Difference between revisions of "Testing Checklist"

From OWASP
Jump to: navigation, search
(Converted 'Information Gathering' to use wiki table style (initial))
Line 3: Line 3:
 
The following is the list of controls to test during the assessment:
 
The following is the list of controls to test during the assessment:
  
'''Category -  Ref. Number - Test Name -   Vulnerability'''
+
{|
 
+
|colspan="4" style="text-align:center; font-weight: bold;"| Information Gathering
 
+
|-
'''Information Gathering ''' <br>
+
! Category !! Ref. Number !! Test Name !!   Vulnerability
OWASP-IG-001 - 4.2.1 Spiders, Robots and Crawlers - N.A.
+
|-
 
+
| OWASP-IG-001 || 4.2.1 || Spiders, Robots and Crawlers           || N.A.
OWASP-IG-002 - 4.2.2 Search Engine Discovery/Reconnaissance - N.A.
+
|-
 
+
| OWASP-IG-002 || 4.2.2 || Search Engine Discovery/Reconnaissance || N.A.
OWASP-IG-003 - 4.2.3 Identify application entry points - N.A.
+
|-
 
+
| OWASP-IG-003 || 4.2.3 || Identify application entry points       || N.A.
OWASP-IG-004 - 4.2.4 Testing for Web Application Fingerprint - N.A.
+
|-
 
+
| OWASP-IG-004 || 4.2.4 || Testing for Web Application Fingerprint || N.A.
OWASP-IG-005 - 4.2.5 Application Discovery - N.A.
+
|-
 
+
| OWASP-IG-005 || 4.2.5 || Application Discovery                   || N.A.
OWASP-IG-006 - 4.2.6 Analysis of Error Codes - Information Disclosure
+
|-
 
+
| OWASP-IG-006 || 4.2.6 || Analysis of Error Codes                 || Information Disclosure
 +
|}
  
 
'''Configuration Management Testing '''
 
'''Configuration Management Testing '''

Revision as of 18:41, 17 September 2013

This article is part of the new OWASP Testing Guide v4. 
At the moment the project is in the REVIEW phase.

Back to the OWASP Testing Guide v4 ToC: https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents Back to the OWASP Testing Guide Project: http://www.owasp.org/index.php/OWASP_Testing_Project


The following is the list of controls to test during the assessment:

Information Gathering
Category Ref. Number Test Name Vulnerability
OWASP-IG-001 4.2.1 Spiders, Robots and Crawlers N.A.
OWASP-IG-002 4.2.2 Search Engine Discovery/Reconnaissance N.A.
OWASP-IG-003 4.2.3 Identify application entry points N.A.
OWASP-IG-004 4.2.4 Testing for Web Application Fingerprint N.A.
OWASP-IG-005 4.2.5 Application Discovery N.A.
OWASP-IG-006 4.2.6 Analysis of Error Codes Information Disclosure

Configuration Management Testing

OWASP-CM-001 - 4.3.1 SSL/TLS Testing (SSL Version, Algorithms, Key length, Digital Cert. Validity) - SSL Weakness

OWASP-CM-002 - 4.3.2 DB Listener Testing - DB Listener weak

OWASP-CM-003 - 4.3.3 Infrastructure Configuration Management Testing - Infrastructure Configuration management weakness

OWASP-CM-004 - 4.3.4 Application Configuration Management Testing - Application Configuration management weakness

OWASP-CM-005 - 4.3.5 Testing for File Extensions Handling - File extensions handling

OWASP-CM-006 - 4.3.6 Old, backup and unreferenced files - Old, backup and unreferenced files

OWASP-CM-007 - 4.3.7 Infrastructure and Application Admin Interfaces - Access to Admin interfaces

OWASP-CM-008 - 4.3.8 Testing for HTTP Methods and XST - HTTP Methods enabled, XST permitted, HTTP Verb


Authentication Testing

OWASP-AT-001 - 4.4.1 Credentials transport over an encrypted channel - Credentials transport over an encrypted channel

OWASP-AT-002 - 4.4.2 Testing for user enumeration - User enumeration

OWASP-AT-003 - 4.4.3 Testing for Guessable (Dictionary) User Account - Guessable user account

OWASP-AT-004 - 4.4.4 Brute Force Testing - Credentials Brute forcing

OWASP-AT-005 - 4.4.5 Testing for bypassing authentication schema - Bypassing authentication schema

OWASP-AT-006 - 4.4.6 Testing for vulnerable remember password and pwd reset - Vulnerable remember password, weak pwd reset

OWASP-AT-007 - 4.4.7 Testing for Logout and Browser Cache Management - - Logout function not properly implemented, browser cache weakness

OWASP-AT-008 - 4.4.8 Testing for CAPTCHA - Weak Captcha implementation

OWASP-AT-009 - 4.4.9 Testing Multiple Factors Authentication - Weak Multiple Factors Authentication

OWASP-AT-010 - 4.4.10 Testing for Race Conditions - Race Conditions vulnerability


Session Management

OWASP-SM-001 - 4.5.1 Testing for Session Management Schema - Bypassing Session Management Schema, Weak Session Token

OWASP-SM-002 - 4.5.2 Testing for Cookies attributes - Cookies are set not ‘HTTP Only’, ‘Secure’, and no time validity

OWASP-SM-003 - 4.5.3 Testing for Session Fixation - Session Fixation

OWASP-SM-004 - 4.5.4 Testing for Exposed Session Variables - Exposed sensitive session variables

OWASP-SM-005 - 4.5.5 Testing for CSRF - CSRF


Authorization Testing

OWASP-AZ-001 - 4.6.1 Testing for Path Traversal - Path Traversal

OWASP-AZ-002 - 4.6.2 Testing for bypassing authorization schema - Bypassing authorization schema

OWASP-AZ-003 - 4.6.3 Testing for Privilege Escalation - Privilege Escalation


Business logic testing

OWASP-BL-001 - 4.7 Testing for Business Logic - Bypassable business logic


Data Validation Testing

OWASP-DV-001 - 4.8.1 Testing for Reflected Cross Site Scripting - Reflected XSS

OWASP-DV-002 - 4.8.2 Testing for Stored Cross Site Scripting - Stored XSS

OWASP-DV-003 - 4.8.3 Testing for DOM based Cross Site Scripting - DOM XSS

OWASP-DV-004 - 4.8.4 Testing for Cross Site Flashing - Cross Site Flashing

OWASP-DV-005 - 4.8.5 SQL Injection - SQL Injection

OWASP-DV-006 - 4.8.6 LDAP Injection - LDAP Injection

OWASP-DV-007 - 4.8.7 ORM Injection - ORM Injection

OWASP-DV-008 - 4.8.8 XML Injection - XML Injection

OWASP-DV-009 - 4.8.9 SSI Injection - SSI Injection

OWASP-DV-010 - 4.8.10 XPath Injection - XPath Injection

OWASP-DV-011 - 4.8.11 IMAP/SMTP Injection - IMAP/SMTP Injection

OWASP-DV-012 - 4.8.12 Code Injection - Code Injection

OWASP-DV-013 - 4.8.13 OS Commanding - OS Commanding

OWASP-DV-014 - 4.8.14 Buffer overflow - Buffer overflow

OWASP-DV-015 - 4.8.15 Incubated vulnerability - Incubated vulnerability

OWASP-DV-016 - 4.8.16 Testing for HTTP Splitting/Smuggling - HTTP Splitting, Smuggling


Denial of Service Testing

OWASP-DS-001 - 4.9.1 Testing for SQL Wildcard Attacks - SQL Wildcard vulnerability

OWASP-DS-002 - 4.9.2 Locking Customer Accounts - Locking Customer Accounts

OWASP-DS-003 - 4.9.3 Testing for DoS Buffer Overflows - Buffer Overflows

OWASP-DS-004 - 4.9.4 User Specified Object Allocation - User Specified Object Allocation

OWASP-DS-005 - 4.9.5 User Input as a Loop Counter - User Input as a Loop Counter

OWASP-DS-006 - 4.9.6 Writing User Provided Data to Disk - Writing User Provided Data to Disk

OWASP-DS-007 - 4.9.7 Failure to Release Resources - Failure to Release Resources

OWASP-DS-008 - 4.9.8 Storing too Much Data in Session - Storing too Much Data in Session


Web Services Testing

OWASP-WS-001 - 4.10.1 WS Information Gathering - N.A.

OWASP-WS-002 - 4.10.2 Testing WSDL - WSDL Weakness

OWASP-WS-003 - 4.10.3 XML Structural Testing - Weak XML Structure

OWASP-WS-004 - 4.10.4 XML content-level Testing - XML content-level

OWASP-WS-005 - 4.10.5 HTTP GET parameters/REST Testing - WS HTTP GET parameters/REST

OWASP-WS-006 - 4.10.6 Naughty SOAP attachments - WS Naughty SOAP attachments

OWASP-WS-007 - 4.10.7 Replay Testing - WS Replay Testing


Ajax Testing

OWASP-AJ-001 - 4.11.1 AJAX Vulnerabilities - N.A.

OWASP-AJ-002 - 4.11.2 AJAX Testing - AJAX weakness