OWASP Testing Guide
Table of Contents

Last updated 2 years ago

  • 0. Foreword by Eoin Keary
  • 1. Frontispiece
  • 2. Introduction
    • 2.1 The OWASP Testing Project
    • 2.2 Principles of Testing
    • 2.3 Testing Techniques Explained
    • 2.4 Manual Inspections and Reviews
    • 2.5 Threat Modeling
    • 2.6 Source Code Review
    • 2.7 Penetration Testing
    • 2.8 The Need for a Balanced Approach
    • 2.9 Deriving Security Test Requirements
    • 2.10 Security Tests Integrated in Development and Testing Workflows
    • 2.11 Security Test Data Analysis and Reporting
  • 3. The OWASP Testing Framework
    • 3.1 The Web Security Testing Framework
    • 3.2 Phase 1 Before Development Begins
    • 3.3 Phase 2 During Definition and Design
    • 3.4 Phase 3 During Development
    • 3.5 Phase 4 During Deployment
    • 3.6 Phase 5 During Maintenance and Operations
    • 3.7 A Typical SDLC Testing Workflow
    • 3.8 Penetration Testing Methodologies
  • 4. Web Application Security Testing
    • 4.0 Introduction and Objectives
    • 4.1 Information Gathering
      • 4.1.1 Conduct Search Engine Discovery Reconnaissance for Information Leakage
      • 4.1.2 Fingerprint Web Server
      • 4.1.3 Review Webserver Metafiles for Information Leakage
      • 4.1.4 Enumerate Applications on Webserver
      • 4.1.5 Review Webpage Content for Information Leakage
      • 4.1.6 Identify Application Entry Points
      • 4.1.7 Map Execution Paths Through Application
      • 4.1.8 Fingerprint Web Application Framework
      • 4.1.9 Fingerprint Web Application
      • 4.1.10 Map Application Architecture
    • 4.2 Configuration and Deployment Management Testing
      • 4.2.1 Test Network Infrastructure Configuration
      • 4.2.2 Test Application Platform Configuration
      • 4.2.3 Test File Extensions Handling for Sensitive Information
      • 4.2.4 Review Old Backup and Unreferenced Files for Sensitive Information
      • 4.2.5 Enumerate Infrastructure and Application Admin Interfaces
      • 4.2.6 Test HTTP Methods
      • 4.2.7 Test HTTP Strict Transport Security
      • 4.2.8 Test RIA Cross Domain Policy
      • 4.2.9 Test File Permission
      • 4.2.10 Test for Subdomain Takeover
      • 4.2.11 Test Cloud Storage
      • 4.2.12 Test for Content Security Policy
    • 4.3 Identity Management Testing
      • 4.3.1 Test Role Definitions
      • 4.3.2 Test User Registration Process
      • 4.3.3 Test Account Provisioning Process
      • 4.3.4 Testing for Account Enumeration and Guessable User Account
      • 4.3.5 Testing for Weak or Unenforced Username Policy
    • 4.4 Authentication Testing
      • 4.4.1 Testing for Credentials Transported over an Encrypted Channel
      • 4.4.2 Testing for Default Credentials
      • 4.4.3 Testing for Weak Lock Out Mechanism
      • 4.4.4 Testing for Bypassing Authentication Schema
      • 4.4.5 Testing for Vulnerable Remember Password
      • 4.4.6 Testing for Browser Cache Weaknesses
      • 4.4.7 Testing for Weak Password Policy
      • 4.4.8 Testing for Weak Security Question Answer
      • 4.4.9 Testing for Weak Password Change or Reset Functionalities
      • 4.4.10 Testing for Weaker Authentication in Alternative Channel
      • 4.4.11 Testing Multi-Factor Authentication
    • 4.5 Authorization Testing
      • 4.5.1 Testing Directory Traversal File Include
      • 4.5.2 Testing for Bypassing Authorization Schema
      • 4.5.3 Testing for Privilege Escalation
      • 4.5.4 Testing for Insecure Direct Object References
      • 4.5.5 Testing for OAuth Weaknesses
        • 4.5.5.1 Testing for OAuth Authorization Server Weaknesses
        • 4.5.5.2 Testing for OAuth Client Weaknesses
    • 4.6 Session Management Testing
      • 4.6.1 Testing for Session Management Schema
      • 4.6.2 Testing for Cookies Attributes
      • 4.6.3 Testing for Session Fixation
      • 4.6.4 Testing for Exposed Session Variables
      • 4.6.5 Testing for Cross Site Request Forgery
      • 4.6.6 Testing for Logout Functionality
      • 4.6.7 Testing Session Timeout
      • 4.6.8 Testing for Session Puzzling
      • 4.6.9 Testing for Session Hijacking
      • 4.6.10 Testing JSON Web Tokens
    • 4.7 Input Validation Testing
      • 4.7.1 Testing for Reflected Cross Site Scripting
      • 4.7.2 Testing for Stored Cross Site Scripting
      • 4.7.3 Testing for HTTP Verb Tampering
      • 4.7.4 Testing for HTTP Parameter Pollution
      • 4.7.5 Testing for SQL Injection
        • 4.7.5.1 Testing for Oracle
        • 4.7.5.2 Testing for MySQL
        • 4.7.5.3 Testing for SQL Server
        • 4.7.5.4 Testing PostgreSQL
        • 4.7.5.5 Testing for MS Access
        • 4.7.5.6 Testing for NoSQL Injection
        • 4.7.5.7 Testing for ORM Injection
        • 4.7.5.8 Testing for Client-side
      • 4.7.6 Testing for LDAP Injection
      • 4.7.7 Testing for XML Injection
      • 4.7.8 Testing for SSI Injection
      • 4.7.9 Testing for XPath Injection
      • 4.7.10 Testing for IMAP SMTP Injection
      • 4.7.11 Testing for Code Injection
        • 4.7.11.1 Testing for File Inclusion
      • 4.7.12 Testing for Command Injection
      • 4.7.13 Testing for Format String Injection
      • 4.7.14 Testing for Incubated Vulnerability
      • 4.7.15 Testing for HTTP Splitting Smuggling
      • 4.7.16 Testing for HTTP Incoming Requests
      • 4.7.17 Testing for Host Header Injection
      • 4.7.18 Testing for Server-side Template Injection
      • 4.7.19 Testing for Server-Side Request Forgery
      • 4.7.20 Testing for Mass Assignment
    • 4.8 Testing for Error Handling
      • 4.8.1 Testing for Improper Error Handling
      • 4.8.2 Testing for Stack Traces
    • 4.9 Testing for Weak Cryptography
      • 4.9.1 Testing for Weak Transport Layer Security
      • 4.9.2 Testing for Padding Oracle
      • 4.9.3 Testing for Sensitive Information Sent via Unencrypted Channels
      • 4.9.4 Testing for Weak Encryption
    • 4.10 Business Logic Testing
      • 4.10.0 Introduction to Business Logic
      • 4.10.1 Test Business Logic Data Validation
      • 4.10.2 Test Ability to Forge Requests
      • 4.10.3 Test Integrity Checks
      • 4.10.4 Test for Process Timing
      • 4.10.5 Test Number of Times a Function Can Be Used Limits
      • 4.10.6 Testing for the Circumvention of Work Flows
      • 4.10.7 Test Defenses Against Application Misuse
      • 4.10.8 Test Upload of Unexpected File Types
      • 4.10.9 Test Upload of Malicious Files
      • 4.10.10 Test Payment Functionality
    • 4.11 Client-side Testing
      • 4.11.1 Testing for DOM-Based Cross Site Scripting
        • 4.11.1.1 Testing for Self DOM Based Cross-Site Scripting
      • 4.11.2 Testing for JavaScript Execution
      • 4.11.3 Testing for HTML Injection
      • 4.11.4 Testing for Client-side URL Redirect
      • 4.11.5 Testing for CSS Injection
      • 4.11.6 Testing for Client-side Resource Manipulation
      • 4.11.7 Testing Cross Origin Resource Sharing
      • 4.11.8 Testing for Cross Site Flashing
      • 4.11.9 Testing for Clickjacking
      • 4.11.10 Testing WebSockets
      • 4.11.11 Testing Web Messaging
      • 4.11.12 Testing Browser Storage
      • 4.11.13 Testing for Cross Site Script Inclusion
      • 4.11.14 Testing for Reverse Tabnabbing
    • 4.12 API Testing
      • 4.12.1 Testing GraphQL
  • 5. Reporting
    • 5.1 Reporting Structure
    • 5.2 Naming Schemes
  • Appendix A. Testing Tools Resource
  • Appendix B. Suggested Reading
  • Appendix C. Fuzz Vectors
  • Appendix D. Encoded Injection
  • Appendix E. History
  • Appendix F. Leveraging Dev Tools