{"id":13414757,"url":"https://github.com/0xRadi/OWASP-Web-Checklist","last_synced_at":"2025-03-14T22:32:08.860Z","repository":{"id":38430032,"uuid":"133163904","full_name":"0xRadi/OWASP-Web-Checklist","owner":"0xRadi","description":"OWASP Web Application Security Testing Checklist","archived":false,"fork":false,"pushed_at":"2022-08-18T02:31:06.000Z","size":212,"stargazers_count":1625,"open_issues_count":3,"forks_count":329,"subscribers_count":43,"default_branch":"master","last_synced_at":"2024-07-31T21:53:14.186Z","etag":null,"topics":["bugbounty","checklist","owasp","security","security-tools","security-vulnerability","testing"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/0xRadi.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2018-05-12T16:34:01.000Z","updated_at":"2024-07-31T19:52:04.000Z","dependencies_parsed_at":"2022-07-13T17:20:44.157Z","dependency_job_id":null,"html_url":"https://github.com/0xRadi/OWASP-Web-Checklist","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xRadi%2FOWASP-Web-Checklist","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xRadi%2FOWASP-Web-Checklist/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xRadi%2FOWASP-Web-Checklist/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xRadi%2FOWASP-Web-Checklist/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/0xRadi","download_url":"https://codeload.github.com/0xRadi/OWASP-Web-Checklist/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":221513932,"owners_count":16835746,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bugbounty","checklist","owasp","security","security-tools","security-vulnerability","testing"],"created_at":"2024-07-30T21:00:35.222Z","updated_at":"2024-10-26T08:30:25.484Z","avatar_url":"https://github.com/0xRadi.png","language":null,"funding_links":[],"categories":["Security Related Code Review Checklists","Others","Secure Programming"],"sub_categories":["Secure Web dev"],"readme":"# OWASP Web Application Security Testing Checklist\n- Available in [PDF](OWASP/OWASP%20Web%20Application%20Security%20Testing%20Checklist.pdf) or [Docx](OWASP/OWASP%20Web%20Application%20Security%20Testing%20Checklist.docx) for printing\n- [Trello board to copy for your own use](https://trello.com/b/zTSkJPkL/owasp-web-checklist)\n\n## Table of Contents\n\n* [Information Gathering](#Information)\n* [Configuration Management](#Configuration)\n* [Secure Transmission](#Transmission)\n* [Authentication](#Authentication)\n* [Session Management](#Session)\n* [Authorization](#Authorization)\n* [Data Validation](#Validation)\n* [Denial of Service](#Denial)\n* [Business Logic](#Business)\n* [Cryptography](#Cryptography)\n* [Risky Functionality - File Uploads](#File)\n* [Risky Functionality - Card Payment](#Card)\n* [HTML 5](#HTML)\n\n-------\n### \u003ca name=\"Information\"\u003eInformation Gathering\u003c/a\u003e\n- [ ] Manually explore the site\n- [ ] Spider/crawl for missed or hidden content\n- [ ] Check for files that expose content, such as robots.txt, sitemap.xml, .DS_Store\n- [ ] Check the caches of major search engines for publicly accessible sites\n- [ ] Check for differences in content based on User-Agent (e.g., mobile sites, access as a search engine crawler)\n- [ ] Perform web application fingerprinting\n- [ ] Identify technologies used\n- [ ] Identify user roles\n- [ ] Identify application entry points\n- [ ] Identify client-side code\n- [ ] Identify multiple versions/channels (e.g., web, mobile web, mobile app, web services)\n- [ ] Identify co-hosted and related applications\n- [ ] Identify all hostnames and ports\n- [ ] Identify third-party hosted content\n\n\n### \u003ca name=\"Configuration\"\u003eConfiguration Management\u003c/a\u003e\n\n- [ ] Check for commonly used application and administrative URLs\n- [ ] Check for old, backup and unreferenced files\n- [ ] Check HTTP methods supported and Cross Site Tracing (XST)\n- [ ] Test file extension handling\n- [ ] Test for security HTTP headers (e.g., CSP, X-Frame-Options, HSTS)\n- [ ] Test for policies (e.g., Flash, Silverlight, robots)\n- [ ] Test for non-production data in the live environment, and vice versa\n- [ ] Check for sensitive data in client-side code (e.g., API keys, credentials)\n\n\n### \u003ca name=\"Transmission\"\u003eSecure Transmission\u003c/a\u003e\n\n- [ ] Check SSL/TLS version, algorithms and key length\n- [ ] Check digital certificate validity (duration, signature and CN)\n- [ ] Check that credentials are only delivered over HTTPS\n- [ ] Check that the login form is delivered over HTTPS\n- [ ] Check that session tokens are only delivered over HTTPS\n- [ ] Check if HTTP Strict Transport Security (HSTS) is in use\n\n\n\n### \u003ca name=\"Authentication\"\u003eAuthentication\u003c/a\u003e\n- [ ] Test for user enumeration\n- [ ] Test for authentication bypass\n- [ ] Test for brute-force protection\n- [ ] Test password quality rules\n- [ ] Test \"remember me\" functionality\n- [ ] Test for autocomplete on password forms/inputs\n- [ ] Test password reset and/or recovery\n- [ ] Test password change process\n- [ ] Test CAPTCHA\n- [ ] Test multi-factor authentication\n- [ ] Test for logout functionality presence\n- [ ] Test for cache management on HTTP (e.g., Pragma, Expires, Max-age)\n- [ ] Test for default logins\n- [ ] Test for user-accessible authentication history\n- [ ] Test for out-of-channel notification of account lockouts and successful password changes\n- [ ] Test for consistent authentication across applications with a shared authentication schema / SSO\n\n\n\n### \u003ca name=\"Session\"\u003eSession Management\u003c/a\u003e\n- [ ] Establish how session management is handled in the application (e.g., tokens in cookies, token in URL)\n- [ ] Check session tokens for cookie flags (HttpOnly and Secure)\n- [ ] Check session cookie scope (path and domain)\n- [ ] Check session cookie duration (expires and max-age)\n- [ ] Check session termination after a maximum lifetime\n- [ ] Check session termination after relative timeout\n- [ ] Check session termination after logout\n- [ ] Test to see if users can have multiple simultaneous sessions\n- [ ] Test session cookies for randomness\n- [ ] Confirm that new session tokens are issued on login, role change and logout\n- [ ] Test for consistent session management across applications with shared session management\n- [ ] Test for session puzzling\n- [ ] Test for CSRF and clickjacking\n\n\n\n### \u003ca name=\"Authorization\"\u003eAuthorization\u003c/a\u003e\n- [ ] Test for path traversal\n- [ ] Test for bypassing authorization schema\n- [ ] Test for vertical access control problems (a.k.a. privilege escalation)\n- [ ] Test for horizontal access control problems (between two users at the same privilege level)\n- [ ] Test for missing authorization\n\n\n### \u003ca name=\"Validation\"\u003eData Validation\u003c/a\u003e\n- [ ] Test for Reflected Cross Site Scripting\n- [ ] Test for Stored Cross Site Scripting\n- [ ] Test for DOM-based Cross Site Scripting\n- [ ] Test for Cross Site Flashing\n- [ ] Test for HTML Injection\n- [ ] Test for SQL Injection\n- [ ] Test for SOQL Injection\n- [ ] Test for LDAP Injection\n- [ ] Test for ORM Injection\n- [ ] Test for XML Injection\n- [ ] Test for XXE Injection\n- [ ] Test for SSI Injection\n- [ ] Test for XPath Injection\n- [ ] Test for XQuery Injection\n- [ ] Test for IMAP/SMTP Injection\n- [ ] Test for Code Injection\n- [ ] Test for Expression Language Injection\n- [ ] Test for Command Injection\n- [ ] Test for Overflow (Stack, Heap and Integer)\n- [ ] Test for Format String\n- [ ] Test for incubated vulnerabilities\n- [ ] Test for HTTP Splitting/Smuggling\n- [ ] Test for HTTP Verb Tampering\n- [ ] Test for Open Redirection\n- [ ] Test for Local File Inclusion\n- [ ] Test for Remote File Inclusion\n- [ ] Compare client-side and server-side validation rules\n- [ ] Test for NoSQL injection\n- [ ] Test for HTTP parameter pollution\n- [ ] Test for auto-binding\n- [ ] Test for Mass Assignment\n- [ ] Test for NULL/Invalid Session Cookie\n\n### \u003ca name=\"Denial\"\u003eDenial of Service\u003c/a\u003e\n- [ ] Test for anti-automation\n- [ ] Test for account lockout\n- [ ] Test for HTTP protocol DoS\n- [ ] Test for SQL wildcard DoS\n\n\n### \u003ca name=\"Business\"\u003eBusiness Logic\u003c/a\u003e\n- [ ] Test for feature misuse\n- [ ] Test for lack of non-repudiation\n- [ ] Test for trust relationships\n- [ ] Test for integrity of data\n- [ ] Test segregation of duties\n\n\n### \u003ca name=\"Cryptography\"\u003eCryptography\u003c/a\u003e\n- [ ] Check if data which should be encrypted is not\n- [ ] Check for wrong algorithm usage depending on context\n- [ ] Check for weak algorithm usage\n- [ ] Check for proper use of salting\n- [ ] Check for randomness functions\n\n\n### \u003ca name=\"File\"\u003eRisky Functionality - File Uploads\u003c/a\u003e\n- [ ] Test that acceptable file types are whitelisted\n- [ ] Test that file size limits, upload frequency and total file counts are defined and are enforced\n- [ ] Test that file contents match the defined file type\n- [ ] Test that all file uploads have anti-virus scanning in place\n- [ ] Test that unsafe filenames are sanitised\n- [ ] Test that uploaded files are not directly accessible within the web root\n- [ ] Test that uploaded files are not served on the same hostname/port\n- [ ] Test that files and other media are integrated with the authentication and authorisation schemas\n\n\n### \u003ca name=\"Card\"\u003eRisky Functionality - Card Payment\u003c/a\u003e\n- [ ] Test for known vulnerabilities and configuration issues on Web Server and Web Application\n- [ ] Test for default or guessable passwords\n- [ ] Test for non-production data in the live environment, and vice versa\n- [ ] Test for Injection vulnerabilities\n- [ ] Test for Buffer Overflows\n- [ ] Test for Insecure Cryptographic Storage\n- [ ] Test for Insufficient Transport Layer Protection\n- [ ] Test for Improper Error Handling\n- [ ] Test for all vulnerabilities with a CVSS v2 score \u003e 4.0\n- [ ] Test for Authentication and Authorization issues\n- [ ] Test for CSRF\n\n\n### \u003ca name=\"HTML\"\u003eHTML 5\u003c/a\u003e\n- [ ] Test Web Messaging\n- [ ] Test for Web Storage SQL injection\n- [ ] Check CORS implementation\n- [ ] Check Offline Web Application\n\nSource: [OWASP](https://www.owasp.org/index.php/Web_Application_Security_Testing_Cheat_Sheet)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0xRadi%2FOWASP-Web-Checklist","html_url":"https://awesome.ecosyste.ms/projects/github.com%2F0xRadi%2FOWASP-Web-Checklist","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0xRadi%2FOWASP-Web-Checklist/lists"}