OWASP Web App Internet Pen Test Check List 1.17 Spanish Rogelio
Uploaded by sercom69

OWASP Web Application Penetration Checklist

Version 1.1

July 14, 2004

July 13, 2004

This document is released under the GNU documentation license and is Copyrighted to the
OWASP Foundation. You should read and understand that license and copyright conditions.


Contents

Introduction
  About OWASP
  Feedback
Pen Test Checklist
Using this Checklist as an RFP Template
Using this Checklist as a Benchmark
Using this Checklist as a Checklist
About the OWASP Testing Project (Parts One and Two)
The OASIS WAS Standard
Penetration Testing Workflow
Checklist
Appendix A - OASIS WAS Vulnerability Types
Index

Figures

Figure 1: Model Testing Workflow

Tables

Table 1: Pen Test Checklist


Introduction

Penetration testing will never be an exact science where a complete list of all possible
issues that should be tested can be defined. Indeed, penetration testing is only an
appropriate technique for testing the security of web applications under certain
circumstances. Penetration testing alone does not really help identify operational and
management vulnerabilities. For information on operational and management
vulnerabilities, and how to test for them, it is recommended that you read:
- OWASP Testing Framework Part One manual (http://www.owasp.org), which
provides information on how to build a testing framework and on which testing
techniques you should consider.
- Risk Management Guide for Information Technology Systems manual, NIST 800-30 [1],
which describes vulnerabilities in operational, technical, and management
categories.

About OWASP
OWASP is a volunteer organization that is dedicated to developing knowledge-based
documentation and reference implementations, as well as software that can be used by
system architects, developers and security professionals. OWASP’s work promotes and
helps consumers build more secure web applications.
For more information about OWASP, see http://www.owasp.org.

[1] http://csrc.nist.gov/publications/nistpubs/index.html#sp800-30 – The revised version can be found at
http://csrc.nist.gov/publications/drafts/SP800-30-RevA-draft.pdf

Feedback
To provide feedback on this checklist, please send an e-mail to [email protected] with a
subject stating:
[Pen Testing Checklist Feedback].
We welcome all comments and suggestions. If your suggestion is for a new issue, please
detail the issue as you would like to see it in the checklist. If your suggestion is a
correction or improvement, please send your comments and suggested completed text for
the change. As a volunteer group, the easier your changes are to make, the faster they can
be incorporated into our revisions.

Pen Test Checklist


Many OWASP followers, especially financial services companies, have asked OWASP
to develop a checklist that they can use for penetration testing. The intent of the checklist
is to promote consistency among both internal testing teams and external vendors. As
such, this checklist is intended to be used in several ways, including:
- Request for Proposal (RFP) Template
- Benchmarks
- Testing Checklist
This checklist provides issues that should be tested. It does not prescribe techniques that
should be used.

Using this Checklist as an RFP Template


Some people expressed the need for a checklist from which they can request services
from vendors and consulting companies to ensure consistency, and from which they can
compare approaches and results on a level playing field. As such, this checklist can form
the basis of a Request for Proposal (RFP) for services to a vendor. In effect, you are
asking the vendor to perform all of the services listed in the checklist.
Note: If you or your company develops an RFP Template from this checklist, please
share it with OWASP and the community. Send it to [email protected] with the Subject
[Testing Checklist RFP Template].


Using this Checklist as a Benchmark


Some people expressed the need for a checklist from which they can base their internal
testing and from which they can use the test result to develop metrics. Using the same
checklist allows people to compare different applications and even different sources of
development on an “apples to apples” basis.
The OASIS Web Application Security (WAS) project
(http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=was) will provide a set of vulnerability
types that can be used as a classification scheme, and therefore can be adopted into this
checklist to help people sort data easily. For more information, see The OASIS WAS
Standard later in this document.

Using this Checklist as a Checklist


Of course many people will want to use this checklist as just that; a checklist or crib
sheet. As such, the checklist is written as a set of issues that need to be tested. It does not
prescribe techniques that should be used, although examples are provided.

About the OWASP Testing Project (Parts One and Two)


OWASP is currently working on a comprehensive Testing Framework. By the time you
read this document, Part One of the Testing Framework will be close to release and Part
Two will be underway. Part One describes the Why, What, Where, and When of testing
the security of web applications. Part Two provides technical details about how to look
for specific issues using source code inspection and penetration testing; for example,
exactly how to find SQL Injection flaws in code by review or through penetration testing.
This checklist is likely to become an Appendix to Part Two of the OWASP Testing
Framework along with similar checklists for source code review.

The OASIS WAS Standard


The issues identified in this checklist are not ordered according to importance or
criticality. Several members of the OWASP Team are working on an XML standard to
develop a way to describe consistently web application security issues at OASIS. The
mission of OASIS is to drive the development, convergence, and adoption of structured
information standards in the areas of e-business, web services, etc. For more information
about OASIS, see http://www.oasis-open.org.


We believe OASIS WAS will become a very important standard that will allow people to
develop vulnerability and risk management systems and processes on top of data. As this
work is taking place at an official standards body, and is independent of vendor bias or
technology, as well as the fact that its longevity can be guaranteed, it makes OASIS WAS
a suitable standard on which to base your work.
Part of the OASIS WAS standard will be a set of vulnerability types. These are standard
vulnerability issues that will have standard textual definitions that allow people to build
consistent classification schemes and thesauruses. Using these vulnerability types, people
can create useful views into their vulnerability data.
The OASIS WAS XML standard is due to be published in August 2004. The WAS
Vulnerability Types will be published as a separate draft document at the end of April
2004. As such, this checklist may change when the standard is ratified, although this is
unlikely.
As we believe the WAS vulnerability types will become an integral part of application
vulnerability management in the future, it will be tightly coupled to all OWASP work
such as this checklist and the OWASP Testing Framework.

Penetration Testing Workflow


Clearly, by promoting a checklist we are promoting methodical and repeatable testing.
While it is beyond the scope of this checklist to prescribe a penetration testing
methodology (this will be presented in OWASP Testing Part Two), a model testing
workflow has been included, which is shown in Figure 1. The tester may find the
workflow diagram useful when using the testing techniques described in this document. It
is important to note that an infrastructure-level penetration test should be performed prior
to performing the application test. In some cases, the server operating system can be
exploited and can give the tester further leverage in exploiting the web application.
The flow diagram in Figure 1 is based around several steps:
1. The penetration test starts by gathering all possible information regarding the
infrastructure and applications involved. This stage is paramount, as without a
solid understanding of the underlying technology, sections may be missed during
the testing phase.
2. The test should follow all of the different phases shown in Figure 1.
3. Testers should attempt to exploit all discovered vulnerabilities. Even if the
exploitation fails, the tester will gain a better understanding of the vulnerability
risk.
4. Any information returned by checking for vulnerabilities (for example,
programming errors, source code retrieval, or other internal information
disclosure) should be used to re-assess the overall understanding of the
application and how it performs.
5. If, at any point during the testing, a vulnerability is detected that may lead to the
successful compromise of the target or may disclose business-critical information,
the relevant contact for the company should be contacted immediately and made
aware of the situation and the risks involved.

Figure 1: Model Testing Workflow. (The flow diagram is reproduced here as text from its
box and decision labels.)

Information Gathering (Tester):
- Harvest information on the infrastructure and web environment
- Harvest information on the interactive applications and dynamic content generation used
- Produce results for start of test

Testing loop:
- Go through each phase to test for individual weaknesses: Input Validation, Session
Manipulation, Logon Process, etc.
- Decision: Has a possible vulnerability been detected (programming error, configuration
error or system vulnerability)? If No: have all possible tests been executed? If not,
continue with the next test; if so, proceed to Results.
- If Yes: attack target, directed to exploit the vulnerability.
- Decision: Did the attack succeed? If No: have all attack methods been exhausted and
investigated? If not, continue; if so, return to testing.
- If Yes: make a risk assessment of the vulnerability.
- Decisions: Can the vulnerability compromise the service? Is internal information leaked
(source code fragments, implementation information, etc.)? If Yes: is the information
business critical? If Yes: generate an alert and contact the organization.

Results:
- Tested and succeeded vulnerabilities
- Detailed impact and consequences of vulnerabilities in web service

Checklist
The following table is the current Pen Test Checklist:

Table 1: Pen Test Checklist


Columns: Category / Ref Number / Name / Objective / Notes

Category: AppDOS

OWASP-AD-001 - Application Flooding
  Objective: Ensure that the application functions correctly when presented with large
  volumes of requests, transactions, and/or network traffic.
  Notes: Use various fuzzing tools to perform this test (e.g., SPIKE).

OWASP-AD-002 - Application Lockout
  Objective: Ensure that the application does not allow an attacker to reset or lockout
  users' accounts.

Category: AccessControl

OWASP-AC-001 - Parameter Analysis
  Objective: Ensure that the application enforces its access control model by ensuring
  that any parameters available to an attacker would not afford additional service.
  Notes: Typically, this includes manipulation of form fields, URL query strings,
  client-side script values and cookies.

OWASP-AC-002 - Authorization
  Objective: Ensure that resources that require authorization perform adequate
  authorization checks before being sent to a user.

OWASP-AC-003 - Authorization Parameter Manipulation
  Objective: Ensure that once a valid user has logged in, it is not possible to change
  the session ID's parameter to reflect another user account.
  Notes: I.e., accountnumber, policynumber, usernr, etc.

OWASP-AC-004 - Authorized pages/functions
  Objective: Check if it is possible to access pages or functions that require logon but
  can be bypassed.

OWASP-AC-005 - Application Workflow
  Objective: Ensure that where the application requires the user to perform actions in a
  specific sequence, the sequence is enforced.

Category: Authentication

OWASP-AUTHN-001 - Authentication endpoint request should be HTTPS
  Objective: Ensure that users are only asked to submit authentication credentials on
  pages that are served with SSL.
  Notes: This ensures that the user knows who is asking for their credentials as well as
  where they are being sent.

OWASP-AUTHN-002 - Authentication bypass
  Objective: Ensure that the authentication process cannot be bypassed.
  Notes: Typically, this happens in conjunction with flaws such as SQL Injection.

Category: Authentication.User

OWASP-AUTHN-003 - Credentials transport over an encrypted channel
  Objective: Ensure that usernames and passwords are sent over an encrypted channel.
  Notes: Typically, this should be SSL.

OWASP-AUTHN-004 - Default Accounts
  Objective: Check for default account names and passwords in use.

OWASP-AUTHN-005 - Username
  Objective: Ensure that the username is not public (or "wallet") information such as
  e-mail or SSN.

OWASP-AUTHN-006 - Password Quality
  Objective: Ensure that the password complexity makes guessing passwords difficult.

OWASP-AUTHN-007 - Password Reset
  Objective: Ensure that the user must respond to a secret answer or secret question or
  other predetermined information before passwords can be reset.
  Notes: Ensure that passwords are not sent to users in e-mail.

OWASP-AUTHN-008 - Password Lockout
  Objective: Ensure that the user's account is locked out for a period of time when the
  incorrect password is entered more than a specific number of times (usually 5).

OWASP-AUTHN-009 - Password Structure
  Objective: Ensure that special meta characters cannot be used within the password.
  Notes: Can be useful when performing SQL injection.

OWASP-AUTHN-010 - Blank Passwords
  Objective: Ensure that passwords are not blank.

Category: Authentication.SessionManagement

OWASP-AUTHSM-001 - Session Token Length
  Objective: Ensure that the session token is of adequate length to provide protection
  from guessing during an authenticated session.

OWASP-AUTHSM-002 - Session Timeout
  Objective: Ensure that the session tokens are only valid for a predetermined period
  after the last request by the user.

OWASP-AUTHSM-003 - Session Reuse
  Objective: Ensure that session tokens are changed when the user moves from an SSL
  protected resource to a non-SSL protected resource.

OWASP-AUTHSM-004 - Session Deletion
  Objective: Ensure that the session token is invalidated when the user logs out.

OWASP-AUTHSM-005 - Session Token Format
  Objective: Ensure that the session token is non-persistent and is never written to the
  browser's history or cache.

Category: Configuration.Management

OWASP-CM-001 - HTTP Methods
  Objective: Ensure that the web server does not support the ability to manipulate
  resources from the Internet (e.g., PUT and DELETE).

OWASP-CM-002 - Virtually Hosted Sites
  Objective: Try to determine if the site is virtually hosted.
  Notes: If there are further sites, they could be vulnerable and lead to the compromise
  of the base server.

OWASP-CM-003 - Known Vulnerabilities / Security Patches
  Objective: Ensure that known vulnerabilities that vendors have patched are not present.

OWASP-CM-004 - Back-up Files
  Objective: Ensure that no backup files of source code are accessible on the publicly
  accessible part of the application.

OWASP-CM-004 - Web Server Configuration
  Objective: Ensure that common configuration issues such as directory listings and
  sample files have been addressed.

OWASP-CM-005 - Web Server Components
  Objective: Ensure that web server components such as Front Page Server Extensions or
  Apache modules do not introduce any security vulnerabilities.

OWASP-CM-006 - Common Paths
  Objective: Check for existence of common directories within the application root.
  Notes: /backup & /admin may contain information.

OWASP-CM-007 - Language/Application defaults
  Objective: I.e., J2EE environmental quirks; e.g., availability of snoop.jsp /*Spy.jsp
  and loaded modules.

Category: Configuration.Management.Infrastructure

OWASP-CM-008 - Infrastructure Admin Interfaces
  Objective: Ensure that administrative interfaces to infrastructure, such as web servers
  and application servers, are not accessible to the Internet.

Category: Configuration.Management.Application

OWASP-CM-009 - Application Admin Interfaces
  Objective: Ensure that administrative interfaces to the applications are not
  accessible to the Internet.

Category: Error Handling

OWASP-EH-001 - Application Error Messages
  Objective: Ensure that the application does not present application error messages to
  an attacker that could be used in an attack.
  Notes: This typically occurs when applications return verbose error messages such as
  stack traces or database errors.

OWASP-EH-002 - User Error Messages
  Objective: Ensure that the application does not present user error messages to an
  attacker that could be used in an attack.
  Notes: This typically occurs when applications return error messages such as "User does
  not exist" or "User Correct, Password Incorrect."

Category: DataProtection

OWASP-DP-001 - Sensitive Data in HTML
  Objective: Ensure that there is no sensitive data in the HTML (cached in the browser
  history) that could lead an attacker to mount a focused attack.
  Notes: This typically occurs when developers leave information in HTML comments or the
  application renders names and addresses in HTML.

OWASP-DP-002 - Data Storage
  Objective: Ensure data is protected to ensure its confidentiality and integrity, where
  required.

Category: DataProtection.Transport

OWASP-DP-003 - SSL Version
  Objective: Ensure that supported SSL versions do not have cryptographic weaknesses.
  Notes: Typically, this means supporting SSL 3 and TLS 1.0 only.

OWASP-DP-004 - SSL Key Exchange Methods
  Objective: Ensure that the web server does not allow anonymous key exchange methods.
  Notes: Typically ADH Anonymous Diffie-Hellman.

OWASP-DP-005 - SSL Algorithms
  Objective: Ensure that weak algorithms are not available.
  Notes: Typically, algorithms such as RC2 and DES.

OWASP-DP-006 - SSL Key Lengths
  Objective: Ensure the web site uses an appropriate length key.
  Notes: Most web sites should enforce 128 bit encryption.

OWASP-DP-007 - Digital Certificate Validity
  Objective: Ensure the application uses valid digital certificates.
  Notes: Ensure that the digital certificate is valid; i.e., its signature, host, date,
  etc. are valid.

Category: InputValidation

OWASP-IV-001 - Script Injection
  Objective: Ensure that any part of the application that allows input does not process
  scripts as part of the input.
  Notes: Classic case of Cross Site Scripting but includes other scripting as well.

Category: InputValidation.SQL

OWASP-IV-002 - SQL Injection
  Objective: Ensure the application will not process SQL commands from the user.

Category: InputValidation.OS

OWASP-IV-003 - OS Command Injection
  Objective: Ensure the application will not process operating system commands from the
  user.
  Notes: This typically includes issues such as path traversal, spawning command shells,
  and OS functions.

Category: InputValidation.LDAP

OWASP-IV-004 - LDAP Injection
  Objective: Ensure the application will not process LDAP commands from the user.

Category: InputValidation.XSS

OWASP-IV-005 - Cross Site Scripting
  Objective: Ensure that the application will not store or reflect malicious script code.
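The DataProtection.Transport items (OWASP-DP-003 to OWASP-DP-006) state objectives but not how to record the evidence. The following is an added example, not part of the OWASP checklist, showing how a reviewer can turn a server's cipher-suite and protocol configuration into checklist findings. It parses cipher lines in the format `openssl ciphers -v` prints (suite name, minimum protocol, Kx=, Au=, Enc=ALG(bits), Mac=), flags anonymous suites (which OpenSSL labels Au=None), weak algorithms and keys shorter than 128 bits, and compares the enabled protocol versions against a policy. The sample cipher lines and protocol list are constructed, the policy constants and function names are this example's own, and the protocol policy defaults to TLS 1.2 and 1.3 rather than the 2004 note's "SSL 3 and TLS 1.0", because those versions have since been deprecated.

```python
import re
from dataclasses import dataclass

# Constructed sample: the format `openssl ciphers -v` prints for a suite list, plus the
# protocol versions a hypothetical server has enabled. Not taken from any real host.
SAMPLE_PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.2"]
SAMPLE_CIPHERS = """\
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ADH-AES256-SHA              SSLv3   Kx=DH       Au=None Enc=AES(256)    Mac=SHA1
DES-CBC-SHA                 SSLv3   Kx=RSA      Au=RSA  Enc=DES(56)     Mac=SHA1
EXP-RC2-CBC-MD5             SSLv3   Kx=RSA(512) Au=RSA  Enc=RC2(40)     Mac=MD5  export
AES128-SHA                  SSLv3   Kx=RSA      Au=RSA  Enc=AES(128)    Mac=SHA1
""".splitlines()

# Policy knobs (assumed for this example). The 2004 checklist note names SSL 3 / TLS 1.0;
# both have since been deprecated, so the default here is TLS 1.2 and later.
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
WEAK_ALGORITHMS = {"RC2", "DES", "RC4", "None"}  # RC2/DES per the checklist; RC4 per RFC 7465
MIN_KEY_BITS = 128                               # OWASP-DP-006: "128 bit encryption"

# Field layout of one `openssl ciphers -v` line. The protocol field is the suite's
# minimum version, so protocol policy is checked against the enabled-version list instead.
CIPHER_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>[A-Za-z0-9]+)\((?P<bits>\d+)\)\s+Mac=(?P<mac>\S+)"
)


@dataclass(frozen=True)
class Finding:
    ref: str      # checklist reference, e.g. OWASP-DP-004
    subject: str  # protocol version or cipher suite name
    detail: str


def parse_cipher(line):
    """Parse one cipher description line into a dict, or None if it does not match."""
    m = CIPHER_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["bits"] = int(d["bits"])
    return d


def review_tls_config(enabled_protocols, cipher_lines,
                      allowed_protocols=ALLOWED_PROTOCOLS,
                      weak_algorithms=WEAK_ALGORITHMS, min_key_bits=MIN_KEY_BITS):
    """Map the configuration evidence onto OWASP-DP-003..006 findings."""
    findings = []
    for proto in enabled_protocols:                       # OWASP-DP-003
        if proto not in allowed_protocols:
            findings.append(Finding("OWASP-DP-003", proto, "protocol version outside policy"))
    for line in cipher_lines:
        c = parse_cipher(line)
        if c is None:
            continue
        if c["au"] == "None":                             # OWASP-DP-004: ADH/AECDH suites
            findings.append(Finding("OWASP-DP-004", c["name"],
                                    "anonymous key exchange (no server authentication)"))
        if c["enc"] in weak_algorithms:                   # OWASP-DP-005
            findings.append(Finding("OWASP-DP-005", c["name"], f"weak algorithm {c['enc']}"))
        if c["bits"] < min_key_bits:                      # OWASP-DP-006
            findings.append(Finding("OWASP-DP-006", c["name"],
                                    f"{c['bits']}-bit key below {min_key_bits}"))
    return findings


def summarize(findings):
    """Count findings per checklist reference, for the report's summary table."""
    counts = {}
    for f in findings:
        counts[f.ref] = counts.get(f.ref, 0) + 1
    return counts


if __name__ == "__main__":
    for f in review_tls_config(SAMPLE_PROTOCOLS, SAMPLE_CIPHERS):
        print(f"{f.ref}: {f.subject}: {f.detail}")
```

On the sample the review reports two DP-003 findings (SSLv3, TLSv1), one DP-004 (the ADH suite), two DP-005 (DES, RC2) and two DP-006 (56- and 40-bit keys); the two AES suites pass. Since the cipher descriptions are parsed from text, the same function works on a list captured from the server's own configuration review as well as on a scanner's output.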


Appendix A - OASIS WAS Vulnerability Types

AccessControl
Problems that can allow users to access assets or functions for which they are not
authorized. Frequently, there is no access control mechanism where there should be. A
proper access control mechanism should enforce the principles of a reference monitor: it
should be tamperproof and analyzable.

AppDOS
Flaws that may allow an attacker to completely or partially prevent users from using an
application properly.

AppDOS.Flood
Used for application denial of service problems that involve saturating a limited
resource shared by all users of the application, such as disk space, CPU, network
bandwidth, database connections, or memory.

AppDOS.Lockout
Used for application denial of service problems that involve using up a resource or
limit allocated to users, such as failed logon attempts, messages, or transactions.

Authentication
Used for problems related to determining the identity of individuals or entities, and
authenticating that identity.

Authentication.Entity
Used for problems with authenticating automated systems, such as web services,
databases, directories, and others. Examples include secure credential storage, securing
transport, changing credentials, and terminating access.

Authentication.SessionManagement
Used for problems with issuing, using, protecting, changing, and terminating session
identifiers of all kinds. Session identifiers stand in the place of authentication
credentials, yet are frequently not protected as carefully.
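Three of the Authentication.SessionManagement items in Table 1 (OWASP-AUTHSM-001 token length, OWASP-AUTHSM-003 reuse across SSL and non-SSL resources, OWASP-AUTHSM-005 non-persistent token) can be partly verified from the Set-Cookie headers the application issues. The following is an added example, not from the checklist: it parses each Set-Cookie value, estimates an upper bound on the token's bits from its length and apparent alphabet, and flags a missing Secure attribute (the token would be sent to non-SSL resources) and an Expires/Max-Age attribute (the token is persisted to disk). The sample headers, the set of cookie names treated as session tokens, and the 64-bit threshold are all assumptions of this example.

```python
import math
import re
from dataclasses import dataclass, field

# Constructed sample Set-Cookie header values (not captured from any real application).
SAMPLE_SET_COOKIE_HEADERS = [
    "JSESSIONID=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08; Path=/; Secure; HttpOnly",
    "sid=12345; Path=/",
    "auth=YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXo; Path=/; Secure; Expires=Wed, 01 Jan 2031 00:00:00 GMT",
]
SESSION_COOKIE_NAMES = {"JSESSIONID", "sid", "auth"}  # assumed: cookies that carry the session token
MIN_TOKEN_BITS = 64                                    # assumed threshold for OWASP-AUTHSM-001


@dataclass
class CookieReview:
    name: str
    est_bits: float
    findings: list = field(default_factory=list)


def estimate_token_bits(value):
    """Upper bound on token entropy: length times bits per character of the apparent alphabet.
    A token that looks decimal cannot carry more than log2(10) bits per character, and so on;
    the true entropy may be lower, so this only catches tokens that are too short outright."""
    if re.fullmatch(r"[0-9]+", value):
        per_char = math.log2(10)
    elif re.fullmatch(r"[0-9a-fA-F]+", value):
        per_char = 4
    elif re.fullmatch(r"[A-Za-z0-9+/=_-]+", value):
        per_char = 6
    else:
        per_char = math.log2(95)  # printable ASCII
    return len(value) * per_char


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attribute_lowercase: attribute_value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name.strip(), value, attrs


def review_session_cookie(header, min_bits=MIN_TOKEN_BITS):
    """Apply the three header-visible checks to one session cookie."""
    name, value, attrs = parse_set_cookie(header)
    bits = estimate_token_bits(value)
    r = CookieReview(name, bits)
    if bits < min_bits:
        r.findings.append(f"OWASP-AUTHSM-001: token length at most ~{bits:.0f} bits, below {min_bits}")
    if "secure" not in attrs:
        r.findings.append("OWASP-AUTHSM-003: no Secure attribute; token is also sent to non-SSL resources")
    if "expires" in attrs or "max-age" in attrs:
        r.findings.append("OWASP-AUTHSM-005: persistent cookie; token is written to the browser's disk store")
    return r


def review_all(headers, session_names=SESSION_COOKIE_NAMES):
    """Review only the cookies that carry the session token."""
    return [review_session_cookie(h) for h in headers if parse_set_cookie(h)[0] in session_names]


if __name__ == "__main__":
    for r in review_all(SAMPLE_SET_COOKIE_HEADERS):
        print(r.name, f"~{r.est_bits:.0f} bits", r.findings or "ok")
```

On the sample, the 64-hex-character JSESSIONID passes all three checks, the short decimal `sid` is flagged under AUTHSM-001 and AUTHSM-003, and `auth` is flagged under AUTHSM-005 because of its Expires attribute. Timeout (AUTHSM-002) and invalidation on logout (AUTHSM-004) are server-side behaviours and cannot be judged from headers alone.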
Authentication.User
Used for issues related to identification and authentication of people who may use an
application. Problems with usernames, passwords, tokens, smartcards, biometrics, and
other credentials are examples.

Authentication.UserManagement
Used for problems related to managing a set of users, especially security-relevant
information such as roles, privileges, authorizations, groups, social security numbers,
credit card numbers, and other sensitive information; also, problems with creating new
users, registration, granting rights, and terminating access.

BufferOverflow
Flaws that can allow an attacker to use format strings to overwrite locations in memory,
allowing data to be changed, program control to be altered, or the program to crash.

BufferOverflow.Format
Flaws that can allow an attacker to use format strings to overwrite locations in memory,
allowing data to be changed, program control to be altered, or the program to crash.

BufferOverflow.Heap
Flaws that can allow an attacker to overflow memory that is dynamically allocated by the
application.

BufferOverflow.Stack
Flaws that can allow an attacker to write data into the stack, causing the program to
crash or transfer control.

Concurrency
Used for errors in multithreaded environments that allow data to be shared or corrupted.
Examples include variables that are shared between threads and cause
time-of-check-time-of-use (TOCTOU) problems, broken singleton patterns, and poor cache
design.

ConfigurationManagement
Used to describe problems in the configuration of an application or application
environment.

ConfigurationManagement.Administration
Used for problems in the application's mechanisms that enable remote administration,
such as user management, credential management, database management, and other
configuration options.

ConfigurationManagement.Application
Used to describe problems in the application's configuration, such as mis-configured
security mechanisms, default programs, unused code, and unnecessarily enabled features.

ConfigurationManagement.Infrastructure
Used for problems with the configuration of the application's infrastructure, such as
the web and application servers, filters, and external security mechanisms.

Cryptography
Used for problems related to encryption, decryption, signing, and verification.

Cryptography.Algorithm
Used for cryptographic algorithm selection, implementation, and analysis problems.

Cryptography.KeyManagement
Used for issues with certificate storage, tokens, revocation, certificates, key stores,
issuing keys, and other key issues.

16
OWASP Web Application Penetration Checklist
DataProtection
Usado para los puntos relacionados al usoa la inapropiadao de revelación de datos.Used
for issues related to inappropriate disclosure of data.

DataProtection.Storage
Usado par problemas con el almacenamiento seguro de datos, incluyendo
almacenamiento de credenciales, llaves y otra información sensitivasensible. Errores
relacionados con los mecanismos de criptografía incluyendo recursos fuentes pobres de
generación al azar aleatoriedad, mala selección de algoritmos y pobre
implementación.Used for problems storing data securely, including storage of credentials,
keys, and other sensitive information. Mistakes related to cryptographic mechanisms
include poor sources of randomness, bad choice of algorithm, and poor implementation.

DataProtection.Transport
Usado para problemas relacionados a la transferencia segura de información.
Frecuentemente, esto se referiráiere a problemas con la configuración SSL o TLS, pero
pudiera incluir otros protocolos con caracteristicascaracterísticas de seguridad.Used for
problems related to secure transfer of information. Frequently, this will refer to problems
with SSL or TLS configuration, but could include other protocols with security features.

ErrorHandling
Used for problems in handling errors, including printing stack traces to the screen, fail-open
security mechanisms, allowing errors to affect the operation of the entire application, and
revealing too much information about a failure.
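The fail-open case above, as an added example that is not part of the checklist: an authorization check whose error path defaults to "permit", beside a fail-closed version that denies and keeps the failure detail in the log. The ACL, the user table and the function names are hypothetical.

```python
# Added example (not from the OWASP checklist): a fail-open authorization
# check beside a fail-closed one. ACL, users and names are hypothetical.
import logging

logger = logging.getLogger("authz")

# Constructed sample ACL: resource -> roles allowed to read it.
ACL = {"/reports": {"auditor", "admin"}}


def lookup_roles(user):
    """Stand-in for a directory lookup. It raises for an unknown user,
    the way a real backend fails when it is down or misconfigured."""
    roles = {"alice": {"auditor"}, "bob": {"guest"}}
    if user not in roles:
        raise LookupError(f"no directory entry for {user!r}")
    return roles[user]


def is_allowed_fail_open(user, resource):
    """Fail-open: the decision defaults to 'permit' and an error in the
    lookup leaves that default in place, so an outage or a bad username
    grants access."""
    allowed = True  # the defect: permit until proven otherwise
    try:
        allowed = bool(lookup_roles(user) & ACL.get(resource, set()))
    except Exception as exc:
        logger.error("authz error: %s", exc)  # check never completed
    return allowed


def is_allowed_fail_closed(user, resource):
    """Fail-closed: any error denies. The stack trace goes to the log,
    and the caller only sees the decision, not the failure reason."""
    try:
        return bool(lookup_roles(user) & ACL.get(resource, set()))
    except Exception:
        logger.exception("authz check failed for %r on %r", user, resource)
        return False
```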

InputValidation
Used for issues related to failure to validate untrusted input before it is relied on by an
application.

InputValidation.File
Used for input validation problems where the input comes from a file, such as a properties
file, batch data file, flat-file database, or other file-based data.

InputValidation.User
Used for input validation problems where the input comes from a human user, such as HTTP
request parameters, command line input, or input events from an application's GUI.

InputValidation.Network
Used for input validation problems where the input comes from a network protocol, such as
HTTP headers, sequence numbers, or other protocol fields.

Injection
Problems that can allow an attacker to bury commands in data and have them interpreted by
some system that the data reaches.

Injection.HTML
Flaws that can allow an attacker to inject HTML into an application and modify the
appearance of the HTML generated by that application. For example, an attacker might inject
an unwanted IMG tag into a guest book and offend other users.

Injection.OSCommand
Flaws that can allow an attacker to inject special characters and commands into the
operating system command shell and modify the intended command. The attack might
attempt to modify how a program is invoked, or might attempt to chain additional commands.

Injection.LDAP
Flaws that can allow an attacker to inject special characters and search terms into an LDAP
server and modify the intended query.

Injection.SQL
Flaws that can allow an attacker to inject special characters and commands into an SQL
database and modify the intended query. The attack might attempt to change the meaning of
the query, or might attempt to chain additional commands.
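The "modify the intended query" case, as an added example that is not part of the checklist: the same lookup built by string concatenation and with a bound parameter, run against a constructed in-memory SQLite table. The table, its rows and the function names are hypothetical.

```python
# Added example (not from the OWASP checklist): one lookup written two ways
# against a constructed in-memory SQLite table. Table and rows are hypothetical.
import sqlite3

conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?)",
                 [("alice", "alice@example.test"),
                  ("bob", "bob@example.test")])
conn.commit()


def find_email_vulnerable(name):
    """Concatenates the input into the statement text. A quote character
    in the input ends the string literal, and whatever follows is parsed
    as SQL, so the query that runs is no longer the one the author wrote."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_email_safe(name):
    """Binds the input as a parameter. The statement text is fixed before
    the value is supplied, so the input is only ever compared as a value,
    whatever characters it contains."""
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]
```

For an ordinary name both functions return the same row; for an input that contains a quote, only the concatenated version changes the statement that the database executes.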

Injection.XSS
Flaws that can allow an attacker to send and execute malicious scripts through a web
application. Stored XSS attacks store the script in the web application. Reflected XSS attacks
are bounced off a web application in real time and require a user to be tricked into sending
the request containing the attack.

Monitoring
Used for issues related to monitoring the security posture of a web application.

Monitoring.Logging
Used for issues concerning the proper logging of events, including what should be logged,
how it should be logged, how logs should be reviewed, and other issues related to
accountability.

Monitoring.Detection
Used for issues related to the detection of attacks on an application, how attacks should be
handled, the information that should be gathered, and who should be notified.


Index

B
benchmark
    checklist, 6
    testing framework, 6

C
checklist
    background, 5
    pen test, 10
    using as a checklist, 6
checklist as a benchmark, 6

F
feedback on checklist, iv
framework
    testing, 6

O
OASIS WAS, 6
    standard, 6
OASIS WAS XL standard, 7
OWASP
    about, iv
    testing project, 6

P
pen test checklist, 5
penetration testing workflow, 7
penetration testing workflow diagram, 9

R
RFP template, 5

T
testing framework
    part one, 6
    part two, 6
testing project
    OWASP, 6

V
vulnerability types
    WAS, 7

W
WAS
    OASIS, 6
WAS vulnerability types, 7
workflow
    penetration testing, 7

X
XML standard, 6