OWASP Testing Jun 2026

The OWASP Web Security Testing Guide is a comprehensive manual for web application security. It is often described as the "bible" for security auditors.

This story illustrates the value of OWASP testing by contrasting it with automated vulnerability scanning:

| OWASP Category | Tests Performed |
|----------------|-----------------|
| | Fingerprint Web Server, Review Web App Metadata, Enumeration of Subdomains |
| Configuration & Deployment Management | Test Network/Infrastructure, Test Platform, Test File Extensions |
| Identity Management Testing | Test Role Definitions, Registration Process, Account Provisioning |
| Authentication Testing | Credential Transport, Default Credentials, Lockout Mechanism, Bypassing Authentication |
| Authorization Testing | Directory Traversal, Privilege Escalation, Insecure Direct Object References (IDOR) |
| Session Management Testing | Cookie Attributes, Session Fixation, CSRF, Logout Functionality |
| Input Validation Testing | SQL Injection, Cross-Site Scripting (XSS), Command Injection, LDAP Injection |
| Error Handling | Stack Trace Analysis, Error Message Obfuscation |
| Business Logic | Workflow Bypass, Functionality Misuse, CAPTCHA Bypass |
| Client-Side Testing | DOM-Based XSS, Clickjacking, Cross-Origin Resource Sharing (CORS) |