Security Control Category
OTG number | ODG number candidates | OCRG number candidates | Test case description
Information Gathering
OTG-INFO-01 | | | Conduct Search Engine Discovery and Reconnaissance for Information Leakage (formerly "OWASP-IG-002 - Search Engine Discovery and Reconnaissance")
OTG-INFO-02 | | | Fingerprint Web Server (formerly "OWASP-IG-004 - Testing for Web Application Fingerprint")
OTG-INFO-03 | | | Review Webserver Metafiles for Information Leakage (formerly "OWASP-IG-001 - Spiders, Robots and Crawlers")
OTG-INFO-04 | | | Enumerate Applications on Webserver (formerly "OWASP-IG-005 - Application Discovery")
OTG-INFO-05 | | | Review Webpage Comments and Metadata for Information Leakage (formerly OWASP-IG-007)
OTG-INFO-06 | | | Identify application entry points (formerly OWASP-IG-003)
OTG-INFO-07 | | | Identify application exit/handover points (formerly OWASP-IG-008)
OTG-INFO-08 | | | Map execution paths through application (formerly OWASP-IG-009)
OTG-INFO-09 | | | Fingerprint Web Application Framework (formerly OWASP-IG-010)
OTG-INFO-10 | | | Fingerprint Web Application (formerly OWASP-IG-010)
OTG-INFO-11 | | | Map Network and Application Architecture (formerly "OWASP-CM-001 - Testing for Infrastructure Configuration Management Testing weakness")
Platform Configuration
OTG-CONFIG-01 | | | Test Network/Infrastructure Configuration (formerly "OWASP-CM-001 - Testing for Infrastructure Configuration Management Testing weakness")
OTG-CONFIG-02 | | | Test Application Platform Configuration (formerly "OWASP-CM-002 - Testing for Application Configuration Management weakness")
OTG-CONFIG-03 | | | Test File Extensions Handling for Sensitive Information (formerly "OWASP-CM-003 - Testing for File Extensions Handling")
OTG-CONFIG-04 | | | Review Old, Backup and Unreferenced Files for Sensitive Information (formerly "OWASP-CM-004 - Old, Backup and Unreferenced Files")
OTG-CONFIG-05 | | | Test Infrastructure and Application Admin Interfaces (formerly "OWASP-CM-005 - Infrastructure and Application Admin Interfaces")
OTG-CONFIG-06 | | | Test HTTP Methods (formerly "OWASP-CM-006 - Testing for Bad HTTP Methods") [new - Abian Blome]
OTG-CONFIG-07 | | | Testing for Database credentials/connection strings available (OWASP-CM-007)
OTG-CONFIG-08 | | | Test Content Security Policy (OWASP-CM-008) [New! - Simone Onofri]
OTG-CONFIG-09 | | | Test HTTP Strict Transport Security (OWASP-CM-009) [New! - Juan Manuel Bahamonde]
OTG-CONFIG-10 | | | Test Frame Options
OTG-CONFIG-11 | | | Test RIA cross domain policy (OWASP-CM-010) [New! - Eduardo Castellanos]
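Four of the Platform Configuration test cases above (OTG-CONFIG-06 HTTP methods, OTG-CONFIG-08 CSP, OTG-CONFIG-09 HSTS, OTG-CONFIG-10 frame options) reduce to reading response headers. The script below is an added example, not code from the OWASP Testing Guide or any of the listed contributors: it takes a raw HTTP response as a tester would capture it with `curl -i` or a proxy and reports the weak settings. The sample response is constructed, the list of risky methods and the one-year HSTS threshold are the author's assumptions, and in a real engagement every advertised method should be confirmed by actually sending it.

```python
"""Offline checks for OTG-CONFIG-06 (HTTP methods), -08 (CSP), -09 (HSTS)
and -10 (frame options).  Added example, not code from the OWASP Testing
Guide.  It works on a raw HTTP response as captured with `curl -i` or a
proxy, so no live target is needed; SAMPLE_RESPONSE below is constructed."""
from typing import Dict, List

# Constructed response: a deliberately weak configuration.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Allow: GET, POST, PUT, DELETE, TRACE, OPTIONS\r\n"
    "Strict-Transport-Security: max-age=3600\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' *\r\n"
    "X-Frame-Options: ALLOWALL\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

# Methods a plain web application rarely needs (assumed list); each one advertised
# is a finding to confirm by sending it (TRACE -> XST, PUT/DELETE -> file write/removal).
RISKY_METHODS = {"PUT", "DELETE", "TRACE", "TRACK", "CONNECT", "PATCH",
                 "PROPFIND", "MOVE", "COPY"}
MIN_HSTS_AGE = 365 * 24 * 3600   # assumed threshold: one year, the preload-list minimum


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Map lower-cased header name -> list of values (repeated headers keep all)."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:          # [0] is the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def check_methods(headers: Dict[str, List[str]]) -> List[str]:
    """OTG-CONFIG-06: risky methods advertised in the Allow header."""
    allowed = {m.strip().upper()
               for value in headers.get("allow", []) for m in value.split(",")}
    return sorted(allowed & RISKY_METHODS)


def check_hsts(headers: Dict[str, List[str]]) -> List[str]:
    """OTG-CONFIG-09: header present, max-age long enough, subdomains covered."""
    values = headers.get("strict-transport-security")
    if not values:
        return ["HSTS header missing"]
    directives: Dict[str, str] = {}
    for part in values[0].split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            directives[key.lower()] = val.strip()
    try:
        max_age = int(directives.get("max-age", "0"))
    except ValueError:
        max_age = 0
    findings = []
    if max_age < MIN_HSTS_AGE:
        findings.append(f"HSTS max-age too short ({max_age}s)")
    if "includesubdomains" not in directives:
        findings.append("HSTS lacks includeSubDomains")
    return findings


def check_csp(headers: Dict[str, List[str]]) -> List[str]:
    """OTG-CONFIG-08: CSP present and script sources not effectively unrestricted."""
    values = headers.get("content-security-policy")
    if not values:
        return ["CSP header missing"]
    policy: Dict[str, List[str]] = {}
    for directive in values[0].split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    # script-src falls back to default-src when absent.
    script_src = policy.get("script-src", policy.get("default-src", []))
    if not script_src:
        return ["CSP does not restrict script sources"]
    return [f"script-src allows {weak}"
            for weak in ("'unsafe-inline'", "'unsafe-eval'", "*", "data:")
            if weak in script_src]


def check_frame_options(headers: Dict[str, List[str]]) -> List[str]:
    """OTG-CONFIG-10: framing restricted by CSP frame-ancestors or X-Frame-Options."""
    csp = " ".join(headers.get("content-security-policy", [])).lower()
    if "frame-ancestors" in csp:
        return []                      # browsers honour this over X-Frame-Options
    values = headers.get("x-frame-options")
    if not values:
        return ["X-Frame-Options missing and no CSP frame-ancestors"]
    if values[0].strip().upper() not in ("DENY", "SAMEORIGIN"):
        # ALLOW-FROM is no longer honoured; any other value is ignored by browsers.
        return [f"X-Frame-Options has unsupported value {values[0]!r}"]
    return []


def audit(raw: str) -> Dict[str, List[str]]:
    """Run all four checks; an empty list means the check passed."""
    h = parse_headers(raw)
    return {"OTG-CONFIG-06": check_methods(h),
            "OTG-CONFIG-08": check_csp(h),
            "OTG-CONFIG-09": check_hsts(h),
            "OTG-CONFIG-10": check_frame_options(h)}


if __name__ == "__main__":
    for test_id, findings in audit(SAMPLE_RESPONSE).items():
        print(test_id, findings or "ok")
```

Run it against the constructed response and it flags PUT/DELETE/TRACE, the short HSTS max-age without includeSubDomains, the `'unsafe-inline'` and `*` script sources, and the meaningless `ALLOWALL` frame value; a response carrying `frame-ancestors`, a one-year HSTS and a `'self'`-only policy comes back clean.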
Identity Management
  Role Management
OTG-IDENT-01 | | | Test Role Definitions
  User registration
OTG-IDENT-02 | | | Test User Registration Process
  User provisioning
OTG-IDENT-03 | | | Test Account Provisioning Process
    Standard Account
    Privileged Account
OTG-IDENT-04 | ODG-AUTHN-17 | OCR-AUTHN-13 | Testing for Account Enumeration and Guessable User Account (OWASP-AT-002) [Robert Winkel]
OTG-IDENT-05 | | | Testing for Weak or unenforced username policy (OWASP-AT-009) [New! - Robert Winkel]
OTG-IDENT-06 | | | Test Permissions of Guest/Training Accounts
  User deregistration and deprovisioning
OTG-IDENT-07 | | | Test Account Suspension/Resumption Process
OTG-IDENT-08 | | | Test User Deregistration Process
OTG-IDENT-09 | | | Test Account Deprovisioning Process
Authentication
OTG-AUTHN-01 | | OCR-AUTHN-11, OCR-AUTHN-12 | Testing for Credentials Transported over an Encrypted Channel (OWASP-AT-001) [Robert Winkel]
OTG-AUTHN-03 | ODG-AUTHN-18 | | Testing for default credentials (OWASP-AT-003) [Davide Danelon]
OTG-AUTHN-04 | ODG-AUTHN-03, ODG-AUTHN-11 | OCR-AUTHN-17 | Testing for Weak lock out mechanism (OWASP-AT-004) [New! - Robert Winkel]
OTG-AUTHN-06 | | OCR-AUTHN-02, OCR-AUTHN-05 | Testing for bypassing authentication schema (OWASP-AT-005)
    Basic
    Multi-factor
    Single-Sign On
    Certificate
    Biometric
OTG-AUTHN-07 | ODG-AUTHN-02 | OCR-AUTHN-10 | Testing for remember password functionality (OWASP-AT-006) [Robert Winkel]
OTG-AUTHN-08 | ODG-AUTHN-02 | OCR-AUTHN-10? | Testing for Browser cache weakness (OWASP-AT-007) [New! - Abian Blome]
OTG-AUTHN-09 | ODG-AUTHN-07, ODG-AUTHN-22 | OCR-AUTHN-06, OCR-AUTHN-07, OCR-AUTHN-08 | Testing for Weak password policy (OWASP-AT-008) [New! - Robert Winkel]
OTG-AUTHN-11 | ODG-AUTHN-21 | OCR-AUTHN-22 | Weak security question/answer [New! - Robert Winkel - MAT Note: same as AT-006]
OTG-AUTHN-12 | ODG-AUTHN-01 | | Testing for failure to restrict access to authenticated resource (OWASP-AT-010) [New! - This seems better suited to the Authorization test cases (Andrew Muller)]
OTG-AUTHN-13 | ODG-AUTHN-09, ODG-AUTHN-16, ODG-AUTHN-19, ODG-AUTHN-20 | OCR-AUTHN-20, OCR-AUTHN-22, OCR-AUTHN-23, OCR-AUTHN-24, OCR-AUTHN-25, OCR-AUTHN-26, OCR-AUTHN-27 | Testing for weak password change or reset functionalities (OWASP-AT-011) [New! - Robert Winkel]
OTG-AUTHN-15 | ODG-AUTHN-08 | | Weaker authentication in alternative channel (e.g. mobile app, IVR, help desk) [New! - MAT Note: please explain better the kind of test to perform]
Authorisation
  User privilege management
OTG-AUTHZ-01 | | | Test Management of Account Permissions
    Assignment
    Modification
    Revocation
    Delegation
OTG-AUTHZ-02 | ODG-FILE-02, ODG-FILE-07 | | 4.6.1 Testing Directory traversal/file include (OWASP-AZ-001) [Juan Galiana]
OTG-AUTHZ-03 | | | 4.6.2 Testing for bypassing authorization schema (OWASP-AZ-002)
OTG-AUTHZ-04 | | | 4.6.3 Testing for Privilege Escalation (OWASP-AZ-003) [Irene Abezgauz]
    Horizontal
    Vertical
OTG-AUTHZ-05 | ODG-AUTHZ-04 | | 4.6.4 Testing for Insecure Direct Object References (OWASP-AZ-004) [Irene Abezgauz]
OTG-AUTHZ-06 | ODG-AUTHZ-01, ODG-AUTHZ-02, ODG-AUTHZ-03 | | 4.6.5 Testing for Failure to Restrict access to authorized resource (OWASP-AZ-005) [New!]
OTG-AUTHZ-07 | | | > Server component has excessive privileges (e.g. indexing service, reporting interface, file generator) [New!]
OTG-AUTHZ-08 | | | > Lack of enforcement of application entry points (including exposure of objects) [New!]
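For OTG-AUTHZ-02 (directory traversal / file include) the tester's job is to find a file-serving entry point and push path segments through it in every encoding the decoder will accept. The following is an added example, not code from the OWASP Testing Guide: a naive download handler next to a hardened one, both driven by the payload set a tester would send, so the difference in what each would open is visible without touching a filesystem. `BASE` and the file names are assumptions; the hardened version normalises lexically and, as its comment says, a real handler must additionally resolve symlinks before the prefix check.

```python
"""OTG-AUTHZ-02: directory traversal / file include.  A naive file handler next
to a hardened one, exercised with the payloads a tester would send.  Added
example, not from the OWASP Testing Guide; BASE and the file names are
assumptions, nothing is read from disk."""
import posixpath
from typing import Dict, Optional, Tuple
from urllib.parse import unquote

BASE = "/srv/app/files"      # assumed document root of the hypothetical download handler


def vulnerable_path(user_path: str) -> str:
    """What the weak handler does: decode once and concatenate.  The OS then
    resolves the '..' segments, so '../../../etc/passwd' leaves BASE."""
    return BASE + "/" + unquote(user_path)


def hardened_path(user_path: str) -> Optional[str]:
    """Decode until the value stops changing (defeats %252e double encoding),
    refuse NUL bytes and backslashes, normalise lexically and require the
    result to stay under BASE.  Returns None when the request must be refused.
    A real handler must also resolve symlinks (os.path.realpath) before the
    prefix check; that is skipped here so the example needs no filesystem."""
    decoded = user_path
    for _ in range(3):                       # bounded: never loop on hostile input
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if "\x00" in decoded or "\\" in decoded:
        return None
    candidate = posixpath.normpath(posixpath.join(BASE, decoded.lstrip("/")))
    if candidate != BASE and not candidate.startswith(BASE + "/"):
        return None
    return candidate


# Constructed payloads: a legitimate name, a harmless '..' that stays inside,
# classic and URL-encoded traversal, double encoding, an encoded NUL (truncation
# against extension checks) and a Windows-style separator.
PAYLOADS = [
    "report.pdf",
    "sub/../report.pdf",
    "../../../etc/passwd",
    "..%2f..%2f..%2fetc%2fpasswd",
    "%252e%252e%252f%252e%252e%252fetc%252fpasswd",
    "report.pdf%00.png",
    "..\\..\\windows\\win.ini",
]


def run_payloads() -> Dict[str, Tuple[str, Optional[str]]]:
    """payload -> (what the weak handler would open, what the hardened one allows)."""
    return {p: (vulnerable_path(p), hardened_path(p)) for p in PAYLOADS}


if __name__ == "__main__":
    for payload, (weak, safe) in run_payloads().items():
        print(f"{payload!r:48} weak={posixpath.normpath(weak)!r:34} hardened={safe!r}")
```

The printed table is the evidence a report needs: the weak handler resolves `../../../etc/passwd` to `/etc/passwd` while the hardened one refuses every traversal variant and still serves `sub/../report.pdf` as the file it really is.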
Session Management
OTG-SESS-01 | | | 4.5.1 Testing for Bypassing Session Management Schema (OWASP-SM-001)
OTG-SESS-02 | ODG-SESS-12, ODG-SESS-14, ODG-SESS-15 | | 4.5.2 Testing for Cookies attributes (cookies set without 'HttpOnly', 'Secure', or a time validity) (OWASP-SM-002)
OTG-SESS-03 | ODG-SESS-07 | | 4.5.3 Testing for Session Fixation (OWASP-SM-003)
OTG-SESS-04 | ODG-SESS-06 | | 4.5.4 Testing for Exposed Session Variables (OWASP-SM-004)
OTG-SESS-05 | ODG-AUTHZ-14 | | 4.5.5 Testing for Cross Site Request Forgery (CSRF) (OWASP-SM-005)
OTG-SESS-06 | ODG-SESS-11 | | > Weak Session Token (MAT Note: included in 4.5.1)
OTG-SESS-07 | | | 4.5.6 Testing for Session token not restricted properly (such as domain or path not set properly) (OWASP-SM-006) [New! - Abian Blome]
OTG-SESS-08 | ODG-SESS-06 | | > Session passed over HTTP (Note: included in SM-004) [New!]
OTG-SESS-09 | ODG-SESS-02, ODG-SESS-03, ODG-SESS-04 | | 4.5.7 Testing for logout functionality (OWASP-SM-007)
OTG-SESS-10 | | | > Session token not removed on server after logout [New! - Note: included in the test above]
OTG-SESS-11 | | | > Logout function not properly implemented (Note: same as above)
OTG-SESS-12 | | | > Persistent session token [New! - Note: this is not a vulnerability if session time out is correctly performed]
OTG-SESS-13 | | | 4.5.8 Testing for Session puzzling (OWASP-SM-008) [New! - Abian Blome]
OTG-SESS-14 | | | > Missing user-viewable log of authentication events [Note: needs more details: which test to perform?]
OTG-SESS-15 | | | > Establishment of multiple sessions with same credentials [New! - Andrew Muller]
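OTG-SESS-02 (cookie attributes) and OTG-SESS-07 (session token domain/path scope) are both answered by reading the `Set-Cookie` headers of the login response. The script below is an added example, not code from the OWASP Testing Guide: it parses each header, keeps only cookies that look like session tokens, and reports missing `Secure`/`HttpOnly`/`SameSite`, persistence (which, as the OTG-SESS-12 note says, is only a finding when server-side timeout is not enforced), and a `Domain` or `Path` wider than the application. The sample headers, the host `shop.example.com`, the app path `/app` and the `SESSION_NAMES` list are all constructed assumptions.

```python
"""OTG-SESS-02 (cookie attributes) and OTG-SESS-07 (session token scope):
parse Set-Cookie headers and report missing Secure/HttpOnly/SameSite,
persistence, and over-broad Domain/Path on session cookies.  Added example,
not from the OWASP Testing Guide.  The headers, host and app path below are
constructed; SESSION_NAMES is an assumed list of common session cookie names."""
from typing import Dict, List

SESSION_NAMES = {"sessionid", "phpsessid", "jsessionid", "asp.net_sessionid", "sid"}

# Constructed Set-Cookie values as they might appear in one login response.
SAMPLE_SET_COOKIES = [
    "JSESSIONID=8A1F2C; Path=/",
    "sid=abc123; Domain=.example.com; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT",
    "theme=dark; Path=/; Max-Age=31536000",
    "PHPSESSID=zz91; Path=/app; Secure; HttpOnly; SameSite=Lax",
]


def parse_set_cookie(header: str) -> Dict[str, str]:
    """One Set-Cookie value -> {'name', 'value', <attribute lower-cased>: value}.
    Attributes without a value (Secure, HttpOnly) map to ''."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key:
            cookie[key.strip().lower()] = val.strip()
    return cookie


def audit_cookie(cookie: Dict[str, str], host: str, app_path: str) -> List[str]:
    """Findings for one session cookie served by `host` for an app under `app_path`."""
    findings = []
    if "secure" not in cookie:
        findings.append("missing Secure")
    if "httponly" not in cookie:
        findings.append("missing HttpOnly")
    if cookie.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict")
    if "expires" in cookie or "max-age" in cookie:
        # Persistent session cookie: survives browser close.  Per the OTG-SESS-12
        # note this only matters when server-side session timeout is not enforced.
        findings.append("persistent (Expires/Max-Age set)")
    domain = cookie.get("domain", "").lstrip(".").lower()
    if domain and domain != host.lower():
        if host.lower().endswith("." + domain):
            findings.append(f"Domain={domain} shared with every subdomain")
        else:
            findings.append(f"Domain={domain} does not match host")
    path = cookie.get("path", "/")
    if app_path != "/" and not path.startswith(app_path):
        findings.append(f"Path={path} wider than app path {app_path}")
    return findings


def audit_response(set_cookies: List[str], host: str, app_path: str = "/") -> Dict[str, List[str]]:
    """Cookie name -> findings, for cookies that look like session tokens only."""
    report = {}
    for header in set_cookies:
        cookie = parse_set_cookie(header)
        if cookie["name"].lower() in SESSION_NAMES:
            report[cookie["name"]] = audit_cookie(cookie, host, app_path)
    return report


if __name__ == "__main__":
    for name, findings in audit_response(SAMPLE_SET_COOKIES, "shop.example.com", "/app").items():
        print(name, findings or "ok")
```

On the constructed response `JSESSIONID` and `sid` are reported (the latter also for being persistent and scoped to every `example.com` subdomain), `theme` is ignored as a non-session cookie, and `PHPSESSID` passes.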
Input Validation
OTG-INPVAL-05 | | | 4.8.5 Testing for Unvalidated Redirects and Forwards [Brad Causey]
OTG-INPVAL-03 | | | 4.8.3 Testing for HTTP Verb Tampering [Brad Causey]
OTG-INPVAL-04 | | | 4.8.4 Testing for HTTP Parameter pollution [Luca Carettoni, Stefano Di Paola, Brad Causey]
OTG-INPVAL-17 | | | 4.8.16 Testing for HTTP Splitting/Smuggling (OWASP-DV-016) [Juan Galiana]
OTG-INPVAL-06 | | | 4.8.5 Testing for SQL Injection (OWASP-DV-005) [Ismael Gonçalves] (Ismael note: ready to be reviewed)
    4.8.5.1 Oracle Testing
    4.8.5.2 MySQL Testing [Ismael Gonçalves]
    4.8.5.3 SQL Server Testing
    4.8.5.4 MS Access Testing
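OTG-INPVAL-04 (HTTP Parameter Pollution) rests on one fact: when a parameter is repeated, the component that filters the request and the component that consumes it may not pick the same occurrence. The script below is an added example, not code from the OWASP Testing Guide or its listed authors. It models a front-end filter and a back-end application with configurable precedence and shows how a payload hidden in the second `id` passes a filter that reads the first. The blocklist, the query and the precedence modes are assumptions; the framework behaviours named in the comments are common defaults that must be confirmed on the real stack (send `?id=1&id=2` and see which value the application echoes).

```python
"""OTG-INPVAL-04: HTTP Parameter Pollution.  The weakness is that the component
that filters a request and the component that consumes it may pick different
occurrences of a repeated parameter.  Added example, not from the OWASP
Testing Guide; the blocklist filter and the precedence modes are assumptions
that model behaviour to be confirmed against the real stack."""
from typing import List, Tuple
from urllib.parse import parse_qs

# Constructed request: the first occurrence is harmless, the second carries the payload.
POLLUTED_QUERY = "id=1&id=1%27%20UNION%20SELECT%201,2,3--"


def pick(values: List[str], mode: str) -> str:
    """Resolve a repeated parameter the way a given component does.
    'first' (e.g. Java Servlet getParameter), 'last' (e.g. PHP $_GET),
    'join' (e.g. ASP.NET Request.QueryString, comma-joined).  Which one a
    real stack uses is something the test has to establish, not assume."""
    if mode == "first":
        return values[0]
    if mode == "last":
        return values[-1]
    if mode == "join":
        return ",".join(values)
    raise ValueError(f"unknown precedence mode {mode!r}")


def filter_blocks(query: str, mode: str, blocklist=("union", "select", "'")) -> bool:
    """Hypothetical front-end filter (WAF/reverse proxy) that only inspects the
    occurrence its own parser resolves."""
    for values in parse_qs(query, keep_blank_values=True).values():
        seen = pick(values, mode).lower()
        if any(token in seen for token in blocklist):
            return True
    return False


def backend_value(query: str, name: str, mode: str) -> str:
    """The value the application code actually uses for `name`."""
    return pick(parse_qs(query, keep_blank_values=True).get(name, [""]), mode)


def hpp_outcome(query: str, name: str, filter_mode: str, app_mode: str) -> Tuple[bool, str]:
    """(blocked by the filter?, value reaching the application)."""
    return filter_blocks(query, filter_mode), backend_value(query, name, app_mode)


if __name__ == "__main__":
    for filter_mode, app_mode in (("first", "last"), ("last", "last"), ("first", "join")):
        blocked, value = hpp_outcome(POLLUTED_QUERY, "id", filter_mode, app_mode)
        print(f"filter={filter_mode:5} app={app_mode:5} blocked={blocked} app sees {value!r}")
```

With the filter on `first` and the application on `last` the injection reaches the back end unblocked; only when both agree on the same occurrence does the filter see what the application will execute, which is exactly the mismatch this test case looks for.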