owasp mobile app checklist v1.0

Upload: sam-kumar

Post on 25-Feb-2018


7/25/2019 OWASP Mobile App Checklist v1.0

CLIENT SIDE CHECKS

| Sr. | Vulnerability Name | Applicable Platform | Compliant? (Yes/No/NA) |
|-----|--------------------|---------------------|------------------------|
| 1 | Application is Vulnerable to Reverse Engineering Attack | All | |
| 2 | Account Lockout not Implemented | All | |
| 3 | Application is Vulnerable to XSS | All | |
| 4 | Authentication bypassed | All | |
| 5 | Hard-coded sensitive information in Application Code | All | |
| 6 | Malicious File Upload | All | |
| 7 | Session Fixation | All | |
| 8 | Application does not Verify MSISDN | WAP | |
| 9 | Privilege Escalation | All | |
| 10 | SQL Injection | All | |
| 11 | Attacker can bypass Second Level Authentication | All | |
| 12 | Application is vulnerable to LDAP Injection | All | |
| 13 | Application is vulnerable to OS Command Injection | All | |
| 14 | iOS snapshot/backgrounding Vulnerability | iOS | |
| 15 | Debug is set to TRUE | Android | |
| 16 | Application makes use of Weak Cryptography | All | |
| 17 | Cleartext information under SSL Tunnel | All | |
| 18 | Client Side Validation can be bypassed | All | |
| 19 | Invalid SSL Certificate | All | |
| 20 | Sensitive Information is sent as Clear Text over network | All | |
| 21 | CAPTCHA is not implemented on Public Pages/Login Pages | All | |
| 22 | Improper or NO implementation of Change Password Page | All | |
| 23 | Application does not have Logout Functionality | All | |
| 24 | Sensitive information in Application Log Files | All | |
| 25 | Sensitive information sent as a query string parameter | All | |
| 26 | URL Modification | All | |
| 27 | Sensitive information in Memory Dump | All | |
| 28 | Weak Password Policy | All | |
| 29 | Autocomplete is not set to OFF | All | |
| 30 | Application is accessible on Rooted or Jailbroken Device | All | |
| 31 | Back-and-Refresh attack | All | |
| 32 | Directory Browsing | All | |
| 33 | Usage of Persistent Cookies | All | |
| 34 | Open URL Redirects are possible | All | |
| 35 | Improper exception Handling: In code | All | |
| 36 | Insecure Application Permissions | All | |
| 37 | Application build contains Obsolete Files | All | |
| 38 | Certificate Chain is not Validated | All | |
| 39 | Last Login information is not displayed | All | |
| 40 | Private IP Disclosure | All | |
| 41 | UI Impersonation through RMS file modification | JAVA | |
| 42 | UI Impersonation through JAR file modification | Android | |
| 43 | Operation on a resource after expiration or release | All | |
| 44 | No Certificate Pinning | All | |
| 45 | Cached Cookies or information not cleaned after application removal/Close | All | |
| 46 | ASLR Not Used | iOS | |
| 47 | Clipboard is not disabled | All | |
| 48 | Cache smashing protection is not enabled | iOS | |
| 49 | Android Backup Vulnerability | Android | |

SERVER SIDE CHECKS

| Sr. | Vulnerability Name | Applicable Platform | Compliant? (Yes/No/NA) |
|-----|--------------------|---------------------|------------------------|
| 50 | Cleartext password in Response | All | |
| 51 | Direct Reference to internal resource without authentication | All | |
| 52 | Application has NO or improper Session Management | All | |
| 53 | Cross Domain Scripting Vulnerability | All | |
| 54 | Cross Origin Resource Sharing | All | |
| 55 | Improper Input Validation - Server Side | All | |
| 56 | Detailed Error page shows internal sensitive information | All | |
| 57 | Application allows HTTP Methods besides GET and POST | All | |
| 58 | Cross Site Request Forgery (CSRF)/SSRF | All | |
| 59 | Cacheable HTTPS Responses | All | |
| 60 | Path Attribute not set on a Cookie | All | |
| 61 | HttpOnly Attribute not set for a cookie | All | |
| 62 | Secure Attribute not set for a cookie | All | |
| 63 | Application is Vulnerable to Clickjacking/Tapjacking attack | All | |
| 64 | Server/OS fingerprinting is possible | All | |