OWASP Testing Guide


OWASP TESTING GUIDE 2008 V3.0
© 2002-2008 OWASP Foundation

This document is licensed under the Creative Commons Attribution-ShareAlike 3.0 license. You must attribute your version to the OWASP Testing or the OWASP Foundation.

Table of Contents

Foreword
  Why OWASP?
  Tailoring and Prioritizing
  The Role of Automated Tools
  Call to Action
1. Frontispiece
  Welcome to the OWASP Testing Guide 3.0
  About The Open Web Application Security Project
2. Introduction
  Principles of Testing
  Testing Techniques Explained
  Security Requirements Test Derivation
3. The OWASP Testing Framework
  Overview
  Phase 1: Before Development Begins
  Phase 2: During Definition and Design
  Phase 3: During Development
  Phase 4: During Deployment
  Phase 5: Maintenance and Operations
4. Web Application Penetration Testing
  4.1 Introduction and Objectives
  4.2 Information Gathering
    4.2.1 Testing: Spiders, Robots, and Crawlers (OWASP-IG-001)
    4.2.2 Search Engine Discovery/Reconnaissance (OWASP-IG-002)
    4.2.3 Identify Application Entry Points (OWASP-IG-003)
    4.2.4 Testing for Web Application Fingerprint (OWASP-IG-004)
    4.2.5 Application Discovery (OWASP-IG-005)
    4.2.6 Analysis of Error Codes (OWASP-IG-006)
  4.3 Configuration Management Testing
    4.3.1 SSL/TLS Testing (OWASP-CM-001)
    4.3.2 DB Listener Testing (OWASP-CM-002)
    4.3.3 Infrastructure Configuration Management Testing (OWASP-CM-003)
    4.3.4 Application Configuration Management Testing (OWASP-CM-004)
    4.3.5 Testing for File Extensions Handling (OWASP-CM-005)
    4.3.6 Old, Backup and Unreferenced Files (OWASP-CM-006)
    4.3.7 Infrastructure and Application Admin Interfaces (OWASP-CM-007)
    4.3.8 Testing for HTTP Methods and XST (OWASP-CM-008)
  4.4 Authentication Testing
    4.4.1 Credentials Transport over an Encrypted Channel (OWASP-AT-001)
    4.4.2 Testing for User Enumeration (OWASP-AT-002)
    4.4.3 Default or Guessable (Dictionary) User Account (OWASP-AT-003)
    4.4.4 Testing for Brute Force (OWASP-AT-004)
    4.4.5 Testing for Bypassing Authentication Schema (OWASP-AT-005)
    4.4.6 Testing for Vulnerable Remember Password and Password Reset (OWASP-AT-006)
    4.4.7 Testing for Logout and Browser Cache Management (OWASP-AT-007)
    4.4.8 Testing for Captcha (OWASP-AT-008)
    4.4.9 Testing for Multiple Factors Authentication (OWASP-AT-009)
    4.4.10 Testing for Race Conditions (OWASP-AT-010)
  4.5 Session Management Testing
    4.5.1 Testing for Session Management Schema (OWASP-SM-001)
    4.5.2 Testing for Cookies Attributes (OWASP-SM-002)
    4.5.3 Testing for Session Fixation (OWASP-SM-003)
    4.5.4 Testing for Exposed Session Variables (OWASP-SM-004)
    4.5.5 Testing for CSRF (OWASP-SM-005)
  4.6 Authorization Testing
    4.6.1 Testing for Path Traversal (OWASP-AZ-001)
    4.6.2 Testing for Bypassing Authorization

Details

  • File Type
    pdf
  • Content Languages
    English
  • File Pages
    349 pages