
OWASP's OTG
The most widely accepted reference in web pen testing is the OWASP Testing Guide, also known as the OTG, Version 4 (https://www.owasp.org/index.php/OWASP_Testing_Project). OWASP has led the field for many years thanks to heavy participation from the community and its stellar reputation for anticipating trends and teaching the community to test against them. OWASP's influence is a major driver in presentations at conferences such as those run by SANS, Black Hat, and DevCon, and its Top 10 web security threats are a must-read for any of us.
The OTG, much like the NIST guidance, provides tips and pointers for incorporating testing in the appropriate phases. OWASP maintains the OTG more regularly than the other full-coverage frameworks discussed previously, with new releases of both the Top 10 and the OTG every three to four years. The bulk of the OTG, however, dives right into the web-specific testing that can provide full coverage of not only the Top 10 threats but a whole host of vulnerabilities that are actively tracked by the OWASP team.
While the OTG covers a lot of ground, it begins with a primer that includes OWASP's best practices for the SDLC and the proper phases for tests. The OTG also goes beyond technical vulnerabilities to show how target customers may benefit from red teaming (conducting mock security intrusions) and the many reconnaissance and footprinting aspects particular to web pen testing. Once this foundation is discussed, the following sections break web app pen testing down into logical groups, each focused on a specific area of the architecture that can be covered by similar tests and tools, and in similar phases of development or deployment:
- Identity management, authentication, and authorization
- Session management
- Input validation
- Error handling
- Cryptography
- Business logic (the processing and manipulation of data based on inputs or updates)
- Client-side (typically victim browsers)
If you haven't guessed by now, the OWASP Testing Guide is what we'll be referring to as our foundation throughout this book. In practice, other frameworks may work better for you, but the currency, focus, and completeness of the OTG, the accessibility of its documentation, and the tests it recommends provide a firm foundation for using it with Kali Linux to test our target applications.