OWASP Mobile Checklist Final


CLIENT SIDE CHECKS

| Sr. | Vulnerability Name | Applicable Platform | Compliant? (Yes/No/NA) | Classification |
|-----|--------------------|---------------------|------------------------|----------------|
| 1 | Application is Vulnerable to Reverse Engineering Attack/Lack of Code Obfuscation | All | | Static Checks |
| 2 | Account Lockout not Implemented | All | | Dynamic Checks |
| 3 | Application is Vulnerable to XSS | All | | Static + Dynamic Checks |
| 4 | Authentication bypassed | All | | Dynamic Checks |
| 5 | Hard coded sensitive information in Application Code (including Crypto Keys) | All | | Static Checks |
| 6 | Malicious File Upload | All | | Dynamic Checks |
| 7 | Session Fixation | All | | Dynamic Checks |
| 8 | Application does not Verify MSISDN | WAP | | Unknown |
| 9 | Privilege Escalation | All | | Dynamic Checks |
| 10 | SQL Injection | All | | Static + Dynamic Checks |
| 11 | Attacker can bypass Second Level Authentication | All | | Dynamic Checks |
| 12 | Application is vulnerable to LDAP Injection | All | | Dynamic Checks |
| 13 | Application is vulnerable to OS Command Injection | All | | Dynamic Checks |
| 14 | iOS snapshot/backgrounding Vulnerability | iOS | | Dynamic Checks |
| 15 | Debug is set to TRUE | Android | | Static Checks |
| 16 | Application makes use of Weak Cryptography | All | | Static Checks |
| 17 | Cleartext information under SSL Tunnel | All | | Dynamic Checks |
| 18 | Client Side Validation can be bypassed | All | | Dynamic Checks |
| 19 | Invalid SSL Certificate | All | | Static Checks |
| 20 | Sensitive Information is sent as Clear Text over network/Lack of Data Protection | All | | Dynamic Checks |
| 21 | CAPTCHA is not implemented on Public Pages/Login Pages | All | | Dynamic Checks |
| 22 | Improper or NO implementation of Change Password Page | All | | Dynamic Checks |
| 23 | Application does not have Logout Functionality | All | | Dynamic Checks |
| 24 | Sensitive information in Application Log Files | All | | Dynamic Checks |
| 25 | Sensitive information sent as a querystring parameter | All | | Dynamic Checks |
| 26 | URL Modification | All | | Dynamic Checks |
| 27 | Sensitive information in Memory Dump | All | | Dynamic Checks |
| 28 | Weak Password Policy | All | | Dynamic Checks |
| 29 | Autocomplete is not set to OFF | All | | Static Checks |
| 30 | Application is accessible on Rooted or Jail Broken Device | All | | Dynamic Checks |
| 31 | Back-and-Refresh attack | All | | Dynamic Checks |
| 32 | Directory Browsing | All | | Static + Dynamic Checks |
| 33 | Usage of Persistent Cookies | All | | Dynamic Checks |
| 34 | Open URL Redirects are possible | All | | Dynamic Checks |
| 35 | Improper exception Handling: In code | All | | Static Checks |
| 36 | Insecure Application Permissions | All | | Static Checks |
| 37 | Application build contains Obsolete Files | All | | Static Checks |
| 38 | Certificate Chain is not Validated | All | | Static + Dynamic Checks |
| 39 | Last Login information is not displayed | All | | Dynamic Checks |
| 40 | Private IP Disclosure | All | | Static Checks |
| 41 | UI Impersonation through RMS file modification | JAVA | | Dynamic Checks |
| 42 | UI Impersonation through JAR file modification | Android | | Dynamic Checks |
| 43 | Operation on a resource after expiration or release | All | | Dynamic Checks |
| 44 | No Certificate Pinning | All | | Dynamic Checks |
| 45 | Cached Cookies or information not cleaned after application removal/Close | All | | Dynamic Checks |
| 46 | ASLR Not Used | iOS | | Static Checks |
| 47 | Clipboard is not disabled | All | | Dynamic Checks |
| 48 | Stack smashing protection is not enabled | iOS | | Static Checks |
| 49 | Android Backup Vulnerability | Android | | Static Checks |
| 50 | Unencrypted Credentials in Databases (sqlite db) | All | | Dynamic Checks |
| 51 | Store sensitive information outside App Sandbox (on SDCard) | All | | Dynamic Checks |
| 52 | Allow Global File Permission on App Data | Android | | Dynamic Checks |
| 53 | Store Encryption Key Locally/Store Sensitive Data in ClearText | All | | Dynamic Checks |
| 54 | Bypass Certificate Pinning | All | | Dynamic Checks |
| 55 | Third-party Data Transit on Unencrypted Channel | All | | Dynamic Checks |
| 56 | Failure to Implement Trusted Issuers | Android | | Static Checks |
| 57 | Allow All Hostname Verifier | Android | | Static Checks |
| 58 | Ignore SSL Certificate Error | All | | Static Checks |
| 59 | Weak Custom Hostname Verifier | Android | | Static Checks |
| 60 | App/Web Caches Sensitive Data Leak | All | | Dynamic Checks |
| 61 | Leaking Content Provider | Android | | Dynamic Checks |
| 62 | Redundancy Permission Granted | Android | | Static Checks |
| 63 | Use Spoof-able Values for Authenticating User (IMEI, UDID) | All | | Dynamic Checks |
| 64 | Use of Insecure and/or Deprecated Algorithms | All | | Static Checks |
| 65 | Local File Inclusion (might be through XSS Vulnerability) | All | | Static + Dynamic Checks |
| 66 | Activity Hijacking | Android | | Static Checks |
| 67 | Service Hijacking | Android | | Static Checks |
| 68 | Broadcast Thief | Android | | Static Checks |
| 69 | Malicious Broadcast Injection | Android | | Static Checks |
| 70 | Malicious Activity/Service Launch | Android | | Static Checks |
| 71 | Using Device Identifier as Session | All | | Dynamic Checks |
| 72 | Symbols Remnant | iOS | | Static Checks |
| 73 | Lack of Check-sum Controls/Altered Detection | Android | | Dynamic Checks |

SERVER SIDE CHECKS

| Sr. | Vulnerability Name | Applicable Platform | Compliant? (Yes/No/NA) | Classification |
|-----|--------------------|---------------------|------------------------|----------------|
| 73 | Cleartext password in Response | All | | Dynamic Checks |
| 74 | Direct Reference to internal resource without authentication | All | | Dynamic Checks |
| 75 | Application has NO or improper Session Management/Failure to Invalidate Session | All | | Dynamic Checks |
| 76 | Cross Domain Scripting Vulnerability | All | | Dynamic Checks |
| 77 | Cross Origin Resource Sharing | All | | Dynamic Checks |
| 78 | Improper Input Validation - Server Side | All | | Dynamic Checks |
| 79 | Detailed Error page shows internal sensitive information | All | | Dynamic Checks |
| 80 | Application allows HTTP Methods besides GET and POST | All | | Dynamic Checks |
| 81 | Cross Site Request Forgery (CSRF)/SSRF | All | | Dynamic Checks |
| 82 | Cacheable HTTPS Responses | All | | Dynamic Checks |
| 83 | Path Attribute not set on a Cookie | All | | Dynamic Checks |
| 84 | HttpOnly Attribute not set for a cookie | All | | Dynamic Checks |
| 85 | Secure Attribute not set for a cookie | All | | Dynamic Checks |
| 86 | Application is Vulnerable to Clickjacking/Tapjacking attack | All | | Dynamic Checks |
| 87 | Server/OS fingerprinting is possible | All | | Dynamic Checks |
| 88 | Lack of Adequate Timeout Protection | All | | Dynamic Checks |
