Difference between revisions of "Testing Checklist"

From OWASP
Jump to: navigation, search
(Converted 'Information Gathering' to use wiki table style (initial))
Line 3: Line 3:
 
The following is the list of controls to test during the assessment:
 
The following is the list of controls to test during the assessment:
  
'''Category -  Ref. Number - Test Name -   Vulnerability'''
+
{|
 
+
|colspan="4" style="text-align:center; font-weight: bold;"| Information Gathering
 
+
|-
'''Information Gathering ''' <br>
+
! Category !! Ref. Number !! Test Name !!   Vulnerability
OWASP-IG-001 - 4.2.1 Spiders, Robots and Crawlers - N.A.
+
|-
 
+
| OWASP-IG-001 || 4.2.1 || Spiders, Robots and Crawlers           || N.A.
OWASP-IG-002 - 4.2.2 Search Engine Discovery/Reconnaissance - N.A.
+
|-
 
+
| OWASP-IG-002 || 4.2.2 || Search Engine Discovery/Reconnaissance || N.A.
OWASP-IG-003 - 4.2.3 Identify application entry points - N.A.
+
|-
 
+
| OWASP-IG-003 || 4.2.3 || Identify application entry points       || N.A.
OWASP-IG-004 - 4.2.4 Testing for Web Application Fingerprint - N.A.
+
|-
 
+
| OWASP-IG-004 || 4.2.4 || Testing for Web Application Fingerprint || N.A.
OWASP-IG-005 - 4.2.5 Application Discovery - N.A.
+
|-
 
+
| OWASP-IG-005 || 4.2.5 || Application Discovery                   || N.A.
OWASP-IG-006 - 4.2.6 Analysis of Error Codes - Information Disclosure
+
|-
 
+
| OWASP-IG-006 || 4.2.6 || Analysis of Error Codes                 || Information Disclosure
 +
|}
  
 
'''Configuration Management Testing '''
 
'''Configuration Management Testing '''

Revision as of 18:41, 17 September 2013

This article is part of the new OWASP Testing Guide v4.
Back to the OWASP Testing Guide v4 ToC: https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents Back to the OWASP Testing Guide Project: https://www.owasp.org/index.php/OWASP_Testing_Project


The following is the list of controls to test during the assessment:

Information Gathering
Category Ref. Number Test Name Vulnerability
OWASP-IG-001 4.2.1 Spiders, Robots and Crawlers N.A.
OWASP-IG-002 4.2.2 Search Engine Discovery/Reconnaissance N.A.
OWASP-IG-003 4.2.3 Identify application entry points N.A.
OWASP-IG-004 4.2.4 Testing for Web Application Fingerprint N.A.
OWASP-IG-005 4.2.5 Application Discovery N.A.
OWASP-IG-006 4.2.6 Analysis of Error Codes Information Disclosure

Configuration Management Testing

OWASP-CM-001 - 4.3.1 SSL/TLS Testing (SSL Version, Algorithms, Key length, Digital Cert. Validity) - SSL Weakness

OWASP-CM-002 - 4.3.2 DB Listener Testing - DB Listener weak

OWASP-CM-003 - 4.3.3 Infrastructure Configuration Management Testing - Infrastructure Configuration management weakness

OWASP-CM-004 - 4.3.4 Application Configuration Management Testing - Application Configuration management weakness

OWASP-CM-005 - 4.3.5 Testing for File Extensions Handling - File extensions handling

OWASP-CM-006 - 4.3.6 Old, backup and unreferenced files - Old, backup and unreferenced files

OWASP-CM-007 - 4.3.7 Infrastructure and Application Admin Interfaces - Access to Admin interfaces

OWASP-CM-008 - 4.3.8 Testing for HTTP Methods and XST - HTTP Methods enabled, XST permitted, HTTP Verb


Authentication Testing

OWASP-AT-001 - 4.4.1 Credentials transport over an encrypted channel - Credentials transport over an encrypted channel

OWASP-AT-002 - 4.4.2 Testing for user enumeration - User enumeration

OWASP-AT-003 - 4.4.3 Testing for Guessable (Dictionary) User Account - Guessable user account

OWASP-AT-004 - 4.4.4 Brute Force Testing - Credentials Brute forcing

OWASP-AT-005 - 4.4.5 Testing for bypassing authentication schema - Bypassing authentication schema

OWASP-AT-006 - 4.4.6 Testing for vulnerable remember password and pwd reset - Vulnerable remember password, weak pwd reset

OWASP-AT-007 - 4.4.7 Testing for Logout and Browser Cache Management - - Logout function not properly implemented, browser cache weakness

OWASP-AT-008 - 4.4.8 Testing for CAPTCHA - Weak Captcha implementation

OWASP-AT-009 - 4.4.9 Testing Multiple Factors Authentication - Weak Multiple Factors Authentication

OWASP-AT-010 - 4.4.10 Testing for Race Conditions - Race Conditions vulnerability


Session Management

OWASP-SM-001 - 4.5.1 Testing for Session Management Schema - Bypassing Session Management Schema, Weak Session Token

OWASP-SM-002 - 4.5.2 Testing for Cookies attributes - Cookies are set not ‘HTTP Only’, ‘Secure’, and no time validity

OWASP-SM-003 - 4.5.3 Testing for Session Fixation - Session Fixation

OWASP-SM-004 - 4.5.4 Testing for Exposed Session Variables - Exposed sensitive session variables

OWASP-SM-005 - 4.5.5 Testing for CSRF - CSRF


Authorization Testing

OWASP-AZ-001 - 4.6.1 Testing for Path Traversal - Path Traversal

OWASP-AZ-002 - 4.6.2 Testing for bypassing authorization schema - Bypassing authorization schema

OWASP-AZ-003 - 4.6.3 Testing for Privilege Escalation - Privilege Escalation


Business logic testing

OWASP-BL-001 - 4.7 Testing for Business Logic - Bypassable business logic


Data Validation Testing

OWASP-DV-001 - 4.8.1 Testing for Reflected Cross Site Scripting - Reflected XSS

OWASP-DV-002 - 4.8.2 Testing for Stored Cross Site Scripting - Stored XSS

OWASP-DV-003 - 4.8.3 Testing for DOM based Cross Site Scripting - DOM XSS

OWASP-DV-004 - 4.8.4 Testing for Cross Site Flashing - Cross Site Flashing

OWASP-DV-005 - 4.8.5 SQL Injection - SQL Injection

OWASP-DV-006 - 4.8.6 LDAP Injection - LDAP Injection

OWASP-DV-007 - 4.8.7 ORM Injection - ORM Injection

OWASP-DV-008 - 4.8.8 XML Injection - XML Injection

OWASP-DV-009 - 4.8.9 SSI Injection - SSI Injection

OWASP-DV-010 - 4.8.10 XPath Injection - XPath Injection

OWASP-DV-011 - 4.8.11 IMAP/SMTP Injection - IMAP/SMTP Injection

OWASP-DV-012 - 4.8.12 Code Injection - Code Injection

OWASP-DV-013 - 4.8.13 OS Commanding - OS Commanding

OWASP-DV-014 - 4.8.14 Buffer overflow - Buffer overflow

OWASP-DV-015 - 4.8.15 Incubated vulnerability - Incubated vulnerability

OWASP-DV-016 - 4.8.16 Testing for HTTP Splitting/Smuggling - HTTP Splitting, Smuggling


Denial of Service Testing

OWASP-DS-001 - 4.9.1 Testing for SQL Wildcard Attacks - SQL Wildcard vulnerability

OWASP-DS-002 - 4.9.2 Locking Customer Accounts - Locking Customer Accounts

OWASP-DS-003 - 4.9.3 Testing for DoS Buffer Overflows - Buffer Overflows

OWASP-DS-004 - 4.9.4 User Specified Object Allocation - User Specified Object Allocation

OWASP-DS-005 - 4.9.5 User Input as a Loop Counter - User Input as a Loop Counter

OWASP-DS-006 - 4.9.6 Writing User Provided Data to Disk - Writing User Provided Data to Disk

OWASP-DS-007 - 4.9.7 Failure to Release Resources - Failure to Release Resources

OWASP-DS-008 - 4.9.8 Storing too Much Data in Session - Storing too Much Data in Session


Web Services Testing

OWASP-WS-001 - 4.10.1 WS Information Gathering - N.A.

OWASP-WS-002 - 4.10.2 Testing WSDL - WSDL Weakness

OWASP-WS-003 - 4.10.3 XML Structural Testing - Weak XML Structure

OWASP-WS-004 - 4.10.4 XML content-level Testing - XML content-level

OWASP-WS-005 - 4.10.5 HTTP GET parameters/REST Testing - WS HTTP GET parameters/REST

OWASP-WS-006 - 4.10.6 Naughty SOAP attachments - WS Naughty SOAP attachments

OWASP-WS-007 - 4.10.7 Replay Testing - WS Replay Testing


Ajax Testing

OWASP-AJ-001 - 4.11.1 AJAX Vulnerabilities - N.A.

OWASP-AJ-002 - 4.11.2 AJAX Testing - AJAX weakness