Difference between revisions of "Reporting"
| Line 1: | Line 1: | ||
{{Template:OWASP Testing Guide v2}} | {{Template:OWASP Testing Guide v2}} | ||
| + | |||
| + | {| border=1 | ||
| + | || '''Category''' || '''Ref Number''' || '''Name ''' || '''Finding ''' ||'''Affected Item'''|| '''Comment/Solution ''' || '''Risk Value ''' | ||
| + | |- | ||
| + | || Information Gathering || || Application Discovery || || || || | ||
| + | |- | ||
| + | || || || Spidering and googling || || || || | ||
| + | |- | ||
| + | || || || Analisys of error code || || || || | ||
| + | |- | ||
| + | || || || SSL/TLS Testing || || || || | ||
| + | |- | ||
| + | || || || DB Listener Testing || || || || | ||
| + | |- | ||
| + | || || || File extensions handling || || || || | ||
| + | |- | ||
| + | || || || Old, backup and unreferenced files || || || || | ||
| + | |- | ||
| + | ||Business logic testing || || || || || || | ||
| + | |- | ||
| + | || Authentication Testing || || Default or guessable account || || || || | ||
| + | |- | ||
| + | || || || Brute Force || || || || | ||
| + | |- | ||
| + | || || || Bypassing authentication schema || || || || | ||
| + | |- | ||
| + | || || || Directory traversal/file include || || || || | ||
| + | |- | ||
| + | || || || Vulnerable remember password and pwd reset || || || || | ||
| + | |- | ||
| + | || || || Logout and Browser Cache Management Testing || || || || | ||
| + | |- | ||
| + | || Session Management Testing || || Session Management Schema || || || || | ||
| + | |- | ||
| + | || || || Session Token Manipulation || || || || | ||
| + | |- | ||
| + | || || || Exposed Session Variables || || || || | ||
| + | |- | ||
| + | || || || Session Riding || || || || | ||
| + | |- | ||
| + | || || || HTTP Exploit || || || || | ||
| + | |- | ||
| + | || Data Validation Testing || || Cross site scripting || || || || | ||
| + | |- | ||
| + | || || || HTTP Methods and XST || || || || | ||
| + | |- | ||
| + | || || || SQL Injection || || || || | ||
| + | |- | ||
| + | || || || Stored procedure injection || || || || | ||
| + | |- | ||
| + | || || || ORM Injection || || || || | ||
| + | |- | ||
| + | || || || LDAP Injection || || || || | ||
| + | |- | ||
| + | || || || XML Injection || || || || | ||
| + | |- | ||
| + | || || || SSI Injection || || || || | ||
| + | |- | ||
| + | || || || XPath Injection || || || || | ||
| + | |- | ||
| + | || || || IMAP/SMTP Injection || || || || | ||
| + | |- | ||
| + | || || || Code Injection || || || || | ||
| + | |- | ||
| + | || || || OS Commanding || || || || | ||
| + | |- | ||
| + | || || || Buffer overflow || || || || | ||
| + | |- | ||
| + | || || || Incubated vulnerability || || || || | ||
| + | |- | ||
| + | || Denial of Service Testing || || Locking Customer Accounts || || || || | ||
| + | |- | ||
| + | || || || User Specified Object Allocation || || || || | ||
| + | |- | ||
| + | || || || User Input as a Loop Counter || || || || | ||
| + | |- | ||
| + | || || || Writing User Provided Data to Disk || || || || | ||
| + | |- | ||
| + | || || || Failure to Release Resources || || || || | ||
| + | |- | ||
| + | || || || Storing too Much Data in Session || || || || | ||
| + | |- | ||
| + | || Web Services Testing || || XML Structural Testing || || || || | ||
| + | |- | ||
| + | || || || XML content-level Testing || || || || | ||
| + | |- | ||
| + | || || || HTTP GET parameters/REST Testing || || || || | ||
| + | |- | ||
| + | || || || Naughty SOAP attachments || || || || | ||
| + | |- | ||
| + | || || || Replay Testing || || || || | ||
| + | |- | ||
| + | || AJAX Testing || || AJAX Vulnerabilities || || || || | ||
| + | |- | ||
| + | |} | ||
| + | |||
| + | |||
| + | |||
| − | |||
{{Category:OWASP Testing Project AoC}} | {{Category:OWASP Testing Project AoC}} | ||
| − | |||
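Review bot: the row `|| Business logic testing || || || || || ||` puts the test name in the Category column and leaves the Name column empty, unlike every other sub-item row in this table, which keeps the Category cell blank and places the test in the third column (for example `|| || || Old, backup and unreferenced files || || || ||`); either move it into the Name column under Information Gathering or give it the same two-cell layout as the other category headings (`|| Authentication Testing || || Default or guessable account ...`) so the rendered table lines up. Also, `Analisys of error code` should read `Analysis of error code`, and the Ref Number column is empty for every row, so a reporter filling in this template has nothing to cite back to the corresponding guide section; pre-filling those references would make the findings table usable as-is.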
Revision as of 18:26, 19 November 2006
OWASP Testing Guide v2 Table of Contents
| Category | Ref Number | Name | Finding | Affected Item | Comment/Solution | Risk Value |
| Information Gathering | | Application Discovery | | | | |
| | | Spidering and googling | | | | |
| | | Analysis of error code | | | | |
| | | SSL/TLS Testing | | | | |
| | | DB Listener Testing | | | | |
| | | File extensions handling | | | | |
| | | Old, backup and unreferenced files | | | | |
| Business logic testing | | | | | | |
| Authentication Testing | | Default or guessable account | | | | |
| | | Brute Force | | | | |
| | | Bypassing authentication schema | | | | |
| | | Directory traversal/file include | | | | |
| | | Vulnerable remember password and pwd reset | | | | |
| | | Logout and Browser Cache Management Testing | | | | |
| Session Management Testing | | Session Management Schema | | | | |
| | | Session Token Manipulation | | | | |
| | | Exposed Session Variables | | | | |
| | | Session Riding | | | | |
| | | HTTP Exploit | | | | |
| Data Validation Testing | | Cross site scripting | | | | |
| | | HTTP Methods and XST | | | | |
| | | SQL Injection | | | | |
| | | Stored procedure injection | | | | |
| | | ORM Injection | | | | |
| | | LDAP Injection | | | | |
| | | XML Injection | | | | |
| | | SSI Injection | | | | |
| | | XPath Injection | | | | |
| | | IMAP/SMTP Injection | | | | |
| | | Code Injection | | | | |
| | | OS Commanding | | | | |
| | | Buffer overflow | | | | |
| | | Incubated vulnerability | | | | |
| Denial of Service Testing | | Locking Customer Accounts | | | | |
| | | User Specified Object Allocation | | | | |
| | | User Input as a Loop Counter | | | | |
| | | Writing User Provided Data to Disk | | | | |
| | | Failure to Release Resources | | | | |
| | | Storing too Much Data in Session | | | | |
| Web Services Testing | | XML Structural Testing | | | | |
| | | XML content-level Testing | | | | |
| | | HTTP GET parameters/REST Testing | | | | |
| | | Naughty SOAP attachments | | | | |
| | | Replay Testing | | | | |
| AJAX Testing | | AJAX Vulnerabilities | | | | |