OWASP Testing and Assessment Guides

Testing Methodology Overview

Test Planning and Preparation

Test Execution Guidelines

Results Documentation

Conduct Search Engine Discovery

Fingerprint Web Server

Review Webserver Metafiles

Enumerate Applications on Webserver

Review Webpage Comments and Metadata

Identify Application Entry Points

Map Execution Paths Through Application

Fingerprint Web Application Framework

Fingerprint Web Application

Map Application Architecture

Test Network Infrastructure Configuration

Test Application Platform Configuration

Test File Extensions Handling

Review Old Backup and Unreferenced Files

Enumerate Infrastructure and Application Admin Interfaces

Test HTTP Methods

Test HTTP Strict Transport Security

Test RIA Cross Domain Policy

Test File Permission

Test for Subdomain Takeover

Test Cloud Storage

Test Role Definitions

Test User Registration Process

Test Account Provisioning Process

Test Account Enumeration and Guessable User Account

Test Weak or Unenforced Username Policy

Test for Credentials Transported over Encrypted Channel

Test for Default Credentials

Test for Weak Lock Out Mechanism

Test for Bypassing Authentication Schema

Test for Vulnerable Remember Password

Test for Browser Cache Weaknesses

Test for Weak Password Policy

Test for Weak Security Question Answer

Test for Weak Password Change or Reset Functionalities

Test for Weaker Authentication in Alternative Channel

Test Directory Traversal File Include

Test for Bypassing Authorization Schema

Test for Privilege Escalation

Test for Insecure Direct Object References

Test for Session Management Schema

Test for Cookies Attributes

Test for Session Fixation

Test for Exposed Session Variables

Test for Cross Site Request Forgery

Test for Logout Functionality

Test Session Timeout

Test for Session Puzzling

Test for Session Hijacking

Test for Reflected Cross Site Scripting

Test for Stored Cross Site Scripting

Test for HTTP Verb Tampering

Test for HTTP Parameter Pollution

Test for SQL Injection

Test for LDAP Injection

Test for XML Injection

Test for SSI Injection

Test for XPath Injection

Test for IMAP SMTP Injection

Test for Code Injection

Test for Command Injection

Test for Format String Injection

Test for Incubated Vulnerability

Test for HTTP Splitting Smuggling

Test for HTTP Incoming Requests

Test for Host Header Injection

Test for Server Side Template Injection

Test for Improper Error Handling

Test for Stack Traces

Test for Weak Transport Layer Security

Test for Padding Oracle

Test for Sensitive Information Sent via Unencrypted Channels

Test for Weak Encryption

Test Business Logic Data Validation

Test for Forged Requests

Test for Integrity Checks

Test for Process Timing

Test Number of Times a Function Can Be Used Limits

Test for Circumvention of Work Flows

Test Defenses Against Application Misuse

Test for Upload of Unexpected File Types

Test for Upload of Malicious Files

Test for DOM Based Cross Site Scripting

Test for JavaScript Execution

Test for HTML Injection

Test for Client Side URL Redirect

Test for CSS Injection

Test for Client Side Resource Manipulation

Test Cross Origin Resource Sharing

Test for Cross Site Flashing

Test for Clickjacking

Test WebSockets

Test Web Messaging

Test Browser Storage

Test for Cross Site Script Inclusion

Mobile Application Security Model

Mobile Application Taxonomies

Mobile Application Security Testing

Mobile Application Security Testing

Tampering and Reverse Engineering

Testing Code Quality

Testing Cryptography

Testing Authentication and Session Management

Testing Network Communication

Testing Platform Interaction

Testing User Privacy Protection

Platform Overview

Android Security Testing Basics

Data Storage on Android

Android Cryptographic APIs

Local Authentication on Android

Android Network Communication

Android Platform APIs

Code Quality and Build Settings for Android Apps

Tampering and Reverse Engineering on Android

Android Anti-Reversing Defenses

Platform Overview

iOS Security Testing Basics

Data Storage on iOS

iOS Cryptographic APIs

Local Authentication on iOS

iOS Network Communication

iOS Platform APIs

Code Quality and Build Settings for iOS Apps

Tampering and Reverse Engineering on iOS

iOS Anti-Reversing Defenses

API Security Landscape

Common API Vulnerabilities

API Testing Methodology

Authentication Testing

Authorization Testing

Input Validation Testing

Error Handling Testing

Query Complexity Analysis

Authorization Testing

Information Disclosure Testing

XML Security Testing

WS-Security Testing

Schema Validation Testing