoin Keary: OWASP Testing Guide 2005-2007 Lead. Daniel Cuthbert: OWASP Testing Guide 2003-2005 Lead. Matteo Meucci
Page 1 and 2: 1 Testing Guide 4.0 Project Leaders
Page 3 and 4: Testing Guide Foreword - Table of c
Page 5 and 6: 3 Testing Guide Foreword - Table of
Page 7: 5 Testing Guide Foreword - By Eoin
Page 11 and 12: 9 Testing Guide Introduction 2 The
Page 13 and 14: 11 Testing Guide Introduction vide
Page 15 and 16: 13 Testing Guide Introduction Testi
Page 17 and 18: 15 Testing Guide Introduction laid
Page 19 and 20: 17 Testing Guide Introduction valid
Page 21 and 22: 19 Testing Guide Introduction USER
Page 23 and 24: 21 Testing Guide Introduction ment
Page 25 and 26: 23 Testing Guide Introduction offen
Page 27 and 28: 25 The OWASP Testing Framework sect
Page 29 and 30: 27 Web Application Penetration Test
Page 59 and 60:
57 Web Application Penetration Test
Page 61 and 62:
Page 63 and 64:
Page 65 and 66:
Page 67 and 68:
Page 69 and 70:
Page 71 and 72:
Page 73 and 74:
Page 75 and 76:
Page 77 and 78:
Page 79 and 80:
Page 81 and 82:
Page 83 and 84:
Page 85 and 86:
Page 87 and 88:
Page 89 and 90:
Page 91 and 92:
Page 93 and 94:
Page 95 and 96:
Page 97 and 98:
Page 99 and 100:
Page 101 and 102:
Page 103 and 104:
101 Web Application Penetration Tes
Page 105 and 106:
Page 107 and 108:
Page 109 and 110:
Page 111 and 112:
Page 113 and 114:
Page 115 and 116:
Page 117 and 118:
Page 119 and 120:
Page 121 and 122:
Page 123 and 124:
Page 125 and 126:
Page 127 and 128:
Page 129 and 130:
Page 131 and 132:
Page 133 and 134:
Page 135 and 136:
Page 137 and 138:
Page 139 and 140:
Page 141 and 142:
Page 143 and 144:
Page 145 and 146:
Page 147 and 148:
Page 149 and 150:
Page 151 and 152:
Page 153 and 154:
Page 155 and 156:
Page 157 and 158:
Page 159 and 160:
Page 161 and 162:
Page 163 and 164:
Page 165 and 166:
Page 167 and 168:
Page 169 and 170:
Page 171 and 172:
Page 173 and 174:
Page 175 and 176:
Page 177 and 178:
Page 179 and 180:
Page 181 and 182:
Page 183 and 184:
Page 185 and 186:
Page 187 and 188:
Page 189 and 190:
Page 191 and 192:
Page 193 and 194:
Page 195 and 196:
Page 197 and 198:
Page 199 and 200:
Page 201 and 202:
Page 203 and 204:
Page 205 and 206:
Page 207 and 208:
Page 209 and 210:
Page 211 and 212:
209 same code can be applied to ses
Page 213 and 214:
211 Reporting Test ID Lowest versio
Page 215 and 216:
213 Reporting Test ID Business Logi
Page 217 and 218:
215 Appendix kajfghlhfkcocafkcjlajl
Page 219 and 220:
217 Appendix Testing - http:/www.ni
Page 221 and 222:
219 Cross Site Scripting (XSS) For
Page 223 and 224:
221 LDAP Injection For details on L
show all

4.0

Create successful ePaper yourself

Delete template?

Save as template?