
What is the OWASP Testing Guide?

© Coventry University. CC BY-NC 4.0

The OWASP Testing Guide is being developed as part of the OWASP Testing Project of the Open Web Application Security Project (OWASP). It is not a complete methodology covering a full penetration test; it focuses only on the core testing phases of web application security testing.

What is the OWASP guide for?

The guide provides a detailed discussion of the security assessment of web applications and their deployment stack, including web server configuration. It follows a black-box pentesting approach and is comprehensive on the ‘what’ and the ‘when’. There is also some guidance on the ‘how’, mainly in the form of lists of tools that can be used in each step or task.

The main phases defined by the OWASP Testing Guide (OWASP 2017)

  • Information gathering – covering exposure assessment and deployment fingerprinting
  • Configuration and deployment management testing – assessing the server security configuration
  • Web application security testing – a set of steps testing for specific web application vulnerabilities:
    • Identity management testing – assessing user account management
    • Authentication testing – assessing authentication methods
    • Authorisation testing – testing for authorisation bypass and privilege escalation vulnerabilities
    • Session management testing – finding session management flaws such as cross-site request forgery
    • Input validation testing – assessing vulnerabilities such as cross-site scripting and many of the injection flaws
    • Testing for error handling – looking for error message leaks
    • Testing for weak cryptography – assessing the encryption used
    • Business logic testing – covers a number of common flaws in business logic implementation
    • Client-side testing – looks for vulnerabilities such as JavaScript execution, HTML or CSS injection
  • Reporting – the final phase of the testing project as discussed in the guide

The OWASP community is very active, making this methodology one of the best maintained, most comprehensive and most up-to-date. With many pentesting projects now including some form of web application, the OWASP Testing Guide is definitely one you should be familiar with and be able to take advantage of when required.


Open Web Application Security Project (OWASP) (2017) OWASP Testing Guide 4.0 [online] available from [1 May 2020]

This article is from the free online

Ethical Hacking: An Introduction
