OWASP Guide 3.0 Penetration Testing Standards

This project’s goal is to create a “best practices” web application penetration testing framework which users can implement in their own organizations and a “low level” web application penetration testing guide that describes how to find certain issues.

Version 3 of the Testing Guide was released in December 2008.



4.1 Introduction and Objectives

4.1.1 Testing Checklist

4.2 Information Gathering

4.2.1 Spiders, Robots and Crawlers (OWASP-IG-001)

4.2.2 Search Engine Discovery/Reconnaissance (OWASP-IG-002)

4.2.3 Identify application entry points (OWASP-IG-003)

4.2.4 Testing for Web Application Fingerprint (OWASP-IG-004)

4.2.5 Application Discovery (OWASP-IG-005)

4.2.6 Analysis of Error Codes (OWASP-IG-006)



4.3 Configuration Management Testing

4.3.1 SSL/TLS Testing (SSL Version, Algorithms, Key length, Digital Cert. Validity) (OWASP-CM-001)

4.3.2 DB Listener Testing (OWASP-CM-002)

4.3.3 Infrastructure Configuration Management Testing (OWASP-CM-003)

4.3.4 Application Configuration Management Testing (OWASP-CM-004)

4.3.5 Testing for File Extensions Handling (OWASP-CM-005)

4.3.6 Old, Backup and Unreferenced Files (OWASP-CM-006)

4.3.7 Infrastructure and Application Admin Interfaces (OWASP-CM-007)

4.3.8 Testing for HTTP Methods and Cross Site Tracing (XST) (OWASP-CM-008)



4.4 Authentication Testing

4.4.1 Credentials transport over an encrypted channel (OWASP-AT-001)

4.4.2 Testing for user enumeration (OWASP-AT-002)

4.4.3 Testing for Guessable (Dictionary) User Account (OWASP-AT-003)

4.4.4 Brute Force Testing (OWASP-AT-004)

4.4.5 Testing for bypassing authentication schema (OWASP-AT-005)

4.4.6 Testing for vulnerable remember password and pwd reset (OWASP-AT-006)

4.4.7 Testing for Logout and Browser Cache Management (OWASP-AT-007)

4.4.8 Testing for CAPTCHA (OWASP-AT-008)

4.4.9 Testing Multiple Factors Authentication (OWASP-AT-009)

4.4.10 Testing for Race Conditions (OWASP-AT-010)



4.5 Session Management Testing

4.5.1 Testing for Session Management Schema (OWASP-SM-001)

4.5.2 Testing for Cookies attributes (OWASP-SM-002)

4.5.3 Testing for Session Fixation (OWASP-SM-003)

4.5.4 Testing for Exposed Session Variables (OWASP-SM-004)

4.5.5 Testing for Cross Site Request Forgery (CSRF) (OWASP-SM-005)



4.6 Authorization Testing

4.6.1 Testing for path traversal (OWASP-AZ-001)

4.6.2 Testing for bypassing authorization schema (OWASP-AZ-002)

4.6.3 Testing for Privilege Escalation (OWASP-AZ-003)

4.7 Business Logic Testing (OWASP-BL-001)



4.8 Data Validation Testing

4.8.1 Testing for Reflected Cross Site Scripting (OWASP-DV-001)

4.8.2 Testing for Stored Cross Site Scripting (OWASP-DV-002)

4.8.3 Testing for DOM based Cross Site Scripting (OWASP-DV-003)

4.8.4 Testing for Cross Site Flashing (OWASP-DV-004)

4.8.5 Testing for SQL Injection (OWASP-DV-005) Oracle Testing MySQL Testing SQL Server Testing MS Access Testing Testing PostgreSQL (from OWASP BSP)

4.8.6 Testing for LDAP Injection (OWASP-DV-006)

4.8.7 Testing for ORM Injection (OWASP-DV-007)

4.8.8 Testing for XML Injection (OWASP-DV-008)

4.8.9 Testing for SSI Injection (OWASP-DV-009)

4.8.10 Testing for XPath Injection (OWASP-DV-010)

4.8.11 IMAP/SMTP Injection (OWASP-DV-011)

4.8.12 Testing for Code Injection (OWASP-DV-012)

4.8.13 Testing for Command Injection (OWASP-DV-013)

4.8.14 Testing for Buffer overflow (OWASP-DV-014) Testing for Heap overflow Testing for Stack overflow Testing for Format string

4.8.15 Testing for incubated vulnerabilities (OWASP-DV-015)

4.8.16 Testing for HTTP Splitting/Smuggling (OWASP-DV-016)



4.9 Testing for Denial of Service

4.9.1 Testing for SQL Wildcard Attacks (OWASP-DS-001)

4.9.2 Testing for DoS Locking Customer Accounts (OWASP-DS-002)

4.9.3 Testing for DoS Buffer Overflows (OWASP-DS-003)

4.9.4 Testing for DoS User Specified Object Allocation (OWASP-DS-004)

4.9.5 Testing for User Input as a Loop Counter (OWASP-DS-005)

4.9.6 Testing for Writing User Provided Data to Disk (OWASP-DS-006)

4.9.7 Testing for DoS Failure to Release Resources (OWASP-DS-007)

4.9.8 Testing for Storing too Much Data in Session (OWASP-DS-008)



4.10 Web Services Testing

4.10.1 WS Information Gathering (OWASP-WS-001)

4.10.2 Testing WSDL (OWASP-WS-002)

4.10.3 XML Structural Testing (OWASP-WS-003)

4.10.4 XML Content-level Testing (OWASP-WS-004)

4.10.5 HTTP GET parameters/REST Testing (OWASP-WS-005)

4.10.6 Naughty SOAP attachments (OWASP-WS-006)

4.10.7 Replay Testing (OWASP-WS-007)



4.11 AJAX Testing

4.11.1 AJAX Vulnerabilities (OWASP-AJ-001)

4.11.2 How to test AJAX (OWASP-AJ-002)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s