Testing Checklist

The following is the list of controls to test during the assessment:

{| class="wikitable"
! Category !! Ref. Number !! Test Name !! Vulnerability
|-
| rowspan="6" | Information Gathering
| OWASP-IG-001 || 4.2.1 Spiders, Robots and Crawlers || N.A.
|-
| OWASP-IG-002 || 4.2.2 Search Engine Discovery/Reconnaissance || N.A.
|-
| OWASP-IG-003 || 4.2.3 Identify application entry points || N.A.
|-
| OWASP-IG-004 || 4.2.3 Testing for Web Application Fingerprint || N.A.
|-
| OWASP-IG-005 || 4.2.4 Application Discovery || N.A.
|-
| OWASP-IG-006 || 4.2.5 Analysis of Error Codes || Information Disclosure
|-
| rowspan="8" | Configuration Management Testing
| OWASP-CM-001 || 4.3.1 SSL/TLS Testing (SSL Version, Algorithms, Key length, Digital Cert. Validity) || SSL Weakness
|-
| OWASP-CM-002 || 4.3.2 DB Listener Testing || DB Listener weakness
|-
| OWASP-CM-003 || 4.3.3 Application Configuration Management Testing || Configuration management weakness
|-
| OWASP-CM-004 || 4.3.4 Testing for misconfiguration || Misconfiguration
|-
| OWASP-CM-005 || 4.3.5 Testing for File Extensions Handling || File extensions handling
|-
| OWASP-CM-006 || 4.3.6 Old, backup and unreferenced files || Old, backup and unreferenced files
|-
| OWASP-CM-007 || 4.3.7 Infrastructure and Application Admin Interfaces || Access to Admin interfaces
|-
| OWASP-CM-008 || 4.3.8 Testing for HTTP Methods and XST || HTTP Methods enabled, XST permitted
|-
| Business Logic Testing
| OWASP-BL-001 || Testing for Business Logic || Bypassable business logic
|-
| rowspan="8" | Authentication Testing
| OWASP-AT-001 || 4.5.1 Credentials transport over an encrypted channel || Credentials transport over an unencrypted channel
|-
| OWASP-AT-002 || 4.5.2 Testing for user enumeration || User enumeration
|-
| OWASP-AT-003 || 4.5.3 Testing for Guessable (Dictionary) User Account || Guessable user account
|-
| OWASP-AT-004 || 4.5.3 Brute Force Testing || Brute forcing
|-
| OWASP-AT-005 || 4.5.4 Testing for bypassing authentication schema || Bypassing authentication schema
|-
| OWASP-AT-006 || 4.5.5 Testing for directory traversal/file include || Directory traversal/file include
|-
| OWASP-AT-007 || 4.5.6 Testing for vulnerable remember password and pwd reset || Vulnerable remember password, weak pwd reset
|-
| OWASP-AT-008 || 4.5.7 Testing for Logout and Browser Cache Management || Logout function not properly implemented, browser cache weakness
|-
| rowspan="3" | Authorization Testing
| OWASP-AZ-001 || (new) 4.6.1 Testing for Path Traversal || Path Traversal
|-
| OWASP-AZ-002 || (new) 4.6.2 Testing for bypassing authorization schema || Bypassing authorization schema
|-
| OWASP-AZ-003 || (new) 4.6.3 Testing for Privilege Escalation || Privilege Escalation
|-
| rowspan="6" | Session Management
| OWASP-SM-001 || 4.7.1 Testing for Session Management Schema || Bypassing Session Management Schema
|-
| OWASP-SM-002 || 4.7.2 Test the token strength || Weak Session Token
|-
| OWASP-SM-003 || 4.7.3 Testing for Cookies attributes || Cookies set without the 'HttpOnly' and 'Secure' attributes, and with no time validity
|-
| OWASP-SM-004 || 4.7.4 Testing for Exposed Session Variables || Exposed sensitive session variables
|-
| OWASP-SM-005 || 4.7.5 Testing for CSRF || CSRF
|-
| OWASP-SM-006 || 4.7.6 Testing for HTTP Exploit || HTTP Exploit
|-
| rowspan="15" | Data Validation Testing
| OWASP-DV-001 || 4.8.1 Testing for Reflected Cross Site Scripting || Reflected XSS
|-
| OWASP-DV-002 || 4.8.2 Testing for Stored Cross Site Scripting || Stored XSS
|-
| OWASP-DV-003 || 4.8.3 Testing for DOM based Cross Site Scripting || DOM XSS
|-
| OWASP-DV-004 || 4.8.4 Testing for Cross Site Flashing || Cross Site Flashing
|-
| OWASP-DV-005 || SQL Injection || SQL Injection
|-
| OWASP-DV-006 || LDAP Injection || LDAP Injection
|-
| OWASP-DV-007 || ORM Injection || ORM Injection
|-
| OWASP-DV-008 || XML Injection || XML Injection
|-
| OWASP-DV-009 || SSI Injection || SSI Injection
|-
| OWASP-DV-010 || XPath Injection || XPath Injection
|-
| OWASP-DV-011 || IMAP/SMTP Injection || IMAP/SMTP Injection
|-
| OWASP-DV-012 || Code Injection || Code Injection
|-
| OWASP-DV-013 || OS Commanding || OS Commanding
|-
| OWASP-DV-014 || Buffer overflow || Buffer overflow
|-
| OWASP-DV-015 || Incubated vulnerability || Incubated vulnerability
|-
| rowspan="6" | Denial of Service Testing
| OWASP-DS-001 || Locking Customer Accounts || Locking Customer Accounts
|-
| OWASP-DS-002 || User Specified Object Allocation || User Specified Object Allocation
|-
| OWASP-DS-003 || User Input as a Loop Counter || User Input as a Loop Counter
|-
| OWASP-DS-004 || Writing User Provided Data to Disk || Writing User Provided Data to Disk
|-
| OWASP-DS-005 || Failure to Release Resources || Failure to Release Resources
|-
| OWASP-DS-006 || Storing too Much Data in Session || Storing too Much Data in Session
|-
| rowspan="5" | Web Services Testing
| OWASP-WS-001 || XML Structural Testing || Weak XML Structure
|-
| OWASP-WS-002 || XML content-level Testing || XML content-level
|-
| OWASP-WS-003 || HTTP GET parameters/REST Testing || WS HTTP GET parameters/REST
|-
| OWASP-WS-004 || Naughty SOAP attachments || WS Naughty SOAP attachments
|-
| OWASP-WS-005 || Replay Testing || WS Replay Testing
|-
| Client Side Testing
| OWASP-CS-001 || ||
|}