This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Testing Checklist
This article is part of the new OWASP Testing Guide v4.
Back to the OWASP Testing Guide v4 ToC: https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents Back to the OWASP Testing Guide Project: https://www.owasp.org/index.php/OWASP_Testing_Project
The following is the list of controls to test during the assessment:
| Information Gathering | |||
| Category | Ref. Number | Test Name | Vulnerability |
|---|---|---|---|
| OWASP-IG-001 | 4.2.1 | Spiders, Robots and Crawlers | N.A. |
| OWASP-IG-002 | 4.2.2 | Search Engine Discovery/Reconnaissance | N.A. |
| OWASP-IG-003 | 4.2.3 | Identify application entry points | N.A. |
| OWASP-IG-004 | 4.2.4 | Testing for Web Application Fingerprint | N.A. |
| OWASP-IG-005 | 4.2.5 | Application Discovery | N.A. |
| OWASP-IG-006 | 4.2.6 | Analysis of Error Codes | Information Disclosure |
Configuration Management Testing
OWASP-CM-001 - 4.3.1 SSL/TLS Testing (SSL Version, Algorithms, Key length, Digital Cert. Validity) - SSL Weakness
OWASP-CM-002 - 4.3.2 DB Listener Testing - DB Listener weak
OWASP-CM-003 - 4.3.3 Infrastructure Configuration Management Testing - Infrastructure Configuration management weakness
OWASP-CM-004 - 4.3.4 Application Configuration Management Testing - Application Configuration management weakness
OWASP-CM-005 - 4.3.5 Testing for File Extensions Handling - File extensions handling
OWASP-CM-006 - 4.3.6 Old, backup and unreferenced files - Old, backup and unreferenced files
OWASP-CM-007 - 4.3.7 Infrastructure and Application Admin Interfaces - Access to Admin interfaces
OWASP-CM-008 - 4.3.8 Testing for HTTP Methods and XST - HTTP Methods enabled, XST permitted, HTTP Verb
Authentication Testing
OWASP-AT-001 - 4.4.1 Credentials transport over an encrypted channel - Credentials transport over an encrypted channel
OWASP-AT-002 - 4.4.2 Testing for user enumeration - User enumeration
OWASP-AT-003 - 4.4.3 Testing for Guessable (Dictionary) User Account - Guessable user account
OWASP-AT-004 - 4.4.4 Brute Force Testing - Credentials Brute forcing
OWASP-AT-005 - 4.4.5 Testing for bypassing authentication schema - Bypassing authentication schema
OWASP-AT-006 - 4.4.6 Testing for vulnerable remember password and pwd reset - Vulnerable remember password, weak pwd reset
OWASP-AT-007 - 4.4.7 Testing for Logout and Browser Cache Management - - Logout function not properly implemented, browser cache weakness
OWASP-AT-008 - 4.4.8 Testing for CAPTCHA - Weak Captcha implementation
OWASP-AT-009 - 4.4.9 Testing Multiple Factors Authentication - Weak Multiple Factors Authentication
OWASP-AT-010 - 4.4.10 Testing for Race Conditions - Race Conditions vulnerability
Session Management
OWASP-SM-001 - 4.5.1 Testing for Session Management Schema - Bypassing Session Management Schema, Weak Session Token
OWASP-SM-002 - 4.5.2 Testing for Cookies attributes - Cookies are set not ‘HTTP Only’, ‘Secure’, and no time validity
OWASP-SM-003 - 4.5.3 Testing for Session Fixation - Session Fixation
OWASP-SM-004 - 4.5.4 Testing for Exposed Session Variables - Exposed sensitive session variables
OWASP-SM-005 - 4.5.5 Testing for CSRF - CSRF
Authorization Testing
OWASP-AZ-001 - 4.6.1 Testing for Path Traversal - Path Traversal
OWASP-AZ-002 - 4.6.2 Testing for bypassing authorization schema - Bypassing authorization schema
OWASP-AZ-003 - 4.6.3 Testing for Privilege Escalation - Privilege Escalation
Business logic testing
OWASP-BL-001 - 4.7 Testing for Business Logic - Bypassable business logic
Data Validation Testing
OWASP-DV-001 - 4.8.1 Testing for Reflected Cross Site Scripting - Reflected XSS
OWASP-DV-002 - 4.8.2 Testing for Stored Cross Site Scripting - Stored XSS
OWASP-DV-003 - 4.8.3 Testing for DOM based Cross Site Scripting - DOM XSS
OWASP-DV-004 - 4.8.4 Testing for Cross Site Flashing - Cross Site Flashing
OWASP-DV-005 - 4.8.5 SQL Injection - SQL Injection
OWASP-DV-006 - 4.8.6 LDAP Injection - LDAP Injection
OWASP-DV-007 - 4.8.7 ORM Injection - ORM Injection
OWASP-DV-008 - 4.8.8 XML Injection - XML Injection
OWASP-DV-009 - 4.8.9 SSI Injection - SSI Injection
OWASP-DV-010 - 4.8.10 XPath Injection - XPath Injection
OWASP-DV-011 - 4.8.11 IMAP/SMTP Injection - IMAP/SMTP Injection
OWASP-DV-012 - 4.8.12 Code Injection - Code Injection
OWASP-DV-013 - 4.8.13 OS Commanding - OS Commanding
OWASP-DV-014 - 4.8.14 Buffer overflow - Buffer overflow
OWASP-DV-015 - 4.8.15 Incubated vulnerability - Incubated vulnerability
OWASP-DV-016 - 4.8.16 Testing for HTTP Splitting/Smuggling - HTTP Splitting, Smuggling
Denial of Service Testing
OWASP-DS-001 - 4.9.1 Testing for SQL Wildcard Attacks - SQL Wildcard vulnerability
OWASP-DS-002 - 4.9.2 Locking Customer Accounts - Locking Customer Accounts
OWASP-DS-003 - 4.9.3 Testing for DoS Buffer Overflows - Buffer Overflows
OWASP-DS-004 - 4.9.4 User Specified Object Allocation - User Specified Object Allocation
OWASP-DS-005 - 4.9.5 User Input as a Loop Counter - User Input as a Loop Counter
OWASP-DS-006 - 4.9.6 Writing User Provided Data to Disk - Writing User Provided Data to Disk
OWASP-DS-007 - 4.9.7 Failure to Release Resources - Failure to Release Resources
OWASP-DS-008 - 4.9.8 Storing too Much Data in Session - Storing too Much Data in Session
Web Services Testing
OWASP-WS-001 - 4.10.1 WS Information Gathering - N.A.
OWASP-WS-002 - 4.10.2 Testing WSDL - WSDL Weakness
OWASP-WS-003 - 4.10.3 XML Structural Testing - Weak XML Structure
OWASP-WS-004 - 4.10.4 XML content-level Testing - XML content-level
OWASP-WS-005 - 4.10.5 HTTP GET parameters/REST Testing - WS HTTP GET parameters/REST
OWASP-WS-006 - 4.10.6 Naughty SOAP attachments - WS Naughty SOAP attachments
OWASP-WS-007 - 4.10.7 Replay Testing - WS Replay Testing
Ajax Testing
OWASP-AJ-001 - 4.11.1 AJAX Vulnerabilities - N.A.
OWASP-AJ-002 - 4.11.2 AJAX Testing - AJAX weakness
