APPLYING OWASP WEB SECURITY TESTING GUIDE (OWSTG)
GUIDE CAN BE USEFUL FOR
- Security specialists
- Software testers and QA
- Developers
- Project Managers
CATEGORIZING TESTING
- Passive Testing
- Active Testing
INTRODUCTION
(Flow diagram on the slide; the node labels, in reading order, were:)
Filling a form -> Finding the form -> Submit the form -> Authenticated (Yes) / Un-authenticated
-> What was the user id?
-> Session management: persist
-> Validation of data? If validation worked
-> What if there was an error?
-> How was the cryptography used?
-> Reflecting the output to the client
-> What are the client-side issues?
WEB APPLICATION SECURITY TESTING
- 4.1 Information Gathering
- 4.2 Configuration and Deployment Management Testing
- 4.3 Identity Management Testing
- 4.4 Authentication Testing
- 4.5 Authorization Testing
- 4.6 Session Management Testing
- 4.7 Input Validation Testing
- 4.8 Testing for Error Handling
- 4.9 Testing for Weak Cryptography
- 4.10 Business Logic Testing
- 4.11 Client-Side Testing
INFORMATION EVERY SECTION GIVES
- Summary
- How to Test
- Tools
- References/Whitepapers
4.1 INFORMATION GATHERING
- What is information gathering?
- What are we doing here?
INFORMATION GATHERING
- 4.1.1 Conduct Search Engine Discovery Reconnaissance for Information Leakage
- 4.1.2 Fingerprint Web Server
- 4.1.3 Review Webserver Metafiles for Information Leakage
- 4.1.4 Enumerate Applications on Webserver
- 4.1.5 Review Webpage Comments and Metadata for Information Leakage
- 4.1.6 Identify Application Entry Points
- 4.1.7 Map Execution Paths Through Application
- 4.1.8 Fingerprint Web Application Framework
- 4.1.9 Fingerprint Web Application
- 4.1.10 Map Application Architecture
4.2 CONFIGURATION AND DEPLOYMENT MANAGEMENT TESTING
- What is Configuration Management?
- What is Deployment Testing?
- What are we doing here?
CONFIGURATION AND DEPLOYMENT MANAGEMENT TESTING
- 4.2.1 Test Network Infrastructure Configuration
- 4.2.2 Test Application Platform Configuration
- 4.2.3 Test File Extensions Handling for Sensitive Information
- 4.2.4 Review Old Backup and Unreferenced Files for Sensitive Information
- 4.2.5 Enumerate Infrastructure and Application Admin Interfaces
- 4.2.6 Test HTTP Methods
- 4.2.7 Test HTTP Strict Transport Security
- 4.2.8 Test RIA Cross Domain Policy
- 4.2.9 Test File Permission
- 4.2.10 Test for Subdomain Takeover
- 4.2.11 Test Cloud Storage
4.3 IDENTITY MANAGEMENT TESTING
- 4.3.1 Test Role Definitions
- 4.3.2 Test User Registration Process
- 4.3.3 Test Account Provisioning Process
- 4.3.4 Testing for Account Enumeration and Guessable User Account
- 4.3.5 Testing for Weak or Unenforced Username Policy
4.4 AUTHENTICATION TESTING
- 4.4.1 Testing for Credentials Transported over an Encrypted Channel
- 4.4.2 Testing for Default Credentials
- 4.4.3 Testing for Weak Lock Out Mechanism
- 4.4.4 Testing for Bypassing Authentication Schema
- 4.4.5 Testing for Vulnerable Remember Password
- 4.4.6 Testing for Browser Cache Weaknesses
- 4.4.7 Testing for Weak Password Policy
- 4.4.8 Testing for Weak Security Question Answer
- 4.4.9 Testing for Weak Password Change or Reset Functionalities
- 4.4.10 Testing for Weaker Authentication in Alternative Channel
4.5 AUTHORIZATION TESTING
- 4.5.1 Testing Directory Traversal File Include
- 4.5.2 Testing for Bypassing Authorization Schema
- 4.5.3 Testing for Privilege Escalation
- 4.5.4 Testing for Insecure Direct Object References
4.6 SESSION MANAGEMENT TESTING
- 4.6.1 Testing for Session Management Schema
- 4.6.2 Testing for Cookies Attributes
- 4.6.3 Testing for Session Fixation
- 4.6.4 Testing for Exposed Session Variables
- 4.6.5 Testing for Cross Site Request Forgery
- 4.6.6 Testing for Logout Functionality
- 4.6.7 Testing Session Timeout
- 4.6.8 Testing for Session Puzzling
4.7 INPUT VALIDATION TESTING
- 4.7.1 Testing for Reflected Cross Site Scripting
- 4.7.2 Testing for Stored Cross Site Scripting
- 4.7.3 Testing for HTTP Verb Tampering
- 4.7.4 Testing for HTTP Parameter Pollution
4.7.5 TESTING FOR SQL INJECTION
- 4.7.5.1 Testing for Oracle
- 4.7.5.2 Testing for MySQL
- 4.7.5.3 Testing for SQL Server
- 4.7.5.4 Testing PostgreSQL
- 4.7.5.5 Testing for MS Access
- 4.7.5.6 Testing for NoSQL Injection
- 4.7.5.7 Testing for ORM Injection
- 4.7.5.8 Testing for Client Side
- 4.7.6 Testing for LDAP Injection
- 4.7.7 Testing for XML Injection
- 4.7.8 Testing for SSI Injection
- 4.7.9 Testing for XPath Injection
- 4.7.10 Testing for IMAP SMTP Injection
- 4.7.11 Testing for Code Injection
- 4.7.11.1 Testing for Local File Inclusion
- 4.7.11.2 Testing for Remote File Inclusion
- 4.7.12 Testing for Command Injection
- 4.7.13 Testing for Buffer Overflow
- 4.7.13.1 Testing for Heap Overflow
- 4.7.13.2 Testing for Stack Overflow
- 4.7.13.3 Testing for Format String
- 4.7.14 Testing for Incubated Vulnerability
- 4.7.15 Testing for HTTP Splitting Smuggling
- 4.7.16 Testing for HTTP Incoming Requests
- 4.7.17 Testing for Host Header Injection
- 4.7.18 Testing for Server Side Template Injection
4.8 TESTING FOR ERROR HANDLING
- 4.8.1 Testing for Error Code
- 4.8.2 Testing for Stack Traces
4.9 TESTING FOR WEAK CRYPTOGRAPHY
- 4.9.1 Testing for Weak SSL TLS Ciphers Insufficient Transport Layer Protection
- 4.9.2 Testing for Padding Oracle
- 4.9.3 Testing for Sensitive Information Sent via Unencrypted Channels
- 4.9.4 Testing for Weak Encryption
4.10 BUSINESS LOGIC TESTING
- 4.10.0 Introduction to Business Logic
- 4.10.1 Test Business Logic Data Validation
- 4.10.2 Test Ability to Forge Requests
- 4.10.3 Test Integrity Checks
- 4.10.4 Test for Process Timing
- 4.10.5 Test Number of Times a Function Can Be Used Limits
- 4.10.6 Testing for the Circumvention of Work Flows
- 4.10.7 Test Defences Against Application Misuse
- 4.10.8 Test Upload of Unexpected File Types
- 4.10.9 Test Upload of Malicious Files
4.11 CLIENT-SIDE TESTING
- 4.11.1 Testing for DOM-Based Cross Site Scripting
- 4.11.2 Testing for JavaScript Execution
- 4.11.3 Testing for HTML Injection
- 4.11.4 Testing for Client Side URL Redirect
- 4.11.5 Testing for CSS Injection
- 4.11.6 Testing for Client Side Resource Manipulation
- 4.11.7 Testing Cross Origin Resource Sharing
- 4.11.8 Testing for Cross Site Flashing
- 4.11.9 Testing for Clickjacking
- 4.11.10 Testing WebSockets
- 4.11.11 Testing Web Messaging
- 4.11.12 Testing Browser Storage
- 4.11.13 Testing for Cross Site Script Inclusion
TOOLS OF TRADE
- OWASP ZAP
REPORTING
REACH ME!
Twitter: @InfosecVandana
LinkedIn: vandana-verma
Thank you!

More Related Content

What's hot

Web PenTest Sample Report
Web PenTest Sample ReportWeb PenTest Sample Report
Web PenTest Sample ReportOctogence
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World42Crunch
 
security misconfigurations
security misconfigurationssecurity misconfigurations
security misconfigurationsMegha Sahu
 
OWASP Top 10 API Security Risks
OWASP Top 10 API Security RisksOWASP Top 10 API Security Risks
OWASP Top 10 API Security RisksIndusfacePvtLtd
 
Security Exploit of Business Logic Flaws, Business Logic Attacks
Security Exploit of Business Logic Flaws, Business Logic AttacksSecurity Exploit of Business Logic Flaws, Business Logic Attacks
Security Exploit of Business Logic Flaws, Business Logic AttacksMarco Morana
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testingAbu Sadat Mohammed Yasin
 
Cisco Web and Email Security Overview
Cisco Web and Email Security OverviewCisco Web and Email Security Overview
Cisco Web and Email Security OverviewCisco Security
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarOWASP Delhi
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsneexemil
 
CSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectCSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectBlueinfy Solutions
 
Directory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion AttacksDirectory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion AttacksRaghav Bisht
 
Malicious file upload attacks - a case study
Malicious file upload attacks - a case studyMalicious file upload attacks - a case study
Malicious file upload attacks - a case studyOktawian Powazka
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing Priyanka Aash
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 

What's hot (20)

Web PenTest Sample Report
Web PenTest Sample ReportWeb PenTest Sample Report
Web PenTest Sample Report
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
 
Nii sample pt_report
Nii sample pt_reportNii sample pt_report
Nii sample pt_report
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
 
security misconfigurations
security misconfigurationssecurity misconfigurations
security misconfigurations
 
API Security Fundamentals
API Security FundamentalsAPI Security Fundamentals
API Security Fundamentals
 
OWASP Top Ten
OWASP Top TenOWASP Top Ten
OWASP Top Ten
 
OWASP Top 10 API Security Risks
OWASP Top 10 API Security RisksOWASP Top 10 API Security Risks
OWASP Top 10 API Security Risks
 
Security Exploit of Business Logic Flaws, Business Logic Attacks
Security Exploit of Business Logic Flaws, Business Logic AttacksSecurity Exploit of Business Logic Flaws, Business Logic Attacks
Security Exploit of Business Logic Flaws, Business Logic Attacks
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testing
 
Cisco Web and Email Security Overview
Cisco Web and Email Security OverviewCisco Web and Email Security Overview
Cisco Web and Email Security Overview
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang Bhatnagar
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versions
 
CSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectCSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open Redirect
 
Directory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion AttacksDirectory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion Attacks
 
Malicious file upload attacks - a case study
Malicious file upload attacks - a case studyMalicious file upload attacks - a case study
Malicious file upload attacks - a case study
 
Ssrf
SsrfSsrf
Ssrf
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
 

Similar to Applying OWASP web security testing guide (OWSTG)

OWASP-Web-Security-testing-4.2
OWASP-Web-Security-testing-4.2OWASP-Web-Security-testing-4.2
OWASP-Web-Security-testing-4.2Massimo Talia
 
Owasp Eu Summit 2008 Owasp Testing Guide V3
Owasp Eu Summit 2008 Owasp Testing Guide V3Owasp Eu Summit 2008 Owasp Testing Guide V3
Owasp Eu Summit 2008 Owasp Testing Guide V3Matteo Meucci
 
OTG - Practical Hands on VAPT
OTG - Practical Hands on VAPTOTG - Practical Hands on VAPT
OTG - Practical Hands on VAPTshiriskumar
 
4 Testing Methods to Scale and Automate Your DevOps Pipeline
4 Testing Methods to Scale and Automate Your DevOps Pipeline4 Testing Methods to Scale and Automate Your DevOps Pipeline
4 Testing Methods to Scale and Automate Your DevOps PipelinePerfecto by Perforce
 
Galileo computing software testing
Galileo computing software testingGalileo computing software testing
Galileo computing software testingQualister
 
St & internationalization
St & internationalizationSt & internationalization
St & internationalizationSachin MK
 
CAS state of the project: Open Apereo 2015
CAS state of the project: Open Apereo 2015CAS state of the project: Open Apereo 2015
CAS state of the project: Open Apereo 2015Misagh Moayyed
 
IPv6 Development and Testing Services
IPv6 Development and Testing ServicesIPv6 Development and Testing Services
IPv6 Development and Testing ServicesTMA Solutions
 
How to Avoid Continuously Delivering Faulty Software
How to Avoid Continuously Delivering Faulty SoftwareHow to Avoid Continuously Delivering Faulty Software
How to Avoid Continuously Delivering Faulty SoftwareParasoft
 
open sta testing Certification
open sta testing Certificationopen sta testing Certification
open sta testing CertificationVskills
 
FIWARE Global Summit - Functional Testing – High-Quality Enablers for High-Qu...
FIWARE Global Summit - Functional Testing – High-Quality Enablers for High-Qu...FIWARE Global Summit - Functional Testing – High-Quality Enablers for High-Qu...
FIWARE Global Summit - Functional Testing – High-Quality Enablers for High-Qu...FIWARE
 
Demo how to efficiently evaluate nf-vi performance by leveraging opnfv testi...
Demo  how to efficiently evaluate nf-vi performance by leveraging opnfv testi...Demo  how to efficiently evaluate nf-vi performance by leveraging opnfv testi...
Demo how to efficiently evaluate nf-vi performance by leveraging opnfv testi...OPNFV
 
The Road to DevOps: Data, Environment, and Test Automation
The Road to DevOps: Data, Environment, and Test AutomationThe Road to DevOps: Data, Environment, and Test Automation
The Road to DevOps: Data, Environment, and Test AutomationJosiah Renaudin
 
software-testing-yogesh-singh (1).pdf
software-testing-yogesh-singh (1).pdfsoftware-testing-yogesh-singh (1).pdf
software-testing-yogesh-singh (1).pdfJhaKaustubh1
 

Similar to Applying OWASP web security testing guide (OWSTG) (20)

OWASP-Web-Security-testing-4.2
OWASP-Web-Security-testing-4.2OWASP-Web-Security-testing-4.2
OWASP-Web-Security-testing-4.2
 
Owasp Eu Summit 2008 Owasp Testing Guide V3
Owasp Eu Summit 2008 Owasp Testing Guide V3Owasp Eu Summit 2008 Owasp Testing Guide V3
Owasp Eu Summit 2008 Owasp Testing Guide V3
 
OWASP Testing Guide v3
OWASP Testing Guide v3OWASP Testing Guide v3
OWASP Testing Guide v3
 
OTG - Practical Hands on VAPT
OTG - Practical Hands on VAPTOTG - Practical Hands on VAPT
OTG - Practical Hands on VAPT
 
4 Testing Methods to Scale and Automate Your DevOps Pipeline
4 Testing Methods to Scale and Automate Your DevOps Pipeline4 Testing Methods to Scale and Automate Your DevOps Pipeline
4 Testing Methods to Scale and Automate Your DevOps Pipeline
 
Galileo computing software testing
Galileo computing software testingGalileo computing software testing
Galileo computing software testing
 
St & internationalization
St & internationalizationSt & internationalization
St & internationalization
 
CAS state of the project: Open Apereo 2015
CAS state of the project: Open Apereo 2015CAS state of the project: Open Apereo 2015
CAS state of the project: Open Apereo 2015
 
IPv6 Development and Testing Services
IPv6 Development and Testing ServicesIPv6 Development and Testing Services
IPv6 Development and Testing Services
 
Hemanth
HemanthHemanth
Hemanth
 
How to Avoid Continuously Delivering Faulty Software
How to Avoid Continuously Delivering Faulty SoftwareHow to Avoid Continuously Delivering Faulty Software
How to Avoid Continuously Delivering Faulty Software
 
Latest CAS News 2014
Latest CAS News 2014Latest CAS News 2014
Latest CAS News 2014
 
open sta testing Certification
open sta testing Certificationopen sta testing Certification
open sta testing Certification
 
Portal testing
Portal testingPortal testing
Portal testing
 
Testing
TestingTesting
Testing
 
Testing
TestingTesting
Testing
 
FIWARE Global Summit - Functional Testing – High-Quality Enablers for High-Qu...
FIWARE Global Summit - Functional Testing – High-Quality Enablers for High-Qu...FIWARE Global Summit - Functional Testing – High-Quality Enablers for High-Qu...
FIWARE Global Summit - Functional Testing – High-Quality Enablers for High-Qu...
 
Demo how to efficiently evaluate nf-vi performance by leveraging opnfv testi...
Demo  how to efficiently evaluate nf-vi performance by leveraging opnfv testi...Demo  how to efficiently evaluate nf-vi performance by leveraging opnfv testi...
Demo how to efficiently evaluate nf-vi performance by leveraging opnfv testi...
 
The Road to DevOps: Data, Environment, and Test Automation
The Road to DevOps: Data, Environment, and Test AutomationThe Road to DevOps: Data, Environment, and Test Automation
The Road to DevOps: Data, Environment, and Test Automation
 
software-testing-yogesh-singh (1).pdf
software-testing-yogesh-singh (1).pdfsoftware-testing-yogesh-singh (1).pdf
software-testing-yogesh-singh (1).pdf
 

More from Vandana Verma

Building security into the pipelines
Building security into the pipelinesBuilding security into the pipelines
Building security into the pipelinesVandana Verma
 
SARCON Talk - Vandana Verma Sehgal
SARCON Talk - Vandana Verma SehgalSARCON Talk - Vandana Verma Sehgal
SARCON Talk - Vandana Verma SehgalVandana Verma
 
Sacon 2020 living in the world of zero trust v1.0
Sacon 2020 living in the world of zero trust v1.0Sacon 2020 living in the world of zero trust v1.0
Sacon 2020 living in the world of zero trust v1.0Vandana Verma
 
Addo 2019 vandana_dev_secops_culturalchange
Addo 2019 vandana_dev_secops_culturalchangeAddo 2019 vandana_dev_secops_culturalchange
Addo 2019 vandana_dev_secops_culturalchangeVandana Verma
 
App Sec village DevSecOps as a culture
App Sec village DevSecOps as a cultureApp Sec village DevSecOps as a culture
App Sec village DevSecOps as a cultureVandana Verma
 
Web sockets - Pentesting
Web sockets - Pentesting Web sockets - Pentesting
Web sockets - Pentesting Vandana Verma
 
Story of http headers
Story of http headersStory of http headers
Story of http headersVandana Verma
 
Security audits & compliance
Security audits & complianceSecurity audits & compliance
Security audits & complianceVandana Verma
 
Basics of Server Side Template Injection
Basics of Server Side Template InjectionBasics of Server Side Template Injection
Basics of Server Side Template InjectionVandana Verma
 
SIEM Vendor Neutrality
SIEM Vendor NeutralitySIEM Vendor Neutrality
SIEM Vendor NeutralityVandana Verma
 
Getting started with android
Getting started with androidGetting started with android
Getting started with androidVandana Verma
 
Importance of Penetration Testing
Importance of Penetration TestingImportance of Penetration Testing
Importance of Penetration TestingVandana Verma
 
Identity & access management
Identity & access managementIdentity & access management
Identity & access managementVandana Verma
 
Chariot generic presentation owaspwia_Infosecgirls
Chariot generic presentation owaspwia_InfosecgirlsChariot generic presentation owaspwia_Infosecgirls
Chariot generic presentation owaspwia_InfosecgirlsVandana Verma
 
OWASP - Dependency Check
OWASP - Dependency CheckOWASP - Dependency Check
OWASP - Dependency CheckVandana Verma
 
Incident response in Cloud
Incident response in CloudIncident response in Cloud
Incident response in CloudVandana Verma
 

More from Vandana Verma (17)

Building security into the pipelines
Building security into the pipelinesBuilding security into the pipelines
Building security into the pipelines
 
SARCON Talk - Vandana Verma Sehgal
SARCON Talk - Vandana Verma SehgalSARCON Talk - Vandana Verma Sehgal
SARCON Talk - Vandana Verma Sehgal
 
Sacon 2020 living in the world of zero trust v1.0
Sacon 2020 living in the world of zero trust v1.0Sacon 2020 living in the world of zero trust v1.0
Sacon 2020 living in the world of zero trust v1.0
 
Addo 2019 vandana_dev_secops_culturalchange
Addo 2019 vandana_dev_secops_culturalchangeAddo 2019 vandana_dev_secops_culturalchange
Addo 2019 vandana_dev_secops_culturalchange
 
App Sec village DevSecOps as a culture
App Sec village DevSecOps as a cultureApp Sec village DevSecOps as a culture
App Sec village DevSecOps as a culture
 
Oscp - Journey
Oscp - JourneyOscp - Journey
Oscp - Journey
 
Web sockets - Pentesting
Web sockets - Pentesting Web sockets - Pentesting
Web sockets - Pentesting
 
Story of http headers
Story of http headersStory of http headers
Story of http headers
 
Security audits & compliance
Security audits & complianceSecurity audits & compliance
Security audits & compliance
 
Basics of Server Side Template Injection
Basics of Server Side Template InjectionBasics of Server Side Template Injection
Basics of Server Side Template Injection
 
SIEM Vendor Neutrality
SIEM Vendor NeutralitySIEM Vendor Neutrality
SIEM Vendor Neutrality
 
Getting started with android
Getting started with androidGetting started with android
Getting started with android
 
Importance of Penetration Testing
Importance of Penetration TestingImportance of Penetration Testing
Importance of Penetration Testing
 
Identity & access management
Identity & access managementIdentity & access management
Identity & access management
 
Chariot generic presentation owaspwia_Infosecgirls
Chariot generic presentation owaspwia_InfosecgirlsChariot generic presentation owaspwia_Infosecgirls
Chariot generic presentation owaspwia_Infosecgirls
 
OWASP - Dependency Check
OWASP - Dependency CheckOWASP - Dependency Check
OWASP - Dependency Check
 
Incident response in Cloud
Incident response in CloudIncident response in Cloud
Incident response in Cloud
 

Recently uploaded

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 

Recently uploaded (20)

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

Applying OWASP web security testing guide (OWSTG)

  • 2. GUIDE CAN BE USEFUL FOR
   Security specialists
   Software testers and QA
   Developers
   Project Managers
  • 3. CATEGORIZING TESTING
   Passive Testing
   Active Testing
  • 5. Yes Filling a form Finding the form Submit the form Authenticated Un-authenticated What was the User id? Session management – persist Validation of data? If validation worked What if there was an error? How the cryptography was used? Reflecting the output to the client What are the client side issues?
  • 6. WEB APPLICATION SECURITY TESTING
   4.1 Information Gathering
   4.2 Configuration and Deployment Management Testing
   4.3 Identity Management Testing
   4.4 Authentication Testing
   4.5 Authorization Testing
   4.6 Session Management Testing
   4.7 Input Validation Testing
   4.8 Testing for Error Handling
   4.9 Testing for Weak Cryptography
   4.10 Business Logic Testing
   4.11 Client-Side Testing
  • 7. INFORMATION EVERY SECTION GIVES
   Summary
   How to Test
   Tools
   References/Whitepapers
  • 9.
   What is information gathering?
   What are we doing here?
  • 10. INFORMATION GATHERING
   4.1.1 Conduct Search Engine Discovery Reconnaissance for Information Leakage
   4.1.2 Fingerprint Web Server
   4.1.3 Review Webserver Metafiles for Information Leakage
   4.1.4 Enumerate Applications on Webserver
   4.1.5 Review Webpage Comments and Metadata for Information Leakage
   4.1.6 Identify Application Entry Points
   4.1.7 Map Execution Paths Through Application
   4.1.8 Fingerprint Web Application Framework
   4.1.9 Fingerprint Web Application
   4.1.10 Map Application Architecture
  • 11. 4.2 CONFIGURATION AND DEPLOYMENT MANAGEMENT TESTING
  • 12.
   What is Configuration Management?
   What is Deployment Testing?
   What are we doing here?
  • 13. CONFIGURATION AND DEPLOYMENT MANAGEMENT TESTING
   4.2.1 Test Network Infrastructure Configuration
   4.2.2 Test Application Platform Configuration
   4.2.3 Test File Extensions Handling for Sensitive Information
   4.2.4 Review Old Backup and Unreferenced Files for Sensitive Information
   4.2.5 Enumerate Infrastructure and Application Admin Interfaces
   4.2.6 Test HTTP Methods
   4.2.7 Test HTTP Strict Transport Security
   4.2.8 Test RIA Cross Domain Policy
   4.2.9 Test File Permission
   4.2.10 Test for Subdomain Takeover
   4.2.11 Test Cloud Storage
  • 15. 4.3 IDENTITY MANAGEMENT TESTING
   4.3.1 Test Role Definitions
   4.3.2 Test User Registration Process
   4.3.3 Test Account Provisioning Process
   4.3.4 Testing for Account Enumeration and Guessable User Account
   4.3.5 Testing for Weak or Unenforced Username Policy
  • 17. 4.4 AUTHENTICATION TESTING
   4.4.1 Testing for Credentials Transported over an Encrypted Channel
   4.4.2 Testing for Default Credentials
   4.4.3 Testing for Weak Lock Out Mechanism
   4.4.4 Testing for Bypassing Authentication Schema
   4.4.5 Testing for Vulnerable Remember Password
   4.4.6 Testing for Browser Cache Weaknesses
   4.4.7 Testing for Weak Password Policy
   4.4.8 Testing for Weak Security Question Answer
   4.4.9 Testing for Weak Password Change or Reset Functionalities
   4.4.10 Testing for Weaker Authentication in Alternative Channel
  • 19. 4.5 AUTHORIZATION TESTING
   4.5.1 Testing Directory Traversal File Include
   4.5.2 Testing for Bypassing Authorization Schema
   4.5.3 Testing for Privilege Escalation
   4.5.4 Testing for Insecure Direct Object References
  • 21. 4.6 SESSION MANAGEMENT TESTING
   4.6.1 Testing for Session Management Schema
   4.6.2 Testing for Cookies Attributes
   4.6.3 Testing for Session Fixation
   4.6.4 Testing for Exposed Session Variables
   4.6.5 Testing for Cross Site Request Forgery
   4.6.6 Testing for Logout Functionality
   4.6.7 Testing Session Timeout
   4.6.8 Testing for Session Puzzling
  • 23. 4.7 INPUT VALIDATION TESTING
   4.7.1 Testing for Reflected Cross Site Scripting
   4.7.2 Testing for Stored Cross Site Scripting
   4.7.3 Testing for HTTP Verb Tampering
   4.7.4 Testing for HTTP Parameter Pollution
  • 24. 4.7.5 TESTING FOR SQL INJECTION
   4.7.5.1 Testing for Oracle
   4.7.5.2 Testing for MySQL
   4.7.5.3 Testing for SQL Server
   4.7.5.4 Testing PostgreSQL
   4.7.5.5 Testing for MS Access
   4.7.5.6 Testing for NoSQL Injection
   4.7.5.7 Testing for ORM Injection
   4.7.5.8 Testing for Client Side
  • 25.
   4.7.6 Testing for LDAP Injection
   4.7.7 Testing for XML Injection
   4.7.8 Testing for SSI Injection
   4.7.9 Testing for XPath Injection
   4.7.10 Testing for IMAP SMTP Injection
   4.7.11 Testing for Code Injection
   4.7.11.1 Testing for Local File Inclusion
   4.7.11.2 Testing for Remote File Inclusion
   4.7.12 Testing for Command Injection
  • 26.
   4.7.13 Testing for Buffer Overflow
   4.7.13.1 Testing for Heap Overflow
   4.7.13.2 Testing for Stack Overflow
   4.7.13.3 Testing for Format String
   4.7.14 Testing for Incubated Vulnerability
   4.7.15 Testing for HTTP Splitting Smuggling
   4.7.16 Testing for HTTP Incoming Requests
   4.7.17 Testing for Host Header Injection
   4.7.18 Testing for Server Side Template Injection
  • 27. 4.8 TESTING FOR ERROR HANDLING
  • 28. 4.8 TESTING FOR ERROR HANDLING
   4.8.1 Testing for Error Code
   4.8.2 Testing for Stack Traces
  • 29. 4.9 TESTING FOR WEAK CRYPTOGRAPHY
  • 30. 4.9 TESTING FOR WEAK CRYPTOGRAPHY
   4.9.1 Testing for Weak SSL TLS Ciphers Insufficient Transport Layer Protection
   4.9.2 Testing for Padding Oracle
   4.9.3 Testing for Sensitive Information Sent via Unencrypted Channels
   4.9.4 Testing for Weak Encryption
  • 32. 4.10 BUSINESS LOGIC TESTING
   4.10.0 Introduction to Business Logic
   4.10.1 Test Business Logic Data Validation
   4.10.2 Test Ability to Forge Requests
   4.10.3 Test Integrity Checks
   4.10.4 Test for Process Timing
   4.10.5 Test Number of Times a Function Can Be Used Limits
   4.10.6 Testing for the Circumvention of Work Flows
   4.10.7 Test Defences Against Application Misuse
   4.10.8 Test Upload of Unexpected File Types
   4.10.9 Test Upload of Malicious Files
  • 34. CLIENT-SIDE TESTING
   4.11.1 Testing for DOM-Based Cross Site Scripting
   4.11.2 Testing for JavaScript Execution
   4.11.3 Testing for HTML Injection
   4.11.4 Testing for Client Side URL Redirect
   4.11.5 Testing for CSS Injection
   4.11.6 Testing for Client Side Resource Manipulation
   4.11.7 Testing Cross Origin Resource Sharing
   4.11.8 Testing for Cross Site Flashing
   4.11.9 Testing for Clickjacking
   4.11.10 Testing WebSockets
   4.11.11 Testing Web Messaging
   4.11.12 Testing Browser Storage
   4.11.13 Testing for Cross Site Script Inclusion
  • 35. TOOLS OF TRADE
   OWASP ZAP

Editor's Notes

  1. The OWASP Testing Guide has an important role to play in solving this serious issue. It is vitally important that our approach to testing software for security issues is based on the principles of engineering and science. We need a consistent, repeatable and defined approach to testing web applications. A world without some minimal standards in terms of engineering and technology is a world in chaos. It goes without saying that we can’t build a secure application without performing security testing on it. Testing is part of a wider approach to build a secure system. Many software development organizations do not include security testing as part of their standard software development process. Security testing, by itself, isn’t a particularly good stand-alone measure of how secure an application is, because there are an infinite number of ways that an attacker might be able to make an application break, and it simply isn’t possible to test them all. We can’t hack ourselves secure as we only have a limited time to test and defend where an attacker does not have such constraints. In conjunction with other OWASP projects such as the Code Review Guide, the Development Guide and tools such as OWASP ZAP, this is a great start towards building and maintaining secure applications. This Testing Guide will show you how to verify the security of your running application. I highly recommend using these guides as part of your application security initiatives.
  2. Developers should use this guide to ensure that they are producing secure code. These tests should be a part of normal code and unit testing procedures. Software testers and QA should use this guide to expand the set of test cases they apply to applications. Catching these vulnerabilities early saves considerable time and effort later. Security specialists should use this guide in combination with other techniques as one way to verify that no security holes have been missed in an application. Project Managers should consider the reason this guide exists and that security issues are manifested via bugs in code and design.
  3. Passive Testing During passive testing, a tester tries to understand the application’s logic and explores the application as a user. Tools can be used for information gathering. For example, an HTTP proxy can be used to observe all the HTTP requests and responses. At the end of this phase, the tester should understand all the access points (gates) of the application (e.g., HTTP headers, parameters, and cookies). The Information Gathering section explains how to perform passive testing. For example, a tester may find a page at the following URL: https://www.example.com/login/Authentic_Form.html This may indicate an authentication form where the application requests a username and a password. The following parameters represent two access points (gates) to the application: http://www.example.com/Appx.jsp?a=1&b=1 In this case, the application shows two gates (parameters a and b). All the gates found in this phase represent a point of testing. A spreadsheet with the directory tree of the application and all the access points may be useful during active testing. Active Testing During active testing, a tester begins to use the methodologies described in the following sections. The set of active tests has been split into 11 sub-categories for a total of 91 controls: Configuration and Deployment Management Testing, Identity Management Testing, Authentication Testing, Authorization Testing, Session Management Testing, Input Validation Testing, Error Handling, Cryptography, Business Logic Testing, Client Side Testing.
  4. The aim of the project is to help people understand the what, why, when, where, and how of testing web applications. The project is a complete testing framework, not merely a simple checklist or prescription of issues that should be addressed. The Testing Guide describes in detail both the general testing framework and the techniques required to implement the framework in practice. Writing the Testing Guide has proven to be a difficult task. It was a challenge to obtain consensus and develop content that allowed people to apply the concepts described in the guide, while also enabling them to work in their own environment and culture. It was also a challenge to change the focus of web application testing from penetration testing to testing integrated in the software development life cycle. However, the group is very satisfied with the results of the project. Many industry experts and security professionals, some of whom are responsible for software security at some of the largest companies in the world, are validating the testing framework. This framework helps organizations test their web applications in order to build reliable and secure software. The framework does not simply highlight areas of weakness, although that is certainly a by-product of many of the OWASP guides and checklists. As such, hard decisions had to be made about the appropriateness of certain testing techniques and technologies. The group fully understands that not everyone will agree with all of these decisions. However, OWASP is able to take the high ground and change culture over time through awareness and education, based on consensus and experience. Chapter 3 presents the OWASP Testing Framework and explains its techniques and tasks in relation to the various phases of the software development life cycle. Chapter 4 covers how to test for specific vulnerabilities (e.g., SQL Injection) by code inspection and penetration testing.
  6. Form submission – How do you know a form is present? Submitted the form: Authenticated or Unauthenticated? What was the id? Session management – persist? Validation of data? If validation worked, what if there was an error? How was cryptography used? Reflecting the output to the client? What could be the client side issues? Something which tools can help with?
  7. The Testing Guide has the following modules, which help with information gathering. Screenshot of fingerprinting with Wappalyzer.
  8. Some tools are universal; others are optional and specific to a particular use case.
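Note 3 above describes the outcome of passive testing as a spreadsheet of the application's access points (gates): paths, parameters, cookies and headers seen through an HTTP proxy. The script below is an added example, not part of the slides or the WSTG; it enumerates those gates from constructed raw requests in the shape an intercepting proxy would record, using the example URLs from the note, and generalizes the "parameters a and b" case to body fields, cookies and non-standard headers.

```python
# Added example (not from the slides or the WSTG): enumerate access points
# ("gates") from proxy-captured requests, as note 3 suggests doing during
# passive testing. All requests below are constructed sample data.
from urllib.parse import urlsplit, parse_qsl
from http.cookies import SimpleCookie

# Constructed sample: raw HTTP requests as an intercepting proxy records them.
CAPTURED_REQUESTS = [
    "GET /login/Authentic_Form.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "GET /Appx.jsp?a=1&b=1 HTTP/1.1\r\nHost: www.example.com\r\n"
    "Cookie: JSESSIONID=abc123; theme=dark\r\n\r\n",
    "POST /login/Authenticate HTTP/1.1\r\nHost: www.example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "X-Requested-With: XMLHttpRequest\r\n\r\n"
    "username=alice&password=secret",
]

# Headers every browser sends; they are not application-specific gates.
STANDARD_HEADERS = {"host", "content-type", "content-length", "cookie",
                    "user-agent", "accept"}

def enumerate_gates(raw_request):
    """Return a sorted list of (kind, location, name) gates in one request."""
    head, _, body = raw_request.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _ = request_line.split(" ", 2)
    url = urlsplit(target)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    gates = {("path", f"{method} {url.path}", "")}          # the URL itself
    for name, _ in parse_qsl(url.query, keep_blank_values=True):
        gates.add(("query", url.path, name))                 # e.g. a and b
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for name, _ in parse_qsl(body, keep_blank_values=True):
            gates.add(("body", url.path, name))              # form fields
    if "cookie" in headers:
        cookie = SimpleCookie()
        cookie.load(headers["cookie"])
        for name in cookie:
            gates.add(("cookie", url.path, name))            # session/state
    for name in headers:
        if name not in STANDARD_HEADERS:
            gates.add(("header", url.path, name))            # custom headers
    return sorted(gates)

def build_gate_table(requests):
    """Deduplicate gates across all captured requests into one sorted table."""
    return sorted({g for r in requests for g in enumerate_gates(r)})
```

Each row of `build_gate_table(CAPTURED_REQUESTS)` is one point of testing to carry into the active phase; feeding it real proxy exports instead of the constructed list is the only change needed.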