OWASP: Testing guide checklist
A checklist of OWASP Testing guide v4
OWASP Checklist EN.xlsx
OWASP Checklist EN
♻️ Update to february 4, 2020


  • INFO-001 Conduct Search Engine Discovery and Reconnaissance Information Leakage
  • INFO-002 Fingerprint Web Server
  • INFO-003 Review Webserver Metafiles Information Leakage
  • INFO-004 Enumerate Applications on Webserver
  • INFO-005 Review Webpage Comments and Metadata Information Leakage
  • INFO-006 Identify application entry points
  • INFO-007 Map execution paths through application
  • INFO-008 Fingerprint Web Application Framework
  • INFO-009 Fingerprint Web Application
  • INFO-010 Map Application Architecture


  • CONFIG-001 Network/Infrastructure Configuration
  • CONFIG-002 Application Platform Configuration
  • CONFIG-003 File Extensions Handling for Sensitive Information
  • CONFIG-004 Backup and Unreferenced Files for Sensitive Information
  • CONFIG-005 Enumerate Infrastructure and Application Admin Interfaces
  • CONFIG-006 HTTP Methods
  • CONFIG-007 HTTP Strict Transport Security
  • CONFIG-008 RIA cross domain policy
  • CONFIG-009 File Permission
  • CONFIG-010 Subdomain Takeover


  • IDENT-001 Role Definitions
  • IDENT-002 User Registration Process
  • IDENT-003 Account Provisioning Process
  • IDENT-004 Account Enumeration and Guessable User Account
  • IDENT-005 Weak or unenforced username policy


  • AUTHN-001 Credentials Transported over an Encrypted Channel
  • AUTHN-002 Default credentials
  • AUTHN-003 Weak lock out mechanism
  • AUTHN-004 Bypassing authentication schema
  • AUTHN-005 Remember password functionality
  • AUTHN-006 Browser cache weakness
  • AUTHN-007 Weak password policy
  • AUTHN-008 Weak security question/answer
  • AUTHN-009 Weak password change or reset functionalities
  • AUTHN-010 Weaker authentication in alternative channel


  • AUTHZ-001 Directory traversal/file include
  • AUTHZ-002 Bypassing authorization schema
  • AUTHZ-003 Privilege Escalation
  • AUTHZ-004 Insecure Direct Object References


  • SESS-001 Bypassing Session Management Schema
  • SESS-002 Cookies attributes
  • SESS-003 Session Fixation
  • SESS-004 Exposed Session Variables
  • SESS-005 Cross Site Request Forgery
  • SESS-006 Logout functionality
  • SESS-007 Session Timeout
  • SESS-008 Session puzzling


  • INPVAL-001 Reflected Cross Site Scripting
  • INPVAL-002 Stored Cross Site Scripting
  • INPVAL-003 HTTP Verb Tampering
  • INPVAL-004 HTTP Parameter pollution
  • INPVAL-005 SQL Injection
  • INPVAL-006 LDAP Injection
  • INPVAL-007 ORM Injection
  • INPVAL-008 XML Injection
  • INPVAL-009 SSI Injection
  • INPVAL-010 XPath Injection
  • INPVAL-011 IMAP/SMTP Injection
  • INPVAL-012 Code Injection
  • INPVAL-013 Command Injection
  • INPVAL-014 Buffer overflow
  • INPVAL-015 Incubated vulnerabilities
  • INPVAL-016 HTTP Splitting/Smuggling
  • INPVAL-017 HTTP Incoming Requests
  • INPVAL-018 Host Header Injection
  • INPVAL-019 Server Side Template Injection


  • ERR-001 Analysis of Error Codes
  • ERR-002 Analysis of Stack Traces


  • CRYPST-001 Weak SSL/TSL Ciphers, Insufficient Transport Layer Protection
  • CRYPST-002 Padding Oracle
  • CRYPST-003 Sensitive information sent via unencrypted channels
  • CRYPST-004 Weak Encryption


  • BUSLOGIC-001 Business Logic Data Validation
  • BUSLOGIC-002 Ability to Forge Requests
  • BUSLOGIC-003 Integrity Checks
  • BUSLOGIC-004 Process Timing
  • BUSLOGIC-005 Number of Times a Function Can be Used Limits
  • BUSLOGIC-006 Circumvention of Work Flows
  • BUSLOGIC-007 Defenses Against Application Mis-use
  • BUSLOGIC-008 Upload of Unexpected File Types
  • BUSLOGIC-009 Upload of Malicious Files


  • CLIENT-001 DOM based Cross Site Scripting
  • CLIENT-002 JavaScript Execution
  • CLIENT-003 HTML Injection
  • CLIENT-004 Client Side URL Redirect
  • CLIENT-005 CSS Injection
  • CLIENT-006 Client Side Resource Manipulation
  • CLIENT-007 Cross Origin Resource Sharing
  • CLIENT-008 Cross Site Flashing
  • CLIENT-009 Clickjacking
  • CLIENT-010 WebSockets
  • CLIENT-011 Web Messaging
  • CLIENT-012 Local Storage
  • CLIENT-013 Cross Site Script Inclusion