OWASP: Testing guide checklist
A checklist of the OWASP Testing Guide v4, distributed as a spreadsheet.
Attachment: OWASP Checklist EN.xlsx (24KB)
Updated February 4, 2020
- INFO-001 Conduct Search Engine Discovery and Reconnaissance Information Leakage
- INFO-002 Fingerprint Web Server
- INFO-003 Review Webserver Metafiles Information Leakage
- INFO-004 Enumerate Applications on Webserver
- INFO-005 Review Webpage Comments and Metadata Information Leakage
- INFO-006 Identify application entry points
- INFO-007 Map execution paths through application
- INFO-008 Fingerprint Web Application Framework
- INFO-009 Fingerprint Web Application
- INFO-010 Map Application Architecture
- CONFIG-001 Network/Infrastructure Configuration
- CONFIG-002 Application Platform Configuration
- CONFIG-003 File Extensions Handling for Sensitive Information
- CONFIG-004 Backup and Unreferenced Files for Sensitive Information
- CONFIG-005 Enumerate Infrastructure and Application Admin Interfaces
- CONFIG-006 HTTP Methods
- CONFIG-007 HTTP Strict Transport Security
- CONFIG-008 RIA cross domain policy
- CONFIG-009 File Permission
- CONFIG-010 Subdomain Takeover
- IDENT-001 Role Definitions
- IDENT-002 User Registration Process
- IDENT-003 Account Provisioning Process
- IDENT-004 Account Enumeration and Guessable User Account
- IDENT-005 Weak or unenforced username policy
- AUTHN-001 Credentials Transported over an Encrypted Channel
- AUTHN-002 Default credentials
- AUTHN-003 Weak lock out mechanism
- AUTHN-004 Bypassing authentication schema
- AUTHN-005 Remember password functionality
- AUTHN-006 Browser cache weakness
- AUTHN-007 Weak password policy
- AUTHN-008 Weak security question/answer
- AUTHN-009 Weak password change or reset functionalities
- AUTHN-010 Weaker authentication in alternative channel
- AUTHZ-001 Directory traversal/file include
- AUTHZ-002 Bypassing authorization schema
- AUTHZ-003 Privilege Escalation
- AUTHZ-004 Insecure Direct Object References
- SESS-001 Bypassing Session Management Schema
- SESS-002 Cookies attributes
- SESS-003 Session Fixation
- SESS-004 Exposed Session Variables
- SESS-005 Cross Site Request Forgery
- SESS-006 Logout functionality
- SESS-007 Session Timeout
- SESS-008 Session puzzling
- INPVAL-001 Reflected Cross Site Scripting
- INPVAL-002 Stored Cross Site Scripting
- INPVAL-003 HTTP Verb Tampering
- INPVAL-004 HTTP Parameter pollution
- INPVAL-005 SQL Injection
- INPVAL-006 LDAP Injection
- INPVAL-007 ORM Injection
- INPVAL-008 XML Injection
- INPVAL-009 SSI Injection
- INPVAL-010 XPath Injection
- INPVAL-011 IMAP/SMTP Injection
- INPVAL-012 Code Injection
- INPVAL-013 Command Injection
- INPVAL-014 Buffer overflow
- INPVAL-015 Incubated vulnerabilities
- INPVAL-016 HTTP Splitting/Smuggling
- INPVAL-017 HTTP Incoming Requests
- INPVAL-018 Host Header Injection
- INPVAL-019 Server Side Template Injection
- ERR-001 Analysis of Error Codes
- ERR-002 Analysis of Stack Traces
- CRYPST-001 Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection
- CRYPST-002 Padding Oracle
- CRYPST-003 Sensitive information sent via unencrypted channels
- CRYPST-004 Weak Encryption
- BUSLOGIC-001 Business Logic Data Validation
- BUSLOGIC-002 Ability to Forge Requests
- BUSLOGIC-003 Integrity Checks
- BUSLOGIC-004 Process Timing
- BUSLOGIC-005 Number of Times a Function Can be Used Limits
- BUSLOGIC-006 Circumvention of Work Flows
- BUSLOGIC-007 Defenses Against Application Mis-use
- BUSLOGIC-008 Upload of Unexpected File Types
- BUSLOGIC-009 Upload of Malicious Files
- CLIENT-001 DOM based Cross Site Scripting
- CLIENT-002 JavaScript Execution
- CLIENT-003 HTML Injection
- CLIENT-004 Client Side URL Redirect
- CLIENT-005 CSS Injection
- CLIENT-006 Client Side Resource Manipulation
- CLIENT-007 Cross Origin Resource Sharing
- CLIENT-008 Cross Site Flashing
- CLIENT-009 Clickjacking
- CLIENT-010 WebSockets
- CLIENT-011 Web Messaging
- CLIENT-012 Local Storage
- CLIENT-013 Cross Site Script Inclusion
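The spreadsheet tells you what to test, not how. As an added, worked example that is not part of the OWASP Testing Guide or of the attached checklist, the script below turns six of the items above (INFO-002, CONFIG-006, CONFIG-007, SESS-002, CLIENT-007, CLIENT-009) into concrete checks that run over a single captured HTTP response. The sample response, the attacker origin `https://attacker.example` and the one-year HSTS threshold are constructed assumptions for the demonstration; in practice you would feed it the raw response saved from your intercepting proxy.

```python
"""Map a few OWASP checklist items onto concrete checks of one HTTP response.

Added illustrative code for this page, not part of the OWASP Testing Guide.
The sample response at the bottom is constructed; adjust thresholds to your policy.
"""
import re

ONE_YEAR = 31536000  # seconds; assumed minimum acceptable HSTS max-age


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status_line, [(name, value), ...]).
    Header names are lower-cased; repeated headers such as Set-Cookie stay separate."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = []
    for line in lines[1:]:
        if ":" not in line:
            continue  # tolerate junk lines; nothing to audit there
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def get(headers, name):
    """All values of a header, in order of appearance."""
    return [v for n, v in headers if n == name]


def check_hsts(headers):
    """CONFIG-007: HSTS present, max-age at least a year, subdomains covered."""
    values = get(headers, "strict-transport-security")
    if not values:
        return ["CONFIG-007 Strict-Transport-Security header missing"]
    findings = []
    directives = [d.strip().lower() for d in values[0].split(";")]
    m = re.search(r"max-age=(\d+)", values[0].lower())
    if m is None:
        findings.append("CONFIG-007 HSTS has no max-age directive")
    elif int(m.group(1)) < ONE_YEAR:
        findings.append(f"CONFIG-007 HSTS max-age {m.group(1)} is below one year")
    if "includesubdomains" not in directives:
        findings.append("CONFIG-007 HSTS does not cover subdomains (includeSubDomains missing)")
    return findings


def check_cookies(headers):
    """SESS-002: every Set-Cookie should carry Secure, HttpOnly and SameSite."""
    findings = []
    for raw in get(headers, "set-cookie"):
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        for required in ("secure", "httponly", "samesite"):
            if required not in attrs:
                findings.append(f"SESS-002 cookie {name!r} lacks {required}")
    return findings


def check_framing(headers):
    """CLIENT-009: need X-Frame-Options or a CSP frame-ancestors directive."""
    csp = " ".join(get(headers, "content-security-policy")).lower()
    if not get(headers, "x-frame-options") and "frame-ancestors" not in csp:
        return ["CLIENT-009 no X-Frame-Options and no CSP frame-ancestors: page can be framed"]
    return []


def check_cors(headers, request_origin):
    """CLIENT-007: wildcard or reflected Origin combined with credentials.
    Browsers refuse '*' plus credentials, but it still signals a careless policy."""
    acao = get(headers, "access-control-allow-origin")
    creds = [v.lower() for v in get(headers, "access-control-allow-credentials")]
    if not acao or "true" not in creds:
        return []
    if acao[0] == "*":
        return ["CLIENT-007 Access-Control-Allow-Origin * combined with credentials"]
    if acao[0] == request_origin:
        return [f"CLIENT-007 request Origin {acao[0]} reflected with credentials"]
    return []


def check_fingerprint(headers):
    """INFO-002: version strings leaked in Server or X-Powered-By."""
    return [f"INFO-002 {name} discloses version: {v}"
            for name in ("server", "x-powered-by")
            for v in get(headers, name) if re.search(r"\d+\.\d+", v)]


def check_methods(headers):
    """CONFIG-006: risky methods advertised in Allow (typically an OPTIONS response)."""
    allowed = {m.strip().upper() for v in get(headers, "allow") for m in v.split(",")}
    risky = sorted(allowed & {"TRACE", "PUT", "DELETE", "CONNECT"})
    return [f"CONFIG-006 Allow advertises {', '.join(risky)}"] if risky else []


def audit(raw, request_origin="https://attacker.example"):
    """Run every check and return the list of finding strings."""
    _status, headers = parse_response(raw)
    findings = []
    for check in (check_hsts, check_cookies, check_framing, check_fingerprint, check_methods):
        findings += check(headers)
    return findings + check_cors(headers, request_origin)


# Constructed sample: a response to an OPTIONS request sent with Origin: https://attacker.example
SAMPLE = ("HTTP/1.1 200 OK\r\n"
          "Server: Apache/2.4.41 (Ubuntu)\r\n"
          "Strict-Transport-Security: max-age=86400\r\n"
          "Set-Cookie: JSESSIONID=abc123; Path=/\r\n"
          "Set-Cookie: theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
          "Access-Control-Allow-Origin: https://attacker.example\r\n"
          "Access-Control-Allow-Credentials: true\r\n"
          "Allow: GET, POST, OPTIONS, TRACE\r\n"
          "Content-Type: text/html\r\n\r\n<html></html>")

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Each check returns finding strings prefixed with the checklist ID so the output can be pasted straight into the spreadsheet's notes column. The CORS check needs the Origin you actually sent, which is why `audit` takes it as a parameter rather than guessing from the response alone.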