OWASP Checklist v4

The document outlines a comprehensive list of tests categorized into various sections such as Information Gathering, Configuration and Deployment Management, Identity Management, Authentication, Authorization, Session Management, Data Validation, Error Handling, Cryptography, Business Logic Testing, and Client-Side Testing. Each category includes specific test names with reference numbers, indicating the focus areas for security assessments. The status of each test is also recorded, showing whether they are not started, ongoing, or completed.

Uploaded by

sahilkadecha1122
Copyright © All Rights Reserved
| Category | Ref. Number | Test ID | Test Name | Status |
|---|---|---|---|---|
| Information Gathering | 4.2.1 | OTG-INFO-001 | Conduct Search Engine Discovery and Reconnaissance for Information Leakage | Not Started |
| | 4.2.2 | OTG-INFO-002 | Fingerprint Web Server | Not Started |
| | 4.2.3 | OTG-INFO-003 | Review Webserver Metafiles for Information Leakage | Not Started |
| | 4.2.4 | OTG-INFO-004 | Enumerate Applications on Webserver | Not Started |
| | 4.2.5 | OTG-INFO-005 | Review Webpage Comments and Metadata for Information Leakage | Not Started |
| | 4.2.6 | OTG-INFO-006 | Identify application entry points | Not Started |
| | 4.2.7 | OTG-INFO-007 | Map execution paths through application | Not Started |
| | 4.2.8 | OTG-INFO-008 | Fingerprint Web Application Framework | Not Started |
| | 4.2.9 | OTG-INFO-009 | Fingerprint Web Application | Not Started |
| | 4.2.10 | OTG-INFO-010 | Map Application Architecture | Not Started |
| Configuration and Deployment Management Testing | 4.3.1 | OTG-CONFIG-001 | Test Network/Infrastructure Configuration | Not Started |
| | 4.3.2 | OTG-CONFIG-002 | Test Application Platform Configuration | Not Started |
| | 4.3.3 | OTG-CONFIG-003 | Test File Extensions Handling for Sensitive Information | Not Started |
| | 4.3.4 | OTG-CONFIG-004 | Backup and Unreferenced Files for Sensitive Information | Not Started |
| | 4.3.5 | OTG-CONFIG-005 | Enumerate Infrastructure and Application Admin Interfaces | Not Started |
| | 4.3.6 | OTG-CONFIG-006 | Test HTTP Methods | Not Started |
| | 4.3.7 | OTG-CONFIG-007 | Test HTTP Strict Transport Security | Not Started |
| | 4.3.8 | OTG-CONFIG-008 | Test RIA cross domain policy | Not Started |
| Identity Management Testing | 4.4.1 | OTG-IDENT-001 | Test Role Definitions | Not Started |
| | 4.4.2 | OTG-IDENT-002 | Test User Registration Process | Not Started |
| | 4.4.3 | OTG-IDENT-003 | Test Account Provisioning Process | Not Started |
| | 4.4.4 | OTG-IDENT-004 | Testing for Account Enumeration and Guessable User Account | Not Started |
| | 4.4.5 | OTG-IDENT-005 | Testing for Weak or unenforced username policy | Not Started |
| | 4.4.6 | OTG-IDENT-006 | Test Permissions of Guest/Training Accounts | Not Started |
| | 4.4.7 | OTG-IDENT-007 | Test Account Suspension/Resumption Process | Not Started |
| Authentication Testing | 4.5.1 | OTG-AUTHN-001 | Testing for Credentials Transported over an Encrypted Channel | Not Started |
| | 4.5.2 | OTG-AUTHN-002 | Testing for default credentials | Not Started |
| | 4.5.3 | OTG-AUTHN-003 | Testing for Weak lock out mechanism | Not Started |
| | 4.5.4 | OTG-AUTHN-004 | Testing for bypassing authentication schema | Not Started |
| | 4.5.5 | OTG-AUTHN-005 | Test remember password functionality | Not Started |
| | 4.5.6 | OTG-AUTHN-006 | Testing for Browser cache weakness | Not Started |
| | 4.5.7 | OTG-AUTHN-007 | Testing for Weak password policy | Not Started |
| | 4.5.8 | OTG-AUTHN-008 | Testing for Weak security question/answer | Not Started |
| | 4.5.9 | OTG-AUTHN-009 | Testing for weak password change or reset functionalities | Not Started |
| | 4.5.10 | OTG-AUTHN-010 | Testing for Weaker authentication in alternative channel | Not Started |
| Authorization Testing | 4.6.1 | OTG-AUTHZ-001 | Testing Directory traversal/file include | Not Started |
| | 4.6.2 | OTG-AUTHZ-002 | Testing for bypassing authorization schema | Not Started |
| | 4.6.3 | OTG-AUTHZ-003 | Testing for Privilege Escalation | Not Started |
| | 4.6.4 | OTG-AUTHZ-004 | Testing for Insecure Direct Object References | Not Started |
| Session Management Testing | 4.7.1 | OTG-SESS-001 | Testing for Bypassing Session Management Schema | Not Started |
| | 4.7.2 | OTG-SESS-002 | Testing for Cookies attributes | Not Started |
| | 4.7.3 | OTG-SESS-003 | Testing for Session Fixation | Not Started |
| | 4.7.4 | OTG-SESS-004 | Testing for Exposed Session Variables | Not Started |
| | 4.7.5 | OTG-SESS-005 | Testing for Cross Site Request Forgery | Not Started |
| | 4.7.6 | OTG-SESS-006 | Testing for logout functionality | Not Started |
| | 4.7.7 | OTG-SESS-007 | Test Session Timeout | Not Started |
| | 4.7.8 | OTG-SESS-008 | Testing for Session puzzling | Not Started |
| Data Validation Testing | 4.8.1 | OTG-INPVAL-001 | Testing for Reflected Cross Site Scripting | Not Started |
| | 4.8.2 | OTG-INPVAL-002 | Testing for Stored Cross Site Scripting | Not Started |
| | 4.8.3 | OTG-INPVAL-003 | Testing for HTTP Verb Tampering | Not Started |
| | 4.8.4 | OTG-INPVAL-004 | Testing for HTTP Parameter pollution | Not Started |
| | 4.8.5 | OTG-INPVAL-005 | Testing for SQL Injection | Not Started |
| | 4.8.5.1 | | Oracle Testing | Not Started |
| | 4.8.5.2 | | MySQL Testing | Not Started |
| | 4.8.5.3 | | SQL Server Testing | Not Started |
| | 4.8.5.4 | | Testing PostgreSQL | Not Started |
| | 4.8.5.5 | | MS Access Testing | Not Started |
| | 4.8.5.6 | | Testing for NoSQL injection | Not Started |
| | 4.8.6 | OTG-INPVAL-006 | Testing for LDAP Injection | Not Started |
| | 4.8.7 | OTG-INPVAL-007 | Testing for ORM Injection | Not Started |
| | 4.8.8 | OTG-INPVAL-008 | Testing for XML Injection | Not Started |
| | 4.8.9 | OTG-INPVAL-009 | Testing for SSI Injection | Not Started |
| | 4.8.10 | OTG-INPVAL-010 | Testing for XPath Injection | Not Started |
| | 4.8.11 | OTG-INPVAL-011 | IMAP/SMTP Injection | Not Started |
| | 4.8.12 | OTG-INPVAL-012 | Testing for Code Injection | Not Started |
| | 4.8.12.1 | | Testing for Local File Inclusion | Not Started |
| | 4.8.12.2 | | Testing for Remote File Inclusion | Not Started |
| | 4.8.13 | OTG-INPVAL-013 | Testing for Command Injection | Not Started |
| | 4.8.14 | OTG-INPVAL-014 | Testing for Buffer overflow | Not Started |
| | 4.8.14.1 | | Testing for Heap overflow | Not Started |
| | 4.8.14.2 | | Testing for Stack overflow | Not Started |
| | 4.8.14.3 | | Testing for Format string | Not Started |
| | 4.8.15 | OTG-INPVAL-015 | Testing for incubated vulnerabilities | Not Started |
| | 4.8.16 | OTG-INPVAL-016 | Testing for HTTP Splitting/Smuggling | Not Started |
| Error Handling | 4.9.1 | OTG-ERR-001 | Analysis of Error Codes | Not Started |
| | 4.9.2 | OTG-ERR-002 | Analysis of Stack Traces | Not Started |
| Cryptography | 4.10.1 | OTG-CRYPST-001 | Testing for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection | Not Started |
| | 4.10.2 | OTG-CRYPST-002 | Testing for Padding Oracle | Not Started |
| | 4.10.3 | OTG-CRYPST-003 | Testing for Sensitive information sent via unencrypted channels | Not Started |
| Business Logic Testing | 4.11.1 | OTG-BUSLOGIC-001 | Test Business Logic Data Validation | Not Started |
| | 4.11.2 | OTG-BUSLOGIC-002 | Test Ability to Forge Requests | Not Started |
| | 4.11.3 | OTG-BUSLOGIC-003 | Test Integrity Checks | Not Started |
| | 4.11.4 | OTG-BUSLOGIC-004 | Test for Process Timing | Not Started |
| | 4.11.5 | OTG-BUSLOGIC-005 | Test Number of Times a Function Can be Used Limits | Not Started |
| | 4.11.6 | OTG-BUSLOGIC-006 | Testing for the Circumvention of Work Flows | Not Started |
| | 4.11.7 | OTG-BUSLOGIC-007 | Test Defenses Against Application Mis-use | Not Started |
| | 4.11.8 | OTG-BUSLOGIC-008 | Test Upload of Unexpected File Types | Not Started |
| | 4.11.9 | OTG-BUSLOGIC-009 | Test Upload of Malicious Files | Not Started |
| Client Side Testing | 4.12.1 | OTG-CLIENT-001 | Testing for DOM based Cross Site Scripting | Not Started |
| | 4.12.2 | OTG-CLIENT-002 | Testing for JavaScript Execution | Not Started |
| | 4.12.3 | OTG-CLIENT-003 | Testing for HTML Injection | Not Started |
| | 4.12.4 | OTG-CLIENT-004 | Testing for Client Side URL Redirect | Not Started |
| | 4.12.5 | OTG-CLIENT-005 | Testing for CSS Injection | Not Started |
| | 4.12.6 | OTG-CLIENT-006 | Testing for Client Side Resource Manipulation | Not Started |
| | 4.12.7 | OTG-CLIENT-007 | Test Cross Origin Resource Sharing | Not Started |
| | 4.12.8 | OTG-CLIENT-008 | Testing for Cross Site Flashing | Not Started |
| | 4.12.9 | OTG-CLIENT-009 | Testing for Clickjacking | Not Started |
| | 4.12.10 | OTG-CLIENT-010 | Testing WebSockets | Not Started |
| | 4.12.11 | OTG-CLIENT-011 | Test Web Messaging | Not Started |
| | 4.12.12 | OTG-CLIENT-012 | Test Local Storage | Not Started |

The checklist also carries Risk, Link to Evidence, Outcome and Notes columns; they are empty for every row in this copy.

Allowed values for the Status and Outcome columns:

| Status | Outcome |
|---|---|
| Not Started | Pass |
| Ongoing | Fail |
| Completed | Not Applicable |
| Not Applicable | |
