Building a Security Program - OWASP

OWASP Checklist

| Test Name | Vulnerability | Ref. Number |
|---|---|---|
| Spiders, Robots and Crawlers | | IG-001 |
| Search Engine Discovery/Reconnaissance | | IG-002 |
| Identify application entry points | | IG-003 |
| Testing for Web Application Fingerprint | | IG-004 |
| Application Discovery | | IG-005 |
| Analysis of Error Codes | | IG-006 |
| SSL/TLS Testing (SSL Version, Algorithms, Key length, Digital Cert. Validity) | SSL Weakness | CM-001 |
| DB Listener Testing | DB Listener weak | CM-002 |
| Infrastructure Configuration Management Testing | Infrastructure Configuration management weakness | CM-003 |
| Application Configuration Management Testing | Application Configuration management weakness | CM-004 |
| Testing for File Extensions Handling | File extensions handling | CM-005 |
| Old, backup and unreferenced files | Old, backup and unreferenced files | CM-006 |
| Infrastructure and Application Admin Interfaces | Access to Admin interfaces | CM-007 |
| Testing for HTTP Methods and XST | HTTP Methods enabled, XST permitted, HTTP Verb | CM-008 |
| Credentials transport over an encrypted channel | Credentials transport over an encrypted channel | AT-001 |
| Testing for user enumeration | User enumeration | AT-002 |
| Testing for Guessable (Dictionary) User Account | Guessable user account | AT-003 |
| Brute Force Testing | Credentials Brute forcing | AT-004 |
| Testing for bypassing authentication schema | Bypassing authentication schema | AT-005 |
| Testing for vulnerable remember password and pwd reset | Vulnerable remember password, weak pwd reset | AT-006 |
| Testing for Logout and Browser Cache Management | Logout function not properly implemented, browser cache weakness | AT-007 |
| Testing for CAPTCHA | Weak Captcha implementation | AT-008 |
| Testing Multiple Factors Authentication | Weak Multiple Factors Authentication | AT-009 |
| Testing for Race Conditions | Race Conditions vulnerability | AT-010 |
| Testing for Session Management Schema | Bypassing Session Management Schema, Weak Session Token | SM-001 |
| Testing for Cookies attributes | Cookies are set not 'HTTP Only', 'Secure', and no time validity | SM-002 |
| Testing for Session Fixation | Session Fixation | SM-003 |
| Testing for Exposed Session Variables | Exposed sensitive session variables | SM-004 |
| Testing for CSRF | CSRF | SM-005 |
| Testing for Path Traversal | Path Traversal | AZ-001 |
| Testing for bypassing authorization schema | Bypassing authorization schema | AZ-002 |
| Testing for Privilege Escalation | Privilege Escalation | AZ-003 |
| Testing for Business Logic | Bypassable business logic | BL-001 |
| Testing for Reflected Cross Site Scripting | Reflected XSS | DV-001 |
| Testing for Stored Cross Site Scripting | Stored XSS | DV-002 |
| Testing for DOM based Cross Site Scripting | DOM XSS | DV-003 |
| Testing for Cross Site Flashing | Cross Site Flashing | DV-004 |
| SQL Injection | SQL Injection | DV-005 |
| LDAP Injection | LDAP Injection | DV-006 |
| ORM Injection | ORM Injection | DV-007 |
| XML Injection | XML Injection | DV-008 |
| SSI Injection | SSI Injection | DV-009 |
| XPath Injection | XPath Injection | DV-010 |
| IMAP/SMTP Injection | IMAP/SMTP Injection | DV-011 |
| Code Injection | Code Injection | DV-012 |
| OS Commanding | OS Commanding | DV-013 |
| Buffer overflow | Buffer overflow | DV-014 |
| Incubated vulnerability | Incubated vulnerability | DV-015 |
| Testing for HTTP Splitting/Smuggling | HTTP Splitting, Smuggling | DV-016 |
| Testing for SQL Wildcard Attacks | SQL Wildcard vulnerability | DS-001 |
| Locking Customer Accounts | Locking Customer Accounts | DS-002 |
| Testing for DoS Buffer Overflows | Buffer Overflows | DS-003 |
| User Specified Object Allocation | User Specified Object Allocation | DS-004 |
| User Input as a Loop Counter | User Input as a Loop Counter | DS-005 |
| Writing User Provided Data to Disk | Writing User Provided Data to Disk | DS-006 |
| Failure to Release Resources | Failure to Release Resources | DS-007 |
| Storing too Much Data in Session | Storing too Much Data in Session | DS-008 |
| WS Information Gathering | N.A. | WS-001 |
| Testing WSDL | WSDL Weakness | WS-002 |
| XML Structural Testing | Weak XML Structure | WS-003 |
| XML content-level Testing | XML content-level | WS-004 |
| HTTP GET parameters/REST Testing | WS HTTP GET parameters/REST | WS-005 |
| Naughty SOAP attachments | WS Naughty SOAP attachments | WS-006 |
| Replay Testing | WS Replay Testing | WS-007 |
| AJAX Vulnerabilities | N.A. | AJ-001 |
| AJAX Testing | AJAX weakness | AJ-002 |

Check Tools

Wikto
Nikto
Paros
TamperIE
Nessus
Nmap
Wget
SamSpade
Spike Proxy
Xenu
Curl
OpenSSL
BURP Proxy
SSLDigger
HTTrack
HTTPrint
Webscarab
Foundstone Cookie Digger
posted @ 2019-08-06 11:09  7hang