I have been meaning to write this post for a long time.

OWASP (Open Web Application Security Project) is an open community and non-profit organization. Its main goal is to research and help produce the standards, tools and technical documentation that address web software security, and it has long been committed to helping governments and enterprises understand and improve the security of web applications and web services.

A version of the Testing Guide came out around December 2008. This year a revised v3.0 was released.

OK, in summary: this testing guide is divided into five chapters.

Chapter 1 is the opening chapter; skip it.

Chapter 2 is the introduction; skip it as well.

Chapter 3 more or less gets into the real subject, the testing framework. It broadly covers the importance and necessity of testing at each stage, along with the general direction of testing at each stage and the key points to watch out for.

The key part is Chapter 4, which lists the individual test items.
| Category | Ref. Number | Test Name | Vulnerability |
|---|---|---|---|
| Information Gathering | OWASP-IG-001 | Spiders, Robots and Crawlers | N.A. |
| | OWASP-IG-002 | Search Engine Discovery/Reconnaissance | N.A. |
| | OWASP-IG-003 | Identify application entry points | N.A. |
| | OWASP-IG-004 | Testing for Web Application Fingerprint | N.A. |
| | OWASP-IG-005 | Application Discovery | N.A. |
| | OWASP-IG-006 | Analysis of Error Codes | Information Disclosure |
| Configuration Management Testing | OWASP-CM-001 | SSL/TLS Testing (SSL Version, Algorithms, Key length, Digital Cert. Validity) | SSL Weakness |
| | OWASP-CM-002 | DB Listener Testing | DB Listener weak |
| | OWASP-CM-003 | Infrastructure Configuration Management Testing | Infrastructure Configuration management weakness |
| | OWASP-CM-004 | Application Configuration Management Testing | Application Configuration management weakness |
| | OWASP-CM-005 | Testing for File Extensions Handling | File extensions handling |
| | OWASP-CM-006 | Old, backup and unreferenced files | Old, backup and unreferenced files |
| | OWASP-CM-007 | Infrastructure and Application Admin Interfaces | Access to Admin interfaces |
| | OWASP-CM-008 | Testing for HTTP Methods and XST | HTTP Methods enabled, XST permitted, HTTP Verb |
| Authentication Testing | OWASP-AT-001 | Credentials transport over an encrypted channel | Credentials transport over an encrypted channel |
| | OWASP-AT-002 | Testing for user enumeration | User enumeration |
| | OWASP-AT-003 | Testing for Guessable (Dictionary) User Account | Guessable user account |
| | OWASP-AT-004 | Brute Force Testing | Credentials Brute forcing |
| | OWASP-AT-005 | Testing for bypassing authentication schema | Bypassing authentication schema |
| | OWASP-AT-006 | Testing for vulnerable remember password and pwd reset | Vulnerable remember password, weak pwd reset |
| | OWASP-AT-007 | Testing for Logout and Browser Cache Management | Logout function not properly implemented, browser cache weakness |
| | OWASP-AT-008 | Testing for CAPTCHA | Weak Captcha implementation |
| | OWASP-AT-009 | Testing Multiple Factors Authentication | Weak Multiple Factors Authentication |
| | OWASP-AT-010 | Testing for Race Conditions | Race Conditions vulnerability |
| Session Management | OWASP-SM-001 | Testing for Session Management Schema | Bypassing Session Management Schema, Weak Session Token |
| | OWASP-SM-002 | Testing for Cookies attributes | Cookies are set not ‘HTTP Only’, ‘Secure’, and no time validity |
| | OWASP-SM-003 | Testing for Session Fixation | Session Fixation |
| | OWASP-SM-004 | Testing for Exposed Session Variables | Exposed sensitive session variables |
| | OWASP-SM-005 | Testing for CSRF | CSRF |
| Authorization Testing | OWASP-AZ-001 | Testing for Path Traversal | Path Traversal |
| | OWASP-AZ-002 | Testing for bypassing authorization schema | Bypassing authorization schema |
| | OWASP-AZ-003 | Testing for Privilege Escalation | Privilege Escalation |
| Business logic testing | OWASP-BL-001 | Testing for business logic | Bypassable business logic |
| Data Validation Testing | OWASP-DV-001 | Testing for Reflected Cross Site Scripting | Reflected XSS |
| | OWASP-DV-002 | Testing for Stored Cross Site Scripting | Stored XSS |
| | OWASP-DV-003 | Testing for DOM based Cross Site Scripting | DOM XSS |
| | OWASP-DV-004 | Testing for Cross Site Flashing | Cross Site Flashing |
| | OWASP-DV-005 | SQL Injection | SQL Injection |
| | OWASP-DV-006 | LDAP Injection | LDAP Injection |
| | OWASP-DV-007 | ORM Injection | ORM Injection |
| | OWASP-DV-008 | XML Injection | XML Injection |
| | OWASP-DV-009 | SSI Injection | SSI Injection |
| | OWASP-DV-010 | XPath Injection | XPath Injection |
| | OWASP-DV-011 | IMAP/SMTP Injection | IMAP/SMTP Injection |
| | OWASP-DV-012 | Code Injection | Code Injection |
| | OWASP-DV-013 | OS Commanding | OS Commanding |
| | OWASP-DV-014 | Buffer overflow | Buffer overflow |
| | OWASP-DV-015 | Incubated vulnerability Testing | Incubated vulnerability |
| | OWASP-DV-016 | Testing for HTTP Splitting/Smuggling | HTTP Splitting, Smuggling |
| Denial of Service Testing | OWASP-DS-001 | Testing for SQL Wildcard Attacks | SQL Wildcard vulnerability |
| | OWASP-DS-002 | Locking Customer Accounts | Locking Customer Accounts |
| | OWASP-DS-003 | Testing for DoS Buffer Overflows | Buffer Overflows |
| | OWASP-DS-004 | User Specified Object Allocation | User Specified Object Allocation |
| | OWASP-DS-005 | User Input as a Loop Counter | User Input as a Loop Counter |
| | OWASP-DS-006 | Writing User Provided Data to Disk | Writing User Provided Data to Disk |
| | OWASP-DS-007 | Failure to Release Resources | Failure to Release Resources |
| | OWASP-DS-008 | Storing too Much Data in Session | Storing too Much Data in Session |
| Web Services Testing | OWASP-WS-001 | WS Information Gathering | N.A. |
| | OWASP-WS-002 | Testing WSDL | WSDL Weakness |
| | OWASP-WS-003 | XML Structural Testing | Weak XML Structure |
| | OWASP-WS-004 | XML content-level Testing | XML content-level |
| | OWASP-WS-005 | HTTP GET parameters/REST Testing | WS HTTP GET parameters/REST |
| | OWASP-WS-006 | Naughty SOAP attachments | WS Naughty SOAP attachments |
| | OWASP-WS-007 | Replay Testing | WS Replay Testing |
| AJAX Testing | OWASP-AJ-001 | AJAX Vulnerabilities | N.A. |
| | OWASP-AJ-002 | AJAX Testing | AJAX weakness |