permalink: /Web_Application_Security_Testing_Cheat_Sheet/

Introduction

This cheat sheet provides a checklist of tasks to be performed during blackbox security testing of a web application.

Purpose

This checklist is intended to be used as a memory aid for experienced pentesters. It should be used in conjunction with the OWASP Testing Guide. It will be updated as the Testing Guide v4 progresses.

The intention is that this guide will be available as an XML document, with scripts that convert it into formats such as PDF, MediaWiki markup, HTML, and so forth. This will allow it to be consumed within security tools as well as being available in a format suitable for printing.

All feedback or offers of help will be appreciated. If you have specific changes you think should be made, please log in and make suggestions.

The Checklist

Information Gathering

Rendered Site Review

Manually explore the site
Spider/crawl for missed or hidden content
Check the webserver metafiles\ “wikilink”) for information leakage files that expose content, such as robots.txt, sitemap.xml, and .DS_Store
Check the caches of major search engines for publicly accessible sites\ “wikilink”)
Check for differences in content based on user agent (e.g. mobile sites, accessing as a search engine crawler)
Check webpage comments and metadata for information leakage_\ “wikilink”)

Development Review

Check the web application framework_\ “wikilink”)
Perform web application fingerprinting\ “wikilink”)
Identify technologies used
Identify user roles\ “wikilink”)
Identify application entry points_\ “wikilink”)
Identify client-side code
Identify multiple versions/channels (e.g. web, mobile web, mobile app)

Hosting and Platform Review

Identify web services
Identify co-hosted and related applications
Identify all hostnames and ports
Identify third-party hosted content

Configuration Management

Check for commonly used application and administrative URLs
Check for old, backup, and unreferenced files_\ “wikilink”)
Check HTTP methods supported and Cross Site Tracing (XST)_\ “wikilink”)
Test file extensions handling_\ “wikilink”)
Test RIA cross domain policy_\ “wikilink”)
Test for security HTTP headers (e.g. CSP, X-Frame-Options, HSTS)
Test for policies (e.g. Flash, Silverlight, robots)
Check for sensitive data in client-side code (e.g. API keys, credentials)

Secure Transmission

Protocols and Encryption

Check SSL version, algorithms, and key length_\ “wikilink”)
Check for digital certificate validity (duration, signature, and CN)
Check that credentials are only delivered over HTTPS
Check that the login form is delivered over HTTPS
Check that session tokens are only delivered over HTTPS
Check if HTTP Strict Transport Security (HSTS) in use_\ “wikilink”)
Test ability to forge requests_\ “wikilink”)
Test web messaging (HTML5)\ “wikilink”)
Check CORS implementation (HTML5)\ “wikilink”)

Web Services and REST

Authentication

Application Password Functionality

Test password quality rules\ “wikilink”)
Test remember me functionality
Test password reset and/or recovery
Test password change process
Test CAPTCHA
Test multi-factor authentication
Test for logout functionality presence
Test for default logins
Test for out-of-channel notification of account lockouts and successful password changes
Test for consistent authentication across applications with shared authentication schema/SSO and alternative channels
Test for weak security question/answer

Additional Authentication Functionality

Test for user enumeration_\ “wikilink”)
Test for authentication bypass_\ “wikilink”)
Test for brute force protection_\ “wikilink”)
Test for credentials transported over an encrypted channel\ “wikilink”)
Test for cache management on HTTP (eg Pragma, Expires, Max-age)
Test for user-accessible authentication history

Session Management

Establish how session management is handled in the application (eg, tokens in cookies, token in URL)
Check session tokens for cookie flags (httpOnly and secure)\ “wikilink”)
Check session cookie scope (path and domain)\ “wikilink”)
Check session cookie duration (expires and max-age)
Check session termination after a maximum lifetime\ “wikilink”)
Check session termination after relative timeout\ “wikilink”)
Check session termination after logout\ “wikilink”)
Test to see if users can have multiple simultaneous sessions
Test session cookies for randomness#SessionID_Predictability_and_Randomness\ “wikilink”)
Confirm that new session tokens are issued on login, role change, and logout
Test for consistent session management across applications with shared session management
Test for session puzzling
Test for CSRF and clickjacking

Authorization

Test for path traversal\ “wikilink”)
Test for vertical access control problems (a.k.a. privilege escalation)\ “wikilink”)
Test for horizontal access control problems (between two users at the same privilege level)
Test for missing authorization\ “wikilink”)
Test for insecure direct object references\ “wikilink”)

Cryptography

Check if data which should be encrypted is not\ “wikilink”)
Check for wrong algorithms usage depending on context
Check for weak algorithms usage\ “wikilink”)
Check for proper use of salting
Check for randomness functions

Data Validation

Injection

Test for HTML Injection
Test for SQL Injection\ “wikilink”)
Test for LDAP Injection
Test for ORM Injection\ “wikilink”)
Test for XML Injection\ “wikilink”)
Test for XXE Injection
Test for SSI Injection\ “wikilink”)
Test for XPath Injection\ “wikilink”)
Test for XQuery Injection
Test for IMAP/SMTP Injection\ “wikilink”)
Test for Code Injection\ “wikilink”)
Test for Expression Language Injection
Test for Command Injection\ “wikilink”)
Test for NoSQL injection

Other

Test for Reflected Cross Site Scripting\ “wikilink”)
Test for Stored Cross Site Scripting\ “wikilink”)
Test for DOM based Cross Site Scripting\ “wikilink”)
Test for Cross Site Flashing
Test for Overflow (Stack, Heap and Integer)
Test for Format String
Test for incubated vulnerabilities
Test for HTTP Splitting/Smuggling\ “wikilink”)
Test for HTTP Verb Tampering
Test for Open Redirection
Test for Local File Inclusion
Test for Remote File Inclusion
Compare client-side and server-side validation rules
Test for HTTP parameter pollution
Test for auto-binding
Test for Mass Assignment
Test for NULL/Invalid Session Cookie
Test for integrity of data_\ “wikilink”)
Test for the Circumvention of Work Flows_\ “wikilink”)
Test Defenses Against Application Mis-use_\ “wikilink”)
Test That a Function or Feature Cannot Be Used Outside Of Limits_\ “wikilink”)
Test for Process Timing_\ “wikilink”)
Test for Web Storage SQL injection (HTML5)\ “wikilink”)
Check Offline Web Application

Denial of Service

Test for anti-automation
Test for account lockout\ “wikilink”)
Test for HTTP protocol DoS
Test for SQL wildcard DoS

Specific Risky Functionality

File Uploads

Test that acceptable file types are whitelisted and non-whitelisted types are rejected\ “wikilink”)
Test that file size limits, upload frequency and total file counts are defined and are enforced
Test that file contents match the defined file type
Test that all file uploads have anti-virus scanning in place\ “wikilink”)
Test upload of malicious files_\ “wikilink”)
Test that unsafe filenames are sanitized
Test that uploaded files are not directly accessible within the web root
Test that uploaded files are not served on the same hostname/port
Test that files and other media are integrated with the authentication and authorization schemas

Payments