安全体系建设-OWASP

OWASP Checklist

Spiders, Robots and Crawlers    IG-

Search Engine Discovery/Reconnaissance    IG-

Identify application entry points    IG-

Testing for Web Application Fingerprint    IG-

Application Discovery    IG-

Analysis of Error Codes    IG-

SSL/TLS Testing (SSL Version, Algorithms, Key length, Digital Cert. Validity) - SSL Weakness    CM‐

DB Listener Testing - DB Listener weak    CM‐

Infrastructure Configuration Management Testing - Infrastructure Configuration management weakness    CM‐

Application Configuration Management Testing - Application Configuration management weakness    CM‐

Testing for File Extensions Handling - File extensions handling    CM‐

Old, backup and unreferenced files - Old, backup and unreferenced files    CM‐

Infrastructure and Application Admin Interfaces - Access to Admin interfaces    CM‐

Testing for HTTP Methods and XST - HTTP Methods enabled, XST permitted, HTTP Verb    CM‐

Credentials transport over an encrypted channel - Credentials transport over an encrypted channel    AT-

Testing for user enumeration - User enumeration    AT-

Testing for Guessable (Dictionary) User Account - Guessable user account    AT-

Brute Force Testing - Credentials Brute forcing    AT-

Testing for bypassing authentication schema - Bypassing authentication schema    AT-

Testing for vulnerable remember password and pwd reset - Vulnerable remember password, weak pwd reset    AT-

Testing for Logout and Browser Cache Management - - Logout function not properly implemented, browser cache weakness    AT-

Testing for CAPTCHA - Weak Captcha implementation    AT-

Testing Multiple Factors Authentication - Weak Multiple Factors Authentication    AT-

Testing for Race Conditions - Race Conditions vulnerability    AT-

Testing for Session Management Schema - Bypassing Session Management Schema, Weak Session Token    SM-

Testing for Cookies attributes - Cookies are set not ‘HTTP Only’, ‘Secure’, and no time validity    SM-

Testing for Session Fixation - Session Fixation    SM-

Testing for Exposed Session Variables - Exposed sensitive session variables    SM-

Testing for CSRF - CSRF    SM-

Testing for Path Traversal - Path Traversal    AZ-

Testing for bypassing authorization schema - Bypassing authorization schema    AZ-

Testing for Privilege Escalation - Privilege Escalation    AZ-

Testing for Business Logic - Bypassable business logic    BL-

Testing for Reflected Cross Site Scripting - Reflected XSS    DV-

Testing for Stored Cross Site Scripting - Stored XSS    DV-

Testing for DOM based Cross Site Scripting - DOM XSS    DV-

Testing for Cross Site Flashing - Cross Site Flashing    DV-

SQL Injection - SQL Injection    DV-

LDAP Injection - LDAP Injection    DV-

ORM Injection - ORM Injection    DV-

XML Injection - XML Injection    DV-

SSI Injection - SSI Injection    DV-

XPath Injection - XPath Injection    DV-

IMAP/SMTP Injection - IMAP/SMTP Injection    DV-

Code Injection - Code Injection    DV-

OS Commanding - OS Commanding    DV-

Buffer overflow - Buffer overflow    DV-

Incubated vulnerability - Incubated vulnerability    DV-

Testing for HTTP Splitting/Smuggling - HTTP Splitting, Smuggling    DV-

Testing for SQL Wildcard Attacks - SQL Wildcard vulnerability    DS-

Locking Customer Accounts - Locking Customer Accounts    DS-

Testing for DoS Buffer Overflows - Buffer Overflows    DS-

User Specified Object Allocation - User Specified Object Allocation    DS-

User Input as a Loop Counter - User Input as a Loop Counter    DS-

Writing User Provided Data to Disk - Writing User Provided Data to Disk    DS-

Failure to Release Resources - Failure to Release Resources    DS-

Storing too Much Data in Session - Storing too Much Data in Session    DS-

WS Information Gathering - N.A.    WS-

Testing WSDL - WSDL Weakness    WS-

XML Structural Testing - Weak XML Structure    WS-

XML content-level Testing - XML content-level    WS-

HTTP GET parameters/REST Testing - WS HTTP GET parameters/REST    WS-

Naughty SOAP attachments - WS Naughty SOAP attachments    WS-

Replay Testing - WS Replay Testing    WS-

AJAX Vulnerabilities - N.A.    AJ-

AJAX Testing - AJAX weakness    AJ-

Check Tools

Wikto

Nikto

Paros

TamperIE

Nessus

Nmap

Wget

SamSpade

Spike Proxy

Xenu

Curl

OpenSSL

BURP Proxy

SSLDigger

HTTrack

HTTPrint

Webscarab

Foundstone Cookie Digger

安全体系建设-OWASP的更多相关文章

Atitit 项目中的勋章体系，，mvp建设，荣典体系建设
Atitit 项目中的勋章体系,,mvp建设 ,荣典体系建设 1. 荣典体系的标准1 2. 勋章称号1 2.1.1. 授予标准1 3. 政出多门统一的荣誉制度 2 3.1. 法则规定2 3.2. ...
Hi，这有一份风控体系建设干货
互联网.移动互联网.云计算.大数据.人工智能.物联网.区块链等技术已经在人类经济生活中扮演越来越重要的角色,技术给人类带来各种便利的同时,很多企业也饱受"硬币"另一面的伤害,并且形 ...
如何推进企业流程体系建设？_K2 BPM
推进全集团统一的流程体系为什么比想象的难? 很多企业在推进全集团的流程管理过程中,经常会有一种“望山跑死马”的感觉.“各成员公司都建立起与集团公司统一的流程管理体系”,看似很简单一件事情,但没有经过良 ...
Atitit 快速开发体系建设路线图
Atitit 快速开发体系建设路线图 1.1. 项目类型划分哑铃型橄榄型直板型(可以立即实行)1 1.2. 解决方案知识库最佳实践库最佳流程优化(已成,需要一些整理)2 1.3. 功能模板 ...
Atitit 提升效率界面gui方面的前后端分离与cbb体系建设规范与推荐标准
Atitit 提升效率界面gui方面的前后端分离与cbb体系建设规范与推荐标准 1. 界面gui方面的前后端分离重大意义1 2. 业务逻辑也适当的迁移js化1 3. 常用分离方法2 3.1. 页面 ...
民生银行十五年的数据体系建设，深入解读阿拉丁大数据生态圈、人人BI 是如何养成的？【转】
早在今年的上半年我应邀参加了由 Smartbi 主办的一个小型数据分析交流活动,在活动现场第一次了解到了民生银行的阿拉丁项目.由于时间关系,嘉宾现场分享的内容非常有限.凭着多年对行业研究和对解决方案的 ...
地图POI类别标签体系建设实践
导读 POI是“Point of interest”的缩写,中文可以翻译为“兴趣点”.在地图上,一个POI可以是一栋房子.一个商铺.一个公交站.一个湖泊.一条道路等.在地图搜索场景,POI是检索对象, ...
质量保障&&质量体系建设
一.质量保障先引用一段百度百科上对软件质量保障的解释:软件质量保障是建立一套有计划,系统的方法,来向管理层保证拟定出的标准.步骤.实践和方法能够正确地被项目所采用.软件质量保证的目的是使软件过程 ...
FUNMVP：5G技术对块链信任体系建设的影响
01 区块链现阶段应用在于概念证明 12月10日,工信部向三大运营商正式发放了5G系统实验频率运用允许,这让区块链从业者开端思索5G技术与区块链分别的可能性.在互联网的基础上依据区块链的特性完成价值的 ...

随机推荐

sde自动备份到文件gdb
本方法原理是使用python(以下简称py)调用arcmap的gp,在上再用bat调用py的方式实现.优点是能应用于所有数据库类型(包括pg,oracle等)的sde库环境:arcmap 10.4, ...
12-jQuery获取相关尺寸
# 相关尺寸 **获取元素相对于文档的偏移量** > var pos = $('#small').offset(); >> // console.log(pos.left);// c ...
java 中Shallow Heap与Retained Heap的区别
Shallow Size Shallow Size是对象本身占据的内存的大小,不包含其引用的对象.对于常规对象(非数组)的Shallow Size由其成员变量的数量和类型来定,而数组的ShallowS ...
【转载】JDK8 特性 stream(),lambda表达式，
Stream()表达式虽然大部分情况下stream是容器调用Collection.stream()方法得到的,但stream和collections有以下不同: 无存储.stream不是一种数据结构 ...
CentOS 系统开启防火墙，屏蔽IP，解决DDOS攻击
刚才发现网站特别慢,然后看了一下服务器状态 CPU 负载100%. 然后看了下网络,发现一个IP一直在请求本服务器的 443 端口,就是本站. 然后在终端通过 iftop 命令(一个流量健康软件,如果 ...
hadoop HA + HBase HA搭建：
hadoop HA搭建参考:https://www.cnblogs.com/NGames/p/11083640.html (本节:用不到YARN 所以可以不用考虑部署YARN部分) Hadoop 使用 ...
basename 显示文件名或目录名
1. 命令功能 basename 显示文件名或目录名,不显示文件的全路径文件名 2. 语法格式 basename 文件路径名 3. 使用范例 [root@localhost data]# basen ...
vue2.0 通信
一.父子组件通信父组件通过 props 向下传递数据给子组件,子组件通过 events 给父组件发送消息具体机制如下图: 1.父组件传递数据给子组件 ( parent ==> child ...
Oracle Internals Notes Redo Write Triggers
There are four conditions that cause LGWR to perform a redo write. When LGWR is idle, it sleeps on a ...
Centos7.5中的SElinux操作命令说明
设置Selinux模式 setenforce 0 0表示警告模式 1表示强制模式关闭要设置/etc/sysconfig/selinux下将"SELINUX=enforcing"改 ...

安全体系建设-OWASP

安全体系建设-OWASP的更多相关文章

随机推荐

热门专题