Information Gathering

  • Spiders, Robots, and Crawlers
  • Search Engine Discovery/Reconnaissance
  • Identify application entry points
  • Testing for Web Application Fingerprint
  • Application Discovery
  • Analysis of Error Codes

Configuration Management Testing

  • SSL/TLS Testing (SSL Version, Algorithms, Key length, Digital Cert. Validity)
  • DB Listener Testing
  • Infrastructure Configuration Management Testing
  • Application Configuration Management Testing
  • Testing for File Extensions Handling
  • Old, backup and unreferenced files
  • Infrastructure and Application Admin Interfaces
  • Testing for HTTP Methods and XST

Authentication Testing

  • Credentials transport over an encrypted channel
  • Testing for user enumeration
  • Testing for Guessable (Dictionary) User Account
  • Brute Force Testing
  • Testing for bypassing authentication schema
  • Testing for vulnerable remember password and pwd reset
  • Testing for Logout and Browser Cache Management
  • Testing for CAPTCHA
  • Testing Multiple Factors Authentication
  • Testing for Race Conditions

Session Management

  • Testing for Session Management Schema
  • Testing for Cookies attributes
  • Testing for Session Fixation
  • Testing for Exposed Session Variables
  • Testing for CSRF

Authorization Testing

  • Testing for Business Logic

Business Logic Testing

  • Testing for Business Logic

Data Validation Testing

  • Testing for Reflected Cross Site Scripting
  • Testing for Stored Cross Site Scripting
  • Testing for DOM based Cross Site Scripting
  • Testing for Cross Site Flashing
  • SQL Injection
  • LDAP Injection
  • ORM Injection
  • XML Injection
  • SSI Injection
  • XPath Injection
  • IMAP/SMTP Injection
  • Code Injection
  • OS Commanding
  • Buffer overflow
  • Incubated vulnerability
  • Testing for HTTP Splitting/Smuggling

Denial of Service Testing

  • Testing for SQL Wildcard Attacks
  • Locking Customer Accounts
  • Testing for DoS Buffer Overflows
  • User Specified Object Allocation
  • User Input as a Loop Counter
  • Writing User Provided Data to Disk
  • Failure to Release Resources
  • Storing too Much Data in Session

Web Services Testing

  • WS Information Gathering
  • Testing WSDL
  • XML Structural Testing
  • XML content-level Testing
  • HTTP GET parameters/REST Testing
  • Naughty SOAP attachments
  • Replay Testing
  • AJAX Vulnerabilities
  • AJAX Testing