Difference between revisions of "Testing Checklist"

Revision as of 13:55, 26 November 2008

OWASP Testing Guide v3 Table of Contents

This article is part of the OWASP Testing Guide v3. The entire OWASP Testing Guide v3 can be downloaded here.

OWASP at the moment is working at the OWASP Testing Guide v4: you can browse the Guide here

The following is the list of controls to test during the assessment:

Category	-  Ref. Number	 -  Test Name	-   Vulnerability

Information Gathering
OWASP-IG-001 - 4.2.1 Spiders, Robots and Crawlers - N.A.

OWASP-IG-002 - 4.2.2 Search Engine Discovery/Reconnaissance - N.A.

OWASP-IG-003 - 4.2.3 Identify application entry points - N.A.

OWASP-IG-004 - 4.2.4 Testing for Web Application Fingerprint - N.A.

OWASP-IG-005 - 4.2.5 Application Discovery - N.A.

OWASP-IG-006 - 4.2.6 Analysis of Error Codes - Information Disclosure

Configuration Management Testing

OWASP-CM-001 - 4.3.1 SSL/TLS Testing (SSL Version, Algorithms, Key lenght, Digital Cert. Validity) - SSL Weakness

OWASP-CM-002 - 4.3.2 DB Listener Testing - DB Listener weak

OWASP-CM-003 - 4.3.3 Infrastructure Configuration Management Testing - Infrastructure Configuration management weakness

OWASP-CM-004 - 4.3.4 Application Configuration Management Testing - Application Configuration management weakness

OWASP-CM-005 - 4.3.5 Testing for File Extensions Handling - File extensions handling

OWASP-CM-006 - 4.3.6 Old, backup and unreferenced files - Old, backup and unreferenced files

OWASP-CM-007 - 4.3.7 Infrastructure and Application Admin Interfaces - Access to Admin interfaces

OWASP-CM-008 - 4.3.8 Testing for HTTP Methods and XST - HTTP Methods enabled, XST permitted, HTTP Verb

Authentication Testing

OWASP-AT-001 - 4.4.1 Credentials transport over an encrypted channel - Credentials transport over an encrypted channel

OWASP-AT-002 - 4.4.2 Testing for user enumeration - User enumeration

OWASP-AT-003 - 4.4.3 Testing for Guessable (Dictionary) User Account - Guessable user account

OWASP-AT-004 - 4.4.4 Brute Force Testing - Credentials Brute forcing

OWASP-AT-005 - 4.4.5 Testing for bypassing authentication schema - Bypassing authentication schema

OWASP-AT-006 - 4.4.6 Testing for vulnerable remember password and pwd reset - Vulnerable remember password, weak pwd reset

OWASP-AT-007 - 4.4.7 Testing for Logout and Browser Cache Management - - Logout function not properly implemented, browser cache weakness

OWASP-AT-008 - 4.4.8 Testing for CAPTCHA - Weak Captcha implementation

OWASP-AT-009 - 4.4.9 Testing Multiple Factors Authentication - Weak Multiple Factors Authentication

OWASP-AT-010 - 4.4.10 Testing for Race Conditions - Race Conditions vulnerability

Session Management

OWASP-SM-001 - 4.5.1 Testing for Session Management Schema - Bypassing Session Management Schema, Weak Session Token

OWASP-SM-002 - 4.5.2 Testing for Cookies attributes - Cookies are set not ‘HTTP Only’, ‘Secure’, and no time validity

OWASP-SM-003 - 4.5.3 Testing for Session Fixation - Session Fixation

OWASP-SM-004 - 4.5.4 Testing for Exposed Session Variables - Exposed sensitive session variables

OWASP-SM-005 - 4.5.5 Testing for CSRF - CSRF

Authorization Testing

OWASP-AZ-001 - 4.6.1 Testing for Path Traversal - Path Traversal

OWASP-AZ-002 - 4.6.2 Testing for bypassing authorization schema - Bypassing authorization schema

OWASP-AZ-003 - 4.6.3 Testing for Privilege Escalation - Privilege Escalation

Business logic testing

OWASP-BL-001 - 4.7 Testing for Business Logic - Bypassable business logic

Data Validation Testing

OWASP-DV-001 - 4.8.1 Testing for Reflected Cross Site Scripting - Reflected XSS

OWASP-DV-002 - 4.8.2 Testing for Stored Cross Site Scripting - Stored XSS

OWASP-DV-003 - 4.8.3 Testing for DOM based Cross Site Scripting - DOM XSS

OWASP-DV-004 - 4.8.4 Testing for Cross Site Flashing - Cross Site Flashing

OWASP-DV-005 - 4.8.5 SQL Injection - SQL Injection

OWASP-DV-006 - 4.8.6 LDAP Injection - LDAP Injection

OWASP-DV-007 - 4.8.7 ORM Injection - ORM Injection

OWASP-DV-008 - 4.8.8 XML Injection - XML Injection

OWASP-DV-009 - 4.8.9 SSI Injection - SSI Injection

OWASP-DV-010 - 4.8.10 XPath Injection - XPath Injection

OWASP-DV-011 - 4.8.11 IMAP/SMTP Injection - IMAP/SMTP Injection

OWASP-DV-012 - 4.8.12 Code Injection - Code Injection

OWASP-DV-013 - 4.8.13 OS Commanding - OS Commanding

OWASP-DV-014 - 4.8.14 Buffer overflow - Buffer overflow

OWASP-DV-015 - 4.8.15 Incubated vulnerability - Incubated vulnerability

OWASP-DV-016 - 4.8.16 Testing for HTTP Splitting/Smuggling - HTTP Splitting, Smuggling

Denial of Service Testing

OWASP-DS-001 - 4.9.1 Testing for SQL Wildcard Attacks - SQL Wildcard vulnerability

OWASP-DS-002 - 4.9.2 Locking Customer Accounts - Locking Customer Accounts

OWASP-DS-003 - 4.9.3 Testing for DoS Buffer Overflows - Buffer Overflows

OWASP-DS-004 - 4.9.4 User Specified Object Allocation - User Specified Object Allocation

OWASP-DS-005 - 4.9.5 User Input as a Loop Counter - User Input as a Loop Counter

OWASP-DS-006 - 4.9.6 Writing User Provided Data to Disk - Writing User Provided Data to Disk

OWASP-DS-007 - 4.9.7 Failure to Release Resources - Failure to Release Resources

OWASP-DS-008 - 4.9.8 Storing too Much Data in Session - Storing too Much Data in Session

Web Services Testing

OWASP-WS-001 - 4.10.1 WS Information Gathering - N.A.

OWASP-WS-002 - 4.10.2 Testing WSDL - WSDL Weakness

OWASP-WS-003 - 4.10.3 XML Structural Testing - Weak XML Structure

OWASP-WS-004 - 4.10.4 XML content-level Testing - XML content-level

OWASP-WS-005 - 4.10.5 HTTP GET parameters/REST Testing - WS HTTP GET parameters/REST

OWASP-WS-006 - 4.10.6 Naughty SOAP attachments - WS Naughty SOAP attachments

OWASP-WS-007 - 4.10.7 Replay Testing - WS Replay Testing

Ajax Testing

OWASP-AJ-001 - 4.11.1 AJAX Vulnerabilities - N.A.

OWASP-AJ-002 - 4.11.2 AJAX Testing - AJAX weakness