Mapping OWASP Top 10 (2010) against OWASP Testing Guide 3.0

| Category | Testing Guide Ref. Number | Top 10 Ref. Number | Test Name | Vulnerability |
|---|---|---|---|---|
| Information Gathering | OWASP-IG-001 | | Spiders, Robots and Crawlers | N.A. |
| Information Gathering | OWASP-IG-002 | | Search Engine Discovery/Reconnaissance | N.A. |
| Information Gathering | OWASP-IG-003 | | Identify application entry points | N.A. |
| Information Gathering | OWASP-IG-004 | | Testing for Web Application Fingerprint | N.A. |
| Information Gathering | OWASP-IG-005 | | Application Discovery | N.A. |
| Information Gathering | OWASP-IG-006 | | Analysis of Error Codes | Information Disclosure |
| Configuration Management Testing | OWASP-CM-001 | A9 | SSL/TLS Testing (SSL Version, Algorithms, Key length, Digital Cert. Validity) | SSL Weakness |
| Configuration Management Testing | OWASP-CM-002 | | DB Listener Testing | DB Listener weak |
| Configuration Management Testing | OWASP-CM-003 | A6 | Infrastructure Configuration Management Testing | Infrastructure Configuration management weakness |
| Configuration Management Testing | OWASP-CM-004 | A6 | Application Configuration Management Testing | Application Configuration management weakness |
| Configuration Management Testing | OWASP-CM-005 | | Testing for File Extensions Handling | File extensions handling |
| Configuration Management Testing | OWASP-CM-006 | | Old, backup and unreferenced files | Old, backup and unreferenced files |
| Configuration Management Testing | OWASP-CM-007 | | Infrastructure and Application Admin Interfaces | Access to Admin interfaces |
| Configuration Management Testing | OWASP-CM-008 | | Testing for HTTP Methods and XST | HTTP Methods enabled, XST permitted, HTTP Verb |
| Authentication Testing | OWASP-AT-001 | A9 | Credentials transport over an encrypted channel | Credentials transport over an encrypted channel |
| Authentication Testing | OWASP-AT-002 | | Testing for user enumeration | User enumeration |
| Authentication Testing | OWASP-AT-003 | | Testing for Guessable (Dictionary) User Account | Guessable user account |
| Authentication Testing | OWASP-AT-004 | | Brute Force Testing | Credentials Brute forcing |
| Authentication Testing | OWASP-AT-005 | | Testing for bypassing authentication schema | Bypassing authentication schema |
| Authentication Testing | OWASP-AT-006 | | Testing for vulnerable remember password and pwd reset | Vulnerable remember password, weak pwd reset |
| Authentication Testing | OWASP-AT-007 | A3 | Testing for Logout and Browser Cache Management | Logout function not properly implemented, browser cache weakness |
| Authentication Testing | OWASP-AT-008 | | Testing for CAPTCHA | Weak Captcha implementation |
| Authentication Testing | OWASP-AT-009 | | Testing Multiple Factors Authentication | Weak Multiple Factors Authentication |
| Authentication Testing | OWASP-AT-010 | | Testing for Race Conditions | Race Conditions vulnerability |
| Session Management | OWASP-SM-001 | A3 | Testing for Session Management Schema | Bypassing Session Management Schema, Weak Session Token |
| Session Management | OWASP-SM-002 | A3 | Testing for Cookies attributes | Cookies set without 'HttpOnly', 'Secure', and no time validity |
| Session Management | OWASP-SM-003 | A3 | Testing for Session Fixation | Session Fixation |
| Session Management | OWASP-SM-004 | A3 | Testing for Exposed Session Variables | Exposed sensitive session variables |
| Session Management | OWASP-SM-005 | A5 | Testing for CSRF | CSRF |
| Authorization Testing | OWASP-AZ-001 | A4 | Testing for Path Traversal | Path Traversal |
| Authorization Testing | OWASP-AZ-002 | A8 | Testing for bypassing authorization schema | Bypassing authorization schema |
| Authorization Testing | OWASP-AZ-003 | | Testing for Privilege Escalation | Privilege Escalation |
| Business Logic Testing | OWASP-BL-001 | | Testing for business logic | Bypassable business logic |
| Data Validation Testing | OWASP-DV-001 | A2 | Testing for Reflected Cross Site Scripting | Reflected XSS |
| Data Validation Testing | OWASP-DV-002 | A2 | Testing for Stored Cross Site Scripting | Stored XSS |
| Data Validation Testing | OWASP-DV-003 | A2 | Testing for DOM based Cross Site Scripting | DOM XSS |
| Data Validation Testing | OWASP-DV-004 | | Testing for Cross Site Flashing | Cross Site Flashing |
| Data Validation Testing | OWASP-DV-005 | A1 | SQL Injection | SQL Injection |
| Data Validation Testing | OWASP-DV-006 | A1 | LDAP Injection | LDAP Injection |
| Data Validation Testing | OWASP-DV-007 | A1 | ORM Injection | ORM Injection |
| Data Validation Testing | OWASP-DV-008 | A1 | XML Injection | XML Injection |
| Data Validation Testing | OWASP-DV-009 | A1 | SSI Injection | SSI Injection |
| Data Validation Testing | OWASP-DV-010 | A1 | XPath Injection | XPath Injection |
| Data Validation Testing | OWASP-DV-011 | A1 | IMAP/SMTP Injection | IMAP/SMTP Injection |
| Data Validation Testing | OWASP-DV-012 | A1 | Code Injection | Code Injection |
| Data Validation Testing | OWASP-DV-013 | | OS Commanding | OS Commanding |
| Data Validation Testing | OWASP-DV-014 | | Buffer overflow | Buffer overflow |
| Data Validation Testing | OWASP-DV-015 | | Incubated vulnerability Testing | Incubated vulnerability |
| Data Validation Testing | OWASP-DV-016 | | Testing for HTTP Splitting/Smuggling | HTTP Splitting, Smuggling |
| Denial of Service Testing | OWASP-DS-001 | | Testing for SQL Wildcard Attacks | SQL Wildcard vulnerability |
| Denial of Service Testing | OWASP-DS-002 | | Locking Customer Accounts | Locking Customer Accounts |
| Denial of Service Testing | OWASP-DS-003 | | Testing for DoS Buffer Overflows | Buffer Overflows |
| Denial of Service Testing | OWASP-DS-004 | | User Specified Object Allocation | User Specified Object Allocation |
| Denial of Service Testing | OWASP-DS-005 | | User Input as a Loop Counter | User Input as a Loop Counter |
| Denial of Service Testing | OWASP-DS-006 | | Writing User Provided Data to Disk | Writing User Provided Data to Disk |
| Denial of Service Testing | OWASP-DS-007 | | Failure to Release Resources | Failure to Release Resources |
| Denial of Service Testing | OWASP-DS-008 | | Storing too Much Data in Session | Storing too Much Data in Session |
| Web Services Testing | OWASP-WS-001 | | WS Information Gathering | N.A. |
| Web Services Testing | OWASP-WS-002 | | Testing WSDL | WSDL Weakness |
| Web Services Testing | OWASP-WS-003 | | XML Structural Testing | Weak XML Structure |
| Web Services Testing | OWASP-WS-004 | | XML content-level Testing | XML content-level |
| Web Services Testing | OWASP-WS-005 | | HTTP GET parameters/REST Testing | WS HTTP GET parameters/REST |
| Web Services Testing | OWASP-WS-006 | | Naughty SOAP attachments | WS Naughty SOAP attachments |
| Web Services Testing | OWASP-WS-007 | | Replay Testing | WS Replay Testing |
| AJAX Testing | OWASP-AJ-001 | | AJAX Vulnerabilities | N.A. |
| AJAX Testing | OWASP-AJ-002 | | AJAX Testing | AJAX weakness |


As you may have noticed, A7 (Insecure Cryptographic Storage) and A10 (Unvalidated Redirects and Forwards) have no corresponding test in OWASP Testing Guide 3.0; hopefully they will appear in OWASP Testing Guide 4.0 when it is released.