Testing for configuration management
This article is part of the new OWASP Testing Guide v4.
Back to the OWASP Testing Guide v4 ToC: https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents Back to the OWASP Testing Guide Project: https://www.owasp.org/index.php/OWASP_Testing_Project
4.3 Testing for configuration management
Often analysis of the infrastructure and topology architecture can reveal a great deal about a web application. Information such as source code, HTTP methods permitted, administrative functionality, authentication methods, and infrastructural configurations can be obtained.
4.3.1 Test Network/Infrastructure Configuration (OTG-CONFIG-001) formerly "Testing for Infrastructure Configuration Management Testing weakness (OWASP-CM-001)"
4.3.2 Test Application Platform Configuration (OTG-CONFIG-002) formerly "Testing for Application Configuration Management weakness (OWASP-CM-002)" [Amro AlOlaqi] Ready to be reviewed
4.3.3 Test File Extensions Handling for Sensitive Information (OTG-CONFIG-003) formerly "Testing for File Extensions Handling (OWASP-CM-003)"
4.3.4 Review Old, Backup and Unreferenced Files for Sensitive Information (OTG-CONFIG-004) formerly "Old, Backup and Unreferenced Files (OWASP-CM-004)"
4.3.5 Enumerate Infrastructure and Application Admin Interfaces (OTG-CONFIG-005) formerly "Infrastructure and Application Admin Interfaces (OWASP-CM-005)" [Amro AlOlaqi] Ready to be reviewed
4.3.6 Test HTTP Methods (OTG-CONFIG-006) formerly "Testing for Bad HTTP Methods (OWASP-CM-006)"
4.3.7 Test HTTP Strict Transport Security (OTG-CONFIG-009) formerly "Testing for Missing HSTS header (OWASP-CM-009)"
4.3.8 Test RIA cross domain policy (OTG-CONFIG-011) formerly "Testing for RIA policy files weakness (OWASP-CM-010)"