[Owasp-testing] [OWASP ASVS] Documented workflows

Kevin Horvath kevin.horvath at gmail.com
Thu Apr 26 14:39:57 UTC 2012

Hi Jon,

There really isn't a set specific procedure as each application is
different.  The OWASP Testing Guide is there to give you general guidance on
what should be tested and how it can be tested.  A lot of testers have
their own methodology, but at a very high level I would recommend doing
the following first:

Understand the application (purpose and functionality).
- Walk the application with a proxy at each user level
(unauthenticated all the way through all access roles).  This is
important to understand things such as session handling, access roles,
redirects, error handling, functionality at each level, etc.
- Spider the app at each level to map it out

Once you have an understanding of the application and the scope of it,
you can proceed to test things such as input validation (manual
and with a scanner), session management, business logic, SSL/TLS
ciphers, etc., etc.  Many of these can usually be tested without any
predetermined order, but you definitely need to do the first
step mentioned above.  A lot of this comes with experience of knowing
what to test first depending on what you see during your walk of the
application.  The first step is critical when it comes to trying things
such as vertical and horizontal privilege escalation, etc.

On Thu, Apr 26, 2012 at 9:56 AM, Jonathan Cran <jcran at 0x0e.org> wrote:
> On Thu, Apr 26, 2012 at 8:07 AM, crib bar <crib.bar at hotmail.co.uk> wrote:
>> Does anyone have any sort of documented workflow on the steps you take
>> when performing a web application assessment. I know often it's a
>> combination of tools and manual assessments when performing the audit, but
>> there must be some sort of logical workflow you follow when doing an audit,
>> i.e. 1) do this first .. 20) wrap up testing and write the report.
> Isn't this the OWASP testing guide?
> jcran
> _______________________________________________
> Owasp-testing mailing list
> Owasp-testing at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-testing
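The "walk the app with a proxy at each user level, then test vertical and
horizontal privilege escalation" step above lends itself to a mechanical
sweep once you have the per-role site map: replay every request one
session observed using every other session, and flag anything that
succeeds for a session that never saw it.  The script below is an added
example, not code from Kevin or from the OWASP Testing Guide.  The
target (`fake_app`), its two deliberate access-control flaws, the session
names (`anon`, `alice`, `bob`, `admin`), the privilege levels and the
per-session request lists are all constructed for the example; on a real
engagement the request lists would come from your proxy's site map export
and `send` would issue actual HTTP requests with each session's cookie.

```python
"""Role-by-role access-control sweep over a spidered site map.

Added example (not from the original thread).  Everything below that
describes the "application" is constructed: the sessions, their
privilege levels, the requests each session saw while walking the app,
and the stand-in server `fake_app` with its deliberate flaws.
"""
from dataclasses import dataclass

# Privilege level per session (constructed): anon < user < admin.
# alice and bob are two ordinary users, which is what you need to test
# horizontal escalation; admin sits above them for vertical escalation.
LEVELS = {"anon": 0, "alice": 1, "bob": 1, "admin": 2}

# Which account id each user owns (constructed).
OWNS = {"alice": "1001", "bob": "1002"}

# (method, path) pairs seen while walking/spidering as each session
# (constructed; in practice this is your proxy's site map per session).
OBSERVED = {
    "anon": {("GET", "/"), ("GET", "/login")},
    "alice": {("GET", "/"), ("GET", "/account/1001"),
              ("GET", "/account/1001/export")},
    "bob": {("GET", "/"), ("GET", "/account/1002"),
            ("GET", "/account/1002/export")},
    "admin": {("GET", "/"), ("GET", "/admin/users"),
              ("POST", "/admin/users/1001/disable")},
}


def fake_app(session, method, path):
    """Stand-in for the target.  Returns an HTTP status code.

    Two deliberate (constructed) flaws: /admin/* only checks "logged in",
    not "is admin", and /account/<id>/export never checks ownership.
    """
    level = LEVELS[session]
    if path in ("/", "/login"):
        return 200
    if path.startswith("/admin/"):
        return 200 if level >= 1 else 302      # flaw: vertical escalation
    parts = path.strip("/").split("/")
    if parts[0] == "account" and len(parts) >= 2:
        if level < 1:
            return 302                         # not logged in
        if len(parts) == 3 and parts[2] == "export":
            return 200                         # flaw: horizontal escalation
        return 200 if OWNS.get(session) == parts[1] else 403
    return 404


@dataclass(frozen=True)
class Finding:
    kind: str          # "vertical" or "horizontal"
    as_session: str    # the session that should NOT have had access
    observed_as: str   # the session that legitimately saw the request
    method: str
    path: str


def sweep(observed, levels, send):
    """Replay each session's requests as every equal-or-lower session.

    A request is flagged when the replaying session (dst) never observed
    it during its own walk yet gets a 200.  Replays by a *higher*
    privilege session are skipped: an admin reaching user functionality
    is expected, not a finding.  Note this replays state-changing
    requests (POST) too, so only run it against test accounts.
    """
    findings = []
    for src, reqs in observed.items():
        for dst in observed:
            if dst == src or levels[dst] > levels[src]:
                continue
            kind = "horizontal" if levels[dst] == levels[src] else "vertical"
            for method, path in sorted(reqs - observed[dst]):
                if send(dst, method, path) == 200:
                    findings.append(Finding(kind, dst, src, method, path))
    return findings


if __name__ == "__main__":
    for f in sweep(OBSERVED, LEVELS, fake_app):
        print(f"{f.kind:10} {f.as_session:6} reached {f.method} {f.path} "
              f"(seen as {f.observed_as})")
```

A 200 status on its own is a weak oracle: many applications return 200
with a "not authorised" page or a soft 404, so on a real target compare
response length or a marker in the body against the legitimate session's
response before calling anything a finding.  The sweep here finds the
two export pages readable across users (horizontal) and the admin
endpoints reachable by both ordinary users (vertical), while correctly
ignoring `/account/<id>` itself, which does check ownership.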
