This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "OWASP Common Numbering Project"
From OWASP
Bradcausey (talk | contribs) (Undo revision 76165 by Bradcausey (Talk)) |
Bradcausey (talk | contribs) |
||
Line 34: | Line 34: | ||
|- | |- | ||
| <center>'''Information Gathering'''</center> | | <center>'''Information Gathering'''</center> | ||
+ | |- | ||
| OWASP-IG-001 | | OWASP-IG-001 | ||
| Spiders, Robots and Crawlers - | | Spiders, Robots and Crawlers - | ||
− | |||
− | |||
| | | | ||
+ | | | ||
|- | |- | ||
| OWASP-IG-002 | | OWASP-IG-002 | ||
| Search Engine Discovery/Reconnaissance | | Search Engine Discovery/Reconnaissance | ||
| | | | ||
+ | | | ||
|- | |- | ||
| OWASP-IG-003 | | OWASP-IG-003 | ||
| Identify application entry points | | Identify application entry points | ||
| | | | ||
+ | | | ||
|- | |- | ||
| OWASP-IG-004 | | OWASP-IG-004 | ||
| Testing for Web Application Fingerprint | | Testing for Web Application Fingerprint | ||
| | | | ||
+ | | | ||
|- | |- | ||
| OWASP-IG-005 | | OWASP-IG-005 | ||
| Application Discovery | | Application Discovery | ||
| | | | ||
+ | | | ||
|- | |- | ||
| OWASP-IG-006 | | OWASP-IG-006 | ||
| Analysis of Error Codes | | Analysis of Error Codes | ||
| | | | ||
+ | | | ||
|- | |- | ||
| <center>'''Configuration Management Testing'''</center> | | <center>'''Configuration Management Testing'''</center> | ||
Line 64: | Line 69: | ||
| SSL/TLS Testing (SSL Version, Algorithms, Key length, Digital Cert. Validity) | | SSL/TLS Testing (SSL Version, Algorithms, Key length, Digital Cert. Validity) | ||
| | | | ||
+ | | | ||
|- | |- | ||
| OWASP-CM-002 | | OWASP-CM-002 | ||
| DB Listener Testing | | DB Listener Testing | ||
| | | | ||
+ | | | ||
|- | |- | ||
| OWASP-CM-003 | | OWASP-CM-003 | ||
| Infrastructure Configuration Management Testing | | Infrastructure Configuration Management Testing | ||
| | | | ||
+ | | | ||
|- | |- | ||
| OWASP-CM-004 | | OWASP-CM-004 | ||
| Application Configuration Management Testing | | Application Configuration Management Testing | ||
| | | | ||
+ | | | ||
|- | |- | ||
| OWASP-CM-005 | | OWASP-CM-005 | ||
| Testing for File Extensions Handling | | Testing for File Extensions Handling | ||
| | | | ||
+ | | | ||
|- | |- | ||
| OWASP-CM-006 | | OWASP-CM-006 | ||
| Old, backup and unreferenced files | | Old, backup and unreferenced files | ||
| | | | ||
+ | | | ||
|- | |- | ||
| OWASP-CM-007 | | OWASP-CM-007 | ||
| Infrastructure and Application Admin Interfaces | | Infrastructure and Application Admin Interfaces | ||
| | | | ||
+ | | | ||
|- | |- | ||
| OWASP-CM-008 | | OWASP-CM-008 | ||
| Testing for HTTP Methods and XST | | Testing for HTTP Methods and XST | ||
| | | | ||
+ | | | ||
|- | |- | ||
| '''Authentication Testing''' | | '''Authentication Testing''' | ||
Line 97: | Line 110: | ||
| Credentials transport over an encrypted channel | | Credentials transport over an encrypted channel | ||
| | | | ||
+ | | | ||
|- | |- | ||
| OWASP-AT-002 | | OWASP-AT-002 | ||
| Testing for user enumeration | | Testing for user enumeration | ||
| | | | ||
+ | | | ||
|- | |- | ||
| OWASP-AT-003 | | OWASP-AT-003 | ||
| Testing for Guessable (Dictionary) User Account | | Testing for Guessable (Dictionary) User Account | ||
− | | | + | | |
+ | | | ||
|- | |- | ||
| OWASP-AT-004 | | OWASP-AT-004 | ||
| Brute Force Testing | | Brute Force Testing | ||
− | | | + | | |
+ | | | ||
|- | |- | ||
| OWASP-AT-005 | | OWASP-AT-005 | ||
| Testing for bypassing authentication schema | | Testing for bypassing authentication schema | ||
− | | | + | | |
+ | | | ||
|- | |- | ||
| OWASP-AT-006 | | OWASP-AT-006 | ||
| Testing for vulnerable remember password and pwd reset | | Testing for vulnerable remember password and pwd reset | ||
− | | | + | | |
+ | | | ||
|- | |- | ||
| OWASP-AT-007 | | OWASP-AT-007 | ||
| Testing for Logout and Browser Cache Management | | Testing for Logout and Browser Cache Management | ||
− | | | + | | |
+ | | | ||
|- | |- | ||
| OWASP-AT-008 | | OWASP-AT-008 | ||
| Testing for CAPTCHA | | Testing for CAPTCHA | ||
− | | | + | | |
+ | | | ||
|- | |- | ||
| OWASP-AT-009 | | OWASP-AT-009 | ||
| Testing Multiple Factors Authentication | | Testing Multiple Factors Authentication | ||
− | | | + | | |
+ | | | ||
|- | |- | ||
| OWASP-AT-010 | | OWASP-AT-010 | ||
| Testing for Race Conditions | | Testing for Race Conditions | ||
− | | | + | | |
+ | | | ||
|- | |- | ||
| '''Session Management''' | | '''Session Management''' | ||
| OWASP-SM-001 | | OWASP-SM-001 | ||
| Testing for Session Management Schema | | Testing for Session Management Schema | ||
− | | | + | | |
+ | | | ||
|- | |- | ||
| OWASP-SM-002 | | OWASP-SM-002 | ||
Line 143: | Line 167: | ||
<br> | <br> | ||
− | | | + | | |
+ | | | ||
|- | |- | ||
| OWASP-SM-003 | | OWASP-SM-003 | ||
| Testing for Session Fixation | | Testing for Session Fixation | ||
− | | | + | | |
+ | | | ||
|- | |- | ||
| OWASP-SM-004 | | OWASP-SM-004 | ||
| Testing for Exposed Session Variables | | Testing for Exposed Session Variables | ||
− | | | + | | |
+ | | | ||
|- | |- | ||
| OWASP-SM-005 | | OWASP-SM-005 | ||
| Testing for CSRF | | Testing for CSRF | ||
− | | | + | | |
+ | | | ||
|- | |- | ||
| <center>'''Authorization Testing'''</center> | | <center>'''Authorization Testing'''</center> | ||
Line 162: | Line 190: | ||
<br> | <br> | ||
− | | | + | | |
+ | | | ||
|- | |- | ||
| OWASP-AZ-002 | | OWASP-AZ-002 | ||
Line 168: | Line 197: | ||
<br> | <br> | ||
− | | | + | | |
+ | | | ||
|- | |- | ||
| OWASP-AZ-003 | | OWASP-AZ-003 | ||
| Testing for Privilege Escalation | | Testing for Privilege Escalation | ||
− | | | + | | |
+ | | | ||
|- | |- | ||
| <center>'''Business logic testing'''</center> | | <center>'''Business logic testing'''</center> | ||
| OWASP-BL-001 | | OWASP-BL-001 | ||
| Testing for business logic | | Testing for business logic | ||
− | | | + | | |
+ | | | ||
|- | |- | ||
| <center>'''Data Validation Testing'''</center> | | <center>'''Data Validation Testing'''</center> | ||
| OWASP-DV-001 | | OWASP-DV-001 | ||
| Testing for Reflected Cross Site Scripting | | Testing for Reflected Cross Site Scripting | ||
− | | | + | | |
+ | | | ||
|- | |- | ||
| OWASP-DV-002 | | OWASP-DV-002 | ||
| Testing for Stored Cross Site Scripting | | Testing for Stored Cross Site Scripting | ||
− | | | + | | |
+ | | | ||
|- | |- | ||
| OWASP-DV-003 | | OWASP-DV-003 | ||
| Testing for DOM based Cross Site Scripting | | Testing for DOM based Cross Site Scripting | ||
− | | | + | | |
+ | | | ||
|- | |- | ||
| OWASP-DV-004 | | OWASP-DV-004 | ||
| Testing for Cross Site Flashing | | Testing for Cross Site Flashing | ||
− | | | + | | |
+ | | | ||
|- | |- | ||
| OWASP-DV-005 | | OWASP-DV-005 | ||
| SQL Injection | | SQL Injection | ||
− | | | + | | |
+ | | | ||
|- | |- | ||
| OWASP-DV-006 | | OWASP-DV-006 | ||
| LDAP Injection | | LDAP Injection | ||
− | | | + | | |
+ | | | ||
|- | |- | ||
| OWASP-DV-007 | | OWASP-DV-007 | ||
| ORM Injection | | ORM Injection | ||
− | | | + | | |
+ | | | ||
|- | |- | ||
| OWASP-DV-008 | | OWASP-DV-008 | ||
| XML Injection | | XML Injection | ||
− | | | + | | |
+ | | | ||
|- | |- | ||
| OWASP-DV-009 | | OWASP-DV-009 | ||
| SSI Injection | | SSI Injection | ||
− | | | + | | |
+ | | | ||
|- | |- | ||
| OWASP-DV-010 | | OWASP-DV-010 | ||
| XPath Injection | | XPath Injection | ||
− | | | + | | |
+ | | | ||
|- | |- | ||
| OWASP-DV-011 | | OWASP-DV-011 | ||
| IMAP/SMTP Injection | | IMAP/SMTP Injection | ||
− | | | + | | |
+ | | | ||
|- | |- | ||
| OWASP-DV-012 | | OWASP-DV-012 | ||
| Code Injection | | Code Injection | ||
− | | | + | | |
+ | | | ||
|- | |- | ||
| OWASP-DV-013 | | OWASP-DV-013 | ||
| OS Commanding | | OS Commanding | ||
− | | | + | | |
+ | | | ||
|- | |- | ||
| OWASP-DV-014 | | OWASP-DV-014 | ||
| Buffer overflow | | Buffer overflow | ||
− | | | + | | |
+ | | | ||
|- | |- | ||
| OWASP-DV-015 | | OWASP-DV-015 | ||
| Incubated vulnerability Testing | | Incubated vulnerability Testing | ||
− | | | + | | |
+ | | | ||
|- | |- | ||
| OWASP-DV-016 | | OWASP-DV-016 | ||
Line 244: | Line 291: | ||
<br> | <br> | ||
− | | | + | | |
+ | | | ||
|- | |- | ||
| <center>'''Denial of Service Testing'''</center> | | <center>'''Denial of Service Testing'''</center> | ||
| OWASP-DS-001 | | OWASP-DS-001 | ||
| Testing for SQL Wildcard Attacks | | Testing for SQL Wildcard Attacks | ||
− | | | + | | |
+ | | | ||
|- | |- | ||
| OWASP-DS-002 | | OWASP-DS-002 | ||
| Locking Customer Accounts | | Locking Customer Accounts | ||
− | | | + | | |
+ | | | ||
|- | |- | ||
| OWASP-DS-003 | | OWASP-DS-003 | ||
| Testing for DoS Buffer Overflows | | Testing for DoS Buffer Overflows | ||
− | | | + | | |
+ | | | ||
|- | |- | ||
| OWASP-DS-004 | | OWASP-DS-004 | ||
| User Specified Object Allocation | | User Specified Object Allocation | ||
− | | | + | | |
+ | | | ||
|- | |- | ||
| OWASP-DS-005 | | OWASP-DS-005 | ||
| User Input as a Loop Counter | | User Input as a Loop Counter | ||
− | | | + | | |
+ | | | ||
|- | |- | ||
| OWASP-DS-006 | | OWASP-DS-006 | ||
| Writing User Provided Data to Disk | | Writing User Provided Data to Disk | ||
− | | | + | | |
+ | | | ||
|- | |- | ||
| OWASP-DS-007 | | OWASP-DS-007 | ||
| Failure to Release Resources | | Failure to Release Resources | ||
− | | | + | | |
+ | | | ||
|- | |- | ||
| OWASP-DS-008 | | OWASP-DS-008 | ||
| Storing too Much Data in Session | | Storing too Much Data in Session | ||
− | | | + | | |
+ | | | ||
|- | |- | ||
| <center>'''Web Services Testing'''</center> | | <center>'''Web Services Testing'''</center> | ||
| OWASP-WS-001 | | OWASP-WS-001 | ||
| WS Information Gathering | | WS Information Gathering | ||
− | | | + | | |
+ | | | ||
|- | |- | ||
| OWASP-WS-002 | | OWASP-WS-002 | ||
| Testing WSDL | | Testing WSDL | ||
− | | | + | | |
+ | | | ||
|- | |- | ||
| OWASP-WS-003 | | OWASP-WS-003 | ||
| XML Structural Testing | | XML Structural Testing | ||
− | | | + | | |
+ | | | ||
|- | |- | ||
| OWASP-WS-004 | | OWASP-WS-004 | ||
| XML content-level Testing | | XML content-level Testing | ||
− | | | + | | |
+ | | | ||
|- | |- | ||
| OWASP-WS-005 | | OWASP-WS-005 | ||
| HTTP GET parameters/REST Testing | | HTTP GET parameters/REST Testing | ||
− | | | + | | |
+ | | | ||
|- | |- | ||
| OWASP-WS-006 | | OWASP-WS-006 | ||
| Naughty SOAP attachments | | Naughty SOAP attachments | ||
− | | | + | | |
+ | | | ||
|- | |- | ||
| OWASP-WS-007 | | OWASP-WS-007 | ||
| Replay Testing | | Replay Testing | ||
− | | | + | | |
+ | | | ||
|- | |- | ||
| <center>'''AJAX Testing'''</center> | | <center>'''AJAX Testing'''</center> | ||
| OWASP-AJ-001 | | OWASP-AJ-001 | ||
| AJAX Vulnerabilities | | AJAX Vulnerabilities | ||
− | | | + | | |
+ | | | ||
|- | |- | ||
| OWASP-AJ-002 | | OWASP-AJ-002 | ||
| AJAX Testing | | AJAX Testing | ||
− | | | + | | |
+ | | | ||
|} | |} | ||
Revision as of 16:11, 13 January 2010
Introduction
Here is the generally agreed-upon new numbering scheme. Additional explanatory text coming soon. Questions/Comments? Email Mike.
OWASP-06 OWASP-06-DEPRECATED OWASP-0604 OWASP-0604-DEPRECATED OWASP-0604-DG OWASP-0604-DG-01 OWASP-0604-TG OWASP-0604-TG-DV-005 OWASP-0604-TG-DV-005-DEPRECATED
0123456789012345678901234567890123456789 1 2 3
- 0-4 OWASP
- 6-7 Detailed requirement identifier (major)
- 8-9 Detailed requirement identifier (minor)
- 11-12 Document code (DG=Development Guide, TG=Testing Guide, CG=Code Review Guide, AR, ED, RM, OR, others reserved)
- 14-40 (Optional: DEPRECATED, or # for iterations, or legacy identifiers)
Mapping to Legacy Testing Guide IDs
|
|
|
| |
| ||||
OWASP-IG-001 | Spiders, Robots and Crawlers - | |||
OWASP-IG-002 | Search Engine Discovery/Reconnaissance | |||
OWASP-IG-003 | Identify application entry points | |||
OWASP-IG-004 | Testing for Web Application Fingerprint | |||
OWASP-IG-005 | Application Discovery | |||
OWASP-IG-006 | Analysis of Error Codes | |||
|
OWASP-CM-001 | SSL/TLS Testing (SSL Version, Algorithms, Key length, Digital Cert. Validity) | ||
OWASP-CM-002 | DB Listener Testing | |||
OWASP-CM-003 | Infrastructure Configuration Management Testing | |||
OWASP-CM-004 | Application Configuration Management Testing | |||
OWASP-CM-005 | Testing for File Extensions Handling | |||
OWASP-CM-006 | Old, backup and unreferenced files | |||
OWASP-CM-007 | Infrastructure and Application Admin Interfaces | |||
OWASP-CM-008 | Testing for HTTP Methods and XST | |||
Authentication Testing | OWASP-AT-001 | Credentials transport over an encrypted channel | ||
OWASP-AT-002 | Testing for user enumeration | |||
OWASP-AT-003 | Testing for Guessable (Dictionary) User Account | |||
OWASP-AT-004 | Brute Force Testing | |||
OWASP-AT-005 | Testing for bypassing authentication schema | |||
OWASP-AT-006 | Testing for vulnerable remember password and pwd reset | |||
OWASP-AT-007 | Testing for Logout and Browser Cache Management | |||
OWASP-AT-008 | Testing for CAPTCHA | |||
OWASP-AT-009 | Testing Multiple Factors Authentication | |||
OWASP-AT-010 | Testing for Race Conditions | |||
Session Management | OWASP-SM-001 | Testing for Session Management Schema | ||
OWASP-SM-002 | Testing for Cookies attributes
|
|||
OWASP-SM-003 | Testing for Session Fixation | |||
OWASP-SM-004 | Testing for Exposed Session Variables | |||
OWASP-SM-005 | Testing for CSRF | |||
|
OWASP-AZ-001 | Testing for Path Traversal
|
||
OWASP-AZ-002 | Testing for bypassing authorization schema
|
|||
OWASP-AZ-003 | Testing for Privilege Escalation | |||
|
OWASP-BL-001 | Testing for business logic | ||
|
OWASP-DV-001 | Testing for Reflected Cross Site Scripting | ||
OWASP-DV-002 | Testing for Stored Cross Site Scripting | |||
OWASP-DV-003 | Testing for DOM based Cross Site Scripting | |||
OWASP-DV-004 | Testing for Cross Site Flashing | |||
OWASP-DV-005 | SQL Injection | |||
OWASP-DV-006 | LDAP Injection | |||
OWASP-DV-007 | ORM Injection | |||
OWASP-DV-008 | XML Injection | |||
OWASP-DV-009 | SSI Injection | |||
OWASP-DV-010 | XPath Injection | |||
OWASP-DV-011 | IMAP/SMTP Injection | |||
OWASP-DV-012 | Code Injection | |||
OWASP-DV-013 | OS Commanding | |||
OWASP-DV-014 | Buffer overflow | |||
OWASP-DV-015 | Incubated vulnerability Testing | |||
OWASP-DV-016 | Testing for HTTP Splitting/Smuggling
|
|||
|
OWASP-DS-001 | Testing for SQL Wildcard Attacks | ||
OWASP-DS-002 | Locking Customer Accounts | |||
OWASP-DS-003 | Testing for DoS Buffer Overflows | |||
OWASP-DS-004 | User Specified Object Allocation | |||
OWASP-DS-005 | User Input as a Loop Counter | |||
OWASP-DS-006 | Writing User Provided Data to Disk | |||
OWASP-DS-007 | Failure to Release Resources | |||
OWASP-DS-008 | Storing too Much Data in Session | |||
|
OWASP-WS-001 | WS Information Gathering | ||
OWASP-WS-002 | Testing WSDL | |||
OWASP-WS-003 | XML Structural Testing | |||
OWASP-WS-004 | XML content-level Testing | |||
OWASP-WS-005 | HTTP GET parameters/REST Testing | |||
OWASP-WS-006 | Naughty SOAP attachments | |||
OWASP-WS-007 | Replay Testing | |||
|
OWASP-AJ-001 | AJAX Vulnerabilities | ||
OWASP-AJ-002 | AJAX Testing |
References
- adding the (release) year into the numbering scheme can be problematic, because the document has a life cycle that goes over years ....
- One should rather try to accommodate a versioning scheme that is human readable in the reference number as well (e.g. V02, or RevA, or...)
- don't try to encode any information into the ID that is likely to change or be subject to debate. In the olden days of CVE, we used to have "CAN-1999-0067" which would change into "CVE-1999-0067" once the item was considered stable and sufficiently verified. That made the ID hard to use. Right now, OWASP-DV-001 encodes the term "data validation" in the DV acronym, but what happens if in a couple of years, some new and better term occurs, or the focus changes from validation to something else? (As an example, it's only recently that the "data validation" term itself has become popular.)
- carefully consider the range of values that your ID space supports, and if possible, allow it to expand. CVE has a "CVE-10K" problem because we never expected that we would ever come close to tracking 10,000 vulnerabilities a year. Red Hat had to change their advisory numbering scheme a couple years ago. etc.
- don't change the fundamental meaning of the ID once you've assigned it. This causes confusion, and more importantly, it immediately invalidates almost everyone's mappings to that ID - including people who you don't even know are using that ID.
- closely monitor the mappings that get made. Typos and misunderstandings are rarely caught. People may make assumptions about what "the item" really is, based only on a quick scan of a short name or title. Since you're dealing with diverse sources, there are likely to be many-to-many relationships in dealing with mappings.
- determine some kind of procedure for handling duplicates. They're gonna happen.
- the more you distribute the process of creating and assigning IDs between multiple people, the more inconsistencies and duplicates you will wind up with. This may be unavoidable, since the job is usually bigger than one person.
- determine some kind of procedure for deprecating IDs, i.e., "retiring" them and discouraging their use by others. This will probably happen for reasons other than duplicates. There should be some final record, somewhere, of what happened to the deprecated item - i.e., it shouldn't just disappear off the face of the earth.
Much of the discussion surrounding the establishment of "Common OWASP Numbering" can be found on the various OWASP mailing lists. (For your convenience here is a direct link to the OWASP Testing Guide Mailing List Archive.)