Difference between revisions of "Testing Checklist"

(27 intermediate revisions by 8 users not shown)
Old revision (OWASP Testing Guide v3 draft):

{{Template:OWASP Testing Guide v3}}
'''This is a draft of a section of the new Testing Guide v3'''

For version 3, we are going to branch out into 3 checklists as suggested by Mat.
They will be:
- Application Development Checklist (or SDLC checklist?) (Define your security requirements)
- Application Review(?) Checklist. (Ensure you met your requirements)
- Application Testing Checklist. (Pen test the application)

The current testing checklist can be found here:

Old versions (will be integrated into the current version):
* Here is a draft of the OWASP Testing Guide v3 [ Checklist]

New revision (OWASP Testing Guide v4):

{{Template:OWASP Testing Guide v4}}
The following is the list of controls to test during the assessment:

The new revision replaces the draft notes with the table of controls; that table is the one rendered in full under the latest revision below.

Latest revision as of 12:10, 8 August 2014

This article is part of the new OWASP Testing Guide v4.

The following is the list of controls to test during the assessment:

Ref. No. Category Test Name
4.2 Information Gathering
4.2.1 OTG-INFO-001 Conduct Search Engine Discovery and Reconnaissance for Information Leakage
4.2.2 OTG-INFO-002 Fingerprint Web Server
4.2.3 OTG-INFO-003 Review Webserver Metafiles for Information Leakage
4.2.4 OTG-INFO-004 Enumerate Applications on Webserver
4.2.5 OTG-INFO-005 Review Webpage Comments and Metadata for Information Leakage
4.2.6 OTG-INFO-006 Identify application entry points
4.2.7 OTG-INFO-007 Map execution paths through application
4.2.8 OTG-INFO-008 Fingerprint Web Application Framework
4.2.9 OTG-INFO-009 Fingerprint Web Application
4.2.10 OTG-INFO-010 Map Application Architecture
4.3 Configuration and Deploy Management Testing
4.3.1 OTG-CONFIG-001 Test Network/Infrastructure Configuration
4.3.2 OTG-CONFIG-002 Test Application Platform Configuration
4.3.3 OTG-CONFIG-003 Test File Extensions Handling for Sensitive Information
4.3.4 OTG-CONFIG-004 Backup and Unreferenced Files for Sensitive Information
4.3.5 OTG-CONFIG-005 Enumerate Infrastructure and Application Admin Interfaces
4.3.6 OTG-CONFIG-006 Test HTTP Methods
4.3.7 OTG-CONFIG-007 Test HTTP Strict Transport Security
4.3.8 OTG-CONFIG-008 Test RIA cross domain policy
4.4 Identity Management Testing
4.4.1 OTG-IDENT-001 Test Role Definitions
4.4.2 OTG-IDENT-002 Test User Registration Process
4.4.3 OTG-IDENT-003 Test Account Provisioning Process
4.4.4 OTG-IDENT-004 Testing for Account Enumeration and Guessable User Account
4.4.5 OTG-IDENT-005 Testing for Weak or unenforced username policy
4.4.6 OTG-IDENT-006 Test Permissions of Guest/Training Accounts
4.4.7 OTG-IDENT-007 Test Account Suspension/Resumption Process
4.5 Authentication Testing
4.5.1 OTG-AUTHN-001 Testing for Credentials Transported over an Encrypted Channel
4.5.2 OTG-AUTHN-002 Testing for default credentials
4.5.3 OTG-AUTHN-003 Testing for Weak lock out mechanism
4.5.4 OTG-AUTHN-004 Testing for bypassing authentication schema
4.5.5 OTG-AUTHN-005 Test remember password functionality
4.5.6 OTG-AUTHN-006 Testing for Browser cache weakness
4.5.7 OTG-AUTHN-007 Testing for Weak password policy
4.5.8 OTG-AUTHN-008 Testing for Weak security question/answer
4.5.9 OTG-AUTHN-009 Testing for weak password change or reset functionalities
4.5.10 OTG-AUTHN-010 Testing for Weaker authentication in alternative channel
4.6 Authorization Testing
4.6.1 OTG-AUTHZ-001 Testing Directory traversal/file include
4.6.2 OTG-AUTHZ-002 Testing for bypassing authorization schema
4.6.3 OTG-AUTHZ-003 Testing for Privilege Escalation
4.6.4 OTG-AUTHZ-004 Testing for Insecure Direct Object References
4.7 Session Management Testing
4.7.1 OTG-SESS-001 Testing for Bypassing Session Management Schema
4.7.2 OTG-SESS-002 Testing for Cookies attributes
4.7.3 OTG-SESS-003 Testing for Session Fixation
4.7.4 OTG-SESS-004 Testing for Exposed Session Variables
4.7.5 OTG-SESS-005 Testing for Cross Site Request Forgery
4.7.6 OTG-SESS-006 Testing for logout functionality
4.7.7 OTG-SESS-007 Test Session Timeout
4.7.8 OTG-SESS-008 Testing for Session puzzling
4.8 Data Validation Testing
4.8.1 OTG-INPVAL-001 Testing for Reflected Cross Site Scripting
4.8.2 OTG-INPVAL-002 Testing for Stored Cross Site Scripting
4.8.3 OTG-INPVAL-003 Testing for HTTP Verb Tampering
4.8.4 OTG-INPVAL-004 Testing for HTTP Parameter pollution
4.8.5 OTG-INPVAL-005 Testing for SQL Injection
    Oracle Testing
    MySQL Testing
    SQL Server Testing
    Testing PostgreSQL
    MS Access Testing
    Testing for NoSQL injection
4.8.6 OTG-INPVAL-006 Testing for LDAP Injection
4.8.7 OTG-INPVAL-007 Testing for ORM Injection
4.8.8 OTG-INPVAL-008 Testing for XML Injection
4.8.9 OTG-INPVAL-009 Testing for SSI Injection
4.8.10 OTG-INPVAL-010 Testing for XPath Injection
4.8.11 OTG-INPVAL-011 IMAP/SMTP Injection
4.8.12 OTG-INPVAL-012 Testing for Code Injection
    Testing for Local File Inclusion
    Testing for Remote File Inclusion
4.8.13 OTG-INPVAL-013 Testing for Command Injection
4.8.14 OTG-INPVAL-014 Testing for Buffer overflow
    Testing for Heap overflow
    Testing for Stack overflow
    Testing for Format string
4.8.15 OTG-INPVAL-015 Testing for incubated vulnerabilities
4.8.16 OTG-INPVAL-016 Testing for HTTP Splitting/Smuggling
4.9 Error Handling
4.9.1 OTG-ERR-001 Analysis of Error Codes
4.9.2 OTG-ERR-002 Analysis of Stack Traces
4.10 Cryptography
4.10.1 OTG-CRYPST-001 Testing for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection
4.10.2 OTG-CRYPST-002 Testing for Padding Oracle
4.10.3 OTG-CRYPST-003 Testing for Sensitive information sent via unencrypted channels
4.11 Business Logic Testing
4.11.1 OTG-BUSLOGIC-001 Test Business Logic Data Validation
4.11.2 OTG-BUSLOGIC-002 Test Ability to Forge Requests
4.11.3 OTG-BUSLOGIC-003 Test Integrity Checks
4.11.4 OTG-BUSLOGIC-004 Test for Process Timing
4.11.5 OTG-BUSLOGIC-005 Test Number of Times a Function Can be Used Limits
4.11.6 OTG-BUSLOGIC-006 Testing for the Circumvention of Work Flows
4.11.7 OTG-BUSLOGIC-007 Test Defenses Against Application Mis-use
4.11.8 OTG-BUSLOGIC-008 Test Upload of Unexpected File Types
4.11.9 OTG-BUSLOGIC-009 Test Upload of Malicious Files
4.12 Client Side Testing
4.12.1 OTG-CLIENT-001 Testing for DOM based Cross Site Scripting
4.12.2 OTG-CLIENT-002 Testing for JavaScript Execution
4.12.3 OTG-CLIENT-003 Testing for HTML Injection
4.12.4 OTG-CLIENT-004 Testing for Client Side URL Redirect
4.12.5 OTG-CLIENT-005 Testing for CSS Injection
4.12.6 OTG-CLIENT-006 Testing for Client Side Resource Manipulation
4.12.7 OTG-CLIENT-007 Test Cross Origin Resource Sharing
4.12.8 OTG-CLIENT-008 Testing for Cross Site Flashing
4.12.9 OTG-CLIENT-009 Testing for Clickjacking
4.12.10 OTG-CLIENT-010 Testing WebSockets
4.12.11 OTG-CLIENT-011 Test Web Messaging
4.12.12 OTG-CLIENT-012 Test Local Storage