OWASP testing guide and OSCP

OWASP testing

The OWASP Testing Project has been in development for many years. With this project, we wanted to help people understand the what, why, when, where, and how of testing their web applications, and not just provide a simple checklist or prescription of issues that should be addressed. The outcome of this project is a complete Testing Framework, from which others can build their own testing programs or qualify other people’s processes. The Testing Guide describes in detail both the general Testing Framework and the techniques required to implement the framework in practice.

Writing the Testing Guide has proven to be a difficult task. It has been a challenge to obtain consensus and develop content that allows people to apply the concepts described here, while enabling them to work in their own environment and culture. It has also been a challenge to change the focus of web application testing from penetration testing to testing integrated in the software development life cycle. However, we are very satisfied with the results we have reached. Many industry experts and those responsible for software security at some of the largest companies in the world are validating the Testing Framework. This framework helps organizations test their web applications in order to build reliable and secure software, rather than simply highlighting areas of weakness, although the latter is certainly a byproduct of many of OWASP’s guides and checklists. As such, we have made some hard decisions about the appropriateness of certain testing techniques and technologies, which we fully understand will not be agreed upon by everyone. However, OWASP is able to take the high ground and change culture over time through awareness and education based on consensus and experience.

The rest of this guide is organized as follows. This introduction covers the prerequisites of testing web applications: the scope of testing, the principles of successful testing, and the testing techniques. Chapter 3 presents the OWASP Testing Framework and explains its techniques and tasks in relation to the various phases of the software development life cycle. Chapter 4 covers how to test for specific vulnerabilities (e.g., SQL Injection) by code inspection and penetration testing.


When executing a pen test, besides the methodology and techniques, you depend on the tools and, above all, on the expertise of the pen tester. It is advisable to have or hire an OSCP pen tester, that is, an Offensive Security Certified Professional (OSCP). This is an ethical hacking certification that teaches penetration testing methodologies and the use of the tools included with the Kali Linux distribution (successor of BackTrack). It consists of two parts: a nearly 24-hour pen testing exam, and a documentation report due 24 hours after it. OSCP is a very hands-on exam.

Preparing for OSCP

With thanks to Alienvault.

  1. Linux and Windows Environment – You need to be familiar with both. These will help you spot clues for privilege escalation. I’m a Windows guy and during the labs I learned Linux the hard way.
  2. Linux and Windows Commands – Knowing Linux and Windows commands helps a lot. Brush up on them!
  3. Basic Programming Skills – Expect to debug and rewrite exploits, so know Bash Scripting. This will help you to automate redundant tasks.
  4. Web application attacks (SQLi, XSS, Local File Inclusion, Remote File Inclusion and Command Execution) – Expect a lot of web application content in the labs. Also practice bypassing web security filters for injection attacks.
  5. Metasploit Framework – Brush up on creating payloads with different formats, using multi handlers, and using staged vs non-staged payloads. Knowing these things will save you some time during your exam.
  6. Nmap – Different scanning techniques and Nmap NSE Scripts will help you a lot during your lab or exam.
  7. Netcat and Ncat – You’ll be using these a lot during the OSCP.
  8. Wireshark and tcpdump – These are important because you’ll be using Wireshark to debug your exploit – or tcpdump, when machines don’t have a GUI.
  9. Windows and Linux Privilege Escalation – Aside from using kernel exploits, brush up on misconfigurations like weak service/file permissions and NFS/Shares.
  10. Escaping restricted shells and spawning shells – You’ll encounter these a lot during your OSCP.
  11. File transfer – It is important that you know the different techniques to transfer files to a target machine.

Additional reading

  1. OSCP-like vulnerable machines list by abatchy
  2. Exploit-exercises.com – They provide Linux virtual machines that can be used to practice privilege escalations, reverse engineering and exploit development.
  3. Over The Wire: Natas – It focuses on web application challenges.
  4. Hackthebox.eu – They have several Windows boxes so if you want to focus on Windows I highly suggest this.