This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Testing Checklist"
Line 3: | Line 3: | ||
The following is the list of controls to test during the assessment: | The following is the list of controls to test during the assessment: | ||
− | '''Category Ref. Number Test Name Vulnerability''' | + | '''Category - Ref. Number - Test Name - Vulnerability''' |
− | Information Gathering | + | '''Information Gathering ''' <br> |
OWASP-IG-001 4.2.1 Spiders, Robots and Crawlers N.A. | OWASP-IG-001 4.2.1 Spiders, Robots and Crawlers N.A. | ||
+ | |||
OWASP-IG-002 4.2.2 Search Engine Discovery/Reconnaissance N.A. | OWASP-IG-002 4.2.2 Search Engine Discovery/Reconnaissance N.A. | ||
+ | |||
OWASP-IG-003 4.2.3 Identify application entry points N.A. | OWASP-IG-003 4.2.3 Identify application entry points N.A. | ||
+ | |||
OWASP-IG-004 4.2.3 Testing for Web Application Fingerprint N.A. | OWASP-IG-004 4.2.3 Testing for Web Application Fingerprint N.A. | ||
+ | |||
OWASP-IG-005 4.2.4 Application Discovery N.A. | OWASP-IG-005 4.2.4 Application Discovery N.A. | ||
+ | |||
OWASP-IG-006 4.2.5 Analysis of Error Codes Information Disclosure | OWASP-IG-006 4.2.5 Analysis of Error Codes Information Disclosure | ||
− | Configuration Management Testing | + | ''Configuration Management Testing ''' |
+ | |||
OWASP-CM-001 4.3.1 SSL/TLS Testing (SSL Version, Alghoritms, Key lenght, Digital Cert. Validity) SSL Weakness | OWASP-CM-001 4.3.1 SSL/TLS Testing (SSL Version, Alghoritms, Key lenght, Digital Cert. Validity) SSL Weakness | ||
+ | |||
OWASP-CM-002 4.3.2 DB Listener Testing DB Listener weak | OWASP-CM-002 4.3.2 DB Listener Testing DB Listener weak | ||
+ | |||
OWASP-CM-003 4.3.3 Application Configuration Management Testing Configuration management weakness | OWASP-CM-003 4.3.3 Application Configuration Management Testing Configuration management weakness | ||
+ | |||
OWASP-CM-004 4.3.4 Testing for misconfiguration Misconfiguration | OWASP-CM-004 4.3.4 Testing for misconfiguration Misconfiguration | ||
+ | |||
OWASP-CM-005 4.3.5 Testing for File Extensions Handling File extensions handling | OWASP-CM-005 4.3.5 Testing for File Extensions Handling File extensions handling | ||
+ | |||
OWASP-CM-006 4.3.6 Old, backup and unreferenced files Old, backup and unreferenced files | OWASP-CM-006 4.3.6 Old, backup and unreferenced files Old, backup and unreferenced files | ||
+ | |||
OWASP-CM-007 4.3.7 Infrastructure and Application Admin Interfaces Access to Admin interfaces | OWASP-CM-007 4.3.7 Infrastructure and Application Admin Interfaces Access to Admin interfaces | ||
+ | |||
OWASP-CM-008 4.3.8 Testing for HTTP Methods and XST HTTP Methods enabled, XST permitted | OWASP-CM-008 4.3.8 Testing for HTTP Methods and XST HTTP Methods enabled, XST permitted | ||
− | Business logic testing | + | |
+ | '''Business logic testing ''' | ||
+ | |||
OWASP-BL-001 Testing for Business Logic Bypassable business logic | OWASP-BL-001 Testing for Business Logic Bypassable business logic | ||
− | Authentication Testing | + | |
+ | '''Authentication Testing ''' | ||
+ | |||
OWASP-AT-001 4.5.1 Credentials transport over an encrypted channel Credentials transport over an encrypted channel | OWASP-AT-001 4.5.1 Credentials transport over an encrypted channel Credentials transport over an encrypted channel | ||
+ | |||
OWASP-AT-002 4.5.2 Testing for user enumeration User enumeration | OWASP-AT-002 4.5.2 Testing for user enumeration User enumeration | ||
+ | |||
OWASP-AT-003 4.5.3 Testing for Guessable (Dictionary) User Account Guessable user account | OWASP-AT-003 4.5.3 Testing for Guessable (Dictionary) User Account Guessable user account | ||
+ | |||
OWASP-AT-004 4.5.3 Brute Force Testing Brute forcing | OWASP-AT-004 4.5.3 Brute Force Testing Brute forcing | ||
+ | |||
OWASP-AT-005 4.5.4 Testing for bypassing authentication schema bypassing authentication schema | OWASP-AT-005 4.5.4 Testing for bypassing authentication schema bypassing authentication schema | ||
+ | |||
OWASP-AT-006 4.5.5 Testing for directory traversal/file include directory traversal/file include | OWASP-AT-006 4.5.5 Testing for directory traversal/file include directory traversal/file include | ||
+ | |||
OWASP-AT-007 4.5.6 Testing for vulnerable remember password and pwd reset vulnerable remember password, weak pwd reset | OWASP-AT-007 4.5.6 Testing for vulnerable remember password and pwd reset vulnerable remember password, weak pwd reset | ||
− | |||
− | Authorization Testing | + | OWASP-AT-008 4.5.7 Testing for Logout and Browser Cache Management Testing Logout function not properly implemented, browser |
+ | cache weakness | ||
+ | |||
+ | |||
+ | '''Authorization Testing ''' | ||
+ | |||
OWASP-AZ-001 (new)4.6.1 Testing for Path Traversal Path Traversal | OWASP-AZ-001 (new)4.6.1 Testing for Path Traversal Path Traversal | ||
+ | |||
OWASP-AZ-002 (new)4.6.2 Testing for bypassing authorization schema Bypassing authorization schema | OWASP-AZ-002 (new)4.6.2 Testing for bypassing authorization schema Bypassing authorization schema | ||
+ | |||
OWASP-AZ-003 (new)4.6.3 Testing for Privilege Escalation Privilege Escalation | OWASP-AZ-003 (new)4.6.3 Testing for Privilege Escalation Privilege Escalation | ||
− | Session Management | + | |
+ | '''Session Management ''' | ||
+ | |||
OWASP-SM-001 4.7.1 Testing for Session Management Schema Bypassing Session Management Schema | OWASP-SM-001 4.7.1 Testing for Session Management Schema Bypassing Session Management Schema | ||
+ | |||
OWASP-SM-002 4.7.2 Test the token strength Weak Session Token | OWASP-SM-002 4.7.2 Test the token strength Weak Session Token | ||
+ | |||
OWASP-SM-003 4.7.3 Testing for Cookies attributes Cookies are set not ‘HTTP Only’, ‘Secure’, and no time validity | OWASP-SM-003 4.7.3 Testing for Cookies attributes Cookies are set not ‘HTTP Only’, ‘Secure’, and no time validity | ||
+ | |||
OWASP-SM-004 4.7.4 Testing for Exposed Session Variables Exposed sensitive session variables | OWASP-SM-004 4.7.4 Testing for Exposed Session Variables Exposed sensitive session variables | ||
+ | |||
OWASP-SM-005 4.7.5 Testing for CSRF CSRF | OWASP-SM-005 4.7.5 Testing for CSRF CSRF | ||
+ | |||
OWASP-SM-006 4.7.6 Testing for HTTP Exploit HTTP Exploit | OWASP-SM-006 4.7.6 Testing for HTTP Exploit HTTP Exploit | ||
− | Data Validation Testing | + | |
+ | '''Data Validation Testing ''' | ||
+ | |||
OWASP-DV-001 4.8.1 Testing for Reflected Cross Site Scripting Reflected XSS | OWASP-DV-001 4.8.1 Testing for Reflected Cross Site Scripting Reflected XSS | ||
+ | |||
OWASP-DV-002 4.8.2 Testing for Stored Cross Site Scripting Stored XSS | OWASP-DV-002 4.8.2 Testing for Stored Cross Site Scripting Stored XSS | ||
+ | |||
OWASP-DV-003 4.8.3 Testing for DOM based Cross Site Scripting DOM XSS | OWASP-DV-003 4.8.3 Testing for DOM based Cross Site Scripting DOM XSS | ||
+ | |||
OWASP-DV-004 4.8.4 Testing for Cross Site Flashing Cross Site Flashing | OWASP-DV-004 4.8.4 Testing for Cross Site Flashing Cross Site Flashing | ||
+ | |||
OWASP-DV-005 SQL Injection SQL Injection | OWASP-DV-005 SQL Injection SQL Injection | ||
+ | |||
OWASP-DV-006 LDAP Injection LDAP Injection | OWASP-DV-006 LDAP Injection LDAP Injection | ||
+ | |||
OWASP-DV-007 ORM Injection ORM Injection | OWASP-DV-007 ORM Injection ORM Injection | ||
+ | |||
OWASP-DV-008 XML Injection XML Injection | OWASP-DV-008 XML Injection XML Injection | ||
+ | |||
OWASP-DV-009 SSI Injection SSI Injection | OWASP-DV-009 SSI Injection SSI Injection | ||
+ | |||
OWASP-DV-010 XPath Injection XPath Injection | OWASP-DV-010 XPath Injection XPath Injection | ||
+ | |||
OWASP-DV-011 IMAP/SMTP Injection IMAP/SMTP Injection | OWASP-DV-011 IMAP/SMTP Injection IMAP/SMTP Injection | ||
+ | |||
OWASP-DV-012 Code Injection Code Injection | OWASP-DV-012 Code Injection Code Injection | ||
+ | |||
OWASP-DV-013 OS Commanding OS Commanding | OWASP-DV-013 OS Commanding OS Commanding | ||
+ | |||
OWASP-DV-014 Buffer overflow Buffer overflow | OWASP-DV-014 Buffer overflow Buffer overflow | ||
+ | |||
OWASP-DV-015 Incubated vulnerability Incubated vulnerability | OWASP-DV-015 Incubated vulnerability Incubated vulnerability | ||
− | Denial of Service Testing | + | |
+ | '''Denial of Service Testing ''' | ||
+ | |||
OWASP-DS-001 Locking Customer Accounts Locking Customer Accounts | OWASP-DS-001 Locking Customer Accounts Locking Customer Accounts | ||
+ | |||
OWASP-DS-002 User Specified Object Allocation User Specified Object Allocation | OWASP-DS-002 User Specified Object Allocation User Specified Object Allocation | ||
+ | |||
OWASP-DS-003 User Input as a Loop Counter User Input as a Loop Counter | OWASP-DS-003 User Input as a Loop Counter User Input as a Loop Counter | ||
+ | |||
OWASP-DS-004 Writing User Provided Data to Disk Writing User Provided Data to Disk | OWASP-DS-004 Writing User Provided Data to Disk Writing User Provided Data to Disk | ||
+ | |||
OWASP-DS-005 Failure to Release Resources Failure to Release Resources | OWASP-DS-005 Failure to Release Resources Failure to Release Resources | ||
+ | |||
OWASP-DS-006 Storing too Much Data in Session Storing too Much Data in Session | OWASP-DS-006 Storing too Much Data in Session Storing too Much Data in Session | ||
− | Web Services Testing | + | |
+ | '''Web Services Testing ''' | ||
+ | |||
OWASP-WS-001 XML Structural Testing Weak XML Structure | OWASP-WS-001 XML Structural Testing Weak XML Structure | ||
+ | |||
OWASP-WS-002 XML content-level Testing XML content-level | OWASP-WS-002 XML content-level Testing XML content-level | ||
+ | |||
OWASP-WS-003 HTTP GET parameters/REST Testing WS HTTP GET parameters/REST | OWASP-WS-003 HTTP GET parameters/REST Testing WS HTTP GET parameters/REST | ||
+ | |||
OWASP-WS-004 Naughty SOAP attachments WS Naughty SOAP attachments | OWASP-WS-004 Naughty SOAP attachments WS Naughty SOAP attachments | ||
+ | |||
OWASP-WS-005 Replay Testing WS Replay Testing | OWASP-WS-005 Replay Testing WS Replay Testing | ||
− | Client Side Testing | + | |
+ | '''Client Side Testing ''' | ||
+ | |||
OWASP-CS-001 | OWASP-CS-001 |
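Review bot: the added heading for Configuration Management Testing has unbalanced bold markup: it opens with two apostrophes and closes with three (''Configuration Management Testing '''), unlike every other category heading in this change, which opens and closes with '''. Open it with three apostrophes so it renders bold like the rest. The Information Gathering heading is also the only one followed by <br>, while the other headings rely on the added blank lines; use one convention throughout. While these lines are being touched, the unchanged OWASP-CM-001 entry still reads "Alghoritms" and "Key lenght", and the section numbers 4.2.3 (IG-003, IG-004) and 4.5.3 (AT-003, AT-004) each appear on two entries, which is worth checking against the guide's table of contents.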
Revision as of 15:00, 13 August 2008
OWASP Testing Guide v3 Table of Contents
This article is part of the OWASP Testing Guide v3. The entire OWASP Testing Guide v3 can be downloaded here.
OWASP is currently working on the OWASP Testing Guide v4: you can browse the Guide here
The following is the list of controls to test during the assessment:
Category - Ref. Number - Test Name - Vulnerability
Information Gathering
OWASP-IG-001 4.2.1 Spiders, Robots and Crawlers N.A.
OWASP-IG-002 4.2.2 Search Engine Discovery/Reconnaissance N.A.
OWASP-IG-003 4.2.3 Identify application entry points N.A.
OWASP-IG-004 4.2.3 Testing for Web Application Fingerprint N.A.
OWASP-IG-005 4.2.4 Application Discovery N.A.
OWASP-IG-006 4.2.5 Analysis of Error Codes Information Disclosure
Configuration Management Testing
OWASP-CM-001 4.3.1 SSL/TLS Testing (SSL Version, Algorithms, Key length, Digital Cert. Validity) SSL Weakness
OWASP-CM-002 4.3.2 DB Listener Testing DB Listener weak
OWASP-CM-003 4.3.3 Application Configuration Management Testing Configuration management weakness
OWASP-CM-004 4.3.4 Testing for misconfiguration Misconfiguration
OWASP-CM-005 4.3.5 Testing for File Extensions Handling File extensions handling
OWASP-CM-006 4.3.6 Old, backup and unreferenced files Old, backup and unreferenced files
OWASP-CM-007 4.3.7 Infrastructure and Application Admin Interfaces Access to Admin interfaces
OWASP-CM-008 4.3.8 Testing for HTTP Methods and XST HTTP Methods enabled, XST permitted
Business logic testing
OWASP-BL-001 Testing for Business Logic Bypassable business logic
Authentication Testing
OWASP-AT-001 4.5.1 Credentials transport over an encrypted channel Credentials transport over an encrypted channel
OWASP-AT-002 4.5.2 Testing for user enumeration User enumeration
OWASP-AT-003 4.5.3 Testing for Guessable (Dictionary) User Account Guessable user account
OWASP-AT-004 4.5.3 Brute Force Testing Brute forcing
OWASP-AT-005 4.5.4 Testing for bypassing authentication schema bypassing authentication schema
OWASP-AT-006 4.5.5 Testing for directory traversal/file include directory traversal/file include
OWASP-AT-007 4.5.6 Testing for vulnerable remember password and pwd reset vulnerable remember password, weak pwd reset
OWASP-AT-008 4.5.7 Testing for Logout and Browser Cache Management Testing Logout function not properly implemented, browser cache weakness
Authorization Testing
OWASP-AZ-001 (new) 4.6.1 Testing for Path Traversal Path Traversal
OWASP-AZ-002 (new) 4.6.2 Testing for bypassing authorization schema Bypassing authorization schema
OWASP-AZ-003 (new) 4.6.3 Testing for Privilege Escalation Privilege Escalation
Session Management
OWASP-SM-001 4.7.1 Testing for Session Management Schema Bypassing Session Management Schema
OWASP-SM-002 4.7.2 Test the token strength Weak Session Token
OWASP-SM-003 4.7.3 Testing for Cookies attributes Cookies are not set ‘HTTP Only’, ‘Secure’, and have no time validity
OWASP-SM-004 4.7.4 Testing for Exposed Session Variables Exposed sensitive session variables
OWASP-SM-005 4.7.5 Testing for CSRF CSRF
OWASP-SM-006 4.7.6 Testing for HTTP Exploit HTTP Exploit
Data Validation Testing
OWASP-DV-001 4.8.1 Testing for Reflected Cross Site Scripting Reflected XSS
OWASP-DV-002 4.8.2 Testing for Stored Cross Site Scripting Stored XSS
OWASP-DV-003 4.8.3 Testing for DOM based Cross Site Scripting DOM XSS
OWASP-DV-004 4.8.4 Testing for Cross Site Flashing Cross Site Flashing
OWASP-DV-005 SQL Injection SQL Injection
OWASP-DV-006 LDAP Injection LDAP Injection
OWASP-DV-007 ORM Injection ORM Injection
OWASP-DV-008 XML Injection XML Injection
OWASP-DV-009 SSI Injection SSI Injection
OWASP-DV-010 XPath Injection XPath Injection
OWASP-DV-011 IMAP/SMTP Injection IMAP/SMTP Injection
OWASP-DV-012 Code Injection Code Injection
OWASP-DV-013 OS Commanding OS Commanding
OWASP-DV-014 Buffer overflow Buffer overflow
OWASP-DV-015 Incubated vulnerability Incubated vulnerability
Denial of Service Testing
OWASP-DS-001 Locking Customer Accounts Locking Customer Accounts
OWASP-DS-002 User Specified Object Allocation User Specified Object Allocation
OWASP-DS-003 User Input as a Loop Counter User Input as a Loop Counter
OWASP-DS-004 Writing User Provided Data to Disk Writing User Provided Data to Disk
OWASP-DS-005 Failure to Release Resources Failure to Release Resources
OWASP-DS-006 Storing too Much Data in Session Storing too Much Data in Session
Web Services Testing
OWASP-WS-001 XML Structural Testing Weak XML Structure
OWASP-WS-002 XML content-level Testing XML content-level
OWASP-WS-003 HTTP GET parameters/REST Testing WS HTTP GET parameters/REST
OWASP-WS-004 Naughty SOAP attachments WS Naughty SOAP attachments
OWASP-WS-005 Replay Testing WS Replay Testing
Client Side Testing
OWASP-CS-001