owasp安全测试指南V4-测试大纲(中文)

OWASP安全测试指南V4测试大纲使用搜索引擎发现和侦查信息泄漏webserver指纹识别审查webserver元文件信息泄漏枚举webserver上的应用审查网页注释和元数据中的信息泄漏识别应用入口通过应用绘出执行路径图web应用框架指纹识别web应用指纹识别绘出应用架构图测试网络/基础设施配置测试应用平台配置测试文件扩展名处理中的敏感信息审查旧文件、备份文件和未被引用的文件中的敏感信息枚举基础设施和应用程序管理界面测试HTTP方法测试HTTP严格传输安全测试RIA跨域策略测试角色定义测试用户注册过程测试账户设置过程测试账户枚举和可猜解用户账户测试弱用户名策略测试加密信道证书传输测试默认证书测试弱锁定机制测试认证模式绕过测试记住密码功能测试浏览器缓存弱点测试弱密码机制测试弱安全问题/答案测试弱密码修改和重置功能测试备用信道的弱认证测试路径遍历/文件包含测试绕过授权模式测试特权升级测试不安全的直接对象引用测试绕过会话管理模式测试cookies属性信息收集配置和开发管理测试身份管理测试认证测试授权测试会话管理测试测试会话固定测试会话变量泄漏测试跨站请求伪造CSRF测试注销功能测试会话超时测试会话变量超载测试反射型跨站脚本测试存储型跨站脚本测试HTTP方法篡改测试HTTP参数污染测试oracle测试MySQL测试SQLServer测试PostgreSQL（一种开源关系型数据库，特点是功能强大，支持面向对象等测试MSAccess测试NoSQL注入测试LDAP注入测试ORM注入测试XML注入测试SSI注入测试Xpath注入测试IMAP/SMPT注入测试本地文件测试远程文件测试命令注入测试堆溢出测试栈溢出测试代码注入测试sql注入会话管理测试输入验证测试测试缓冲区溢出测试格式化字测试潜伏式漏洞测试HTTPSplitting/Smuggling（拆分/分析错误代码分析堆栈踪迹测试弱SSL/TLS密码，不足的传输层保护测试PaddingOracle测试通过未加密的通道发送敏感信息测试业务逻辑数据验证测试伪造请求能力测试完整性检查测试处理时间测试一个功能可被使用的次数限制测试工作流欺骗测试防御应用的错误使用测试意外文件类型上传测试上传恶意文件测试基于DOM的跨站脚本测试JavaScript执行测试HTML注入测试客户端URL重定向测试CSS注入测试客户端资源操作测试跨域资源共享测试跨站flash测试点击劫持测试webcockets测试web消息测试本地存储输入验证测试测试错误处理测试弱密码测试业务逻辑客户端测试测试缓冲区溢出OWASP安全测试指南V4测试大纲4.2InformationGathering 4.2.1ConductSearchEngineDiscoveryandReconnaissanceforInformationLeakage(OTG-INFO-001) 4.2.2FingerprintWebServer(OTG-INFO-002) 4.2.3ReviewWebserverMetafilesforInformationLeakage(OTG-INFO-003) 4.2.4EnumerateApplicationsonWebserver(OTG-INFO-004) 4.2.5ReviewWebpageCommentsandMetadataforInformationLeakage(OTG-INFO-005) 4.2.6Identifyapplicationentrypoints(OTG-INFO-006) 4.2.7Mapexecutionpathsthroughapplication(OTG-INFO-007)4.2.8FingerprintWebApplicationFramework(OTG-INFO-008) 4.2.9FingerprintWebApplication(OTG-INFO-009) 4.2.10MapApplicationArchitecture(OTG-INFO-010) 4.3ConfigurationandDeploymentManagementTesting 4.3.1TestNetwork/InfrastructureConfiguration(OTG-CONFIG-001) 4.3.2TestApplicationPlatformConfiguration(OTG-CONFIG-002) 4.3.3TestFileExtensionsHandlingforSensitiveInformation(OTG-CONFIG-003) 4.3.4ReviewOld,BackupandUnreferencedFilesforSensitiveInformation(OTG-CONFIG-004) 4.3.5EnumerateInfrastructureandApplicationAdminInterfaces(OTG-CONFIG-005) 4.3.6TestHTTPMethods(OTG-CONFIG-006) 4.3.7TestHTTPStrictTransportSecurity(OTG-CONFIG-007) 4.3.8TestRIAcrossdomainpolicy(OTG-CONFIG-008) 4.4IdentityManagementTesting4.4.1TestRoleDefinitions(OTG-IDENT-001)4.4.2TestUserRegistrationProcess(OTG-IDENT-002)4.4.3TestAccountProvisioningProcess(OTG-IDENT-003)4.4.4TestingforAccountEnumerationandGuessableUserAccount(OTG-IDENT-004) 4.4.5TestingforWeakorunenforcedusernamepolicy(OTG-IDENT-005)4.5AuthenticationTesting 4.5.1TestingforCredentialsTransportedoveranEncryptedChannel(OTG-AUTHN-001)4.5.2Testingfordefaultcredentials(OTG-AUTHN-002)4.5.3TestingforWeaklockoutmechanism(OTG-AUTHN-003)4.5.4Testingforbypassingauthenticationschema(OTG-AUTHN-004)4.5.5Testrememberpasswordfunctionality(OTG-AUTHN-005)4.5.6TestingforBrowsercacheweakness(OTG-AUTHN-006)4.5.7TestingforWeakpasswordpolicy(OTG-AUTHN-007)4.5.8TestingforWeaksecurityquestion/answer(OTG-AUTHN-008)4.5.9Testingforweakpasswordchangeorresetfunctionalities(OTG-AUTHN-009)4.5.10TestingforWeakerauthenticationinalternativechannel(OTG-AUTHN-010)4.6AuthorizationTesting4.6.1TestingDirectorytraversal/fileinclude(OTG-AUTHZ-001)4.6.2Testingforbypassingauthorizationschema(OTG-AUTHZ-002)4.6.3TestingforPrivilegeEscalation(OTG-AUTHZ-003)4.6.4TestingforInsecureDirectObjectReferences(OTG-AUTHZ-004)4.7SessionManagementTesting4.7.1TestingforBypassingSessionManagementSchema(OTG-SESS-001)4.7.2TestingforCookiesattributes(OTG-SESS-002)4.7.3TestingforSessionFixation(OTG-SESS-003)4.7.4TestingforExposedSessionVariables(OTG-SESS-004)4.7.5TestingforCrossSiteRequestForgery(CSRF)(OTG-SESS-005)4.7.6Testingforlogoutfunctionality(OTG-SESS-006)4.7.7TestSessionTimeout(OTG-SESS-007)4.7.8TestingforSessionpuzzling(OTG-SESS-008)4.8InputValidationTesting4.8.1TestingforReflectedCrossSiteScripting(OTG-INPVAL-001)4.8.2TestingforStoredCrossSiteScripting(OTG-INPVAL-002)4.8.3TestingforHTTPVerbTampering(OTG-INPVAL-003)4.8.4TestingforHTTPParameterpollution(OTG-INPVAL-004) 4.8.5TestingforSQLInjection(OTG-INPVAL-005)4.8.5.1OracleTesting4.8.5.2MySQLTesting4.8.5.3SQLServerTesting4.8.5.4TestingPostgreSQL(fromOWASPBSP) 4.8.5.5MSAccessTesting4.8.5.6TestingforNoSQLinjection4.8.6TestingforLDAPInjection(OTG-INPVAL-006)4.8.7TestingforORMInjection(OTG-INPVAL-007)4.8.8TestingforXMLInjection(OTG-INPVAL-008)4.8.9TestingforSSIInjection(OTG-INPVAL-009)4.8.10TestingforXPathInjection(OTG-INPVAL-010)4.8.11IMAP/SMTPInjection(OTG-INPVAL-011)4.8.12TestingforCodeInjection(OTG-INPVAL-012)4.8.12.1TestingforLocalFileInclusion4.8.12.2TestingforRemoteFileInclusion4.8.13TestingforCommandInjection(OTG-INPVAL-013)4.8.14TestingforBufferoverflow(OTG-INPVAL-014)4.8.14.1TestingforHeapoverflow4.8.14.2TestingforStackoverflow4.8.14.3TestingforFormatstring4.8.15Testingforincubatedvulnerabilities(OTG-INPVAL-015)4.8.16TestingforHTTPSplitting/Smuggling(OTG-INPVAL-016) 4.9TestingforErrorHandling4.9.1AnalysisofErrorCodes(OTG-ERR-001)4.9.2AnalysisofStackTraces(OTG-ERR-002)4.10Testingfo