OWASP Penetration Testing Methodology
The OWASP Testing Guide is being developed as part of the OWASP Testing Project of the Open Web Application Security Project (OWASP). It is not a complete methodology covering a full penetration test. It focuses only on the core testing phases of web application security testing.
The guide provides a detailed discussion of the security assessment of web applications as well as their deployment stack, including web server configuration. It follows a black-box pentesting approach and is comprehensive on the ‘what’ and ‘when’ of testing. There is also some guidance on the ‘how’, mainly in the form of lists of the tools which can be used in each step or task.
The main phases defined by the OWASP Testing Guide are:
- Information gathering – covering exposure assessment and deployment fingerprinting
- Configuration and deployment management testing – assessing the server security configuration
- Web application security testing – listing a set of steps testing for specific web application vulnerabilities:
  - Identity management testing – assessing user account management
  - Authentication testing – assessing authentication methods
  - Authorisation testing – testing for authorisation bypass and privilege escalation vulnerabilities
  - Session management testing – finding session management flaws such as cross-site request forgery
  - Input validation testing – assessing vulnerabilities such as cross-site scripting and many of the injection flaws
  - Testing for error handling – looking for error message leaks
  - Testing for weak cryptography – assessing the encryption used
  - Business logic testing – covering a number of common flaws in business logic implementation
- Reporting – the final phase of the testing project as discussed in the guide
The OWASP community is very active, making this methodology one of the best maintained, most comprehensive and most up to date. With many pentesting projects nowadays including some form of web application, the OWASP Testing Guide is definitely one you should be familiar with and be able to take advantage of when required.
Open Web Application Security Project (OWASP) (2017) OWASP Testing Guide v4 [online] Available from https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents [11 April 2019]
© Coventry University. CC BY-NC 4.0