
Difference between revisions of "Testing Checklist"

From OWASP
Line 24: Line 24:
 
| 4.2.6||OTG-INFO-006||Identify application entry points
 
| 4.2.6||OTG-INFO-006||Identify application entry points
 
|-
 
|-
| 4.2.8||OTG-INFO-008||Map execution paths through application
+
| 4.2.7||OTG-INFO-008||Map execution paths through application
 
|-
 
|-
| 4.2.9||OTG-INFO-009||Fingerprint Web Application Framework
+
| 4.2.8||OTG-INFO-009||Fingerprint Web Application Framework
 
|-
 
|-
| 4.2.10||OTG-INFO-010||Fingerprint Web Application
+
| 4.2.9||OTG-INFO-010||Fingerprint Web Application
 
|-
 
|-
| 4.2.11||OTG-INFO-011||Map Network and Application Architecture
+
| 4.2.10||OTG-INFO-011||Map Network and Application Architecture
 
|-
 
|-
 
| ||||
 
| ||||
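Review bot: the renumbering of 4.2.8 to 4.2.11 down to 4.2.7 to 4.2.10 puts the reference numbers out of step with the OTG-INFO suffixes (4.2.7 now carries OTG-INFO-008) because no row carries OTG-INFO-007 in either version, the old table already jumping from 4.2.6 to 4.2.8. If that identifier was retired on purpose, a one-line note in the checklist would stop readers hunting the guide for a missing test.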
Line 42: Line 42:
 
| 4.3.3||OTG-CONFIG-003||Test File Extensions Handling for Sensitive Information
 
| 4.3.3||OTG-CONFIG-003||Test File Extensions Handling for Sensitive Information
 
|-
 
|-
| 4.3.4||OTG-CONFIG-003|| Backup and Unreferenced Files for Sensitive Information
+
| 4.3.4||OTG-CONFIG-004|| Backup and Unreferenced Files for Sensitive Information
 
|-
 
|-
 
| 4.3.5||OTG-CONFIG-005||Enumerate Infrastructure and Application Admin Interfaces
 
| 4.3.5||OTG-CONFIG-005||Enumerate Infrastructure and Application Admin Interfaces
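Review bot: the 4.3.4 row still has a stray leading space in "|| Backup and Unreferenced Files for Sensitive Information", unlike the neighbouring cells; since this hunk already touches the line to correct the identifier duplicated from 4.3.3 (OTG-CONFIG-003, now OTG-CONFIG-004), trim the space here as well.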
Line 48: Line 48:
 
| 4.3.6||OTG-CONFIG-006||Test HTTP Methods
 
| 4.3.6||OTG-CONFIG-006||Test HTTP Methods
 
|-
 
|-
| 4.3.7||OTG-CONFIG-007||Testing for Database credentials/connection strings available
+
| 4.3.7||OTG-CONFIG-009||Test HTTP Strict Transport Security
 
|-
 
|-
| 4.3.8||OTG-CONFIG-008||Test Content Security Policy
+
| 4.3.8||OTG-CONFIG-011||Test RIA cross domain policy
|-
 
| 4.3.9||OTG-CONFIG-009||Test HTTP Strict Transport Security
 
|-
 
| 4.3.10||OTG-CONFIG-010||Test Frame Options
 
|-
 
| 4.3.11||OTG-CONFIG-011||Test RIA cross domain policy
 
|-
 
| 4.3.12||OTG-CONFIG-012||Test Content Type Options
 
 
|-
 
|-
 
| ||||
 
| ||||
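Review bot: four configuration tests are removed here without replacement: OTG-CONFIG-007 (database credentials/connection strings), OTG-CONFIG-008 (Content Security Policy), OTG-CONFIG-010 (Frame Options) and OTG-CONFIG-012 (Content Type Options), so 4.3.7 and 4.3.8 now carry OTG-CONFIG-009 and OTG-CONFIG-011 and the section ends with a gap. If these were merged into other tests, say where; if they were dropped, the checklist no longer has any row covering the browser security response headers, which is what a tester will look for in this section.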
Line 77: Line 69:
 
|-
 
|-
 
| 4.4.7||OTG-IDENT-007||Test Account Suspension/Resumption Process
 
| 4.4.7||OTG-IDENT-007||Test Account Suspension/Resumption Process
|-
 
| 4.4.8||OTG-IDENT-008||Test User Deregistration Process
 
|-
 
| 4.4.9||OTG-IDENT-009 ||Test Account Deregistration Process
 
 
|-
 
|-
 
| ||||
 
| ||||
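Review bot: both deregistration rows (4.4.8 "Test User Deregistration Process", OTG-IDENT-008, and 4.4.9 "Test Account Deregistration Process", OTG-IDENT-009) are deleted; they read as duplicates of one another, so collapsing them into a single OTG-IDENT-008 row would have been the smaller change unless deregistration testing was deliberately cut from the guide.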
Line 110: Line 98:
 
| 4.6||||'''Authorization Testing'''
 
| 4.6||||'''Authorization Testing'''
 
|-
 
|-
| 4.6.1||OTG-AUTHZ-001||Test Management of Account Permissions
+
| 4.6.1||OTG-AUTHZ-002||Testing Directory traversal/file include
 
|-
 
|-
| 4.6.2||OTG-AUTHZ-002||Testing Directory traversal/file include
+
| 4.6.2||OTG-AUTHZ-003||Testing for bypassing authorization schema
 
|-
 
|-
| 4.6.3||OTG-AUTHZ-003||Testing for bypassing authorization schema
+
| 4.6.3||OTG-AUTHZ-004||Testing for Privilege Escalation
 
|-
 
|-
| 4.6.4||OTG-AUTHZ-004||Testing for Privilege Escalation
+
| 4.6.4||OTG-AUTHZ-005||Testing for Insecure Direct Object References
|-
 
| 4.6.5||OTG-AUTHZ-005||Testing for Insecure Direct Object References
 
|-
 
| 4.6.6||OTG-AUTHZ-006||Testing for Failure to Restrict access to authorized resource
 
|-
 
| 4.6.7||OTG-AUTHZ-007||Test privileges of server components
 
|-
 
| 4.6.8||OTG-AUTHZ-008||Test enforcement of application entry points
 
|-
 
| 4.6.9||OTG-AUTHZ-009||Testing for failure to restrict access to authenticated resource
 
 
|-
 
|-
 
| ||||
 
| ||||
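Review bot: the authorization section loses OTG-AUTHZ-001 (Test Management of Account Permissions) and OTG-AUTHZ-006 through OTG-AUTHZ-009 (failure to restrict access to authorized and authenticated resources, privileges of server components, enforcement of application entry points), and the surviving rows are shifted so that 4.6.1 maps to OTG-AUTHZ-002. Either keep the section numbers aligned with the identifier suffixes or record the removed identifiers, otherwise a reader will assume OTG-AUTHZ-001 went missing by accident.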
Line 142: Line 120:
 
| 4.7.5||OTG-SESS-005||Testing for Cross Site Request Forgery
 
| 4.7.5||OTG-SESS-005||Testing for Cross Site Request Forgery
 
|-
 
|-
| 4.7.6||OTG-SESS-006||Test Session Token Strength
+
| 4.7.6||OTG-SESS-007 ||Testing for logout functionality
 
|-
 
|-
| 4.7.7||OTG-SESS-007 ||Testing for logout functionality
+
| 4.7.7||OTG-SESS-008||Test Session Timeout
 
|-
 
|-
| 4.7.8||OTG-SESS-008||Test Session Timeout
+
| 4.7.8||OTG-SESS-010||Testing for Session puzzling
|-
 
| 4.7.9||OTG-SESS-009||Test multiple concurrent sessions
 
|-
 
| 4.7.10||OTG-SESS-010||Testing for Session puzzling
 
 
|-
 
|-
 
| ||||
 
| ||||
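Review bot: OTG-SESS-006 (Test Session Token Strength) and OTG-SESS-009 (Test multiple concurrent sessions) are removed and the remaining rows renumbered so 4.7.6 maps to OTG-SESS-007; the "OTG-SESS-007 ||" cell still carries a trailing space before the separator that the other rows do not, and token strength is the one session test here that cannot be inferred from another row, so its removal deserves a stated reason.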
Line 164: Line 138:
 
| 4.8.4||OTG-INPVAL-004||Testing for HTTP Parameter pollution
 
| 4.8.4||OTG-INPVAL-004||Testing for HTTP Parameter pollution
 
|-
 
|-
| 4.8.5||OTG-INPVAL-005 ||Testing for Unvalidated Redirects and Forwards
+
| 4.8.5||OTG-INPVAL-006||Testing for SQL Injection
 
|-
 
|-
| 4.8.6||OTG-INPVAL-006||Testing for SQL Injection
+
| 4.8.5.1||||Oracle Testing
 
|-
 
|-
| 4.8.6.1||||Oracle Testing
+
| 4.8.5.2||||MySQL Testing
 
|-
 
|-
| 4.8.6.2||||MySQL Testing
+
| 4.8.5.3||||SQL Server Testing
 
|-
 
|-
| 4.8.6.3||||SQL Server Testing
+
| 4.8.5.4||||Testing PostgreSQL
 
|-
 
|-
| 4.8.6.4||||Testing PostgreSQL
+
| 4.8.5.5||||MS Access Testing
 
|-
 
|-
| 4.8.6.5||||MS Access Testing
+
| 4.8.5.6||||Testing for NoSQL injection
 
|-
 
|-
| 4.8.6.6||||Testing for NoSQL injection
+
| 4.8.6||OTG-INPVAL-007||Testing for LDAP Injection
 
|-
 
|-
| 4.8.7||OTG-INPVAL-007||Testing for LDAP Injection
+
| 4.8.7||OTG-INPVAL-008||Testing for ORM Injection
 
|-
 
|-
| 4.8.8||OTG-INPVAL-008||Testing for ORM Injection
+
| 4.8.8||OTG-INPVAL-009||Testing for XML Injection
 
|-
 
|-
| 4.8.9||OTG-INPVAL-009||Testing for XML Injection
+
| 4.8.9||OTG-INPVAL-010||Testing for SSI Injection
 
|-
 
|-
| 4.8.10||OTG-INPVAL-010||Testing for SSI Injection
+
| 4.8.10||OTG-INPVAL-011||Testing for XPath Injection
 
|-
 
|-
| 4.8.11||OTG-INPVAL-011||Testing for XPath Injection
+
| 4.8.11||OTG-INPVAL-012||IMAP/SMTP Injection
 
|-
 
|-
| 4.8.12||OTG-INPVAL-012||IMAP/SMTP Injection
+
| 4.8.12||OTG-INPVAL-013||Testing for Code Injection
 
|-
 
|-
| 4.8.13||OTG-INPVAL-013||Testing for Code Injection
+
| 4.8.12.1||||Testing for Local File Inclusion
 
|-
 
|-
| 4.8.13.1||||Testing for Local File Inclusion
+
| 4.8.12.2||||Testing for Remote File Inclusion
 
|-
 
|-
| 4.8.13.2||||Testing for Remote File Inclusion
+
| 4.8.13||OTG-INPVAL-014||Testing for Command Injection
 
|-
 
|-
| 4.8.14||OTG-INPVAL-014||Testing for Command Injection
+
| 4.8.14||OTG-INPVAL-015||Testing for Buffer overflow
 
|-
 
|-
| 4.8.15||OTG-INPVAL-015||Testing for Buffer overflow
+
| 4.8.14.1||||Testing for Heap overflow
 
|-
 
|-
| 4.8.15.1||||Testing for Heap overflow
+
| 4.8.14.2||||Testing for Stack overflow
 
|-
 
|-
| 4.8.15.2||||Testing for Stack overflow
+
| 4.8.14.3||||Testing for Format string
 
|-
 
|-
| 4.8.15.3||||Testing for Format string
+
| 4.8.15||OTG-INPVAL-016||Testing for incubated vulnerabilities
 
|-
 
|-
| 4.8.16||OTG-INPVAL-016||Testing for incubated vulnerabilities
+
| 4.8.16||OTG-INPVAL-017||Testing for HTTP Splitting/Smuggling
|-
 
| 4.8.17||OTG-INPVAL-017||Testing for HTTP Splitting/Smuggling
 
 
|-
 
|-
 
| ||||
 
| ||||
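Review bot: removing OTG-INPVAL-005 (Testing for Unvalidated Redirects and Forwards) has been done by renumbering every later row in the section (4.8.6 to 4.8.5 and so on through 4.8.17 to 4.8.16, with the 4.8.6.x, 4.8.13.x and 4.8.15.x sub-items following). The rewrite is internally consistent, but it turns a one-row deletion into a diff touching some thirty rows; keeping section numbers stable and accepting a gap keeps future diffs of this table reviewable and avoids staling any 4.8.x cross-references elsewhere in the guide.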
Line 224: Line 196:
 
| 4.1||||'''Cryptography'''
 
| 4.1||||'''Cryptography'''
 
|-
 
|-
| 4.10.1||OTG-CRYPST-001||Testing for Insecure encryption usage
+
| 4.10.1||OTG-CRYPST-001||Testing for Weak SSL/TSL Ciphers,  Insufficient Transport Layer Protection
|-
 
| 4.10.2||OTG-CRYPST-001||Testing for Weak SSL/TSL Ciphers,  Insufficient Transport Layer Protection
 
|-
 
| 4.10.3||OTG-CRYPST-003||Testing for Padding Oracle
 
|-
 
| 4.10.4||OTG-CRYPST-004||Testing for Cacheable HTTPS Response
 
|-
 
| 4.10.5||OTG-CRYPST-005||Test Cache Directives
 
|-
 
| 4.10.6||OTG-CRYPST-006||Testing for Insecure Cryptographic Storage
 
 
|-
 
|-
| 4.10.7||OTG-CRYPST-007||Testing for Sensitive information sent via unencrypted channels
+
| 4.10.2||OTG-CRYPST-003||Testing for Padding Oracle
 
|-
 
|-
| 4.10.8||OTG-CRYPST-008||Test Cryptographic Key Management
+
| 4.10.3||OTG-CRYPST-007||Testing for Sensitive information sent via unencrypted channels
 
|-
 
|-
 
| ||||
 
| ||||
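Review bot: the "Cryptography" heading row reads "4.1" in both the old and new versions of the unchanged context while its children are 4.10.x; it should read 4.10 (4.9 precedes it and 4.1 is used nowhere else). In the same hunk, "SSL/TSL" in the OTG-CRYPST-001 row should be "SSL/TLS". The hunk also drops the old "Insecure encryption usage" row that shared identifier OTG-CRYPST-001 with the weak-ciphers row (a sensible deduplication) together with OTG-CRYPST-004 (Cacheable HTTPS Response), OTG-CRYPST-005 (Cache Directives), OTG-CRYPST-006 (Insecure Cryptographic Storage) and OTG-CRYPST-008 (Cryptographic Key Management), leaving only three cryptography tests; the removed identifiers should be listed so the gaps in the numbering are traceable.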

Revision as of 17:41, 4 March 2014

This article is part of the new OWASP Testing Guide v4.
Back to the OWASP Testing Guide v4 ToC: https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
Back to the OWASP Testing Guide Project: https://www.owasp.org/index.php/OWASP_Testing_Project


The following is the list of controls to test during the assessment:

Ref. No. Category Test Name
4.2 Information Gathering
4.2.1 OTG-INFO-001 Conduct Search Engine Discovery and Reconnaissance for Information Leakage
4.2.2 OTG-INFO-002 Fingerprint Web Server
4.2.3 OTG-INFO-003 Review Webserver Metafiles for Information Leakage
4.2.4 OTG-INFO-004 Enumerate Applications on Webserver
4.2.5 OTG-INFO-005 Review Webpage Comments and Metadata for Information Leakage
4.2.6 OTG-INFO-006 Identify application entry points
4.2.7 OTG-INFO-008 Map execution paths through application
4.2.8 OTG-INFO-009 Fingerprint Web Application Framework
4.2.9 OTG-INFO-010 Fingerprint Web Application
4.2.10 OTG-INFO-011 Map Network and Application Architecture
4.3 Configuration and Deployment Management Testing
4.3.1 OTG-CONFIG-001 Test Network/Infrastructure Configuration
4.3.2 OTG-CONFIG-002 Test Application Platform Configuration
4.3.3 OTG-CONFIG-003 Test File Extensions Handling for Sensitive Information
4.3.4 OTG-CONFIG-004 Backup and Unreferenced Files for Sensitive Information
4.3.5 OTG-CONFIG-005 Enumerate Infrastructure and Application Admin Interfaces
4.3.6 OTG-CONFIG-006 Test HTTP Methods
4.3.7 OTG-CONFIG-009 Test HTTP Strict Transport Security
4.3.8 OTG-CONFIG-011 Test RIA cross domain policy
4.4 Identity Management Testing
4.4.1 OTG-IDENT-001 Test Role Definitions
4.4.2 OTG-IDENT-002 Test User Registration Process
4.4.3 OTG-IDENT-003 Test Account Provisioning Process
4.4.4 OTG-IDENT-004 Testing for Account Enumeration and Guessable User Account
4.4.5 OTG-IDENT-005 Testing for Weak or unenforced username policy
4.4.6 OTG-IDENT-006 Test Permissions of Guest/Training Accounts
4.4.7 OTG-IDENT-007 Test Account Suspension/Resumption Process
4.5 Authentication Testing
4.5.1 OTG-AUTHN-001 Testing for Credentials Transported over an Encrypted Channel
4.5.2 OTG-AUTHN-002 Testing for default credentials
4.5.3 OTG-AUTHN-003 Testing for Weak lock out mechanism
4.5.4 OTG-AUTHN-004 Testing for bypassing authentication schema
4.5.5 OTG-AUTHN-005 Test remember password functionality
4.5.6 OTG-AUTHN-006 Testing for Browser cache weakness
4.5.7 OTG-AUTHN-007 Testing for Weak password policy
4.5.8 OTG-AUTHN-008 Testing for Weak security question/answer
4.5.9 OTG-AUTHN-009 Testing for weak password change or reset functionalities
4.5.10 OTG-AUTHN-010 Testing for Weaker authentication in alternative channel
4.6 Authorization Testing
4.6.1 OTG-AUTHZ-002 Testing Directory traversal/file include
4.6.2 OTG-AUTHZ-003 Testing for bypassing authorization schema
4.6.3 OTG-AUTHZ-004 Testing for Privilege Escalation
4.6.4 OTG-AUTHZ-005 Testing for Insecure Direct Object References
4.7 Session Management Testing
4.7.1 OTG-SESS-001 Testing for Bypassing Session Management Schema
4.7.2 OTG-SESS-002 Testing for Cookies attributes
4.7.3 OTG-SESS-003 Testing for Session Fixation
4.7.4 OTG-SESS-004 Testing for Exposed Session Variables
4.7.5 OTG-SESS-005 Testing for Cross Site Request Forgery
4.7.6 OTG-SESS-007 Testing for logout functionality
4.7.7 OTG-SESS-008 Test Session Timeout
4.7.8 OTG-SESS-010 Testing for Session puzzling
4.8 Data Validation Testing
4.8.1 OTG-INPVAL-001 Testing for Reflected Cross Site Scripting
4.8.2 OTG-INPVAL-002 Testing for Stored Cross Site Scripting
4.8.3 OTG-INPVAL-003 Testing for HTTP Verb Tampering
4.8.4 OTG-INPVAL-004 Testing for HTTP Parameter pollution
4.8.5 OTG-INPVAL-006 Testing for SQL Injection
4.8.5.1 Oracle Testing
4.8.5.2 MySQL Testing
4.8.5.3 SQL Server Testing
4.8.5.4 Testing PostgreSQL
4.8.5.5 MS Access Testing
4.8.5.6 Testing for NoSQL injection
4.8.6 OTG-INPVAL-007 Testing for LDAP Injection
4.8.7 OTG-INPVAL-008 Testing for ORM Injection
4.8.8 OTG-INPVAL-009 Testing for XML Injection
4.8.9 OTG-INPVAL-010 Testing for SSI Injection
4.8.10 OTG-INPVAL-011 Testing for XPath Injection
4.8.11 OTG-INPVAL-012 IMAP/SMTP Injection
4.8.12 OTG-INPVAL-013 Testing for Code Injection
4.8.12.1 Testing for Local File Inclusion
4.8.12.2 Testing for Remote File Inclusion
4.8.13 OTG-INPVAL-014 Testing for Command Injection
4.8.14 OTG-INPVAL-015 Testing for Buffer overflow
4.8.14.1 Testing for Heap overflow
4.8.14.2 Testing for Stack overflow
4.8.14.3 Testing for Format string
4.8.15 OTG-INPVAL-016 Testing for incubated vulnerabilities
4.8.16 OTG-INPVAL-017 Testing for HTTP Splitting/Smuggling
4.9 Error Handling
4.9.1 OTG-ERR-001 Analysis of Error Codes
4.9.2 OTG-ERR-002 Analysis of Stack Traces
4.10 Cryptography
4.10.1 OTG-CRYPST-001 Testing for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection
4.10.2 OTG-CRYPST-003 Testing for Padding Oracle
4.10.3 OTG-CRYPST-007 Testing for Sensitive information sent via unencrypted channels
4.11 Logging
4.11.1 OTG-LOG-001 Test time synchronisation
4.11.2 OTG-LOG-002 Test user-viewable log of authentication events
4.12 OWASP-BL-001 Business Logic Testing
4.12.1 OTG-BUSLOGIC-001 Test Business Logic Data Validation
4.12.2 OTG-BUSLOGIC-002 Test Ability to Forge Requests
4.12.3 OTG-BUSLOGIC-003 Test Integrity Checks
4.12.4 OTG-BUSLOGIC-004 Test for Process Timing
4.12.5 OTG-BUSLOGIC-005 Test Number of Times a Function Can be Used Limits
4.12.6 OTG-BUSLOGIC-006 Testing for the Circumvention of Work Flows
4.12.7 OTG-BUSLOGIC-007 Test Defenses Against Application Mis-use
4.12.8 OTG-BUSLOGIC-008 Test Upload of Unexpected File Types
4.12.9 OTG-BUSLOGIC-009 Test Upload of Malicious Files
4.15 Client Side Testing
4.15.1 OTG-CLIENT-001 Testing for DOM based Cross Site Scripting
4.15.2 OWASP-CS-002 Testing for JavaScript Execution
4.15.3 OWASP-CS-003 Testing for HTML Injection
4.15.4 OWASP-CS-004 Testing for Client Side URL Redirect
4.15.5 OWASP-CS-005 Testing for CSS Injection
4.15.6 OWASP-CS-006 Testing for Client Side Resource Manipulation
4.15.7 OTG-CLIENT-007 Test Cross Origin Resource Sharing
4.15.8 OTG-CLIENT-008 Testing for Cross Site Flashing
4.15.9 OTG-CLIENT-009 Testing for Clickjacking
4.15.10 OTG-CLIENT-010 Testing WebSockets
4.15.11 OTG-CLIENT-011 Test Web Messaging
4.15.12 OTG-CLIENT-012 Test Local Storage