Scribd
Upload
406 views

OWASP Mobile App Checklist v1.0

The document lists 64 client-side and server-side security checks for a mobile or web application. These checks cover a wide range of issues including vulnerabilities like SQL injection, XSS, insecure authentication, sensitive data exposure, weak cryptography, and more. Each check lists the applicable platform, vulnerability name, and whether the application is compliant or not.

Uploaded by

Sam Kumar
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
406 views

OWASP Mobile App Checklist v1.0

The document lists 64 client-side and server-side security checks for a mobile or web application. These checks cover a wide range of issues including vulnerabilities like SQL injection, XSS, insecure authentication, sensitive data exposure, weak cryptography, and more. Each check lists the applicable platform, vulnerability name, and whether the application is compliant or not.

Uploaded by

Sam Kumar
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 3

CLIENT SIDE CHECKS

Sr.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

Vulnerability Name

Applicable
Platform

Application is Vulnerable to Reverse Engineering Attack


Account Lockout not Implemented
Application is Vulnerable to XSS
Authentication bypassed
Hard coded sensitive information in Application Code
Malicious File Upload
Session Fixation
Application does not Verify MSISDN
Privilege Escalation
SQL Injection
Attacker can bypass Second Level Authentication
Application is vulnerable to LDAP Injection
Application is vulnerable to OS Command Injection
iOS snapshot/backgrounding Vulnerability
Debug is set to TRUE
Application makes use of Weak Cryptography
Cleartext information under SSL Tunnel
Client Side Validation can be bypassed
Invalid SSL Certificate
Sensitive Information is sent as Clear Text over network
CAPTCHA is not implemented on Public Pages/Login Pages
Improper or NO implementation of Change Password Page
Application does not have Logout Functionality

All
All
All
All
All
All
All
WAP
All
All
All
All
All
iOS
Android
All
All
All
All
All
All
All
All

Compliant?
Yes/No/NA

24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49

Sensitive information in Application Log Files


Sensitive information sent as a querystring parameter
URL Modification
Sensitive information in Memory Dump
Weak Password Policy
Autocomplete is not set to OFF
Application is accessible on Rooted or Jail Broken Device
Back-and-Refresh attack
Directory Browsing
Usage of Persistent Cookies
Open URL Redirects are possible
Improper exception Handling: In code
Insecure Application Permissions
Application build contains Obsolete Files
Certificate Chain is not Validated
Last Login information is not displayed
Private IP Disclosure
UI Impersonation through RMS file modification
UI Impersonation through JAR file modification
Operation on a resource after expiration or release
No Certificate Pinning
Cached Cookies or information not cleaned after application removal/Clos
ASLR Not Used
Clipboard is not disabled
Cache smashing protection is not enabled
Android Backup Vulnerability

All
All
All
All
All
All
All
All
All
All
All
All
All
All
All
All
All
JAVA
Android
All
All
All
iOS
All
iOS
Android

SERVER SIDE CHECKS


Sr.

Vulnerability Name
50 Cleartext password in Response
51 Direct Reference to internal resource without authentication

Applicable
Platform
All
All

Compliant?
Yes/No/NA

52
53
54
55
56
57
58
59
60
61
62
63
64

Application has NO or improper Session Management


Cross Domain Scripting Vulnerability
Cross Origin Resource Sharing
Improper Input Validation - Server Side
Detailed Error page shows internal sensitive information
Application allows HTTP Methods besides GET and POST
Cross Site Request Forgery (CSRF)/SSRF
Cacheable HTTPS Responses
Path Attribute not set on a Cookie
HttpOnly Attribute not set for a cookie
Secure Attribute not set for a cookie
Application is Vulnerable to Clickjacking/Tapjacking attack
Server/OS fingerprinting is possible

All
All
All
All
All
All
All
All
All
All
All
All
All

You might also like