Difference between revisions of "Testing Checklist"
From OWASP
(Converted 'Information Gathering' to use wiki table style (initial))
Dan Vasile
Line 3: | Line 3: | ||
The following is the list of controls to test during the assessment: | The following is the list of controls to test during the assessment: | ||
− | {| | + | {| {{table}} |
− | | | + | | align="center" style="background:#f0f0f0;"|'''Ref. No.''' |
+ | | align="center" style="background:#f0f0f0;"|'''Category''' | ||
+ | | align="center" style="background:#f0f0f0;"|'''Test Name''' | ||
|- | |- | ||
− | + | | |||| | |
|- | |- | ||
− | + | | 4.2||||'''Information Gathering''' | |
|- | |- | ||
− | + | | 4.2.1||OTG-INFO-001||Conduct Search Engine Discovery and Reconnaissance for Information Leakage | |
|- | |- | ||
− | + | | 4.2.2||OTG-INFO-002||Fingerprint Web Server | |
|- | |- | ||
− | + | | 4.2.3||OTG-INFO-003||Review Webserver Metafiles for Information Leakage | |
|- | |- | ||
− | + | | 4.2.4||OTG-INFO-004||Enumerate Applications on Webserver | |
|- | |- | ||
− | | | + | | 4.2.5||OTG-INFO-005||Review Webpage Comments and Metadata for Information Leakage |
+ | |- | ||
+ | | 4.2.6||OTG-INFO-006||Identify application entry points | ||
+ | |- | ||
+ | | 4.2.8||OTG-INFO-008||Map execution paths through application | ||
+ | |- | ||
+ | | 4.2.9||OTG-INFO-009||Fingerprint Web Application Framework | ||
+ | |- | ||
+ | | 4.2.10||OTG-INFO-010||Fingerprint Web Application | ||
+ | |- | ||
+ | | 4.2.11||OTG-INFO-011||Map Network and Application Architecture | ||
+ | |- | ||
+ | | |||| | ||
+ | |- | ||
+ | | 4.3||||'''Configuration and Deploy Management Testing''' | ||
+ | |- | ||
+ | | 4.3.1||OTG-CONFIG-001||Test Network/Infrastructure Configuration | ||
+ | |- | ||
+ | | 4.3.2||OTG-CONFIG-002 ||Test Application Platform Configuration | ||
+ | |- | ||
+ | | 4.3.3||OTG-CONFIG-003||Test File Extensions Handling for Sensitive Information | ||
+ | |- | ||
+ | | 4.3.4||OTG-CONFIG-003|| Backup and Unreferenced Files for Sensitive Information | ||
+ | |- | ||
+ | | 4.3.5||OTG-CONFIG-005||Enumerate Infrastructure and Application Admin Interfaces | ||
+ | |- | ||
+ | | 4.3.6||OTG-CONFIG-006||Test HTTP Methods | ||
+ | |- | ||
+ | | 4.3.7||OTG-CONFIG-007||Testing for Database credentials/connection strings available | ||
+ | |- | ||
+ | | 4.3.8||OTG-CONFIG-008||Test Content Security Policy | ||
+ | |- | ||
+ | | 4.3.9||OTG-CONFIG-009||Test HTTP Strict Transport Security | ||
+ | |- | ||
+ | | 4.3.10||OTG-CONFIG-010||Test Frame Options | ||
+ | |- | ||
+ | | 4.3.11||OTG-CONFIG-011||Test RIA cross domain policy | ||
+ | |- | ||
+ | | 4.3.12||OTG-CONFIG-012||Test Content Type Options | ||
+ | |- | ||
+ | | |||| | ||
+ | |- | ||
+ | | 4.4||||'''Identity Management Testing''' | ||
+ | |- | ||
+ | | 4.4.1||OTG-IDENT-001||Test Role Definitions | ||
+ | |- | ||
+ | | 4.4.2||OTG-IDENT-002||Test User Registration Process | ||
+ | |- | ||
+ | | 4.4.3||OTG-IDENT-003||Test Account Provisioning Process | ||
+ | |- | ||
+ | | 4.4.4||OTG-IDENT-004||Testing for Account Enumeration and Guessable User Account | ||
+ | |- | ||
+ | | 4.4.5||OTG-IDENT-005||Testing for Weak or unenforced username policy | ||
+ | |- | ||
+ | | 4.4.6||OTG-IDENT-006||Test Permissions of Guest/Training Accounts | ||
+ | |- | ||
+ | | 4.4.7||OTG-IDENT-007||Test Account Suspension/Resumption Process | ||
+ | |- | ||
+ | | 4.4.8||OTG-IDENT-008||Test User Deregistration Process | ||
+ | |- | ||
+ | | 4.4.9||OTG-IDENT-009 ||Test Account Deregistration Process | ||
+ | |- | ||
+ | | |||| | ||
+ | |- | ||
+ | | 4.5||||'''Authentication Testing''' | ||
+ | |- | ||
+ | | 4.5.1||OTG-AUTHN-001||Testing for Credentials Transported over an Encrypted Channel | ||
+ | |- | ||
+ | | 4.5.2||OTG-AUTHN-002||Testing for default credentials | ||
+ | |- | ||
+ | | 4.5.3||OTG-AUTHN-003||Testing for Weak lock out mechanism | ||
+ | |- | ||
+ | | 4.5.4||OTG-AUTHN-004||Testing for bypassing authentication schema | ||
+ | |- | ||
+ | | 4.5.5||OTG-AUTHN-005||Test remember password functionality | ||
+ | |- | ||
+ | | 4.5.6||OTG-AUTHN-006||Testing for Browser cache weakness | ||
+ | |- | ||
+ | | 4.5.7||OTG-AUTHN-007||Testing for Weak password policy | ||
+ | |- | ||
+ | | 4.5.8||OTG-AUTHN-008||Testing for Weak security question/answer | ||
+ | |- | ||
+ | | 4.5.9||OTG-AUTHN-009||Testing for weak password change or reset functionalities | ||
+ | |- | ||
+ | | 4.5.10||OTG-AUTHN-010||Testing for Weaker authentication in alternative channel | ||
+ | |- | ||
+ | | |||| | ||
+ | |- | ||
+ | | 4.6||||'''Authorization Testing''' | ||
+ | |- | ||
+ | | 4.6.1||OTG-AUTHZ-001||Test Management of Account Permissions | ||
+ | |- | ||
+ | | 4.6.2||OTG-AUTHZ-002||Testing Directory traversal/file include | ||
+ | |- | ||
+ | | 4.6.3||OTG-AUTHZ-003||Testing for bypassing authorization schema | ||
+ | |- | ||
+ | | 4.6.4||OTG-AUTHZ-004||Testing for Privilege Escalation | ||
+ | |- | ||
+ | | 4.6.5||OTG-AUTHZ-005||Testing for Insecure Direct Object References | ||
+ | |- | ||
+ | | 4.6.6||OTG-AUTHZ-006||Testing for Failure to Restrict access to authorized resource | ||
+ | |- | ||
+ | | 4.6.7||OTG-AUTHZ-007||Test privileges of server components | ||
+ | |- | ||
+ | | 4.6.8||OTG-AUTHZ-008||Test enforcement of application entry points | ||
+ | |- | ||
+ | | 4.6.9||OTG-AUTHZ-009||Testing for failure to restrict access to authenticated resource | ||
+ | |- | ||
+ | | |||| | ||
+ | |- | ||
+ | | 4.7||||'''Session Management Testing''' | ||
+ | |- | ||
+ | | 4.7.1||OTG-SESS-001 ||Testing for Bypassing Session Management Schema | ||
+ | |- | ||
+ | | 4.7.2||OTG-SESS-002||Testing for Cookies attributes | ||
+ | |- | ||
+ | | 4.7.3||OTG-SESS-003||Testing for Session Fixation | ||
+ | |- | ||
+ | | 4.7.4||OTG-SESS-004||Testing for Exposed Session Variables | ||
+ | |- | ||
+ | | 4.7.5||OTG-SESS-005||Testing for Cross Site Request Forgery | ||
+ | |- | ||
+ | | 4.7.6||OTG-SESS-006||Test Session Token Strength | ||
+ | |- | ||
+ | | 4.7.7||OTG-SESS-007 ||Testing for logout functionality | ||
+ | |- | ||
+ | | 4.7.8||OTG-SESS-008||Test Session Timeout | ||
+ | |- | ||
+ | | 4.7.9||OTG-SESS-009||Test multiple concurrent sessions | ||
+ | |- | ||
+ | | 4.7.10||OTG-SESS-010||Testing for Session puzzling | ||
+ | |- | ||
+ | | |||| | ||
+ | |- | ||
+ | | 4.8||||'''Data Validation Testing''' | ||
+ | |- | ||
+ | | 4.8.1||OTG-INPVAL-001||Testing for Reflected Cross Site Scripting | ||
+ | |- | ||
+ | | 4.8.2||OTG-INPVAL-002||Testing for Stored Cross Site Scripting | ||
+ | |- | ||
+ | | 4.8.3||OTG-INPVAL-003 ||Testing for HTTP Verb Tampering | ||
+ | |- | ||
+ | | 4.8.4||OTG-INPVAL-004||Testing for HTTP Parameter pollution | ||
+ | |- | ||
+ | | 4.8.5||OTG-INPVAL-005 ||Testing for Unvalidated Redirects and Forwards | ||
+ | |- | ||
+ | | 4.8.6||OTG-INPVAL-006||Testing for SQL Injection | ||
+ | |- | ||
+ | | 4.8.6.1||||Oracle Testing | ||
+ | |- | ||
+ | | 4.8.6.2||||MySQL Testing | ||
+ | |- | ||
+ | | 4.8.6.3||||SQL Server Testing | ||
+ | |- | ||
+ | | 4.8.6.4||||Testing PostgreSQL | ||
+ | |- | ||
+ | | 4.8.6.5||||MS Access Testing | ||
+ | |- | ||
+ | | 4.8.6.6||||Testing for NoSQL injection | ||
+ | |- | ||
+ | | 4.8.7||OTG-INPVAL-007||Testing for LDAP Injection | ||
+ | |- | ||
+ | | 4.8.8||OTG-INPVAL-008||Testing for ORM Injection | ||
+ | |- | ||
+ | | 4.8.9||OTG-INPVAL-009||Testing for XML Injection | ||
+ | |- | ||
+ | | 4.8.10||OTG-INPVAL-010||Testing for SSI Injection | ||
+ | |- | ||
+ | | 4.8.11||OTG-INPVAL-011||Testing for XPath Injection | ||
+ | |- | ||
+ | | 4.8.12||OTG-INPVAL-012||IMAP/SMTP Injection | ||
+ | |- | ||
+ | | 4.8.13||OTG-INPVAL-013||Testing for Code Injection | ||
+ | |- | ||
+ | | 4.8.13.1||||Testing for Local File Inclusion | ||
+ | |- | ||
+ | | 4.8.13.2||||Testing for Remote File Inclusion | ||
+ | |- | ||
+ | | 4.8.14||OTG-INPVAL-014||Testing for Command Injection | ||
+ | |- | ||
+ | | 4.8.15||OTG-INPVAL-015||Testing for Buffer overflow | ||
+ | |- | ||
+ | | 4.8.15.1||||Testing for Heap overflow | ||
+ | |- | ||
+ | | 4.8.15.2||||Testing for Stack overflow | ||
+ | |- | ||
+ | | 4.8.15.3||||Testing for Format string | ||
+ | |- | ||
+ | | 4.8.16||OTG-INPVAL-016||Testing for incubated vulnerabilities | ||
+ | |- | ||
+ | | 4.8.17||OTG-INPVAL-017||Testing for HTTP Splitting/Smuggling | ||
+ | |- | ||
+ | | |||| | ||
+ | |- | ||
+ | | 4.9||||'''Error Handling''' | ||
+ | |- | ||
+ | | 4.9.1||OTG-ERR-001||Analysis of Error Codes | ||
+ | |- | ||
+ | | 4.9.2||OTG-ERR-002||Analysis of Stack Traces | ||
+ | |- | ||
+ | | |||| | ||
+ | |- | ||
+ | | 4.1||||'''Cryptography''' | ||
+ | |- | ||
+ | | 4.10.1||OTG-CRYPST-001||Testing for Insecure encryption usage | ||
+ | |- | ||
+ | | 4.10.2||OTG-CRYPST-001||Testing for Weak SSL/TSL Ciphers, Insufficient Transport Layer Protection | ||
+ | |- | ||
+ | | 4.10.3||OTG-CRYPST-003||Testing for Padding Oracle | ||
+ | |- | ||
+ | | 4.10.4||OTG-CRYPST-004||Testing for Cacheable HTTPS Response | ||
+ | |- | ||
+ | | 4.10.5||OTG-CRYPST-005||Test Cache Directives | ||
+ | |- | ||
+ | | 4.10.6||OTG-CRYPST-006||Testing for Insecure Cryptographic Storage | ||
+ | |- | ||
+ | | 4.10.7||OTG-CRYPST-007||Testing for Sensitive information sent via unencrypted channels | ||
+ | |- | ||
+ | | 4.10.8||OTG-CRYPST-008||Test Cryptographic Key Management | ||
+ | |- | ||
+ | | |||| | ||
+ | |- | ||
+ | | 4.11||||'''Logging''' | ||
+ | |- | ||
+ | | 4.11.1||OTG-LOG-001||Test time synchronisation | ||
+ | |- | ||
+ | | 4.11.2||OTG-LOG-002||Test user-viewable log of authentication events | ||
+ | |- | ||
+ | | |||| | ||
+ | |- | ||
+ | | 4.12||OWASP-BL-001||'''Business Logic Testing''' | ||
+ | |- | ||
+ | | 4.12.1||OTG-BUSLOGIC-001||Test Business Logic Data Validation | ||
+ | |- | ||
+ | | 4.12.2||OTG-BUSLOGIC-002||Test Ability to Forge Requests | ||
+ | |- | ||
+ | | 4.12.3||OTG-BUSLOGIC-003||Test Integrity Checks | ||
+ | |- | ||
+ | | 4.12.4||OTG-BUSLOGIC-004||Test for Process Timing | ||
+ | |- | ||
+ | | 4.12.5||OTG-BUSLOGIC-005||Test Number of Times a Function Can be Used Limits | ||
+ | |- | ||
+ | | 4.12.6||OTG-BUSLOGIC-006||Testing for the Circumvention of Work Flows | ||
+ | |- | ||
+ | | 4.12.7||OTG-BUSLOGIC-007||Test Defenses Against Application Mis-use | ||
+ | |- | ||
+ | | 4.12.8||OTG-BUSLOGIC-008||Test Upload of Unexpected File Types | ||
+ | |- | ||
+ | | 4.12.9||OTG-BUSLOGIC-009||Test Upload of Malicious Files | ||
+ | |- | ||
+ | | |||| | ||
+ | |- | ||
+ | | 4.15||||'''Client Side Testing''' | ||
+ | |- | ||
+ | | 4.15.1||OTG-CLIENT-001||Testing for DOM based Cross Site Scripting | ||
+ | |- | ||
+ | | 4.15.2||OWASP-CS-002||Testing for JavaScript Execution | ||
+ | |- | ||
+ | | 4.15.3||OWASP-CS-003||Testing for HTML Injection | ||
+ | |- | ||
+ | | 4.15.4||OWASP-CS-004 ||Testing for Client Side URL Redirect | ||
+ | |- | ||
+ | | 4.15.5||OWASP-CS-005||Testing for CSS Injection | ||
+ | |- | ||
+ | | 4.15.6||OWASP-CS-006||Testing for Client Side Resource Manipulation | ||
+ | |- | ||
+ | | 4.15.7||OTG-CLIENT-007||Test Cross Origin Resource Sharing | ||
+ | |- | ||
+ | | 4.15.8||OTG-CLIENT-008||Testing for Cross Site Flashing | ||
+ | |- | ||
+ | | 4.15.9||OTG-CLIENT-009||Testing for Clickjacking | ||
+ | |- | ||
+ | | 4.15.10||OTG-CLIENT-010||Testing WebSockets | ||
+ | |- | ||
+ | | 4.15.11||OTG-CLIENT-011||Test Web Messaging | ||
+ | |- | ||
+ | | 4.15.12||OTG-CLIENT-012||Test Local Storage | ||
+ | |- | ||
+ | | | ||
|} | |} | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− |
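Review bot: the identifiers in the added table are inconsistent in several rows and should be normalised before the table is used as a checklist. Row 4.3.4 repeats OTG-CONFIG-003, which 4.3.3 already uses (the sequence suggests OTG-CONFIG-004), and row 4.10.2 repeats OTG-CRYPST-001, which 4.10.1 already uses (the sequence suggests OTG-CRYPST-002), so two pairs of tests currently share an identifier. Rows 4.15.2 to 4.15.6 use the `OWASP-CS-00x` scheme while the rest of the section uses `OTG-CLIENT-00x`, and the 4.12 heading row carries `OWASP-BL-001` in the identifier column where every other heading row leaves it empty. The Cryptography heading is numbered `4.1` while its children are numbered 4.10.1 to 4.10.8; the numbering also skips 4.2.7 (no OTG-INFO-007 row) and jumps from 4.12 to 4.15. Row 4.10.2 reads `SSL/TSL` where `SSL/TLS` is meant, and the trailing `| ` cell before `|}` is an empty row that will render as a blank line at the bottom of the table.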
Revision as of 14:57, 16 January 2014
This article is part of the new OWASP Testing Guide v4.
Back to the OWASP Testing Guide v4 ToC: https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
Back to the OWASP Testing Guide Project: https://www.owasp.org/index.php/OWASP_Testing_Project
The following is the list of controls to test during the assessment:
Ref. No. | Category | Test Name |
4.2 | | Information Gathering |
4.2.1 | OTG-INFO-001 | Conduct Search Engine Discovery and Reconnaissance for Information Leakage |
4.2.2 | OTG-INFO-002 | Fingerprint Web Server |
4.2.3 | OTG-INFO-003 | Review Webserver Metafiles for Information Leakage |
4.2.4 | OTG-INFO-004 | Enumerate Applications on Webserver |
4.2.5 | OTG-INFO-005 | Review Webpage Comments and Metadata for Information Leakage |
4.2.6 | OTG-INFO-006 | Identify application entry points |
4.2.8 | OTG-INFO-008 | Map execution paths through application |
4.2.9 | OTG-INFO-009 | Fingerprint Web Application Framework |
4.2.10 | OTG-INFO-010 | Fingerprint Web Application |
4.2.11 | OTG-INFO-011 | Map Network and Application Architecture |
4.3 | | Configuration and Deploy Management Testing |
4.3.1 | OTG-CONFIG-001 | Test Network/Infrastructure Configuration |
4.3.2 | OTG-CONFIG-002 | Test Application Platform Configuration |
4.3.3 | OTG-CONFIG-003 | Test File Extensions Handling for Sensitive Information |
4.3.4 | OTG-CONFIG-003 | Backup and Unreferenced Files for Sensitive Information |
4.3.5 | OTG-CONFIG-005 | Enumerate Infrastructure and Application Admin Interfaces |
4.3.6 | OTG-CONFIG-006 | Test HTTP Methods |
4.3.7 | OTG-CONFIG-007 | Testing for Database credentials/connection strings available |
4.3.8 | OTG-CONFIG-008 | Test Content Security Policy |
4.3.9 | OTG-CONFIG-009 | Test HTTP Strict Transport Security |
4.3.10 | OTG-CONFIG-010 | Test Frame Options |
4.3.11 | OTG-CONFIG-011 | Test RIA cross domain policy |
4.3.12 | OTG-CONFIG-012 | Test Content Type Options |
4.4 | | Identity Management Testing |
4.4.1 | OTG-IDENT-001 | Test Role Definitions |
4.4.2 | OTG-IDENT-002 | Test User Registration Process |
4.4.3 | OTG-IDENT-003 | Test Account Provisioning Process |
4.4.4 | OTG-IDENT-004 | Testing for Account Enumeration and Guessable User Account |
4.4.5 | OTG-IDENT-005 | Testing for Weak or unenforced username policy |
4.4.6 | OTG-IDENT-006 | Test Permissions of Guest/Training Accounts |
4.4.7 | OTG-IDENT-007 | Test Account Suspension/Resumption Process |
4.4.8 | OTG-IDENT-008 | Test User Deregistration Process |
4.4.9 | OTG-IDENT-009 | Test Account Deregistration Process |
4.5 | | Authentication Testing |
4.5.1 | OTG-AUTHN-001 | Testing for Credentials Transported over an Encrypted Channel |
4.5.2 | OTG-AUTHN-002 | Testing for default credentials |
4.5.3 | OTG-AUTHN-003 | Testing for Weak lock out mechanism |
4.5.4 | OTG-AUTHN-004 | Testing for bypassing authentication schema |
4.5.5 | OTG-AUTHN-005 | Test remember password functionality |
4.5.6 | OTG-AUTHN-006 | Testing for Browser cache weakness |
4.5.7 | OTG-AUTHN-007 | Testing for Weak password policy |
4.5.8 | OTG-AUTHN-008 | Testing for Weak security question/answer |
4.5.9 | OTG-AUTHN-009 | Testing for weak password change or reset functionalities |
4.5.10 | OTG-AUTHN-010 | Testing for Weaker authentication in alternative channel |
4.6 | | Authorization Testing |
4.6.1 | OTG-AUTHZ-001 | Test Management of Account Permissions |
4.6.2 | OTG-AUTHZ-002 | Testing Directory traversal/file include |
4.6.3 | OTG-AUTHZ-003 | Testing for bypassing authorization schema |
4.6.4 | OTG-AUTHZ-004 | Testing for Privilege Escalation |
4.6.5 | OTG-AUTHZ-005 | Testing for Insecure Direct Object References |
4.6.6 | OTG-AUTHZ-006 | Testing for Failure to Restrict access to authorized resource |
4.6.7 | OTG-AUTHZ-007 | Test privileges of server components |
4.6.8 | OTG-AUTHZ-008 | Test enforcement of application entry points |
4.6.9 | OTG-AUTHZ-009 | Testing for failure to restrict access to authenticated resource |
4.7 | | Session Management Testing |
4.7.1 | OTG-SESS-001 | Testing for Bypassing Session Management Schema |
4.7.2 | OTG-SESS-002 | Testing for Cookies attributes |
4.7.3 | OTG-SESS-003 | Testing for Session Fixation |
4.7.4 | OTG-SESS-004 | Testing for Exposed Session Variables |
4.7.5 | OTG-SESS-005 | Testing for Cross Site Request Forgery |
4.7.6 | OTG-SESS-006 | Test Session Token Strength |
4.7.7 | OTG-SESS-007 | Testing for logout functionality |
4.7.8 | OTG-SESS-008 | Test Session Timeout |
4.7.9 | OTG-SESS-009 | Test multiple concurrent sessions |
4.7.10 | OTG-SESS-010 | Testing for Session puzzling |
4.8 | | Data Validation Testing |
4.8.1 | OTG-INPVAL-001 | Testing for Reflected Cross Site Scripting |
4.8.2 | OTG-INPVAL-002 | Testing for Stored Cross Site Scripting |
4.8.3 | OTG-INPVAL-003 | Testing for HTTP Verb Tampering |
4.8.4 | OTG-INPVAL-004 | Testing for HTTP Parameter pollution |
4.8.5 | OTG-INPVAL-005 | Testing for Unvalidated Redirects and Forwards |
4.8.6 | OTG-INPVAL-006 | Testing for SQL Injection |
4.8.6.1 | | Oracle Testing |
4.8.6.2 | | MySQL Testing |
4.8.6.3 | | SQL Server Testing |
4.8.6.4 | | Testing PostgreSQL |
4.8.6.5 | | MS Access Testing |
4.8.6.6 | | Testing for NoSQL injection |
4.8.7 | OTG-INPVAL-007 | Testing for LDAP Injection |
4.8.8 | OTG-INPVAL-008 | Testing for ORM Injection |
4.8.9 | OTG-INPVAL-009 | Testing for XML Injection |
4.8.10 | OTG-INPVAL-010 | Testing for SSI Injection |
4.8.11 | OTG-INPVAL-011 | Testing for XPath Injection |
4.8.12 | OTG-INPVAL-012 | IMAP/SMTP Injection |
4.8.13 | OTG-INPVAL-013 | Testing for Code Injection |
4.8.13.1 | | Testing for Local File Inclusion |
4.8.13.2 | | Testing for Remote File Inclusion |
4.8.14 | OTG-INPVAL-014 | Testing for Command Injection |
4.8.15 | OTG-INPVAL-015 | Testing for Buffer overflow |
4.8.15.1 | | Testing for Heap overflow |
4.8.15.2 | | Testing for Stack overflow |
4.8.15.3 | | Testing for Format string |
4.8.16 | OTG-INPVAL-016 | Testing for incubated vulnerabilities |
4.8.17 | OTG-INPVAL-017 | Testing for HTTP Splitting/Smuggling |
4.9 | | Error Handling |
4.9.1 | OTG-ERR-001 | Analysis of Error Codes |
4.9.2 | OTG-ERR-002 | Analysis of Stack Traces |
4.1 | | Cryptography |
4.10.1 | OTG-CRYPST-001 | Testing for Insecure encryption usage |
4.10.2 | OTG-CRYPST-001 | Testing for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection |
4.10.3 | OTG-CRYPST-003 | Testing for Padding Oracle |
4.10.4 | OTG-CRYPST-004 | Testing for Cacheable HTTPS Response |
4.10.5 | OTG-CRYPST-005 | Test Cache Directives |
4.10.6 | OTG-CRYPST-006 | Testing for Insecure Cryptographic Storage |
4.10.7 | OTG-CRYPST-007 | Testing for Sensitive information sent via unencrypted channels |
4.10.8 | OTG-CRYPST-008 | Test Cryptographic Key Management |
4.11 | | Logging |
4.11.1 | OTG-LOG-001 | Test time synchronisation |
4.11.2 | OTG-LOG-002 | Test user-viewable log of authentication events |
4.12 | OWASP-BL-001 | Business Logic Testing |
4.12.1 | OTG-BUSLOGIC-001 | Test Business Logic Data Validation |
4.12.2 | OTG-BUSLOGIC-002 | Test Ability to Forge Requests |
4.12.3 | OTG-BUSLOGIC-003 | Test Integrity Checks |
4.12.4 | OTG-BUSLOGIC-004 | Test for Process Timing |
4.12.5 | OTG-BUSLOGIC-005 | Test Number of Times a Function Can be Used Limits |
4.12.6 | OTG-BUSLOGIC-006 | Testing for the Circumvention of Work Flows |
4.12.7 | OTG-BUSLOGIC-007 | Test Defenses Against Application Mis-use |
4.12.8 | OTG-BUSLOGIC-008 | Test Upload of Unexpected File Types |
4.12.9 | OTG-BUSLOGIC-009 | Test Upload of Malicious Files |
4.15 | | Client Side Testing |
4.15.1 | OTG-CLIENT-001 | Testing for DOM based Cross Site Scripting |
4.15.2 | OWASP-CS-002 | Testing for JavaScript Execution |
4.15.3 | OWASP-CS-003 | Testing for HTML Injection |
4.15.4 | OWASP-CS-004 | Testing for Client Side URL Redirect |
4.15.5 | OWASP-CS-005 | Testing for CSS Injection |
4.15.6 | OWASP-CS-006 | Testing for Client Side Resource Manipulation |
4.15.7 | OTG-CLIENT-007 | Test Cross Origin Resource Sharing |
4.15.8 | OTG-CLIENT-008 | Testing for Cross Site Flashing |
4.15.9 | OTG-CLIENT-009 | Testing for Clickjacking |
4.15.10 | OTG-CLIENT-010 | Testing WebSockets |
4.15.11 | OTG-CLIENT-011 | Test Web Messaging |
4.15.12 | OTG-CLIENT-012 | Test Local Storage |