Web Application Security Testing Cheat Sheet
[hide]
- 1 DRAFT CHEAT SHEET - WORK IN PROGRESS
- 2 Introduction
- 3 Purpose
- 4 The Checklist
- 4.1 Information Gathering
- 4.2 Configuration Management
- 4.3 Secure Transmission
- 4.4 Authentication
- 4.5 Session Management
- 4.6 Authorization
- 4.7 Data Validation
- 4.8 Denial of Service
- 4.9 Business Logic
- 4.10 Cryptography
- 4.11 Risky Functionality - File Uploads
- 4.12 Risky Functionality - Card Payment
- 4.13 Web Service Testing
- 4.14 HTML 5
- 4.15 Error Handling
- 4.16 Other Formats
- 4.17 Authors and contributors
- 4.18 Related articles
DRAFT CHEAT SHEET - WORK IN PROGRESS
Introduction
This cheat sheet provides a checklist of tasks to be performed when performing a blackbox security test of a web application.
Purpose
This checklist is intended to be used as an aide memoire for experienced pentesters and should be used in conjunction with the OWASP Testing Guide. It will be updated as the Testing Guide v4 is progressed.
The intention is that this guide will be available as an XML document, with scripts that convert it into formats such as pdf, Media Wiki markup, HTML etc.
This will allow it to be consumed within security tools as well as being available in a format suitable for printing.
All feedback or offers of help will be appreciated - and if you have specific chances you think should be made, just get stuck in.
The Checklist
Information Gathering
- Manually explore the site
- Spider/crawl for missed or hidden content
- Check the Webserver Metafiles for information leakage files that expose content, such as robots.txt, sitemap.xml, .DS_Store
- Check the caches of major search engines for publicly accessible sites
- Check for differences in content based on User Agent (eg, Mobile sites, access as a Search engine Crawler)
- Check The Webpage Comments and Metadata for Information Leakage
- Check The Web Application Framework
- Perform Web Application Fingerprinting
- Identify technologies used
- Identify user roles
- Identify application entry points
- Identify client-side code
- Identify multiple versions/channels (e.g. web, mobile web, mobile app)
- Identify web services
- Identify co-hosted and related applications
- Identify all hostnames and ports
- Identify third-party hosted content
Configuration Management
- Check for commonly used application and administrative URLs
- Check for old, backup and unreferenced files
- Check HTTP methods supported and Cross Site Tracing (XST)
- Test file extensions handling
- Test RIA cross domain policy
- Test for security HTTP headers (e.g. CSP, X-Frame-Options, HSTS)
- Test for policies (e.g. Flash, Silverlight, robots)
- Test for non-production data in live environment, and vice-versa
- Check for sensitive data in client-side code (e.g. API keys, credentials)
Secure Transmission
- Check SSL Version, Algorithms, Key length
- Check for Digital Certificate Validity (Duration, Signature and CN)
- Check credentials only delivered over HTTPS
- Check that the login form is delivered over HTTPS
- Check session tokens only delivered over HTTPS
- Check if HTTP Strict Transport Security (HSTS) in use
Authentication
- Test for user enumeration
- Test for authentication bypass
- Test for brute force protection
- Test for Credentials Transported over an Encrypted Channel
- Test password quality rules * Test remember me functionality
- Test password reset and/or recovery
- Test password change process
- Test CAPTCHA
- Test multi factor authentication
- Test for logout functionality presence
- Test for cache management on HTTP (eg Pragma, Expires, Max-age)
- Test for default logins
- Test for user-accessible authentication history
- Test for out-of channel notification of account lockouts and successful password changes
- Test for consistent authentication across applications with shared authentication schema / SSO and alternative channels
- Test for Weak security question/answer
Session Management
- Establish how session management is handled in the application (eg, tokens in cookies, token in URL)
- Check session tokens for cookie flags (httpOnly and secure)
- Check session cookie scope (path and domain)
- Check session cookie duration (expires and max-age)
- Check session termination after a maximum lifetime
- Check session termination after relative timeout
- Check session termination after logout
- Test to see if users can have multiple simultaneous sessions
- Test session cookies for randomness
- Confirm that new session tokens are issued on login, role change and logout
- Test for consistent session management across applications with shared session management
- Test for session puzzling
- Test for CSRF and clickjacking
Authorization
- Test for path traversal
- Test for vertical Access control problems (a.k.a. Privilege Escalation)
- Test for horizontal Access control problems (between two users at the same privilege level)
- Test for missing authorisation
- Test for Insecure Direct Object References
Data Validation
- Test for Reflected Cross Site Scripting
- Test for Stored Cross Site Scripting
- Test for DOM based Cross Site Scripting
- Test for Cross Site Flashing
- Test for HTML Injection
- Test for SQL Injection
- Test for LDAP Injection
- Test for ORM Injection
- Test for XML Injection
- Test for XXE Injection
- Test for SSI Injection
- Test for XPath Injection
- Test for XQuery Injection
- Test for IMAP/SMTP Injection
- Test for Code Injection
- Test for Expression Language Injection
- Test for Command Injection
- Test for Overflow (Stack, Heap and Integer)
- Test for Format String
- Test for incubated vulnerabilities
- Test for HTTP Splitting/Smuggling
- Test for HTTP Verb Tampering
- Test for Open Redirection
- Test for Local File Inclusion
- Test for Remote File Inclusion
- Compare client-side and server-side validation rules
- Test for NoSQL injection
- Test for HTTP parameter pollution
- Test for auto-binding
- Test for Mass Assignment
- Test for NULL/Invalid Session Cookie
Denial of Service
- Test for anti-automation
- Test for account lockout
- Test for HTTP protocol DoS
- Test for SQL wildcard DoS
Business Logic
- Test business logic data validation
- Test ability to forge requests
- Test for feature misuse
- Test for lack of non-repudiation
- Test for trust relationships
- Test for integrity of data
- Test segregation of duties
- Test for Process Timing
- Test Number of Times a Function Can be Used Limits
- Test for the Circumvention of Work Flows
- Test Defenses Against Application Mis-use
- Test Upload of Unexpected File Types
- Test upload of malicious files
Cryptography
- Check if data which should be encrypted is not
- Check for wrong algorithms usage depending on context
- Check for weak algorithms usage
- Check for proper use of salting
- Check for randomness functions
Risky Functionality - File Uploads
- Test that acceptable file types are whitelisted and non-whitelisted types are rejected
- Test that file size limits, upload frequency and total file counts are defined and are enforced
- Test that file contents match the defined file type
- Test that all file uploads have Anti-Virus scanning in-place.
- Test that unsafe filenames are sanitised
- Test that uploaded files are not directly accessible within the web root
- Test that uploaded files are not served on the same hostname/port
- Test that files and other media are integrated with the authentication and authorisation schemas
Risky Functionality - Card Payment
- Test for known vulnerabilities and configuration issues on Web Server and Web Application
- Test for default or guessable password
- Test for non-production data in live environment, and vice-versa
- Test for Injection vulnerabilities
- Test for Buffer Overflows
- Test for Insecure Cryptographic Storage
- Test for Insufficient Transport Layer Protection
- Test for Improper Error Handling
- Test for all vulnerabilities with a CVSS v2 score > 4.0
- Test for Authentication and Authorization issues
- Test for CSRF
Web Service Testing
HTML 5
- Test Web Messaging
- Test for Web Storage SQL injection
- Check CORS implementation
- Check Offline Web Application
Error Handling
Other Formats
Authors and contributors
All above are authors of the Testing Guide v3
Related articles
OWASP Testing Guide
Mozilla Web Security Verification
OWASP Cheat Sheets Project Homepage
Developer Cheat Sheets (Builder)
- Authentication Cheat Sheet (Spanish)
- Choosing and Using Security Questions Cheat Sheet
- Clickjacking Defense Cheat Sheet
- C-Based Toolchain Hardening Cheat Sheet
- Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet
- Cryptographic Storage Cheat Sheet
- DOM based XSS Prevention Cheat Sheet
- Forgot Password Cheat Sheet
- HTML5 Security Cheat Sheet
- Input Validation Cheat Sheet
- JAAS Cheat Sheet
- Logging Cheat Sheet
- .NET Security Cheat Sheet
- OWASP Top Ten Cheat Sheet
- Password Storage Cheat Sheet
- Pinning Cheat Sheet
- Query Parameterization Cheat Sheet
- Ruby on Rails Cheatsheet
- REST Security Cheat Sheet
- Session Management Cheat Sheet
- SAML Security Cheat Sheet
- SQL Injection Prevention Cheat Sheet
- Transaction Authorization Cheat Sheet
- Transport Layer Protection Cheat Sheet
- Unvalidated Redirects and Forwards Cheat Sheet
- User Privacy Protection Cheat Sheet
- Web Service Security Cheat Sheet
- XSS (Cross Site Scripting) Prevention Cheat Sheet
Assessment Cheat Sheets (Breaker)
- Attack Surface Analysis Cheat Sheet
- XSS Filter Evasion Cheat Sheet
- REST Assessment Cheat Sheet
- Web Service Security Testing Cheat Sheet
Mobile Cheat Sheets
OpSec Cheat Sheets (Defender)
Draft Cheat Sheets
- Access Control Cheat Sheet
- Application Security Architecture Cheat Sheet
- Business Logic Security Cheat Sheet
- PHP Security Cheat Sheet
- Secure Coding Cheat Sheet
- Secure SDLC Cheat Sheet
- Threat Modeling Cheat Sheet
- Web Application Security Testing Cheat Sheet
- Grails Secure Code Review Cheat Sheet
- IOS Application Security Testing Cheat Sheet
- Key Management Cheat Sheet
- Insecure Direct Object Reference Prevention Cheat Sheet
- Content Security Policy Cheat Sheet
Không có nhận xét nào:
Đăng nhận xét