
Security - OWASP (Open Web Application Security Project) - Mapping OWASP Top 10 (2010) against OWASP Testing Guide 3.0

^ Category ^ Testing Guide Ref. ^ Top 10 (2010) Ref. ^ Test Name ^ Vulnerability ^
| Information Gathering | OWASP-IG-001 | | Spiders, Robots and Crawlers | N.A. |
| | OWASP-IG-002 | | Search Engine Discovery/Reconnaissance | N.A. |
| | OWASP-IG-003 | | Identify application entry points | N.A. |
| | OWASP-IG-004 | | Testing for Web Application Fingerprint | N.A. |
| | OWASP-IG-005 | | Application Discovery | N.A. |
| | OWASP-IG-006 | | Analysis of Error Codes | Information Disclosure |
| Configuration Management Testing | OWASP-CM-001 | A9 | SSL/TLS Testing (SSL Version, Algorithms, Key length, Digital Cert. Validity) | SSL/TLS weakness |
| | OWASP-CM-002 | | DB Listener Testing | Weak DB Listener configuration |
| | OWASP-CM-003 | A6 | Infrastructure Configuration Management Testing | Infrastructure configuration management weakness |
| | OWASP-CM-004 | A6 | Application Configuration Management Testing | Application configuration management weakness |
| | OWASP-CM-005 | | Testing for File Extensions Handling | File extensions handling |
| | OWASP-CM-006 | | Old, backup and unreferenced files | Old, backup and unreferenced files |
| | OWASP-CM-007 | | Infrastructure and Application Admin Interfaces | Access to admin interfaces |
| | OWASP-CM-008 | | Testing for HTTP Methods and XST | Dangerous HTTP methods enabled, XST permitted, HTTP verb tampering |
| Authentication Testing | OWASP-AT-001 | A9 | Credentials transport over an encrypted channel | Credentials transported over an unencrypted channel |
| | OWASP-AT-002 | | Testing for user enumeration | User enumeration |
| | OWASP-AT-003 | | Testing for Guessable (Dictionary) User Account | Guessable user account |
| | OWASP-AT-004 | | Brute Force Testing | Credentials brute forcing |
| | OWASP-AT-005 | | Testing for bypassing authentication schema | Bypassing authentication schema |
| | OWASP-AT-006 | | Testing for vulnerable remember password and pwd reset | Vulnerable remember password, weak password reset |
| | OWASP-AT-007 | A3 | Testing for Logout and Browser Cache Management | Logout function not properly implemented, browser cache weakness |
| | OWASP-AT-008 | | Testing for CAPTCHA | Weak CAPTCHA implementation |
| | OWASP-AT-009 | | Testing Multiple Factors Authentication | Weak multiple-factor authentication |
| | OWASP-AT-010 | | Testing for Race Conditions | Race condition vulnerability |
| Session Management | OWASP-SM-001 | A3 | Testing for Session Management Schema | Bypassing session management schema, weak session token |
| | OWASP-SM-002 | A3 | Testing for Cookies attributes | Cookies set without the HttpOnly or Secure flags, or with no expiry |
| | OWASP-SM-003 | A3 | Testing for Session Fixation | Session fixation |
| | OWASP-SM-004 | A3 | Testing for Exposed Session Variables | Exposed sensitive session variables |
| | OWASP-SM-005 | A5 | Testing for CSRF | CSRF |
| Authorization Testing | OWASP-AZ-001 | A4 | Testing for Path Traversal | Path traversal |
| | OWASP-AZ-002 | A8 | Testing for bypassing authorization schema | Bypassing authorization schema |
| | OWASP-AZ-003 | | Testing for Privilege Escalation | Privilege escalation |
| Business Logic Testing | OWASP-BL-001 | | Testing for business logic | Bypassable business logic |
| Data Validation Testing | OWASP-DV-001 | A2 | Testing for Reflected Cross Site Scripting | Reflected XSS |
| | OWASP-DV-002 | A2 | Testing for Stored Cross Site Scripting | Stored XSS |
| | OWASP-DV-003 | A2 | Testing for DOM based Cross Site Scripting | DOM-based XSS |
| | OWASP-DV-004 | | Testing for Cross Site Flashing | Cross Site Flashing |
| | OWASP-DV-005 | A1 | SQL Injection | SQL injection |
| | OWASP-DV-006 | A1 | LDAP Injection | LDAP injection |
| | OWASP-DV-007 | A1 | ORM Injection | ORM injection |
| | OWASP-DV-008 | A1 | XML Injection | XML injection |
| | OWASP-DV-009 | A1 | SSI Injection | SSI injection |
| | OWASP-DV-010 | A1 | XPath Injection | XPath injection |
| | OWASP-DV-011 | A1 | IMAP/SMTP Injection | IMAP/SMTP injection |
| | OWASP-DV-012 | A1 | Code Injection | Code injection |
| | OWASP-DV-013 | | OS Commanding | OS command injection |
| | OWASP-DV-014 | | Buffer overflow | Buffer overflow |
| | OWASP-DV-015 | | Incubated vulnerability Testing | Incubated vulnerability |
| | OWASP-DV-016 | | Testing for HTTP Splitting/Smuggling | HTTP response splitting, HTTP request smuggling |
| Denial of Service Testing | OWASP-DS-001 | | Testing for SQL Wildcard Attacks | SQL wildcard vulnerability |
| | OWASP-DS-002 | | Locking Customer Accounts | Locking customer accounts |
| | OWASP-DS-003 | | Testing for DoS Buffer Overflows | Buffer overflows |
| | OWASP-DS-004 | | User Specified Object Allocation | User-specified object allocation |
| | OWASP-DS-005 | | User Input as a Loop Counter | User input as a loop counter |
| | OWASP-DS-006 | | Writing User Provided Data to Disk | Writing user-provided data to disk |
| | OWASP-DS-007 | | Failure to Release Resources | Failure to release resources |
| | OWASP-DS-008 | | Storing too Much Data in Session | Storing too much data in session |
| Web Services Testing | OWASP-WS-001 | | WS Information Gathering | N.A. |
| | OWASP-WS-002 | | Testing WSDL | WSDL weakness |
| | OWASP-WS-003 | | XML Structural Testing | Weak XML structure |
| | OWASP-WS-004 | | XML content-level Testing | XML content-level weakness |
| | OWASP-WS-005 | | HTTP GET parameters/REST Testing | WS HTTP GET parameters/REST weakness |
| | OWASP-WS-006 | | Naughty SOAP attachments | WS malicious SOAP attachments |
| | OWASP-WS-007 | | Replay Testing | WS replay |
| AJAX Testing | OWASP-AJ-001 | | AJAX Vulnerabilities | N.A. |
| | OWASP-AJ-002 | | AJAX Testing | AJAX weakness |

Top 10 (2010) reference key: A1 Injection, A2 Cross-Site Scripting (XSS), A3 Broken Authentication and Session Management, A4 Insecure Direct Object References, A5 Cross-Site Request Forgery (CSRF), A6 Security Misconfiguration, A7 Insecure Cryptographic Storage, A8 Failure to Restrict URL Access, A9 Insufficient Transport Layer Protection, A10 Unvalidated Redirects and Forwards.

NOTE: A7 (Insecure Cryptographic Storage) and A10 (Unvalidated Redirects and Forwards) have no corresponding test in OWASP Testing Guide 3.0, so a test plan derived only from the 3.0 guide leaves those two Top 10 categories uncovered and they must be tested separately. OWASP Testing Guide 4.0 (released in 2014) partly closed this gap: it added a Cryptography section (OTG-CRYPST-001 to -003, covering weak SSL/TLS ciphers, padding oracles and sensitive information sent over unencrypted channels) and Testing for Client Side URL Redirect (OTG-CLIENT-004). Conversely, many 3.0 tests carry no Top 10 reference at all, because the Top 10 is a risk awareness list rather than a complete test catalogue; the mapping should be read as a coverage check, not as a substitute for the full guide.


security/owasp_open_web_application_security_project/mapping_owasp_top_10_2010_against_owasp_testing_guide_3.0.txt · Last modified: 2020/07/15 10:30 by 127.0.0.1