├── OWASP_Web_Application_Testing_Cheat_Sheet.xml
├── README.md
└── convert-cheat-sheet-to-dradis-pro.rb

/OWASP_Web_Application_Testing_Cheat_Sheet.xml:
--------------------------------------------------------------------------------
<!-- element names were stripped on this page; they are restored here to the Dradis methodology format (methodology/name/sections/section/name/tasks/task) that the converter script emits -->
<methodology>
<name>OWASP Web Application Testing Cheat Sheet</name>
<sections>
<section>
<name>Information Gathering</name>
<tasks>
<task>Manually explore the site</task>
<task>Spider</task>
<task>Check for files that expose content</task>
<task>Check the caches of major search engines for publicly accessible sites</task>
<task>Check for differences in content based on User Agent</task>
<task>Perform Web Application Fingerprinting</task>
<task>Identify technologies used</task>
<task>Identify user roles</task>
<task>Identify application entry points</task>
<task>Identify client-side code</task>
<task>Identify multiple versions</task>
<task>Identify co-hosted and related applications</task>
<task>Identify all hostnames and ports</task>
<task>Identify third-party hosted content</task>
</tasks>
</section>
<section>
<name>Configuration Management</name>
<tasks>
<task>Check for commonly used application and administrative URLs</task>
<task>Check for old</task>
<task>Check HTTP methods supported and Cross Site Tracing</task>
<task>Test file extensions handling</task>
<task>Test for security HTTP headers</task>
<task>Test for policies</task>
<task>Test for non-production data in live environment</task>
<task>Check for sensitive data in client-side code</task>
</tasks>
</section>
<section>
<name>Secure Transmission</name>
<tasks>
<task>Check SSL Version</task>
<task>Check for Digital Certificate Validity</task>
<task>Check credentials only delivered over HTTPS</task>
<task>Check session tokens only delivered over HTTPS</task>
<task>Check if HTTP Strict Transport Security</task>
</tasks>
</section>
<section>
<name>Authentication</name>
<tasks>
<task>Test for user enumeration</task>
<task>Test for authentication bypass</task>
<task>Test for bruteforce protection</task>
<task>Test password quality rules</task>
<task>Test remember me functionality</task>
<task>Test for autocomplete on password forms</task>
<task>Test password reset and</task>
<task>Test password change process</task>
<task>Test CAPTCHA</task>
<task>Test multi factor authentication</task>
<task>Test for logout functionality presence</task>
<task>Test for cache management on HTTP</task>
<task>Test for default logins</task>
<task>Test for user-accessible authentication history</task>
<task>Test for out-of channel notification of account lockouts and successful password changes</task>
<task>Test for consistent authentication across applications with shared authentication schema</task>
</tasks>
</section>
<section>
<name>Session Management</name>
<tasks>
<task>Establish how session management is handled in the application</task>
<task>Check session tokens for cookie flags</task>
<task>Check session cookie scope</task>
<task>Check session cookie duration</task>
<task>Check session termination after a maximum lifetime</task>
<task>Check session termination after relative timeout</task>
<task>Check session termination after logout</task>
<task>Test to see if users can have multiple simultaneous sessions</task>
<task>Test session cookies for randomness</task>
<task>Confirm that new session tokens are issued on login</task>
<task>Test for consistent session management across applications with shared session management</task>
<task>Test for session puzzling</task>
<task>Test for CSRF and clickjacking</task>
</tasks>
</section>
<section>
<name>Authorization</name>
<tasks>
<task>Test for path traversal</task>
<task>Test for bypassing authorization schema</task>
<task>Test for vertical Access control problems</task>
<task>Test for horizontal Access control problems</task>
<task>Test for missing authorization</task>
</tasks>
</section>
<section>
<name>Data Validation</name>
<tasks>
<task>Test for Reflected Cross Site Scripting</task>
<task>Test for Stored Cross Site Scripting</task>
<task>Test for DOM based Cross Site Scripting</task>
<task>Test for Cross Site Flashing</task>
<task>Test for HTML Injection</task>
<task>Test for SQL Injection</task>
<task>Test for LDAP Injection</task>
<task>Test for ORM Injection</task>
<task>Test for XML Injection</task>
<task>Test for XXE Injection</task>
<task>Test for SSI Injection</task>
<task>Test for XPath Injection</task>
<task>Test for XQuery Injection</task>
<task>Test for IMAP</task>
<task>Test for Code Injection</task>
<task>Test for Command Injection</task>
<task>Test for Overflow</task>
<task>Test for Format String</task>
<task>Test for incubated vulnerabilities</task>
<task>Test for HTTP Splitting</task>
<task>Test for HTTP Verb Tampering</task>
<task>Test for Open Redirection</task>
<task>Test for Local File Inclusion</task>
<task>Test for Remote File Inclusion</task>
<task>Compare client-side and server-side validation rules</task>
<task>Test for NoSQL injection</task>
<task>Test for HTTP parameter pollution</task>
<task>Test for auto-binding</task>
</tasks>
</section>
<section>
<name>Denial of Service</name>
<tasks>
<task>Test for anti-automation</task>
<task>Test for account lockout</task>
<task>Test for HTTP protocol DoS</task>
</tasks>
</section>
<section>
<name>Business Logic</name>
<tasks>
<task>Test for feature misuse</task>
<task>Test for lack of non-repudiation</task>
<task>Test for trust relationships</task>
<task>Test for integrity of data</task>
<task>Test segregation of duties</task>
</tasks>
</section>
<section>
<name>Cryptography</name>
<tasks>
<task>Check if data which should be encrypted is not</task>
<task>Check for wrong algorithms usage depending on context</task>
<task>Check for weak algorithms usage</task>
<task>Check for proper use of salting</task>
<task>Check for randomness functions</task>
</tasks>
</section>
<section>
<name>Risky Functionality - File Uploads</name>
<tasks>
<task>Test that acceptable file types are whitelisted</task>
<task>Test that file size limits</task>
<task>Test that file contents match the defined file type</task>
<task>Test that all file uploads have Anti-Virus scanning in-place</task>
<task>Test that unsafe filenames are sanitised</task>
<task>Test that uploaded files are not directly accessible within the web root</task>
<task>Test that uploaded files are not served on the same hostname</task>
<task>Test that files and other media are integrated with the authentication and authorisation schemas</task>
</tasks>
</section>
<section>
<name>Risky Functionality - Card Payment</name>
<tasks>
<task>Test whether card number are stored</task>
<task>TBC</task>
</tasks>
</section>
<section>
<name>HTML 5</name>
<tasks>
<task>Test Web Messaging</task>
<task>Test for Web Storage SQL injection</task>
</tasks>
</section>
</sections>
</methodology>
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
OWASP_Web_App_Testing_Cheatsheet_Converter
==========================================

OWASP Web Application Testing Cheat Sheet converted to tool formats
--------------------------------------------------------------------------------

/convert-cheat-sheet-to-dradis-pro.rb:
--------------------------------------------------------------------------------
#!/usr/bin/env ruby
# Convert the OWASP Web Application Testing Cheat Sheet from its wiki markup
# ("==Section==" headings, "* check" bullets) into a Dradis Pro methodology
# XML file. The element names written below follow the Dradis methodology
# format (methodology/name/sections/section/name/tasks/task); the tags were
# stripped on this page, so that mapping is assumed.
require 'cgi'

if ARGV.empty?
  puts "The syntax is convert-cheat-sheet-to-dradis-pro.rb <input file>"
  exit 1
end

# The cheat sheet is only read, so open it read-only (the original used 'r+'
# and never closed the handle).
input_lines = File.readlines(ARGV[0])

output_file = File.new('OWASP_Web_Application_Testing_Cheat_Sheet.xml', 'w')

# Escape &, <, > and quotes so a check text cannot break the generated XML.
def xml_escape(text)
  CGI.escapeHTML(text)
end

output_file.puts '<methodology>'
output_file.puts '<name>OWASP Web Application Testing Cheat Sheet</name>'
output_file.puts '<sections>'

first_section = true
input_lines.each do |line|
  # Section heading: "==Title==". The original character class
  # [a-zA-Z0-9\-\_ ] cut text short at the first comma, slash or parenthesis
  # (the generated file shows "Check for old" and "Test for IMAP"), so take
  # everything between the '==' markers instead.
  if (m = line.match(/\A==\s*(.+?)\s*==\s*\z/))
    title = xml_escape(m[1])
    if first_section
      first_section = false
      output_file.puts "<section>\n<name>#{title}</name>\n<tasks>"
    else
      output_file.puts "</tasks>\n</section>\n<section>\n<name>#{title}</name>\n<tasks>"
    end
  end

  # Check item: "* Check description" becomes one task.
  if (m = line.match(/\A\*\s*(.+?)\s*\z/))
    output_file.puts "<task>#{xml_escape(m[1])}</task>"
  end
end

# Close the last open section only if one was opened.
output_file.puts "</tasks>\n</section>" unless first_section
output_file.puts '</sections>'
output_file.puts '</methodology>'
output_file.close
--------------------------------------------------------------------------------