├── README.md
└── Reference_Guide.md


/README.md:
--------------------------------------------------------------------------------
1 | # OWASP-Testing-Guide
2 | Summation of the OWASP Testing Guide for reference.
3 | 
4 | Complete guide found here: https://www.owasp.org/images/1/19/OTGv4.pdf
5 | 
6 | This is a generic list of things to check for, it's completely dynamic and is going to change for each web application that you assess. Its good to have a basic guide to buld off of and to make sure you don't miss anythng. 
7 | 


--------------------------------------------------------------------------------
/Reference_Guide.md:
--------------------------------------------------------------------------------
 1 | # Security Assessment Cheat Sheet
 2 | 
 3 | *Not exactly to be used as a check list, just a rough guide.*
 4 | 	
 5 | *Character String= < ! # = / . “ - >*
 6 | 
 7 | ## Passive:	
 8 | - [ ] Click through entire website. Get a feel for the cookies, URLs and areas that require authorization. 	
 9 | - [ ] Identify web server type.	
10 | - [ ] Check robots.txt	
11 | - [ ] Check comments in source of all pages	
12 | - [ ] Identify all parameters. Document which parameters are used for GET and POST.	
13 | - [ ] Identify where cookies are set, modified or added to.	
14 | - [ ] Identify where redirects, 400 and 500 type responses are returned during normal operations.	
15 | - [ ] Note any strange headers.	
16 | - [ ] Use a spider and look for paths to important functions.	
17 | - [ ] Fingerprint the Application Framework	
18 |   * Look at x-powered-by: header, cookies, or source code, or ask the developer.	
19 |   * Run whatweb	
20 |   * dirb	
21 | - [ ] Map application architecture
22 | - [ ] Review logs from Splunk, access.log etc
23 | 
24 | ## Active:	
25 | - [ ] Append .old or .bak to files	
26 | - [ ] Run Nikto	
27 | - [ ] If possible, ask for file system access to view directories of web server	
28 |   *	If not possible, run word lists against web server with things like .jsp, .aspx etc and then again with .bak, .txt, .old etc appended to the end of those	
29 | - [ ] Check for directory listing (dirb should note this)	
30 | - [ ] Test HTTP Options, use arbitrary method names to attempt to bypass authentication pages	
31 | - [ ] Verify HSTS (HTTP Strict Transport Security)	
32 |   *	Look for Strict-Transport-Security header	
33 | - [ ] Check for crossdomain.xml and clientaccesspolicy.xml for overly permissive rules.	
34 | - [ ] Request or build a user roles vs permissions matrix	
35 | - [ ] Check user registration for alignment with business policies.	
36 |   * Can users register for different roles?	
37 |   * Can the same user register multiple times?	
38 |   * Can user info be manipulated on creation?	
39 | - [ ] Verify that only admins can provision accounts. 	
40 |   * Test for indirect resources etc.	
41 | - [ ] Check for messages upon failed logins, can an attacker enumerate usernames?	
42 | - [ ] Possible enumerate by URI probing	
43 | - [ ] Possible enumerate by forgot password function	
44 | - [ ] Test for default credentials.	
45 | - [ ] Check for account lock out mechanisms	
46 | - [ ] Check site map with no authentication vs authenticated. See if any internal pages are reachable through forced browsing.	
47 |   * Replay adduser requests etc as non-authenticated user and low priv user and verify whether or not the new user was created.	
48 |   * Check for privilege escalation this way as well.	
49 | - [ ] Check session cookie randomness.	
50 | - [ ] If any pages have sensitive information, check for no-cache directive	
51 | - [ ] Check password policy	
52 | - [ ] Check reset password functionality.	
53 |   * Make sure it requires previous password or information required is secret.	
54 | - [ ] Test for directory traversal in URI parameters and in cookies	
55 |   * Use Burp or dotdotpwn	
56 | - [ ] Test for session fixation. Does cookie change upon login? What about logout?	
57 | - [ ] Verify no session tokens are transmitted outside of the header	
58 | - [ ] Verify tokens are sent via https when making an http request	
59 | - [ ] Verify anti-CSRF functions are on sensitive pages.	
60 | - [ ] Check for XSS	
61 |   * Reflected	
62 |   * Stored	
63 |   * DOM	
64 | - [ ] Submit multiple URL parameters with the same name and investigate output.	
65 | - [ ] Make a list of all parameters that make use of SQL Queries and test for SQL injection	
66 | - [ ] Test for LDAP Injection	
67 |   * Look at Testing Guide for example	
68 | - [ ] Test for XML Injection	
69 | - [ ] Test for SSI Injection	
70 |   * In headers: <!--#include virtual=”/etc/passwd” -->	
71 | - [ ] Test for XPath Injection.	
72 | - [ ] Test for IMAP/SMTP Injection. 	
73 | - [ ] Test for code injection/command injection/LFI/RFI	
74 | - [ ] Test upload for malicious files	
75 | - [ ] Check URL redirects	
76 | - [ ] Decompile .swf and other client side scripts.	
77 | 
78 | **O. W. A. S. P., “OWASP Testing Guide v4 Table of Contents,” OWASP Testing Guide v4. [Online]. Available: https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents. [Accessed: 16-Jun-2017].**
79 | 


--------------------------------------------------------------------------------