Welcome to the OWASP Testing Guide (OTG) v5 repository!
You can download the stable version v4 here.
Join the Testing Guide Google Group if there are things you want to discuss: https://groups.google.com/a/owasp.org/forum/#!forum/testing-guide-project
- Check out the issue tracker and tackle creating some new content.
- Read through some content and provide feedback (new issues with specific quotes/issues and potential solutions).
- Clean up existing v4 content (the migration from the OWASP MediaWiki to GitHub markup wasn't seamless, so there is lots of stuff that can be tackled). (Ex: Existing clean-up PRs)
- Please don't write in the first person (Ex: no "I" or "Me" statements).
- Please do use Title Caps for headings, using Title Capitalization as defined by the 'Chicago Manual of Style'. For quick reference you can use this online tool: https://capitalizemytitle.com/#Chicago (make sure you select the "Chicago" tab).
- Please do use serial or Oxford commas (https://www.grammarly.com/blog/what-is-the-oxford-comma-and-why-do-people-care-so-much-about-it/).
- Don't use "and/or"; chances are you can simply write "or". (Note: the OR allows for the same True result as an AND, while also allowing for other combinations producing True results.) Unless you actually mean something like "A and/exclusive or B", in which case read the sentence to yourself with those words and then figure out a different way to write it ☺
THIS IS THE OWASP TESTING GUIDE PROJECT ROADMAP FOR V5.
The OWASP Testing Guide v4 includes a “best practice” penetration testing framework which users can implement in their own organisations. The Testing Guide v4 also includes a “low level” penetration testing guide that describes techniques for testing the most common web application and web service security issues. Today the Testing Guide is the standard to perform Web Application Penetration Testing, and many companies around the world have adopted it. It is vital to maintain an updated project that represents the state of the art for WebAppSec.
The aim of the Working Session is to discuss and define the scope and content of OWASP Testing Guide v5.
- All sections in v4 reviewed
- Project aligned with the ASVS and OWASP Top 10 vulnerabilities
- A more readable guide created that eliminates sections that are not useful
- New testing techniques inserted
- Some sections rationalised (e.g., Session Management Testing)
- New section created: Client side security and Firefox extensions testing
- Project v5 Deadlines:
  - 1: Set up the team of authors
  - 2: Start a brainstorming for the new index starting from "Release Description"
  - 3: Create the new index and confirm the new team
  - 4: Start writing articles, first phase
  - 5: OWASP Summit TGv5 review and brainstorming
  - 6: Start writing articles, second phase
  - 7: Start the second review phase
  - 8: Create the RC1
  - 9: Release version 5
This outline will include proposed test changes that need to be incorporated into OTG v5. These should be significant proposed changes, each associated with an explicit test.
- Server-Side Template Injection
- Testing for Horizontal Bypassing Authorization Schema
- Testing for CSRF
- (Include brief explanation of reasoning)
- (Include brief explanation of reasoning)