This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Testing Checklist
OWASP Testing Guide v3 Table of Contents
This article is part of the OWASP Testing Guide v3. The entire OWASP Testing Guide v3 can be downloaded here.
OWASP at the moment is working at the OWASP Testing Guide v4: you can browse the Guide here
The following is the list of controls to test during the assessment:
Category - Ref. Number - Test Name - Vulnerability
Information Gathering
OWASP-IG-001 - 4.2.1 Spiders, Robots and Crawlers - N.A.
OWASP-IG-002 - 4.2.2 Search Engine Discovery/Reconnaissance - N.A.
OWASP-IG-003 - 4.2.3 Identify application entry points - N.A.
OWASP-IG-004 - 4.2.3 Testing for Web Application Fingerprint - N.A.
OWASP-IG-005 - 4.2.4 Application Discovery - N.A.
OWASP-IG-006 - 4.2.5 Analysis of Error Codes - Information Disclosure
Configuration Management Testing
OWASP-CM-001 - 4.3.1 SSL/TLS Testing (SSL Version, Alghoritms, Key lenght, Digital Cert. Validity) - SSL Weakness
OWASP-CM-002 - 4.3.2 DB Listener Testing - DB Listener weak
OWASP-CM-003 - 4.3.3 Infrastructure Configuration Management Testing - Infrastructure Configuration management weakness
OWASP-CM-004 - 4.3.4 Application Configuration Management Testing - Application Configuration management weakness
OWASP-CM-005 - 4.3.5 Testing for File Extensions Handling - File extensions handling
OWASP-CM-006 - 4.3.6 Old, backup and unreferenced files - Old, backup and unreferenced files
OWASP-CM-007 - 4.3.7 Infrastructure and Application Admin Interfaces - Access to Admin interfaces
OWASP-CM-008 - 4.3.8 Testing for HTTP Methods and XST - HTTP Methods enabled, XST permitted, HTTP Verb
Business logic testing
OWASP-BL-001 - 4.4 Testing for Business Logic - Bypassable business logic
Authentication Testing
OWASP-AT-001 - 4.5.1 Credentials transport over an encrypted channel - Credentials transport over an encrypted channel
OWASP-AT-002 - 4.5.2 Testing for user enumeration - User enumeration
OWASP-AT-003 - 4.5.3 Testing for Guessable (Dictionary) User Account - Guessable user account
OWASP-AT-004 - 4.5.4 Brute Force Testing - Credentials Brute forcing
OWASP-AT-005 - 4.5.5 Testing for bypassing authentication schema - Bypassing authentication schema
OWASP-AT-006 - 4.5.6 Testing for vulnerable remember password and pwd reset - Vulnerable remember password, weak pwd reset
OWASP-AT-007 - 4.5.7 Testing for Logout and Browser Cache Management - - Logout function not properly implemented, browser cache weakness
OWASP-AT-008 - 4.5.8 Testing for CAPTCHA - Weak Captcha implementation
OWASP-AT-009 - 4.5.9 Testing Multiple Factors Authentication - Weak Multiple Factors Authentication
OWASP-AT-010 - 4.5.10 Testing for Race Conditions - Race Conditions vulnerability
Authorization Testing
OWASP-AZ-001 - 4.6.1 Testing for Path Traversal - Path Traversal
OWASP-AZ-002 - 4.6.2 Testing for bypassing authorization schema - Bypassing authorization schema
OWASP-AZ-003 - 4.6.3 Testing for Privilege Escalation - Privilege Escalation
Session Management
OWASP-SM-001 - 4.7.1 Testing for Session Management Schema - Bypassing Session Management Schema, Weak Session Token
OWASP-SM-002 - 4.7.2 Testing for Cookies attributes - Cookies are set not ‘HTTP Only’, ‘Secure’, and no time validity
OWASP-SM-003 - 4.7.3 Testing for Session Fixation - Session Fixation
OWASP-SM-004 - 4.7.4 Testing for Exposed Session Variables - Exposed sensitive session variables
OWASP-SM-005 - 4.7.5 Testing for CSRF - CSRF
OWASP-SM-006 - 4.7.6 Testing for HTTP Exploit - HTTP Splitting, Smuggling
Data Validation Testing
OWASP-DV-001 - 4.8.1 Testing for Reflected Cross Site Scripting - Reflected XSS
OWASP-DV-002 - 4.8.2 Testing for Stored Cross Site Scripting - Stored XSS
OWASP-DV-003 - 4.8.3 Testing for DOM based Cross Site Scripting - DOM XSS
OWASP-DV-004 - 4.8.4 Testing for Cross Site Flashing - Cross Site Flashing
OWASP-DV-005 - 4.8.5 SQL Injection - SQL Injection
OWASP-DV-006 - 4.8.6 LDAP Injection - LDAP Injection
OWASP-DV-007 - 4.8.7 ORM Injection - ORM Injection
OWASP-DV-008 - 4.8.8 XML Injection - XML Injection
OWASP-DV-009 - 4.8.9 SSI Injection - SSI Injection
OWASP-DV-010 - 4.8.10 XPath Injection - XPath Injection
OWASP-DV-011 - 4.8.11 IMAP/SMTP Injection - IMAP/SMTP Injection
OWASP-DV-012 - 4.8.12 Code Injection - Code Injection
OWASP-DV-013 - 4.8.13 OS Commanding - OS Commanding
OWASP-DV-014 - 4.8.14 Buffer overflow - Buffer overflow
OWASP-DV-015 - 4.8.15 Incubated vulnerability - Incubated vulnerability
Denial of Service Testing
OWASP-DS-001 - 4.9.1 Testing for SQL Wildcard Attacks - SQL Wildcard vulnerability
OWASP-DS-002 - 4.9.2 Locking Customer Accounts - Locking Customer Accounts
OWASP-DS-003 - 4.9.3 Testing for DoS Buffer Overflows - Buffer Overflows
OWASP-DS-004 - 4.9.4 User Specified Object Allocation - User Specified Object Allocation
OWASP-DS-005 - 4.9.5 User Input as a Loop Counter - User Input as a Loop Counter
OWASP-DS-006 - 4.9.6 Writing User Provided Data to Disk - Writing User Provided Data to Disk
OWASP-DS-007 - 4.9.7 Failure to Release Resources - Failure to Release Resources
OWASP-DS-008 - 4.9.8 Storing too Much Data in Session - Storing too Much Data in Session
Web Services Testing
OWASP-WS-001 - 4.10.1 WS Information Gathering - N.A.
OWASP-WS-002 - 4.10.2 Testing WSDL - WSDL Weakness
OWASP-WS-003 - 4.10.3 XML Structural Testing - Weak XML Structure
OWASP-WS-004 - 4.10.4 XML content-level Testing - XML content-level
OWASP-WS-005 - 4.10.5 HTTP GET parameters/REST Testing - WS HTTP GET parameters/REST
OWASP-WS-006 - 4.10.6 Naughty SOAP attachments - WS Naughty SOAP attachments
OWASP-WS-007 - 4.10.7 Replay Testing - WS Replay Testing
Ajax Testing
OWASP-AJ-001 - 4.11.1 AJAX Vulnerabilities - N.A.
OWASP-AJ-002 - 4.11.2 AJAX Testing - AJAX weakness
