OWASP Checklist

Spiders, Robots and Crawlers    IG-

Search Engine Discovery/Reconnaissance    IG-

Identify application entry points    IG-

Testing for Web Application Fingerprint    IG-

Application Discovery    IG-

Analysis of Error Codes    IG-

SSL/TLS Testing (SSL Version, Algorithms, Key length, Digital Cert. Validity) - SSL Weakness    CM‐

DB Listener Testing - DB Listener weak    CM‐

Infrastructure Configuration Management Testing - Infrastructure Configuration management weakness    CM‐

Application Configuration Management Testing - Application Configuration management weakness    CM‐

Testing for File Extensions Handling - File extensions handling    CM‐

Old, backup and unreferenced files - Old, backup and unreferenced files    CM‐

Infrastructure and Application Admin Interfaces - Access to Admin interfaces    CM‐

Testing for HTTP Methods and XST - HTTP Methods enabled, XST permitted, HTTP Verb    CM‐

Credentials transport over an encrypted channel - Credentials transport over an encrypted channel    AT-

Testing for user enumeration - User enumeration    AT-

Testing for Guessable (Dictionary) User Account - Guessable user account    AT-

Brute Force Testing - Credentials Brute forcing    AT-

Testing for bypassing authentication schema - Bypassing authentication schema    AT-

Testing for vulnerable remember password and pwd reset - Vulnerable remember password, weak pwd reset    AT-

Testing for Logout and Browser Cache Management - - Logout function not properly implemented, browser cache weakness    AT-

Testing for CAPTCHA - Weak Captcha implementation    AT-

Testing Multiple Factors Authentication - Weak Multiple Factors Authentication    AT-

Testing for Race Conditions - Race Conditions vulnerability    AT-

Testing for Session Management Schema - Bypassing Session Management Schema, Weak Session Token    SM-

Testing for Cookies attributes - Cookies are set not ‘HTTP Only’, ‘Secure’, and no time validity    SM-

Testing for Session Fixation - Session Fixation    SM-

Testing for Exposed Session Variables - Exposed sensitive session variables    SM-

Testing for CSRF - CSRF    SM-

Testing for Path Traversal - Path Traversal    AZ-

Testing for bypassing authorization schema - Bypassing authorization schema    AZ-

Testing for Privilege Escalation - Privilege Escalation    AZ-

Testing for Business Logic - Bypassable business logic    BL-

Testing for Reflected Cross Site Scripting - Reflected XSS    DV-

Testing for Stored Cross Site Scripting - Stored XSS    DV-

Testing for DOM based Cross Site Scripting - DOM XSS    DV-

Testing for Cross Site Flashing - Cross Site Flashing    DV-

SQL Injection - SQL Injection    DV-

LDAP Injection - LDAP Injection    DV-

ORM Injection - ORM Injection    DV-

XML Injection - XML Injection    DV-

SSI Injection - SSI Injection    DV-

XPath Injection - XPath Injection    DV-

IMAP/SMTP Injection - IMAP/SMTP Injection    DV-

Code Injection - Code Injection    DV-

OS Commanding - OS Commanding    DV-

Buffer overflow - Buffer overflow    DV-

Incubated vulnerability - Incubated vulnerability    DV-

Testing for HTTP Splitting/Smuggling - HTTP Splitting, Smuggling    DV-

Testing for SQL Wildcard Attacks - SQL Wildcard vulnerability    DS-

Locking Customer Accounts - Locking Customer Accounts    DS-

Testing for DoS Buffer Overflows - Buffer Overflows    DS-

User Specified Object Allocation - User Specified Object Allocation    DS-

User Input as a Loop Counter - User Input as a Loop Counter    DS-

Writing User Provided Data to Disk - Writing User Provided Data to Disk    DS-

Failure to Release Resources - Failure to Release Resources    DS-

Storing too Much Data in Session - Storing too Much Data in Session    DS-

WS Information Gathering - N.A.    WS-

Testing WSDL - WSDL Weakness    WS-

XML Structural Testing - Weak XML Structure    WS-

XML content-level Testing - XML content-level    WS-

HTTP GET parameters/REST Testing - WS HTTP GET parameters/REST    WS-

Naughty SOAP attachments - WS Naughty SOAP attachments    WS-

Replay Testing - WS Replay Testing    WS-

AJAX Vulnerabilities - N.A.    AJ-

AJAX Testing - AJAX weakness    AJ-

Check Tools

Wikto

Nikto

Paros

TamperIE

Nessus

Nmap

Wget

SamSpade

Spike Proxy

Xenu

Curl

OpenSSL

BURP Proxy

SSLDigger

HTTrack

HTTPrint

Webscarab

Foundstone Cookie Digger

安全体系建设-OWASP的更多相关文章

  1. Atitit 项目中的勋章体系,,mvp建设 ,荣典体系建设

    Atitit 项目中的勋章体系,,mvp建设 ,荣典体系建设 1. 荣典体系的标准1 2. 勋章称号1 2.1.1. 授予标准1 3. 政出多门  统一的荣誉制度 2 3.1. 法则规定2 3.2. ...

  2. Hi,这有一份风控体系建设干货

    互联网.移动互联网.云计算.大数据.人工智能.物联网.区块链等技术已经在人类经济生活中扮演越来越重要的角色,技术给人类带来各种便利的同时,很多企业也饱受"硬币"另一面的伤害,并且形 ...

  3. 如何推进企业流程体系建设?_K2 BPM

    推进全集团统一的流程体系为什么比想象的难? 很多企业在推进全集团的流程管理过程中,经常会有一种“望山跑死马”的感觉.“各成员公司都建立起与集团公司统一的流程管理体系”,看似很简单一件事情,但没有经过良 ...

  4. Atitit 快速开发体系建设路线图

    Atitit 快速开发体系建设路线图 1.1. 项目类型划分 哑铃型 橄榄型  直板型(可以立即实行)1 1.2. 解决方案知识库 最佳实践库 最佳流程优化(已成,需要一些整理)2 1.3. 功能模板 ...

  5. Atitit 提升效率 界面gui方面的前后端分离与cbb体系建设 规范与推荐标准

    Atitit 提升效率 界面gui方面的前后端分离与cbb体系建设 规范与推荐标准 1. 界面gui方面的前后端分离重大意义1 2. 业务逻辑也适当的迁移js化1 3. 常用分离方法2 3.1. 页面 ...

  6. 民生银行十五年的数据体系建设,深入解读阿拉丁大数据生态圈、人人BI 是如何养成的?【转】

    早在今年的上半年我应邀参加了由 Smartbi 主办的一个小型数据分析交流活动,在活动现场第一次了解到了民生银行的阿拉丁项目.由于时间关系,嘉宾现场分享的内容非常有限.凭着多年对行业研究和对解决方案的 ...

  7. 地图POI类别标签体系建设实践

    导读 POI是“Point of interest”的缩写,中文可以翻译为“兴趣点”.在地图上,一个POI可以是一栋房子.一个商铺.一个公交站.一个湖泊.一条道路等.在地图搜索场景,POI是检索对象, ...

  8. 质量保障&&质量体系建设

    一.质量保障 先引用一段 百度百科 上对软件质量保障的解释:软件质量保障是建立一套有计划,系统的方法,来向管理层保证拟定出的标准.步骤.实践和方法能够正确地被项目所采用.软件质量保证的目的是使软件过程 ...

  9. FUNMVP:5G技术对块链信任体系建设的影响

    01 区块链现阶段应用在于概念证明 12月10日,工信部向三大运营商正式发放了5G系统实验频率运用允许,这让区块链从业者开端思索5G技术与区块链分别的可能性.在互联网的基础上依据区块链的特性完成价值的 ...

随机推荐

  1. 洛谷P1095守望者的逃离题解-伪动态规划/贪心

    链接 题目描述 恶魔猎手尤迪安野心勃勃,他背叛了暗夜精灵,率领深藏在海底的娜迦族企图叛变.守望者在与尤迪安的交锋中遭遇了围杀,被困在一个荒芜的大岛上.为了杀死守望者,尤迪安开始对这个荒岛施咒,这座岛很 ...

  2. java _static 关键字

    • 在类中,用static声明的成员变量为静态成员变量 ,或者叫做: 类属性,类变量. • 它为该类的公用变量,属于类,被该类的所有实例共享,在类被载入时被显式初始化, • 对于该类的所有对象来说,s ...

  3. 解决pip源问题 安装不了第三方库问题

    1. 参考链接: https://www.biaodianfu.com/python-pip.html http://blog.csdn.net/u012450329/article/details/ ...

  4. java 中的引用类型

    GC基本原理 GC (Garbage Collection)的基本原理:将内存中不再被使用的对象进行回收,GC中用于回收的方法称为收集器,由于GC需要消耗一些资源和时间,Java在对对象的生命周期特征 ...

  5. hdu 4651 Partition(整数拆分+五边形数)

    Partition Time Limit: 6000/3000 MS (Java/Others)    Memory Limit: 32768/32768 K (Java/Others) Total ...

  6. 安装phpredis扩展以及phpRedisAdmin工具

    先从phpredis的git拿到最新的源码包:wget https://github.com/nicolasff/phpredis/archive/master.tar.gz 然后解压到进入目录:ta ...

  7. docker中pull镜像,报错 pull access denied for ubantu, repository does not exist or may require 'docker login'

    报错说明:拒绝获取ubantu,  仓库不存在或者需要登录docker 1.先尝试注册docker 2.在拉镜像前,先登录docker, 命令:docker  login 3.然后执行 docker ...

  8. 怎么在tensorflow中打印graph中的tensor信息

    from tensorflow.python import pywrap_tensorflow import os checkpoint_path=os.path.join('./model.ckpt ...

  9. HttpClientUtil工具类封装

    package com.jd.ng.shiro.utils; import org.apache.http.HttpEntity; import org.apache.http.HttpStatus; ...

  10. linux命令学习记录

    1.查看目录和文件大小 du -sh ./* du -sh * | sort -nr 这个排序不正常都是因为-h参数的原因 du -s * | sort -nr | head 选出排在前面的10个 d ...