Testing Checklist

The following is the list of controls to test during the assessment:

'''Category	- Ref. Number	 - Test Name	-   Vulnerability'''

Information Gathering	 OWASP-IG-001	4.2.1 Spiders, Robots and Crawlers 	N.A.

OWASP-IG-002	4.2.2 Search Engine Discovery/Reconnaissance 	N.A.

OWASP-IG-003	4.2.3 Identify application entry points 	N.A.

OWASP-IG-004	4.2.3 Testing for Web Application Fingerprint 	N.A.

OWASP-IG-005	4.2.4 Application Discovery 	N.A.

OWASP-IG-006	4.2.5 Analysis of Error Codes	Information Disclosure

Configuration Management Testing	

OWASP-CM-001	4.3.1 SSL/TLS Testing (SSL Version, Alghoritms, Key lenght, Digital Cert. Validity)	SSL Weakness

OWASP-CM-002	4.3.2 DB Listener Testing 	DB Listener weak

OWASP-CM-003	4.3.3 Infrastructure Configuration Management Testing 	Infrastructure Configuration management weakness

OWASP-CM-003	4.3.4 Application Configuration Management Testing 	Application Configuration management weakness

OWASP-CM-005	4.3.5 Testing for File Extensions Handling 	File extensions handling

OWASP-CM-006	4.3.6 Old, backup and unreferenced files 	Old, backup and unreferenced files

OWASP-CM-007	4.3.7 Infrastructure and Application Admin Interfaces 	Access to Admin interfaces

OWASP-CM-008	4.3.8 Testing for HTTP Methods and XST	HTTP Methods enabled, XST permitted

Business logic testing	

OWASP-BL-001	Testing for Business Logic	Bypassable business logic

Authentication Testing	

OWASP-AT-001	4.5.1 Credentials transport over an encrypted channel 	Credentials transport over an encrypted channel

OWASP-AT-002	4.5.2 Testing for user enumeration 	User enumeration

OWASP-AT-003	4.5.3 Testing for Guessable (Dictionary) User Account 	Guessable user account

OWASP-AT-004	4.5.3 Brute Force Testing 	Brute forcing

OWASP-AT-005	4.5.4 Testing for bypassing authentication schema 	bypassing authentication schema

OWASP-AT-006	4.5.5 Testing for directory traversal/file include 	directory traversal/file include

OWASP-AT-007	4.5.6 Testing for vulnerable remember password and pwd reset 	vulnerable remember password, weak pwd reset

OWASP-AT-008	4.5.7 Testing for Logout and Browser Cache Management Testing	Logout function not properly implemented, browser cache weakness

OWASP-AT-009 4.5.8 Testing for CAPTCHA  Captcha implementation weakeness

Authorization Testing	

OWASP-AZ-001	(new)4.6.1 Testing for Path Traversal 	Path Traversal

OWASP-AZ-002	(new)4.6.2 Testing for bypassing authorization schema 	Bypassing authorization schema

OWASP-AZ-003	(new)4.6.3 Testing for Privilege Escalation	Privilege Escalation

Session Management	

OWASP-SM-001	4.7.1 Testing for Session Management Schema	Bypassing Session Management Schema, Weak Session Token

OWASP-SM-002	4.7.2 Testing for Cookies attributes	       Cookies are set not ‘HTTP Only’, ‘Secure’, and no time validity

OWASP-SM-003   4.7.3 Testing for Session Fixation              Session Fixation

OWASP-SM-004	4.7.4 Testing for Exposed Session Variables 	Exposed sensitive session variables

OWASP-SM-005	4.7.5 Testing for CSRF 	                       CSRF

OWASP-SM-006	4.7.6 Testing for HTTP Exploit	               HTTP Splitting, Smuggling, Verb

Data Validation Testing	

OWASP-DV-001	4.8.1 Testing for Reflected Cross Site Scripting 	Reflected XSS

OWASP-DV-002	4.8.2 Testing for Stored Cross Site Scripting 	Stored XSS

OWASP-DV-003	4.8.3 Testing for DOM based Cross Site Scripting 	DOM XSS

OWASP-DV-004	4.8.4 Testing for Cross Site Flashing	Cross Site Flashing

OWASP-DV-005	SQL Injection	SQL Injection

OWASP-DV-006	LDAP Injection 	LDAP Injection

OWASP-DV-007	ORM Injection	ORM Injection

OWASP-DV-008	XML Injection	XML Injection

OWASP-DV-009	SSI Injection	SSI Injection

OWASP-DV-010	XPath Injection	XPath Injection

OWASP-DV-011	IMAP/SMTP Injection	IMAP/SMTP Injection

OWASP-DV-012	Code Injection	Code Injection

OWASP-DV-013	OS Commanding	OS Commanding

OWASP-DV-014	Buffer overflow	Buffer overflow

OWASP-DV-015	Incubated vulnerability	Incubated vulnerability

Denial of Service Testing	

OWASP-DS-001	Locking Customer Accounts	Locking Customer Accounts

OWASP-DS-002	User Specified Object Allocation	User Specified Object Allocation

OWASP-DS-003	User Input as a Loop Counter	User Input as a Loop Counter

OWASP-DS-004	Writing User Provided Data to Disk	Writing User Provided Data to Disk

OWASP-DS-005	Failure to Release Resources	Failure to Release Resources

OWASP-DS-006	Storing too Much Data in Session	Storing too Much Data in Session

Web Services Testing	

OWASP-WS-001	XML Structural Testing	Weak XML Structure

OWASP-WS-002	XML content-level Testing	XML content-level

OWASP-WS-003	HTTP GET parameters/REST Testing	WS HTTP GET parameters/REST

OWASP-WS-004	Naughty SOAP attachments	WS Naughty SOAP attachments

OWASP-WS-005	Replay Testing	WS Replay Testing

Client Side Testing	

OWASP-CS-001