OWASP Common Numbering Project

Revision as of 11:40, 10 February 2011 by Wichers (talk | contribs)

Jump to: navigation, search


Common OWASP Numbering

An exciting development, a new numbering scheme that will be common across OWASP Guides and References is being developed. The numbering is loosely based on the OWASP ASVS section and detailed requirement numbering. OWASP ASVS, Guide, and Reference project leads and contributors as well as the OWASP leadership plan to work together to develop numbering that would allow for easy mapping between OWASP Guides and References, and that would allow for a period of transition as Guides and References are updated to reflect the new numbering. This project will provide a centralized clearinghouse for mapping information. For more information, please contact Dave Wichers.

This common numbering will be of requirements. A mapping of vulnerabilities to this requirements list will most likely be developed after the common requirements list is created. This common numbering scheme is intended to be independent of any particular OWASP project and is not intended to dictate how those projects are developed and organized. Its intent is to be a resource to facilitate cross referencing between related topics and to encourage, but not require, projects like the OWASP Guides to adopt a similar structure. But that decision is up to the respective project leads.

Common OWASP Numbering Scheme

Common OWASP Numbering Scheme

Common Numbering Scheme Proposed Requirement Areas:

  • OCN-AUTHN: Authentication
  • OCN-SESS: Session Management
  • OCN-INPVAL: Input Validation
  • OCN-OUTENC: Output Encoding
  • OCN-AUTHZ: Functional and Data Layer Access Control
  • OCN-BUS: Business Logic
  • OCN-CRYPST: Cryptographic Storage
  • OCN-CRYPTR: Crypto in Transit
  • OCN-ERROR: Error Handling
  • OCN-LOG: Logging
  • OCN-COMMS: Communication Security (Is this crypto or other stuff)
  • OCN-CONFIG: Secure System Configuration
  • OCN-DBASE: Secure Database Usage
  • OCN-FILE: Secure File Access
  • OCN-MEM: Memory Management
  • OCN-GEN: General Coding Practices
  • OCN-INTEG: Integrity
  • OCN-AVAIL: Availability
  • 1st Element - Document code (OCN=OWASP Common Number, ODG=OWASP Development Guide, OTG=OWASP Testing Guide, OCG=OWASP Code Review Guide, others reserved)
  • 2nd Element - Requirement Area (major)
  • 3rd Element - Detailed Requirement Identifier (minor with up to one sublevel (e.g., .01, .02)
  • 4th Element (Optional: DEPRECATED, or # for iterations, or legacy identifiers)

Mapping to Legacy Testing Guide IDs

Note: This is still a work in progress and is currently incomplete.

Ref. Number
Test Name
New Common Ref.
Information Gathering
OWASP-IG-001 Spiders, Robots and Crawlers OWASP-<put mapped ASVS 4 digit # here>-TG-IG-001
OWASP-IG-002 Search Engine Discovery/Reconnaissance
OWASP-IG-003 Identify application entry points
OWASP-IG-004 Testing for Web Application Fingerprint
OWASP-IG-005 Application Discovery
OWASP-IG-006 Analysis of Error Codes
Configuration Management Testing
OWASP-CM-001 SSL/TLS Testing (SSL Version, Algorithms, Key length, Digital Cert. Validity)
OWASP-CM-002 DB Listener Testing
OWASP-CM-003 Infrastructure Configuration Management Testing
OWASP-CM-004 Application Configuration Management Testing
OWASP-CM-005 Testing for File Extensions Handling
OWASP-CM-006 Old, backup and unreferenced files
OWASP-CM-007 Infrastructure and Application Admin Interfaces
OWASP-CM-008 Testing for HTTP Methods and XST
Authentication Testing
OWASP-AT-001 Credentials transport over an encrypted channel
OWASP-AT-002 Testing for user enumeration
OWASP-AT-003 Testing for Guessable (Dictionary) User Account
OWASP-AT-004 Brute Force Testing
OWASP-AT-005 Testing for bypassing authentication schema
OWASP-AT-006 Testing for vulnerable remember password and pwd reset
OWASP-AT-007 Testing for Logout and Browser Cache Management
OWASP-AT-008 Testing for CAPTCHA
OWASP-AT-009 Testing Multiple Factors Authentication
OWASP-AT-010 Testing for Race Conditions
Session Management
OWASP-SM-001 Testing for Session Management Schema
OWASP-SM-002 Testing for Cookies attributes
OWASP-SM-003 Testing for Session Fixation
OWASP-SM-004 Testing for Exposed Session Variables
OWASP-SM-005 Testing for CSRF
Authorization Testing
OWASP-AZ-001 Testing for Path Traversal
OWASP-AZ-002 Testing for bypassing authorization schema
OWASP-AZ-003 Testing for Privilege Escalation
Business logic testing
OWASP-BL-001 Testing for business logic
Data Validation Testing
OWASP-DV-001 Testing for Reflected Cross Site Scripting
OWASP-DV-002 Testing for Stored Cross Site Scripting
OWASP-DV-003 Testing for DOM based Cross Site Scripting
OWASP-DV-004 Testing for Cross Site Flashing
OWASP-DV-005 SQL Injection
OWASP-DV-006 LDAP Injection
OWASP-DV-007 ORM Injection
OWASP-DV-008 XML Injection
OWASP-DV-009 SSI Injection
OWASP-DV-010 XPath Injection
OWASP-DV-011 IMAP/SMTP Injection
OWASP-DV-012 Code Injection
OWASP-DV-013 OS Commanding
OWASP-DV-014 Buffer overflow
OWASP-DV-015 Incubated vulnerability Testing
OWASP-DV-016 Testing for HTTP Splitting/Smuggling
Denial of Service Testing
OWASP-DS-001 Testing for SQL Wildcard Attacks
OWASP-DS-002 Locking Customer Accounts
OWASP-DS-003 Testing for DoS Buffer Overflows
OWASP-DS-004 User Specified Object Allocation
OWASP-DS-005 User Input as a Loop Counter
OWASP-DS-006 Writing User Provided Data to Disk
OWASP-DS-007 Failure to Release Resources
OWASP-DS-008 Storing too Much Data in Session
Web Services Testing
OWASP-WS-001 WS Information Gathering
OWASP-WS-002 Testing WSDL
OWASP-WS-003 XML Structural Testing
OWASP-WS-004 XML content-level Testing
OWASP-WS-005 HTTP GET parameters/REST Testing
OWASP-WS-006 Naughty SOAP attachments
OWASP-WS-007 Replay Testing
AJAX Testing
OWASP-AJ-001 AJAX Vulnerabilities
OWASP-AJ-002 AJAX Testing

Mapping to Top 10 2010 IDs

Ref. Number
New Common Ref.
2010-A1 Injection









2010-A2 Cross Site Scripting (XSS) OWASP-0701




2010-A3 Broken Authentication and Session Management OWASP-0300


2010-A4 Insecure Direct Object References OWASP-0502
2010-A5 Cross Site Request Forgery OWASP-0405
2010-A6 Security Misconfiguration OWASP-0203


2010-A7 Failure to Restrict URL Access OWASP-0500
2010-A8 Unvalidated Redirects and Forwards OWASP-0717
2010-A9 Insecure Cryptographic Storage OWASP-0209
2010-A10 Insufficient Transport Layer Protection OWASP-0201


Project Leader

Project Contributors