早就想寫這個日誌了。
OWASP( 開放 Web 軟體安全項目 - Open Web Application Security Project) 是一個開放社羣、非營利性組織,其主要目標是研議協助解決 Web 軟體安全之標準、工具與技術文件,長期致力於協助政府或企業瞭解並改善網頁應用程式與網頁服務的安全性。
大概是 2008 年 12 月出了一個版本的 testing guide (測試指南)。今年修訂出一個 v3.0 版本。
OK ,摘要的說一下,這個測試指南一共分五章。
第一章開門篇,忽略;
第二章,介紹,也忽略;
第三章差不多進入正題,說測試框架。大致講每個階段測試的重要性和必要性,以及每個階段測試的大體方向和需要注意的要點。
關鍵是第四章,是各個測試項。
|
Category |
Ref. Number |
Test Name |
Vulnerability |
|
Information Gathering |
OWASP-IG-001 |
Spiders, Robots and Crawlers -
|
N.A. |
|
OWASP-IG-002 |
Search Engine Discovery/Reconnaissance |
N.A. |
|
|
OWASP-IG-003 |
Identify application entry points |
N.A. |
|
|
OWASP-IG-004 |
Testing for Web Application Fingerprint |
N.A. |
|
|
OWASP-IG-005 |
Application Discovery |
N.A. |
|
|
OWASP-IG-006 |
Analysis of Error Codes |
Information Disclosure |
|
|
Configuration Management Testing |
OWASP-CM-001 |
SSL/TLS Testing (SSL Version, Algorithms, Key length, Digital Cert. Validity) |
SSL Weakness |
|
OWASP-CM-002 |
DB Listener Testing |
DB Listener weak |
|
|
OWASP-CM-003 |
Infrastructure Configuration Management Testing |
Infrastructure Configuration management weakness |
|
|
OWASP-CM-004 |
Application Configuration Management Testing |
Application Configuration management weakness |
|
|
OWASP-CM-005 |
Testing for File Extensions Handling |
File extensions handling |
|
|
OWASP-CM-006 |
Old, backup and unreferenced files |
Old, backup and unreferenced files |
|
|
OWASP-CM-007 |
Infrastructure and Application Admin Interfaces |
Access to Admin interfaces |
|
|
OWASP-CM-008 |
Testing for HTTP Methods and XST |
HTTP Methods enabled, XST permitted, HTTP Verb |
|
|
Authentication Testing |
OWASP-AT-001 |
Credentials transport over an encrypted channel |
Credentials transport over an encrypted channel |
|
OWASP-AT-002 |
Testing for user enumeration |
User enumeration |
|
|
OWASP-AT-003 |
Testing for Guessable (Dictionary) User Account |
Guessable user account |
|
|
OWASP-AT-004 |
Brute Force Testing |
Credentials Brute forcing |
|
|
OWASP-AT-005 |
Testing for bypassing authentication schema |
Bypassing authentication schema |
|
|
OWASP-AT-006 |
Testing for vulnerable remember password and pwd reset |
Vulnerable remember password, weak pwd reset |
|
|
OWASP-AT-007 |
Testing for Logout and Browser Cache Management |
Logout function not properly implemented, browser cache weakness |
|
|
OWASP-AT-008 |
Testing for CAPTCHA |
Weak Captcha implementation |
|
|
OWASP-AT-009 |
Testing Multiple Factors Authentication |
Weak Multiple Factors Authentication |
|
|
OWASP-AT-010 |
Testing for Race Conditions |
Race Conditions vulnerability |
|
|
Session Management |
OWASP-SM-001 |
Testing for Session Management Schema |
Bypassing Session Management Schema, Weak Session Token |
|
OWASP-SM-002 |
Testing for Cookies attributes
|
Cookies are set not ‘HTTP Only’, ‘Secure’, and no time validity |
|
|
OWASP-SM-003 |
Testing for Session Fixation |
Session Fixation |
|
|
OWASP-SM-004 |
Testing for Exposed Session Variables |
Exposed sensitive session variables |
|
|
OWASP-SM-005 |
Testing for CSRF |
CSRF |
|
|
Authorization Testing |
OWASP-AZ-001 |
Testing for Path Traversal
|
Path Traversal |
|
OWASP-AZ-002 |
Testing for bypassing authorization schema
|
Bypassing authorization schema |
|
|
OWASP-AZ-003 |
Testing for Privilege Escalation |
Privilege Escalation |
|
|
Business logic testing |
OWASP-BL-001 |
Testing for business logic |
Bypassable business logic |
|
Data Validation Testing |
OWASP-DV-001 |
Testing for Reflected Cross Site Scripting |
Reflected XSS |
|
OWASP-DV-002 |
Testing for Stored Cross Site Scripting |
Stored XSS |
|
|
OWASP-DV-003 |
Testing for DOM based Cross Site Scripting |
DOM XSS |
|
|
OWASP-DV-004 |
Testing for Cross Site Flashing |
Cross Site Flashing |
|
|
OWASP-DV-005 |
SQL Injection |
SQL Injection |
|
|
OWASP-DV-006 |
LDAP Injection |
LDAP Injection |
|
|
OWASP-DV-007 |
ORM Injection |
ORM Injection |
|
|
OWASP-DV-008 |
XML Injection |
XML Injection |
|
|
OWASP-DV-009 |
SSI Injection |
SSI Injection |
|
|
OWASP-DV-010 |
XPath Injection |
XPath Injection |
|
|
OWASP-DV-011 |
IMAP/SMTP Injection |
IMAP/SMTP Injection |
|
|
OWASP-DV-012 |
Code Injection |
Code Injection |
|
|
OWASP-DV-013 |
OS Commanding |
OS Commanding |
|
|
OWASP-DV-014 |
Buffer overflow |
Buffer overflow |
|
|
OWASP-DV-015 |
Incubated vulnerability Testing |
Incubated vulnerability |
|
|
OWASP-DV-016 |
Testing for HTTP Splitting/Smuggling
|
HTTP Splitting, Smuggling |
|
|
Denial of Service Testing |
OWASP-DS-001 |
Testing for SQL Wildcard Attacks |
SQL Wildcard vulnerability |
|
OWASP-DS-002 |
Locking Customer Accounts |
Locking Customer Accounts |
|
|
OWASP-DS-003 |
Testing for DoS Buffer Overflows |
Buffer Overflows |
|
|
OWASP-DS-004 |
User Specified Object Allocation |
User Specified Object Allocation |
|
|
OWASP-DS-005 |
User Input as a Loop Counter |
User Input as a Loop Counter |
|
|
OWASP-DS-006 |
Writing User Provided Data to Disk |
Writing User Provided Data to Disk |
|
|
OWASP-DS-007 |
Failure to Release Resources |
Failure to Release Resources |
|
|
OWASP-DS-008 |
Storing too Much Data in Session |
Storing too Much Data in Session |
|
|
Web Services Testing |
OWASP-WS-001 |
WS Information Gathering |
N.A. |
|
OWASP-WS-002 |
Testing WSDL |
WSDL Weakness |
|
|
OWASP-WS-003 |
XML Structural Testing |
Weak XML Structure |
|
|
OWASP-WS-004 |
XML content-level Testing |
XML content-level |
|
|
OWASP-WS-005 |
HTTP GET parameters/REST Testing |
WS HTTP GET parameters/REST |
|
|
OWASP-WS-006 |
Naughty SOAP attachments |
WS Naughty SOAP attachments |
|
|
OWASP-WS-007 |
Replay Testing |
WS Replay Testing |
|
|
AJAX Testing |
OWASP-AJ-001 |
AJAX Vulnerabilities |
N.A |
|
OWASP-AJ-002 |
AJAX Testing |
AJAX weakness |
