OWASP Checklist

Spiders, Robots and Crawlers    IG-
Search Engine Discovery/Reconnaissance IG-
Identify application entry points IG-
Testing for Web Application Fingerprint IG-
Application Discovery IG-
Analysis of Error Codes IG-
SSL/TLS Testing (SSL Version, Algorithms, Key length, Digital Cert. Validity) - SSL Weakness CM-
DB Listener Testing - DB Listener weak CM-
Infrastructure Configuration Management Testing - Infrastructure Configuration management weakness CM-
Application Configuration Management Testing - Application Configuration management weakness CM-
Testing for File Extensions Handling - File extensions handling CM-
Old, backup and unreferenced files - Old, backup and unreferenced files CM-
Infrastructure and Application Admin Interfaces - Access to Admin interfaces CM-
Testing for HTTP Methods and XST - HTTP Methods enabled, XST permitted, HTTP Verb CM-
Credentials transport over an encrypted channel - Credentials transport over an encrypted channel AT-
Testing for user enumeration - User enumeration AT-
Testing for Guessable (Dictionary) User Account - Guessable user account AT-
Brute Force Testing - Credentials Brute forcing AT-
Testing for bypassing authentication schema - Bypassing authentication schema AT-
Testing for vulnerable remember password and pwd reset - Vulnerable remember password, weak pwd reset AT-
Testing for Logout and Browser Cache Management - Logout function not properly implemented, browser cache weakness AT-
Testing for CAPTCHA - Weak Captcha implementation AT-
Testing Multiple Factors Authentication - Weak Multiple Factors Authentication AT-
Testing for Race Conditions - Race Conditions vulnerability AT-
Testing for Session Management Schema - Bypassing Session Management Schema, Weak Session Token SM-
Testing for Cookies attributes - Cookies set without the 'HttpOnly' or 'Secure' attributes, or with no expiry SM-
Testing for Session Fixation - Session Fixation SM-
Testing for Exposed Session Variables - Exposed sensitive session variables SM-
Testing for CSRF - CSRF SM-
Testing for Path Traversal - Path Traversal AZ-
Testing for bypassing authorization schema - Bypassing authorization schema AZ-
Testing for Privilege Escalation - Privilege Escalation AZ-
Testing for Business Logic - Bypassable business logic BL-
Testing for Reflected Cross Site Scripting - Reflected XSS DV-
Testing for Stored Cross Site Scripting - Stored XSS DV-
Testing for DOM based Cross Site Scripting - DOM XSS DV-
Testing for Cross Site Flashing - Cross Site Flashing DV-
SQL Injection - SQL Injection DV-
LDAP Injection - LDAP Injection DV-
ORM Injection - ORM Injection DV-
XML Injection - XML Injection DV-
SSI Injection - SSI Injection DV-
XPath Injection - XPath Injection DV-
IMAP/SMTP Injection - IMAP/SMTP Injection DV-
Code Injection - Code Injection DV-
OS Commanding - OS Commanding DV-
Buffer overflow - Buffer overflow DV-
Incubated vulnerability - Incubated vulnerability DV-
Testing for HTTP Splitting/Smuggling - HTTP Splitting, Smuggling DV-
Testing for SQL Wildcard Attacks - SQL Wildcard vulnerability DS-
Locking Customer Accounts - Locking Customer Accounts DS-
Testing for DoS Buffer Overflows - Buffer Overflows DS-
User Specified Object Allocation - User Specified Object Allocation DS-
User Input as a Loop Counter - User Input as a Loop Counter DS-
Writing User Provided Data to Disk - Writing User Provided Data to Disk DS-
Failure to Release Resources - Failure to Release Resources DS-
Storing too Much Data in Session - Storing too Much Data in Session DS-
WS Information Gathering - N.A. WS-
Testing WSDL - WSDL Weakness WS-
XML Structural Testing - Weak XML Structure WS-
XML content-level Testing - XML content-level WS-
HTTP GET parameters/REST Testing - WS HTTP GET parameters/REST WS-
Naughty SOAP attachments - WS Naughty SOAP attachments WS-
Replay Testing - WS Replay Testing WS-
AJAX Vulnerabilities - N.A. AJ-
AJAX Testing - AJAX weakness AJ-

Check Tools

Wikto
Nikto
Paros
TamperIE
Nessus
Nmap
Wget
SamSpade
Spike Proxy
Xenu
Curl
OpenSSL
BURP Proxy
SSLDigger
HTTrack
HTTPrint
Webscarab
Foundstone Cookie Digger
