
Difference between revisions of "Testing Checklist"

Line 1: Line 1:
 
{{Template:OWASP Testing Guide v3}}
 
{{Template:OWASP Testing Guide v3}}
  
'''This is a draft of a section of the new Testing Guide v3'''
+
The following is the list of controls to test during the assessment:
  
 +
'''Category Ref. Number Test Name Vulnerability'''
 +
Information Gathering
 +
        OWASP-IG-001 4.2.1 Spiders, Robots and Crawlers N.A.
 +
OWASP-IG-002 4.2.2 Search Engine Discovery/Reconnaissance N.A.
 +
OWASP-IG-003 4.2.3 Identify application entry points N.A.
 +
OWASP-IG-004 4.2.3 Testing for Web Application Fingerprint N.A.
 +
OWASP-IG-005 4.2.4 Application Discovery N.A.
 +
OWASP-IG-006 4.2.5 Analysis of Error Codes Information Disclosure
  
For version 3, we are going to branch out into 3 checklists as suggested by Mat.
 
  
They will be:
+
Configuration Management Testing
 +
        OWASP-CM-001 4.3.1 SSL/TLS Testing (SSL Version, Alghoritms, Key lenght, Digital Cert. Validity) SSL Weakness
 +
OWASP-CM-002 4.3.2 DB Listener Testing DB Listener weak
 +
OWASP-CM-003 4.3.3 Application Configuration Management Testing Configuration management weakness
 +
OWASP-CM-004 4.3.4 Testing for misconfiguration Misconfiguration
 +
OWASP-CM-005 4.3.5 Testing for File Extensions Handling File extensions handling
 +
OWASP-CM-006 4.3.6 Old, backup and unreferenced files Old, backup and unreferenced files
 +
OWASP-CM-007 4.3.7 Infrastructure and Application Admin Interfaces Access to Admin interfaces
 +
OWASP-CM-008 4.3.8 Testing for HTTP Methods and XST HTTP Methods enabled, XST permitted
  
- Application Development Checklist (or SDLC checklist?) (Define your security requirements)
+
Business logic testing
+
        OWASP-BL-001 Testing for Business Logic Bypassable business logic
- Application Review(?) Checklist.  (Ensure you met your requirements)
 
  
- Application Testing Checklist.  (Pen test the application)
 
The current testing checklist can be found here:
 
https://www.owasp.org/index.php/Image:OWASP_Testing_Guide_Checklist_v3.20.xls.zip
 
  
 +
Authentication Testing
 +
        OWASP-AT-001 4.5.1 Credentials transport over an encrypted channel Credentials transport over an encrypted channel
 +
OWASP-AT-002 4.5.2 Testing for user enumeration User enumeration
 +
OWASP-AT-003 4.5.3 Testing for Guessable (Dictionary) User Account Guessable user account
 +
OWASP-AT-004 4.5.3 Brute Force Testing Brute forcing
 +
OWASP-AT-005 4.5.4 Testing for bypassing authentication schema bypassing authentication schema
 +
OWASP-AT-006 4.5.5 Testing for directory traversal/file include directory traversal/file include
 +
OWASP-AT-007 4.5.6 Testing for vulnerable remember password and pwd reset vulnerable remember password, weak pwd reset
 +
OWASP-AT-008 4.5.7 Testing for Logout and Browser Cache Management Testing Logout function not properly implemented, browser cache weakness
  
 +
Authorization Testing
 +
        OWASP-AZ-001 (new)4.6.1 Testing for Path Traversal Path Traversal
 +
OWASP-AZ-002 (new)4.6.2 Testing for bypassing authorization schema Bypassing authorization schema
 +
OWASP-AZ-003 (new)4.6.3 Testing for Privilege Escalation Privilege Escalation
  
 +
Session Management
 +
        OWASP-SM-001 4.7.1 Testing for Session Management Schema Bypassing Session Management Schema
 +
OWASP-SM-002 4.7.2 Test the token strength            Weak Session Token
 +
OWASP-SM-003 4.7.3 Testing for Cookies attributes         Cookies are set not ‘HTTP Only’, ‘Secure’, and no time validity
 +
OWASP-SM-004 4.7.4 Testing for Exposed Session Variables Exposed sensitive session variables
 +
OWASP-SM-005 4.7.5 Testing for CSRF                         CSRF
 +
OWASP-SM-006 4.7.6 Testing for HTTP Exploit                 HTTP Exploit
  
Old versions (will be integrated into the current version):
+
Data Validation Testing
* Here is a draft of the OWASP Testing Guide v3 [http://www.owasp.org/images/4/43/WebAppTest_v3_Checklist.doc Checklist]
+
        OWASP-DV-001 4.8.1 Testing for Reflected Cross Site Scripting Reflected XSS
 +
OWASP-DV-002 4.8.2 Testing for Stored Cross Site Scripting Stored XSS
 +
OWASP-DV-003 4.8.3 Testing for DOM based Cross Site Scripting DOM XSS
 +
OWASP-DV-004 4.8.4 Testing for Cross Site Flashing Cross Site Flashing
 +
OWASP-DV-005 SQL Injection SQL Injection
 +
OWASP-DV-006 LDAP Injection  LDAP Injection 
 +
OWASP-DV-007 ORM Injection ORM Injection
 +
OWASP-DV-008 XML Injection XML Injection
 +
OWASP-DV-009 SSI Injection SSI Injection
 +
OWASP-DV-010 XPath Injection XPath Injection
 +
OWASP-DV-011 IMAP/SMTP Injection IMAP/SMTP Injection
 +
OWASP-DV-012 Code Injection Code Injection
 +
OWASP-DV-013 OS Commanding OS Commanding
 +
OWASP-DV-014 Buffer overflow Buffer overflow
 +
OWASP-DV-015 Incubated vulnerability Incubated vulnerability
  
https://www.owasp.org/index.php/Testing:_Introduction_and_objectives
+
Denial of Service Testing
 +
        OWASP-DS-001 Locking Customer Accounts Locking Customer Accounts
 +
OWASP-DS-002 User Specified Object Allocation User Specified Object Allocation
 +
OWASP-DS-003 User Input as a Loop Counter User Input as a Loop Counter
 +
OWASP-DS-004 Writing User Provided Data to Disk Writing User Provided Data to Disk
 +
OWASP-DS-005 Failure to Release Resources Failure to Release Resources
 +
OWASP-DS-006 Storing too Much Data in Session Storing too Much Data in Session
 +
 
 +
Web Services Testing
 +
        OWASP-WS-001 XML Structural Testing Weak XML Structure
 +
OWASP-WS-002 XML content-level Testing XML content-level
 +
OWASP-WS-003 HTTP GET parameters/REST Testing WS HTTP GET parameters/REST
 +
OWASP-WS-004 Naughty SOAP attachments WS Naughty SOAP attachments
 +
OWASP-WS-005 Replay Testing WS Replay Testing
 +
 
 +
Client Side Testing
 +
        OWASP-CS-001
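Review bot: The last added row, OWASP-CS-001 under Client Side Testing, has no test name and no vulnerability, so the table ends on an incomplete entry; fill it in or hold the category back until it is defined. In the same added table, section 4.2.3 is assigned to both OWASP-IG-003 and OWASP-IG-004 and 4.5.3 to both OWASP-AT-003 and OWASP-AT-004, the rows from OWASP-DV-005 onward and all DS and WS rows carry no section number, and the OWASP-CM-001 name misspells "Alghoritms" and "Key lenght". The "(new)" prefix on the three OWASP-AZ rows is fused to the section number and would read better as a separate remark or removed once the numbering is settled.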

Revision as of 14:55, 13 August 2008

OWASP Testing Guide v3 Table of Contents

This article is part of the OWASP Testing Guide v3. The entire OWASP Testing Guide v3 can be downloaded here.

OWASP is currently working on the OWASP Testing Guide v4: you can browse the Guide here


The following is the list of controls to test during the assessment:

Category	Ref. Number	Test Name	Vulnerability

Information Gathering

       OWASP-IG-001	4.2.1 Spiders, Robots and Crawlers	N.A.
       OWASP-IG-002	4.2.2 Search Engine Discovery/Reconnaissance	N.A.
       OWASP-IG-003	4.2.3 Identify application entry points	N.A.
       OWASP-IG-004	4.2.3 Testing for Web Application Fingerprint	N.A.
       OWASP-IG-005	4.2.4 Application Discovery	N.A.
       OWASP-IG-006	4.2.5 Analysis of Error Codes	Information Disclosure


Configuration Management Testing

       OWASP-CM-001	4.3.1 SSL/TLS Testing (SSL Version, Algorithms, Key length, Digital Cert. Validity)	SSL Weakness
       OWASP-CM-002	4.3.2 DB Listener Testing	DB Listener weak
       OWASP-CM-003	4.3.3 Application Configuration Management Testing	Configuration management weakness
       OWASP-CM-004	4.3.4 Testing for misconfiguration	Misconfiguration
       OWASP-CM-005	4.3.5 Testing for File Extensions Handling	File extensions handling
       OWASP-CM-006	4.3.6 Old, backup and unreferenced files	Old, backup and unreferenced files
       OWASP-CM-007	4.3.7 Infrastructure and Application Admin Interfaces	Access to Admin interfaces
       OWASP-CM-008	4.3.8 Testing for HTTP Methods and XST	HTTP Methods enabled, XST permitted

Business logic testing

       OWASP-BL-001	Testing for Business Logic	Bypassable business logic


Authentication Testing

       OWASP-AT-001	4.5.1 Credentials transport over an encrypted channel	Credentials transport over an encrypted channel
       OWASP-AT-002	4.5.2 Testing for user enumeration	User enumeration
       OWASP-AT-003	4.5.3 Testing for Guessable (Dictionary) User Account	Guessable user account
       OWASP-AT-004	4.5.3 Brute Force Testing	Brute forcing
       OWASP-AT-005	4.5.4 Testing for bypassing authentication schema	bypassing authentication schema
       OWASP-AT-006	4.5.5 Testing for directory traversal/file include	directory traversal/file include
       OWASP-AT-007	4.5.6 Testing for vulnerable remember password and pwd reset	vulnerable remember password, weak pwd reset
       OWASP-AT-008	4.5.7 Testing for Logout and Browser Cache Management Testing	Logout function not properly implemented, browser cache weakness

Authorization Testing

       OWASP-AZ-001	(new) 4.6.1 Testing for Path Traversal	Path Traversal
       OWASP-AZ-002	(new) 4.6.2 Testing for bypassing authorization schema	Bypassing authorization schema
       OWASP-AZ-003	(new) 4.6.3 Testing for Privilege Escalation	Privilege Escalation

Session Management

       OWASP-SM-001	4.7.1 Testing for Session Management Schema	Bypassing Session Management Schema
       OWASP-SM-002	4.7.2 Test the token strength	Weak Session Token
       OWASP-SM-003	4.7.3 Testing for Cookies attributes	Cookies are set not ‘HTTP Only’, ‘Secure’, and no time validity
       OWASP-SM-004	4.7.4 Testing for Exposed Session Variables	Exposed sensitive session variables
       OWASP-SM-005	4.7.5 Testing for CSRF	CSRF
       OWASP-SM-006	4.7.6 Testing for HTTP Exploit	HTTP Exploit

Data Validation Testing

       OWASP-DV-001	4.8.1 Testing for Reflected Cross Site Scripting	Reflected XSS
       OWASP-DV-002	4.8.2 Testing for Stored Cross Site Scripting	Stored XSS
       OWASP-DV-003	4.8.3 Testing for DOM based Cross Site Scripting	DOM XSS
       OWASP-DV-004	4.8.4 Testing for Cross Site Flashing	Cross Site Flashing
       OWASP-DV-005	SQL Injection	SQL Injection
       OWASP-DV-006	LDAP Injection	LDAP Injection
       OWASP-DV-007	ORM Injection	ORM Injection
       OWASP-DV-008	XML Injection	XML Injection
       OWASP-DV-009	SSI Injection	SSI Injection
       OWASP-DV-010	XPath Injection	XPath Injection
       OWASP-DV-011	IMAP/SMTP Injection	IMAP/SMTP Injection
       OWASP-DV-012	Code Injection	Code Injection
       OWASP-DV-013	OS Commanding	OS Commanding
       OWASP-DV-014	Buffer overflow	Buffer overflow
       OWASP-DV-015	Incubated vulnerability	Incubated vulnerability

Denial of Service Testing

       OWASP-DS-001	Locking Customer Accounts	Locking Customer Accounts
       OWASP-DS-002	User Specified Object Allocation	User Specified Object Allocation
       OWASP-DS-003	User Input as a Loop Counter	User Input as a Loop Counter
       OWASP-DS-004	Writing User Provided Data to Disk	Writing User Provided Data to Disk
       OWASP-DS-005	Failure to Release Resources	Failure to Release Resources
       OWASP-DS-006	Storing too Much Data in Session	Storing too Much Data in Session

Web Services Testing

       OWASP-WS-001	XML Structural Testing	Weak XML Structure
       OWASP-WS-002	XML content-level Testing	XML content-level
       OWASP-WS-003	HTTP GET parameters/REST Testing	WS HTTP GET parameters/REST
       OWASP-WS-004	Naughty SOAP attachments	WS Naughty SOAP attachments
       OWASP-WS-005	Replay Testing	WS Replay Testing

Client Side Testing

       OWASP-CS-001