Checklist for performing security testing on web applications

For every businessman, development of website is much important as it acts as a  most important promotional tool for his products and services. By Developing a website means, your website should be secured enough so that no one can break it down.

and for that security testing, we made one checklist in which we listed all the necessary guidelines and it is very important for a pen tester or a security researcher to follow this.

Information Gathering
1. Manually explore the site
2. Spider/crawl for missed or hidden content
3. Check for files that expose content, such as robots.txt, sitemap.xml, .DS_Store
4. Check the caches of major search engines for publicly accessible sites
5. Check for differences in content based on User Agent (eg, Mobile sites, access as a Search engine Crawler)
6. Perform Web Application Fingerprinting
7. Identify technologies used
8. Identify user roles
9. Identify application entry points
10. Identify client-side code
11. Identify multiple versions/channels (e.g. web, mobile web, mobile app, web services)
12. Identify co-hosted and related applications
13. Identify all hostnames and ports
14. Identify third-party hosted content
Configuration Management
1. Check for commonly used application and administrative URLs
2. Check for old, backup and unreferenced files
3. Check HTTP methods supported and Cross Site Tracing (XST)
4. Test file extensions handling
5. Test for security HTTP headers (e.g. CSP, X-Frame-Options, HSTS)
6. Test for policies (e.g. Flash, Silverlight, robots)
7. Test for non-production data in live environment, and vice-versa
8. Check for sensitive data in client-side code (e.g. API keys, credentials)
Secure Transmission
1. Check SSL Version, Algorithms, Key length
2. Check for Digital Certificate Validity (Duration, Signature and CN)
3. Check credentials only delivered over HTTPS
4. Check that the login form is delivered over HTTPS
5. Check session tokens only delivered over HTTPS
6. Check if HTTP Strict Transport Security (HSTS) in use
1. Test for user enumeration
2. Test for authentication bypass
3. Test for bruteforce protection
4. Test password quality rules
5. Test remember me functionality
6. Test for autocomplete on password forms/input
7. Test password reset and/or recovery
8. Test password change process
10. Test multi factor authentication
11. Test for logout functionality presence
12. Test for cache management on HTTP (eg Pragma, Expires, Max-age)
13. Test for default logins
14. Test for user-accessible authentication history
15. Test for out-of channel notification of account lockouts and successful password changes
16. Test for consistent authentication across applications with shared authentication schema / SSO
Session Management
1. Establish how session management is handled in the application (eg, tokens in cookies, token in URL)
2. Check session tokens for cookie flags (httpOnly and secure)
3. Check session cookie scope (path and domain)
4. Check session cookie duration (expires and max-age)
5. Check session termination after a maximum lifetime
6. Check session termination after relative timeout
7. Check session termination after logout
8. Test to see if users can have multiple simultaneous sessions
9. Test session cookies for randomness
10. Confirm that new session tokens are issued on login, role change and logout
11. Test for consistent session management across applications with shared session management
12. Test for session puzzling
13. Test for CSRF and clickjacking
1. Test for path traversal
2. Test for bypassing authorization schema
3. Test for vertical Access control problems (a.k.a. Privilege Escalation)
4. Test for horizontal Access control problems (between two users at the same privilege level)
5. Test for missing authorization
Data Validation
1. Test for Reflected Cross Site Scripting
2. Test for Stored Cross Site Scripting
3. Test for DOM based Cross Site Scripting
4. Test for Cross Site Flashing
5. Test for HTML Injection
6. Test for SQL Injection
7. Test for LDAP Injection
8. Test for ORM Injection
9. Test for XML Injection
10. Test for XXE Injection
11. Test for SSI Injection
12. Test for XPath Injection
13. Test for XQuery Injection
14. Test for IMAP/SMTP Injection
15. Test for Code Injection
16. Test for Expression Language Injection
17. Test for Command Injection
18. Test for Overflow (Stack, Heap and Integer)
19. Test for Format String
20. Test for incubated vulnerabilities
21. Test for HTTP Splitting/Smuggling
22. Test for HTTP Verb Tampering
23. Test for Open Redirection
24. Test for Local File Inclusion
25. Test for Remote File Inclusion
26. Compare client-side and server-side validation rules
27. Test for NoSQL injection
28. Test for HTTP parameter pollution
29. Test for auto-binding
30. Test for Mass Assignment
31. Test for NULL/Invalid Session Cookie
Denial of Service
1. Test for anti-automation
2. Test for account lockout
3. Test for HTTP protocol DoS
4. Test for SQL wildcard DoS
Business Logic
1. Test for feature misuse
2. Test for lack of non-repudiation
3. Test for trust relationships
4. Test for integrity of data
5. Test segregation of duties
1. Check if data which should be encrypted is not
2. Check for wrong algorithms usage depending on context
3. Check for weak algorithms usage
4. Check for proper use of salting
5. Check for randomness functions
Risky Functionality – File Uploads
1. Test that acceptable file types are whitelisted
2. Test that file size limits, upload frequency and total file counts are defined and are enforced
3. Test that file contents match the defined file type
4. Test that all file uploads have Anti-Virus scanning in-place.
5. Test that unsafe filenames are sanitised
6. Test that uploaded files are not directly accessible within the web root
7. Test that uploaded files are not served on the same hostname/port
8. Test that files and other media are integrated with the authentication and authorisation schemas
Risky Functionality – Card Payment
1. Test for known vulnerabilities and configuration issues on Web Server and Web Application
2. Test for default or guessable password
3. Test for non-production data in live environment, and vice-versa
4. Test for Injection vulnerabilities
5. Test for Buffer Overflows
6. Test for Insecure Cryptographic Storage
7. Test for Insufficient Transport Layer Protection
8. Test for Improper Error Handling
9. Test for all vulnerabilities with a CVSS v2 score > 4.0
10. Test for Authentication and Authorization issues
11. Test for CSRF
1. Test Web Messaging
2. Test for Web Storage SQL injection
3. Check CORS implementation
4. Check Offline Web Application
You may also like:

Sarcastic Writer

Step by step hacking tutorials about wireless cracking, kali linux, metasploit, ethical hacking, seo tips and tricks, malware analysis and scanning.

Related Posts