Testing Checklist - OWASP

1 of 4

https://www.owasp.org/index.php/Testing_Checklist

Testing Checklist
From OWASP
This article is part of the new OWASP Testing Guide v4.
Back to the OWASP Testing Guide v4 ToC:
https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
Back to the OWASP Testing Guide Project:
https://www.owasp.org/index.php/OWASP_Testing_Project

The following is the list of controls to test during the assessment:


Ref. No.   Category / Test ID   Test Name

4.2        Information Gathering
4.2.1      OTG-INFO-001         Conduct Search Engine Discovery and Reconnaissance for Information Leakage
4.2.2      OTG-INFO-002         Fingerprint Web Server
4.2.3      OTG-INFO-003         Review Webserver Metafiles for Information Leakage
4.2.4      OTG-INFO-004         Enumerate Applications on Webserver
4.2.5      OTG-INFO-005         Review Webpage Comments and Metadata for Information Leakage
4.2.6      OTG-INFO-006         Identify application entry points
4.2.7      OTG-INFO-007         Map execution paths through application
4.2.8      OTG-INFO-008         Fingerprint Web Application Framework
4.2.9      OTG-INFO-009         Fingerprint Web Application
4.2.10     OTG-INFO-010         Map Application Architecture

4.3        Configuration and Deploy Management Testing
4.3.1      OTG-CONFIG-001       Test Network/Infrastructure Configuration
4.3.2      OTG-CONFIG-002       Test Application Platform Configuration
4.3.3      OTG-CONFIG-003       Test File Extensions Handling for Sensitive Information
4.3.4      OTG-CONFIG-004       Backup and Unreferenced Files for Sensitive Information
4.3.5      OTG-CONFIG-005       Enumerate Infrastructure and Application Admin Interfaces
4.3.6      OTG-CONFIG-006       Test HTTP Methods
4.3.7      OTG-CONFIG-007       Test HTTP Strict Transport Security
4.3.8      OTG-CONFIG-008       Test RIA cross domain policy

4.4        Identity Management Testing
4.4.1      OTG-IDENT-001        Test Role Definitions
4.4.2      OTG-IDENT-002        Test User Registration Process
4.4.3      OTG-IDENT-003        Test Account Provisioning Process
4.4.4      OTG-IDENT-004        Testing for Account Enumeration and Guessable User Account
4.4.5      OTG-IDENT-005        Testing for Weak or unenforced username policy
4.4.6      OTG-IDENT-006        Test Permissions of Guest/Training Accounts
4.4.7      OTG-IDENT-007        Test Account Suspension/Resumption Process

4.5        Authentication Testing
4.5.1      OTG-AUTHN-001        Testing for Credentials Transported over an Encrypted Channel
4.5.2      OTG-AUTHN-002        Testing for default credentials
4.5.3      OTG-AUTHN-003        Testing for Weak lock out mechanism
4.5.4      OTG-AUTHN-004        Testing for bypassing authentication schema
4.5.5      OTG-AUTHN-005        Test remember password functionality
4.5.6      OTG-AUTHN-006        Testing for Browser cache weakness
4.5.7      OTG-AUTHN-007        Testing for Weak password policy
4.5.8      OTG-AUTHN-008        Testing for Weak security question/answer
4.5.9      OTG-AUTHN-009        Testing for weak password change or reset functionalities
4.5.10     OTG-AUTHN-010        Testing for Weaker authentication in alternative channel

4.6        Authorization Testing
4.6.1      OTG-AUTHZ-001        Testing Directory traversal/file include
4.6.2      OTG-AUTHZ-002        Testing for bypassing authorization schema
4.6.3      OTG-AUTHZ-003        Testing for Privilege Escalation
4.6.4      OTG-AUTHZ-004        Testing for Insecure Direct Object References

4.7        Session Management Testing
4.7.1      OTG-SESS-001         Testing for Bypassing Session Management Schema
4.7.2      OTG-SESS-002         Testing for Cookies attributes
4.7.3      OTG-SESS-003         Testing for Session Fixation
4.7.4      OTG-SESS-004         Testing for Exposed Session Variables
4.7.5      OTG-SESS-005         Testing for Cross Site Request Forgery
4.7.6      OTG-SESS-006         Testing for logout functionality
4.7.7      OTG-SESS-007         Test Session Timeout
4.7.8      OTG-SESS-008         Testing for Session puzzling

4.8        Data Validation Testing
4.8.1      OTG-INPVAL-001       Testing for Reflected Cross Site Scripting
4.8.2      OTG-INPVAL-002       Testing for Stored Cross Site Scripting
4.8.3      OTG-INPVAL-003       Testing for HTTP Verb Tampering
4.8.4      OTG-INPVAL-004       Testing for HTTP Parameter pollution
4.8.5      OTG-INPVAL-005       Testing for SQL Injection
4.8.5.1                         Oracle Testing
4.8.5.2                         MySQL Testing
4.8.5.3                         SQL Server Testing
4.8.5.4                         Testing PostgreSQL
4.8.5.5                         MS Access Testing
4.8.5.6                         Testing for NoSQL injection
4.8.6      OTG-INPVAL-006       Testing for LDAP Injection
4.8.7      OTG-INPVAL-007       Testing for ORM Injection
4.8.8      OTG-INPVAL-008       Testing for XML Injection
4.8.9      OTG-INPVAL-009       Testing for SSI Injection
4.8.10     OTG-INPVAL-010       Testing for XPath Injection
4.8.11     OTG-INPVAL-011       IMAP/SMTP Injection
4.8.12     OTG-INPVAL-012       Testing for Code Injection
4.8.12.1                        Testing for Local File Inclusion
4.8.12.2                        Testing for Remote File Inclusion
4.8.13     OTG-INPVAL-013       Testing for Command Injection
4.8.14     OTG-INPVAL-014       Testing for Buffer overflow
4.8.14.1                        Testing for Heap overflow
4.8.14.2                        Testing for Stack overflow
4.8.14.3                        Testing for Format string
4.8.15     OTG-INPVAL-015       Testing for incubated vulnerabilities
4.8.16     OTG-INPVAL-016       Testing for HTTP Splitting/Smuggling

4.9        Error Handling
4.9.1      OTG-ERR-001          Analysis of Error Codes
4.9.2      OTG-ERR-002          Analysis of Stack Traces

4.10       Cryptography
4.10.1     OTG-CRYPST-001       Testing for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection
4.10.2     OTG-CRYPST-002       Testing for Padding Oracle
4.10.3     OTG-CRYPST-003       Testing for Sensitive information sent via unencrypted channels

4.11       Business Logic Testing
4.11.1     OTG-BUSLOGIC-001     Test Business Logic Data Validation
4.11.2     OTG-BUSLOGIC-002     Test Ability to Forge Requests
4.11.3     OTG-BUSLOGIC-003     Test Integrity Checks
4.11.4     OTG-BUSLOGIC-004     Test for Process Timing
4.11.5     OTG-BUSLOGIC-005     Test Number of Times a Function Can be Used Limits
4.11.6     OTG-BUSLOGIC-006     Testing for the Circumvention of Work Flows
4.11.7     OTG-BUSLOGIC-007     Test Defenses Against Application Mis-use
4.11.8     OTG-BUSLOGIC-008     Test Upload of Unexpected File Types
4.11.9     OTG-BUSLOGIC-009     Test Upload of Malicious Files

4.12       Client Side Testing
4.12.1     OTG-CLIENT-001       Testing for DOM based Cross Site Scripting
4.12.2     OTG-CLIENT-002       Testing for JavaScript Execution
4.12.3     OTG-CLIENT-003       Testing for HTML Injection
4.12.4     OTG-CLIENT-004       Testing for Client Side URL Redirect
4.12.5     OTG-CLIENT-005       Testing for CSS Injection
4.12.6     OTG-CLIENT-006       Testing for Client Side Resource Manipulation
4.12.7     OTG-CLIENT-007       Test Cross Origin Resource Sharing
4.12.8     OTG-CLIENT-008       Testing for Cross Site Flashing
4.12.9     OTG-CLIENT-009       Testing for Clickjacking
4.12.10    OTG-CLIENT-010       Testing WebSockets
4.12.11    OTG-CLIENT-011       Test Web Messaging
4.12.12    OTG-CLIENT-012       Test Local Storage

Retrieved from "https://www.owasp.org/index.php?title=Testing_Checklist&oldid=180280"


Categories: OWASP Testing Project Test
This page was last modified on 8 August 2014, at 07:10.
This page has been accessed 72,624 times.
Content is available under a Creative Commons 3.0 License unless otherwise noted.
