@mpgn
Created December 1, 2016 14:34
Check list OWASP

Information Gathering

  • Conduct Search Engine Discovery and Reconnaissance for Information Leakage
  • Fingerprint Web Server
  • Review Webserver Metafiles for Information Leakage
  • Enumerate Applications on Webserver
  • Review Webpage Comments and Metadata for Information Leakage
  • Identify application entry points
  • Map execution paths through application
  • Fingerprint Web Application Framework
  • Fingerprint Web Application
  • Map Application Architecture

Configuration and Deployment Management Testing

  • Test Network/Infrastructure Configuration
  • Test Application Platform Configuration
  • Test File Extensions Handling for Sensitive Information
  • Backup and Unreferenced Files for Sensitive Information
  • Enumerate Infrastructure and Application Admin Interfaces
  • Test HTTP Methods
  • Test HTTP Strict Transport Security
  • Test RIA cross domain policy

Identity Management Testing

  • Test Role Definitions
  • Test User Registration Process
  • Test Account Provisioning Process
  • Testing for Account Enumeration and Guessable User Account
  • Testing for Weak or unenforced username policy
  • Test Permissions of Guest/Training Accounts
  • Test Account Suspension/Resumption Process

Authentication Testing

  • Testing for Credentials Transported over an Encrypted Channel
  • Testing for default credentials
  • Testing for Weak lock out mechanism
  • Testing for bypassing authentication schema
  • Test remember password functionality
  • Testing for Browser cache weakness
  • Testing for Weak password policy
  • Testing for Weak security question/answer
  • Testing for weak password change or reset functionalities
  • Testing for Weaker authentication in alternative channel

Authorization Testing

  • Testing Directory traversal/file include
  • Testing for bypassing authorization schema
  • Testing for Privilege Escalation
  • Testing for Insecure Direct Object References

Session Management Testing

  • Testing for Bypassing Session Management Schema
  • Testing for Cookies attributes
  • Testing for Session Fixation
  • Testing for Exposed Session Variables
  • Testing for Cross Site Request Forgery
  • Testing for logout functionality
  • Test Session Timeout
  • Testing for Session puzzling

Validation Testing

  • Testing for Reflected Cross Site Scripting
  • Testing for Stored Cross Site Scripting
  • Testing for HTTP Verb Tampering
  • Testing for HTTP Parameter pollution
  • Testing for SQL Injection
    • Oracle Testing
    • MySQL Testing
    • SQL Server Testing
    • Testing PostgreSQL
    • MS Access Testing
  • Testing for NoSQL injection
  • Testing for LDAP Injection
  • Testing for ORM Injection
  • Testing for XML Injection
  • Testing for SSI Injection
  • Testing for XPath Injection
  • IMAP/SMTP Injection
  • Testing for Code Injection
  • Testing for Local File Inclusion
  • Testing for Remote File Inclusion
  • Testing for Command Injection
  • Testing for Buffer overflow
  • Testing for Heap overflow
  • Testing for Stack overflow
  • Testing for Format string
  • Testing for incubated vulnerabilities
  • Testing for HTTP Splitting/Smuggling

Error Handling

  • Analysis of Error Codes
  • Analysis of Stack Traces

Cryptography

  • Testing for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection
  • Testing for Padding Oracle
  • Testing for Sensitive information sent via unencrypted channels.

Business Logic Testing

  • Test Business Logic Data Validation
  • Test Ability to Forge Requests
  • Test Integrity Checks
  • Test for Process Timing
  • Test Number of Times a Function Can be Used Limits
  • Testing for the Circumvention of Work Flows
  • Test Defenses Against Application Mis-use
  • Test Upload of Unexpected File Types
  • Test Upload of Malicious Files

Client Side Testing

  • Testing for DOM based Cross Site Scripting
  • Testing for JavaScript Execution
  • Testing for HTML Injection
  • Testing for Client Side URL Redirect
  • Testing for CSS Injection
  • Testing for Client Side Resource Manipulation
  • Test Cross Origin Resource Sharing
  • Testing for Cross Site Flashing
  • Testing for Clickjacking
  • Testing WebSockets
  • Test Web Messaging
  • Test Local Storage
@gearcapitan

:'(
