Scribd
Upload
575 views

Testing Checklist - OWASP

The document is a testing checklist from OWASP that lists over 100 individual security tests across 12 categories to help identify vulnerabilities during a security assessment. The checklist includes tests for information gathering, configuration and deployment management, identity management, authentication, authorization, session management, data validation, error handling, cryptography, business logic, client-side issues, and web technologies. Each test listed provides a unique reference code to identify the specific type of test being performed.

Uploaded by

Sarang M Tumne
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
575 views

Testing Checklist - OWASP

The document is a testing checklist from OWASP that lists over 100 individual security tests across 12 categories to help identify vulnerabilities during a security assessment. The checklist includes tests for information gathering, configuration and deployment management, identity management, authentication, authorization, session management, data validation, error handling, cryptography, business logic, client-side issues, and web technologies. Each test listed provides a unique reference code to identify the specific type of test being performed.

Uploaded by

Sarang M Tumne
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 4

Testing Checklist - OWASP

1 of 4

https://www.owasp.org/index.php/Testing_Checklist

Testing Checklist
From OWASP
This article is part of the new OWASP Testing Guide v4.
Back to the OWASP Testing Guide v4 ToC:
https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
Back to the OWASP Testing Guide Project:
https://www.owasp.org/index.php/OWASP_Testing_Project

The following is the list of controls to test during the assessment:


Ref.
No.

Category

4.2

Test Name

4.2.1

OTG-INFO-001

4.2.2
4.2.3
4.2.4
4.2.5
4.2.6
4.2.7
4.2.8
4.2.9
4.2.10

OTG-INFO-002
OTG-INFO-003
OTG-INFO-004
OTG-INFO-005
OTG-INFO-006
OTG-INFO-007
OTG-INFO-008
OTG-INFO-009
OTG-INFO-010

Information Gathering
Conduct Search Engine Discovery and Reconnaissance for Information
Leakage
Fingerprint Web Server
Review Webserver Metafiles for Information Leakage
Enumerate Applications on Webserver
Review Webpage Comments and Metadata for Information Leakage
Identify application entry points
Map execution paths through application
Fingerprint Web Application Framework
Fingerprint Web Application
Map Application Architecture

OTG-CONFIG-001
OTG-CONFIG-002
OTG-CONFIG-003
OTG-CONFIG-004
OTG-CONFIG-005
OTG-CONFIG-006
OTG-CONFIG-007
OTG-CONFIG-008

Configuration and Deploy Management Testing


Test Network/Infrastructure Configuration
Test Application Platform Configuration
Test File Extensions Handling for Sensitive Information
Backup and Unreferenced Files for Sensitive Information
Enumerate Infrastructure and Application Admin Interfaces
Test HTTP Methods
Test HTTP Strict Transport Security
Test RIA cross domain policy

OTG-IDENT-001
OTG-IDENT-002
OTG-IDENT-003
OTG-IDENT-004
OTG-IDENT-005

Identity Management Testing


Test Role Definitions
Test User Registration Process
Test Account Provisioning Process
Testing for Account Enumeration and Guessable User Account
Testing for Weak or unenforced username policy

4.3
4.3.1
4.3.2
4.3.3
4.3.4
4.3.5
4.3.6
4.3.7
4.3.8
4.4
4.4.1
4.4.2
4.4.3
4.4.4
4.4.5

9/30/2014 9:59 AM

Testing Checklist - OWASP

2 of 4

4.4.6
4.4.7
4.5
4.5.1
4.5.2
4.5.3
4.5.4
4.5.5
4.5.6
4.5.7
4.5.8
4.5.9
4.5.10
4.6
4.6.1
4.6.2
4.6.3
4.6.4
4.7
4.7.1
4.7.2
4.7.3
4.7.4
4.7.5
4.7.6
4.7.7
4.7.8
4.8
4.8.1
4.8.2
4.8.3
4.8.4
4.8.5
4.8.5.1
4.8.5.2
4.8.5.3
4.8.5.4
4.8.5.5
4.8.5.6
4.8.6
4.8.7

https://www.owasp.org/index.php/Testing_Checklist

OTG-IDENT-006
OTG-IDENT-007

Test Permissions of Guest/Training Accounts


Test Account Suspension/Resumption Process

OTG-AUTHN-001
OTG-AUTHN-002
OTG-AUTHN-003
OTG-AUTHN-004
OTG-AUTHN-005
OTG-AUTHN-006
OTG-AUTHN-007
OTG-AUTHN-008
OTG-AUTHN-009
OTG-AUTHN-010

Authentication Testing
Testing for Credentials Transported over an Encrypted Channel
Testing for default credentials
Testing for Weak lock out mechanism
Testing for bypassing authentication schema
Test remember password functionality
Testing for Browser cache weakness
Testing for Weak password policy
Testing for Weak security question/answer
Testing for weak password change or reset functionalities
Testing for Weaker authentication in alternative channel

OTG-AUTHZ-001
OTG-AUTHZ-002
OTG-AUTHZ-003
OTG-AUTHZ-004

Authorization Testing
Testing Directory traversal/file include
Testing for bypassing authorization schema
Testing for Privilege Escalation
Testing for Insecure Direct Object References

OTG-SESS-001
OTG-SESS-002
OTG-SESS-003
OTG-SESS-004
OTG-SESS-005
OTG-SESS-006
OTG-SESS-007
OTG-SESS-008

Session Management Testing


Testing for Bypassing Session Management Schema
Testing for Cookies attributes
Testing for Session Fixation
Testing for Exposed Session Variables
Testing for Cross Site Request Forgery
Testing for logout functionality
Test Session Timeout
Testing for Session puzzling

OTG-INPVAL-001
OTG-INPVAL-002
OTG-INPVAL-003
OTG-INPVAL-004
OTG-INPVAL-005

OTG-INPVAL-006
OTG-INPVAL-007

Data Validation Testing


Testing for Reflected Cross Site Scripting
Testing for Stored Cross Site Scripting
Testing for HTTP Verb Tampering
Testing for HTTP Parameter pollution
Testing for SQL Injection
Oracle Testing
MySQL Testing
SQL Server Testing
Testing PostgreSQL
MS Access Testing
Testing for NoSQL injection
Testing for LDAP Injection
Testing for ORM Injection

9/30/2014 9:59 AM

Testing Checklist - OWASP

3 of 4

4.8.8
4.8.9
4.8.10
4.8.11
4.8.12
4.8.12.1
4.8.12.2
4.8.13
4.8.14
4.8.14.1
4.8.14.2
4.8.14.3
4.8.15
4.8.16

OTG-INPVAL-015
OTG-INPVAL-016

Testing for XML Injection


Testing for SSI Injection
Testing for XPath Injection
IMAP/SMTP Injection
Testing for Code Injection
Testing for Local File Inclusion
Testing for Remote File Inclusion
Testing for Command Injection
Testing for Buffer overflow
Testing for Heap overflow
Testing for Stack overflow
Testing for Format string
Testing for incubated vulnerabilities
Testing for HTTP Splitting/Smuggling

OTG-ERR-001
OTG-ERR-002

Error Handling
Analysis of Error Codes
Analysis of Stack Traces

4.10
4.10.1
4.10.2
4.10.3

OTG-CRYPST-001
OTG-CRYPST-002
OTG-CRYPST-003

Cryptography
Testing for Weak SSL/TSL Ciphers, Insufficient Transport Layer Protection
Testing for Padding Oracle
Testing for Sensitive information sent via unencrypted channels

4.11
4.11.1
4.11.2
4.11.3
4.11.4
4.11.5
4.11.6
4.11.7
4.11.8
4.11.9

Business Logic Testing


OTG-BUSLOGIC-001 Test Business Logic Data Validation
OTG-BUSLOGIC-002 Test Ability to Forge Requests
OTG-BUSLOGIC-003 Test Integrity Checks
OTG-BUSLOGIC-004 Test for Process Timing
OTG-BUSLOGIC-005 Test Number of Times a Function Can be Used Limits
OTG-BUSLOGIC-006 Testing for the Circumvention of Work Flows
OTG-BUSLOGIC-007 Test Defenses Against Application Mis-use
OTG-BUSLOGIC-008 Test Upload of Unexpected File Types
OTG-BUSLOGIC-009 Test Upload of Malicious Files

4.9
4.9.1
4.9.2

4.12
4.12.1
4.12.2
4.12.3
4.12.4
4.12.5
4.12.6
4.12.7
4.12.8
4.12.9

OTG-INPVAL-008
OTG-INPVAL-009
OTG-INPVAL-010
OTG-INPVAL-011
OTG-INPVAL-012

https://www.owasp.org/index.php/Testing_Checklist

OTG-INPVAL-013
OTG-INPVAL-014

OTG-CLIENT-001
OTG-CLIENT-002
OTG-CLIENT-003
OTG-CLIENT-004
OTG-CLIENT-005
OTG-CLIENT-006
OTG-CLIENT-007
OTG-CLIENT-008
OTG-CLIENT-009

Client Side Testing


Testing for DOM based Cross Site Scripting
Testing for JavaScript Execution
Testing for HTML Injection
Testing for Client Side URL Redirect
Testing for CSS Injection
Testing for Client Side Resource Manipulation
Test Cross Origin Resource Sharing
Testing for Cross Site Flashing
Testing for Clickjacking

9/30/2014 9:59 AM

Testing Checklist - OWASP

4 of 4

4.12.10 OTG-CLIENT-010
4.12.11 OTG-CLIENT-011
4.12.12 OTG-CLIENT-012

https://www.owasp.org/index.php/Testing_Checklist

Testing WebSockets
Test Web Messaging
Test Local Storage

Retrieved from "https://www.owasp.org/index.php?title=Testing_Checklist&oldid=180280"


Categories: OWASP Testing Project Test
This page was last modified on 8 August 2014, at 07:10.
This page has been accessed 72,624 times.
Content is available under a Creative Commons 3.0 License unless otherwise noted.

9/30/2014 9:59 AM

You might also like