This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Testing Checklist"

From OWASP
Jump to: navigation, search
Line 7: Line 7:
  
 
'''Information Gathering ''' <br>
 
'''Information Gathering ''' <br>
OWASP-IG-001 4.2.1 Spiders, Robots and Crawlers N.A.
+
OWASP-IG-001 - 4.2.1 Spiders, Robots and Crawlers - N.A.
  
OWASP-IG-002 4.2.2 Search Engine Discovery/Reconnaissance N.A.
+
OWASP-IG-002 - 4.2.2 Search Engine Discovery/Reconnaissance - N.A.
  
OWASP-IG-003 4.2.3 Identify application entry points N.A.
+
OWASP-IG-003 - 4.2.3 Identify application entry points - N.A.
  
OWASP-IG-004 4.2.3 Testing for Web Application Fingerprint N.A.
+
OWASP-IG-004 - 4.2.3 Testing for Web Application Fingerprint - N.A.
  
OWASP-IG-005 4.2.4 Application Discovery N.A.
+
OWASP-IG-005 - 4.2.4 Application Discovery - N.A.
  
OWASP-IG-006 4.2.5 Analysis of Error Codes Information Disclosure
+
OWASP-IG-006 - 4.2.5 Analysis of Error Codes - Information Disclosure
  
  
 
'''Configuration Management Testing '''
 
'''Configuration Management Testing '''
  
OWASP-CM-001 4.3.1 SSL/TLS Testing (SSL Version, Alghoritms, Key lenght, Digital Cert. Validity) SSL Weakness
+
OWASP-CM-001 - 4.3.1 SSL/TLS Testing (SSL Version, Alghoritms, Key lenght, Digital Cert. Validity) - SSL Weakness
  
OWASP-CM-002 4.3.2 DB Listener Testing DB Listener weak
+
OWASP-CM-002 - 4.3.2 DB Listener Testing - DB Listener weak
  
OWASP-CM-003 4.3.3 Infrastructure Configuration Management Testing Infrastructure Configuration management weakness
+
OWASP-CM-003 - 4.3.3 Infrastructure Configuration Management Testing - Infrastructure Configuration management weakness
  
OWASP-CM-003 4.3.4 Application Configuration Management Testing Application Configuration management weakness
+
OWASP-CM-003 - 4.3.4 Application Configuration Management Testing - Application Configuration management weakness
  
OWASP-CM-005 4.3.5 Testing for File Extensions Handling File extensions handling
+
OWASP-CM-005 - 4.3.5 Testing for File Extensions Handling - File extensions handling
  
OWASP-CM-006 4.3.6 Old, backup and unreferenced files Old, backup and unreferenced files
+
OWASP-CM-006 - 4.3.6 Old, backup and unreferenced files - Old, backup and unreferenced files
  
OWASP-CM-007 4.3.7 Infrastructure and Application Admin Interfaces Access to Admin interfaces
+
OWASP-CM-007 - 4.3.7 Infrastructure and Application Admin Interfaces - Access to Admin interfaces
  
OWASP-CM-008 4.3.8 Testing for HTTP Methods and XST HTTP Methods enabled, XST permitted
+
OWASP-CM-008 - 4.3.8 Testing for HTTP Methods and XST - HTTP Methods enabled, XST permitted, HTTP Verb
  
  
 
'''Business logic testing '''
 
'''Business logic testing '''
  
OWASP-BL-001 Testing for Business Logic Bypassable business logic
+
OWASP-BL-001 - 4.4 Testing for Business Logic - Bypassable business logic
  
  
 
'''Authentication Testing '''
 
'''Authentication Testing '''
  
OWASP-AT-001 4.5.1 Credentials transport over an encrypted channel Credentials transport over an encrypted channel
+
OWASP-AT-001 - 4.5.1 Credentials transport over an encrypted channel Credentials transport over an encrypted channel
  
OWASP-AT-002 4.5.2 Testing for user enumeration User enumeration
+
OWASP-AT-002 - 4.5.2 Testing for user enumeration User enumeration
  
OWASP-AT-003 4.5.3 Testing for Guessable (Dictionary) User Account Guessable user account
+
OWASP-AT-003 - 4.5.3 Testing for Guessable (Dictionary) User Account Guessable user account
  
OWASP-AT-004 4.5.3 Brute Force Testing Brute forcing  
+
OWASP-AT-004 - 4.5.4 Brute Force Testing Brute forcing  
  
OWASP-AT-005 4.5.4 Testing for bypassing authentication schema bypassing authentication schema
+
OWASP-AT-005 - 4.5.5 Testing for bypassing authentication schema bypassing authentication schema
  
OWASP-AT-006 4.5.5 Testing for directory traversal/file include directory traversal/file include
+
OWASP-AT-006 - 4.5.6 Testing for vulnerable remember password and pwd reset vulnerable remember password, weak pwd reset
  
OWASP-AT-007 4.5.6 Testing for vulnerable remember password and pwd reset vulnerable remember password, weak pwd reset
+
OWASP-AT-007 - 4.5.7 Testing for Logout and Browser Cache Management Testing Logout function not properly implemented, browser
 +
cache weakness
  
OWASP-AT-008 4.5.7 Testing for Logout and Browser Cache Management Testing Logout function not properly implemented, browser
+
OWASP-AT-008 - 4.5.8 Testing for CAPTCHA  Captcha implementation weakeness
cache weakness
 
  
OWASP-AT-009 4.5.8 Testing for CAPTCHA  Captcha implementation weakeness
+
OWASP-AT-009 - 4.5.9 Testing Multiple Factors Authentication - Weak Multiple Factors Authentication
  
 
'''Authorization Testing '''
 
'''Authorization Testing '''
  
OWASP-AZ-001 (new)4.6.1 Testing for Path Traversal Path Traversal
+
OWASP-AZ-001 - 4.6.1 Testing for Path Traversal - Path Traversal
  
OWASP-AZ-002 (new)4.6.2 Testing for bypassing authorization schema Bypassing authorization schema
+
OWASP-AZ-002 - 4.6.2 Testing for bypassing authorization schema - Bypassing authorization schema
  
OWASP-AZ-003 (new)4.6.3 Testing for Privilege Escalation Privilege Escalation
+
OWASP-AZ-003 - 4.6.3 Testing for Privilege Escalation - Privilege Escalation
  
  
 
'''Session Management '''
 
'''Session Management '''
  
OWASP-SM-001 4.7.1 Testing for Session Management Schema Bypassing Session Management Schema, Weak Session Token
+
OWASP-SM-001 - 4.7.1 Testing for Session Management Schema - Bypassing Session Management Schema, Weak Session Token
  
OWASP-SM-002 4.7.2 Testing for Cookies attributes         Cookies are set not ‘HTTP Only’, ‘Secure’, and no time validity
+
OWASP-SM-002 - 4.7.2 Testing for Cookies attributes         - Cookies are set not ‘HTTP Only’, ‘Secure’, and no time validity
  
OWASP-SM-003    4.7.3 Testing for Session Fixation              Session Fixation
+
OWASP-SM-003    - 4.7.3 Testing for Session Fixation              - Session Fixation
  
OWASP-SM-004 4.7.4 Testing for Exposed Session Variables Exposed sensitive session variables
+
OWASP-SM-004 - 4.7.4 Testing for Exposed Session Variables - Exposed sensitive session variables
  
OWASP-SM-005 4.7.5 Testing for CSRF                         CSRF
+
OWASP-SM-005 - 4.7.5 Testing for CSRF                         - CSRF
  
OWASP-SM-006 4.7.6 Testing for HTTP Exploit                 HTTP Splitting, Smuggling, Verb
+
OWASP-SM-006 - 4.7.6 Testing for HTTP Exploit - HTTP Splitting, Smuggling
  
  
 
'''Data Validation Testing '''
 
'''Data Validation Testing '''
  
OWASP-DV-001 4.8.1 Testing for Reflected Cross Site Scripting Reflected XSS
+
OWASP-DV-001 - 4.8.1 Testing for Reflected Cross Site Scripting - Reflected XSS
  
OWASP-DV-002 4.8.2 Testing for Stored Cross Site Scripting Stored XSS
+
OWASP-DV-002 - 4.8.2 Testing for Stored Cross Site Scripting - Stored XSS
  
OWASP-DV-003 4.8.3 Testing for DOM based Cross Site Scripting DOM XSS
+
OWASP-DV-003 - 4.8.3 Testing for DOM based Cross Site Scripting - DOM XSS
  
OWASP-DV-004 4.8.4 Testing for Cross Site Flashing Cross Site Flashing
+
OWASP-DV-004 - 4.8.4 Testing for Cross Site Flashing - Cross Site Flashing
  
OWASP-DV-005 SQL Injection SQL Injection
+
OWASP-DV-005 - 4.8.5 SQL Injection - SQL Injection
  
OWASP-DV-006 LDAP Injection LDAP Injection   
+
OWASP-DV-006 - 4.8.6 LDAP Injection - LDAP Injection   
  
OWASP-DV-007 ORM Injection ORM Injection
+
OWASP-DV-007 - 4.8.7 ORM Injection - ORM Injection
  
OWASP-DV-008 XML Injection XML Injection
+
OWASP-DV-008 - 4.8.8 XML Injection - XML Injection
  
OWASP-DV-009 SSI Injection SSI Injection
+
OWASP-DV-009 - 4.8.9 SSI Injection - SSI Injection
  
OWASP-DV-010 XPath Injection XPath Injection
+
OWASP-DV-010 - 4.8.10 XPath Injection - XPath Injection
  
OWASP-DV-011 IMAP/SMTP Injection IMAP/SMTP Injection
+
OWASP-DV-011 - 4.8.11 IMAP/SMTP Injection - IMAP/SMTP Injection
  
OWASP-DV-012 Code Injection Code Injection
+
OWASP-DV-012 - 4.8.12 Code Injection - Code Injection
  
OWASP-DV-013 OS Commanding OS Commanding
+
OWASP-DV-013 - 4.8.13 OS Commanding - OS Commanding
  
OWASP-DV-014 Buffer overflow Buffer overflow
+
OWASP-DV-014 - 4.8.14 Buffer overflow - Buffer overflow
  
OWASP-DV-015 Incubated vulnerability Incubated vulnerability
+
OWASP-DV-015 - 4.8.15 Incubated vulnerability - Incubated vulnerability
  
  
 
'''Denial of Service Testing '''
 
'''Denial of Service Testing '''
  
OWASP-DS-001 Locking Customer Accounts Locking Customer Accounts
+
OWASP-DS-001 - Locking Customer Accounts - Locking Customer Accounts
  
OWASP-DS-002 User Specified Object Allocation User Specified Object Allocation
+
OWASP-DS-002 - User Specified Object Allocation - User Specified Object Allocation
  
OWASP-DS-003 User Input as a Loop Counter User Input as a Loop Counter
+
OWASP-DS-003 - User Input as a Loop Counter - User Input as a Loop Counter
  
OWASP-DS-004 Writing User Provided Data to Disk Writing User Provided Data to Disk
+
OWASP-DS-004 - Writing User Provided Data to Disk - Writing User Provided Data to Disk
  
OWASP-DS-005 Failure to Release Resources Failure to Release Resources
+
OWASP-DS-005 - Failure to Release Resources - Failure to Release Resources
  
OWASP-DS-006 Storing too Much Data in Session Storing too Much Data in Session
+
OWASP-DS-006 - Storing too Much Data in Session - Storing too Much Data in Session
  
  
 
'''Web Services Testing '''
 
'''Web Services Testing '''
  
OWASP-WS-001 XML Structural Testing Weak XML Structure
+
OWASP-WS-001 - 4.10.1 WS Information Gathering - N.A.
 +
 
 +
OWASP-WS-002 - 4.10.2 Testing WSDL - WSDL Weakness
 +
 
 +
OWASP-WS-003 - 4.10.3 XML Structural Testing - Weak XML Structure
 +
 
 +
OWASP-WS-004 - 4.10.4 XML content-level Testing - XML content-level
 +
 
 +
OWASP-WS-005 - 4.10.5 HTTP GET parameters/REST Testing - WS HTTP GET parameters/REST
  
OWASP-WS-002 XML content-level Testing XML content-level
+
OWASP-WS-006 - 4.10.6 Naughty SOAP attachments - WS Naughty SOAP attachments
  
OWASP-WS-003 HTTP GET parameters/REST Testing WS HTTP GET parameters/REST
+
OWASP-WS-007 - 4.10.7 Replay Testing - WS Replay Testing
  
OWASP-WS-004 Naughty SOAP attachments WS Naughty SOAP attachments
 
  
OWASP-WS-005 Replay Testing WS Replay Testing
+
'''Ajax Testing '''
  
  
'''Client Side Testing '''
+
OWASP-AJ-001 - 4.11.1 AJAX Vulnerabilities - N.A.
  
OWASP-CS-001
+
OWASP-AJ-002 - 4.11.2 How to test AJAX - AJAX weakness

Revision as of 12:12, 23 August 2008

OWASP Testing Guide v3 Table of Contents

This article is part of the OWASP Testing Guide v3. The entire OWASP Testing Guide v3 can be downloaded here.

OWASP at the moment is working at the OWASP Testing Guide v4: you can browse the Guide here


The following is the list of controls to test during the assessment: 

Category	-  Ref. Number	 -  Test Name	-   Vulnerability


Information Gathering
OWASP-IG-001 - 4.2.1 Spiders, Robots and Crawlers - N.A.

OWASP-IG-002 - 4.2.2 Search Engine Discovery/Reconnaissance - N.A.

OWASP-IG-003 - 4.2.3 Identify application entry points - N.A.

OWASP-IG-004 - 4.2.3 Testing for Web Application Fingerprint - N.A.

OWASP-IG-005 - 4.2.4 Application Discovery - N.A.

OWASP-IG-006 - 4.2.5 Analysis of Error Codes - Information Disclosure


Configuration Management Testing

OWASP-CM-001 - 4.3.1 SSL/TLS Testing (SSL Version, Alghoritms, Key lenght, Digital Cert. Validity) - SSL Weakness

OWASP-CM-002 - 4.3.2 DB Listener Testing - DB Listener weak

OWASP-CM-003 - 4.3.3 Infrastructure Configuration Management Testing - Infrastructure Configuration management weakness

OWASP-CM-003 - 4.3.4 Application Configuration Management Testing - Application Configuration management weakness

OWASP-CM-005 - 4.3.5 Testing for File Extensions Handling - File extensions handling

OWASP-CM-006 - 4.3.6 Old, backup and unreferenced files - Old, backup and unreferenced files

OWASP-CM-007 - 4.3.7 Infrastructure and Application Admin Interfaces - Access to Admin interfaces

OWASP-CM-008 - 4.3.8 Testing for HTTP Methods and XST - HTTP Methods enabled, XST permitted, HTTP Verb


Business logic testing

OWASP-BL-001 - 4.4 Testing for Business Logic - Bypassable business logic


Authentication Testing

OWASP-AT-001 - 4.5.1 Credentials transport over an encrypted channel Credentials transport over an encrypted channel

OWASP-AT-002 - 4.5.2 Testing for user enumeration User enumeration

OWASP-AT-003 - 4.5.3 Testing for Guessable (Dictionary) User Account Guessable user account

OWASP-AT-004 - 4.5.4 Brute Force Testing Brute forcing

OWASP-AT-005 - 4.5.5 Testing for bypassing authentication schema bypassing authentication schema

OWASP-AT-006 - 4.5.6 Testing for vulnerable remember password and pwd reset vulnerable remember password, weak pwd reset

OWASP-AT-007 - 4.5.7 Testing for Logout and Browser Cache Management Testing Logout function not properly implemented, browser cache weakness

OWASP-AT-008 - 4.5.8 Testing for CAPTCHA Captcha implementation weakeness

OWASP-AT-009 - 4.5.9 Testing Multiple Factors Authentication - Weak Multiple Factors Authentication

Authorization Testing

OWASP-AZ-001 - 4.6.1 Testing for Path Traversal - Path Traversal

OWASP-AZ-002 - 4.6.2 Testing for bypassing authorization schema - Bypassing authorization schema

OWASP-AZ-003 - 4.6.3 Testing for Privilege Escalation - Privilege Escalation


Session Management

OWASP-SM-001 - 4.7.1 Testing for Session Management Schema - Bypassing Session Management Schema, Weak Session Token

OWASP-SM-002 - 4.7.2 Testing for Cookies attributes - Cookies are set not ‘HTTP Only’, ‘Secure’, and no time validity

OWASP-SM-003 - 4.7.3 Testing for Session Fixation - Session Fixation

OWASP-SM-004 - 4.7.4 Testing for Exposed Session Variables - Exposed sensitive session variables

OWASP-SM-005 - 4.7.5 Testing for CSRF - CSRF

OWASP-SM-006 - 4.7.6 Testing for HTTP Exploit - HTTP Splitting, Smuggling


Data Validation Testing

OWASP-DV-001 - 4.8.1 Testing for Reflected Cross Site Scripting - Reflected XSS

OWASP-DV-002 - 4.8.2 Testing for Stored Cross Site Scripting - Stored XSS

OWASP-DV-003 - 4.8.3 Testing for DOM based Cross Site Scripting - DOM XSS

OWASP-DV-004 - 4.8.4 Testing for Cross Site Flashing - Cross Site Flashing

OWASP-DV-005 - 4.8.5 SQL Injection - SQL Injection

OWASP-DV-006 - 4.8.6 LDAP Injection - LDAP Injection

OWASP-DV-007 - 4.8.7 ORM Injection - ORM Injection

OWASP-DV-008 - 4.8.8 XML Injection - XML Injection

OWASP-DV-009 - 4.8.9 SSI Injection - SSI Injection

OWASP-DV-010 - 4.8.10 XPath Injection - XPath Injection

OWASP-DV-011 - 4.8.11 IMAP/SMTP Injection - IMAP/SMTP Injection

OWASP-DV-012 - 4.8.12 Code Injection - Code Injection

OWASP-DV-013 - 4.8.13 OS Commanding - OS Commanding

OWASP-DV-014 - 4.8.14 Buffer overflow - Buffer overflow

OWASP-DV-015 - 4.8.15 Incubated vulnerability - Incubated vulnerability


Denial of Service Testing

OWASP-DS-001 - Locking Customer Accounts - Locking Customer Accounts

OWASP-DS-002 - User Specified Object Allocation - User Specified Object Allocation

OWASP-DS-003 - User Input as a Loop Counter - User Input as a Loop Counter

OWASP-DS-004 - Writing User Provided Data to Disk - Writing User Provided Data to Disk

OWASP-DS-005 - Failure to Release Resources - Failure to Release Resources

OWASP-DS-006 - Storing too Much Data in Session - Storing too Much Data in Session


Web Services Testing

OWASP-WS-001 - 4.10.1 WS Information Gathering - N.A.

OWASP-WS-002 - 4.10.2 Testing WSDL - WSDL Weakness

OWASP-WS-003 - 4.10.3 XML Structural Testing - Weak XML Structure

OWASP-WS-004 - 4.10.4 XML content-level Testing - XML content-level

OWASP-WS-005 - 4.10.5 HTTP GET parameters/REST Testing - WS HTTP GET parameters/REST

OWASP-WS-006 - 4.10.6 Naughty SOAP attachments - WS Naughty SOAP attachments

OWASP-WS-007 - 4.10.7 Replay Testing - WS Replay Testing


Ajax Testing


OWASP-AJ-001 - 4.11.1 AJAX Vulnerabilities - N.A.

OWASP-AJ-002 - 4.11.2 How to test AJAX - AJAX weakness

Retrieved from "https://wiki.owasp.org/index.php?title=Testing_Checklist&oldid=37029"