# OWASP v4 Checklist ## Testing Checklist The following is the list of controls to test during the assessment: | Ref. No. | Category | Test Name | | -------- | ---------------- | -------------------------------------------------------------------------- | | 4.2 | | **Information Gathering** | | 4.2.1 | OTG-INFO-001 | Conduct Search Engine Discovery and Reconnaissance for Information Leakage | | 4.2.2 | OTG-INFO-002 | Fingerprint Web Server | | 4.2.3 | OTG-INFO-003 | Review Webserver Metafiles for Information Leakage | | 4.2.4 | OTG-INFO-004 | Enumerate Applications on Webserver | | 4.2.5 | OTG-INFO-005 | Review Webpage Comments and Metadata for Information Leakage | | 4.2.6 | OTG-INFO-006 | Identify application entry points | | 4.2.7 | OTG-INFO-007 | Map execution paths through application | | 4.2.8 | OTG-INFO-008 | Fingerprint Web Application Framework | | 4.2.9 | OTG-INFO-009 | Fingerprint Web Application | | 4.2.10 | OTG-INFO-010 | Map Application Architecture | | | | | | 4.3 | | **Configuration and Deploy** Management Testing | | 4.3.1 | OTG-CONFIG-001 | Test Network/Infrastructure Configuration | | 4.3.2 | OTG-CONFIG-002 | Test Application Platform Configuration | | 4.3.3 | OTG-CONFIG-003 | Test File Extensions Handling for Sensitive Information | | 4.3.4 | OTG-CONFIG-004 | Backup and Unreferenced Files for Sensitive Information | | 4.3.5 | OTG-CONFIG-005 | Enumerate Infrastructure and Application Admin Interfaces | | 4.3.6 | OTG-CONFIG-006 | Test HTTP Methods | | 4.3.7 | OTG-CONFIG-007 | Test HTTP Strict Transport Security | | 4.3.8 | OTG-CONFIG-008 | Test RIA cross domain policy | | | | | | 4.4 | | **Identity Management** Testing | | 4.4.1 | OTG-IDENT-001 | Test Role Definitions | | 4.4.2 | OTG-IDENT-002 | Test User Registration Process | | 4.4.3 | OTG-IDENT-003 | Test Account Provisioning Process | | 4.4.4 | OTG-IDENT-004 | Testing for Account Enumeration and Guessable User Account | | 4.4.5 | OTG-IDENT-005 | Testing for Weak or unenforced username policy | | 4.4.6 | OTG-IDENT-006 | Test Permissions of Guest/Training Accounts | | 4.4.7 | OTG-IDENT-007 | Test Account Suspension/Resumption Process | | | | | | 4.5 | | **Authentication Testing** | | 4.5.1 | OTG-AUTHN-001 | Testing for Credentials Transported over an Encrypted Channel | | 4.5.2 | OTG-AUTHN-002 | Testing for default credentials | | 4.5.3 | OTG-AUTHN-003 | Testing for Weak lock out mechanism | | 4.5.4 | OTG-AUTHN-004 | Testing for bypassing authentication schema | | 4.5.5 | OTG-AUTHN-005 | Test remember password functionality | | 4.5.6 | OTG-AUTHN-006 | Testing for Browser cache weakness | | 4.5.7 | OTG-AUTHN-007 | Testing for Weak password policy | | 4.5.8 | OTG-AUTHN-008 | Testing for Weak security question/answer | | 4.5.9 | OTG-AUTHN-009 | Testing for weak password change or reset functionalities | | 4.5.10 | OTG-AUTHN-010 | Testing for Weaker authentication in alternative channel | | | | | | 4.6 | | **Authorization Testing** | | 4.6.1 | OTG-AUTHZ-001 | Testing Directory traversal/file include | | 4.6.2 | OTG-AUTHZ-002 | Testing for bypassing authorization schema | | 4.6.3 | OTG-AUTHZ-003 | Testing for Privilege Escalation | | 4.6.4 | OTG-AUTHZ-004 | Testing for Insecure Direct Object References | | | | | | 4.7 | | **Session Management Testing** | | 4.7.1 | OTG-SESS-001 | Testing for Bypassing Session Management Schema | | 4.7.2 | OTG-SESS-002 | Testing for Cookies attributes | | 4.7.3 | OTG-SESS-003 | Testing for Session Fixation | | 4.7.4 | OTG-SESS-004 | Testing for Exposed Session Variables | | 4.7.5 | OTG-SESS-005 | Testing for Cross Site Request Forgery | | 4.7.6 | OTG-SESS-006 | Testing for logout functionality | | 4.7.7 | OTG-SESS-007 | Test Session Timeout | | 4.7.8 | OTG-SESS-008 | Testing for Session puzzling | | | | | | 4.8 | | **Data Validation Testing** | | 4.8.1 | OTG-INPVAL-001 | Testing for Reflected Cross Site Scripting | | 4.8.2 | OTG-INPVAL-002 | Testing for Stored Cross Site Scripting | | 4.8.3 | OTG-INPVAL-003 | Testing for HTTP Verb Tampering | | 4.8.4 | OTG-INPVAL-004 | Testing for HTTP Parameter pollution | | 4.8.5 | OTG-INPVAL-005 | Testing for SQL Injection | | 4.8.5.1 | | Oracle Testing | | 4.8.5.2 | | MySQL Testing | | 4.8.5.3 | | SQL Server Testing | | 4.8.5.4 | | Testing PostgreSQL | | 4.8.5.5 | | MS Access Testing | | 4.8.5.6 | | Testing for NoSQL injection | | 4.8.6 | OTG-INPVAL-006 | Testing for LDAP Injection | | 4.8.7 | OTG-INPVAL-007 | Testing for ORM Injection | | 4.8.8 | OTG-INPVAL-008 | Testing for XML Injection | | 4.8.9 | OTG-INPVAL-009 | Testing for SSI Injection | | 4.8.10 | OTG-INPVAL-010 | Testing for XPath Injection | | 4.8.11 | OTG-INPVAL-011 | IMAP/SMTP Injection | | 4.8.12 | OTG-INPVAL-012 | Testing for Code Injection | | 4.8.12.1 | | Testing for Local File Inclusion | | 4.8.12.2 | | Testing for Remote File Inclusion | | 4.8.13 | OTG-INPVAL-013 | Testing for Command Injection | | 4.8.14 | OTG-INPVAL-014 | Testing for Buffer overflow | | 4.8.14.1 | | Testing for Heap overflow | | 4.8.14.2 | | Testing for Stack overflow | | 4.8.14.3 | | Testing for Format string | | 4.8.15 | OTG-INPVAL-015 | Testing for incubated vulnerabilities | | 4.8.16 | OTG-INPVAL-016 | Testing for HTTP Splitting/Smuggling | | | | | | 4.9 | | **Error Handling** | | 4.9.1 | OTG-ERR-001 | Analysis of Error Codes | | 4.9.2 | OTG-ERR-002 | Analysis of Stack Traces | | | | | | 4.10 | | **Cryptography** | | 4.10.1 | OTG-CRYPST-001 | Testing for Weak SSL/TSL Ciphers, Insufficient Transport Layer Protection | | 4.10.2 | OTG-CRYPST-002 | Testing for Padding Oracle | | 4.10.3 | OTG-CRYPST-003 | Testing for Sensitive information sent via unencrypted channels | | | | | | 4.11 | | **Business Logic Testing** | | 4.11.1 | OTG-BUSLOGIC-001 | Test Business Logic Data Validation | | 4.11.2 | OTG-BUSLOGIC-002 | Test Ability to Forge Requests | | 4.11.3 | OTG-BUSLOGIC-003 | Test Integrity Checks | | 4.11.4 | OTG-BUSLOGIC-004 | Test for Process Timing | | 4.11.5 | OTG-BUSLOGIC-005 | Test Number of Times a Function Can be Used Limits | | 4.11.6 | OTG-BUSLOGIC-006 | Testing for the Circumvention of Work Flows | | 4.11.7 | OTG-BUSLOGIC-007 | Test Defenses Against Application Mis-use | | 4.11.8 | OTG-BUSLOGIC-008 | Test Upload of Unexpected File Types | | 4.11.9 | OTG-BUSLOGIC-009 | Test Upload of Malicious Files | | | | | | 4.12 | | **Client Side Testing** | | 4.12.1 | OTG-CLIENT-001 | Testing for DOM based Cross Site Scripting | | 4.12.2 | OTG-CLIENT-002 | Testing for JavaScript Execution | | 4.12.3 | OTG-CLIENT-003 | Testing for HTML Injection | | 4.12.4 | OTG-CLIENT-004 | Testing for Client Side URL Redirect | | 4.12.5 | OTG-CLIENT-005 | Testing for CSS Injection | | 4.12.6 | OTG-CLIENT-006 | Testing for Client Side Resource Manipulation | | 4.12.7 | OTG-CLIENT-007 | Test Cross Origin Resource Sharing | | 4.12.8 | OTG-CLIENT-008 | Testing for Cross Site Flashing | | 4.12.9 | OTG-CLIENT-009 | Testing for Clickjacking | | 4.12.10 | OTG-CLIENT-010 | Testing WebSockets | | 4.12.11 | OTG-CLIENT-011 | Test Web Messaging | | 4.12.12 | OTG-CLIENT-012 | Test Local Storage |