
CLIENT SIDE CHECKS

| Sr. | Vulnerability Name | Applicable Platform | Compliant? Yes/No/NA |
|-----|--------------------|---------------------|----------------------|
| 1 | Application is Vulnerable to Reverse Engineering Attack | All | |
| 2 | Account Lockout not Implemented | All | |
| 3 | Application is Vulnerable to XSS | All | |
| 4 | Authentication bypassed | All | |
| 5 | Hard coded sensitive information in Application Code | All | |
| 6 | Malicious File Upload | All | |
| 7 | Session Fixation | All | |
| 8 | Application does not Verify MSISDN | WAP | |
| 9 | Privilege Escalation | All | |
| 10 | SQL Injection | All | |
| 11 | Attacker can bypass Second Level Authentication | All | |
| 12 | Application is vulnerable to LDAP Injection | All | |
| 13 | Application is vulnerable to OS Command Injection | All | |
| 14 | iOS snapshot/backgrounding Vulnerability | iOS | |
| 15 | Debug is set to TRUE | Android | |
| 16 | Application makes use of Weak Cryptography | All | |
| 17 | Cleartext information under SSL Tunnel | All | |
| 18 | Client Side Validation can be bypassed | All | |
| 19 | Invalid SSL Certificate | All | |
| 20 | Sensitive Information is sent as Clear Text over network | All | |
| 21 | CAPTCHA is not implemented on Public Pages/Login Pages | All | |
| 22 | Improper or NO implementation of Change Password Page | All | |
| 23 | Application does not have Logout Functionality | All | |
| 24 | Sensitive information in Application Log Files | All | |
| 25 | Sensitive information sent as a querystring parameter | All | |
| 26 | URL Modification | All | |
| 27 | Sensitive information in Memory Dump | All | |
| 28 | Weak Password Policy | All | |
| 29 | Autocomplete is not set to OFF | All | |
| 30 | Application is accessible on Rooted or Jail Broken Device | All | |
| 31 | Back-and-Refresh attack | All | |
| 32 | Directory Browsing | All | |
| 33 | Usage of Persistent Cookies | All | |
| 34 | Open URL Redirects are possible | All | |
| 35 | Improper exception Handling: In code | All | |
| 36 | Insecure Application Permissions | All | |
| 37 | Application build contains Obsolete Files | All | |
| 38 | Certificate Chain is not Validated | All | |
| 39 | Last Login information is not displayed | All | |
| 40 | Private IP Disclosure | All | |
| 41 | UI Impersonation through RMS file modification | JAVA | |
| 42 | UI Impersonation through JAR file modification | Android | |
| 43 | Operation on a resource after expiration or release | All | |
| 44 | No Certificate Pinning | All | |
| 45 | Cached Cookies or information not cleaned after application removal/Clos | All | |
| 46 | ASLR Not Used | iOS | |
| 47 | Clipboard is not disabled | All | |
| 48 | Cache smashing protection is not enabled | iOS | |
| 49 | Android Backup Vulnerability | Android | |

SERVER SIDE CHECKS


| Sr. | Vulnerability Name | Applicable Platform | Compliant? Yes/No/NA |
|-----|--------------------|---------------------|----------------------|
| 50 | Cleartext password in Response | All | |
| 51 | Direct Reference to internal resource without authentication | All | |
| 52 | Application has NO or improper Session Management | All | |
| 53 | Cross Domain Scripting Vulnerability | All | |
| 54 | Cross Origin Resource Sharing | All | |
| 55 | Improper Input Validation - Server Side | All | |
| 56 | Detailed Error page shows internal sensitive information | All | |
| 57 | Application allows HTTP Methods besides GET and POST | All | |
| 58 | Cross Site Request Forgery (CSRF)/SSRF | All | |
| 59 | Cacheable HTTPS Responses | All | |
| 60 | Path Attribute not set on a Cookie | All | |
| 61 | HttpOnly Attribute not set for a cookie | All | |
| 62 | Secure Attribute not set for a cookie | All | |
| 63 | Application is Vulnerable to Clickjacking/Tapjacking attack | All | |
| 64 | Server/OS fingerprinting is possible | All | |
