OWASP - User contributions [en]

Category:OWASP Flash Security Project

2016-01-22T08:11:24Z

Raesene: /* Example Vulnerabilities */

==== Main ====

== Overview ==

The OWASP Flash Security Project is an open project for sharing knowledge in order to raise awareness of Flash application security.

== Goals ==

The OWASP Flash Security Project aims to share guidelines, tools and resources for securing Flash applications.

 

== Table of Contents ==

{| cellspacing="1" cellpadding="1" border="0" style="width: 651px; height: 66px;"
|-
| '''Research'''
| '''References'''
| '''Tools'''
| '''Libraries'''
|-
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Videos Videos]
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#References References]
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#OWASP_Tools OWASP Tools]
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Third-party_Security_Libraries 3rd Party Libs]
|-
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#White_Papers_.2F_Presentations White Papers/Presentations]
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Useful_Specifications Specifications]
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Static_Analysis Static Analysis]
|
|-
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Articles Articles]
|
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Disassemblers Disassemblers]
|
|-
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Example_Vulnerabilities Example Vulnerabilities]
|
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Decompilers Decompilers]
|
|-
|
|
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Obfuscators_.2F_De-obfuscators Obfuscators/De-obfuscators]
|
|-
|
|
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Local_Shared_Object_Editors LSO Editors]
|
|-
|
|
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#AMF_Tools AMF Tools]
|
|-
|
|
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Analysis Analysis/Defense]
|
|}

 

== Videos ==

* [http://tv.adobe.com/show/how-to-develop-secure-flash-platform-apps/ How to Develop Secure Flash Platform Apps] An Adobe TV series discussing how to author and test secure Flash applications. The presentations cover common vulnerabilities in SWF content and how to avoid them. Each video is about 5-10 minutes long and is by Peleus Uhley.

* [http://tv.adobe.com/watch/max-2010-develop/creating-secure-actionscript-applications/ Creating Secure ActionScript Applications] An hour long video targeted at developers and QEs on creating secure Flash applications from Adobe MAX 2010. Adobe MAX is Adobe's developer conference. The talk is by Peleus Uhley.

* [http://vimeo.com/15506137 Assessing, Testing & Validating Flash Content] A 45 minute talk from OWASP AppSec USA 2010 on how to assess and test Flash applications. The talk is by Peleus Uhley.

* [http://tv.adobe.com/#vi+f15384v1102 Understanding the Flash Player Security Model] Deneb Meketa of Adobe gives a one hour presentation at the Adobe MAX 2008 conference in San Francisco entitled, "Flash Security: Why and how." This presentation provides a good overview of several aspects of Flash Player's security model. Approximately 1 hour long.

* [http://h30431.www3.hp.com/index.jsp?fr_story=3a98c704f7ef61299c19ef1f648f1acb1a5aeab8&rf=bm Billy Wins A Cheeseburger] A video by HP that explains a basic Flash vulnerability that can be found by decompilers. Approximately 3 minutes long.

* [http://securitytube.net/Hacking-Flash-Applications-for-Fun-and-Profit-(Blackhat)-video.aspx Blinded by Flash: Widespread Security Risks Flash Developers Don't See] Prajakta Jagdale describes the attack surface flash applications have based on various things developers overlook. In this presentation she talks about the basic cross domain security model between flash applets, Cross Site Scripting attacks on Flash applications, Data injection attacks, Flash malware, decompilation of Flash swf files, code and binary obfuscation and many other attack vectors which a malicious attacker could use to hack Flash applications. Approximately 1 hour long.

* [https://media.defcon.org/dc-17/video/DEFCON%2017%20Hacking%20Conference%20Presentation%20By%20Jon%20Rose%20-%20Deblaze%20A%20Remote%20Method%20Enumeration%20Tool%20for%20Flex%20Servers%20-%20Video%20and%20Slides.m4v Deblaze - A Remote Method Enumeration Tool for Flex Servers] This is an excellent 20 minute presentation from DefCon 17 by Jon Rose on how to test AMF services using the deBlaze tool that he authored.

* [http://technet.microsoft.com/en-us/security/ee460903.aspx#ria RIA Security: Real-World Lessons from Flash and Silverlight] Jesse Collins from Microsoft's Silverlight team and Peleus Uhley from Adobe's Flash team discuss common threats to RIA applications. Approximately 1 hour long.

 

== White Papers / Presentations ==

'''Flash'''

* '''Flash Parameter Injection''' [http://blog.watchfire.com/FPI.pdf pdf], IBM Rational Application Security Team, [http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference OWASP AppSec 2008], 24th September 2008, NYC, NY (USA)

* '''Testing Flash Applications using WebScarab''' [https://www.owasp.org/images/5/58/Testing_Flash_Applications.pdf pdf], Martin Clausen - Deloitte [http://www.owasp.org/index.php/Denmark Denmark Chapter Meeting], 12th March 2008, Denmark

* '''Testing Flash Applications''' [http://www.owasp.org/images/8/8c/OWASPAppSec2007Milan_TestingFlashApplications.ppt ppt], Stefano Di Paola, [http://www.owasp.org/index.php/6th_OWASP_AppSec_Conference_-_Italy_2007/Agenda Owasp Appsec 2007], 17th May 2007, Milan (Italy).

* '''Testing and Exploiting Flash Applications''' [http://events.ccc.de/camp/2007/Fahrplan/attachments/1320-FlashSec.pdf pdf], Fukami, Chaos Computer Camp, 2007

* '''Finding Vulnerabilities in Flash Applications''' [http://www.owasp.org/images/d/d8/OWASP-WASCAppSec2007SanJose_FindingVulnsinFlashApps.ppt ppt], Stefano Di Paola, [http://www.owasp.org/index.php/7th_OWASP_AppSec_Conference_-_San_Jose_2007/Agenda Owasp Appsec 2007], 15th November 2007, San Jose, CA (USA)

* '''Neat, New, and Ridiculous Flash Hacks''' - whitepaper: [http://www.blackhat.com/presentations/bh-dc-10/Bailey_Mike/BlackHat-DC-2010-Bailey-Neat-New-Ridiculous-flash-hacks-wp.pdf pdf], presentation:[http://www.blackhat.com/presentations/bh-dc-10/Bailey_Mike/BlackHat-DC-2010-Bailey-Neat-New-Ridiculous-flash-hacks-slides.pdf pdf], Mike Bailey, Black Hat DC 2010, Washington, DC (USA)

 '''AMF'''

* '''AMF Testing Made Easy''' - whitepaper: [https://media.blackhat.com/bh-us-12/Briefings/Carettoni/BH_US_12_Carettoni_AMF_Testing_WP.pdf pdf], presentation: [https://media.blackhat.com/bh-us-12/Briefings/Carettoni/BH_US_12_Carettoni_AMF_Testing_Slides.pdf pdf], Luca Carettoni, Black Hat USA 2012, Las Vegas, NV (USA). This presentation discusses how to use the [http://code.google.com/p/blazer/ Blazer] tool with Burp to conduct AMF testing.

* '''Pentesting Adobe Flex Applications''' - [http://www.gdssecurity.com/l/OWASP_NYNJMetro_Pentesting_Flex.pdf pdf], Marcin Wielgoszewski, April 2010 OWASP NYC Chapter Meeting, NYC, NY (USA)

* '''DeBlaze: A remote enumeration tool for Flex servers''' [http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-jon_rose-deblaze.pdf pdf], Jon Rose, [http://www.defcon.org/html/links/dc-archives/dc-17-archive.html#Rose DefCon 17], 31st July 2009, Las Vegas, NV (USA)

 '''University Research'''

* '''ActionScript bytecode verification with co-logic programming''' [http://portal.acm.org/citation.cfm?id=1554339.1554342 pdf], Brian W. DeVries, Gopal Gupta, Kevin W. Hamlen, Scott Moore, and Meera Sridhar of The University of Texas at Dallas, Proceedings of the ACM SIGPLAN Fourth Workshop on Programming Languages and Analysis for Security 2009.

* '''Creating a more sophisticated security platform for Flash, AIR and others''' [http://www.utdallas.edu/~mxs072100/Adobe.ppt ppt] Presented at Adobe Systems, Inc. by Meera Sridhar, November, 2009

* '''ActionScript In-Lined Reference Monitoring in Prolog''' [http://www.utdallas.edu/~mxs072100/padl.pdf pdf], Meera Sridhar and Kevin W. Hamlen of The University of Texas at Dallas, Proceedings of the Twelfth Symposium on Practical Aspects of Declarative Languages (PADL), Jan 2010.

* '''ActionScript In-lined Reference Monitoring in Prolog''' [http://www.utdallas.edu/~mxs072100/padl10.pptx pptx] Presented at PADL 2010, Madrid, Spain by Meera Sridhar.

 

== Articles ==

'''Development'''
* [http://www.adobe.com/devnet/flashplayer/articles/secure_swf_apps.html Creating more secure SWF web applications] This Adobe Developer Center article discusses secure ActionScript programming practices.

* [http://www.adobe.com/devnet/flashplayer/articles/cross_domain_policy.html Cross-domain policy file usage recommendations for Flash Player] This Adobe Developer Center article discusses some of the common security issues that you should consider when deciding how to use a cross-domain policy file on your server.

* [http://www.insideria.com/2010/03/flash-player-10-security-model.html Flash Player 10 Security Model: Stakeholders and Sandboxes] This is an article that condenses the official Flash Player Security Model down to a one page article discussing the stakeholders and sandboxes.

* [http://theflashblog.com/?p=419 AMFPHP Security Basics] This a blog covering how to secure AMFPHP version 1.9 and higher. AMFPHP is server-side code that receives AMF requests from Flash clients.

* [http://blogs.adobe.com/asset/2009/11/securely_deploying_cross-domai.html Securely Deploying Cross-Domain Policy files] This Adobe ASSET blog provides 5 tips for securely deploying cross-domain policy files.

* [http://askmeflash.com/article/16/securing-your-flash-application Securing your Flash Application] A quick ten item checklist of high level things to look for in your SWF before shipping.

* [http://www.senocular.com/flash/tutorials/contentdomains/ Security Domains, Application Domains, and More in ActionScript 3.0] A fairly in depth article by Senocular.com explaining security domains, application domains, cross-domain policy files, allowDomain() and more.

'''Penetration Testing'''
* [http://www.ivizsecurity.com/blog/web-application-security/testing-flash-applications-pen-tester-guide/ A Lazy Pen Tester’s Guide to Testing Flash Applications] A short blog describing some of the basic steps of testing Flash applications by iViZ.

* [http://www.gdssecurity.com/l/b/2010/03/17/penetrating-intranets-through-adobe-flex-applications/ Penetrating Intranets through Adobe Flex Applications] A short blog (03/17/2010) by Marcin Wielgoszewski of Gothan Digital Science introducing the [http://www.gdssecurity.com/l/t/d.php?k=Blazentoo Blazentoo] tool and how to take advantage of open BlazeDS proxies.

* [http://www.gdssecurity.com/l/b/2009/11/11/pentesting-adobe-flex-applications-with-a-custom-amf-client/ Pentesting Adobe Flex Applications with a Custom AMF Client] A short blog (11/11/2009) by Marcin Wielgoszewski of Gothan Digital Science on how to write custom pyAMF-based clients for testing Flex services.

* [http://erlend.oftedal.no/blog/?blogid=103 Client-side Remote File Inclusion in Flash] This blog discusses how to perform cross-site scripting attacks against applications that read in XML configuration files.

* [http://code.google.com/p/doctype/wiki/ArticleFlashSecurity Flash Security] A Google code article on different types of cross-site scripting and crossdomain.xml attacks.

'''Updates to the Flash Player Security Model'''
* [http://www.adobe.com/devnet/security/articles/flash-player-sandbox-bridge.html The Flash Player sandbox bridge] - This Adobe Developer Center article describes how the new LoaderInfo sandbox bridge APIs can be used as a safer alternative to Security.allowDomain(*).

* [http://www.adobe.com/devnet/flashplayer/articles/fplayer10.1_air2_security_changes.html Understanding the security changes in Flash Player 10.1 and AIR 2] - This Adobe Developer Center article describes the new changes that affect security in Flash Player 10.1 and AIR. This article discusses a new feature, LoaderContext.allowCodeImport, which can help in safely loading remote content via loadBytes(). It also discusses minor changes in behavior that may require action by the developer.

* [http://www.adobe.com/devnet/flashplayer/articles/fplayer10_security_changes.html Understanding the security changes in Flash Player 10] - This Adobe Developer Center article describes the new changes that affect security in the Flash Player 10. This includes information on changes to socket timing, policy file strictness, upload and download, RTMFP and full screen mode.

* [http://www.adobe.com/devnet/flashplayer/articles/fplayer10_uia_requirements.html User-initiated action requirements in Flash Player 10] - This Adobe Developer Center article describes the new user-initiated action requires in Flash Player 10. These requirements include chances to FileReference, Clipboard, full-screen mode and pop-up windows.

* [http://www.adobe.com/devnet/flashplayer/articles/flash_player9_security_update.html Preparing for the Flash Player 9 April 2008 Security Update] - This Adobe Developer Center article describes the new mitigations for DNS Rebinding (socket policy files), cross-site flashing and the introduction of cross-domain header meta-policies to help address attacks such as the UPnP attack.

* [http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security.html Security Changes in Flash Player 9] This Adobe Developer Center article describes the important changes that need to be made to existing crossdomain.xml and socket policy files. All websites that use cross-domain or socket policy files will need to implement these changes in order to be compatible with Adobe's new format. After the implementation of Phase II, Adobe will no longer support the old format.

 

== Example Vulnerabilities ==

''The intent of this section is to provide real-world examples of exploitation. This can be useful for consultants to help demonstrate to clients that these techniques have been used in the wild. In some instances, these examples include individual SWFs that were copied to hundreds of web sites. Therefore, a consultant should look for these specific SWFs on a website when performing an assessment to ensure that they have a current version.''

* [http://blog.watchfire.com/wfblog/2010/03/cross-site-scripting-through-flash-in-gmail-based-services.html Cross-site Scripting through Flash in Gmail Based Services] - This is an example of a cross-site scripting vulnerability that was the result of passing tainted data to ExternalInterface.call.

* [http://docs.google.com/Doc?docid=ajfxntc4dmsq_14dt57ssdw XSS Vulnerabilities in Common Flash Files] - This paper by Rich Cannings shows sample attack URLs for individual SWFs that are hosted across hundreds of websites. The techniques demonstrated in this paper for achieving cross-site scripting including using javascript: URLs, asfunction: URLs, and loading malicious child SWFs (aka cross-site Flashing).

* [http://lists.grok.org.uk/pipermail/full-disclosure/2003-April/004514.html clickTAG Cross-site scripting] - It is very common for Flash-based advertisements to accept a FlashVar called, clickTAG. If the clickTAG FlashVar is passed directly to a browser navigation API, such as getURL, then the attacker can achieve cross-site scripting by changing the clickTAG URL to a javascript: URL. Cross-site scripting as the result of a manipulated clickTAG FlashVar is the most common manifestation of cross-site scripting in Flash content.

* [http://jeremiahgrossman.blogspot.com/2008/09/i-used-to-know-what-you-watched-on.html I used to know what you watched on YouTube] - Jeremiah Grossman's blog post regarding his attack on youTube.com's "*.google.com" cross-domain permission.

 

== References ==

* [http://www.owasp.org/index.php/Testing_for_Cross_site_flashing_(OWASP-DV-004) OWASP Testing Guide: Testing for cross-site flashing] - Covers finding both cross-site scripting and cross-site flashing.

* [http://www.adobe.com/devnet/flashplayer/security.html Adobe Flash Player Developer Center Security section] - Where Adobe posts articles and information related to Flash Player security.

* [http://www.adobe.com/devnet/flashplayer/articles/flash_player10_security_wp.html Adobe Flash Player 10 Security Model]

* [http://www.adobe.com/devnet/flashplayer/articles/flash_player_9_security.pdf Adobe Flash Player 9 Security Model]

* [http://www.adobe.com/support/security/ Adobe Security Bulletins and Advisories] This is where Adobe posts all of their security advisories and bulletins.

* [http://help.adobe.com/en_US/Flex/4.0/UsingSDK/WS2db454920e96a9e51e63e3d11c0bf69084-7f9b.html Applying Flex Security] The security chapter from the Adobe Flex 4 manual.

* [http://help.adobe.com/en_US/ActionScript/3.0_ProgrammingAS3/WS5b3ccc516d4fbf351e63e3d118a9b90204-7d23.html Flash Player Security] The security chapter from the Programming ActionScript 3.0 section the Flash CS4 Documentation.

* [http://help.adobe.com/en_US/Flex/4.0/UsingSDK/WS2db454920e96a9e51e63e3d11c0bf69084-7d14.html Developing and Loading Sub-applications] This Flex SDK framework allows two or more untrusted SWFs to pass limited information between each other through the use of Shared Events.

 
== Useful Specifications ==

* [http://www.adobe.com/devnet/swf/ SWF File Format Specification] This documents the file format and structure of SWF files.

* [http://www.adobe.com/devnet/actionscript/articles/avm2overview.pdf AVM2 Specification] Describes the Flash ActionScript Virtual Machine used for ActionScript 3.0 code.

* [http://opensource.adobe.com/wiki/download/attachments/1114283/amf3_spec_05_05_08.pdf AMF3 Specification] The specification for version 3 of AMF used by Flash Player.

* [http://opensource.adobe.com/wiki/download/attachments/1114283/amf0_spec_121207.pdf?version=1 AMF0 Specification] The specification for the first generation of AMF (AMF 0) used by Flash Player.

* [http://www.adobe.com/devnet/rtmp/ RTMP Specification] This is the specification for the Real Time Messaging Protocol used by SWF content

* [http://www.adobe.com/devnet/flv/ Video File Format Specification] The FLV/F4V open specification documents the file formats for storing media content used to deliver streaming audio and video for playback in Adobe® Flash® Player and Adobe AIR™ software.

* [http://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html Cross-domain Policy File Specification] This document serves as a reference for the structure and use of cross-domain policy files.

* [http://www.mozilla.org/projects/tamarin/ Tamarin Open Source Project] The Tamarin virtual machine is used within the Adobe Flash Player and is also being adopted for use by projects outside Adobe. The Tamarin just-in-time compiler (the "NanoJIT") is a collaboratively developed component used by both Tamarin and Mozilla TraceMonkey.

 

== Third-party Security Libraries ==

* [http://crypto.hurlant.com/ AS3Crypto] - An ActionScript 3.0 cryptography library.

* [http://code.google.com/p/as3corelib/ as3corelib] - An Adobe sponsored Google Code project that contains ActionScript 3.0 implementations of WS-Security, SHA, MD5 and other utilities.

* [http://labs.adobe.com/wiki/index.php/Alchemy:Libraries Alchemy ActionScript 3 Crypto Wrapper] - An Adobe labs project to port OpenSSL to ActionScript using Alchemy (previously known as Flacc). Includes the SHA1, SHA2, MD5, PKCS12 and AES from OpenSSL.

* [http://code.google.com/p/flash-validators/ flash-validators] - An Adobe sponsored Google Code project that contains ActionScript 2.0 and ActionScript 3.0 data validation libraries.

* [http://bugs.adobe.com/jira/browse/BLZ-415 Protected Messaging Adaptor] - This addition to the latest version of BlazeDS protects against an attack that allows an untrusted individual to subscribe to wildcard sub-topics. This threat is described within this [http://www.jamesward.com/blog/2009/07/22/protected-messaging-in-flex-with-blazeds-and-lcds/ blog] by James Ward.

* [http://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/mx/validators/package-detail.html Flex validators] - Validation routines contained within the Adobe Flex SDK.

 

== OWASP Tools ==

* [https://www.owasp.org/index.php/Category:SWFIntruder SWFIntruder] OWASP Flash security testing tool

 
== Static Analysis ==

* [http://opensource.adobe.com/wiki/display/flexpmd/FlexPMD FlexPMD] Performs general code analysis with a few security checks.

* [https://www.fortify.com/products/hpfssc/source-code-analyzer.html Fortify Static Code Analyzer] '''($)''' Fortify's SCA supports searching for vulnerabilities within ActionScript 3.0, Flex 3 and Flex 4 applications.

* [http://www.bishopfox.com/resources/tools/google-hacking-diggity/attack-tools/#searchdiggity-v-3 FlashDiggity] FlashDiggity is part of the SearchDiggity tool created by the Bishop Fox consulting firm. It will decompile the SWF and use regular expressions to search for strings that are security related. FlashDiggity automates Google/Bing searching/downloading/decompiling/analysis of SWF files to identify Flash vulnerabilities and information disclosures.

* [http://h30499.www3.hp.com/t5/Following-the-White-Rabbit-A/SWFScan-FREE-Flash-decompiler/ba-p/5440167 SWFScan] This Windows tool decompiles a SWF and performs static analysis to identify common vulnerabilities for both ActionScript 2.0 and ActionScript 3.0 content.

 

== Disassemblers ==

* [http://labs.adobe.com/technologies/swfinvestigator/ Adobe SWF Investigator] An Adobe Labs project that performs disassembly of ActionScript 2 and ActionScript 3. Also shows SWF Tag information.

* [http://flasm.sourceforge.net/ Flasm] Flasm provides both disassembly and assembly functionality.

* [http://www.docsultant.com/nemo440/ Nemo440] Nemo440 is an AIR based ActionScript 3.0 disassembler.

* [http://opensource.adobe.com/svn/opensource/flex/sdk/trunk/bin/ swfdump] The Adobe Flex SDK, when built with ant, creates the swfdump utility ([http://blogs.adobe.com/gosmith/2008/02/disassembling_a_swf_with_swfdu_1.html overview]).

* [http://code.google.com/p/erlswf/ ErlSWF] A SWF disassembly tool based authored in Erlang

* [http://www.masonchang.com/2008/06/building-abcdump.html abcdump] The abcdump tool can be built from the tamarin source tree to disassemble AS3 byte code.

* [http://www.sweetscape.com/010editor/ 010Editor] This commercial tool has a [http://www.sweetscape.com/010editor/templates/files/SWFTemplate.bt template] for analyzing AS2 byte code.

* [http://segfaultlabs.com/swfutils swfutils] An ActionScript 3 library for disassembling SWF files.

* [https://github.com/CyberShadow/RABCDAsm#readme RABCDAsm] RABCDAsm is a collection of utilities including an ActionScript 3 assembler/disassembler, and a few tools to manipulate SWF files.

* [http://yogda.2ka.org/ Yogda AVM2 Workbench] Yogda® is a development tool for intermediate/advanced actionscript programmers. It includes an AVM2 disassembler.

 

== Decompilers ==

* [http://www.flash-decompiler.com/ Flash Decompiler Trillix] '''($):''' Windows and Mac versions. Supports ActionScript 2.0 and ActionScript 3.0, Flash 5, 6, 7, 8, 9, 10, Flash CS5 and Flex. Able to extract resources,edit SWF elements and provide a source FLA file. Costs @ $80 plus tax/shipping.

* [http://www.swfwire.com/inspector SWFWire Inspector] An open source AIR application for viewing images, shapes, and even syntax-highlighted ActionScript 3 within SWF files.

* [https://h30406.www3.hp.com/campaigns/2009/wwcampaign/1-5TUVE/index.php?key=swf SWFScan] This Windows tool decompiles a SWF and performs static analysis to identify common vulnerabilities for both ActionScript 2.0 and ActionScript 3.0 content.

* [http://www.nowrap.de/flare.html Flare] Flare ActionScript 2.0 decompiler for Windows, Linux and Mac OS X.

* [http://www.buraks.com/asv/ Buraks ActionScript Viewer] '''($):''' An ActionScript 2.0 and ActionScript 3.0 decompiler that is able to extract resources and provide a rough FLA file. Costs @ $80 plus tax/shipping.

* [http://www.sothink.com/product/flashdecompiler/ SoThink Flash Decompiler] '''($):''' An ActionScript 2.0 and ActionScript 3.0 decompiler that is able to extract resources and provide a rough FLA file. Costs @ $80 plus tax/shipping.

* [http://www.dcomsoft.com/download/dfdinstall.exe Dump Flash Decompiler] Freeware program that treats compressed and decompressed SWF-files and shows the detailed structure in the tree form. Windows.

* [http://www.free-decompiler.com/flash/ JPEXS Free Flash Decompiler (FFDec)] JPEXS Free Flash Decompiler (FFDec) is free opensource Flash SWF Decompiler. Program can view source code of ActionScript 1/2 or 3 parts, export it or edit (p-code editor for AS3). Texts or images can be edited or replaced. The SWF decompiler can also export shapes, images, sounds or movies. SWF to FLA format conversion is also available.

 

== Obfuscators / De-obfuscators ==

It should be noted that no obfuscator can protect a SWF from being reverse engineered. An attacker will always be able to extract data from SWFs if they believe it is worth the effort. Obfuscators are only serve as a deterrent for preventing casual inspection of the SWF.

It should also be noted that some obfuscators generate SWFs that do not conform to the Adobe SWF file format specification. Flash Player may still be able to play them but they do not conform to the spec. This could lead to some security tools such as Blitzablieter rejecting them as potentially malicious.

*[https://github.com/F-Secure/Sulo Sulo] Sulo is an open-source project from F-Secure. It can log decrypted strings from SecureSWF-protected files and it can dynamically save swf objects loaded with Loader.loadBytes() to disk.

*[http://sourceforge.net/p/swf-reader/wiki/Home/ SWF Reader] SWF Reader can edit and deobfuscate SWFs. It has implemented a few deobfuscators for AS2 and AS3 Flash but mostly concentrates on AS3 SWFs

*[http://www.buraks.com/swfrul/ SWF Revealer] There are two versions of Buraks SWF Revealer. This link points to one version. There is another version is which is an add-on to Buraks ActionScript Viewer.

*[http://swfid.zz.mu/ SWF ID] Detect common SWF protectors, SWF obfuscators, SWF cryptors and SWF compilers.

*[http://www.dcomsoft.com/ DComSoft SWF Protector] '''($):''' ActionScript 2.0/3.0 obfuscator for protecting your SWF files from Flash Decompilers. Available for Windows, Mac OS, Linux. Costs approximately $40.

 

== Local Shared Object Editors ==

* [http://labs.adobe.com/technologies/swfinvestigator/ Adobe SWF Investigator] Cross-platform tool for viewing and editing LSOs.

* [http://blog.coursevector.com/flashbug Flashbug] An extension for the Firefox Firebug plugin.

* [http://solve.sourceforge.net/ SolVE] Cross-platform Local Shared Object editor and viewer.

* [http://sourceforge.net/projects/soleditor/ .sol Editor] Windows based Local Shared Object editor

 

== AMF Tools ==

* [http://labs.adobe.com/technologies/swfinvestigator/ Adobe SWF Investigator] Allows sending of custom messages, simple fuzzing and service identification of AMF endpoints.

* [http://blog.coursevector.com/flashbug Flashbug] An extension for the Firefox Firebug plugin that allows you to view AMF data sent to and from the page to the server.

* [http://deblaze-tool.appspot.com/ DeBlaze] A free tool that attempts to identify AMF services through brute force, dictionary attacks.

* [http://www.gdssecurity.com/l/t/d.php?k=Blazentoo Blazentoo] Blazentoo is an Adobe AIR application that can be used to exploit insecure Adobe BlazeDS and LiveCycle Data Services ES servers. Blazentoo provides the ability to seamlessly browse web content, abusing insecurely configured Proxy Services.

* [http://code.google.com/p/blazer/ Blazer] Blazer is a custom AMF messages generator with fuzzing capabilities, developed as Burp Suite plugin. It is designed and implemented to make AMF testing easy, and yet allows researchers to control fully the entire security testing process.

* [http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project WebScarab] Full AMF support is currently checked into the main branch of the WebScarab project. It has not been rolled into the SourceForge or Java Web Start versions of the WebScarab project at the time of this writing.

* [http://code.google.com/p/webscarab-amf-plugin/ WebScarab AMF Plugin] This is a google code project to add AMF support as a plugin to WebScarab.

* [http://amfparser.codeplex.com/ AMF Parser] AMFParser plugin for Fiddler2 web debugger. It can be used for parsing and displaying AMF data inside HTTP's POST requests and responses.

* [http://code.google.com/p/pinta/ pinta] Pinta is a utility that allows a developer to test services by making custom AMF service calls, and viewing detailed output. This Google Code project is based on Adobe AIR.

* [http://www.charlesproxy.com/ Charles Proxy] '''($):''' This is a basic HTTP proxy but it provides support for interpreting AMF communications. Costs approximately $50.

* [http://releases.portswigger.net/2009/08/v1214.html Burp Suite Professional] '''($):''' The 1.2.124 version of Burp Suite Pro adds AMF support to all tools except for Burp Intruder and Burp Scanner is updated to automatically place attack payloads within string-based AMF values.

* [http://george.hedfors.com/content/action-message-format-amf-shell AMF Shell] AMF Shell is a command line utility based on Python that enumerates services and allows the user to send customized AMF messages to a server.

 

== Cross-Domain Tools ==

* [http://web.appsec.ws/Tools/Crossdomain.swf Cross-domain Policy Analyzer] A tool to test your cross-domain policy file by Jason Calvert of WhiteHat Security.

 

== Analysis ==

* [http://www.utdallas.edu/~mxs072100/ASIRM_project.html Certifying IRM for ActionScript Bytecode] This page contains the binaries for Meera Sridhar's research into using In-lined Reference Monitors to rewrite ActionScript bytecode for the purposes of policy enforcement. This project is currently targeted at AVM2 code.

* [http://blitzableiter.recurity.com/ Blitzablieter] Blitzablieter is a project currently run by Recurity Labs and the German government. The goal is to prevent malicious SWFs from entering a network through normalization and policy enforcement. This project currently handles AVM1 code.

* [http://wepawet.iseclab.org/ Wepawet] Wepawet is a service for detecting and analyzing web-based malware. It currently handles Flash, JavaScript, and PDF files. It is currently run by University of California, Santa Barbara.

* [https://github.com/sporst/SWFREtools/ SWFRETools] The SWFRETools are a collection of tools built for vulnerability analysis of the Adobe Flash player and for malware analysis of malicious SWF files. The tools are partly written in Java and partly in Python and are licensed under the GPL 2.0 license.

 

== Project Contributors ==

The Flash Security project is run by [[:User:Puhley|Peleus Uhley]].

== Project Sponsors ==

The Flash Security project is sponsored by [http://www.mindedsecurity.com [[Image:|MindedLogo.PNG]]]

==== Project Identification ====

{{Template:Project Details/OWASP_Flash_Security_Project | OWASP Project Identification Tab}}

__NOTOC__ <headertabs />

 __NOTOC__ <headertabs />

[[Category:OWASP_Project|Flash Security Project]] [[Category:OWASP_Download]] [[Category:OWASP_Tool]] [[Category:OWASP_Document]] [[Category:OWASP_Alpha_Quality_Document]]

Web Application Security Testing Cheat Sheet

2015-09-03T17:52:37Z

Raesene: /* Information Gathering */

= DRAFT CHEAT SHEET - WORK IN PROGRESS =

= Introduction =

This cheat sheet provides a checklist of tasks to be performed when performing a blackbox security test of a web application.

= Purpose =

This checklist is intended to be used as an aide memoire for experienced pentesters and should be used in conjunction with the [[:Category:OWASP Testing Project|OWASP Testing Guide]]. It will be updated as the [[OWASP_Application_Testing_guide_v4|Testing Guide v4]] is progressed.

The intention is that this guide will be available as an XML document, with scripts that convert it into formats such as pdf, Media Wiki markup, HTML etc.

This will allow it to be consumed within security tools as well as being available in a format suitable for printing.

All feedback or offers of help will be appreciated - and if you have specific chances you think should be made, just get stuck in.

= The Checklist =

== Information Gathering ==
* Manually explore the site
* [[Testing:_Spidering_and_googling | Spider/crawl]] for missed or hidden content
* [[Review_Webserver_Metafiles_for_Information_Leakage_(OTG-INFO-003)|Check the Webserver Metafiles]] for information leakage files that expose content, such as robots.txt, sitemap.xml, .DS_Store
* [[Conduct_search_engine_discovery/reconnaissance_for_information_leakage_(OTG-INFO-001)|Check the caches of major search engines for publicly accessible sites]]
* Check for differences in content based on User Agent (eg, Mobile sites, access as a Search engine Crawler)
* [[Review_webpage_comments_and_metadata_for_information_leakage_(OTG-INFO-005) | Check The Webpage Comments and Metadata for Information Leakage]]
* [[Fingerprint_Web_Application_Framework_(OTG-INFO-008) | Check The Web Application Framework]]
* [[Fingerprint_Web_Server_(OTG-INFO-002)|Perform Web Application Fingerprinting]]
* Identify technologies used
* [[Test_Role_Definitions_(OTG-IDENT-001)|Identify user roles]]
* [[Identify_application_entry_points_(OTG-INFO-006) | Identify application entry points]]
* Identify client-side code
* Identify multiple versions/channels (e.g. web, mobile web, mobile app)
* [[Web_Services | Identify web services]]
* Identify co-hosted and related applications
* Identify all hostnames and ports
* Identify third-party hosted content

== Configuration Management ==
* Check for commonly used application and administrative URLs
* Check for old, backup and unreferenced files
* Check HTTP methods supported and Cross Site Tracing (XST)
* Test file extensions handling
* Test RIA cross domain policy
* Test for security HTTP headers (e.g. CSP, X-Frame-Options, HSTS)
* Test for policies (e.g. Flash, Silverlight, robots)
* Test for non-production data in live environment, and vice-versa
* Check for sensitive data in client-side code (e.g. API keys, credentials)

== Secure Transmission ==
* Check SSL Version, Algorithms, Key length
* Check for Digital Certificate Validity (Duration, Signature and CN)
* Check credentials only delivered over HTTPS
* Check that the login form is delivered over HTTPS
* Check session tokens only delivered over HTTPS
* Check if HTTP Strict Transport Security (HSTS) in use

== Authentication ==
* [[Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002) | Test for user enumeration]]
* [[Testing_for_Bypassing_Authentication_Schema_(OTG-AUTHN-004) | Test for authentication bypass]]
* [[Testing_for_Brute_Force_(OWASP-AT-004) | Test for brute force protection]]
* [[Testing_for_Credentials_Transported_over_an_Encrypted_Channel_(OTG-AUTHN-001)|Test for Credentials Transported over an Encrypted Channel]]
* [[Testing_for_Weak_password_policy_(OTG-AUTHN-007)|Test password quality rules
* Test remember me functionality]]
* Test password reset and/or recovery
* Test password change process
* Test CAPTCHA
* Test multi factor authentication
* Test for logout functionality presence
* Test for cache management on HTTP (eg Pragma, Expires, Max-age)
* Test for default logins
* Test for user-accessible authentication history
* Test for out-of channel notification of account lockouts and successful password changes
* Test for consistent authentication across applications with shared authentication schema / SSO and alternative channels
* Test for Weak security question/answer

== Session Management ==
* Establish how session management is handled in the application (eg, tokens in cookies, token in URL)
* [[Testing_for_cookies_attributes_(OTG-SESS-002)|Check session tokens for cookie flags (httpOnly and secure)]]
* [[Testing_for_cookies_attributes_(OTG-SESS-002)|Check session cookie scope (path and domain)]]
* Check session cookie duration (expires and max-age)
* [[Test_Session_Timeout_(OTG-SESS-007)|Check session termination after a maximum lifetime]]
* [[Test_Session_Timeout_(OTG-SESS-007)|Check session termination after relative timeout]]
* [[Testing_for_logout_functionality_(OTG-SESS-006)|Check session termination after logout]]
* Test to see if users can have multiple simultaneous sessions
* Test session cookies for randomness
* Confirm that new session tokens are issued on login, role change and logout
* Test for consistent session management across applications with shared session management
* Test for session puzzling
* Test for CSRF and clickjacking

== Authorization ==
* [[Testing_Directory_traversal/file_include_(OTG-AUTHZ-001)|Test for path traversal]]
* [[Testing_for_Privilege_escalation_(OTG-AUTHZ-003)|Test for vertical Access control problems (a.k.a. Privilege Escalation)]]
* Test for horizontal Access control problems (between two users at the same privilege level)
* [[Testing_for_Bypassing_Authorization_Schema_(OTG-AUTHZ-002)|Test for missing authorisation]]
* [[Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004)|Test for Insecure Direct Object References]]

== Data Validation ==
* [[Testing_for_Reflected_Cross_site_scripting_(OTG-INPVAL-001)|Test for Reflected Cross Site Scripting]]
* [[Testing_for_Stored_Cross_site_scripting_(OTG-INPVAL-002)|Test for Stored Cross Site Scripting]]
* [[Testing_for_DOM-based_Cross_site_scripting_(OTG-CLIENT-001)|Test for DOM based Cross Site Scripting]]
* Test for Cross Site Flashing
* Test for HTML Injection
* [[Testing_for_SQL_Injection_(OTG-INPVAL-005)|Test for SQL Injection]]
* Test for LDAP Injection
* [[Testing_for_ORM_Injection_(OTG-INPVAL-007)|Test for ORM Injection]]
* [[Testing_for_XML_Injection_(OTG-INPVAL-008)|Test for XML Injection]]
* Test for XXE Injection
* [[Testing_for_SSI_Injection_(OTG-INPVAL-009)|Test for SSI Injection]]
* [[Testing_for_XPath_Injection_(OTG-INPVAL-010)|Test for XPath Injection]]
* Test for XQuery Injection
* [[Testing_for_IMAP/SMTP_Injection_(OTG-INPVAL-011)|Test for IMAP/SMTP Injection]]
* [[Testing_for_Code_Injection_(OTG-INPVAL-012)|Test for Code Injection]]
* Test for Expression Language Injection
* [[Testing_for_Command_Injection_(OTG-INPVAL-013)|Test for Command Injection]]
* Test for Overflow ([[Testing_for_Stack_Overflow|Stack]], [[Testing_for_Heap_Overflow|Heap]] and Integer)
* [[Testing_for_Format_String|Test for Format String]]
* Test for incubated vulnerabilities
* [[Testing_for_HTTP_Splitting/Smuggling_(OTG-INPVAL-016)|Test for HTTP Splitting/Smuggling]]
* Test for HTTP Verb Tampering
* [[Top_10_2013-A10-Unvalidated_Redirects_and_Forwards|Test for Open Redirection]]
* [[Testing_for_Local_File_Inclusion|Test for Local File Inclusion]]
* [[Testing_for_Remote_File_Inclusion|Test for Remote File Inclusion]]
* Compare client-side and server-side validation rules
* Test for NoSQL injection
* Test for HTTP parameter pollution
* Test for auto-binding
* Test for Mass Assignment
* Test for NULL/Invalid Session Cookie

== Denial of Service ==
* Test for anti-automation
* [[Testing_for_Weak_lock_out_mechanism_(OTG-AUTHN-003)|Test for account lockout]]
* Test for HTTP protocol DoS
* Test for SQL wildcard DoS

== Business Logic ==
* Test for feature misuse
* Test for lack of non-repudiation
* Test for trust relationships
* Test for integrity of data
* Test segregation of duties
* Test for Process Timing
* Test Number of Times a Function Can be Used Limits
* Test for the Circumvention of Work Flows
* Test Defenses Against Application Mis-use
* Test Upload of Unexpected File Types

== Cryptography ==
* [[Testing_for_Sensitive_information_sent_via_unencrypted_channels_(OTG-CRYPST-003)|Check if data which should be encrypted is not]]
* Check for wrong algorithms usage depending on context
* [[Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_(OTG-CRYPST-001)|Check for weak algorithms usage]]
* [[Password_Storage_Cheat_Sheet#Use_a_cryptographically_strong_credential-specific_salt | Check for proper use of salting]]
* [[Insecure_Randomness | Check for randomness functions]]

== Risky Functionality - File Uploads ==
* [[Test_Upload_of_Unexpected_File_Types_(OTG-BUSLOGIC-008)|Test that acceptable file types are whitelisted and non-whitelisted types are rejected]]
* Test that file size limits, upload frequency and total file counts are defined and are enforced
* Test that file contents match the defined file type
* [[Test_Upload_of_Malicious_Files_(OTG-BUSLOGIC-009)|Test that all file uploads have Anti-Virus scanning in-place.]]
* Test that unsafe filenames are sanitised
* Test that uploaded files are not directly accessible within the web root
* Test that uploaded files are not served on the same hostname/port
* Test that files and other media are integrated with the authentication and authorisation schemas

== Risky Functionality - Card Payment ==
* Test for known vulnerabilities and configuration issues on Web Server and Web Application
* Test for default or guessable password
* Test for non-production data in live environment, and vice-versa
* [[Injection_Flaws | Test for Injection vulnerabilities ]]
* [[Testing_for_Buffer_Overflow_(OTG-INPVAL-014) | Test for Buffer Overflows]]
* [[Top_10_2010-A7-Insecure_Cryptographic_Storage | Test for Insecure Cryptographic Storage]]
* [[Top_10_2010-A9-Insufficient_Transport_Layer_Protection | Test for Insufficient Transport Layer Protection]]
* [[Web_Application_Security_Testing_Cheat_Sheet#Error_Handling|Test for Improper Error Handling]]
* Test for all vulnerabilities with a CVSS v2 score > 4.0
* Test for Authentication and Authorization issues
* [[Testing_for_CSRF_(OTG-SESS-005)|Test for CSRF]]

== HTML 5==
* [[Test_Web_Messaging_(OTG-CLIENT-011)|Test Web Messaging]]
* [[Test_Local_Storage_(OTG-CLIENT-012)|Test for Web Storage SQL injection]]
* [[Test_Cross_Origin_Resource_Sharing_(OTG-CLIENT-007)|Check CORS implementation]]
* [[HTML5_Security_Cheat_Sheet#Offline_Applications | Check Offline Web Application]]

== Error Handling==
* [[Testing_for_Error_Code_(OTG-ERR-001)|Check for Error Codes]]
* [[Testing_for_Stack_Traces_(OTG-ERR-002)|Check for Stack Traces]]

= Other Formats =

* DradisPro template format [https://github.com/raesene/OWASP_Web_App_Testing_Cheatsheet_Converter/blob/master/OWASP_Web_Application_Testing_Cheat_Sheet.xml on github]
* Asana template on [http://templana.com/templates/owasp-website-security-checklist/ Templana] (thanks to Bastien Siebman)

= Authors and primary contributors =

[[User:Simon Bennetts|Simon Bennetts]] 
[[User:Raesene|Rory McCune]] 
Colin Watson 
Simone Onofri 
[[User:Amro_Ahmed|Amro AlOlaqi]]

All the authors of the Testing Guide v3

= Other Contributors =

[[User:Ryan_Dewhurst|Ryan Dewhurst]] 

= Related articles =

OWASP [[:Category:OWASP Testing Project|Testing Guide]]

Mozilla [https://wiki.mozilla.org/WebAppSec/Web_Security_Verification Web Security Verification]

{{Cheatsheet_Navigation}}

[[Category:Cheatsheets]] [[Category:OWASP_Breakers]]

Web Application Security Testing Cheat Sheet

2015-09-03T17:49:28Z

Raesene: /* Data Validation */

= DRAFT CHEAT SHEET - WORK IN PROGRESS =

= Introduction =

This cheat sheet provides a checklist of tasks to be performed when performing a blackbox security test of a web application.

= Purpose =

This checklist is intended to be used as an aide memoire for experienced pentesters and should be used in conjunction with the [[:Category:OWASP Testing Project|OWASP Testing Guide]]. It will be updated as the [[OWASP_Application_Testing_guide_v4|Testing Guide v4]] is progressed.

The intention is that this guide will be available as an XML document, with scripts that convert it into formats such as pdf, Media Wiki markup, HTML etc.

This will allow it to be consumed within security tools as well as being available in a format suitable for printing.

All feedback or offers of help will be appreciated - and if you have specific chances you think should be made, just get stuck in.

= The Checklist =

== Information Gathering ==
* Manually explore the site
* [[Testing:_Spidering_and_googling | Spider/crawl]] for missed or hidden content
* [[Review_Webserver_Metafiles_for_Information_Leakage_(OTG-INFO-003)|Check the Webserver Metafiles]] for information leakage files that expose content, such as robots.txt, sitemap.xml, .DS_Store
* [[Conduct_search_engine_discovery/reconnaissance_for_information_leakage_(OTG-INFO-001)|Check the caches of major search engines for publicly accessible sites]]
* Check for differences in content based on User Agent (eg, Mobile sites, access as a Search engine Crawler)
* [[Review_webpage_comments_and_metadata_for_information_leakage_(OTG-INFO-005) | Check The Webpage Comments and Metadata for Information Leakage]]
* [[Fingerprint_Web_Application_Framework_(OTG-INFO-008) | Check The Web Application Framework]]
* [[Fingerprint_Web_Server_(OTG-INFO-002)|Perform Web Application Fingerprinting]]
* Identify technologies used
* Identify user roles
* [[Identify_application_entry_points_(OTG-INFO-006) | Identify application entry points]]
* Identify client-side code
* Identify multiple versions/channels (e.g. web, mobile web, mobile app)
* [[Web_Services | Identify web services]]
* Identify co-hosted and related applications
* Identify all hostnames and ports
* Identify third-party hosted content

== Configuration Management ==
* Check for commonly used application and administrative URLs
* Check for old, backup and unreferenced files
* Check HTTP methods supported and Cross Site Tracing (XST)
* Test file extensions handling
* Test RIA cross domain policy
* Test for security HTTP headers (e.g. CSP, X-Frame-Options, HSTS)
* Test for policies (e.g. Flash, Silverlight, robots)
* Test for non-production data in live environment, and vice-versa
* Check for sensitive data in client-side code (e.g. API keys, credentials)

== Secure Transmission ==
* Check SSL Version, Algorithms, Key length
* Check for Digital Certificate Validity (Duration, Signature and CN)
* Check credentials only delivered over HTTPS
* Check that the login form is delivered over HTTPS
* Check session tokens only delivered over HTTPS
* Check if HTTP Strict Transport Security (HSTS) in use

== Authentication ==
* [[Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002) | Test for user enumeration]]
* [[Testing_for_Bypassing_Authentication_Schema_(OTG-AUTHN-004) | Test for authentication bypass]]
* [[Testing_for_Brute_Force_(OWASP-AT-004) | Test for brute force protection]]
* [[Testing_for_Credentials_Transported_over_an_Encrypted_Channel_(OTG-AUTHN-001)|Test for Credentials Transported over an Encrypted Channel]]
* [[Testing_for_Weak_password_policy_(OTG-AUTHN-007)|Test password quality rules
* Test remember me functionality]]
* Test password reset and/or recovery
* Test password change process
* Test CAPTCHA
* Test multi factor authentication
* Test for logout functionality presence
* Test for cache management on HTTP (eg Pragma, Expires, Max-age)
* Test for default logins
* Test for user-accessible authentication history
* Test for out-of channel notification of account lockouts and successful password changes
* Test for consistent authentication across applications with shared authentication schema / SSO and alternative channels
* Test for Weak security question/answer

== Session Management ==
* Establish how session management is handled in the application (eg, tokens in cookies, token in URL)
* [[Testing_for_cookies_attributes_(OTG-SESS-002)|Check session tokens for cookie flags (httpOnly and secure)]]
* [[Testing_for_cookies_attributes_(OTG-SESS-002)|Check session cookie scope (path and domain)]]
* Check session cookie duration (expires and max-age)
* [[Test_Session_Timeout_(OTG-SESS-007)|Check session termination after a maximum lifetime]]
* [[Test_Session_Timeout_(OTG-SESS-007)|Check session termination after relative timeout]]
* [[Testing_for_logout_functionality_(OTG-SESS-006)|Check session termination after logout]]
* Test to see if users can have multiple simultaneous sessions
* Test session cookies for randomness
* Confirm that new session tokens are issued on login, role change and logout
* Test for consistent session management across applications with shared session management
* Test for session puzzling
* Test for CSRF and clickjacking

== Authorization ==
* [[Testing_Directory_traversal/file_include_(OTG-AUTHZ-001)|Test for path traversal]]
* [[Testing_for_Privilege_escalation_(OTG-AUTHZ-003)|Test for vertical Access control problems (a.k.a. Privilege Escalation)]]
* Test for horizontal Access control problems (between two users at the same privilege level)
* [[Testing_for_Bypassing_Authorization_Schema_(OTG-AUTHZ-002)|Test for missing authorisation]]
* [[Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004)|Test for Insecure Direct Object References]]

== Data Validation ==
* [[Testing_for_Reflected_Cross_site_scripting_(OTG-INPVAL-001)|Test for Reflected Cross Site Scripting]]
* [[Testing_for_Stored_Cross_site_scripting_(OTG-INPVAL-002)|Test for Stored Cross Site Scripting]]
* [[Testing_for_DOM-based_Cross_site_scripting_(OTG-CLIENT-001)|Test for DOM based Cross Site Scripting]]
* Test for Cross Site Flashing
* Test for HTML Injection
* [[Testing_for_SQL_Injection_(OTG-INPVAL-005)|Test for SQL Injection]]
* Test for LDAP Injection
* [[Testing_for_ORM_Injection_(OTG-INPVAL-007)|Test for ORM Injection]]
* [[Testing_for_XML_Injection_(OTG-INPVAL-008)|Test for XML Injection]]
* Test for XXE Injection
* [[Testing_for_SSI_Injection_(OTG-INPVAL-009)|Test for SSI Injection]]
* [[Testing_for_XPath_Injection_(OTG-INPVAL-010)|Test for XPath Injection]]
* Test for XQuery Injection
* [[Testing_for_IMAP/SMTP_Injection_(OTG-INPVAL-011)|Test for IMAP/SMTP Injection]]
* [[Testing_for_Code_Injection_(OTG-INPVAL-012)|Test for Code Injection]]
* Test for Expression Language Injection
* [[Testing_for_Command_Injection_(OTG-INPVAL-013)|Test for Command Injection]]
* Test for Overflow ([[Testing_for_Stack_Overflow|Stack]], [[Testing_for_Heap_Overflow|Heap]] and Integer)
* [[Testing_for_Format_String|Test for Format String]]
* Test for incubated vulnerabilities
* [[Testing_for_HTTP_Splitting/Smuggling_(OTG-INPVAL-016)|Test for HTTP Splitting/Smuggling]]
* Test for HTTP Verb Tampering
* [[Top_10_2013-A10-Unvalidated_Redirects_and_Forwards|Test for Open Redirection]]
* [[Testing_for_Local_File_Inclusion|Test for Local File Inclusion]]
* [[Testing_for_Remote_File_Inclusion|Test for Remote File Inclusion]]
* Compare client-side and server-side validation rules
* Test for NoSQL injection
* Test for HTTP parameter pollution
* Test for auto-binding
* Test for Mass Assignment
* Test for NULL/Invalid Session Cookie

== Denial of Service ==
* Test for anti-automation
* [[Testing_for_Weak_lock_out_mechanism_(OTG-AUTHN-003)|Test for account lockout]]
* Test for HTTP protocol DoS
* Test for SQL wildcard DoS

== Business Logic ==
* Test for feature misuse
* Test for lack of non-repudiation
* Test for trust relationships
* Test for integrity of data
* Test segregation of duties
* Test for Process Timing
* Test Number of Times a Function Can be Used Limits
* Test for the Circumvention of Work Flows
* Test Defenses Against Application Mis-use
* Test Upload of Unexpected File Types

== Cryptography ==
* [[Testing_for_Sensitive_information_sent_via_unencrypted_channels_(OTG-CRYPST-003)|Check if data which should be encrypted is not]]
* Check for wrong algorithms usage depending on context
* [[Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_(OTG-CRYPST-001)|Check for weak algorithms usage]]
* [[Password_Storage_Cheat_Sheet#Use_a_cryptographically_strong_credential-specific_salt | Check for proper use of salting]]
* [[Insecure_Randomness | Check for randomness functions]]

== Risky Functionality - File Uploads ==
* [[Test_Upload_of_Unexpected_File_Types_(OTG-BUSLOGIC-008)|Test that acceptable file types are whitelisted and non-whitelisted types are rejected]]
* Test that file size limits, upload frequency and total file counts are defined and are enforced
* Test that file contents match the defined file type
* [[Test_Upload_of_Malicious_Files_(OTG-BUSLOGIC-009)|Test that all file uploads have Anti-Virus scanning in-place.]]
* Test that unsafe filenames are sanitised
* Test that uploaded files are not directly accessible within the web root
* Test that uploaded files are not served on the same hostname/port
* Test that files and other media are integrated with the authentication and authorisation schemas

== Risky Functionality - Card Payment ==
* Test for known vulnerabilities and configuration issues on Web Server and Web Application
* Test for default or guessable password
* Test for non-production data in live environment, and vice-versa
* [[Injection_Flaws | Test for Injection vulnerabilities ]]
* [[Testing_for_Buffer_Overflow_(OTG-INPVAL-014) | Test for Buffer Overflows]]
* [[Top_10_2010-A7-Insecure_Cryptographic_Storage | Test for Insecure Cryptographic Storage]]
* [[Top_10_2010-A9-Insufficient_Transport_Layer_Protection | Test for Insufficient Transport Layer Protection]]
* [[Web_Application_Security_Testing_Cheat_Sheet#Error_Handling|Test for Improper Error Handling]]
* Test for all vulnerabilities with a CVSS v2 score > 4.0
* Test for Authentication and Authorization issues
* [[Testing_for_CSRF_(OTG-SESS-005)|Test for CSRF]]

== HTML 5==
* [[Test_Web_Messaging_(OTG-CLIENT-011)|Test Web Messaging]]
* [[Test_Local_Storage_(OTG-CLIENT-012)|Test for Web Storage SQL injection]]
* [[Test_Cross_Origin_Resource_Sharing_(OTG-CLIENT-007)|Check CORS implementation]]
* [[HTML5_Security_Cheat_Sheet#Offline_Applications | Check Offline Web Application]]

== Error Handling==
* [[Testing_for_Error_Code_(OTG-ERR-001)|Check for Error Codes]]
* [[Testing_for_Stack_Traces_(OTG-ERR-002)|Check for Stack Traces]]

= Other Formats =

* DradisPro template format [https://github.com/raesene/OWASP_Web_App_Testing_Cheatsheet_Converter/blob/master/OWASP_Web_Application_Testing_Cheat_Sheet.xml on github]
* Asana template on [http://templana.com/templates/owasp-website-security-checklist/ Templana] (thanks to Bastien Siebman)

= Authors and primary contributors =

[[User:Simon Bennetts|Simon Bennetts]] 
[[User:Raesene|Rory McCune]] 
Colin Watson 
Simone Onofri 
[[User:Amro_Ahmed|Amro AlOlaqi]]

All the authors of the Testing Guide v3

= Other Contributors =

[[User:Ryan_Dewhurst|Ryan Dewhurst]] 

= Related articles =

OWASP [[:Category:OWASP Testing Project|Testing Guide]]

Mozilla [https://wiki.mozilla.org/WebAppSec/Web_Security_Verification Web Security Verification]

{{Cheatsheet_Navigation}}

[[Category:Cheatsheets]] [[Category:OWASP_Breakers]]

Web Application Security Testing Cheat Sheet

2015-09-03T17:30:10Z

Raesene: /* Data Validation */

= DRAFT CHEAT SHEET - WORK IN PROGRESS =

= Introduction =

This cheat sheet provides a checklist of tasks to be performed when performing a blackbox security test of a web application.

= Purpose =

This checklist is intended to be used as an aide memoire for experienced pentesters and should be used in conjunction with the [[:Category:OWASP Testing Project|OWASP Testing Guide]]. It will be updated as the [[OWASP_Application_Testing_guide_v4|Testing Guide v4]] is progressed.

The intention is that this guide will be available as an XML document, with scripts that convert it into formats such as pdf, Media Wiki markup, HTML etc.

This will allow it to be consumed within security tools as well as being available in a format suitable for printing.

All feedback or offers of help will be appreciated - and if you have specific chances you think should be made, just get stuck in.

= The Checklist =

== Information Gathering ==
* Manually explore the site
* [[Testing:_Spidering_and_googling | Spider/crawl]] for missed or hidden content
* [[Review_Webserver_Metafiles_for_Information_Leakage_(OTG-INFO-003)|Check the Webserver Metafiles]] for information leakage files that expose content, such as robots.txt, sitemap.xml, .DS_Store
* [[Conduct_search_engine_discovery/reconnaissance_for_information_leakage_(OTG-INFO-001)|Check the caches of major search engines for publicly accessible sites]]
* Check for differences in content based on User Agent (eg, Mobile sites, access as a Search engine Crawler)
* [[Review_webpage_comments_and_metadata_for_information_leakage_(OTG-INFO-005) | Check The Webpage Comments and Metadata for Information Leakage]]
* [[Fingerprint_Web_Application_Framework_(OTG-INFO-008) | Check The Web Application Framework]]
* [[Fingerprint_Web_Server_(OTG-INFO-002)|Perform Web Application Fingerprinting]]
* Identify technologies used
* Identify user roles
* [[Identify_application_entry_points_(OTG-INFO-006) | Identify application entry points]]
* Identify client-side code
* Identify multiple versions/channels (e.g. web, mobile web, mobile app)
* [[Web_Services | Identify web services]]
* Identify co-hosted and related applications
* Identify all hostnames and ports
* Identify third-party hosted content

== Configuration Management ==
* Check for commonly used application and administrative URLs
* Check for old, backup and unreferenced files
* Check HTTP methods supported and Cross Site Tracing (XST)
* Test file extensions handling
* Test RIA cross domain policy
* Test for security HTTP headers (e.g. CSP, X-Frame-Options, HSTS)
* Test for policies (e.g. Flash, Silverlight, robots)
* Test for non-production data in live environment, and vice-versa
* Check for sensitive data in client-side code (e.g. API keys, credentials)

== Secure Transmission ==
* Check SSL Version, Algorithms, Key length
* Check for Digital Certificate Validity (Duration, Signature and CN)
* Check credentials only delivered over HTTPS
* Check that the login form is delivered over HTTPS
* Check session tokens only delivered over HTTPS
* Check if HTTP Strict Transport Security (HSTS) in use

== Authentication ==
* [[Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002) | Test for user enumeration]]
* [[Testing_for_Bypassing_Authentication_Schema_(OTG-AUTHN-004) | Test for authentication bypass]]
* [[Testing_for_Brute_Force_(OWASP-AT-004) | Test for brute force protection]]
* [[Testing_for_Credentials_Transported_over_an_Encrypted_Channel_(OTG-AUTHN-001)|Test for Credentials Transported over an Encrypted Channel]]
* [[Testing_for_Weak_password_policy_(OTG-AUTHN-007)|Test password quality rules
* Test remember me functionality]]
* Test password reset and/or recovery
* Test password change process
* Test CAPTCHA
* Test multi factor authentication
* Test for logout functionality presence
* Test for cache management on HTTP (eg Pragma, Expires, Max-age)
* Test for default logins
* Test for user-accessible authentication history
* Test for out-of channel notification of account lockouts and successful password changes
* Test for consistent authentication across applications with shared authentication schema / SSO and alternative channels
* Test for Weak security question/answer

== Session Management ==
* Establish how session management is handled in the application (eg, tokens in cookies, token in URL)
* [[Testing_for_cookies_attributes_(OTG-SESS-002)|Check session tokens for cookie flags (httpOnly and secure)]]
* [[Testing_for_cookies_attributes_(OTG-SESS-002)|Check session cookie scope (path and domain)]]
* Check session cookie duration (expires and max-age)
* [[Test_Session_Timeout_(OTG-SESS-007)|Check session termination after a maximum lifetime]]
* [[Test_Session_Timeout_(OTG-SESS-007)|Check session termination after relative timeout]]
* [[Testing_for_logout_functionality_(OTG-SESS-006)|Check session termination after logout]]
* Test to see if users can have multiple simultaneous sessions
* Test session cookies for randomness
* Confirm that new session tokens are issued on login, role change and logout
* Test for consistent session management across applications with shared session management
* Test for session puzzling
* Test for CSRF and clickjacking

== Authorization ==
* [[Testing_Directory_traversal/file_include_(OTG-AUTHZ-001)|Test for path traversal]]
* [[Testing_for_Privilege_escalation_(OTG-AUTHZ-003)|Test for vertical Access control problems (a.k.a. Privilege Escalation)]]
* Test for horizontal Access control problems (between two users at the same privilege level)
* [[Testing_for_Bypassing_Authorization_Schema_(OTG-AUTHZ-002)|Test for missing authorisation]]
* [[Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004)|Test for Insecure Direct Object References]]

== Data Validation ==
* [[Testing_for_Reflected_Cross_site_scripting_(OTG-INPVAL-001)|Test for Reflected Cross Site Scripting]]
* [[Testing_for_Stored_Cross_site_scripting_(OTG-INPVAL-002)|Test for Stored Cross Site Scripting]]
* [[Testing_for_DOM-based_Cross_site_scripting_(OTG-CLIENT-001)|Test for DOM based Cross Site Scripting]]
* Test for Cross Site Flashing
* Test for HTML Injection
* [[Testing_for_SQL_Injection_(OTG-INPVAL-005)|Test for SQL Injection]]
* Test for LDAP Injection
* [[Testing_for_ORM_Injection_(OTG-INPVAL-007)|Test for ORM Injection]]
* [[Testing_for_XML_Injection_(OTG-INPVAL-008)|Test for XML Injection]]
* Test for XXE Injection
* [[Testing_for_SSI_Injection_(OTG-INPVAL-009)|Test for SSI Injection]]
* [[Testing_for_XPath_Injection_(OTG-INPVAL-010)|Test for XPath Injection]]
* Test for XQuery Injection
* [[Testing_for_IMAP/SMTP_Injection_(OTG-INPVAL-011)|Test for IMAP/SMTP Injection]]
* [[Testing_for_Code_Injection_(OTG-INPVAL-012)|Test for Code Injection]]
* Test for Expression Language Injection
* [[Testing_for_Command_Injection_(OTG-INPVAL-013)|Test for Command Injection]]
* Test for Overflow ([[Testing_for_Stack_Overflow|Stack]], [[Testing_for_Heap_Overflow|Heap]] and Integer)
* [[Testing_for_Format_String|Test for Format String]]
* Test for incubated vulnerabilities
* [[Testing_for_HTTP_Splitting/Smuggling_(OTG-INPVAL-016)|Test for HTTP Splitting/Smuggling]]
* Test for HTTP Verb Tampering
* Test for Open Redirection
* [[Testing_for_Local_File_Inclusion|Test for Local File Inclusion]]
* [[Testing_for_Remote_File_Inclusion|Test for Remote File Inclusion]]
* Compare client-side and server-side validation rules
* Test for NoSQL injection
* Test for HTTP parameter pollution
* Test for auto-binding
* Test for Mass Assignment
* Test for NULL/Invalid Session Cookie

== Denial of Service ==
* Test for anti-automation
* [[Testing_for_Weak_lock_out_mechanism_(OTG-AUTHN-003)|Test for account lockout]]
* Test for HTTP protocol DoS
* Test for SQL wildcard DoS

== Business Logic ==
* Test for feature misuse
* Test for lack of non-repudiation
* Test for trust relationships
* Test for integrity of data
* Test segregation of duties
* Test for Process Timing
* Test Number of Times a Function Can be Used Limits
* Test for the Circumvention of Work Flows
* Test Defenses Against Application Mis-use
* Test Upload of Unexpected File Types

== Cryptography ==
* [[Testing_for_Sensitive_information_sent_via_unencrypted_channels_(OTG-CRYPST-003)|Check if data which should be encrypted is not]]
* Check for wrong algorithms usage depending on context
* [[Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_(OTG-CRYPST-001)|Check for weak algorithms usage]]
* [[Password_Storage_Cheat_Sheet#Use_a_cryptographically_strong_credential-specific_salt | Check for proper use of salting]]
* [[Insecure_Randomness | Check for randomness functions]]

== Risky Functionality - File Uploads ==
* [[Test_Upload_of_Unexpected_File_Types_(OTG-BUSLOGIC-008)|Test that acceptable file types are whitelisted and non-whitelisted types are rejected]]
* Test that file size limits, upload frequency and total file counts are defined and are enforced
* Test that file contents match the defined file type
* [[Test_Upload_of_Malicious_Files_(OTG-BUSLOGIC-009)|Test that all file uploads have Anti-Virus scanning in-place.]]
* Test that unsafe filenames are sanitised
* Test that uploaded files are not directly accessible within the web root
* Test that uploaded files are not served on the same hostname/port
* Test that files and other media are integrated with the authentication and authorisation schemas

== Risky Functionality - Card Payment ==
* Test for known vulnerabilities and configuration issues on Web Server and Web Application
* Test for default or guessable password
* Test for non-production data in live environment, and vice-versa
* [[Injection_Flaws | Test for Injection vulnerabilities ]]
* [[Testing_for_Buffer_Overflow_(OTG-INPVAL-014) | Test for Buffer Overflows]]
* [[Top_10_2010-A7-Insecure_Cryptographic_Storage | Test for Insecure Cryptographic Storage]]
* [[Top_10_2010-A9-Insufficient_Transport_Layer_Protection | Test for Insufficient Transport Layer Protection]]
* [[Web_Application_Security_Testing_Cheat_Sheet#Error_Handling|Test for Improper Error Handling]]
* Test for all vulnerabilities with a CVSS v2 score > 4.0
* Test for Authentication and Authorization issues
* [[Testing_for_CSRF_(OTG-SESS-005)|Test for CSRF]]

== HTML 5==
* [[Test_Web_Messaging_(OTG-CLIENT-011)|Test Web Messaging]]
* [[Test_Local_Storage_(OTG-CLIENT-012)|Test for Web Storage SQL injection]]
* [[Test_Cross_Origin_Resource_Sharing_(OTG-CLIENT-007)|Check CORS implementation]]
* [[HTML5_Security_Cheat_Sheet#Offline_Applications | Check Offline Web Application]]

== Error Handling==
* [[Testing_for_Error_Code_(OTG-ERR-001)|Check for Error Codes]]
* [[Testing_for_Stack_Traces_(OTG-ERR-002)|Check for Stack Traces]]

= Other Formats =

* DradisPro template format [https://github.com/raesene/OWASP_Web_App_Testing_Cheatsheet_Converter/blob/master/OWASP_Web_Application_Testing_Cheat_Sheet.xml on github]
* Asana template on [http://templana.com/templates/owasp-website-security-checklist/ Templana] (thanks to Bastien Siebman)

= Authors and primary contributors =

[[User:Simon Bennetts|Simon Bennetts]] 
[[User:Raesene|Rory McCune]] 
Colin Watson 
Simone Onofri 
[[User:Amro_Ahmed|Amro AlOlaqi]]

All the authors of the Testing Guide v3

= Other Contributors =

[[User:Ryan_Dewhurst|Ryan Dewhurst]] 

= Related articles =

OWASP [[:Category:OWASP Testing Project|Testing Guide]]

Mozilla [https://wiki.mozilla.org/WebAppSec/Web_Security_Verification Web Security Verification]

{{Cheatsheet_Navigation}}

[[Category:Cheatsheets]] [[Category:OWASP_Breakers]]

Web Application Security Testing Cheat Sheet

2015-09-03T17:26:26Z

Raesene: /* Session Management */

= DRAFT CHEAT SHEET - WORK IN PROGRESS =

= Introduction =

This cheat sheet provides a checklist of tasks to be performed when performing a blackbox security test of a web application.

= Purpose =

This checklist is intended to be used as an aide memoire for experienced pentesters and should be used in conjunction with the [[:Category:OWASP Testing Project|OWASP Testing Guide]]. It will be updated as the [[OWASP_Application_Testing_guide_v4|Testing Guide v4]] is progressed.

The intention is that this guide will be available as an XML document, with scripts that convert it into formats such as pdf, Media Wiki markup, HTML etc.

This will allow it to be consumed within security tools as well as being available in a format suitable for printing.

All feedback or offers of help will be appreciated - and if you have specific chances you think should be made, just get stuck in.

= The Checklist =

== Information Gathering ==
* Manually explore the site
* [[Testing:_Spidering_and_googling | Spider/crawl]] for missed or hidden content
* [[Review_Webserver_Metafiles_for_Information_Leakage_(OTG-INFO-003)|Check the Webserver Metafiles]] for information leakage files that expose content, such as robots.txt, sitemap.xml, .DS_Store
* [[Conduct_search_engine_discovery/reconnaissance_for_information_leakage_(OTG-INFO-001)|Check the caches of major search engines for publicly accessible sites]]
* Check for differences in content based on User Agent (eg, Mobile sites, access as a Search engine Crawler)
* [[Review_webpage_comments_and_metadata_for_information_leakage_(OTG-INFO-005) | Check The Webpage Comments and Metadata for Information Leakage]]
* [[Fingerprint_Web_Application_Framework_(OTG-INFO-008) | Check The Web Application Framework]]
* [[Fingerprint_Web_Server_(OTG-INFO-002)|Perform Web Application Fingerprinting]]
* Identify technologies used
* Identify user roles
* [[Identify_application_entry_points_(OTG-INFO-006) | Identify application entry points]]
* Identify client-side code
* Identify multiple versions/channels (e.g. web, mobile web, mobile app)
* [[Web_Services | Identify web services]]
* Identify co-hosted and related applications
* Identify all hostnames and ports
* Identify third-party hosted content

== Configuration Management ==
* Check for commonly used application and administrative URLs
* Check for old, backup and unreferenced files
* Check HTTP methods supported and Cross Site Tracing (XST)
* Test file extensions handling
* Test RIA cross domain policy
* Test for security HTTP headers (e.g. CSP, X-Frame-Options, HSTS)
* Test for policies (e.g. Flash, Silverlight, robots)
* Test for non-production data in live environment, and vice-versa
* Check for sensitive data in client-side code (e.g. API keys, credentials)

== Secure Transmission ==
* Check SSL Version, Algorithms, Key length
* Check for Digital Certificate Validity (Duration, Signature and CN)
* Check credentials only delivered over HTTPS
* Check that the login form is delivered over HTTPS
* Check session tokens only delivered over HTTPS
* Check if HTTP Strict Transport Security (HSTS) in use

== Authentication ==
* [[Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002) | Test for user enumeration]]
* [[Testing_for_Bypassing_Authentication_Schema_(OTG-AUTHN-004) | Test for authentication bypass]]
* [[Testing_for_Brute_Force_(OWASP-AT-004) | Test for brute force protection]]
* [[Testing_for_Credentials_Transported_over_an_Encrypted_Channel_(OTG-AUTHN-001)|Test for Credentials Transported over an Encrypted Channel]]
* [[Testing_for_Weak_password_policy_(OTG-AUTHN-007)|Test password quality rules
* Test remember me functionality]]
* Test password reset and/or recovery
* Test password change process
* Test CAPTCHA
* Test multi factor authentication
* Test for logout functionality presence
* Test for cache management on HTTP (eg Pragma, Expires, Max-age)
* Test for default logins
* Test for user-accessible authentication history
* Test for out-of channel notification of account lockouts and successful password changes
* Test for consistent authentication across applications with shared authentication schema / SSO and alternative channels
* Test for Weak security question/answer

== Session Management ==
* Establish how session management is handled in the application (eg, tokens in cookies, token in URL)
* [[Testing_for_cookies_attributes_(OTG-SESS-002)|Check session tokens for cookie flags (httpOnly and secure)]]
* [[Testing_for_cookies_attributes_(OTG-SESS-002)|Check session cookie scope (path and domain)]]
* Check session cookie duration (expires and max-age)
* [[Test_Session_Timeout_(OTG-SESS-007)|Check session termination after a maximum lifetime]]
* [[Test_Session_Timeout_(OTG-SESS-007)|Check session termination after relative timeout]]
* [[Testing_for_logout_functionality_(OTG-SESS-006)|Check session termination after logout]]
* Test to see if users can have multiple simultaneous sessions
* Test session cookies for randomness
* Confirm that new session tokens are issued on login, role change and logout
* Test for consistent session management across applications with shared session management
* Test for session puzzling
* Test for CSRF and clickjacking

== Authorization ==
* [[Testing_Directory_traversal/file_include_(OTG-AUTHZ-001)|Test for path traversal]]
* [[Testing_for_Privilege_escalation_(OTG-AUTHZ-003)|Test for vertical Access control problems (a.k.a. Privilege Escalation)]]
* Test for horizontal Access control problems (between two users at the same privilege level)
* [[Testing_for_Bypassing_Authorization_Schema_(OTG-AUTHZ-002)|Test for missing authorisation]]
* [[Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004)|Test for Insecure Direct Object References]]

== Data Validation ==
* [[Testing_for_Reflected_Cross_site_scripting_(OTG-INPVAL-001)|Test for Reflected Cross Site Scripting]]
* [[Testing_for_Stored_Cross_site_scripting_(OTG-INPVAL-002)|Test for Stored Cross Site Scripting]]
* [[Testing_for_DOM-based_Cross_site_scripting_(OTG-CLIENT-001)|Test for DOM based Cross Site Scripting]]
* Test for Cross Site Flashing
* Test for HTML Injection
* [[Testing_for_SQL_Injection_(OTG-INPVAL-005)|Test for SQL Injection]]
* Test for LDAP Injection
* [[Testing_for_ORM_Injection_(OTG-INPVAL-007)|Test for ORM Injection]]
* [[Testing_for_XML_Injection_(OTG-INPVAL-008)|Test for XML Injection]]
* Test for XXE Injection
* [[Testing_for_SSI_Injection_(OTG-INPVAL-009)|Test for SSI Injection]]
* [[Testing_for_XPath_Injection_(OTG-INPVAL-010)|Test for XPath Injection]]
* Test for XQuery Injection
* [[Testing_for_IMAP/SMTP_Injection_(OTG-INPVAL-011)|Test for IMAP/SMTP Injection]]
* [[Testing_for_Code_Injection_(OTG-INPVAL-012)|Test for Code Injection]]
* Test for Expression Language Injection
* Test for Command Injection
* Test for Overflow (Stack, Heap and Integer)
* Test for Format String
* Test for incubated vulnerabilities
* Test for HTTP Splitting/Smuggling
* Test for HTTP Verb Tampering
* Test for Open Redirection
* [[Testing_for_Local_File_Inclusion|Test for Local File Inclusion]]
* [[Testing_for_Remote_File_Inclusion|Test for Remote File Inclusion]]
* Compare client-side and server-side validation rules
* Test for NoSQL injection
* Test for HTTP parameter pollution
* Test for auto-binding
* Test for Mass Assignment
* Test for NULL/Invalid Session Cookie

== Denial of Service ==
* Test for anti-automation
* [[Testing_for_Weak_lock_out_mechanism_(OTG-AUTHN-003)|Test for account lockout]]
* Test for HTTP protocol DoS
* Test for SQL wildcard DoS

== Business Logic ==
* Test for feature misuse
* Test for lack of non-repudiation
* Test for trust relationships
* Test for integrity of data
* Test segregation of duties
* Test for Process Timing
* Test Number of Times a Function Can be Used Limits
* Test for the Circumvention of Work Flows
* Test Defenses Against Application Mis-use
* Test Upload of Unexpected File Types

== Cryptography ==
* [[Testing_for_Sensitive_information_sent_via_unencrypted_channels_(OTG-CRYPST-003)|Check if data which should be encrypted is not]]
* Check for wrong algorithms usage depending on context
* [[Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_(OTG-CRYPST-001)|Check for weak algorithms usage]]
* [[Password_Storage_Cheat_Sheet#Use_a_cryptographically_strong_credential-specific_salt | Check for proper use of salting]]
* [[Insecure_Randomness | Check for randomness functions]]

== Risky Functionality - File Uploads ==
* [[Test_Upload_of_Unexpected_File_Types_(OTG-BUSLOGIC-008)|Test that acceptable file types are whitelisted and non-whitelisted types are rejected]]
* Test that file size limits, upload frequency and total file counts are defined and are enforced
* Test that file contents match the defined file type
* [[Test_Upload_of_Malicious_Files_(OTG-BUSLOGIC-009)|Test that all file uploads have Anti-Virus scanning in-place.]]
* Test that unsafe filenames are sanitised
* Test that uploaded files are not directly accessible within the web root
* Test that uploaded files are not served on the same hostname/port
* Test that files and other media are integrated with the authentication and authorisation schemas

== Risky Functionality - Card Payment ==
* Test for known vulnerabilities and configuration issues on Web Server and Web Application
* Test for default or guessable password
* Test for non-production data in live environment, and vice-versa
* [[Injection_Flaws | Test for Injection vulnerabilities ]]
* [[Testing_for_Buffer_Overflow_(OTG-INPVAL-014) | Test for Buffer Overflows]]
* [[Top_10_2010-A7-Insecure_Cryptographic_Storage | Test for Insecure Cryptographic Storage]]
* [[Top_10_2010-A9-Insufficient_Transport_Layer_Protection | Test for Insufficient Transport Layer Protection]]
* [[Web_Application_Security_Testing_Cheat_Sheet#Error_Handling|Test for Improper Error Handling]]
* Test for all vulnerabilities with a CVSS v2 score > 4.0
* Test for Authentication and Authorization issues
* [[Testing_for_CSRF_(OTG-SESS-005)|Test for CSRF]]

== HTML 5==
* [[Test_Web_Messaging_(OTG-CLIENT-011)|Test Web Messaging]]
* [[Test_Local_Storage_(OTG-CLIENT-012)|Test for Web Storage SQL injection]]
* [[Test_Cross_Origin_Resource_Sharing_(OTG-CLIENT-007)|Check CORS implementation]]
* [[HTML5_Security_Cheat_Sheet#Offline_Applications | Check Offline Web Application]]

== Error Handling==
* [[Testing_for_Error_Code_(OTG-ERR-001)|Check for Error Codes]]
* [[Testing_for_Stack_Traces_(OTG-ERR-002)|Check for Stack Traces]]

= Other Formats =

* DradisPro template format [https://github.com/raesene/OWASP_Web_App_Testing_Cheatsheet_Converter/blob/master/OWASP_Web_Application_Testing_Cheat_Sheet.xml on github]
* Asana template on [http://templana.com/templates/owasp-website-security-checklist/ Templana] (thanks to Bastien Siebman)

= Authors and primary contributors =

[[User:Simon Bennetts|Simon Bennetts]] 
[[User:Raesene|Rory McCune]] 
Colin Watson 
Simone Onofri 
[[User:Amro_Ahmed|Amro AlOlaqi]]

All the authors of the Testing Guide v3

= Other Contributors =

[[User:Ryan_Dewhurst|Ryan Dewhurst]] 

= Related articles =

OWASP [[:Category:OWASP Testing Project|Testing Guide]]

Mozilla [https://wiki.mozilla.org/WebAppSec/Web_Security_Verification Web Security Verification]

{{Cheatsheet_Navigation}}

[[Category:Cheatsheets]] [[Category:OWASP_Breakers]]

Web Application Security Testing Cheat Sheet

2015-09-03T17:25:57Z

Raesene: /* Session Management */

= DRAFT CHEAT SHEET - WORK IN PROGRESS =

= Introduction =

This cheat sheet provides a checklist of tasks to be performed when performing a blackbox security test of a web application.

= Purpose =

This checklist is intended to be used as an aide memoire for experienced pentesters and should be used in conjunction with the [[:Category:OWASP Testing Project|OWASP Testing Guide]]. It will be updated as the [[OWASP_Application_Testing_guide_v4|Testing Guide v4]] is progressed.

The intention is that this guide will be available as an XML document, with scripts that convert it into formats such as pdf, Media Wiki markup, HTML etc.

This will allow it to be consumed within security tools as well as being available in a format suitable for printing.

All feedback or offers of help will be appreciated - and if you have specific chances you think should be made, just get stuck in.

= The Checklist =

== Information Gathering ==
* Manually explore the site
* [[Testing:_Spidering_and_googling | Spider/crawl]] for missed or hidden content
* [[Review_Webserver_Metafiles_for_Information_Leakage_(OTG-INFO-003)|Check the Webserver Metafiles]] for information leakage files that expose content, such as robots.txt, sitemap.xml, .DS_Store
* [[Conduct_search_engine_discovery/reconnaissance_for_information_leakage_(OTG-INFO-001)|Check the caches of major search engines for publicly accessible sites]]
* Check for differences in content based on User Agent (eg, Mobile sites, access as a Search engine Crawler)
* [[Review_webpage_comments_and_metadata_for_information_leakage_(OTG-INFO-005) | Check The Webpage Comments and Metadata for Information Leakage]]
* [[Fingerprint_Web_Application_Framework_(OTG-INFO-008) | Check The Web Application Framework]]
* [[Fingerprint_Web_Server_(OTG-INFO-002)|Perform Web Application Fingerprinting]]
* Identify technologies used
* Identify user roles
* [[Identify_application_entry_points_(OTG-INFO-006) | Identify application entry points]]
* Identify client-side code
* Identify multiple versions/channels (e.g. web, mobile web, mobile app)
* [[Web_Services | Identify web services]]
* Identify co-hosted and related applications
* Identify all hostnames and ports
* Identify third-party hosted content

== Configuration Management ==
* Check for commonly used application and administrative URLs
* Check for old, backup and unreferenced files
* Check HTTP methods supported and Cross Site Tracing (XST)
* Test file extensions handling
* Test RIA cross domain policy
* Test for security HTTP headers (e.g. CSP, X-Frame-Options, HSTS)
* Test for policies (e.g. Flash, Silverlight, robots)
* Test for non-production data in live environment, and vice-versa
* Check for sensitive data in client-side code (e.g. API keys, credentials)

== Secure Transmission ==
* Check SSL Version, Algorithms, Key length
* Check for Digital Certificate Validity (Duration, Signature and CN)
* Check credentials only delivered over HTTPS
* Check that the login form is delivered over HTTPS
* Check session tokens only delivered over HTTPS
* Check if HTTP Strict Transport Security (HSTS) in use

== Authentication ==
* [[Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002) | Test for user enumeration]]
* [[Testing_for_Bypassing_Authentication_Schema_(OTG-AUTHN-004) | Test for authentication bypass]]
* [[Testing_for_Brute_Force_(OWASP-AT-004) | Test for brute force protection]]
* [[Testing_for_Credentials_Transported_over_an_Encrypted_Channel_(OTG-AUTHN-001)|Test for Credentials Transported over an Encrypted Channel]]
* [[Testing_for_Weak_password_policy_(OTG-AUTHN-007)|Test password quality rules
* Test remember me functionality]]
* Test password reset and/or recovery
* Test password change process
* Test CAPTCHA
* Test multi factor authentication
* Test for logout functionality presence
* Test for cache management on HTTP (eg Pragma, Expires, Max-age)
* Test for default logins
* Test for user-accessible authentication history
* Test for out-of channel notification of account lockouts and successful password changes
* Test for consistent authentication across applications with shared authentication schema / SSO and alternative channels
* Test for Weak security question/answer

== Session Management ==
* Establish how session management is handled in the application (eg, tokens in cookies, token in URL)
* [[Testing_for_cookies_attributes_(OTG-SESS-002)|Check session tokens for cookie flags (httpOnly and secure)]]
* [[Testing_for_cookies_attributes_(OTG-SESS-002)|Check session cookie scope (path and domain)]]
* Check session cookie duration (expires and max-age)
* Check session termination after a maximum lifetime
* Check session termination after relative timeout
* [[Testing_for_logout_functionality_(OTG-SESS-006)|Check session termination after logout]]
* Test to see if users can have multiple simultaneous sessions
* Test session cookies for randomness
* Confirm that new session tokens are issued on login, role change and logout
* Test for consistent session management across applications with shared session management
* Test for session puzzling
* Test for CSRF and clickjacking

== Authorization ==
* [[Testing_Directory_traversal/file_include_(OTG-AUTHZ-001)|Test for path traversal]]
* [[Testing_for_Privilege_escalation_(OTG-AUTHZ-003)|Test for vertical Access control problems (a.k.a. Privilege Escalation)]]
* Test for horizontal Access control problems (between two users at the same privilege level)
* [[Testing_for_Bypassing_Authorization_Schema_(OTG-AUTHZ-002)|Test for missing authorisation]]
* [[Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004)|Test for Insecure Direct Object References]]

== Data Validation ==
* [[Testing_for_Reflected_Cross_site_scripting_(OTG-INPVAL-001)|Test for Reflected Cross Site Scripting]]
* [[Testing_for_Stored_Cross_site_scripting_(OTG-INPVAL-002)|Test for Stored Cross Site Scripting]]
* [[Testing_for_DOM-based_Cross_site_scripting_(OTG-CLIENT-001)|Test for DOM based Cross Site Scripting]]
* Test for Cross Site Flashing
* Test for HTML Injection
* [[Testing_for_SQL_Injection_(OTG-INPVAL-005)|Test for SQL Injection]]
* Test for LDAP Injection
* [[Testing_for_ORM_Injection_(OTG-INPVAL-007)|Test for ORM Injection]]
* [[Testing_for_XML_Injection_(OTG-INPVAL-008)|Test for XML Injection]]
* Test for XXE Injection
* [[Testing_for_SSI_Injection_(OTG-INPVAL-009)|Test for SSI Injection]]
* [[Testing_for_XPath_Injection_(OTG-INPVAL-010)|Test for XPath Injection]]
* Test for XQuery Injection
* [[Testing_for_IMAP/SMTP_Injection_(OTG-INPVAL-011)|Test for IMAP/SMTP Injection]]
* [[Testing_for_Code_Injection_(OTG-INPVAL-012)|Test for Code Injection]]
* Test for Expression Language Injection
* Test for Command Injection
* Test for Overflow (Stack, Heap and Integer)
* Test for Format String
* Test for incubated vulnerabilities
* Test for HTTP Splitting/Smuggling
* Test for HTTP Verb Tampering
* Test for Open Redirection
* [[Testing_for_Local_File_Inclusion|Test for Local File Inclusion]]
* [[Testing_for_Remote_File_Inclusion|Test for Remote File Inclusion]]
* Compare client-side and server-side validation rules
* Test for NoSQL injection
* Test for HTTP parameter pollution
* Test for auto-binding
* Test for Mass Assignment
* Test for NULL/Invalid Session Cookie

== Denial of Service ==
* Test for anti-automation
* [[Testing_for_Weak_lock_out_mechanism_(OTG-AUTHN-003)|Test for account lockout]]
* Test for HTTP protocol DoS
* Test for SQL wildcard DoS

== Business Logic ==
* Test for feature misuse
* Test for lack of non-repudiation
* Test for trust relationships
* Test for integrity of data
* Test segregation of duties
* Test for Process Timing
* Test Number of Times a Function Can be Used Limits
* Test for the Circumvention of Work Flows
* Test Defenses Against Application Mis-use
* Test Upload of Unexpected File Types

== Cryptography ==
* [[Testing_for_Sensitive_information_sent_via_unencrypted_channels_(OTG-CRYPST-003)|Check if data which should be encrypted is not]]
* Check for wrong algorithms usage depending on context
* [[Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_(OTG-CRYPST-001)|Check for weak algorithms usage]]
* [[Password_Storage_Cheat_Sheet#Use_a_cryptographically_strong_credential-specific_salt | Check for proper use of salting]]
* [[Insecure_Randomness | Check for randomness functions]]

== Risky Functionality - File Uploads ==
* [[Test_Upload_of_Unexpected_File_Types_(OTG-BUSLOGIC-008)|Test that acceptable file types are whitelisted and non-whitelisted types are rejected]]
* Test that file size limits, upload frequency and total file counts are defined and are enforced
* Test that file contents match the defined file type
* [[Test_Upload_of_Malicious_Files_(OTG-BUSLOGIC-009)|Test that all file uploads have Anti-Virus scanning in-place.]]
* Test that unsafe filenames are sanitised
* Test that uploaded files are not directly accessible within the web root
* Test that uploaded files are not served on the same hostname/port
* Test that files and other media are integrated with the authentication and authorisation schemas

== Risky Functionality - Card Payment ==
* Test for known vulnerabilities and configuration issues on Web Server and Web Application
* Test for default or guessable password
* Test for non-production data in live environment, and vice-versa
* [[Injection_Flaws | Test for Injection vulnerabilities ]]
* [[Testing_for_Buffer_Overflow_(OTG-INPVAL-014) | Test for Buffer Overflows]]
* [[Top_10_2010-A7-Insecure_Cryptographic_Storage | Test for Insecure Cryptographic Storage]]
* [[Top_10_2010-A9-Insufficient_Transport_Layer_Protection | Test for Insufficient Transport Layer Protection]]
* [[Web_Application_Security_Testing_Cheat_Sheet#Error_Handling|Test for Improper Error Handling]]
* Test for all vulnerabilities with a CVSS v2 score > 4.0
* Test for Authentication and Authorization issues
* [[Testing_for_CSRF_(OTG-SESS-005)|Test for CSRF]]

== HTML 5==
* [[Test_Web_Messaging_(OTG-CLIENT-011)|Test Web Messaging]]
* [[Test_Local_Storage_(OTG-CLIENT-012)|Test for Web Storage SQL injection]]
* [[Test_Cross_Origin_Resource_Sharing_(OTG-CLIENT-007)|Check CORS implementation]]
* [[HTML5_Security_Cheat_Sheet#Offline_Applications | Check Offline Web Application]]

== Error Handling==
* [[Testing_for_Error_Code_(OTG-ERR-001)|Check for Error Codes]]
* [[Testing_for_Stack_Traces_(OTG-ERR-002)|Check for Stack Traces]]

= Other Formats =

* DradisPro template format [https://github.com/raesene/OWASP_Web_App_Testing_Cheatsheet_Converter/blob/master/OWASP_Web_Application_Testing_Cheat_Sheet.xml on github]
* Asana template on [http://templana.com/templates/owasp-website-security-checklist/ Templana] (thanks to Bastien Siebman)

= Authors and primary contributors =

[[User:Simon Bennetts|Simon Bennetts]] 
[[User:Raesene|Rory McCune]] 
Colin Watson 
Simone Onofri 
[[User:Amro_Ahmed|Amro AlOlaqi]]

All the authors of the Testing Guide v3

= Other Contributors =

[[User:Ryan_Dewhurst|Ryan Dewhurst]] 

= Related articles =

OWASP [[:Category:OWASP Testing Project|Testing Guide]]

Mozilla [https://wiki.mozilla.org/WebAppSec/Web_Security_Verification Web Security Verification]

{{Cheatsheet_Navigation}}

[[Category:Cheatsheets]] [[Category:OWASP_Breakers]]

Web Application Security Testing Cheat Sheet

2015-09-03T17:25:19Z

Raesene: /* Session Management */

= DRAFT CHEAT SHEET - WORK IN PROGRESS =

= Introduction =

This cheat sheet provides a checklist of tasks to be performed when performing a blackbox security test of a web application.

= Purpose =

This checklist is intended to be used as an aide memoire for experienced pentesters and should be used in conjunction with the [[:Category:OWASP Testing Project|OWASP Testing Guide]]. It will be updated as the [[OWASP_Application_Testing_guide_v4|Testing Guide v4]] is progressed.

The intention is that this guide will be available as an XML document, with scripts that convert it into formats such as pdf, Media Wiki markup, HTML etc.

This will allow it to be consumed within security tools as well as being available in a format suitable for printing.

All feedback or offers of help will be appreciated - and if you have specific chances you think should be made, just get stuck in.

= The Checklist =

== Information Gathering ==
* Manually explore the site
* [[Testing:_Spidering_and_googling | Spider/crawl]] for missed or hidden content
* [[Review_Webserver_Metafiles_for_Information_Leakage_(OTG-INFO-003)|Check the Webserver Metafiles]] for information leakage files that expose content, such as robots.txt, sitemap.xml, .DS_Store
* [[Conduct_search_engine_discovery/reconnaissance_for_information_leakage_(OTG-INFO-001)|Check the caches of major search engines for publicly accessible sites]]
* Check for differences in content based on User Agent (eg, Mobile sites, access as a Search engine Crawler)
* [[Review_webpage_comments_and_metadata_for_information_leakage_(OTG-INFO-005) | Check The Webpage Comments and Metadata for Information Leakage]]
* [[Fingerprint_Web_Application_Framework_(OTG-INFO-008) | Check The Web Application Framework]]
* [[Fingerprint_Web_Server_(OTG-INFO-002)|Perform Web Application Fingerprinting]]
* Identify technologies used
* Identify user roles
* [[Identify_application_entry_points_(OTG-INFO-006) | Identify application entry points]]
* Identify client-side code
* Identify multiple versions/channels (e.g. web, mobile web, mobile app)
* [[Web_Services | Identify web services]]
* Identify co-hosted and related applications
* Identify all hostnames and ports
* Identify third-party hosted content

== Configuration Management ==
* Check for commonly used application and administrative URLs
* Check for old, backup and unreferenced files
* Check HTTP methods supported and Cross Site Tracing (XST)
* Test file extensions handling
* Test RIA cross domain policy
* Test for security HTTP headers (e.g. CSP, X-Frame-Options, HSTS)
* Test for policies (e.g. Flash, Silverlight, robots)
* Test for non-production data in live environment, and vice-versa
* Check for sensitive data in client-side code (e.g. API keys, credentials)

== Secure Transmission ==
* Check SSL Version, Algorithms, Key length
* Check for Digital Certificate Validity (Duration, Signature and CN)
* Check credentials only delivered over HTTPS
* Check that the login form is delivered over HTTPS
* Check session tokens only delivered over HTTPS
* Check if HTTP Strict Transport Security (HSTS) in use

== Authentication ==
* [[Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002) | Test for user enumeration]]
* [[Testing_for_Bypassing_Authentication_Schema_(OTG-AUTHN-004) | Test for authentication bypass]]
* [[Testing_for_Brute_Force_(OWASP-AT-004) | Test for brute force protection]]
* [[Testing_for_Credentials_Transported_over_an_Encrypted_Channel_(OTG-AUTHN-001)|Test for Credentials Transported over an Encrypted Channel]]
* [[Testing_for_Weak_password_policy_(OTG-AUTHN-007)|Test password quality rules
* Test remember me functionality]]
* Test password reset and/or recovery
* Test password change process
* Test CAPTCHA
* Test multi factor authentication
* Test for logout functionality presence
* Test for cache management on HTTP (eg Pragma, Expires, Max-age)
* Test for default logins
* Test for user-accessible authentication history
* Test for out-of channel notification of account lockouts and successful password changes
* Test for consistent authentication across applications with shared authentication schema / SSO and alternative channels
* Test for Weak security question/answer

== Session Management ==
* Establish how session management is handled in the application (eg, tokens in cookies, token in URL)
* [[Testing_for_cookies_attributes_(OTG-SESS-002)|Check session tokens for cookie flags (httpOnly and secure)]]
* [[Testing_for_cookies_attributes_(OTG-SESS-002)|Check session cookie scope (path and domain)]]
* Check session cookie duration (expires and max-age)
* Check session termination after a maximum lifetime
* Check session termination after relative timeout
* Check session termination after logout
* Test to see if users can have multiple simultaneous sessions
* Test session cookies for randomness
* Confirm that new session tokens are issued on login, role change and logout
* Test for consistent session management across applications with shared session management
* Test for session puzzling
* Test for CSRF and clickjacking

== Authorization ==
* [[Testing_Directory_traversal/file_include_(OTG-AUTHZ-001)|Test for path traversal]]
* [[Testing_for_Privilege_escalation_(OTG-AUTHZ-003)|Test for vertical Access control problems (a.k.a. Privilege Escalation)]]
* Test for horizontal Access control problems (between two users at the same privilege level)
* [[Testing_for_Bypassing_Authorization_Schema_(OTG-AUTHZ-002)|Test for missing authorisation]]
* [[Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004)|Test for Insecure Direct Object References]]

== Data Validation ==
* [[Testing_for_Reflected_Cross_site_scripting_(OTG-INPVAL-001)|Test for Reflected Cross Site Scripting]]
* [[Testing_for_Stored_Cross_site_scripting_(OTG-INPVAL-002)|Test for Stored Cross Site Scripting]]
* [[Testing_for_DOM-based_Cross_site_scripting_(OTG-CLIENT-001)|Test for DOM based Cross Site Scripting]]
* Test for Cross Site Flashing
* Test for HTML Injection
* [[Testing_for_SQL_Injection_(OTG-INPVAL-005)|Test for SQL Injection]]
* Test for LDAP Injection
* [[Testing_for_ORM_Injection_(OTG-INPVAL-007)|Test for ORM Injection]]
* [[Testing_for_XML_Injection_(OTG-INPVAL-008)|Test for XML Injection]]
* Test for XXE Injection
* [[Testing_for_SSI_Injection_(OTG-INPVAL-009)|Test for SSI Injection]]
* [[Testing_for_XPath_Injection_(OTG-INPVAL-010)|Test for XPath Injection]]
* Test for XQuery Injection
* [[Testing_for_IMAP/SMTP_Injection_(OTG-INPVAL-011)|Test for IMAP/SMTP Injection]]
* [[Testing_for_Code_Injection_(OTG-INPVAL-012)|Test for Code Injection]]
* Test for Expression Language Injection
* Test for Command Injection
* Test for Overflow (Stack, Heap and Integer)
* Test for Format String
* Test for incubated vulnerabilities
* Test for HTTP Splitting/Smuggling
* Test for HTTP Verb Tampering
* Test for Open Redirection
* [[Testing_for_Local_File_Inclusion|Test for Local File Inclusion]]
* [[Testing_for_Remote_File_Inclusion|Test for Remote File Inclusion]]
* Compare client-side and server-side validation rules
* Test for NoSQL injection
* Test for HTTP parameter pollution
* Test for auto-binding
* Test for Mass Assignment
* Test for NULL/Invalid Session Cookie

== Denial of Service ==
* Test for anti-automation
* [[Testing_for_Weak_lock_out_mechanism_(OTG-AUTHN-003)|Test for account lockout]]
* Test for HTTP protocol DoS
* Test for SQL wildcard DoS

== Business Logic ==
* Test for feature misuse
* Test for lack of non-repudiation
* Test for trust relationships
* Test for integrity of data
* Test segregation of duties
* Test for Process Timing
* Test Number of Times a Function Can be Used Limits
* Test for the Circumvention of Work Flows
* Test Defenses Against Application Mis-use
* Test Upload of Unexpected File Types

== Cryptography ==
* [[Testing_for_Sensitive_information_sent_via_unencrypted_channels_(OTG-CRYPST-003)|Check if data which should be encrypted is not]]
* Check for wrong algorithms usage depending on context
* [[Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_(OTG-CRYPST-001)|Check for weak algorithms usage]]
* [[Password_Storage_Cheat_Sheet#Use_a_cryptographically_strong_credential-specific_salt | Check for proper use of salting]]
* [[Insecure_Randomness | Check for randomness functions]]

== Risky Functionality - File Uploads ==
* [[Test_Upload_of_Unexpected_File_Types_(OTG-BUSLOGIC-008)|Test that acceptable file types are whitelisted and non-whitelisted types are rejected]]
* Test that file size limits, upload frequency and total file counts are defined and are enforced
* Test that file contents match the defined file type
* [[Test_Upload_of_Malicious_Files_(OTG-BUSLOGIC-009)|Test that all file uploads have Anti-Virus scanning in-place.]]
* Test that unsafe filenames are sanitised
* Test that uploaded files are not directly accessible within the web root
* Test that uploaded files are not served on the same hostname/port
* Test that files and other media are integrated with the authentication and authorisation schemas

== Risky Functionality - Card Payment ==
* Test for known vulnerabilities and configuration issues on Web Server and Web Application
* Test for default or guessable password
* Test for non-production data in live environment, and vice-versa
* [[Injection_Flaws | Test for Injection vulnerabilities ]]
* [[Testing_for_Buffer_Overflow_(OTG-INPVAL-014) | Test for Buffer Overflows]]
* [[Top_10_2010-A7-Insecure_Cryptographic_Storage | Test for Insecure Cryptographic Storage]]
* [[Top_10_2010-A9-Insufficient_Transport_Layer_Protection | Test for Insufficient Transport Layer Protection]]
* [[Web_Application_Security_Testing_Cheat_Sheet#Error_Handling|Test for Improper Error Handling]]
* Test for all vulnerabilities with a CVSS v2 score > 4.0
* Test for Authentication and Authorization issues
* [[Testing_for_CSRF_(OTG-SESS-005)|Test for CSRF]]

== HTML 5==
* [[Test_Web_Messaging_(OTG-CLIENT-011)|Test Web Messaging]]
* [[Test_Local_Storage_(OTG-CLIENT-012)|Test for Web Storage SQL injection]]
* [[Test_Cross_Origin_Resource_Sharing_(OTG-CLIENT-007)|Check CORS implementation]]
* [[HTML5_Security_Cheat_Sheet#Offline_Applications | Check Offline Web Application]]

== Error Handling==
* [[Testing_for_Error_Code_(OTG-ERR-001)|Check for Error Codes]]
* [[Testing_for_Stack_Traces_(OTG-ERR-002)|Check for Stack Traces]]

= Other Formats =

* DradisPro template format [https://github.com/raesene/OWASP_Web_App_Testing_Cheatsheet_Converter/blob/master/OWASP_Web_Application_Testing_Cheat_Sheet.xml on github]
* Asana template on [http://templana.com/templates/owasp-website-security-checklist/ Templana] (thanks to Bastien Siebman)

= Authors and primary contributors =

[[User:Simon Bennetts|Simon Bennetts]] 
[[User:Raesene|Rory McCune]] 
Colin Watson 
Simone Onofri 
[[User:Amro_Ahmed|Amro AlOlaqi]]

All the authors of the Testing Guide v3

= Other Contributors =

[[User:Ryan_Dewhurst|Ryan Dewhurst]] 

= Related articles =

OWASP [[:Category:OWASP Testing Project|Testing Guide]]

Mozilla [https://wiki.mozilla.org/WebAppSec/Web_Security_Verification Web Security Verification]

{{Cheatsheet_Navigation}}

[[Category:Cheatsheets]] [[Category:OWASP_Breakers]]

Web Application Security Testing Cheat Sheet

2015-09-03T17:12:41Z

Raesene: /* Authorization */

= DRAFT CHEAT SHEET - WORK IN PROGRESS =

= Introduction =

This cheat sheet provides a checklist of tasks to be performed when performing a blackbox security test of a web application.

= Purpose =

This checklist is intended to be used as an aide memoire for experienced pentesters and should be used in conjunction with the [[:Category:OWASP Testing Project|OWASP Testing Guide]]. It will be updated as the [[OWASP_Application_Testing_guide_v4|Testing Guide v4]] is progressed.

The intention is that this guide will be available as an XML document, with scripts that convert it into formats such as pdf, Media Wiki markup, HTML etc.

This will allow it to be consumed within security tools as well as being available in a format suitable for printing.

All feedback or offers of help will be appreciated - and if you have specific chances you think should be made, just get stuck in.

= The Checklist =

== Information Gathering ==
* Manually explore the site
* [[Testing:_Spidering_and_googling | Spider/crawl]] for missed or hidden content
* [[Review_Webserver_Metafiles_for_Information_Leakage_(OTG-INFO-003)|Check the Webserver Metafiles]] for information leakage files that expose content, such as robots.txt, sitemap.xml, .DS_Store
* [[Conduct_search_engine_discovery/reconnaissance_for_information_leakage_(OTG-INFO-001)|Check the caches of major search engines for publicly accessible sites]]
* Check for differences in content based on User Agent (eg, Mobile sites, access as a Search engine Crawler)
* [[Review_webpage_comments_and_metadata_for_information_leakage_(OTG-INFO-005) | Check The Webpage Comments and Metadata for Information Leakage]]
* [[Fingerprint_Web_Application_Framework_(OTG-INFO-008) | Check The Web Application Framework]]
* [[Fingerprint_Web_Server_(OTG-INFO-002)|Perform Web Application Fingerprinting]]
* Identify technologies used
* Identify user roles
* [[Identify_application_entry_points_(OTG-INFO-006) | Identify application entry points]]
* Identify client-side code
* Identify multiple versions/channels (e.g. web, mobile web, mobile app)
* [[Web_Services | Identify web services]]
* Identify co-hosted and related applications
* Identify all hostnames and ports
* Identify third-party hosted content

== Configuration Management ==
* Check for commonly used application and administrative URLs
* Check for old, backup and unreferenced files
* Check HTTP methods supported and Cross Site Tracing (XST)
* Test file extensions handling
* Test RIA cross domain policy
* Test for security HTTP headers (e.g. CSP, X-Frame-Options, HSTS)
* Test for policies (e.g. Flash, Silverlight, robots)
* Test for non-production data in live environment, and vice-versa
* Check for sensitive data in client-side code (e.g. API keys, credentials)

== Secure Transmission ==
* Check SSL Version, Algorithms, Key length
* Check for Digital Certificate Validity (Duration, Signature and CN)
* Check credentials only delivered over HTTPS
* Check that the login form is delivered over HTTPS
* Check session tokens only delivered over HTTPS
* Check if HTTP Strict Transport Security (HSTS) in use

== Authentication ==
* [[Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002) | Test for user enumeration]]
* [[Testing_for_Bypassing_Authentication_Schema_(OTG-AUTHN-004) | Test for authentication bypass]]
* [[Testing_for_Brute_Force_(OWASP-AT-004) | Test for brute force protection]]
* [[Testing_for_Credentials_Transported_over_an_Encrypted_Channel_(OTG-AUTHN-001)|Test for Credentials Transported over an Encrypted Channel]]
* [[Testing_for_Weak_password_policy_(OTG-AUTHN-007)|Test password quality rules
* Test remember me functionality]]
* Test password reset and/or recovery
* Test password change process
* Test CAPTCHA
* Test multi factor authentication
* Test for logout functionality presence
* Test for cache management on HTTP (eg Pragma, Expires, Max-age)
* Test for default logins
* Test for user-accessible authentication history
* Test for out-of channel notification of account lockouts and successful password changes
* Test for consistent authentication across applications with shared authentication schema / SSO and alternative channels
* Test for Weak security question/answer

== Session Management ==
* Establish how session management is handled in the application (eg, tokens in cookies, token in URL)
* Check session tokens for cookie flags (httpOnly and secure)
* Check session cookie scope (path and domain)
* Check session cookie duration (expires and max-age)
* Check session termination after a maximum lifetime
* Check session termination after relative timeout
* Check session termination after logout
* Test to see if users can have multiple simultaneous sessions
* Test session cookies for randomness
* Confirm that new session tokens are issued on login, role change and logout
* Test for consistent session management across applications with shared session management
* Test for session puzzling
* Test for CSRF and clickjacking

== Authorization ==
* [[Testing_Directory_traversal/file_include_(OTG-AUTHZ-001)|Test for path traversal]]
* [[Testing_for_Privilege_escalation_(OTG-AUTHZ-003)|Test for vertical Access control problems (a.k.a. Privilege Escalation)]]
* Test for horizontal Access control problems (between two users at the same privilege level)
* [[Testing_for_Bypassing_Authorization_Schema_(OTG-AUTHZ-002)|Test for missing authorisation]]
* [[Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004)|Test for Insecure Direct Object References]]

== Data Validation ==
* [[Testing_for_Reflected_Cross_site_scripting_(OTG-INPVAL-001)|Test for Reflected Cross Site Scripting]]
* [[Testing_for_Stored_Cross_site_scripting_(OTG-INPVAL-002)|Test for Stored Cross Site Scripting]]
* [[Testing_for_DOM-based_Cross_site_scripting_(OTG-CLIENT-001)|Test for DOM based Cross Site Scripting]]
* Test for Cross Site Flashing
* Test for HTML Injection
* [[Testing_for_SQL_Injection_(OTG-INPVAL-005)|Test for SQL Injection]]
* Test for LDAP Injection
* [[Testing_for_ORM_Injection_(OTG-INPVAL-007)|Test for ORM Injection]]
* [[Testing_for_XML_Injection_(OTG-INPVAL-008)|Test for XML Injection]]
* Test for XXE Injection
* [[Testing_for_SSI_Injection_(OTG-INPVAL-009)|Test for SSI Injection]]
* [[Testing_for_XPath_Injection_(OTG-INPVAL-010)|Test for XPath Injection]]
* Test for XQuery Injection
* [[Testing_for_IMAP/SMTP_Injection_(OTG-INPVAL-011)|Test for IMAP/SMTP Injection]]
* [[Testing_for_Code_Injection_(OTG-INPVAL-012)|Test for Code Injection]]
* Test for Expression Language Injection
* Test for Command Injection
* Test for Overflow (Stack, Heap and Integer)
* Test for Format String
* Test for incubated vulnerabilities
* Test for HTTP Splitting/Smuggling
* Test for HTTP Verb Tampering
* Test for Open Redirection
* [[Testing_for_Local_File_Inclusion|Test for Local File Inclusion]]
* [[Testing_for_Remote_File_Inclusion|Test for Remote File Inclusion]]
* Compare client-side and server-side validation rules
* Test for NoSQL injection
* Test for HTTP parameter pollution
* Test for auto-binding
* Test for Mass Assignment
* Test for NULL/Invalid Session Cookie

== Denial of Service ==
* Test for anti-automation
* [[Testing_for_Weak_lock_out_mechanism_(OTG-AUTHN-003)|Test for account lockout]]
* Test for HTTP protocol DoS
* Test for SQL wildcard DoS

== Business Logic ==
* Test for feature misuse
* Test for lack of non-repudiation
* Test for trust relationships
* Test for integrity of data
* Test segregation of duties
* Test for Process Timing
* Test Number of Times a Function Can be Used Limits
* Test for the Circumvention of Work Flows
* Test Defenses Against Application Mis-use
* Test Upload of Unexpected File Types

== Cryptography ==
* [[Testing_for_Sensitive_information_sent_via_unencrypted_channels_(OTG-CRYPST-003)|Check if data which should be encrypted is not]]
* Check for wrong algorithms usage depending on context
* [[Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_(OTG-CRYPST-001)|Check for weak algorithms usage]]
* [[Password_Storage_Cheat_Sheet#Use_a_cryptographically_strong_credential-specific_salt | Check for proper use of salting]]
* [[Insecure_Randomness | Check for randomness functions]]

== Risky Functionality - File Uploads ==
* [[Test_Upload_of_Unexpected_File_Types_(OTG-BUSLOGIC-008)|Test that acceptable file types are whitelisted and non-whitelisted types are rejected]]
* Test that file size limits, upload frequency and total file counts are defined and are enforced
* Test that file contents match the defined file type
* [[Test_Upload_of_Malicious_Files_(OTG-BUSLOGIC-009)|Test that all file uploads have Anti-Virus scanning in-place.]]
* Test that unsafe filenames are sanitised
* Test that uploaded files are not directly accessible within the web root
* Test that uploaded files are not served on the same hostname/port
* Test that files and other media are integrated with the authentication and authorisation schemas

== Risky Functionality - Card Payment ==
* Test for known vulnerabilities and configuration issues on Web Server and Web Application
* Test for default or guessable password
* Test for non-production data in live environment, and vice-versa
* [[Injection_Flaws | Test for Injection vulnerabilities ]]
* [[Testing_for_Buffer_Overflow_(OTG-INPVAL-014) | Test for Buffer Overflows]]
* [[Top_10_2010-A7-Insecure_Cryptographic_Storage | Test for Insecure Cryptographic Storage]]
* [[Top_10_2010-A9-Insufficient_Transport_Layer_Protection | Test for Insufficient Transport Layer Protection]]
* [[Web_Application_Security_Testing_Cheat_Sheet#Error_Handling|Test for Improper Error Handling]]
* Test for all vulnerabilities with a CVSS v2 score > 4.0
* Test for Authentication and Authorization issues
* [[Testing_for_CSRF_(OTG-SESS-005)|Test for CSRF]]

== HTML 5==
* [[Test_Web_Messaging_(OTG-CLIENT-011)|Test Web Messaging]]
* [[Test_Local_Storage_(OTG-CLIENT-012)|Test for Web Storage SQL injection]]
* [[Test_Cross_Origin_Resource_Sharing_(OTG-CLIENT-007)|Check CORS implementation]]
* [[HTML5_Security_Cheat_Sheet#Offline_Applications | Check Offline Web Application]]

== Error Handling==
* [[Testing_for_Error_Code_(OTG-ERR-001)|Check for Error Codes]]
* [[Testing_for_Stack_Traces_(OTG-ERR-002)|Check for Stack Traces]]

= Other Formats =

* DradisPro template format [https://github.com/raesene/OWASP_Web_App_Testing_Cheatsheet_Converter/blob/master/OWASP_Web_Application_Testing_Cheat_Sheet.xml on github]
* Asana template on [http://templana.com/templates/owasp-website-security-checklist/ Templana] (thanks to Bastien Siebman)

= Authors and primary contributors =

[[User:Simon Bennetts|Simon Bennetts]] 
[[User:Raesene|Rory McCune]] 
Colin Watson 
Simone Onofri 
[[User:Amro_Ahmed|Amro AlOlaqi]]

All the authors of the Testing Guide v3

= Other Contributors =

[[User:Ryan_Dewhurst|Ryan Dewhurst]] 

= Related articles =

OWASP [[:Category:OWASP Testing Project|Testing Guide]]

Mozilla [https://wiki.mozilla.org/WebAppSec/Web_Security_Verification Web Security Verification]

{{Cheatsheet_Navigation}}

[[Category:Cheatsheets]] [[Category:OWASP_Breakers]]

Web Application Security Testing Cheat Sheet

2015-09-03T17:11:52Z

Raesene: /* Authorization */

= DRAFT CHEAT SHEET - WORK IN PROGRESS =

= Introduction =

This cheat sheet provides a checklist of tasks to be performed when performing a blackbox security test of a web application.

= Purpose =

This checklist is intended to be used as an aide memoire for experienced pentesters and should be used in conjunction with the [[:Category:OWASP Testing Project|OWASP Testing Guide]]. It will be updated as the [[OWASP_Application_Testing_guide_v4|Testing Guide v4]] is progressed.

The intention is that this guide will be available as an XML document, with scripts that convert it into formats such as pdf, Media Wiki markup, HTML etc.

This will allow it to be consumed within security tools as well as being available in a format suitable for printing.

All feedback or offers of help will be appreciated - and if you have specific chances you think should be made, just get stuck in.

= The Checklist =

== Information Gathering ==
* Manually explore the site
* [[Testing:_Spidering_and_googling | Spider/crawl]] for missed or hidden content
* [[Review_Webserver_Metafiles_for_Information_Leakage_(OTG-INFO-003)|Check the Webserver Metafiles]] for information leakage files that expose content, such as robots.txt, sitemap.xml, .DS_Store
* [[Conduct_search_engine_discovery/reconnaissance_for_information_leakage_(OTG-INFO-001)|Check the caches of major search engines for publicly accessible sites]]
* Check for differences in content based on User Agent (eg, Mobile sites, access as a Search engine Crawler)
* [[Review_webpage_comments_and_metadata_for_information_leakage_(OTG-INFO-005) | Check The Webpage Comments and Metadata for Information Leakage]]
* [[Fingerprint_Web_Application_Framework_(OTG-INFO-008) | Check The Web Application Framework]]
* [[Fingerprint_Web_Server_(OTG-INFO-002)|Perform Web Application Fingerprinting]]
* Identify technologies used
* Identify user roles
* [[Identify_application_entry_points_(OTG-INFO-006) | Identify application entry points]]
* Identify client-side code
* Identify multiple versions/channels (e.g. web, mobile web, mobile app)
* [[Web_Services | Identify web services]]
* Identify co-hosted and related applications
* Identify all hostnames and ports
* Identify third-party hosted content

== Configuration Management ==
* Check for commonly used application and administrative URLs
* Check for old, backup and unreferenced files
* Check HTTP methods supported and Cross Site Tracing (XST)
* Test file extensions handling
* Test RIA cross domain policy
* Test for security HTTP headers (e.g. CSP, X-Frame-Options, HSTS)
* Test for policies (e.g. Flash, Silverlight, robots)
* Test for non-production data in live environment, and vice-versa
* Check for sensitive data in client-side code (e.g. API keys, credentials)

== Secure Transmission ==
* Check SSL Version, Algorithms, Key length
* Check for Digital Certificate Validity (Duration, Signature and CN)
* Check credentials only delivered over HTTPS
* Check that the login form is delivered over HTTPS
* Check session tokens only delivered over HTTPS
* Check if HTTP Strict Transport Security (HSTS) in use

== Authentication ==
* [[Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002) | Test for user enumeration]]
* [[Testing_for_Bypassing_Authentication_Schema_(OTG-AUTHN-004) | Test for authentication bypass]]
* [[Testing_for_Brute_Force_(OWASP-AT-004) | Test for brute force protection]]
* [[Testing_for_Credentials_Transported_over_an_Encrypted_Channel_(OTG-AUTHN-001)|Test for Credentials Transported over an Encrypted Channel]]
* [[Testing_for_Weak_password_policy_(OTG-AUTHN-007)|Test password quality rules
* Test remember me functionality]]
* Test password reset and/or recovery
* Test password change process
* Test CAPTCHA
* Test multi factor authentication
* Test for logout functionality presence
* Test for cache management on HTTP (eg Pragma, Expires, Max-age)
* Test for default logins
* Test for user-accessible authentication history
* Test for out-of channel notification of account lockouts and successful password changes
* Test for consistent authentication across applications with shared authentication schema / SSO and alternative channels
* Test for Weak security question/answer

== Session Management ==
* Establish how session management is handled in the application (eg, tokens in cookies, token in URL)
* Check session tokens for cookie flags (httpOnly and secure)
* Check session cookie scope (path and domain)
* Check session cookie duration (expires and max-age)
* Check session termination after a maximum lifetime
* Check session termination after relative timeout
* Check session termination after logout
* Test to see if users can have multiple simultaneous sessions
* Test session cookies for randomness
* Confirm that new session tokens are issued on login, role change and logout
* Test for consistent session management across applications with shared session management
* Test for session puzzling
* Test for CSRF and clickjacking

== Authorization ==
* [[Testing_Directory_traversal/file_include_(OTG-AUTHZ-001)|Test for path traversal]]
* [[Testing_for_Privilege_escalation_(OTG-AUTHZ-003)|Test for vertical Access control problems (a.k.a. Privilege Escalation)]]
* Test for horizontal Access control problems (between two users at the same privilege level)
* Test for missing authorisation
* [[Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004)|Test for Insecure Direct Object References]]

== Data Validation ==
* [[Testing_for_Reflected_Cross_site_scripting_(OTG-INPVAL-001)|Test for Reflected Cross Site Scripting]]
* [[Testing_for_Stored_Cross_site_scripting_(OTG-INPVAL-002)|Test for Stored Cross Site Scripting]]
* [[Testing_for_DOM-based_Cross_site_scripting_(OTG-CLIENT-001)|Test for DOM based Cross Site Scripting]]
* Test for Cross Site Flashing
* Test for HTML Injection
* [[Testing_for_SQL_Injection_(OTG-INPVAL-005)|Test for SQL Injection]]
* Test for LDAP Injection
* [[Testing_for_ORM_Injection_(OTG-INPVAL-007)|Test for ORM Injection]]
* [[Testing_for_XML_Injection_(OTG-INPVAL-008)|Test for XML Injection]]
* Test for XXE Injection
* [[Testing_for_SSI_Injection_(OTG-INPVAL-009)|Test for SSI Injection]]
* [[Testing_for_XPath_Injection_(OTG-INPVAL-010)|Test for XPath Injection]]
* Test for XQuery Injection
* [[Testing_for_IMAP/SMTP_Injection_(OTG-INPVAL-011)|Test for IMAP/SMTP Injection]]
* [[Testing_for_Code_Injection_(OTG-INPVAL-012)|Test for Code Injection]]
* Test for Expression Language Injection
* Test for Command Injection
* Test for Overflow (Stack, Heap and Integer)
* Test for Format String
* Test for incubated vulnerabilities
* Test for HTTP Splitting/Smuggling
* Test for HTTP Verb Tampering
* Test for Open Redirection
* [[Testing_for_Local_File_Inclusion|Test for Local File Inclusion]]
* [[Testing_for_Remote_File_Inclusion|Test for Remote File Inclusion]]
* Compare client-side and server-side validation rules
* Test for NoSQL injection
* Test for HTTP parameter pollution
* Test for auto-binding
* Test for Mass Assignment
* Test for NULL/Invalid Session Cookie

== Denial of Service ==
* Test for anti-automation
* [[Testing_for_Weak_lock_out_mechanism_(OTG-AUTHN-003)|Test for account lockout]]
* Test for HTTP protocol DoS
* Test for SQL wildcard DoS

== Business Logic ==
* Test for feature misuse
* Test for lack of non-repudiation
* Test for trust relationships
* Test for integrity of data
* Test segregation of duties
* Test for Process Timing
* Test Number of Times a Function Can be Used Limits
* Test for the Circumvention of Work Flows
* Test Defenses Against Application Mis-use
* Test Upload of Unexpected File Types

== Cryptography ==
* [[Testing_for_Sensitive_information_sent_via_unencrypted_channels_(OTG-CRYPST-003)|Check if data which should be encrypted is not]]
* Check for wrong algorithms usage depending on context
* [[Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_(OTG-CRYPST-001)|Check for weak algorithms usage]]
* [[Password_Storage_Cheat_Sheet#Use_a_cryptographically_strong_credential-specific_salt | Check for proper use of salting]]
* [[Insecure_Randomness | Check for randomness functions]]

== Risky Functionality - File Uploads ==
* [[Test_Upload_of_Unexpected_File_Types_(OTG-BUSLOGIC-008)|Test that acceptable file types are whitelisted and non-whitelisted types are rejected]]
* Test that file size limits, upload frequency and total file counts are defined and are enforced
* Test that file contents match the defined file type
* [[Test_Upload_of_Malicious_Files_(OTG-BUSLOGIC-009)|Test that all file uploads have Anti-Virus scanning in-place.]]
* Test that unsafe filenames are sanitised
* Test that uploaded files are not directly accessible within the web root
* Test that uploaded files are not served on the same hostname/port
* Test that files and other media are integrated with the authentication and authorisation schemas

== Risky Functionality - Card Payment ==
* Test for known vulnerabilities and configuration issues on Web Server and Web Application
* Test for default or guessable password
* Test for non-production data in live environment, and vice-versa
* [[Injection_Flaws | Test for Injection vulnerabilities ]]
* [[Testing_for_Buffer_Overflow_(OTG-INPVAL-014) | Test for Buffer Overflows]]
* [[Top_10_2010-A7-Insecure_Cryptographic_Storage | Test for Insecure Cryptographic Storage]]
* [[Top_10_2010-A9-Insufficient_Transport_Layer_Protection | Test for Insufficient Transport Layer Protection]]
* [[Web_Application_Security_Testing_Cheat_Sheet#Error_Handling|Test for Improper Error Handling]]
* Test for all vulnerabilities with a CVSS v2 score > 4.0
* Test for Authentication and Authorization issues
* [[Testing_for_CSRF_(OTG-SESS-005)|Test for CSRF]]

== HTML 5==
* [[Test_Web_Messaging_(OTG-CLIENT-011)|Test Web Messaging]]
* [[Test_Local_Storage_(OTG-CLIENT-012)|Test for Web Storage SQL injection]]
* [[Test_Cross_Origin_Resource_Sharing_(OTG-CLIENT-007)|Check CORS implementation]]
* [[HTML5_Security_Cheat_Sheet#Offline_Applications | Check Offline Web Application]]

== Error Handling==
* [[Testing_for_Error_Code_(OTG-ERR-001)|Check for Error Codes]]
* [[Testing_for_Stack_Traces_(OTG-ERR-002)|Check for Stack Traces]]

= Other Formats =

* DradisPro template format [https://github.com/raesene/OWASP_Web_App_Testing_Cheatsheet_Converter/blob/master/OWASP_Web_Application_Testing_Cheat_Sheet.xml on github]
* Asana template on [http://templana.com/templates/owasp-website-security-checklist/ Templana] (thanks to Bastien Siebman)

= Authors and primary contributors =

[[User:Simon Bennetts|Simon Bennetts]] 
[[User:Raesene|Rory McCune]] 
Colin Watson 
Simone Onofri 
[[User:Amro_Ahmed|Amro AlOlaqi]]

All the authors of the Testing Guide v3

= Other Contributors =

[[User:Ryan_Dewhurst|Ryan Dewhurst]] 

= Related articles =

OWASP [[:Category:OWASP Testing Project|Testing Guide]]

Mozilla [https://wiki.mozilla.org/WebAppSec/Web_Security_Verification Web Security Verification]

{{Cheatsheet_Navigation}}

[[Category:Cheatsheets]] [[Category:OWASP_Breakers]]

Web Application Security Testing Cheat Sheet

2015-09-03T17:10:43Z

Raesene: /* Authorization */

= DRAFT CHEAT SHEET - WORK IN PROGRESS =

= Introduction =

This cheat sheet provides a checklist of tasks to be performed when performing a blackbox security test of a web application.

= Purpose =

This checklist is intended to be used as an aide memoire for experienced pentesters and should be used in conjunction with the [[:Category:OWASP Testing Project|OWASP Testing Guide]]. It will be updated as the [[OWASP_Application_Testing_guide_v4|Testing Guide v4]] is progressed.

The intention is that this guide will be available as an XML document, with scripts that convert it into formats such as pdf, Media Wiki markup, HTML etc.

This will allow it to be consumed within security tools as well as being available in a format suitable for printing.

All feedback or offers of help will be appreciated - and if you have specific chances you think should be made, just get stuck in.

= The Checklist =

== Information Gathering ==
* Manually explore the site
* [[Testing:_Spidering_and_googling | Spider/crawl]] for missed or hidden content
* [[Review_Webserver_Metafiles_for_Information_Leakage_(OTG-INFO-003)|Check the Webserver Metafiles]] for information leakage files that expose content, such as robots.txt, sitemap.xml, .DS_Store
* [[Conduct_search_engine_discovery/reconnaissance_for_information_leakage_(OTG-INFO-001)|Check the caches of major search engines for publicly accessible sites]]
* Check for differences in content based on User Agent (eg, Mobile sites, access as a Search engine Crawler)
* [[Review_webpage_comments_and_metadata_for_information_leakage_(OTG-INFO-005) | Check The Webpage Comments and Metadata for Information Leakage]]
* [[Fingerprint_Web_Application_Framework_(OTG-INFO-008) | Check The Web Application Framework]]
* [[Fingerprint_Web_Server_(OTG-INFO-002)|Perform Web Application Fingerprinting]]
* Identify technologies used
* Identify user roles
* [[Identify_application_entry_points_(OTG-INFO-006) | Identify application entry points]]
* Identify client-side code
* Identify multiple versions/channels (e.g. web, mobile web, mobile app)
* [[Web_Services | Identify web services]]
* Identify co-hosted and related applications
* Identify all hostnames and ports
* Identify third-party hosted content

== Configuration Management ==
* Check for commonly used application and administrative URLs
* Check for old, backup and unreferenced files
* Check HTTP methods supported and Cross Site Tracing (XST)
* Test file extensions handling
* Test RIA cross domain policy
* Test for security HTTP headers (e.g. CSP, X-Frame-Options, HSTS)
* Test for policies (e.g. Flash, Silverlight, robots)
* Test for non-production data in live environment, and vice-versa
* Check for sensitive data in client-side code (e.g. API keys, credentials)

== Secure Transmission ==
* Check SSL Version, Algorithms, Key length
* Check for Digital Certificate Validity (Duration, Signature and CN)
* Check credentials only delivered over HTTPS
* Check that the login form is delivered over HTTPS
* Check session tokens only delivered over HTTPS
* Check if HTTP Strict Transport Security (HSTS) in use

== Authentication ==
* [[Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002) | Test for user enumeration]]
* [[Testing_for_Bypassing_Authentication_Schema_(OTG-AUTHN-004) | Test for authentication bypass]]
* [[Testing_for_Brute_Force_(OWASP-AT-004) | Test for brute force protection]]
* [[Testing_for_Credentials_Transported_over_an_Encrypted_Channel_(OTG-AUTHN-001)|Test for Credentials Transported over an Encrypted Channel]]
* [[Testing_for_Weak_password_policy_(OTG-AUTHN-007)|Test password quality rules
* Test remember me functionality]]
* Test password reset and/or recovery
* Test password change process
* Test CAPTCHA
* Test multi factor authentication
* Test for logout functionality presence
* Test for cache management on HTTP (eg Pragma, Expires, Max-age)
* Test for default logins
* Test for user-accessible authentication history
* Test for out-of channel notification of account lockouts and successful password changes
* Test for consistent authentication across applications with shared authentication schema / SSO and alternative channels
* Test for Weak security question/answer

== Session Management ==
* Establish how session management is handled in the application (eg, tokens in cookies, token in URL)
* Check session tokens for cookie flags (httpOnly and secure)
* Check session cookie scope (path and domain)
* Check session cookie duration (expires and max-age)
* Check session termination after a maximum lifetime
* Check session termination after relative timeout
* Check session termination after logout
* Test to see if users can have multiple simultaneous sessions
* Test session cookies for randomness
* Confirm that new session tokens are issued on login, role change and logout
* Test for consistent session management across applications with shared session management
* Test for session puzzling
* Test for CSRF and clickjacking

== Authorization ==
* Test for path traversal
* [[Testing_for_Privilege_escalation_(OTG-AUTHZ-003)|Test for vertical Access control problems (a.k.a. Privilege Escalation)]]
* Test for horizontal Access control problems (between two users at the same privilege level)
* Test for missing authorisation
* [[Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004)|Test for Insecure Direct Object References]]

== Data Validation ==
* [[Testing_for_Reflected_Cross_site_scripting_(OTG-INPVAL-001)|Test for Reflected Cross Site Scripting]]
* [[Testing_for_Stored_Cross_site_scripting_(OTG-INPVAL-002)|Test for Stored Cross Site Scripting]]
* [[Testing_for_DOM-based_Cross_site_scripting_(OTG-CLIENT-001)|Test for DOM based Cross Site Scripting]]
* Test for Cross Site Flashing
* Test for HTML Injection
* [[Testing_for_SQL_Injection_(OTG-INPVAL-005)|Test for SQL Injection]]
* Test for LDAP Injection
* [[Testing_for_ORM_Injection_(OTG-INPVAL-007)|Test for ORM Injection]]
* [[Testing_for_XML_Injection_(OTG-INPVAL-008)|Test for XML Injection]]
* Test for XXE Injection
* [[Testing_for_SSI_Injection_(OTG-INPVAL-009)|Test for SSI Injection]]
* [[Testing_for_XPath_Injection_(OTG-INPVAL-010)|Test for XPath Injection]]
* Test for XQuery Injection
* [[Testing_for_IMAP/SMTP_Injection_(OTG-INPVAL-011)|Test for IMAP/SMTP Injection]]
* [[Testing_for_Code_Injection_(OTG-INPVAL-012)|Test for Code Injection]]
* Test for Expression Language Injection
* Test for Command Injection
* Test for Overflow (Stack, Heap and Integer)
* Test for Format String
* Test for incubated vulnerabilities
* Test for HTTP Splitting/Smuggling
* Test for HTTP Verb Tampering
* Test for Open Redirection
* [[Testing_for_Local_File_Inclusion|Test for Local File Inclusion]]
* [[Testing_for_Remote_File_Inclusion|Test for Remote File Inclusion]]
* Compare client-side and server-side validation rules
* Test for NoSQL injection
* Test for HTTP parameter pollution
* Test for auto-binding
* Test for Mass Assignment
* Test for NULL/Invalid Session Cookie

== Denial of Service ==
* Test for anti-automation
* [[Testing_for_Weak_lock_out_mechanism_(OTG-AUTHN-003)|Test for account lockout]]
* Test for HTTP protocol DoS
* Test for SQL wildcard DoS

== Business Logic ==
* Test for feature misuse
* Test for lack of non-repudiation
* Test for trust relationships
* Test for integrity of data
* Test segregation of duties
* Test for Process Timing
* Test Number of Times a Function Can be Used Limits
* Test for the Circumvention of Work Flows
* Test Defenses Against Application Mis-use
* Test Upload of Unexpected File Types

== Cryptography ==
* [[Testing_for_Sensitive_information_sent_via_unencrypted_channels_(OTG-CRYPST-003)|Check if data which should be encrypted is not]]
* Check for wrong algorithms usage depending on context
* [[Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_(OTG-CRYPST-001)|Check for weak algorithms usage]]
* [[Password_Storage_Cheat_Sheet#Use_a_cryptographically_strong_credential-specific_salt | Check for proper use of salting]]
* [[Insecure_Randomness | Check for randomness functions]]

== Risky Functionality - File Uploads ==
* [[Test_Upload_of_Unexpected_File_Types_(OTG-BUSLOGIC-008)|Test that acceptable file types are whitelisted and non-whitelisted types are rejected]]
* Test that file size limits, upload frequency and total file counts are defined and are enforced
* Test that file contents match the defined file type
* [[Test_Upload_of_Malicious_Files_(OTG-BUSLOGIC-009)|Test that all file uploads have Anti-Virus scanning in-place.]]
* Test that unsafe filenames are sanitised
* Test that uploaded files are not directly accessible within the web root
* Test that uploaded files are not served on the same hostname/port
* Test that files and other media are integrated with the authentication and authorisation schemas

== Risky Functionality - Card Payment ==
* Test for known vulnerabilities and configuration issues on Web Server and Web Application
* Test for default or guessable password
* Test for non-production data in live environment, and vice-versa
* [[Injection_Flaws | Test for Injection vulnerabilities ]]
* [[Testing_for_Buffer_Overflow_(OTG-INPVAL-014) | Test for Buffer Overflows]]
* [[Top_10_2010-A7-Insecure_Cryptographic_Storage | Test for Insecure Cryptographic Storage]]
* [[Top_10_2010-A9-Insufficient_Transport_Layer_Protection | Test for Insufficient Transport Layer Protection]]
* [[Web_Application_Security_Testing_Cheat_Sheet#Error_Handling|Test for Improper Error Handling]]
* Test for all vulnerabilities with a CVSS v2 score > 4.0
* Test for Authentication and Authorization issues
* [[Testing_for_CSRF_(OTG-SESS-005)|Test for CSRF]]

== HTML 5==
* [[Test_Web_Messaging_(OTG-CLIENT-011)|Test Web Messaging]]
* [[Test_Local_Storage_(OTG-CLIENT-012)|Test for Web Storage SQL injection]]
* [[Test_Cross_Origin_Resource_Sharing_(OTG-CLIENT-007)|Check CORS implementation]]
* [[HTML5_Security_Cheat_Sheet#Offline_Applications | Check Offline Web Application]]

== Error Handling==
* [[Testing_for_Error_Code_(OTG-ERR-001)|Check for Error Codes]]
* [[Testing_for_Stack_Traces_(OTG-ERR-002)|Check for Stack Traces]]

= Other Formats =

* DradisPro template format [https://github.com/raesene/OWASP_Web_App_Testing_Cheatsheet_Converter/blob/master/OWASP_Web_Application_Testing_Cheat_Sheet.xml on github]
* Asana template on [http://templana.com/templates/owasp-website-security-checklist/ Templana] (thanks to Bastien Siebman)

= Authors and primary contributors =

[[User:Simon Bennetts|Simon Bennetts]] 
[[User:Raesene|Rory McCune]] 
Colin Watson 
Simone Onofri 
[[User:Amro_Ahmed|Amro AlOlaqi]]

All the authors of the Testing Guide v3

= Other Contributors =

[[User:Ryan_Dewhurst|Ryan Dewhurst]] 

= Related articles =

OWASP [[:Category:OWASP Testing Project|Testing Guide]]

Mozilla [https://wiki.mozilla.org/WebAppSec/Web_Security_Verification Web Security Verification]

{{Cheatsheet_Navigation}}

[[Category:Cheatsheets]] [[Category:OWASP_Breakers]]

Web Application Security Testing Cheat Sheet

2015-09-03T17:09:47Z

Raesene: /* Authorization */

= DRAFT CHEAT SHEET - WORK IN PROGRESS =

= Introduction =

This cheat sheet provides a checklist of tasks to be performed when performing a blackbox security test of a web application.

= Purpose =

This checklist is intended to be used as an aide memoire for experienced pentesters and should be used in conjunction with the [[:Category:OWASP Testing Project|OWASP Testing Guide]]. It will be updated as the [[OWASP_Application_Testing_guide_v4|Testing Guide v4]] is progressed.

The intention is that this guide will be available as an XML document, with scripts that convert it into formats such as pdf, Media Wiki markup, HTML etc.

This will allow it to be consumed within security tools as well as being available in a format suitable for printing.

All feedback or offers of help will be appreciated - and if you have specific chances you think should be made, just get stuck in.

= The Checklist =

== Information Gathering ==
* Manually explore the site
* [[Testing:_Spidering_and_googling | Spider/crawl]] for missed or hidden content
* [[Review_Webserver_Metafiles_for_Information_Leakage_(OTG-INFO-003)|Check the Webserver Metafiles]] for information leakage files that expose content, such as robots.txt, sitemap.xml, .DS_Store
* [[Conduct_search_engine_discovery/reconnaissance_for_information_leakage_(OTG-INFO-001)|Check the caches of major search engines for publicly accessible sites]]
* Check for differences in content based on User Agent (eg, Mobile sites, access as a Search engine Crawler)
* [[Review_webpage_comments_and_metadata_for_information_leakage_(OTG-INFO-005) | Check The Webpage Comments and Metadata for Information Leakage]]
* [[Fingerprint_Web_Application_Framework_(OTG-INFO-008) | Check The Web Application Framework]]
* [[Fingerprint_Web_Server_(OTG-INFO-002)|Perform Web Application Fingerprinting]]
* Identify technologies used
* Identify user roles
* [[Identify_application_entry_points_(OTG-INFO-006) | Identify application entry points]]
* Identify client-side code
* Identify multiple versions/channels (e.g. web, mobile web, mobile app)
* [[Web_Services | Identify web services]]
* Identify co-hosted and related applications
* Identify all hostnames and ports
* Identify third-party hosted content

== Configuration Management ==
* Check for commonly used application and administrative URLs
* Check for old, backup and unreferenced files
* Check HTTP methods supported and Cross Site Tracing (XST)
* Test file extensions handling
* Test RIA cross domain policy
* Test for security HTTP headers (e.g. CSP, X-Frame-Options, HSTS)
* Test for policies (e.g. Flash, Silverlight, robots)
* Test for non-production data in live environment, and vice-versa
* Check for sensitive data in client-side code (e.g. API keys, credentials)

== Secure Transmission ==
* Check SSL Version, Algorithms, Key length
* Check for Digital Certificate Validity (Duration, Signature and CN)
* Check credentials only delivered over HTTPS
* Check that the login form is delivered over HTTPS
* Check session tokens only delivered over HTTPS
* Check if HTTP Strict Transport Security (HSTS) in use

== Authentication ==
* [[Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002) | Test for user enumeration]]
* [[Testing_for_Bypassing_Authentication_Schema_(OTG-AUTHN-004) | Test for authentication bypass]]
* [[Testing_for_Brute_Force_(OWASP-AT-004) | Test for brute force protection]]
* [[Testing_for_Credentials_Transported_over_an_Encrypted_Channel_(OTG-AUTHN-001)|Test for Credentials Transported over an Encrypted Channel]]
* [[Testing_for_Weak_password_policy_(OTG-AUTHN-007)|Test password quality rules
* Test remember me functionality]]
* Test password reset and/or recovery
* Test password change process
* Test CAPTCHA
* Test multi factor authentication
* Test for logout functionality presence
* Test for cache management on HTTP (eg Pragma, Expires, Max-age)
* Test for default logins
* Test for user-accessible authentication history
* Test for out-of channel notification of account lockouts and successful password changes
* Test for consistent authentication across applications with shared authentication schema / SSO and alternative channels
* Test for Weak security question/answer

== Session Management ==
* Establish how session management is handled in the application (eg, tokens in cookies, token in URL)
* Check session tokens for cookie flags (httpOnly and secure)
* Check session cookie scope (path and domain)
* Check session cookie duration (expires and max-age)
* Check session termination after a maximum lifetime
* Check session termination after relative timeout
* Check session termination after logout
* Test to see if users can have multiple simultaneous sessions
* Test session cookies for randomness
* Confirm that new session tokens are issued on login, role change and logout
* Test for consistent session management across applications with shared session management
* Test for session puzzling
* Test for CSRF and clickjacking

== Authorization ==
* Test for path traversal
* Test for vertical Access control problems (a.k.a. Privilege Escalation)
* Test for horizontal Access control problems (between two users at the same privilege level)
* Test for missing authorisation
* [[Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004)|Test for Insecure Direct Object References]]

== Data Validation ==
* [[Testing_for_Reflected_Cross_site_scripting_(OTG-INPVAL-001)|Test for Reflected Cross Site Scripting]]
* [[Testing_for_Stored_Cross_site_scripting_(OTG-INPVAL-002)|Test for Stored Cross Site Scripting]]
* [[Testing_for_DOM-based_Cross_site_scripting_(OTG-CLIENT-001)|Test for DOM based Cross Site Scripting]]
* Test for Cross Site Flashing
* Test for HTML Injection
* [[Testing_for_SQL_Injection_(OTG-INPVAL-005)|Test for SQL Injection]]
* Test for LDAP Injection
* [[Testing_for_ORM_Injection_(OTG-INPVAL-007)|Test for ORM Injection]]
* [[Testing_for_XML_Injection_(OTG-INPVAL-008)|Test for XML Injection]]
* Test for XXE Injection
* [[Testing_for_SSI_Injection_(OTG-INPVAL-009)|Test for SSI Injection]]
* [[Testing_for_XPath_Injection_(OTG-INPVAL-010)|Test for XPath Injection]]
* Test for XQuery Injection
* [[Testing_for_IMAP/SMTP_Injection_(OTG-INPVAL-011)|Test for IMAP/SMTP Injection]]
* [[Testing_for_Code_Injection_(OTG-INPVAL-012)|Test for Code Injection]]
* Test for Expression Language Injection
* Test for Command Injection
* Test for Overflow (Stack, Heap and Integer)
* Test for Format String
* Test for incubated vulnerabilities
* Test for HTTP Splitting/Smuggling
* Test for HTTP Verb Tampering
* Test for Open Redirection
* [[Testing_for_Local_File_Inclusion|Test for Local File Inclusion]]
* [[Testing_for_Remote_File_Inclusion|Test for Remote File Inclusion]]
* Compare client-side and server-side validation rules
* Test for NoSQL injection
* Test for HTTP parameter pollution
* Test for auto-binding
* Test for Mass Assignment
* Test for NULL/Invalid Session Cookie

== Denial of Service ==
* Test for anti-automation
* [[Testing_for_Weak_lock_out_mechanism_(OTG-AUTHN-003)|Test for account lockout]]
* Test for HTTP protocol DoS
* Test for SQL wildcard DoS

== Business Logic ==
* Test for feature misuse
* Test for lack of non-repudiation
* Test for trust relationships
* Test for integrity of data
* Test segregation of duties
* Test for Process Timing
* Test Number of Times a Function Can be Used Limits
* Test for the Circumvention of Work Flows
* Test Defenses Against Application Mis-use
* Test Upload of Unexpected File Types

== Cryptography ==
* [[Testing_for_Sensitive_information_sent_via_unencrypted_channels_(OTG-CRYPST-003)|Check if data which should be encrypted is not]]
* Check for wrong algorithms usage depending on context
* [[Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_(OTG-CRYPST-001)|Check for weak algorithms usage]]
* [[Password_Storage_Cheat_Sheet#Use_a_cryptographically_strong_credential-specific_salt | Check for proper use of salting]]
* [[Insecure_Randomness | Check for randomness functions]]

== Risky Functionality - File Uploads ==
* [[Test_Upload_of_Unexpected_File_Types_(OTG-BUSLOGIC-008)|Test that acceptable file types are whitelisted and non-whitelisted types are rejected]]
* Test that file size limits, upload frequency and total file counts are defined and are enforced
* Test that file contents match the defined file type
* [[Test_Upload_of_Malicious_Files_(OTG-BUSLOGIC-009)|Test that all file uploads have Anti-Virus scanning in-place.]]
* Test that unsafe filenames are sanitised
* Test that uploaded files are not directly accessible within the web root
* Test that uploaded files are not served on the same hostname/port
* Test that files and other media are integrated with the authentication and authorisation schemas

== Risky Functionality - Card Payment ==
* Test for known vulnerabilities and configuration issues on Web Server and Web Application
* Test for default or guessable password
* Test for non-production data in live environment, and vice-versa
* [[Injection_Flaws | Test for Injection vulnerabilities ]]
* [[Testing_for_Buffer_Overflow_(OTG-INPVAL-014) | Test for Buffer Overflows]]
* [[Top_10_2010-A7-Insecure_Cryptographic_Storage | Test for Insecure Cryptographic Storage]]
* [[Top_10_2010-A9-Insufficient_Transport_Layer_Protection | Test for Insufficient Transport Layer Protection]]
* [[Web_Application_Security_Testing_Cheat_Sheet#Error_Handling|Test for Improper Error Handling]]
* Test for all vulnerabilities with a CVSS v2 score > 4.0
* Test for Authentication and Authorization issues
* [[Testing_for_CSRF_(OTG-SESS-005)|Test for CSRF]]

== HTML 5==
* [[Test_Web_Messaging_(OTG-CLIENT-011)|Test Web Messaging]]
* [[Test_Local_Storage_(OTG-CLIENT-012)|Test for Web Storage SQL injection]]
* [[Test_Cross_Origin_Resource_Sharing_(OTG-CLIENT-007)|Check CORS implementation]]
* [[HTML5_Security_Cheat_Sheet#Offline_Applications | Check Offline Web Application]]

== Error Handling==
* [[Testing_for_Error_Code_(OTG-ERR-001)|Check for Error Codes]]
* [[Testing_for_Stack_Traces_(OTG-ERR-002)|Check for Stack Traces]]

= Other Formats =

* DradisPro template format [https://github.com/raesene/OWASP_Web_App_Testing_Cheatsheet_Converter/blob/master/OWASP_Web_Application_Testing_Cheat_Sheet.xml on github]
* Asana template on [http://templana.com/templates/owasp-website-security-checklist/ Templana] (thanks to Bastien Siebman)

= Authors and primary contributors =

[[User:Simon Bennetts|Simon Bennetts]] 
[[User:Raesene|Rory McCune]] 
Colin Watson 
Simone Onofri 
[[User:Amro_Ahmed|Amro AlOlaqi]]

All the authors of the Testing Guide v3

= Other Contributors =

[[User:Ryan_Dewhurst|Ryan Dewhurst]] 

= Related articles =

OWASP [[:Category:OWASP Testing Project|Testing Guide]]

Mozilla [https://wiki.mozilla.org/WebAppSec/Web_Security_Verification Web Security Verification]

{{Cheatsheet_Navigation}}

[[Category:Cheatsheets]] [[Category:OWASP_Breakers]]

Web Application Security Testing Cheat Sheet

2015-09-03T17:09:08Z

Raesene: /* Authentication */

= DRAFT CHEAT SHEET - WORK IN PROGRESS =

= Introduction =

This cheat sheet provides a checklist of tasks to be performed when performing a blackbox security test of a web application.

= Purpose =

This checklist is intended to be used as an aide memoire for experienced pentesters and should be used in conjunction with the [[:Category:OWASP Testing Project|OWASP Testing Guide]]. It will be updated as the [[OWASP_Application_Testing_guide_v4|Testing Guide v4]] is progressed.

The intention is that this guide will be available as an XML document, with scripts that convert it into formats such as pdf, Media Wiki markup, HTML etc.

This will allow it to be consumed within security tools as well as being available in a format suitable for printing.

All feedback or offers of help will be appreciated - and if you have specific chances you think should be made, just get stuck in.

= The Checklist =

== Information Gathering ==
* Manually explore the site
* [[Testing:_Spidering_and_googling | Spider/crawl]] for missed or hidden content
* [[Review_Webserver_Metafiles_for_Information_Leakage_(OTG-INFO-003)|Check the Webserver Metafiles]] for information leakage files that expose content, such as robots.txt, sitemap.xml, .DS_Store
* [[Conduct_search_engine_discovery/reconnaissance_for_information_leakage_(OTG-INFO-001)|Check the caches of major search engines for publicly accessible sites]]
* Check for differences in content based on User Agent (eg, Mobile sites, access as a Search engine Crawler)
* [[Review_webpage_comments_and_metadata_for_information_leakage_(OTG-INFO-005) | Check The Webpage Comments and Metadata for Information Leakage]]
* [[Fingerprint_Web_Application_Framework_(OTG-INFO-008) | Check The Web Application Framework]]
* [[Fingerprint_Web_Server_(OTG-INFO-002)|Perform Web Application Fingerprinting]]
* Identify technologies used
* Identify user roles
* [[Identify_application_entry_points_(OTG-INFO-006) | Identify application entry points]]
* Identify client-side code
* Identify multiple versions/channels (e.g. web, mobile web, mobile app)
* [[Web_Services | Identify web services]]
* Identify co-hosted and related applications
* Identify all hostnames and ports
* Identify third-party hosted content

== Configuration Management ==
* Check for commonly used application and administrative URLs
* Check for old, backup and unreferenced files
* Check HTTP methods supported and Cross Site Tracing (XST)
* Test file extensions handling
* Test RIA cross domain policy
* Test for security HTTP headers (e.g. CSP, X-Frame-Options, HSTS)
* Test for policies (e.g. Flash, Silverlight, robots)
* Test for non-production data in live environment, and vice-versa
* Check for sensitive data in client-side code (e.g. API keys, credentials)

== Secure Transmission ==
* Check SSL Version, Algorithms, Key length
* Check for Digital Certificate Validity (Duration, Signature and CN)
* Check credentials only delivered over HTTPS
* Check that the login form is delivered over HTTPS
* Check session tokens only delivered over HTTPS
* Check if HTTP Strict Transport Security (HSTS) in use

== Authentication ==
* [[Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002) | Test for user enumeration]]
* [[Testing_for_Bypassing_Authentication_Schema_(OTG-AUTHN-004) | Test for authentication bypass]]
* [[Testing_for_Brute_Force_(OWASP-AT-004) | Test for brute force protection]]
* [[Testing_for_Credentials_Transported_over_an_Encrypted_Channel_(OTG-AUTHN-001)|Test for Credentials Transported over an Encrypted Channel]]
* [[Testing_for_Weak_password_policy_(OTG-AUTHN-007)|Test password quality rules
* Test remember me functionality]]
* Test password reset and/or recovery
* Test password change process
* Test CAPTCHA
* Test multi factor authentication
* Test for logout functionality presence
* Test for cache management on HTTP (eg Pragma, Expires, Max-age)
* Test for default logins
* Test for user-accessible authentication history
* Test for out-of channel notification of account lockouts and successful password changes
* Test for consistent authentication across applications with shared authentication schema / SSO and alternative channels
* Test for Weak security question/answer

== Session Management ==
* Establish how session management is handled in the application (eg, tokens in cookies, token in URL)
* Check session tokens for cookie flags (httpOnly and secure)
* Check session cookie scope (path and domain)
* Check session cookie duration (expires and max-age)
* Check session termination after a maximum lifetime
* Check session termination after relative timeout
* Check session termination after logout
* Test to see if users can have multiple simultaneous sessions
* Test session cookies for randomness
* Confirm that new session tokens are issued on login, role change and logout
* Test for consistent session management across applications with shared session management
* Test for session puzzling
* Test for CSRF and clickjacking

== Authorization ==
* Test for path traversal
* Test for vertical Access control problems (a.k.a. Privilege Escalation)
* Test for horizontal Access control problems (between two users at the same privilege level)
* Test for missing authorisation
* Test for Insecure Direct Object References

== Data Validation ==
* [[Testing_for_Reflected_Cross_site_scripting_(OTG-INPVAL-001)|Test for Reflected Cross Site Scripting]]
* [[Testing_for_Stored_Cross_site_scripting_(OTG-INPVAL-002)|Test for Stored Cross Site Scripting]]
* [[Testing_for_DOM-based_Cross_site_scripting_(OTG-CLIENT-001)|Test for DOM based Cross Site Scripting]]
* Test for Cross Site Flashing
* Test for HTML Injection
* [[Testing_for_SQL_Injection_(OTG-INPVAL-005)|Test for SQL Injection]]
* Test for LDAP Injection
* [[Testing_for_ORM_Injection_(OTG-INPVAL-007)|Test for ORM Injection]]
* [[Testing_for_XML_Injection_(OTG-INPVAL-008)|Test for XML Injection]]
* Test for XXE Injection
* [[Testing_for_SSI_Injection_(OTG-INPVAL-009)|Test for SSI Injection]]
* [[Testing_for_XPath_Injection_(OTG-INPVAL-010)|Test for XPath Injection]]
* Test for XQuery Injection
* [[Testing_for_IMAP/SMTP_Injection_(OTG-INPVAL-011)|Test for IMAP/SMTP Injection]]
* [[Testing_for_Code_Injection_(OTG-INPVAL-012)|Test for Code Injection]]
* Test for Expression Language Injection
* Test for Command Injection
* Test for Overflow (Stack, Heap and Integer)
* Test for Format String
* Test for incubated vulnerabilities
* Test for HTTP Splitting/Smuggling
* Test for HTTP Verb Tampering
* Test for Open Redirection
* [[Testing_for_Local_File_Inclusion|Test for Local File Inclusion]]
* [[Testing_for_Remote_File_Inclusion|Test for Remote File Inclusion]]
* Compare client-side and server-side validation rules
* Test for NoSQL injection
* Test for HTTP parameter pollution
* Test for auto-binding
* Test for Mass Assignment
* Test for NULL/Invalid Session Cookie

== Denial of Service ==
* Test for anti-automation
* [[Testing_for_Weak_lock_out_mechanism_(OTG-AUTHN-003)|Test for account lockout]]
* Test for HTTP protocol DoS
* Test for SQL wildcard DoS

== Business Logic ==
* Test for feature misuse
* Test for lack of non-repudiation
* Test for trust relationships
* Test for integrity of data
* Test segregation of duties
* Test for Process Timing
* Test Number of Times a Function Can be Used Limits
* Test for the Circumvention of Work Flows
* Test Defenses Against Application Mis-use
* Test Upload of Unexpected File Types

== Cryptography ==
* [[Testing_for_Sensitive_information_sent_via_unencrypted_channels_(OTG-CRYPST-003)|Check if data which should be encrypted is not]]
* Check for wrong algorithms usage depending on context
* [[Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_(OTG-CRYPST-001)|Check for weak algorithms usage]]
* [[Password_Storage_Cheat_Sheet#Use_a_cryptographically_strong_credential-specific_salt | Check for proper use of salting]]
* [[Insecure_Randomness | Check for randomness functions]]

== Risky Functionality - File Uploads ==
* [[Test_Upload_of_Unexpected_File_Types_(OTG-BUSLOGIC-008)|Test that acceptable file types are whitelisted and non-whitelisted types are rejected]]
* Test that file size limits, upload frequency and total file counts are defined and are enforced
* Test that file contents match the defined file type
* [[Test_Upload_of_Malicious_Files_(OTG-BUSLOGIC-009)|Test that all file uploads have Anti-Virus scanning in-place.]]
* Test that unsafe filenames are sanitised
* Test that uploaded files are not directly accessible within the web root
* Test that uploaded files are not served on the same hostname/port
* Test that files and other media are integrated with the authentication and authorisation schemas

== Risky Functionality - Card Payment ==
* Test for known vulnerabilities and configuration issues on Web Server and Web Application
* Test for default or guessable password
* Test for non-production data in live environment, and vice-versa
* [[Injection_Flaws | Test for Injection vulnerabilities ]]
* [[Testing_for_Buffer_Overflow_(OTG-INPVAL-014) | Test for Buffer Overflows]]
* [[Top_10_2010-A7-Insecure_Cryptographic_Storage | Test for Insecure Cryptographic Storage]]
* [[Top_10_2010-A9-Insufficient_Transport_Layer_Protection | Test for Insufficient Transport Layer Protection]]
* [[Web_Application_Security_Testing_Cheat_Sheet#Error_Handling|Test for Improper Error Handling]]
* Test for all vulnerabilities with a CVSS v2 score > 4.0
* Test for Authentication and Authorization issues
* [[Testing_for_CSRF_(OTG-SESS-005)|Test for CSRF]]

== HTML 5==
* [[Test_Web_Messaging_(OTG-CLIENT-011)|Test Web Messaging]]
* [[Test_Local_Storage_(OTG-CLIENT-012)|Test for Web Storage SQL injection]]
* [[Test_Cross_Origin_Resource_Sharing_(OTG-CLIENT-007)|Check CORS implementation]]
* [[HTML5_Security_Cheat_Sheet#Offline_Applications | Check Offline Web Application]]

== Error Handling==
* [[Testing_for_Error_Code_(OTG-ERR-001)|Check for Error Codes]]
* [[Testing_for_Stack_Traces_(OTG-ERR-002)|Check for Stack Traces]]

= Other Formats =

* DradisPro template format [https://github.com/raesene/OWASP_Web_App_Testing_Cheatsheet_Converter/blob/master/OWASP_Web_Application_Testing_Cheat_Sheet.xml on github]
* Asana template on [http://templana.com/templates/owasp-website-security-checklist/ Templana] (thanks to Bastien Siebman)

= Authors and primary contributors =

[[User:Simon Bennetts|Simon Bennetts]] 
[[User:Raesene|Rory McCune]] 
Colin Watson 
Simone Onofri 
[[User:Amro_Ahmed|Amro AlOlaqi]]

All the authors of the Testing Guide v3

= Other Contributors =

[[User:Ryan_Dewhurst|Ryan Dewhurst]] 

= Related articles =

OWASP [[:Category:OWASP Testing Project|Testing Guide]]

Mozilla [https://wiki.mozilla.org/WebAppSec/Web_Security_Verification Web Security Verification]

{{Cheatsheet_Navigation}}

[[Category:Cheatsheets]] [[Category:OWASP_Breakers]]

Web Application Security Testing Cheat Sheet

2015-09-03T17:08:28Z

Raesene: /* Authentication */

= DRAFT CHEAT SHEET - WORK IN PROGRESS =

= Introduction =

This cheat sheet provides a checklist of tasks to be performed when performing a blackbox security test of a web application.

= Purpose =

This checklist is intended to be used as an aide memoire for experienced pentesters and should be used in conjunction with the [[:Category:OWASP Testing Project|OWASP Testing Guide]]. It will be updated as the [[OWASP_Application_Testing_guide_v4|Testing Guide v4]] is progressed.

The intention is that this guide will be available as an XML document, with scripts that convert it into formats such as pdf, Media Wiki markup, HTML etc.

This will allow it to be consumed within security tools as well as being available in a format suitable for printing.

All feedback or offers of help will be appreciated - and if you have specific chances you think should be made, just get stuck in.

= The Checklist =

== Information Gathering ==
* Manually explore the site
* [[Testing:_Spidering_and_googling | Spider/crawl]] for missed or hidden content
* [[Review_Webserver_Metafiles_for_Information_Leakage_(OTG-INFO-003)|Check the Webserver Metafiles]] for information leakage files that expose content, such as robots.txt, sitemap.xml, .DS_Store
* [[Conduct_search_engine_discovery/reconnaissance_for_information_leakage_(OTG-INFO-001)|Check the caches of major search engines for publicly accessible sites]]
* Check for differences in content based on User Agent (eg, Mobile sites, access as a Search engine Crawler)
* [[Review_webpage_comments_and_metadata_for_information_leakage_(OTG-INFO-005) | Check The Webpage Comments and Metadata for Information Leakage]]
* [[Fingerprint_Web_Application_Framework_(OTG-INFO-008) | Check The Web Application Framework]]
* [[Fingerprint_Web_Server_(OTG-INFO-002)|Perform Web Application Fingerprinting]]
* Identify technologies used
* Identify user roles
* [[Identify_application_entry_points_(OTG-INFO-006) | Identify application entry points]]
* Identify client-side code
* Identify multiple versions/channels (e.g. web, mobile web, mobile app)
* [[Web_Services | Identify web services]]
* Identify co-hosted and related applications
* Identify all hostnames and ports
* Identify third-party hosted content

== Configuration Management ==
* Check for commonly used application and administrative URLs
* Check for old, backup and unreferenced files
* Check HTTP methods supported and Cross Site Tracing (XST)
* Test file extensions handling
* Test RIA cross domain policy
* Test for security HTTP headers (e.g. CSP, X-Frame-Options, HSTS)
* Test for policies (e.g. Flash, Silverlight, robots)
* Test for non-production data in live environment, and vice-versa
* Check for sensitive data in client-side code (e.g. API keys, credentials)

== Secure Transmission ==
* Check SSL Version, Algorithms, Key length
* Check for Digital Certificate Validity (Duration, Signature and CN)
* Check credentials only delivered over HTTPS
* Check that the login form is delivered over HTTPS
* Check session tokens only delivered over HTTPS
* Check if HTTP Strict Transport Security (HSTS) in use

== Authentication ==
* [[Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002) | Test for user enumeration]]
* [[Testing_for_Bypassing_Authentication_Schema_(OTG-AUTHN-004) | Test for authentication bypass]]
* [[Testing_for_Brute_Force_(OWASP-AT-004) | Test for brute force protection]]
* [[Testing_for_Credentials_Transported_over_an_Encrypted_Channel_(OTG-AUTHN-001)|Test for Credentials Transported over an Encrypted Channel]]
* [[Testing_for_Weak_password_policy_(OTG-AUTHN-007)|Test password quality rules
* Test remember me functionality]]
* Test for autocomplete on password forms/input
* Test password reset and/or recovery
* Test password change process
* Test CAPTCHA
* Test multi factor authentication
* Test for logout functionality presence
* Test for cache management on HTTP (eg Pragma, Expires, Max-age)
* Test for default logins
* Test for user-accessible authentication history
* Test for out-of channel notification of account lockouts and successful password changes
* Test for consistent authentication across applications with shared authentication schema / SSO and alternative channels
* Test for Weak security question/answer

== Session Management ==
* Establish how session management is handled in the application (eg, tokens in cookies, token in URL)
* Check session tokens for cookie flags (httpOnly and secure)
* Check session cookie scope (path and domain)
* Check session cookie duration (expires and max-age)
* Check session termination after a maximum lifetime
* Check session termination after relative timeout
* Check session termination after logout
* Test to see if users can have multiple simultaneous sessions
* Test session cookies for randomness
* Confirm that new session tokens are issued on login, role change and logout
* Test for consistent session management across applications with shared session management
* Test for session puzzling
* Test for CSRF and clickjacking

== Authorization ==
* Test for path traversal
* Test for vertical Access control problems (a.k.a. Privilege Escalation)
* Test for horizontal Access control problems (between two users at the same privilege level)
* Test for missing authorisation
* Test for Insecure Direct Object References

== Data Validation ==
* [[Testing_for_Reflected_Cross_site_scripting_(OTG-INPVAL-001)|Test for Reflected Cross Site Scripting]]
* [[Testing_for_Stored_Cross_site_scripting_(OTG-INPVAL-002)|Test for Stored Cross Site Scripting]]
* [[Testing_for_DOM-based_Cross_site_scripting_(OTG-CLIENT-001)|Test for DOM based Cross Site Scripting]]
* Test for Cross Site Flashing
* Test for HTML Injection
* [[Testing_for_SQL_Injection_(OTG-INPVAL-005)|Test for SQL Injection]]
* Test for LDAP Injection
* [[Testing_for_ORM_Injection_(OTG-INPVAL-007)|Test for ORM Injection]]
* [[Testing_for_XML_Injection_(OTG-INPVAL-008)|Test for XML Injection]]
* Test for XXE Injection
* [[Testing_for_SSI_Injection_(OTG-INPVAL-009)|Test for SSI Injection]]
* [[Testing_for_XPath_Injection_(OTG-INPVAL-010)|Test for XPath Injection]]
* Test for XQuery Injection
* [[Testing_for_IMAP/SMTP_Injection_(OTG-INPVAL-011)|Test for IMAP/SMTP Injection]]
* [[Testing_for_Code_Injection_(OTG-INPVAL-012)|Test for Code Injection]]
* Test for Expression Language Injection
* Test for Command Injection
* Test for Overflow (Stack, Heap and Integer)
* Test for Format String
* Test for incubated vulnerabilities
* Test for HTTP Splitting/Smuggling
* Test for HTTP Verb Tampering
* Test for Open Redirection
* [[Testing_for_Local_File_Inclusion|Test for Local File Inclusion]]
* [[Testing_for_Remote_File_Inclusion|Test for Remote File Inclusion]]
* Compare client-side and server-side validation rules
* Test for NoSQL injection
* Test for HTTP parameter pollution
* Test for auto-binding
* Test for Mass Assignment
* Test for NULL/Invalid Session Cookie

== Denial of Service ==
* Test for anti-automation
* [[Testing_for_Weak_lock_out_mechanism_(OTG-AUTHN-003)|Test for account lockout]]
* Test for HTTP protocol DoS
* Test for SQL wildcard DoS

== Business Logic ==
* Test for feature misuse
* Test for lack of non-repudiation
* Test for trust relationships
* Test for integrity of data
* Test segregation of duties
* Test for Process Timing
* Test Number of Times a Function Can be Used Limits
* Test for the Circumvention of Work Flows
* Test Defenses Against Application Mis-use
* Test Upload of Unexpected File Types

== Cryptography ==
* [[Testing_for_Sensitive_information_sent_via_unencrypted_channels_(OTG-CRYPST-003)|Check if data which should be encrypted is not]]
* Check for wrong algorithms usage depending on context
* [[Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_(OTG-CRYPST-001)|Check for weak algorithms usage]]
* [[Password_Storage_Cheat_Sheet#Use_a_cryptographically_strong_credential-specific_salt | Check for proper use of salting]]
* [[Insecure_Randomness | Check for randomness functions]]

== Risky Functionality - File Uploads ==
* [[Test_Upload_of_Unexpected_File_Types_(OTG-BUSLOGIC-008)|Test that acceptable file types are whitelisted and non-whitelisted types are rejected]]
* Test that file size limits, upload frequency and total file counts are defined and are enforced
* Test that file contents match the defined file type
* [[Test_Upload_of_Malicious_Files_(OTG-BUSLOGIC-009)|Test that all file uploads have Anti-Virus scanning in-place.]]
* Test that unsafe filenames are sanitised
* Test that uploaded files are not directly accessible within the web root
* Test that uploaded files are not served on the same hostname/port
* Test that files and other media are integrated with the authentication and authorisation schemas

== Risky Functionality - Card Payment ==
* Test for known vulnerabilities and configuration issues on Web Server and Web Application
* Test for default or guessable password
* Test for non-production data in live environment, and vice-versa
* [[Injection_Flaws | Test for Injection vulnerabilities ]]
* [[Testing_for_Buffer_Overflow_(OTG-INPVAL-014) | Test for Buffer Overflows]]
* [[Top_10_2010-A7-Insecure_Cryptographic_Storage | Test for Insecure Cryptographic Storage]]
* [[Top_10_2010-A9-Insufficient_Transport_Layer_Protection | Test for Insufficient Transport Layer Protection]]
* [[Web_Application_Security_Testing_Cheat_Sheet#Error_Handling|Test for Improper Error Handling]]
* Test for all vulnerabilities with a CVSS v2 score > 4.0
* Test for Authentication and Authorization issues
* [[Testing_for_CSRF_(OTG-SESS-005)|Test for CSRF]]

== HTML 5==
* [[Test_Web_Messaging_(OTG-CLIENT-011)|Test Web Messaging]]
* [[Test_Local_Storage_(OTG-CLIENT-012)|Test for Web Storage SQL injection]]
* [[Test_Cross_Origin_Resource_Sharing_(OTG-CLIENT-007)|Check CORS implementation]]
* [[HTML5_Security_Cheat_Sheet#Offline_Applications | Check Offline Web Application]]

== Error Handling==
* [[Testing_for_Error_Code_(OTG-ERR-001)|Check for Error Codes]]
* [[Testing_for_Stack_Traces_(OTG-ERR-002)|Check for Stack Traces]]

= Other Formats =

* DradisPro template format [https://github.com/raesene/OWASP_Web_App_Testing_Cheatsheet_Converter/blob/master/OWASP_Web_Application_Testing_Cheat_Sheet.xml on github]
* Asana template on [http://templana.com/templates/owasp-website-security-checklist/ Templana] (thanks to Bastien Siebman)

= Authors and primary contributors =

[[User:Simon Bennetts|Simon Bennetts]] 
[[User:Raesene|Rory McCune]] 
Colin Watson 
Simone Onofri 
[[User:Amro_Ahmed|Amro AlOlaqi]]

All the authors of the Testing Guide v3

= Other Contributors =

[[User:Ryan_Dewhurst|Ryan Dewhurst]] 

= Related articles =

OWASP [[:Category:OWASP Testing Project|Testing Guide]]

Mozilla [https://wiki.mozilla.org/WebAppSec/Web_Security_Verification Web Security Verification]

{{Cheatsheet_Navigation}}

[[Category:Cheatsheets]] [[Category:OWASP_Breakers]]

Web Application Security Testing Cheat Sheet

2015-09-03T17:07:22Z

Raesene: /* Authentication */

= DRAFT CHEAT SHEET - WORK IN PROGRESS =

= Introduction =

This cheat sheet provides a checklist of tasks to be performed when performing a blackbox security test of a web application.

= Purpose =

This checklist is intended to be used as an aide memoire for experienced pentesters and should be used in conjunction with the [[:Category:OWASP Testing Project|OWASP Testing Guide]]. It will be updated as the [[OWASP_Application_Testing_guide_v4|Testing Guide v4]] is progressed.

The intention is that this guide will be available as an XML document, with scripts that convert it into formats such as pdf, Media Wiki markup, HTML etc.

This will allow it to be consumed within security tools as well as being available in a format suitable for printing.

All feedback or offers of help will be appreciated - and if you have specific chances you think should be made, just get stuck in.

= The Checklist =

== Information Gathering ==
* Manually explore the site
* [[Testing:_Spidering_and_googling | Spider/crawl]] for missed or hidden content
* [[Review_Webserver_Metafiles_for_Information_Leakage_(OTG-INFO-003)|Check the Webserver Metafiles]] for information leakage files that expose content, such as robots.txt, sitemap.xml, .DS_Store
* [[Conduct_search_engine_discovery/reconnaissance_for_information_leakage_(OTG-INFO-001)|Check the caches of major search engines for publicly accessible sites]]
* Check for differences in content based on User Agent (eg, Mobile sites, access as a Search engine Crawler)
* [[Review_webpage_comments_and_metadata_for_information_leakage_(OTG-INFO-005) | Check The Webpage Comments and Metadata for Information Leakage]]
* [[Fingerprint_Web_Application_Framework_(OTG-INFO-008) | Check The Web Application Framework]]
* [[Fingerprint_Web_Server_(OTG-INFO-002)|Perform Web Application Fingerprinting]]
* Identify technologies used
* Identify user roles
* [[Identify_application_entry_points_(OTG-INFO-006) | Identify application entry points]]
* Identify client-side code
* Identify multiple versions/channels (e.g. web, mobile web, mobile app)
* [[Web_Services | Identify web services]]
* Identify co-hosted and related applications
* Identify all hostnames and ports
* Identify third-party hosted content

== Configuration Management ==
* Check for commonly used application and administrative URLs
* Check for old, backup and unreferenced files
* Check HTTP methods supported and Cross Site Tracing (XST)
* Test file extensions handling
* Test RIA cross domain policy
* Test for security HTTP headers (e.g. CSP, X-Frame-Options, HSTS)
* Test for policies (e.g. Flash, Silverlight, robots)
* Test for non-production data in live environment, and vice-versa
* Check for sensitive data in client-side code (e.g. API keys, credentials)

== Secure Transmission ==
* Check SSL Version, Algorithms, Key length
* Check for Digital Certificate Validity (Duration, Signature and CN)
* Check credentials only delivered over HTTPS
* Check that the login form is delivered over HTTPS
* Check session tokens only delivered over HTTPS
* Check if HTTP Strict Transport Security (HSTS) in use

== Authentication ==
* [[Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002) | Test for user enumeration]]
* [[Testing_for_Bypassing_Authentication_Schema_(OTG-AUTHN-004) | Test for authentication bypass]]
* [[Testing_for_Brute_Force_(OWASP-AT-004) | Test for brute force protection]]
* [[Testing_for_Credentials_Transported_over_an_Encrypted_Channel_(OTG-AUTHN-001)|Test for Credentials Transported over an Encrypted Channel]]
* Test password quality rules
* Test remember me functionality
* Test for autocomplete on password forms/input
* Test password reset and/or recovery
* Test password change process
* Test CAPTCHA
* Test multi factor authentication
* Test for logout functionality presence
* Test for cache management on HTTP (eg Pragma, Expires, Max-age)
* Test for default logins
* Test for user-accessible authentication history
* Test for out-of channel notification of account lockouts and successful password changes
* Test for consistent authentication across applications with shared authentication schema / SSO and alternative channels
* Test for Weak security question/answer

== Session Management ==
* Establish how session management is handled in the application (eg, tokens in cookies, token in URL)
* Check session tokens for cookie flags (httpOnly and secure)
* Check session cookie scope (path and domain)
* Check session cookie duration (expires and max-age)
* Check session termination after a maximum lifetime
* Check session termination after relative timeout
* Check session termination after logout
* Test to see if users can have multiple simultaneous sessions
* Test session cookies for randomness
* Confirm that new session tokens are issued on login, role change and logout
* Test for consistent session management across applications with shared session management
* Test for session puzzling
* Test for CSRF and clickjacking

== Authorization ==
* Test for path traversal
* Test for vertical Access control problems (a.k.a. Privilege Escalation)
* Test for horizontal Access control problems (between two users at the same privilege level)
* Test for missing authorisation
* Test for Insecure Direct Object References

== Data Validation ==
* [[Testing_for_Reflected_Cross_site_scripting_(OTG-INPVAL-001)|Test for Reflected Cross Site Scripting]]
* [[Testing_for_Stored_Cross_site_scripting_(OTG-INPVAL-002)|Test for Stored Cross Site Scripting]]
* [[Testing_for_DOM-based_Cross_site_scripting_(OTG-CLIENT-001)|Test for DOM based Cross Site Scripting]]
* Test for Cross Site Flashing
* Test for HTML Injection
* [[Testing_for_SQL_Injection_(OTG-INPVAL-005)|Test for SQL Injection]]
* Test for LDAP Injection
* [[Testing_for_ORM_Injection_(OTG-INPVAL-007)|Test for ORM Injection]]
* [[Testing_for_XML_Injection_(OTG-INPVAL-008)|Test for XML Injection]]
* Test for XXE Injection
* [[Testing_for_SSI_Injection_(OTG-INPVAL-009)|Test for SSI Injection]]
* [[Testing_for_XPath_Injection_(OTG-INPVAL-010)|Test for XPath Injection]]
* Test for XQuery Injection
* [[Testing_for_IMAP/SMTP_Injection_(OTG-INPVAL-011)|Test for IMAP/SMTP Injection]]
* [[Testing_for_Code_Injection_(OTG-INPVAL-012)|Test for Code Injection]]
* Test for Expression Language Injection
* Test for Command Injection
* Test for Overflow (Stack, Heap and Integer)
* Test for Format String
* Test for incubated vulnerabilities
* Test for HTTP Splitting/Smuggling
* Test for HTTP Verb Tampering
* Test for Open Redirection
* [[Testing_for_Local_File_Inclusion|Test for Local File Inclusion]]
* [[Testing_for_Remote_File_Inclusion|Test for Remote File Inclusion]]
* Compare client-side and server-side validation rules
* Test for NoSQL injection
* Test for HTTP parameter pollution
* Test for auto-binding
* Test for Mass Assignment
* Test for NULL/Invalid Session Cookie

== Denial of Service ==
* Test for anti-automation
* [[Testing_for_Weak_lock_out_mechanism_(OTG-AUTHN-003)|Test for account lockout]]
* Test for HTTP protocol DoS
* Test for SQL wildcard DoS

== Business Logic ==
* Test for feature misuse
* Test for lack of non-repudiation
* Test for trust relationships
* Test for integrity of data
* Test segregation of duties
* Test for Process Timing
* Test Number of Times a Function Can be Used Limits
* Test for the Circumvention of Work Flows
* Test Defenses Against Application Mis-use
* Test Upload of Unexpected File Types

== Cryptography ==
* [[Testing_for_Sensitive_information_sent_via_unencrypted_channels_(OTG-CRYPST-003)|Check if data which should be encrypted is not]]
* Check for wrong algorithms usage depending on context
* [[Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_(OTG-CRYPST-001)|Check for weak algorithms usage]]
* [[Password_Storage_Cheat_Sheet#Use_a_cryptographically_strong_credential-specific_salt | Check for proper use of salting]]
* [[Insecure_Randomness | Check for randomness functions]]

== Risky Functionality - File Uploads ==
* [[Test_Upload_of_Unexpected_File_Types_(OTG-BUSLOGIC-008)|Test that acceptable file types are whitelisted and non-whitelisted types are rejected]]
* Test that file size limits, upload frequency and total file counts are defined and are enforced
* Test that file contents match the defined file type
* [[Test_Upload_of_Malicious_Files_(OTG-BUSLOGIC-009)|Test that all file uploads have Anti-Virus scanning in-place.]]
* Test that unsafe filenames are sanitised
* Test that uploaded files are not directly accessible within the web root
* Test that uploaded files are not served on the same hostname/port
* Test that files and other media are integrated with the authentication and authorisation schemas

== Risky Functionality - Card Payment ==
* Test for known vulnerabilities and configuration issues on Web Server and Web Application
* Test for default or guessable password
* Test for non-production data in live environment, and vice-versa
* [[Injection_Flaws | Test for Injection vulnerabilities ]]
* [[Testing_for_Buffer_Overflow_(OTG-INPVAL-014) | Test for Buffer Overflows]]
* [[Top_10_2010-A7-Insecure_Cryptographic_Storage | Test for Insecure Cryptographic Storage]]
* [[Top_10_2010-A9-Insufficient_Transport_Layer_Protection | Test for Insufficient Transport Layer Protection]]
* [[Web_Application_Security_Testing_Cheat_Sheet#Error_Handling|Test for Improper Error Handling]]
* Test for all vulnerabilities with a CVSS v2 score > 4.0
* Test for Authentication and Authorization issues
* [[Testing_for_CSRF_(OTG-SESS-005)|Test for CSRF]]

== HTML 5==
* [[Test_Web_Messaging_(OTG-CLIENT-011)|Test Web Messaging]]
* [[Test_Local_Storage_(OTG-CLIENT-012)|Test for Web Storage SQL injection]]
* [[Test_Cross_Origin_Resource_Sharing_(OTG-CLIENT-007)|Check CORS implementation]]
* [[HTML5_Security_Cheat_Sheet#Offline_Applications | Check Offline Web Application]]

== Error Handling==
* [[Testing_for_Error_Code_(OTG-ERR-001)|Check for Error Codes]]
* [[Testing_for_Stack_Traces_(OTG-ERR-002)|Check for Stack Traces]]

= Other Formats =

* DradisPro template format [https://github.com/raesene/OWASP_Web_App_Testing_Cheatsheet_Converter/blob/master/OWASP_Web_Application_Testing_Cheat_Sheet.xml on github]
* Asana template on [http://templana.com/templates/owasp-website-security-checklist/ Templana] (thanks to Bastien Siebman)

= Authors and primary contributors =

[[User:Simon Bennetts|Simon Bennetts]] 
[[User:Raesene|Rory McCune]] 
Colin Watson 
Simone Onofri 
[[User:Amro_Ahmed|Amro AlOlaqi]]

All the authors of the Testing Guide v3

= Other Contributors =

[[User:Ryan_Dewhurst|Ryan Dewhurst]] 

= Related articles =

OWASP [[:Category:OWASP Testing Project|Testing Guide]]

Mozilla [https://wiki.mozilla.org/WebAppSec/Web_Security_Verification Web Security Verification]

{{Cheatsheet_Navigation}}

[[Category:Cheatsheets]] [[Category:OWASP_Breakers]]

Web Application Security Testing Cheat Sheet

2015-09-03T17:05:52Z

Raesene: /* Information Gathering */

= DRAFT CHEAT SHEET - WORK IN PROGRESS =

= Introduction =

This cheat sheet provides a checklist of tasks to be performed when performing a blackbox security test of a web application.

= Purpose =

This checklist is intended to be used as an aide memoire for experienced pentesters and should be used in conjunction with the [[:Category:OWASP Testing Project|OWASP Testing Guide]]. It will be updated as the [[OWASP_Application_Testing_guide_v4|Testing Guide v4]] is progressed.

The intention is that this guide will be available as an XML document, with scripts that convert it into formats such as pdf, Media Wiki markup, HTML etc.

This will allow it to be consumed within security tools as well as being available in a format suitable for printing.

All feedback or offers of help will be appreciated - and if you have specific chances you think should be made, just get stuck in.

= The Checklist =

== Information Gathering ==
* Manually explore the site
* [[Testing:_Spidering_and_googling | Spider/crawl]] for missed or hidden content
* [[Review_Webserver_Metafiles_for_Information_Leakage_(OTG-INFO-003)|Check the Webserver Metafiles]] for information leakage files that expose content, such as robots.txt, sitemap.xml, .DS_Store
* [[Conduct_search_engine_discovery/reconnaissance_for_information_leakage_(OTG-INFO-001)|Check the caches of major search engines for publicly accessible sites]]
* Check for differences in content based on User Agent (eg, Mobile sites, access as a Search engine Crawler)
* [[Review_webpage_comments_and_metadata_for_information_leakage_(OTG-INFO-005) | Check The Webpage Comments and Metadata for Information Leakage]]
* [[Fingerprint_Web_Application_Framework_(OTG-INFO-008) | Check The Web Application Framework]]
* [[Fingerprint_Web_Server_(OTG-INFO-002)|Perform Web Application Fingerprinting]]
* Identify technologies used
* Identify user roles
* [[Identify_application_entry_points_(OTG-INFO-006) | Identify application entry points]]
* Identify client-side code
* Identify multiple versions/channels (e.g. web, mobile web, mobile app)
* [[Web_Services | Identify web services]]
* Identify co-hosted and related applications
* Identify all hostnames and ports
* Identify third-party hosted content

== Configuration Management ==
* Check for commonly used application and administrative URLs
* Check for old, backup and unreferenced files
* Check HTTP methods supported and Cross Site Tracing (XST)
* Test file extensions handling
* Test RIA cross domain policy
* Test for security HTTP headers (e.g. CSP, X-Frame-Options, HSTS)
* Test for policies (e.g. Flash, Silverlight, robots)
* Test for non-production data in live environment, and vice-versa
* Check for sensitive data in client-side code (e.g. API keys, credentials)

== Secure Transmission ==
* Check SSL Version, Algorithms, Key length
* Check for Digital Certificate Validity (Duration, Signature and CN)
* Check credentials only delivered over HTTPS
* Check that the login form is delivered over HTTPS
* Check session tokens only delivered over HTTPS
* Check if HTTP Strict Transport Security (HSTS) in use

== Authentication ==
* [[Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002) | Test for user enumeration]]
* [[Testing_for_Bypassing_Authentication_Schema_(OTG-AUTHN-004) | Test for authentication bypass]]
* [[Testing_for_Brute_Force_(OWASP-AT-004) | Test for brute force protection]]
* Test for Credentials Transported over an Encrypted Channel
* Test password quality rules
* Test remember me functionality
* Test for autocomplete on password forms/input
* Test password reset and/or recovery
* Test password change process
* Test CAPTCHA
* Test multi factor authentication
* Test for logout functionality presence
* Test for cache management on HTTP (eg Pragma, Expires, Max-age)
* Test for default logins
* Test for user-accessible authentication history
* Test for out-of channel notification of account lockouts and successful password changes
* Test for consistent authentication across applications with shared authentication schema / SSO and alternative channels
* Test for Weak security question/answer

== Session Management ==
* Establish how session management is handled in the application (eg, tokens in cookies, token in URL)
* Check session tokens for cookie flags (httpOnly and secure)
* Check session cookie scope (path and domain)
* Check session cookie duration (expires and max-age)
* Check session termination after a maximum lifetime
* Check session termination after relative timeout
* Check session termination after logout
* Test to see if users can have multiple simultaneous sessions
* Test session cookies for randomness
* Confirm that new session tokens are issued on login, role change and logout
* Test for consistent session management across applications with shared session management
* Test for session puzzling
* Test for CSRF and clickjacking

== Authorization ==
* Test for path traversal
* Test for vertical Access control problems (a.k.a. Privilege Escalation)
* Test for horizontal Access control problems (between two users at the same privilege level)
* Test for missing authorisation
* Test for Insecure Direct Object References

== Data Validation ==
* [[Testing_for_Reflected_Cross_site_scripting_(OTG-INPVAL-001)|Test for Reflected Cross Site Scripting]]
* [[Testing_for_Stored_Cross_site_scripting_(OTG-INPVAL-002)|Test for Stored Cross Site Scripting]]
* [[Testing_for_DOM-based_Cross_site_scripting_(OTG-CLIENT-001)|Test for DOM based Cross Site Scripting]]
* Test for Cross Site Flashing
* Test for HTML Injection
* [[Testing_for_SQL_Injection_(OTG-INPVAL-005)|Test for SQL Injection]]
* Test for LDAP Injection
* [[Testing_for_ORM_Injection_(OTG-INPVAL-007)|Test for ORM Injection]]
* [[Testing_for_XML_Injection_(OTG-INPVAL-008)|Test for XML Injection]]
* Test for XXE Injection
* [[Testing_for_SSI_Injection_(OTG-INPVAL-009)|Test for SSI Injection]]
* [[Testing_for_XPath_Injection_(OTG-INPVAL-010)|Test for XPath Injection]]
* Test for XQuery Injection
* [[Testing_for_IMAP/SMTP_Injection_(OTG-INPVAL-011)|Test for IMAP/SMTP Injection]]
* [[Testing_for_Code_Injection_(OTG-INPVAL-012)|Test for Code Injection]]
* Test for Expression Language Injection
* Test for Command Injection
* Test for Overflow (Stack, Heap and Integer)
* Test for Format String
* Test for incubated vulnerabilities
* Test for HTTP Splitting/Smuggling
* Test for HTTP Verb Tampering
* Test for Open Redirection
* [[Testing_for_Local_File_Inclusion|Test for Local File Inclusion]]
* [[Testing_for_Remote_File_Inclusion|Test for Remote File Inclusion]]
* Compare client-side and server-side validation rules
* Test for NoSQL injection
* Test for HTTP parameter pollution
* Test for auto-binding
* Test for Mass Assignment
* Test for NULL/Invalid Session Cookie

== Denial of Service ==
* Test for anti-automation
* [[Testing_for_Weak_lock_out_mechanism_(OTG-AUTHN-003)|Test for account lockout]]
* Test for HTTP protocol DoS
* Test for SQL wildcard DoS

== Business Logic ==
* Test for feature misuse
* Test for lack of non-repudiation
* Test for trust relationships
* Test for integrity of data
* Test segregation of duties
* Test for Process Timing
* Test Number of Times a Function Can be Used Limits
* Test for the Circumvention of Work Flows
* Test Defenses Against Application Mis-use
* Test Upload of Unexpected File Types

== Cryptography ==
* [[Testing_for_Sensitive_information_sent_via_unencrypted_channels_(OTG-CRYPST-003)|Check if data which should be encrypted is not]]
* Check for wrong algorithms usage depending on context
* [[Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_(OTG-CRYPST-001)|Check for weak algorithms usage]]
* [[Password_Storage_Cheat_Sheet#Use_a_cryptographically_strong_credential-specific_salt | Check for proper use of salting]]
* [[Insecure_Randomness | Check for randomness functions]]

== Risky Functionality - File Uploads ==
* [[Test_Upload_of_Unexpected_File_Types_(OTG-BUSLOGIC-008)|Test that acceptable file types are whitelisted and non-whitelisted types are rejected]]
* Test that file size limits, upload frequency and total file counts are defined and are enforced
* Test that file contents match the defined file type
* [[Test_Upload_of_Malicious_Files_(OTG-BUSLOGIC-009)|Test that all file uploads have Anti-Virus scanning in-place.]]
* Test that unsafe filenames are sanitised
* Test that uploaded files are not directly accessible within the web root
* Test that uploaded files are not served on the same hostname/port
* Test that files and other media are integrated with the authentication and authorisation schemas

== Risky Functionality - Card Payment ==
* Test for known vulnerabilities and configuration issues on Web Server and Web Application
* Test for default or guessable password
* Test for non-production data in live environment, and vice-versa
* [[Injection_Flaws | Test for Injection vulnerabilities ]]
* [[Testing_for_Buffer_Overflow_(OTG-INPVAL-014) | Test for Buffer Overflows]]
* [[Top_10_2010-A7-Insecure_Cryptographic_Storage | Test for Insecure Cryptographic Storage]]
* [[Top_10_2010-A9-Insufficient_Transport_Layer_Protection | Test for Insufficient Transport Layer Protection]]
* [[Web_Application_Security_Testing_Cheat_Sheet#Error_Handling|Test for Improper Error Handling]]
* Test for all vulnerabilities with a CVSS v2 score > 4.0
* Test for Authentication and Authorization issues
* [[Testing_for_CSRF_(OTG-SESS-005)|Test for CSRF]]

== HTML 5==
* [[Test_Web_Messaging_(OTG-CLIENT-011)|Test Web Messaging]]
* [[Test_Local_Storage_(OTG-CLIENT-012)|Test for Web Storage SQL injection]]
* [[Test_Cross_Origin_Resource_Sharing_(OTG-CLIENT-007)|Check CORS implementation]]
* [[HTML5_Security_Cheat_Sheet#Offline_Applications | Check Offline Web Application]]

== Error Handling==
* [[Testing_for_Error_Code_(OTG-ERR-001)|Check for Error Codes]]
* [[Testing_for_Stack_Traces_(OTG-ERR-002)|Check for Stack Traces]]

= Other Formats =

* DradisPro template format [https://github.com/raesene/OWASP_Web_App_Testing_Cheatsheet_Converter/blob/master/OWASP_Web_Application_Testing_Cheat_Sheet.xml on github]
* Asana template on [http://templana.com/templates/owasp-website-security-checklist/ Templana] (thanks to Bastien Siebman)

= Authors and primary contributors =

[[User:Simon Bennetts|Simon Bennetts]] 
[[User:Raesene|Rory McCune]] 
Colin Watson 
Simone Onofri 
[[User:Amro_Ahmed|Amro AlOlaqi]]

All the authors of the Testing Guide v3

= Other Contributors =

[[User:Ryan_Dewhurst|Ryan Dewhurst]] 

= Related articles =

OWASP [[:Category:OWASP Testing Project|Testing Guide]]

Mozilla [https://wiki.mozilla.org/WebAppSec/Web_Security_Verification Web Security Verification]

{{Cheatsheet_Navigation}}

[[Category:Cheatsheets]] [[Category:OWASP_Breakers]]

Web Application Security Testing Cheat Sheet

2015-09-03T16:56:28Z

Raesene: /* Data Validation */

= DRAFT CHEAT SHEET - WORK IN PROGRESS =

= Introduction =

This cheat sheet provides a checklist of tasks to be performed when performing a blackbox security test of a web application.

= Purpose =

This checklist is intended to be used as an aide memoire for experienced pentesters and should be used in conjunction with the [[:Category:OWASP Testing Project|OWASP Testing Guide]]. It will be updated as the [[OWASP_Application_Testing_guide_v4|Testing Guide v4]] is progressed.

The intention is that this guide will be available as an XML document, with scripts that convert it into formats such as pdf, Media Wiki markup, HTML etc.

This will allow it to be consumed within security tools as well as being available in a format suitable for printing.

All feedback or offers of help will be appreciated - and if you have specific chances you think should be made, just get stuck in.

= The Checklist =

== Information Gathering ==
* Manually explore the site
* [[Testing:_Spidering_and_googling | Spider/crawl]] for missed or hidden content
* [[Review_Webserver_Metafiles_for_Information_Leakage_(OTG-INFO-003)|Check the Webserver Metafiles]] for information leakage files that expose content, such as robots.txt, sitemap.xml, .DS_Store
* Check the caches of major search engines for publicly accessible sites
* Check for differences in content based on User Agent (eg, Mobile sites, access as a Search engine Crawler)
* [[Review_webpage_comments_and_metadata_for_information_leakage_(OTG-INFO-005) | Check The Webpage Comments and Metadata for Information Leakage]]
* [[Fingerprint_Web_Application_Framework_(OTG-INFO-008) | Check The Web Application Framework]]
* [[Fingerprint_Web_Server_(OTG-INFO-002)|Perform Web Application Fingerprinting]]
* Identify technologies used
* Identify user roles
* [[Identify_application_entry_points_(OTG-INFO-006) | Identify application entry points]]
* Identify client-side code
* Identify multiple versions/channels (e.g. web, mobile web, mobile app)
* [[Web_Services | Identify web services]]
* Identify co-hosted and related applications
* Identify all hostnames and ports
* Identify third-party hosted content

== Configuration Management ==
* Check for commonly used application and administrative URLs
* Check for old, backup and unreferenced files
* Check HTTP methods supported and Cross Site Tracing (XST)
* Test file extensions handling
* Test RIA cross domain policy
* Test for security HTTP headers (e.g. CSP, X-Frame-Options, HSTS)
* Test for policies (e.g. Flash, Silverlight, robots)
* Test for non-production data in live environment, and vice-versa
* Check for sensitive data in client-side code (e.g. API keys, credentials)

== Secure Transmission ==
* Check SSL Version, Algorithms, Key length
* Check for Digital Certificate Validity (Duration, Signature and CN)
* Check credentials only delivered over HTTPS
* Check that the login form is delivered over HTTPS
* Check session tokens only delivered over HTTPS
* Check if HTTP Strict Transport Security (HSTS) in use

== Authentication ==
* [[Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002) | Test for user enumeration]]
* [[Testing_for_Bypassing_Authentication_Schema_(OTG-AUTHN-004) | Test for authentication bypass]]
* [[Testing_for_Brute_Force_(OWASP-AT-004) | Test for brute force protection]]
* Test for Credentials Transported over an Encrypted Channel
* Test password quality rules
* Test remember me functionality
* Test for autocomplete on password forms/input
* Test password reset and/or recovery
* Test password change process
* Test CAPTCHA
* Test multi factor authentication
* Test for logout functionality presence
* Test for cache management on HTTP (eg Pragma, Expires, Max-age)
* Test for default logins
* Test for user-accessible authentication history
* Test for out-of channel notification of account lockouts and successful password changes
* Test for consistent authentication across applications with shared authentication schema / SSO and alternative channels
* Test for Weak security question/answer

== Session Management ==
* Establish how session management is handled in the application (eg, tokens in cookies, token in URL)
* Check session tokens for cookie flags (httpOnly and secure)
* Check session cookie scope (path and domain)
* Check session cookie duration (expires and max-age)
* Check session termination after a maximum lifetime
* Check session termination after relative timeout
* Check session termination after logout
* Test to see if users can have multiple simultaneous sessions
* Test session cookies for randomness
* Confirm that new session tokens are issued on login, role change and logout
* Test for consistent session management across applications with shared session management
* Test for session puzzling
* Test for CSRF and clickjacking

== Authorization ==
* Test for path traversal
* Test for vertical Access control problems (a.k.a. Privilege Escalation)
* Test for horizontal Access control problems (between two users at the same privilege level)
* Test for missing authorisation
* Test for Insecure Direct Object References

== Data Validation ==
* [[Testing_for_Reflected_Cross_site_scripting_(OTG-INPVAL-001)|Test for Reflected Cross Site Scripting]]
* [[Testing_for_Stored_Cross_site_scripting_(OTG-INPVAL-002)|Test for Stored Cross Site Scripting]]
* [[Testing_for_DOM-based_Cross_site_scripting_(OTG-CLIENT-001)|Test for DOM based Cross Site Scripting]]
* Test for Cross Site Flashing
* Test for HTML Injection
* [[Testing_for_SQL_Injection_(OTG-INPVAL-005)|Test for SQL Injection]]
* Test for LDAP Injection
* [[Testing_for_ORM_Injection_(OTG-INPVAL-007)|Test for ORM Injection]]
* [[Testing_for_XML_Injection_(OTG-INPVAL-008)|Test for XML Injection]]
* Test for XXE Injection
* [[Testing_for_SSI_Injection_(OTG-INPVAL-009)|Test for SSI Injection]]
* [[Testing_for_XPath_Injection_(OTG-INPVAL-010)|Test for XPath Injection]]
* Test for XQuery Injection
* [[Testing_for_IMAP/SMTP_Injection_(OTG-INPVAL-011)|Test for IMAP/SMTP Injection]]
* [[Testing_for_Code_Injection_(OTG-INPVAL-012)|Test for Code Injection]]
* Test for Expression Language Injection
* Test for Command Injection
* Test for Overflow (Stack, Heap and Integer)
* Test for Format String
* Test for incubated vulnerabilities
* Test for HTTP Splitting/Smuggling
* Test for HTTP Verb Tampering
* Test for Open Redirection
* [[Testing_for_Local_File_Inclusion|Test for Local File Inclusion]]
* [[Testing_for_Remote_File_Inclusion|Test for Remote File Inclusion]]
* Compare client-side and server-side validation rules
* Test for NoSQL injection
* Test for HTTP parameter pollution
* Test for auto-binding
* Test for Mass Assignment
* Test for NULL/Invalid Session Cookie

== Denial of Service ==
* Test for anti-automation
* [[Testing_for_Weak_lock_out_mechanism_(OTG-AUTHN-003)|Test for account lockout]]
* Test for HTTP protocol DoS
* Test for SQL wildcard DoS

== Business Logic ==
* Test for feature misuse
* Test for lack of non-repudiation
* Test for trust relationships
* Test for integrity of data
* Test segregation of duties
* Test for Process Timing
* Test Number of Times a Function Can be Used Limits
* Test for the Circumvention of Work Flows
* Test Defenses Against Application Mis-use
* Test Upload of Unexpected File Types

== Cryptography ==
* [[Testing_for_Sensitive_information_sent_via_unencrypted_channels_(OTG-CRYPST-003)|Check if data which should be encrypted is not]]
* Check for wrong algorithms usage depending on context
* [[Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_(OTG-CRYPST-001)|Check for weak algorithms usage]]
* [[Password_Storage_Cheat_Sheet#Use_a_cryptographically_strong_credential-specific_salt | Check for proper use of salting]]
* [[Insecure_Randomness | Check for randomness functions]]

== Risky Functionality - File Uploads ==
* [[Test_Upload_of_Unexpected_File_Types_(OTG-BUSLOGIC-008)|Test that acceptable file types are whitelisted and non-whitelisted types are rejected]]
* Test that file size limits, upload frequency and total file counts are defined and are enforced
* Test that file contents match the defined file type
* [[Test_Upload_of_Malicious_Files_(OTG-BUSLOGIC-009)|Test that all file uploads have Anti-Virus scanning in-place.]]
* Test that unsafe filenames are sanitised
* Test that uploaded files are not directly accessible within the web root
* Test that uploaded files are not served on the same hostname/port
* Test that files and other media are integrated with the authentication and authorisation schemas

== Risky Functionality - Card Payment ==
* Test for known vulnerabilities and configuration issues on Web Server and Web Application
* Test for default or guessable password
* Test for non-production data in live environment, and vice-versa
* [[Injection_Flaws | Test for Injection vulnerabilities ]]
* [[Testing_for_Buffer_Overflow_(OTG-INPVAL-014) | Test for Buffer Overflows]]
* [[Top_10_2010-A7-Insecure_Cryptographic_Storage | Test for Insecure Cryptographic Storage]]
* [[Top_10_2010-A9-Insufficient_Transport_Layer_Protection | Test for Insufficient Transport Layer Protection]]
* [[Web_Application_Security_Testing_Cheat_Sheet#Error_Handling|Test for Improper Error Handling]]
* Test for all vulnerabilities with a CVSS v2 score > 4.0
* Test for Authentication and Authorization issues
* [[Testing_for_CSRF_(OTG-SESS-005)|Test for CSRF]]

== HTML 5==
* [[Test_Web_Messaging_(OTG-CLIENT-011)|Test Web Messaging]]
* [[Test_Local_Storage_(OTG-CLIENT-012)|Test for Web Storage SQL injection]]
* [[Test_Cross_Origin_Resource_Sharing_(OTG-CLIENT-007)|Check CORS implementation]]
* [[HTML5_Security_Cheat_Sheet#Offline_Applications | Check Offline Web Application]]

== Error Handling==
* [[Testing_for_Error_Code_(OTG-ERR-001)|Check for Error Codes]]
* [[Testing_for_Stack_Traces_(OTG-ERR-002)|Check for Stack Traces]]

= Other Formats =

* DradisPro template format [https://github.com/raesene/OWASP_Web_App_Testing_Cheatsheet_Converter/blob/master/OWASP_Web_Application_Testing_Cheat_Sheet.xml on github]
* Asana template on [http://templana.com/templates/owasp-website-security-checklist/ Templana] (thanks to Bastien Siebman)

= Authors and primary contributors =

[[User:Simon Bennetts|Simon Bennetts]] 
[[User:Raesene|Rory McCune]] 
Colin Watson 
Simone Onofri 
[[User:Amro_Ahmed|Amro AlOlaqi]]

All the authors of the Testing Guide v3

= Other Contributors =

[[User:Ryan_Dewhurst|Ryan Dewhurst]] 

= Related articles =

OWASP [[:Category:OWASP Testing Project|Testing Guide]]

Mozilla [https://wiki.mozilla.org/WebAppSec/Web_Security_Verification Web Security Verification]

{{Cheatsheet_Navigation}}

[[Category:Cheatsheets]] [[Category:OWASP_Breakers]]

Web Application Security Testing Cheat Sheet

2015-09-01T19:12:15Z

Raesene: /* Denial of Service */

= DRAFT CHEAT SHEET - WORK IN PROGRESS =

= Introduction =

This cheat sheet provides a checklist of tasks to be performed when performing a blackbox security test of a web application.

= Purpose =

This checklist is intended to be used as an aide memoire for experienced pentesters and should be used in conjunction with the [[:Category:OWASP Testing Project|OWASP Testing Guide]]. It will be updated as the [[OWASP_Application_Testing_guide_v4|Testing Guide v4]] is progressed.

The intention is that this guide will be available as an XML document, with scripts that convert it into formats such as pdf, Media Wiki markup, HTML etc.

This will allow it to be consumed within security tools as well as being available in a format suitable for printing.

All feedback or offers of help will be appreciated - and if you have specific chances you think should be made, just get stuck in.

= The Checklist =

== Information Gathering ==
* Manually explore the site
* [[Testing:_Spidering_and_googling | Spider/crawl]] for missed or hidden content
* [[Review_Webserver_Metafiles_for_Information_Leakage_(OTG-INFO-003)|Check the Webserver Metafiles]] for information leakage files that expose content, such as robots.txt, sitemap.xml, .DS_Store
* Check the caches of major search engines for publicly accessible sites
* Check for differences in content based on User Agent (eg, Mobile sites, access as a Search engine Crawler)
* [[Review_webpage_comments_and_metadata_for_information_leakage_(OTG-INFO-005) | Check The Webpage Comments and Metadata for Information Leakage]]
* [[Fingerprint_Web_Application_Framework_(OTG-INFO-008) | Check The Web Application Framework]]
* [[Fingerprint_Web_Server_(OTG-INFO-002)|Perform Web Application Fingerprinting]]
* Identify technologies used
* Identify user roles
* [[Identify_application_entry_points_(OTG-INFO-006) | Identify application entry points]]
* Identify client-side code
* Identify multiple versions/channels (e.g. web, mobile web, mobile app, web services)
* Identify co-hosted and related applications
* Identify all hostnames and ports
* Identify third-party hosted content

== Configuration Management ==
* Check for commonly used application and administrative URLs
* Check for old, backup and unreferenced files
* Check HTTP methods supported and Cross Site Tracing (XST)
* Test file extensions handling
* Test RIA cross domain policy
* Test for security HTTP headers (e.g. CSP, X-Frame-Options, HSTS)
* Test for policies (e.g. Flash, Silverlight, robots)
* Test for non-production data in live environment, and vice-versa
* Check for sensitive data in client-side code (e.g. API keys, credentials)

== Secure Transmission ==
* Check SSL Version, Algorithms, Key length
* Check for Digital Certificate Validity (Duration, Signature and CN)
* Check credentials only delivered over HTTPS
* Check that the login form is delivered over HTTPS
* Check session tokens only delivered over HTTPS
* Check if HTTP Strict Transport Security (HSTS) in use

== Authentication ==
* Test for user enumeration
* Test for authentication bypass
* Test for brute force protection
* Test for Credentials Transported over an Encrypted Channel
* Test password quality rules
* Test remember me functionality
* Test for autocomplete on password forms/input
* Test password reset and/or recovery
* Test password change process
* Test CAPTCHA
* Test multi factor authentication
* Test for logout functionality presence
* Test for cache management on HTTP (eg Pragma, Expires, Max-age)
* Test for default logins
* Test for user-accessible authentication history
* Test for out-of channel notification of account lockouts and successful password changes
* Test for consistent authentication across applications with shared authentication schema / SSO and alternative channels
* Test for Weak security question/answer

== Session Management ==
* Establish how session management is handled in the application (eg, tokens in cookies, token in URL)
* Check session tokens for cookie flags (httpOnly and secure)
* Check session cookie scope (path and domain)
* Check session cookie duration (expires and max-age)
* Check session termination after a maximum lifetime
* Check session termination after relative timeout
* Check session termination after logout
* Test to see if users can have multiple simultaneous sessions
* Test session cookies for randomness
* Confirm that new session tokens are issued on login, role change and logout
* Test for consistent session management across applications with shared session management
* Test for session puzzling
* Test for CSRF and clickjacking

== Authorization ==
* Test for path traversal
* Test for vertical Access control problems (a.k.a. Privilege Escalation)
* Test for horizontal Access control problems (between two users at the same privilege level)
* Test for missing authorisation
* Test for Insecure Direct Object References

== Data Validation ==
* Test for Reflected Cross Site Scripting
* Test for Stored Cross Site Scripting
* Test for DOM based Cross Site Scripting
* Test for Cross Site Flashing
* Test for HTML Injection
* Test for SQL Injection
* Test for LDAP Injection
* Test for ORM Injection
* Test for XML Injection
* Test for XXE Injection
* Test for SSI Injection
* Test for XPath Injection
* Test for XQuery Injection
* Test for IMAP/SMTP Injection
* Test for Code Injection
* Test for Expression Language Injection
* Test for Command Injection
* Test for Overflow (Stack, Heap and Integer)
* Test for Format String
* Test for incubated vulnerabilities
* Test for HTTP Splitting/Smuggling
* Test for HTTP Verb Tampering
* Test for Open Redirection
* Test for Local File Inclusion
* Test for Remote File Inclusion
* Compare client-side and server-side validation rules
* Test for NoSQL injection
* Test for HTTP parameter pollution
* Test for auto-binding
* Test for Mass Assignment
* Test for NULL/Invalid Session Cookie

== Denial of Service ==
* Test for anti-automation
* [[Testing_for_Weak_lock_out_mechanism_(OTG-AUTHN-003)|Test for account lockout]]
* Test for HTTP protocol DoS
* Test for SQL wildcard DoS

== Business Logic ==
* Test for feature misuse
* Test for lack of non-repudiation
* Test for trust relationships
* Test for integrity of data
* Test segregation of duties
* Test for Process Timing
* Test Number of Times a Function Can be Used Limits
* Test for the Circumvention of Work Flows
* Test Defenses Against Application Mis-use
* Test Upload of Unexpected File Types

== Cryptography ==
* [[Testing_for_Sensitive_information_sent_via_unencrypted_channels_(OTG-CRYPST-003)|Check if data which should be encrypted is not]]
* Check for wrong algorithms usage depending on context
* [[Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_(OTG-CRYPST-001)|Check for weak algorithms usage]]
* Check for proper use of salting
* [[Insecure_Randomness | Check for randomness functions]]

== Risky Functionality - File Uploads ==
* [[Test_Upload_of_Unexpected_File_Types_(OTG-BUSLOGIC-008)|Test that acceptable file types are whitelisted and non-whitelisted types are rejected]]
* Test that file size limits, upload frequency and total file counts are defined and are enforced
* Test that file contents match the defined file type
* [[Test_Upload_of_Malicious_Files_(OTG-BUSLOGIC-009)|Test that all file uploads have Anti-Virus scanning in-place.]]
* Test that unsafe filenames are sanitised
* Test that uploaded files are not directly accessible within the web root
* Test that uploaded files are not served on the same hostname/port
* Test that files and other media are integrated with the authentication and authorisation schemas

== Risky Functionality - Card Payment ==
* Test for known vulnerabilities and configuration issues on Web Server and Web Application
* Test for default or guessable password
* Test for non-production data in live environment, and vice-versa
* Test for Injection vulnerabilities
* Test for Buffer Overflows
* Test for Insecure Cryptographic Storage
* Test for Insufficient Transport Layer Protection
* [[Web_Application_Security_Testing_Cheat_Sheet#Error_Handling|Test for Improper Error Handling]]
* Test for all vulnerabilities with a CVSS v2 score > 4.0
* Test for Authentication and Authorization issues
* [[Testing_for_CSRF_(OTG-SESS-005)|Test for CSRF]]

== HTML 5==
* [[Test_Web_Messaging_(OTG-CLIENT-011)|Test Web Messaging]]
* [[Test_Local_Storage_(OTG-CLIENT-012)|Test for Web Storage SQL injection]]
* [[Test_Cross_Origin_Resource_Sharing_(OTG-CLIENT-007)|Check CORS implementation]]
* [[HTML5_Security_Cheat_Sheet#Offline_Applications | Check Offline Web Application]]

== Error Handling==
* [[Testing_for_Error_Code_(OTG-ERR-001)|Check for Error Codes]]
* [[Testing_for_Stack_Traces_(OTG-ERR-002)|Check for Stack Traces]]

= Other Formats =

* DradisPro template format [https://github.com/raesene/OWASP_Web_App_Testing_Cheatsheet_Converter/blob/master/OWASP_Web_Application_Testing_Cheat_Sheet.xml on github]
* Asana template on [http://templana.com/templates/owasp-website-security-checklist/ Templana] (thanks to Bastien Siebman)

= Authors and primary contributors =

[[User:Simon Bennetts|Simon Bennetts]] 
[[User:Raesene|Rory McCune]] 
Colin Watson 
Simone Onofri 
[[User:Amro_Ahmed|Amro AlOlaqi]]

All the authors of the Testing Guide v3

= Other Contributors =

[[User:Ryan_Dewhurst|Ryan Dewhurst]] 

= Related articles =

OWASP [[:Category:OWASP Testing Project|Testing Guide]]

Mozilla [https://wiki.mozilla.org/WebAppSec/Web_Security_Verification Web Security Verification]

{{Cheatsheet_Navigation}}

[[Category:Cheatsheets]] [[Category:OWASP_Breakers]]

Web Application Security Testing Cheat Sheet

2015-09-01T18:58:12Z

Raesene: /* Risky Functionality - Card Payment */

= DRAFT CHEAT SHEET - WORK IN PROGRESS =

= Introduction =

This cheat sheet provides a checklist of tasks to be performed when performing a blackbox security test of a web application.

= Purpose =

This checklist is intended to be used as an aide memoire for experienced pentesters and should be used in conjunction with the [[:Category:OWASP Testing Project|OWASP Testing Guide]]. It will be updated as the [[OWASP_Application_Testing_guide_v4|Testing Guide v4]] is progressed.

The intention is that this guide will be available as an XML document, with scripts that convert it into formats such as pdf, Media Wiki markup, HTML etc.

This will allow it to be consumed within security tools as well as being available in a format suitable for printing.

All feedback or offers of help will be appreciated - and if you have specific chances you think should be made, just get stuck in.

= The Checklist =

== Information Gathering ==
* Manually explore the site
* [[Testing:_Spidering_and_googling | Spider/crawl]] for missed or hidden content
* [[Review_Webserver_Metafiles_for_Information_Leakage_(OTG-INFO-003)|Check the Webserver Metafiles]] for information leakage files that expose content, such as robots.txt, sitemap.xml, .DS_Store
* Check the caches of major search engines for publicly accessible sites
* Check for differences in content based on User Agent (eg, Mobile sites, access as a Search engine Crawler)
* [[Review_webpage_comments_and_metadata_for_information_leakage_(OTG-INFO-005) | Check The Webpage Comments and Metadata for Information Leakage]]
* [[Fingerprint_Web_Application_Framework_(OTG-INFO-008) | Check The Web Application Framework]]
* [[Fingerprint_Web_Server_(OTG-INFO-002)|Perform Web Application Fingerprinting]]
* Identify technologies used
* Identify user roles
* [[Identify_application_entry_points_(OTG-INFO-006) | Identify application entry points]]
* Identify client-side code
* Identify multiple versions/channels (e.g. web, mobile web, mobile app, web services)
* Identify co-hosted and related applications
* Identify all hostnames and ports
* Identify third-party hosted content

== Configuration Management ==
* Check for commonly used application and administrative URLs
* Check for old, backup and unreferenced files
* Check HTTP methods supported and Cross Site Tracing (XST)
* Test file extensions handling
* Test RIA cross domain policy
* Test for security HTTP headers (e.g. CSP, X-Frame-Options, HSTS)
* Test for policies (e.g. Flash, Silverlight, robots)
* Test for non-production data in live environment, and vice-versa
* Check for sensitive data in client-side code (e.g. API keys, credentials)

== Secure Transmission ==
* Check SSL Version, Algorithms, Key length
* Check for Digital Certificate Validity (Duration, Signature and CN)
* Check credentials only delivered over HTTPS
* Check that the login form is delivered over HTTPS
* Check session tokens only delivered over HTTPS
* Check if HTTP Strict Transport Security (HSTS) in use

== Authentication ==
* Test for user enumeration
* Test for authentication bypass
* Test for brute force protection
* Test for Credentials Transported over an Encrypted Channel
* Test password quality rules
* Test remember me functionality
* Test for autocomplete on password forms/input
* Test password reset and/or recovery
* Test password change process
* Test CAPTCHA
* Test multi factor authentication
* Test for logout functionality presence
* Test for cache management on HTTP (eg Pragma, Expires, Max-age)
* Test for default logins
* Test for user-accessible authentication history
* Test for out-of channel notification of account lockouts and successful password changes
* Test for consistent authentication across applications with shared authentication schema / SSO and alternative channels
* Test for Weak security question/answer

== Session Management ==
* Establish how session management is handled in the application (eg, tokens in cookies, token in URL)
* Check session tokens for cookie flags (httpOnly and secure)
* Check session cookie scope (path and domain)
* Check session cookie duration (expires and max-age)
* Check session termination after a maximum lifetime
* Check session termination after relative timeout
* Check session termination after logout
* Test to see if users can have multiple simultaneous sessions
* Test session cookies for randomness
* Confirm that new session tokens are issued on login, role change and logout
* Test for consistent session management across applications with shared session management
* Test for session puzzling
* Test for CSRF and clickjacking

== Authorization ==
* Test for path traversal
* Test for vertical Access control problems (a.k.a. Privilege Escalation)
* Test for horizontal Access control problems (between two users at the same privilege level)
* Test for missing authorisation
* Test for Insecure Direct Object References

== Data Validation ==
* Test for Reflected Cross Site Scripting
* Test for Stored Cross Site Scripting
* Test for DOM based Cross Site Scripting
* Test for Cross Site Flashing
* Test for HTML Injection
* Test for SQL Injection
* Test for LDAP Injection
* Test for ORM Injection
* Test for XML Injection
* Test for XXE Injection
* Test for SSI Injection
* Test for XPath Injection
* Test for XQuery Injection
* Test for IMAP/SMTP Injection
* Test for Code Injection
* Test for Expression Language Injection
* Test for Command Injection
* Test for Overflow (Stack, Heap and Integer)
* Test for Format String
* Test for incubated vulnerabilities
* Test for HTTP Splitting/Smuggling
* Test for HTTP Verb Tampering
* Test for Open Redirection
* Test for Local File Inclusion
* Test for Remote File Inclusion
* Compare client-side and server-side validation rules
* Test for NoSQL injection
* Test for HTTP parameter pollution
* Test for auto-binding
* Test for Mass Assignment
* Test for NULL/Invalid Session Cookie

== Denial of Service ==
* Test for anti-automation
* Test for account lockout
* Test for HTTP protocol DoS
* Test for SQL wildcard DoS

== Business Logic ==
* Test for feature misuse
* Test for lack of non-repudiation
* Test for trust relationships
* Test for integrity of data
* Test segregation of duties
* Test for Process Timing
* Test Number of Times a Function Can be Used Limits
* Test for the Circumvention of Work Flows
* Test Defenses Against Application Mis-use
* Test Upload of Unexpected File Types

== Cryptography ==
* [[Testing_for_Sensitive_information_sent_via_unencrypted_channels_(OTG-CRYPST-003)|Check if data which should be encrypted is not]]
* Check for wrong algorithms usage depending on context
* [[Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_(OTG-CRYPST-001)|Check for weak algorithms usage]]
* Check for proper use of salting
* Check for randomness functions

== Risky Functionality - File Uploads ==
* [[Test_Upload_of_Unexpected_File_Types_(OTG-BUSLOGIC-008)|Test that acceptable file types are whitelisted and non-whitelisted types are rejected]]
* Test that file size limits, upload frequency and total file counts are defined and are enforced
* Test that file contents match the defined file type
* [[Test_Upload_of_Malicious_Files_(OTG-BUSLOGIC-009)|Test that all file uploads have Anti-Virus scanning in-place.]]
* Test that unsafe filenames are sanitised
* Test that uploaded files are not directly accessible within the web root
* Test that uploaded files are not served on the same hostname/port
* Test that files and other media are integrated with the authentication and authorisation schemas

== Risky Functionality - Card Payment ==
* Test for known vulnerabilities and configuration issues on Web Server and Web Application
* Test for default or guessable password
* Test for non-production data in live environment, and vice-versa
* Test for Injection vulnerabilities
* Test for Buffer Overflows
* Test for Insecure Cryptographic Storage
* Test for Insufficient Transport Layer Protection
* [[Web_Application_Security_Testing_Cheat_Sheet#Error_Handling|Test for Improper Error Handling]]
* Test for all vulnerabilities with a CVSS v2 score > 4.0
* Test for Authentication and Authorization issues
* [[Testing_for_CSRF_(OTG-SESS-005)|Test for CSRF]]

== HTML 5==
* [[Test_Web_Messaging_(OTG-CLIENT-011)|Test Web Messaging]]
* [[Test_Local_Storage_(OTG-CLIENT-012)|Test for Web Storage SQL injection]]
* [[Test_Cross_Origin_Resource_Sharing_(OTG-CLIENT-007)|Check CORS implementation]]
* Check Offline Web Application

== Error Handling==
* [[Testing_for_Error_Code_(OTG-ERR-001)|Check for Error Codes]]
* [[Testing_for_Stack_Traces_(OTG-ERR-002)|Check for Stack Traces]]

= Other Formats =

* DradisPro template format [https://github.com/raesene/OWASP_Web_App_Testing_Cheatsheet_Converter/blob/master/OWASP_Web_Application_Testing_Cheat_Sheet.xml on github]
* Asana template on [http://templana.com/templates/owasp-website-security-checklist/ Templana] (thanks to Bastien Siebman)

= Authors and primary contributors =

[[User:Simon Bennetts|Simon Bennetts]] 
[[User:Raesene|Rory McCune]] 
Colin Watson 
Simone Onofri 
[[User:Amro_Ahmed|Amro AlOlaqi]]

All the authors of the Testing Guide v3

= Other Contributors =

[[User:Ryan_Dewhurst|Ryan Dewhurst]] 

= Related articles =

OWASP [[:Category:OWASP Testing Project|Testing Guide]]

Mozilla [https://wiki.mozilla.org/WebAppSec/Web_Security_Verification Web Security Verification]

{{Cheatsheet_Navigation}}

[[Category:Cheatsheets]] [[Category:OWASP_Breakers]]

Web Application Security Testing Cheat Sheet

2015-09-01T18:56:20Z

Raesene: /* Risky Functionality - Card Payment */

= DRAFT CHEAT SHEET - WORK IN PROGRESS =

= Introduction =

This cheat sheet provides a checklist of tasks to be performed when performing a blackbox security test of a web application.

= Purpose =

This checklist is intended to be used as an aide memoire for experienced pentesters and should be used in conjunction with the [[:Category:OWASP Testing Project|OWASP Testing Guide]]. It will be updated as the [[OWASP_Application_Testing_guide_v4|Testing Guide v4]] is progressed.

The intention is that this guide will be available as an XML document, with scripts that convert it into formats such as pdf, Media Wiki markup, HTML etc.

This will allow it to be consumed within security tools as well as being available in a format suitable for printing.

All feedback or offers of help will be appreciated - and if you have specific chances you think should be made, just get stuck in.

= The Checklist =

== Information Gathering ==
* Manually explore the site
* [[Testing:_Spidering_and_googling | Spider/crawl]] for missed or hidden content
* [[Review_Webserver_Metafiles_for_Information_Leakage_(OTG-INFO-003)|Check the Webserver Metafiles]] for information leakage files that expose content, such as robots.txt, sitemap.xml, .DS_Store
* Check the caches of major search engines for publicly accessible sites
* Check for differences in content based on User Agent (eg, Mobile sites, access as a Search engine Crawler)
* [[Review_webpage_comments_and_metadata_for_information_leakage_(OTG-INFO-005) | Check The Webpage Comments and Metadata for Information Leakage]]
* [[Fingerprint_Web_Application_Framework_(OTG-INFO-008) | Check The Web Application Framework]]
* [[Fingerprint_Web_Server_(OTG-INFO-002)|Perform Web Application Fingerprinting]]
* Identify technologies used
* Identify user roles
* [[Identify_application_entry_points_(OTG-INFO-006) | Identify application entry points]]
* Identify client-side code
* Identify multiple versions/channels (e.g. web, mobile web, mobile app, web services)
* Identify co-hosted and related applications
* Identify all hostnames and ports
* Identify third-party hosted content

== Configuration Management ==
* Check for commonly used application and administrative URLs
* Check for old, backup and unreferenced files
* Check HTTP methods supported and Cross Site Tracing (XST)
* Test file extensions handling
* Test RIA cross domain policy
* Test for security HTTP headers (e.g. CSP, X-Frame-Options, HSTS)
* Test for policies (e.g. Flash, Silverlight, robots)
* Test for non-production data in live environment, and vice-versa
* Check for sensitive data in client-side code (e.g. API keys, credentials)

== Secure Transmission ==
* Check SSL Version, Algorithms, Key length
* Check for Digital Certificate Validity (Duration, Signature and CN)
* Check credentials only delivered over HTTPS
* Check that the login form is delivered over HTTPS
* Check session tokens only delivered over HTTPS
* Check if HTTP Strict Transport Security (HSTS) in use

== Authentication ==
* Test for user enumeration
* Test for authentication bypass
* Test for brute force protection
* Test for Credentials Transported over an Encrypted Channel
* Test password quality rules
* Test remember me functionality
* Test for autocomplete on password forms/input
* Test password reset and/or recovery
* Test password change process
* Test CAPTCHA
* Test multi factor authentication
* Test for logout functionality presence
* Test for cache management on HTTP (eg Pragma, Expires, Max-age)
* Test for default logins
* Test for user-accessible authentication history
* Test for out-of channel notification of account lockouts and successful password changes
* Test for consistent authentication across applications with shared authentication schema / SSO and alternative channels
* Test for Weak security question/answer

== Session Management ==
* Establish how session management is handled in the application (eg, tokens in cookies, token in URL)
* Check session tokens for cookie flags (httpOnly and secure)
* Check session cookie scope (path and domain)
* Check session cookie duration (expires and max-age)
* Check session termination after a maximum lifetime
* Check session termination after relative timeout
* Check session termination after logout
* Test to see if users can have multiple simultaneous sessions
* Test session cookies for randomness
* Confirm that new session tokens are issued on login, role change and logout
* Test for consistent session management across applications with shared session management
* Test for session puzzling
* Test for CSRF and clickjacking

== Authorization ==
* Test for path traversal
* Test for vertical Access control problems (a.k.a. Privilege Escalation)
* Test for horizontal Access control problems (between two users at the same privilege level)
* Test for missing authorisation
* Test for Insecure Direct Object References

== Data Validation ==
* Test for Reflected Cross Site Scripting
* Test for Stored Cross Site Scripting
* Test for DOM based Cross Site Scripting
* Test for Cross Site Flashing
* Test for HTML Injection
* Test for SQL Injection
* Test for LDAP Injection
* Test for ORM Injection
* Test for XML Injection
* Test for XXE Injection
* Test for SSI Injection
* Test for XPath Injection
* Test for XQuery Injection
* Test for IMAP/SMTP Injection
* Test for Code Injection
* Test for Expression Language Injection
* Test for Command Injection
* Test for Overflow (Stack, Heap and Integer)
* Test for Format String
* Test for incubated vulnerabilities
* Test for HTTP Splitting/Smuggling
* Test for HTTP Verb Tampering
* Test for Open Redirection
* Test for Local File Inclusion
* Test for Remote File Inclusion
* Compare client-side and server-side validation rules
* Test for NoSQL injection
* Test for HTTP parameter pollution
* Test for auto-binding
* Test for Mass Assignment
* Test for NULL/Invalid Session Cookie

== Denial of Service ==
* Test for anti-automation
* Test for account lockout
* Test for HTTP protocol DoS
* Test for SQL wildcard DoS

== Business Logic ==
* Test for feature misuse
* Test for lack of non-repudiation
* Test for trust relationships
* Test for integrity of data
* Test segregation of duties
* Test for Process Timing
* Test Number of Times a Function Can be Used Limits
* Test for the Circumvention of Work Flows
* Test Defenses Against Application Mis-use
* Test Upload of Unexpected File Types

== Cryptography ==
* [[Testing_for_Sensitive_information_sent_via_unencrypted_channels_(OTG-CRYPST-003)|Check if data which should be encrypted is not]]
* Check for wrong algorithms usage depending on context
* [[Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_(OTG-CRYPST-001)|Check for weak algorithms usage]]
* Check for proper use of salting
* Check for randomness functions

== Risky Functionality - File Uploads ==
* [[Test_Upload_of_Unexpected_File_Types_(OTG-BUSLOGIC-008)|Test that acceptable file types are whitelisted and non-whitelisted types are rejected]]
* Test that file size limits, upload frequency and total file counts are defined and are enforced
* Test that file contents match the defined file type
* [[Test_Upload_of_Malicious_Files_(OTG-BUSLOGIC-009)|Test that all file uploads have Anti-Virus scanning in-place.]]
* Test that unsafe filenames are sanitised
* Test that uploaded files are not directly accessible within the web root
* Test that uploaded files are not served on the same hostname/port
* Test that files and other media are integrated with the authentication and authorisation schemas

== Risky Functionality - Card Payment ==
* Test for known vulnerabilities and configuration issues on Web Server and Web Application
* Test for default or guessable password
* Test for non-production data in live environment, and vice-versa
* Test for Injection vulnerabilities
* Test for Buffer Overflows
* Test for Insecure Cryptographic Storage
* Test for Insufficient Transport Layer Protection
* Test for Improper Error Handling
* Test for all vulnerabilities with a CVSS v2 score > 4.0
* Test for Authentication and Authorization issues
* [[Testing_for_CSRF_(OTG-SESS-005)|Test for CSRF]]

== HTML 5==
* [[Test_Web_Messaging_(OTG-CLIENT-011)|Test Web Messaging]]
* [[Test_Local_Storage_(OTG-CLIENT-012)|Test for Web Storage SQL injection]]
* [[Test_Cross_Origin_Resource_Sharing_(OTG-CLIENT-007)|Check CORS implementation]]
* Check Offline Web Application

== Error Handling==
* [[Testing_for_Error_Code_(OTG-ERR-001)|Check for Error Codes]]
* [[Testing_for_Stack_Traces_(OTG-ERR-002)|Check for Stack Traces]]

= Other Formats =

* DradisPro template format [https://github.com/raesene/OWASP_Web_App_Testing_Cheatsheet_Converter/blob/master/OWASP_Web_Application_Testing_Cheat_Sheet.xml on github]
* Asana template on [http://templana.com/templates/owasp-website-security-checklist/ Templana] (thanks to Bastien Siebman)

= Authors and primary contributors =

[[User:Simon Bennetts|Simon Bennetts]] 
[[User:Raesene|Rory McCune]] 
Colin Watson 
Simone Onofri 
[[User:Amro_Ahmed|Amro AlOlaqi]]

All the authors of the Testing Guide v3

= Other Contributors =

[[User:Ryan_Dewhurst|Ryan Dewhurst]] 

= Related articles =

OWASP [[:Category:OWASP Testing Project|Testing Guide]]

Mozilla [https://wiki.mozilla.org/WebAppSec/Web_Security_Verification Web Security Verification]

{{Cheatsheet_Navigation}}

[[Category:Cheatsheets]] [[Category:OWASP_Breakers]]

Web Application Security Testing Cheat Sheet

2015-09-01T18:43:36Z

Raesene: /* HTML 5 */

= DRAFT CHEAT SHEET - WORK IN PROGRESS =

= Introduction =

This cheat sheet provides a checklist of tasks to be performed when performing a blackbox security test of a web application.

= Purpose =

This checklist is intended to be used as an aide memoire for experienced pentesters and should be used in conjunction with the [[:Category:OWASP Testing Project|OWASP Testing Guide]]. It will be updated as the [[OWASP_Application_Testing_guide_v4|Testing Guide v4]] is progressed.

The intention is that this guide will be available as an XML document, with scripts that convert it into formats such as pdf, Media Wiki markup, HTML etc.

This will allow it to be consumed within security tools as well as being available in a format suitable for printing.

All feedback or offers of help will be appreciated - and if you have specific chances you think should be made, just get stuck in.

= The Checklist =

== Information Gathering ==
* Manually explore the site
* [[Testing:_Spidering_and_googling | Spider/crawl]] for missed or hidden content
* [[Review_Webserver_Metafiles_for_Information_Leakage_(OTG-INFO-003)|Check the Webserver Metafiles]] for information leakage files that expose content, such as robots.txt, sitemap.xml, .DS_Store
* Check the caches of major search engines for publicly accessible sites
* Check for differences in content based on User Agent (eg, Mobile sites, access as a Search engine Crawler)
* [[Review_webpage_comments_and_metadata_for_information_leakage_(OTG-INFO-005) | Check The Webpage Comments and Metadata for Information Leakage]]
* [[Fingerprint_Web_Application_Framework_(OTG-INFO-008) | Check The Web Application Framework]]
* [[Fingerprint_Web_Server_(OTG-INFO-002)|Perform Web Application Fingerprinting]]
* Identify technologies used
* Identify user roles
* [[Identify_application_entry_points_(OTG-INFO-006) | Identify application entry points]]
* Identify client-side code
* Identify multiple versions/channels (e.g. web, mobile web, mobile app, web services)
* Identify co-hosted and related applications
* Identify all hostnames and ports
* Identify third-party hosted content

== Configuration Management ==
* Check for commonly used application and administrative URLs
* Check for old, backup and unreferenced files
* Check HTTP methods supported and Cross Site Tracing (XST)
* Test file extensions handling
* Test RIA cross domain policy
* Test for security HTTP headers (e.g. CSP, X-Frame-Options, HSTS)
* Test for policies (e.g. Flash, Silverlight, robots)
* Test for non-production data in live environment, and vice-versa
* Check for sensitive data in client-side code (e.g. API keys, credentials)

== Secure Transmission ==
* Check SSL Version, Algorithms, Key length
* Check for Digital Certificate Validity (Duration, Signature and CN)
* Check credentials only delivered over HTTPS
* Check that the login form is delivered over HTTPS
* Check session tokens only delivered over HTTPS
* Check if HTTP Strict Transport Security (HSTS) in use

== Authentication ==
* Test for user enumeration
* Test for authentication bypass
* Test for brute force protection
* Test for Credentials Transported over an Encrypted Channel
* Test password quality rules
* Test remember me functionality
* Test for autocomplete on password forms/input
* Test password reset and/or recovery
* Test password change process
* Test CAPTCHA
* Test multi factor authentication
* Test for logout functionality presence
* Test for cache management on HTTP (eg Pragma, Expires, Max-age)
* Test for default logins
* Test for user-accessible authentication history
* Test for out-of channel notification of account lockouts and successful password changes
* Test for consistent authentication across applications with shared authentication schema / SSO and alternative channels
* Test for Weak security question/answer

== Session Management ==
* Establish how session management is handled in the application (eg, tokens in cookies, token in URL)
* Check session tokens for cookie flags (httpOnly and secure)
* Check session cookie scope (path and domain)
* Check session cookie duration (expires and max-age)
* Check session termination after a maximum lifetime
* Check session termination after relative timeout
* Check session termination after logout
* Test to see if users can have multiple simultaneous sessions
* Test session cookies for randomness
* Confirm that new session tokens are issued on login, role change and logout
* Test for consistent session management across applications with shared session management
* Test for session puzzling
* Test for CSRF and clickjacking

== Authorization ==
* Test for path traversal
* Test for vertical Access control problems (a.k.a. Privilege Escalation)
* Test for horizontal Access control problems (between two users at the same privilege level)
* Test for missing authorisation
* Test for Insecure Direct Object References

== Data Validation ==
* Test for Reflected Cross Site Scripting
* Test for Stored Cross Site Scripting
* Test for DOM based Cross Site Scripting
* Test for Cross Site Flashing
* Test for HTML Injection
* Test for SQL Injection
* Test for LDAP Injection
* Test for ORM Injection
* Test for XML Injection
* Test for XXE Injection
* Test for SSI Injection
* Test for XPath Injection
* Test for XQuery Injection
* Test for IMAP/SMTP Injection
* Test for Code Injection
* Test for Expression Language Injection
* Test for Command Injection
* Test for Overflow (Stack, Heap and Integer)
* Test for Format String
* Test for incubated vulnerabilities
* Test for HTTP Splitting/Smuggling
* Test for HTTP Verb Tampering
* Test for Open Redirection
* Test for Local File Inclusion
* Test for Remote File Inclusion
* Compare client-side and server-side validation rules
* Test for NoSQL injection
* Test for HTTP parameter pollution
* Test for auto-binding
* Test for Mass Assignment
* Test for NULL/Invalid Session Cookie

== Denial of Service ==
* Test for anti-automation
* Test for account lockout
* Test for HTTP protocol DoS
* Test for SQL wildcard DoS

== Business Logic ==
* Test for feature misuse
* Test for lack of non-repudiation
* Test for trust relationships
* Test for integrity of data
* Test segregation of duties
* Test for Process Timing
* Test Number of Times a Function Can be Used Limits
* Test for the Circumvention of Work Flows
* Test Defenses Against Application Mis-use
* Test Upload of Unexpected File Types

== Cryptography ==
* [[Testing_for_Sensitive_information_sent_via_unencrypted_channels_(OTG-CRYPST-003)|Check if data which should be encrypted is not]]
* Check for wrong algorithms usage depending on context
* [[Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_(OTG-CRYPST-001)|Check for weak algorithms usage]]
* Check for proper use of salting
* Check for randomness functions

== Risky Functionality - File Uploads ==
* [[Test_Upload_of_Unexpected_File_Types_(OTG-BUSLOGIC-008)|Test that acceptable file types are whitelisted and non-whitelisted types are rejected]]
* Test that file size limits, upload frequency and total file counts are defined and are enforced
* Test that file contents match the defined file type
* [[Test_Upload_of_Malicious_Files_(OTG-BUSLOGIC-009)|Test that all file uploads have Anti-Virus scanning in-place.]]
* Test that unsafe filenames are sanitised
* Test that uploaded files are not directly accessible within the web root
* Test that uploaded files are not served on the same hostname/port
* Test that files and other media are integrated with the authentication and authorisation schemas

== Risky Functionality - Card Payment ==
* Test for known vulnerabilities and configuration issues on Web Server and Web Application
* Test for default or guessable password
* Test for non-production data in live environment, and vice-versa
* Test for Injection vulnerabilities
* Test for Buffer Overflows
* Test for Insecure Cryptographic Storage
* Test for Insufficient Transport Layer Protection
* Test for Improper Error Handling
* Test for all vulnerabilities with a CVSS v2 score > 4.0
* Test for Authentication and Authorization issues
* Test for CSRF

== HTML 5==
* [[Test_Web_Messaging_(OTG-CLIENT-011)|Test Web Messaging]]
* [[Test_Local_Storage_(OTG-CLIENT-012)|Test for Web Storage SQL injection]]
* [[Test_Cross_Origin_Resource_Sharing_(OTG-CLIENT-007)|Check CORS implementation]]
* Check Offline Web Application

== Error Handling==
* [[Testing_for_Error_Code_(OTG-ERR-001)|Check for Error Codes]]
* [[Testing_for_Stack_Traces_(OTG-ERR-002)|Check for Stack Traces]]

= Other Formats =

* DradisPro template format [https://github.com/raesene/OWASP_Web_App_Testing_Cheatsheet_Converter/blob/master/OWASP_Web_Application_Testing_Cheat_Sheet.xml on github]
* Asana template on [http://templana.com/templates/owasp-website-security-checklist/ Templana] (thanks to Bastien Siebman)

= Authors and primary contributors =

[[User:Simon Bennetts|Simon Bennetts]] 
[[User:Raesene|Rory McCune]] 
Colin Watson 
Simone Onofri 
[[User:Amro_Ahmed|Amro AlOlaqi]]

All the authors of the Testing Guide v3

= Other Contributors =

[[User:Ryan_Dewhurst|Ryan Dewhurst]] 

= Related articles =

OWASP [[:Category:OWASP Testing Project|Testing Guide]]

Mozilla [https://wiki.mozilla.org/WebAppSec/Web_Security_Verification Web Security Verification]

{{Cheatsheet_Navigation}}

[[Category:Cheatsheets]] [[Category:OWASP_Breakers]]

Web Application Security Testing Cheat Sheet

2015-09-01T18:41:41Z

Raesene: /* Error Handling */

= DRAFT CHEAT SHEET - WORK IN PROGRESS =

= Introduction =

This cheat sheet provides a checklist of tasks to be performed when performing a blackbox security test of a web application.

= Purpose =

This checklist is intended to be used as an aide memoire for experienced pentesters and should be used in conjunction with the [[:Category:OWASP Testing Project|OWASP Testing Guide]]. It will be updated as the [[OWASP_Application_Testing_guide_v4|Testing Guide v4]] is progressed.

The intention is that this guide will be available as an XML document, with scripts that convert it into formats such as pdf, Media Wiki markup, HTML etc.

This will allow it to be consumed within security tools as well as being available in a format suitable for printing.

All feedback or offers of help will be appreciated - and if you have specific chances you think should be made, just get stuck in.

= The Checklist =

== Information Gathering ==
* Manually explore the site
* [[Testing:_Spidering_and_googling | Spider/crawl]] for missed or hidden content
* [[Review_Webserver_Metafiles_for_Information_Leakage_(OTG-INFO-003)|Check the Webserver Metafiles]] for information leakage files that expose content, such as robots.txt, sitemap.xml, .DS_Store
* Check the caches of major search engines for publicly accessible sites
* Check for differences in content based on User Agent (eg, Mobile sites, access as a Search engine Crawler)
* [[Review_webpage_comments_and_metadata_for_information_leakage_(OTG-INFO-005) | Check The Webpage Comments and Metadata for Information Leakage]]
* [[Fingerprint_Web_Application_Framework_(OTG-INFO-008) | Check The Web Application Framework]]
* [[Fingerprint_Web_Server_(OTG-INFO-002)|Perform Web Application Fingerprinting]]
* Identify technologies used
* Identify user roles
* [[Identify_application_entry_points_(OTG-INFO-006) | Identify application entry points]]
* Identify client-side code
* Identify multiple versions/channels (e.g. web, mobile web, mobile app, web services)
* Identify co-hosted and related applications
* Identify all hostnames and ports
* Identify third-party hosted content

== Configuration Management ==
* Check for commonly used application and administrative URLs
* Check for old, backup and unreferenced files
* Check HTTP methods supported and Cross Site Tracing (XST)
* Test file extensions handling
* Test RIA cross domain policy
* Test for security HTTP headers (e.g. CSP, X-Frame-Options, HSTS)
* Test for policies (e.g. Flash, Silverlight, robots)
* Test for non-production data in live environment, and vice-versa
* Check for sensitive data in client-side code (e.g. API keys, credentials)

== Secure Transmission ==
* Check SSL Version, Algorithms, Key length
* Check for Digital Certificate Validity (Duration, Signature and CN)
* Check credentials only delivered over HTTPS
* Check that the login form is delivered over HTTPS
* Check session tokens only delivered over HTTPS
* Check if HTTP Strict Transport Security (HSTS) in use

== Authentication ==
* Test for user enumeration
* Test for authentication bypass
* Test for brute force protection
* Test for Credentials Transported over an Encrypted Channel
* Test password quality rules
* Test remember me functionality
* Test for autocomplete on password forms/input
* Test password reset and/or recovery
* Test password change process
* Test CAPTCHA
* Test multi factor authentication
* Test for logout functionality presence
* Test for cache management on HTTP (eg Pragma, Expires, Max-age)
* Test for default logins
* Test for user-accessible authentication history
* Test for out-of channel notification of account lockouts and successful password changes
* Test for consistent authentication across applications with shared authentication schema / SSO and alternative channels
* Test for Weak security question/answer

== Session Management ==
* Establish how session management is handled in the application (eg, tokens in cookies, token in URL)
* Check session tokens for cookie flags (httpOnly and secure)
* Check session cookie scope (path and domain)
* Check session cookie duration (expires and max-age)
* Check session termination after a maximum lifetime
* Check session termination after relative timeout
* Check session termination after logout
* Test to see if users can have multiple simultaneous sessions
* Test session cookies for randomness
* Confirm that new session tokens are issued on login, role change and logout
* Test for consistent session management across applications with shared session management
* Test for session puzzling
* Test for CSRF and clickjacking

== Authorization ==
* Test for path traversal
* Test for vertical Access control problems (a.k.a. Privilege Escalation)
* Test for horizontal Access control problems (between two users at the same privilege level)
* Test for missing authorisation
* Test for Insecure Direct Object References

== Data Validation ==
* Test for Reflected Cross Site Scripting
* Test for Stored Cross Site Scripting
* Test for DOM based Cross Site Scripting
* Test for Cross Site Flashing
* Test for HTML Injection
* Test for SQL Injection
* Test for LDAP Injection
* Test for ORM Injection
* Test for XML Injection
* Test for XXE Injection
* Test for SSI Injection
* Test for XPath Injection
* Test for XQuery Injection
* Test for IMAP/SMTP Injection
* Test for Code Injection
* Test for Expression Language Injection
* Test for Command Injection
* Test for Overflow (Stack, Heap and Integer)
* Test for Format String
* Test for incubated vulnerabilities
* Test for HTTP Splitting/Smuggling
* Test for HTTP Verb Tampering
* Test for Open Redirection
* Test for Local File Inclusion
* Test for Remote File Inclusion
* Compare client-side and server-side validation rules
* Test for NoSQL injection
* Test for HTTP parameter pollution
* Test for auto-binding
* Test for Mass Assignment
* Test for NULL/Invalid Session Cookie

== Denial of Service ==
* Test for anti-automation
* Test for account lockout
* Test for HTTP protocol DoS
* Test for SQL wildcard DoS

== Business Logic ==
* Test for feature misuse
* Test for lack of non-repudiation
* Test for trust relationships
* Test for integrity of data
* Test segregation of duties
* Test for Process Timing
* Test Number of Times a Function Can be Used Limits
* Test for the Circumvention of Work Flows
* Test Defenses Against Application Mis-use
* Test Upload of Unexpected File Types

== Cryptography ==
* [[Testing_for_Sensitive_information_sent_via_unencrypted_channels_(OTG-CRYPST-003)|Check if data which should be encrypted is not]]
* Check for wrong algorithms usage depending on context
* [[Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_(OTG-CRYPST-001)|Check for weak algorithms usage]]
* Check for proper use of salting
* Check for randomness functions

== Risky Functionality - File Uploads ==
* [[Test_Upload_of_Unexpected_File_Types_(OTG-BUSLOGIC-008)|Test that acceptable file types are whitelisted and non-whitelisted types are rejected]]
* Test that file size limits, upload frequency and total file counts are defined and are enforced
* Test that file contents match the defined file type
* [[Test_Upload_of_Malicious_Files_(OTG-BUSLOGIC-009)|Test that all file uploads have Anti-Virus scanning in-place.]]
* Test that unsafe filenames are sanitised
* Test that uploaded files are not directly accessible within the web root
* Test that uploaded files are not served on the same hostname/port
* Test that files and other media are integrated with the authentication and authorisation schemas

== Risky Functionality - Card Payment ==
* Test for known vulnerabilities and configuration issues on Web Server and Web Application
* Test for default or guessable password
* Test for non-production data in live environment, and vice-versa
* Test for Injection vulnerabilities
* Test for Buffer Overflows
* Test for Insecure Cryptographic Storage
* Test for Insufficient Transport Layer Protection
* Test for Improper Error Handling
* Test for all vulnerabilities with a CVSS v2 score > 4.0
* Test for Authentication and Authorization issues
* Test for CSRF

== HTML 5==
* Test Web Messaging
* Test for Web Storage SQL injection
* Check CORS implementation
* Check Offline Web Application

== Error Handling==
* [[Testing_for_Error_Code_(OTG-ERR-001)|Check for Error Codes]]
* [[Testing_for_Stack_Traces_(OTG-ERR-002)|Check for Stack Traces]]

= Other Formats =

* DradisPro template format [https://github.com/raesene/OWASP_Web_App_Testing_Cheatsheet_Converter/blob/master/OWASP_Web_Application_Testing_Cheat_Sheet.xml on github]
* Asana template on [http://templana.com/templates/owasp-website-security-checklist/ Templana] (thanks to Bastien Siebman)

= Authors and primary contributors =

[[User:Simon Bennetts|Simon Bennetts]] 
[[User:Raesene|Rory McCune]] 
Colin Watson 
Simone Onofri 
[[User:Amro_Ahmed|Amro AlOlaqi]]

All the authors of the Testing Guide v3

= Other Contributors =

[[User:Ryan_Dewhurst|Ryan Dewhurst]] 

= Related articles =

OWASP [[:Category:OWASP Testing Project|Testing Guide]]

Mozilla [https://wiki.mozilla.org/WebAppSec/Web_Security_Verification Web Security Verification]

{{Cheatsheet_Navigation}}

[[Category:Cheatsheets]] [[Category:OWASP_Breakers]]

Web Application Security Testing Cheat Sheet

2015-09-01T18:40:55Z

Raesene: /* Cryptography */

= DRAFT CHEAT SHEET - WORK IN PROGRESS =

= Introduction =

This cheat sheet provides a checklist of tasks to be performed when performing a blackbox security test of a web application.

= Purpose =

This checklist is intended to be used as an aide memoire for experienced pentesters and should be used in conjunction with the [[:Category:OWASP Testing Project|OWASP Testing Guide]]. It will be updated as the [[OWASP_Application_Testing_guide_v4|Testing Guide v4]] is progressed.

The intention is that this guide will be available as an XML document, with scripts that convert it into formats such as pdf, Media Wiki markup, HTML etc.

This will allow it to be consumed within security tools as well as being available in a format suitable for printing.

All feedback or offers of help will be appreciated - and if you have specific chances you think should be made, just get stuck in.

= The Checklist =

== Information Gathering ==
* Manually explore the site
* [[Testing:_Spidering_and_googling | Spider/crawl]] for missed or hidden content
* [[Review_Webserver_Metafiles_for_Information_Leakage_(OTG-INFO-003)|Check the Webserver Metafiles]] for information leakage files that expose content, such as robots.txt, sitemap.xml, .DS_Store
* Check the caches of major search engines for publicly accessible sites
* Check for differences in content based on User Agent (eg, Mobile sites, access as a Search engine Crawler)
* [[Review_webpage_comments_and_metadata_for_information_leakage_(OTG-INFO-005) | Check The Webpage Comments and Metadata for Information Leakage]]
* [[Fingerprint_Web_Application_Framework_(OTG-INFO-008) | Check The Web Application Framework]]
* [[Fingerprint_Web_Server_(OTG-INFO-002)|Perform Web Application Fingerprinting]]
* Identify technologies used
* Identify user roles
* [[Identify_application_entry_points_(OTG-INFO-006) | Identify application entry points]]
* Identify client-side code
* Identify multiple versions/channels (e.g. web, mobile web, mobile app, web services)
* Identify co-hosted and related applications
* Identify all hostnames and ports
* Identify third-party hosted content

== Configuration Management ==
* Check for commonly used application and administrative URLs
* Check for old, backup and unreferenced files
* Check HTTP methods supported and Cross Site Tracing (XST)
* Test file extensions handling
* Test RIA cross domain policy
* Test for security HTTP headers (e.g. CSP, X-Frame-Options, HSTS)
* Test for policies (e.g. Flash, Silverlight, robots)
* Test for non-production data in live environment, and vice-versa
* Check for sensitive data in client-side code (e.g. API keys, credentials)

== Secure Transmission ==
* Check SSL Version, Algorithms, Key length
* Check for Digital Certificate Validity (Duration, Signature and CN)
* Check credentials only delivered over HTTPS
* Check that the login form is delivered over HTTPS
* Check session tokens only delivered over HTTPS
* Check if HTTP Strict Transport Security (HSTS) in use

== Authentication ==
* Test for user enumeration
* Test for authentication bypass
* Test for brute force protection
* Test for Credentials Transported over an Encrypted Channel
* Test password quality rules
* Test remember me functionality
* Test for autocomplete on password forms/input
* Test password reset and/or recovery
* Test password change process
* Test CAPTCHA
* Test multi factor authentication
* Test for logout functionality presence
* Test for cache management on HTTP (eg Pragma, Expires, Max-age)
* Test for default logins
* Test for user-accessible authentication history
* Test for out-of channel notification of account lockouts and successful password changes
* Test for consistent authentication across applications with shared authentication schema / SSO and alternative channels
* Test for Weak security question/answer

== Session Management ==
* Establish how session management is handled in the application (eg, tokens in cookies, token in URL)
* Check session tokens for cookie flags (httpOnly and secure)
* Check session cookie scope (path and domain)
* Check session cookie duration (expires and max-age)
* Check session termination after a maximum lifetime
* Check session termination after relative timeout
* Check session termination after logout
* Test to see if users can have multiple simultaneous sessions
* Test session cookies for randomness
* Confirm that new session tokens are issued on login, role change and logout
* Test for consistent session management across applications with shared session management
* Test for session puzzling
* Test for CSRF and clickjacking

== Authorization ==
* Test for path traversal
* Test for vertical Access control problems (a.k.a. Privilege Escalation)
* Test for horizontal Access control problems (between two users at the same privilege level)
* Test for missing authorisation
* Test for Insecure Direct Object References

== Data Validation ==
* Test for Reflected Cross Site Scripting
* Test for Stored Cross Site Scripting
* Test for DOM based Cross Site Scripting
* Test for Cross Site Flashing
* Test for HTML Injection
* Test for SQL Injection
* Test for LDAP Injection
* Test for ORM Injection
* Test for XML Injection
* Test for XXE Injection
* Test for SSI Injection
* Test for XPath Injection
* Test for XQuery Injection
* Test for IMAP/SMTP Injection
* Test for Code Injection
* Test for Expression Language Injection
* Test for Command Injection
* Test for Overflow (Stack, Heap and Integer)
* Test for Format String
* Test for incubated vulnerabilities
* Test for HTTP Splitting/Smuggling
* Test for HTTP Verb Tampering
* Test for Open Redirection
* Test for Local File Inclusion
* Test for Remote File Inclusion
* Compare client-side and server-side validation rules
* Test for NoSQL injection
* Test for HTTP parameter pollution
* Test for auto-binding
* Test for Mass Assignment
* Test for NULL/Invalid Session Cookie

== Denial of Service ==
* Test for anti-automation
* Test for account lockout
* Test for HTTP protocol DoS
* Test for SQL wildcard DoS

== Business Logic ==
* Test for feature misuse
* Test for lack of non-repudiation
* Test for trust relationships
* Test for integrity of data
* Test segregation of duties
* Test for Process Timing
* Test Number of Times a Function Can be Used Limits
* Test for the Circumvention of Work Flows
* Test Defenses Against Application Mis-use
* Test Upload of Unexpected File Types

== Cryptography ==
* [[Testing_for_Sensitive_information_sent_via_unencrypted_channels_(OTG-CRYPST-003)|Check if data which should be encrypted is not]]
* Check for wrong algorithms usage depending on context
* [[Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_(OTG-CRYPST-001)|Check for weak algorithms usage]]
* Check for proper use of salting
* Check for randomness functions

== Risky Functionality - File Uploads ==
* [[Test_Upload_of_Unexpected_File_Types_(OTG-BUSLOGIC-008)|Test that acceptable file types are whitelisted and non-whitelisted types are rejected]]
* Test that file size limits, upload frequency and total file counts are defined and are enforced
* Test that file contents match the defined file type
* [[Test_Upload_of_Malicious_Files_(OTG-BUSLOGIC-009)|Test that all file uploads have Anti-Virus scanning in-place.]]
* Test that unsafe filenames are sanitised
* Test that uploaded files are not directly accessible within the web root
* Test that uploaded files are not served on the same hostname/port
* Test that files and other media are integrated with the authentication and authorisation schemas

== Risky Functionality - Card Payment ==
* Test for known vulnerabilities and configuration issues on Web Server and Web Application
* Test for default or guessable password
* Test for non-production data in live environment, and vice-versa
* Test for Injection vulnerabilities
* Test for Buffer Overflows
* Test for Insecure Cryptographic Storage
* Test for Insufficient Transport Layer Protection
* Test for Improper Error Handling
* Test for all vulnerabilities with a CVSS v2 score > 4.0
* Test for Authentication and Authorization issues
* Test for CSRF

== HTML 5==
* Test Web Messaging
* Test for Web Storage SQL injection
* Check CORS implementation
* Check Offline Web Application

== Error Handling==
* Check for Error Codes
* Check for Stack Traces

= Other Formats =

* DradisPro template format [https://github.com/raesene/OWASP_Web_App_Testing_Cheatsheet_Converter/blob/master/OWASP_Web_Application_Testing_Cheat_Sheet.xml on github]
* Asana template on [http://templana.com/templates/owasp-website-security-checklist/ Templana] (thanks to Bastien Siebman)

= Authors and primary contributors =

[[User:Simon Bennetts|Simon Bennetts]] 
[[User:Raesene|Rory McCune]] 
Colin Watson 
Simone Onofri 
[[User:Amro_Ahmed|Amro AlOlaqi]]

All the authors of the Testing Guide v3

= Other Contributors =

[[User:Ryan_Dewhurst|Ryan Dewhurst]] 

= Related articles =

OWASP [[:Category:OWASP Testing Project|Testing Guide]]

Mozilla [https://wiki.mozilla.org/WebAppSec/Web_Security_Verification Web Security Verification]

{{Cheatsheet_Navigation}}

[[Category:Cheatsheets]] [[Category:OWASP_Breakers]]

Web Application Security Testing Cheat Sheet

2015-09-01T18:39:44Z

Raesene: /* Cryptography */

= DRAFT CHEAT SHEET - WORK IN PROGRESS =

= Introduction =

This cheat sheet provides a checklist of tasks to be performed when performing a blackbox security test of a web application.

= Purpose =

This checklist is intended to be used as an aide memoire for experienced pentesters and should be used in conjunction with the [[:Category:OWASP Testing Project|OWASP Testing Guide]]. It will be updated as the [[OWASP_Application_Testing_guide_v4|Testing Guide v4]] is progressed.

The intention is that this guide will be available as an XML document, with scripts that convert it into formats such as pdf, Media Wiki markup, HTML etc.

This will allow it to be consumed within security tools as well as being available in a format suitable for printing.

All feedback or offers of help will be appreciated - and if you have specific chances you think should be made, just get stuck in.

= The Checklist =

== Information Gathering ==
* Manually explore the site
* [[Testing:_Spidering_and_googling | Spider/crawl]] for missed or hidden content
* [[Review_Webserver_Metafiles_for_Information_Leakage_(OTG-INFO-003)|Check the Webserver Metafiles]] for information leakage files that expose content, such as robots.txt, sitemap.xml, .DS_Store
* Check the caches of major search engines for publicly accessible sites
* Check for differences in content based on User Agent (eg, Mobile sites, access as a Search engine Crawler)
* [[Review_webpage_comments_and_metadata_for_information_leakage_(OTG-INFO-005) | Check The Webpage Comments and Metadata for Information Leakage]]
* [[Fingerprint_Web_Application_Framework_(OTG-INFO-008) | Check The Web Application Framework]]
* [[Fingerprint_Web_Server_(OTG-INFO-002)|Perform Web Application Fingerprinting]]
* Identify technologies used
* Identify user roles
* [[Identify_application_entry_points_(OTG-INFO-006) | Identify application entry points]]
* Identify client-side code
* Identify multiple versions/channels (e.g. web, mobile web, mobile app, web services)
* Identify co-hosted and related applications
* Identify all hostnames and ports
* Identify third-party hosted content

== Configuration Management ==
* Check for commonly used application and administrative URLs
* Check for old, backup and unreferenced files
* Check HTTP methods supported and Cross Site Tracing (XST)
* Test file extensions handling
* Test RIA cross domain policy
* Test for security HTTP headers (e.g. CSP, X-Frame-Options, HSTS)
* Test for policies (e.g. Flash, Silverlight, robots)
* Test for non-production data in live environment, and vice-versa
* Check for sensitive data in client-side code (e.g. API keys, credentials)

== Secure Transmission ==
* Check SSL Version, Algorithms, Key length
* Check for Digital Certificate Validity (Duration, Signature and CN)
* Check credentials only delivered over HTTPS
* Check that the login form is delivered over HTTPS
* Check session tokens only delivered over HTTPS
* Check if HTTP Strict Transport Security (HSTS) in use

== Authentication ==
* Test for user enumeration
* Test for authentication bypass
* Test for brute force protection
* Test for Credentials Transported over an Encrypted Channel
* Test password quality rules
* Test remember me functionality
* Test for autocomplete on password forms/input
* Test password reset and/or recovery
* Test password change process
* Test CAPTCHA
* Test multi factor authentication
* Test for logout functionality presence
* Test for cache management on HTTP (eg Pragma, Expires, Max-age)
* Test for default logins
* Test for user-accessible authentication history
* Test for out-of channel notification of account lockouts and successful password changes
* Test for consistent authentication across applications with shared authentication schema / SSO and alternative channels
* Test for Weak security question/answer

== Session Management ==
* Establish how session management is handled in the application (eg, tokens in cookies, token in URL)
* Check session tokens for cookie flags (httpOnly and secure)
* Check session cookie scope (path and domain)
* Check session cookie duration (expires and max-age)
* Check session termination after a maximum lifetime
* Check session termination after relative timeout
* Check session termination after logout
* Test to see if users can have multiple simultaneous sessions
* Test session cookies for randomness
* Confirm that new session tokens are issued on login, role change and logout
* Test for consistent session management across applications with shared session management
* Test for session puzzling
* Test for CSRF and clickjacking

== Authorization ==
* Test for path traversal
* Test for vertical Access control problems (a.k.a. Privilege Escalation)
* Test for horizontal Access control problems (between two users at the same privilege level)
* Test for missing authorisation
* Test for Insecure Direct Object References

== Data Validation ==
* Test for Reflected Cross Site Scripting
* Test for Stored Cross Site Scripting
* Test for DOM based Cross Site Scripting
* Test for Cross Site Flashing
* Test for HTML Injection
* Test for SQL Injection
* Test for LDAP Injection
* Test for ORM Injection
* Test for XML Injection
* Test for XXE Injection
* Test for SSI Injection
* Test for XPath Injection
* Test for XQuery Injection
* Test for IMAP/SMTP Injection
* Test for Code Injection
* Test for Expression Language Injection
* Test for Command Injection
* Test for Overflow (Stack, Heap and Integer)
* Test for Format String
* Test for incubated vulnerabilities
* Test for HTTP Splitting/Smuggling
* Test for HTTP Verb Tampering
* Test for Open Redirection
* Test for Local File Inclusion
* Test for Remote File Inclusion
* Compare client-side and server-side validation rules
* Test for NoSQL injection
* Test for HTTP parameter pollution
* Test for auto-binding
* Test for Mass Assignment
* Test for NULL/Invalid Session Cookie

== Denial of Service ==
* Test for anti-automation
* Test for account lockout
* Test for HTTP protocol DoS
* Test for SQL wildcard DoS

== Business Logic ==
* Test for feature misuse
* Test for lack of non-repudiation
* Test for trust relationships
* Test for integrity of data
* Test segregation of duties
* Test for Process Timing
* Test Number of Times a Function Can be Used Limits
* Test for the Circumvention of Work Flows
* Test Defenses Against Application Mis-use
* Test Upload of Unexpected File Types

== Cryptography ==
* [[Testing_for_Sensitive_information_sent_via_unencrypted_channels_(OTG-CRYPST-003)|Check if data which should be encrypted is not]]
* Check for wrong algorithms usage depending on context
* [[TLS_Ciphers,_Insufficient_Transport_Layer_Protection_(OTG-CRYPST-001)|Check for weak algorithms usage]]
* Check for proper use of salting
* Check for randomness functions

== Risky Functionality - File Uploads ==
* [[Test_Upload_of_Unexpected_File_Types_(OTG-BUSLOGIC-008)|Test that acceptable file types are whitelisted and non-whitelisted types are rejected]]
* Test that file size limits, upload frequency and total file counts are defined and are enforced
* Test that file contents match the defined file type
* [[Test_Upload_of_Malicious_Files_(OTG-BUSLOGIC-009)|Test that all file uploads have Anti-Virus scanning in-place.]]
* Test that unsafe filenames are sanitised
* Test that uploaded files are not directly accessible within the web root
* Test that uploaded files are not served on the same hostname/port
* Test that files and other media are integrated with the authentication and authorisation schemas

== Risky Functionality - Card Payment ==
* Test for known vulnerabilities and configuration issues on Web Server and Web Application
* Test for default or guessable password
* Test for non-production data in live environment, and vice-versa
* Test for Injection vulnerabilities
* Test for Buffer Overflows
* Test for Insecure Cryptographic Storage
* Test for Insufficient Transport Layer Protection
* Test for Improper Error Handling
* Test for all vulnerabilities with a CVSS v2 score > 4.0
* Test for Authentication and Authorization issues
* Test for CSRF

== HTML 5==
* Test Web Messaging
* Test for Web Storage SQL injection
* Check CORS implementation
* Check Offline Web Application

== Error Handling==
* Check for Error Codes
* Check for Stack Traces

= Other Formats =

* DradisPro template format [https://github.com/raesene/OWASP_Web_App_Testing_Cheatsheet_Converter/blob/master/OWASP_Web_Application_Testing_Cheat_Sheet.xml on github]
* Asana template on [http://templana.com/templates/owasp-website-security-checklist/ Templana] (thanks to Bastien Siebman)

= Authors and primary contributors =

[[User:Simon Bennetts|Simon Bennetts]] 
[[User:Raesene|Rory McCune]] 
Colin Watson 
Simone Onofri 
[[User:Amro_Ahmed|Amro AlOlaqi]]

All the authors of the Testing Guide v3

= Other Contributors =

[[User:Ryan_Dewhurst|Ryan Dewhurst]] 

= Related articles =

OWASP [[:Category:OWASP Testing Project|Testing Guide]]

Mozilla [https://wiki.mozilla.org/WebAppSec/Web_Security_Verification Web Security Verification]

{{Cheatsheet_Navigation}}

[[Category:Cheatsheets]] [[Category:OWASP_Breakers]]

Web Application Security Testing Cheat Sheet

2015-09-01T18:38:55Z

Raesene: /* Cryptography */

= DRAFT CHEAT SHEET - WORK IN PROGRESS =

= Introduction =

This cheat sheet provides a checklist of tasks to be performed when performing a blackbox security test of a web application.

= Purpose =

This checklist is intended to be used as an aide memoire for experienced pentesters and should be used in conjunction with the [[:Category:OWASP Testing Project|OWASP Testing Guide]]. It will be updated as the [[OWASP_Application_Testing_guide_v4|Testing Guide v4]] is progressed.

The intention is that this guide will be available as an XML document, with scripts that convert it into formats such as pdf, Media Wiki markup, HTML etc.

This will allow it to be consumed within security tools as well as being available in a format suitable for printing.

All feedback or offers of help will be appreciated - and if you have specific chances you think should be made, just get stuck in.

= The Checklist =

== Information Gathering ==
* Manually explore the site
* [[Testing:_Spidering_and_googling | Spider/crawl]] for missed or hidden content
* [[Review_Webserver_Metafiles_for_Information_Leakage_(OTG-INFO-003)|Check the Webserver Metafiles]] for information leakage files that expose content, such as robots.txt, sitemap.xml, .DS_Store
* Check the caches of major search engines for publicly accessible sites
* Check for differences in content based on User Agent (eg, Mobile sites, access as a Search engine Crawler)
* [[Review_webpage_comments_and_metadata_for_information_leakage_(OTG-INFO-005) | Check The Webpage Comments and Metadata for Information Leakage]]
* [[Fingerprint_Web_Application_Framework_(OTG-INFO-008) | Check The Web Application Framework]]
* [[Fingerprint_Web_Server_(OTG-INFO-002)|Perform Web Application Fingerprinting]]
* Identify technologies used
* Identify user roles
* [[Identify_application_entry_points_(OTG-INFO-006) | Identify application entry points]]
* Identify client-side code
* Identify multiple versions/channels (e.g. web, mobile web, mobile app, web services)
* Identify co-hosted and related applications
* Identify all hostnames and ports
* Identify third-party hosted content

== Configuration Management ==
* Check for commonly used application and administrative URLs
* Check for old, backup and unreferenced files
* Check HTTP methods supported and Cross Site Tracing (XST)
* Test file extensions handling
* Test RIA cross domain policy
* Test for security HTTP headers (e.g. CSP, X-Frame-Options, HSTS)
* Test for policies (e.g. Flash, Silverlight, robots)
* Test for non-production data in live environment, and vice-versa
* Check for sensitive data in client-side code (e.g. API keys, credentials)

== Secure Transmission ==
* Check SSL Version, Algorithms, Key length
* Check for Digital Certificate Validity (Duration, Signature and CN)
* Check credentials only delivered over HTTPS
* Check that the login form is delivered over HTTPS
* Check session tokens only delivered over HTTPS
* Check if HTTP Strict Transport Security (HSTS) in use

== Authentication ==
* Test for user enumeration
* Test for authentication bypass
* Test for brute force protection
* Test for Credentials Transported over an Encrypted Channel
* Test password quality rules
* Test remember me functionality
* Test for autocomplete on password forms/input
* Test password reset and/or recovery
* Test password change process
* Test CAPTCHA
* Test multi factor authentication
* Test for logout functionality presence
* Test for cache management on HTTP (eg Pragma, Expires, Max-age)
* Test for default logins
* Test for user-accessible authentication history
* Test for out-of channel notification of account lockouts and successful password changes
* Test for consistent authentication across applications with shared authentication schema / SSO and alternative channels
* Test for Weak security question/answer

== Session Management ==
* Establish how session management is handled in the application (eg, tokens in cookies, token in URL)
* Check session tokens for cookie flags (httpOnly and secure)
* Check session cookie scope (path and domain)
* Check session cookie duration (expires and max-age)
* Check session termination after a maximum lifetime
* Check session termination after relative timeout
* Check session termination after logout
* Test to see if users can have multiple simultaneous sessions
* Test session cookies for randomness
* Confirm that new session tokens are issued on login, role change and logout
* Test for consistent session management across applications with shared session management
* Test for session puzzling
* Test for CSRF and clickjacking

== Authorization ==
* Test for path traversal
* Test for vertical Access control problems (a.k.a. Privilege Escalation)
* Test for horizontal Access control problems (between two users at the same privilege level)
* Test for missing authorisation
* Test for Insecure Direct Object References

== Data Validation ==
* Test for Reflected Cross Site Scripting
* Test for Stored Cross Site Scripting
* Test for DOM based Cross Site Scripting
* Test for Cross Site Flashing
* Test for HTML Injection
* Test for SQL Injection
* Test for LDAP Injection
* Test for ORM Injection
* Test for XML Injection
* Test for XXE Injection
* Test for SSI Injection
* Test for XPath Injection
* Test for XQuery Injection
* Test for IMAP/SMTP Injection
* Test for Code Injection
* Test for Expression Language Injection
* Test for Command Injection
* Test for Overflow (Stack, Heap and Integer)
* Test for Format String
* Test for incubated vulnerabilities
* Test for HTTP Splitting/Smuggling
* Test for HTTP Verb Tampering
* Test for Open Redirection
* Test for Local File Inclusion
* Test for Remote File Inclusion
* Compare client-side and server-side validation rules
* Test for NoSQL injection
* Test for HTTP parameter pollution
* Test for auto-binding
* Test for Mass Assignment
* Test for NULL/Invalid Session Cookie

== Denial of Service ==
* Test for anti-automation
* Test for account lockout
* Test for HTTP protocol DoS
* Test for SQL wildcard DoS

== Business Logic ==
* Test for feature misuse
* Test for lack of non-repudiation
* Test for trust relationships
* Test for integrity of data
* Test segregation of duties
* Test for Process Timing
* Test Number of Times a Function Can be Used Limits
* Test for the Circumvention of Work Flows
* Test Defenses Against Application Mis-use
* Test Upload of Unexpected File Types

== Cryptography ==
* [[Testing_for_Sensitive_information_sent_via_unencrypted_channels_(OTG-CRYPST-003)|Check if data which should be encrypted is not]]
* Check for wrong algorithms usage depending on context
* Check for weak algorithms usage
* Check for proper use of salting
* Check for randomness functions

== Risky Functionality - File Uploads ==
* [[Test_Upload_of_Unexpected_File_Types_(OTG-BUSLOGIC-008)|Test that acceptable file types are whitelisted and non-whitelisted types are rejected]]
* Test that file size limits, upload frequency and total file counts are defined and are enforced
* Test that file contents match the defined file type
* [[Test_Upload_of_Malicious_Files_(OTG-BUSLOGIC-009)|Test that all file uploads have Anti-Virus scanning in-place.]]
* Test that unsafe filenames are sanitised
* Test that uploaded files are not directly accessible within the web root
* Test that uploaded files are not served on the same hostname/port
* Test that files and other media are integrated with the authentication and authorisation schemas

== Risky Functionality - Card Payment ==
* Test for known vulnerabilities and configuration issues on Web Server and Web Application
* Test for default or guessable password
* Test for non-production data in live environment, and vice-versa
* Test for Injection vulnerabilities
* Test for Buffer Overflows
* Test for Insecure Cryptographic Storage
* Test for Insufficient Transport Layer Protection
* Test for Improper Error Handling
* Test for all vulnerabilities with a CVSS v2 score > 4.0
* Test for Authentication and Authorization issues
* Test for CSRF

== HTML 5==
* Test Web Messaging
* Test for Web Storage SQL injection
* Check CORS implementation
* Check Offline Web Application

== Error Handling==
* Check for Error Codes
* Check for Stack Traces

= Other Formats =

* DradisPro template format [https://github.com/raesene/OWASP_Web_App_Testing_Cheatsheet_Converter/blob/master/OWASP_Web_Application_Testing_Cheat_Sheet.xml on github]
* Asana template on [http://templana.com/templates/owasp-website-security-checklist/ Templana] (thanks to Bastien Siebman)

= Authors and primary contributors =

[[User:Simon Bennetts|Simon Bennetts]] 
[[User:Raesene|Rory McCune]] 
Colin Watson 
Simone Onofri 
[[User:Amro_Ahmed|Amro AlOlaqi]]

All the authors of the Testing Guide v3

= Other Contributors =

[[User:Ryan_Dewhurst|Ryan Dewhurst]] 

= Related articles =

OWASP [[:Category:OWASP Testing Project|Testing Guide]]

Mozilla [https://wiki.mozilla.org/WebAppSec/Web_Security_Verification Web Security Verification]

{{Cheatsheet_Navigation}}

[[Category:Cheatsheets]] [[Category:OWASP_Breakers]]

Web Application Security Testing Cheat Sheet

2015-09-01T18:38:22Z

Raesene: /* Cryptography */

= DRAFT CHEAT SHEET - WORK IN PROGRESS =

= Introduction =

This cheat sheet provides a checklist of tasks to be performed when performing a blackbox security test of a web application.

= Purpose =

This checklist is intended to be used as an aide memoire for experienced pentesters and should be used in conjunction with the [[:Category:OWASP Testing Project|OWASP Testing Guide]]. It will be updated as the [[OWASP_Application_Testing_guide_v4|Testing Guide v4]] is progressed.

The intention is that this guide will be available as an XML document, with scripts that convert it into formats such as pdf, Media Wiki markup, HTML etc.

This will allow it to be consumed within security tools as well as being available in a format suitable for printing.

All feedback or offers of help will be appreciated - and if you have specific chances you think should be made, just get stuck in.

= The Checklist =

== Information Gathering ==
* Manually explore the site
* [[Testing:_Spidering_and_googling | Spider/crawl]] for missed or hidden content
* [[Review_Webserver_Metafiles_for_Information_Leakage_(OTG-INFO-003)|Check the Webserver Metafiles]] for information leakage files that expose content, such as robots.txt, sitemap.xml, .DS_Store
* Check the caches of major search engines for publicly accessible sites
* Check for differences in content based on User Agent (eg, Mobile sites, access as a Search engine Crawler)
* [[Review_webpage_comments_and_metadata_for_information_leakage_(OTG-INFO-005) | Check The Webpage Comments and Metadata for Information Leakage]]
* [[Fingerprint_Web_Application_Framework_(OTG-INFO-008) | Check The Web Application Framework]]
* [[Fingerprint_Web_Server_(OTG-INFO-002)|Perform Web Application Fingerprinting]]
* Identify technologies used
* Identify user roles
* [[Identify_application_entry_points_(OTG-INFO-006) | Identify application entry points]]
* Identify client-side code
* Identify multiple versions/channels (e.g. web, mobile web, mobile app, web services)
* Identify co-hosted and related applications
* Identify all hostnames and ports
* Identify third-party hosted content

== Configuration Management ==
* Check for commonly used application and administrative URLs
* Check for old, backup and unreferenced files
* Check HTTP methods supported and Cross Site Tracing (XST)
* Test file extensions handling
* Test RIA cross domain policy
* Test for security HTTP headers (e.g. CSP, X-Frame-Options, HSTS)
* Test for policies (e.g. Flash, Silverlight, robots)
* Test for non-production data in live environment, and vice-versa
* Check for sensitive data in client-side code (e.g. API keys, credentials)

== Secure Transmission ==
* Check SSL Version, Algorithms, Key length
* Check for Digital Certificate Validity (Duration, Signature and CN)
* Check credentials only delivered over HTTPS
* Check that the login form is delivered over HTTPS
* Check session tokens only delivered over HTTPS
* Check if HTTP Strict Transport Security (HSTS) in use

== Authentication ==
* Test for user enumeration
* Test for authentication bypass
* Test for brute force protection
* Test for Credentials Transported over an Encrypted Channel
* Test password quality rules
* Test remember me functionality
* Test for autocomplete on password forms/input
* Test password reset and/or recovery
* Test password change process
* Test CAPTCHA
* Test multi factor authentication
* Test for logout functionality presence
* Test for cache management on HTTP (eg Pragma, Expires, Max-age)
* Test for default logins
* Test for user-accessible authentication history
* Test for out-of channel notification of account lockouts and successful password changes
* Test for consistent authentication across applications with shared authentication schema / SSO and alternative channels
* Test for Weak security question/answer

== Session Management ==
* Establish how session management is handled in the application (eg, tokens in cookies, token in URL)
* Check session tokens for cookie flags (httpOnly and secure)
* Check session cookie scope (path and domain)
* Check session cookie duration (expires and max-age)
* Check session termination after a maximum lifetime
* Check session termination after relative timeout
* Check session termination after logout
* Test to see if users can have multiple simultaneous sessions
* Test session cookies for randomness
* Confirm that new session tokens are issued on login, role change and logout
* Test for consistent session management across applications with shared session management
* Test for session puzzling
* Test for CSRF and clickjacking

== Authorization ==
* Test for path traversal
* Test for vertical Access control problems (a.k.a. Privilege Escalation)
* Test for horizontal Access control problems (between two users at the same privilege level)
* Test for missing authorisation
* Test for Insecure Direct Object References

== Data Validation ==
* Test for Reflected Cross Site Scripting
* Test for Stored Cross Site Scripting
* Test for DOM based Cross Site Scripting
* Test for Cross Site Flashing
* Test for HTML Injection
* Test for SQL Injection
* Test for LDAP Injection
* Test for ORM Injection
* Test for XML Injection
* Test for XXE Injection
* Test for SSI Injection
* Test for XPath Injection
* Test for XQuery Injection
* Test for IMAP/SMTP Injection
* Test for Code Injection
* Test for Expression Language Injection
* Test for Command Injection
* Test for Overflow (Stack, Heap and Integer)
* Test for Format String
* Test for incubated vulnerabilities
* Test for HTTP Splitting/Smuggling
* Test for HTTP Verb Tampering
* Test for Open Redirection
* Test for Local File Inclusion
* Test for Remote File Inclusion
* Compare client-side and server-side validation rules
* Test for NoSQL injection
* Test for HTTP parameter pollution
* Test for auto-binding
* Test for Mass Assignment
* Test for NULL/Invalid Session Cookie

== Denial of Service ==
* Test for anti-automation
* Test for account lockout
* Test for HTTP protocol DoS
* Test for SQL wildcard DoS

== Business Logic ==
* Test for feature misuse
* Test for lack of non-repudiation
* Test for trust relationships
* Test for integrity of data
* Test segregation of duties
* Test for Process Timing
* Test Number of Times a Function Can be Used Limits
* Test for the Circumvention of Work Flows
* Test Defenses Against Application Mis-use
* Test Upload of Unexpected File Types

== Cryptography ==
* [[Check if data which should be encrypted is not|Testing_for_Sensitive_information_sent_via_unencrypted_channels_(OTG-CRYPST-003)]]
* Check for wrong algorithms usage depending on context
* Check for weak algorithms usage
* Check for proper use of salting
* Check for randomness functions

== Risky Functionality - File Uploads ==
* [[Test_Upload_of_Unexpected_File_Types_(OTG-BUSLOGIC-008)|Test that acceptable file types are whitelisted and non-whitelisted types are rejected]]
* Test that file size limits, upload frequency and total file counts are defined and are enforced
* Test that file contents match the defined file type
* [[Test_Upload_of_Malicious_Files_(OTG-BUSLOGIC-009)|Test that all file uploads have Anti-Virus scanning in-place.]]
* Test that unsafe filenames are sanitised
* Test that uploaded files are not directly accessible within the web root
* Test that uploaded files are not served on the same hostname/port
* Test that files and other media are integrated with the authentication and authorisation schemas

== Risky Functionality - Card Payment ==
* Test for known vulnerabilities and configuration issues on Web Server and Web Application
* Test for default or guessable password
* Test for non-production data in live environment, and vice-versa
* Test for Injection vulnerabilities
* Test for Buffer Overflows
* Test for Insecure Cryptographic Storage
* Test for Insufficient Transport Layer Protection
* Test for Improper Error Handling
* Test for all vulnerabilities with a CVSS v2 score > 4.0
* Test for Authentication and Authorization issues
* Test for CSRF

== HTML 5==
* Test Web Messaging
* Test for Web Storage SQL injection
* Check CORS implementation
* Check Offline Web Application

== Error Handling==
* Check for Error Codes
* Check for Stack Traces

= Other Formats =

* DradisPro template format [https://github.com/raesene/OWASP_Web_App_Testing_Cheatsheet_Converter/blob/master/OWASP_Web_Application_Testing_Cheat_Sheet.xml on github]
* Asana template on [http://templana.com/templates/owasp-website-security-checklist/ Templana] (thanks to Bastien Siebman)

= Authors and primary contributors =

[[User:Simon Bennetts|Simon Bennetts]] 
[[User:Raesene|Rory McCune]] 
Colin Watson 
Simone Onofri 
[[User:Amro_Ahmed|Amro AlOlaqi]]

All the authors of the Testing Guide v3

= Other Contributors =

[[User:Ryan_Dewhurst|Ryan Dewhurst]] 

= Related articles =

OWASP [[:Category:OWASP Testing Project|Testing Guide]]

Mozilla [https://wiki.mozilla.org/WebAppSec/Web_Security_Verification Web Security Verification]

{{Cheatsheet_Navigation}}

[[Category:Cheatsheets]] [[Category:OWASP_Breakers]]

User:Raesene

2015-09-01T18:35:38Z

Raesene: /* Rory McCune */

= Rory McCune =

I'm an IT Security professional based in Scotland. I've been in IT Security for over x years now, with the last x-5 focusing on penetration testing/ethical hacking.

Currently a managing consultant with a large provider of security testing services.

Any opinions expressed here are purely my own and not necessarily those of my employer.

* [http://security.stackexchange.com/users/37/r%D0%BEry-mccune Security StackExchange Profile]
* [https://twitter.com/raesene Twitter]
* [http://raesene.github.io/ Blog]

User:Raesene

2015-09-01T18:34:35Z

Raesene: /* Rory McCune */

= Rory McCune =

I'm an IT Security professional based in Scotland. I've been in IT Security for over x years now, with the last x-5 focusing on penetration testing/ethical hacking.

Currently a managing consultant with a large provider of security testing services.

Any opinions expressed here are purely my own and not necessarily those of my employer.

* [[http://security.stackexchange.com/users/37/r%D0%BEry-mccune|Security StackExchange Profile]]
* [[https://twitter.com/raesene|Twitter]]
* [[http://raesene.github.io/|Blog]]

Web Application Security Testing Cheat Sheet

2015-09-01T18:28:30Z

Raesene: /* Risky Functionality - File Uploads */

= DRAFT CHEAT SHEET - WORK IN PROGRESS =

= Introduction =

This cheat sheet provides a checklist of tasks to be performed when performing a blackbox security test of a web application.

= Purpose =

This checklist is intended to be used as an aide memoire for experienced pentesters and should be used in conjunction with the [[:Category:OWASP Testing Project|OWASP Testing Guide]]. It will be updated as the [[OWASP_Application_Testing_guide_v4|Testing Guide v4]] is progressed.

The intention is that this guide will be available as an XML document, with scripts that convert it into formats such as pdf, Media Wiki markup, HTML etc.

This will allow it to be consumed within security tools as well as being available in a format suitable for printing.

All feedback or offers of help will be appreciated - and if you have specific chances you think should be made, just get stuck in.

= The Checklist =

== Information Gathering ==
* Manually explore the site
* [[Testing:_Spidering_and_googling | Spider/crawl]] for missed or hidden content
* [[Review_Webserver_Metafiles_for_Information_Leakage_(OTG-INFO-003)|Check the Webserver Metafiles]] for information leakage files that expose content, such as robots.txt, sitemap.xml, .DS_Store
* Check the caches of major search engines for publicly accessible sites
* Check for differences in content based on User Agent (eg, Mobile sites, access as a Search engine Crawler)
* [[Review_webpage_comments_and_metadata_for_information_leakage_(OTG-INFO-005) | Check The Webpage Comments and Metadata for Information Leakage]]
* [[Fingerprint_Web_Application_Framework_(OTG-INFO-008) | Check The Web Application Framework]]
* [[Fingerprint_Web_Server_(OTG-INFO-002)|Perform Web Application Fingerprinting]]
* Identify technologies used
* Identify user roles
* Identify application entry points
* Identify client-side code
* Identify multiple versions/channels (e.g. web, mobile web, mobile app, web services)
* Identify co-hosted and related applications
* Identify all hostnames and ports
* Identify third-party hosted content

== Configuration Management ==
* Check for commonly used application and administrative URLs
* Check for old, backup and unreferenced files
* Check HTTP methods supported and Cross Site Tracing (XST)
* Test file extensions handling
* Test RIA cross domain policy
* Test for security HTTP headers (e.g. CSP, X-Frame-Options, HSTS)
* Test for policies (e.g. Flash, Silverlight, robots)
* Test for non-production data in live environment, and vice-versa
* Check for sensitive data in client-side code (e.g. API keys, credentials)

== Secure Transmission ==
* Check SSL Version, Algorithms, Key length
* Check for Digital Certificate Validity (Duration, Signature and CN)
* Check credentials only delivered over HTTPS
* Check that the login form is delivered over HTTPS
* Check session tokens only delivered over HTTPS
* Check if HTTP Strict Transport Security (HSTS) in use

== Authentication ==
* Test for user enumeration
* Test for authentication bypass
* Test for brute force protection
* Test for Credentials Transported over an Encrypted Channel
* Test password quality rules
* Test remember me functionality
* Test for autocomplete on password forms/input
* Test password reset and/or recovery
* Test password change process
* Test CAPTCHA
* Test multi factor authentication
* Test for logout functionality presence
* Test for cache management on HTTP (eg Pragma, Expires, Max-age)
* Test for default logins
* Test for user-accessible authentication history
* Test for out-of channel notification of account lockouts and successful password changes
* Test for consistent authentication across applications with shared authentication schema / SSO and alternative channels
* Test for Weak security question/answer

== Session Management ==
* Establish how session management is handled in the application (eg, tokens in cookies, token in URL)
* Check session tokens for cookie flags (httpOnly and secure)
* Check session cookie scope (path and domain)
* Check session cookie duration (expires and max-age)
* Check session termination after a maximum lifetime
* Check session termination after relative timeout
* Check session termination after logout
* Test to see if users can have multiple simultaneous sessions
* Test session cookies for randomness
* Confirm that new session tokens are issued on login, role change and logout
* Test for consistent session management across applications with shared session management
* Test for session puzzling
* Test for CSRF and clickjacking

== Authorization ==
* Test for path traversal
* Test for vertical Access control problems (a.k.a. Privilege Escalation)
* Test for horizontal Access control problems (between two users at the same privilege level)
* Test for missing authorisation
* Test for Insecure Direct Object References

== Data Validation ==
* Test for Reflected Cross Site Scripting
* Test for Stored Cross Site Scripting
* Test for DOM based Cross Site Scripting
* Test for Cross Site Flashing
* Test for HTML Injection
* Test for SQL Injection
* Test for LDAP Injection
* Test for ORM Injection
* Test for XML Injection
* Test for XXE Injection
* Test for SSI Injection
* Test for XPath Injection
* Test for XQuery Injection
* Test for IMAP/SMTP Injection
* Test for Code Injection
* Test for Expression Language Injection
* Test for Command Injection
* Test for Overflow (Stack, Heap and Integer)
* Test for Format String
* Test for incubated vulnerabilities
* Test for HTTP Splitting/Smuggling
* Test for HTTP Verb Tampering
* Test for Open Redirection
* Test for Local File Inclusion
* Test for Remote File Inclusion
* Compare client-side and server-side validation rules
* Test for NoSQL injection
* Test for HTTP parameter pollution
* Test for auto-binding
* Test for Mass Assignment
* Test for NULL/Invalid Session Cookie

== Denial of Service ==
* Test for anti-automation
* Test for account lockout
* Test for HTTP protocol DoS
* Test for SQL wildcard DoS

== Business Logic ==
* Test for feature misuse
* Test for lack of non-repudiation
* Test for trust relationships
* Test for integrity of data
* Test segregation of duties
* Test for Process Timing
* Test Number of Times a Function Can be Used Limits
* Test for the Circumvention of Work Flows
* Test Defenses Against Application Mis-use
* Test Upload of Unexpected File Types

== Cryptography ==
* Check if data which should be encrypted is not
* Check for wrong algorithms usage depending on context
* Check for weak algorithms usage
* Check for proper use of salting
* Check for randomness functions

== Risky Functionality - File Uploads ==
* [[Test_Upload_of_Unexpected_File_Types_(OTG-BUSLOGIC-008)|Test that acceptable file types are whitelisted and non-whitelisted types are rejected]]
* Test that file size limits, upload frequency and total file counts are defined and are enforced
* Test that file contents match the defined file type
* [[Test_Upload_of_Malicious_Files_(OTG-BUSLOGIC-009)|Test that all file uploads have Anti-Virus scanning in-place.]]
* Test that unsafe filenames are sanitised
* Test that uploaded files are not directly accessible within the web root
* Test that uploaded files are not served on the same hostname/port
* Test that files and other media are integrated with the authentication and authorisation schemas

== Risky Functionality - Card Payment ==
* Test for known vulnerabilities and configuration issues on Web Server and Web Application
* Test for default or guessable password
* Test for non-production data in live environment, and vice-versa
* Test for Injection vulnerabilities
* Test for Buffer Overflows
* Test for Insecure Cryptographic Storage
* Test for Insufficient Transport Layer Protection
* Test for Improper Error Handling
* Test for all vulnerabilities with a CVSS v2 score > 4.0
* Test for Authentication and Authorization issues
* Test for CSRF

== HTML 5==
* Test Web Messaging
* Test for Web Storage SQL injection
* Check CORS implementation
* Check Offline Web Application

== Error Handling==
* Check for Error Codes
* Check for Stack Traces

= Other Formats =

* DradisPro template format [https://github.com/raesene/OWASP_Web_App_Testing_Cheatsheet_Converter/blob/master/OWASP_Web_Application_Testing_Cheat_Sheet.xml on github]
* Asana template on [http://templana.com/templates/owasp-website-security-checklist/ Templana] (thanks to Bastien Siebman)

= Authors and primary contributors =

[[User:Simon Bennetts|Simon Bennetts]] 
[[User:Raesene|Rory McCune]] 
Colin Watson 
Simone Onofri 
[[User:Amro_Ahmed|Amro AlOlaqi]]

All the authors of the Testing Guide v3

= Other Contributors =

[[User:Ryan_Dewhurst|Ryan Dewhurst]] 

= Related articles =

OWASP [[:Category:OWASP Testing Project|Testing Guide]]

Mozilla [https://wiki.mozilla.org/WebAppSec/Web_Security_Verification Web Security Verification]

{{Cheatsheet_Navigation}}

[[Category:Cheatsheets]] [[Category:OWASP_Breakers]]

Web Application Security Testing Cheat Sheet

2015-09-01T18:26:17Z

Raesene: /* Risky Functionality - File Uploads */

= DRAFT CHEAT SHEET - WORK IN PROGRESS =

= Introduction =

This cheat sheet provides a checklist of tasks to be performed when performing a blackbox security test of a web application.

= Purpose =

This checklist is intended to be used as an aide memoire for experienced pentesters and should be used in conjunction with the [[:Category:OWASP Testing Project|OWASP Testing Guide]]. It will be updated as the [[OWASP_Application_Testing_guide_v4|Testing Guide v4]] is progressed.

The intention is that this guide will be available as an XML document, with scripts that convert it into formats such as pdf, Media Wiki markup, HTML etc.

This will allow it to be consumed within security tools as well as being available in a format suitable for printing.

All feedback or offers of help will be appreciated - and if you have specific chances you think should be made, just get stuck in.

= The Checklist =

== Information Gathering ==
* Manually explore the site
* [[Testing:_Spidering_and_googling | Spider/crawl]] for missed or hidden content
* [[Review_Webserver_Metafiles_for_Information_Leakage_(OTG-INFO-003)|Check the Webserver Metafiles]] for information leakage files that expose content, such as robots.txt, sitemap.xml, .DS_Store
* Check the caches of major search engines for publicly accessible sites
* Check for differences in content based on User Agent (eg, Mobile sites, access as a Search engine Crawler)
* [[Review_webpage_comments_and_metadata_for_information_leakage_(OTG-INFO-005) | Check The Webpage Comments and Metadata for Information Leakage]]
* [[Fingerprint_Web_Application_Framework_(OTG-INFO-008) | Check The Web Application Framework]]
* [[Fingerprint_Web_Server_(OTG-INFO-002)|Perform Web Application Fingerprinting]]
* Identify technologies used
* Identify user roles
* Identify application entry points
* Identify client-side code
* Identify multiple versions/channels (e.g. web, mobile web, mobile app, web services)
* Identify co-hosted and related applications
* Identify all hostnames and ports
* Identify third-party hosted content

== Configuration Management ==
* Check for commonly used application and administrative URLs
* Check for old, backup and unreferenced files
* Check HTTP methods supported and Cross Site Tracing (XST)
* Test file extensions handling
* Test RIA cross domain policy
* Test for security HTTP headers (e.g. CSP, X-Frame-Options, HSTS)
* Test for policies (e.g. Flash, Silverlight, robots)
* Test for non-production data in live environment, and vice-versa
* Check for sensitive data in client-side code (e.g. API keys, credentials)

== Secure Transmission ==
* Check SSL Version, Algorithms, Key length
* Check for Digital Certificate Validity (Duration, Signature and CN)
* Check credentials only delivered over HTTPS
* Check that the login form is delivered over HTTPS
* Check session tokens only delivered over HTTPS
* Check if HTTP Strict Transport Security (HSTS) in use

== Authentication ==
* Test for user enumeration
* Test for authentication bypass
* Test for brute force protection
* Test for Credentials Transported over an Encrypted Channel
* Test password quality rules
* Test remember me functionality
* Test for autocomplete on password forms/input
* Test password reset and/or recovery
* Test password change process
* Test CAPTCHA
* Test multi factor authentication
* Test for logout functionality presence
* Test for cache management on HTTP (eg Pragma, Expires, Max-age)
* Test for default logins
* Test for user-accessible authentication history
* Test for out-of channel notification of account lockouts and successful password changes
* Test for consistent authentication across applications with shared authentication schema / SSO and alternative channels
* Test for Weak security question/answer

== Session Management ==
* Establish how session management is handled in the application (eg, tokens in cookies, token in URL)
* Check session tokens for cookie flags (httpOnly and secure)
* Check session cookie scope (path and domain)
* Check session cookie duration (expires and max-age)
* Check session termination after a maximum lifetime
* Check session termination after relative timeout
* Check session termination after logout
* Test to see if users can have multiple simultaneous sessions
* Test session cookies for randomness
* Confirm that new session tokens are issued on login, role change and logout
* Test for consistent session management across applications with shared session management
* Test for session puzzling
* Test for CSRF and clickjacking

== Authorization ==
* Test for path traversal
* Test for vertical Access control problems (a.k.a. Privilege Escalation)
* Test for horizontal Access control problems (between two users at the same privilege level)
* Test for missing authorisation
* Test for Insecure Direct Object References

== Data Validation ==
* Test for Reflected Cross Site Scripting
* Test for Stored Cross Site Scripting
* Test for DOM based Cross Site Scripting
* Test for Cross Site Flashing
* Test for HTML Injection
* Test for SQL Injection
* Test for LDAP Injection
* Test for ORM Injection
* Test for XML Injection
* Test for XXE Injection
* Test for SSI Injection
* Test for XPath Injection
* Test for XQuery Injection
* Test for IMAP/SMTP Injection
* Test for Code Injection
* Test for Expression Language Injection
* Test for Command Injection
* Test for Overflow (Stack, Heap and Integer)
* Test for Format String
* Test for incubated vulnerabilities
* Test for HTTP Splitting/Smuggling
* Test for HTTP Verb Tampering
* Test for Open Redirection
* Test for Local File Inclusion
* Test for Remote File Inclusion
* Compare client-side and server-side validation rules
* Test for NoSQL injection
* Test for HTTP parameter pollution
* Test for auto-binding
* Test for Mass Assignment
* Test for NULL/Invalid Session Cookie

== Denial of Service ==
* Test for anti-automation
* Test for account lockout
* Test for HTTP protocol DoS
* Test for SQL wildcard DoS

== Business Logic ==
* Test for feature misuse
* Test for lack of non-repudiation
* Test for trust relationships
* Test for integrity of data
* Test segregation of duties
* Test for Process Timing
* Test Number of Times a Function Can be Used Limits
* Test for the Circumvention of Work Flows
* Test Defenses Against Application Mis-use
* Test Upload of Unexpected File Types

== Cryptography ==
* Check if data which should be encrypted is not
* Check for wrong algorithms usage depending on context
* Check for weak algorithms usage
* Check for proper use of salting
* Check for randomness functions

== Risky Functionality - File Uploads ==
* Test that acceptable file types are whitelisted
* Test that file size limits, upload frequency and total file counts are defined and are enforced
* Test that file contents match the defined file type
* [[Test_Upload_of_Malicious_Files_(OTG-BUSLOGIC-009)|Test that all file uploads have Anti-Virus scanning in-place.]]
* Test that unsafe filenames are sanitised
* Test that uploaded files are not directly accessible within the web root
* Test that uploaded files are not served on the same hostname/port
* Test that files and other media are integrated with the authentication and authorisation schemas

== Risky Functionality - Card Payment ==
* Test for known vulnerabilities and configuration issues on Web Server and Web Application
* Test for default or guessable password
* Test for non-production data in live environment, and vice-versa
* Test for Injection vulnerabilities
* Test for Buffer Overflows
* Test for Insecure Cryptographic Storage
* Test for Insufficient Transport Layer Protection
* Test for Improper Error Handling
* Test for all vulnerabilities with a CVSS v2 score > 4.0
* Test for Authentication and Authorization issues
* Test for CSRF

== HTML 5==
* Test Web Messaging
* Test for Web Storage SQL injection
* Check CORS implementation
* Check Offline Web Application

== Error Handling==
* Check for Error Codes
* Check for Stack Traces

= Other Formats =

* DradisPro template format [https://github.com/raesene/OWASP_Web_App_Testing_Cheatsheet_Converter/blob/master/OWASP_Web_Application_Testing_Cheat_Sheet.xml on github]
* Asana template on [http://templana.com/templates/owasp-website-security-checklist/ Templana] (thanks to Bastien Siebman)

= Authors and primary contributors =

[[User:Simon Bennetts|Simon Bennetts]] 
[[User:Raesene|Rory McCune]] 
Colin Watson 
Simone Onofri 
[[User:Amro_Ahmed|Amro AlOlaqi]]

All the authors of the Testing Guide v3

= Other Contributors =

[[User:Ryan_Dewhurst|Ryan Dewhurst]] 

= Related articles =

OWASP [[:Category:OWASP Testing Project|Testing Guide]]

Mozilla [https://wiki.mozilla.org/WebAppSec/Web_Security_Verification Web Security Verification]

{{Cheatsheet_Navigation}}

[[Category:Cheatsheets]] [[Category:OWASP_Breakers]]

Web Application Security Testing Cheat Sheet

2015-09-01T12:09:43Z

Raesene: /* Information Gathering */

= DRAFT CHEAT SHEET - WORK IN PROGRESS =

= Introduction =

This cheat sheet provides a checklist of tasks to be performed when performing a blackbox security test of a web application.

= Purpose =

This checklist is intended to be used as an aide memoire for experienced pentesters and should be used in conjunction with the [[:Category:OWASP Testing Project|OWASP Testing Guide]]. It will be updated as the [[OWASP_Application_Testing_guide_v4|Testing Guide v4]] is progressed.

The intention is that this guide will be available as an XML document, with scripts that convert it into formats such as pdf, Media Wiki markup, HTML etc.

This will allow it to be consumed within security tools as well as being available in a format suitable for printing.

All feedback or offers of help will be appreciated - and if you have specific chances you think should be made, just get stuck in.

= The Checklist =

== Information Gathering ==
* Manually explore the site
* Spider/crawl for missed or hidden content
* Check the Webserver Metafiles for information leakage files that expose content, such as robots.txt, sitemap.xml, .DS_Store
* Check the caches of major search engines for publicly accessible sites
* Check for differences in content based on User Agent (eg, Mobile sites, access as a Search engine Crawler)
* Check The Webpage Comments and Metadata for Information Leakage
* Check The Web Application Framework
* [[Fingerprint_Web_Server_(OTG-INFO-002)|Perform Web Application Fingerprinting]]
* Identify technologies used
* Identify user roles
* Identify application entry points
* Identify client-side code
* Identify multiple versions/channels (e.g. web, mobile web, mobile app, web services)
* Identify co-hosted and related applications
* Identify all hostnames and ports
* Identify third-party hosted content

== Configuration Management ==
* Check for commonly used application and administrative URLs
* Check for old, backup and unreferenced files
* Check HTTP methods supported and Cross Site Tracing (XST)
* Test file extensions handling
* Test RIA cross domain policy
* Test for security HTTP headers (e.g. CSP, X-Frame-Options, HSTS)
* Test for policies (e.g. Flash, Silverlight, robots)
* Test for non-production data in live environment, and vice-versa
* Check for sensitive data in client-side code (e.g. API keys, credentials)

== Secure Transmission ==
* Check SSL Version, Algorithms, Key length
* Check for Digital Certificate Validity (Duration, Signature and CN)
* Check credentials only delivered over HTTPS
* Check that the login form is delivered over HTTPS
* Check session tokens only delivered over HTTPS
* Check if HTTP Strict Transport Security (HSTS) in use

== Authentication ==
* Test for user enumeration
* Test for authentication bypass
* Test for brute force protection
* Test for Credentials Transported over an Encrypted Channel
* Test password quality rules
* Test remember me functionality
* Test for autocomplete on password forms/input
* Test password reset and/or recovery
* Test password change process
* Test CAPTCHA
* Test multi factor authentication
* Test for logout functionality presence
* Test for cache management on HTTP (eg Pragma, Expires, Max-age)
* Test for default logins
* Test for user-accessible authentication history
* Test for out-of channel notification of account lockouts and successful password changes
* Test for consistent authentication across applications with shared authentication schema / SSO and alternative channels
* Test for Weak security question/answer

== Session Management ==
* Establish how session management is handled in the application (eg, tokens in cookies, token in URL)
* Check session tokens for cookie flags (httpOnly and secure)
* Check session cookie scope (path and domain)
* Check session cookie duration (expires and max-age)
* Check session termination after a maximum lifetime
* Check session termination after relative timeout
* Check session termination after logout
* Test to see if users can have multiple simultaneous sessions
* Test session cookies for randomness
* Confirm that new session tokens are issued on login, role change and logout
* Test for consistent session management across applications with shared session management
* Test for session puzzling
* Test for CSRF and clickjacking

== Authorization ==
* Test for path traversal
* Test for vertical Access control problems (a.k.a. Privilege Escalation)
* Test for horizontal Access control problems (between two users at the same privilege level)
* Test for missing authorisation
* Test for Insecure Direct Object References

== Data Validation ==
* Test for Reflected Cross Site Scripting
* Test for Stored Cross Site Scripting
* Test for DOM based Cross Site Scripting
* Test for Cross Site Flashing
* Test for HTML Injection
* Test for SQL Injection
* Test for LDAP Injection
* Test for ORM Injection
* Test for XML Injection
* Test for XXE Injection
* Test for SSI Injection
* Test for XPath Injection
* Test for XQuery Injection
* Test for IMAP/SMTP Injection
* Test for Code Injection
* Test for Expression Language Injection
* Test for Command Injection
* Test for Overflow (Stack, Heap and Integer)
* Test for Format String
* Test for incubated vulnerabilities
* Test for HTTP Splitting/Smuggling
* Test for HTTP Verb Tampering
* Test for Open Redirection
* Test for Local File Inclusion
* Test for Remote File Inclusion
* Compare client-side and server-side validation rules
* Test for NoSQL injection
* Test for HTTP parameter pollution
* Test for auto-binding
* Test for Mass Assignment
* Test for NULL/Invalid Session Cookie

== Denial of Service ==
* Test for anti-automation
* Test for account lockout
* Test for HTTP protocol DoS
* Test for SQL wildcard DoS

== Business Logic ==
* Test for feature misuse
* Test for lack of non-repudiation
* Test for trust relationships
* Test for integrity of data
* Test segregation of duties
* Test for Process Timing
* Test Number of Times a Function Can be Used Limits
* Test for the Circumvention of Work Flows
* Test Defenses Against Application Mis-use
* Test Upload of Unexpected File Types

== Cryptography ==
* Check if data which should be encrypted is not
* Check for wrong algorithms usage depending on context
* Check for weak algorithms usage
* Check for proper use of salting
* Check for randomness functions

== Risky Functionality - File Uploads ==
* Test that acceptable file types are whitelisted
* Test that file size limits, upload frequency and total file counts are defined and are enforced
* Test that file contents match the defined file type
* Test that all file uploads have Anti-Virus scanning in-place.
* Test that unsafe filenames are sanitised
* Test that uploaded files are not directly accessible within the web root
* Test that uploaded files are not served on the same hostname/port
* Test that files and other media are integrated with the authentication and authorisation schemas

== Risky Functionality - Card Payment ==
* Test for known vulnerabilities and configuration issues on Web Server and Web Application
* Test for default or guessable password
* Test for non-production data in live environment, and vice-versa
* Test for Injection vulnerabilities
* Test for Buffer Overflows
* Test for Insecure Cryptographic Storage
* Test for Insufficient Transport Layer Protection
* Test for Improper Error Handling
* Test for all vulnerabilities with a CVSS v2 score > 4.0
* Test for Authentication and Authorization issues
* Test for CSRF

== HTML 5==
* Test Web Messaging
* Test for Web Storage SQL injection
* Check CORS implementation
* Check Offline Web Application

== Error Handling==
* Check for Error Codes
* Check for Stack Traces

= Other Formats =

* DradisPro template format [https://github.com/raesene/OWASP_Web_App_Testing_Cheatsheet_Converter/blob/master/OWASP_Web_Application_Testing_Cheat_Sheet.xml on github]
* Asana template on [http://templana.com/templates/owasp-website-security-checklist/ Templana] (thanks to Bastien Siebman)

= Authors and primary contributors =

[[User:Simon Bennetts|Simon Bennetts]] 
[[User:Raesene|Rory McCune]] 
Colin Watson 
Simone Onofri 
[[User:Amro_Ahmed|Amro AlOlaqi]]

All the authors of the Testing Guide v3

= Other Contributors =

[[User:Ryan_Dewhurst|Ryan Dewhurst]] 

= Related articles =

OWASP [[:Category:OWASP Testing Project|Testing Guide]]

Mozilla [https://wiki.mozilla.org/WebAppSec/Web_Security_Verification Web Security Verification]

{{Cheatsheet_Navigation}}

[[Category:Cheatsheets]] [[Category:OWASP_Breakers]]

OWASP Store Sheep Project

2014-06-17T14:24:40Z

Raesene:

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Store Sheep==

OWASP Store Sheep is a work in progress application do demonstrate security concepts relating to Windows Store Apps.

==Introduction==

Store Sheep is a training app for Developers wishing to learn to securely code a Windows Store ('Metro Style') App, and Testers wanting to learn to test one. It contains a number of security vulnerabilities with explanations and fixes for them.

==Description==

Store Sheep (in line with the 'Goat' theme of Web Goat, Rails Goat etc - I thought it was about time we had a Sheep instead) is a training application for developers and testers. It takes the form of a pretend Windows Store App called 'A friend for Ewe' which is a dating agency for owners of pet Sheep.

The purpose of Store Sheep is for developers and testers alike to learn where these apps resemble and differ from traditional Win32 and Web applications and how to build them to resist attack. A side benefit from this project will be for the community to learn more about how the certification process for a big app store works and the kind of problems it does (and doesn't) find. I would imagine this would be relevant not only to Microsoft's Store but to Apple and Google's as well.

Broadly the idea at this stage is to get a basic app and some documentation up and running quite quickly and then to refine it as time goes on.

==Licensing==
OWASP Store Sheep is free to use. It is licensed under the GNU GPL v3 license, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is Store Sheep? ==

OWASP Store Sheep provides:

* A Visual Studio project containing a JavaScript/HTML Windows Store app which can be side loaded on to a development machine running Windows 8.1.

== Presentation ==

== Project Leader ==

[mailto:marion.mccune@owasp.org Marion McCune]

== Related Projects ==

== Ohloh ==

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download ==

== Email List ==

[https://lists.owasp.org/mailman/listinfo/owasp_store_sheep Sign Up]

== News and Events ==

== In Print ==

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

=FAQs=

; Q1
: A1

; Q2
: A2

= Acknowledgements =
==Volunteers==
XXX is developed by a worldwide team of volunteers. The primary contributors to date have been:

* xxx
* xxx

==Others==
* xxx
* xxx

= Road Map and Getting Involved =
As of June 2014, the priorities are:

The application in its finished form will have three versions.

# This 'original version' contains a number of critical vulnerabilities, some of which will cause it to fail WACK (Windows Application Certification Kit). As such, if submitted to the Windows Store it would be rejected by Microsoft. The associated documentation explains how to correct these problems and move it to B)
# This application passes WACK and may pass Microsoft's checks, however it still contains a number of vulnerabilities such as authorisation flaws, Web Service problems etc. which would cause it to be a danger to its users' data if put live. The associated documentation explains how to find and fix these problems.
# This 'fixed' version of the application represents a safe (if not tremendously useful!) app which could pass through a Web Application 'penetration' test without any significant findings.

Involvement in the development and promotion of Store Sheep is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
* xxx
* xxx

=Project About=
{{:Projects/OWASP_Store_Sheep_Page}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

Testing for Vulnerable Remember Password (OTG-AUTHN-005)

2014-04-17T15:29:37Z

Raesene: typo

{{Template:OWASP Testing Guide v4}}

== Summary ==

Browsers will sometimes ask a user if they wish to remember the password that they just entered. The browser will then store the password, and automatically enter it whenever the same authentication form is visited. This is a convenience for the user.
 
Additionally some websites will offer custom "remember me" functionality to allow users to persist logins on a specific client system.

== Description of the Issue ==
Having the browser storing passwords is not only a convenience for end-users, but also for an attacker. 
If an attacker can gain access to the victim's browser (e.g. through a Cross Site Scripting attack, or through a shared computer), then they can retrieve the stored passwords. It is not uncommon for browsers to store these passwords in an easily retrievable manner, but even if the browser were to store the passwords encrypted and only retrievable through the use of a master password, an attacker could retrieve the password by visiting the target web application's authentication form, entering the victim's username, and letting the browser to enter the password. 
Additionally where custom "remember me" functions are put in place weaknesses in how the token is stored on the client PC (for example using base64 encoded credentials as the token) could expose the users passwords. 
Since early 2014 most major browsers will override any use of autocomplete="off" with regards to password forms and as a result previous checks for this are not required and recommendations should not commonly be given for disabling this feature. However this can still apply to things like secondary secrets which may be stored in the browser inadvertently.

== Black Box testing and example ==

* Look for passwords being stored in a cookie. Examine the cookies stored by the application. Verify that the credentials are not stored in clear text, but are hashed. Examine the hashing mechanism: if it is a common, well-known algorithm, check for its strength; in homegrown hash functions, attempt several usernames to check whether the hash function is easily guessable. Additionally, verify that the credentials are only sent during the login phase, and not sent together with every request to the application.
* Consider other sensitive form fields (e.g. an answer to a secret question that must be entered in a password recovery or account unlock form).

== Remediation ==

Ensure that no credentials should to be stored in clear text or easily retrievable encoded/encrypted forms in cookies.

Testing for Vulnerable Remember Password (OTG-AUTHN-005)

2014-04-17T15:29:19Z

Raesene: Updated page to reflect change in browser handling of autocomplete="off" for password forms.

{{Template:OWASP Testing Guide v4}}

== Summary ==

Browsers will sometimes ask a user if they wish to remember the password that they just entered. The browser will then store the password, and automatically enter it whenever the same authentication form is visited. This is a convenience for the user.
 
Additionally some websites will offer custom "remember me" functionality to allow users to persist logins on a specific client system.

== Description of the Issue ==
Having the browser storing passwords is not only a convenience for end-users, but also for an attacker. 
If an attacker can gain access to the victim's browser (e.g. through a Cross Site Scripting attack, or through a shared computer), then they can retrieve the stored passwords. It is not uncommon for browsers to store these passwords in an easily retrievable manner, but even if the browser were to store the passwords encrypted and only retrievable through the use of a master password, an attacker could retrieve the password by visiting the target web application's authentication form, entering the victim's username, and letting the browser to enter the password. 
Additionally where custom "remember me" functions are put in place weaknesses in how the token is stored on the client PC (for example using base64 encoded credentials as the token) could expose the users passwords. 
Since early 2014 most major browsers will override any use of autocomplete="off" with regards to password forms and as a result previous checks for this are not required and recommendations should not commonly be given for disabling this feature. However this can still apply to things like secondary secrets which may be stored in the browser inadvertantly.

== Black Box testing and example ==

* Look for passwords being stored in a cookie. Examine the cookies stored by the application. Verify that the credentials are not stored in clear text, but are hashed. Examine the hashing mechanism: if it is a common, well-known algorithm, check for its strength; in homegrown hash functions, attempt several usernames to check whether the hash function is easily guessable. Additionally, verify that the credentials are only sent during the login phase, and not sent together with every request to the application.
* Consider other sensitive form fields (e.g. an answer to a secret question that must be entered in a password recovery or account unlock form).

== Remediation ==

Ensure that no credentials should to be stored in clear text or easily retrievable encoded/encrypted forms in cookies.

Testing for Vulnerable Remember Password and Pwd Reset (OWASP-AT-006)

2014-04-17T14:35:05Z

Raesene: /* Black Box Testing and Examples */

{{Template:OWASP Testing Guide v3}}

== Brief Summary ==
Most web applications allow users to reset their password if they have forgotten it, usually by sending them a password reset email and/or by asking them to answer one or more "security questions." In this test, we check that this function is properly implemented and that it does not introduce any flaw in the authentication scheme. We also check whether the application allows the user to store the password in the browser ("remember password" function).
 

== Description of the Issue ==
A great majority of web applications provide a way for users to recover (or reset) their password in case they have forgotten it. The exact procedure varies heavily among different applications, also depending on the required level of security, but the approach is always to use an alternate way of verifying the identity of the user. One of the simplest (and most common) approaches is to have on file the user's email address (e.g., this is obtained when the user first registers), and send the old password (or a new one) to that address. This scheme is based on the assumption that the user's email has not been compromised and that is secure enough for this goal. 
Alternatively (or in addition to that), the application could ask the user to answer one or more "secret questions", which are usually chosen by the user among a set of possible ones. The security of this scheme lies in the ability to provide a way for someone to identify themselves to the system with answers to questions that are not easily answerable via personal information lookups. As an example, a very insecure question would be “your mother’s maiden name” since that is a piece of information that an attacker could find out without much effort. An example of a better question would be “favorite grade-school teacher” since this would be a much more difficult topic to research about a person whose identity may otherwise already be stolen.
 
Another common feature that applications use to provide users a convenience is to cache the password locally in the browser (on the client machine) and having it 'pre-typed' in all subsequent accesses. While this feature can be perceived as extremely friendly for the average user, at the same time, it introduces a flaw, as the user account becomes easily accessible to anyone that uses the same account on the client machine. 

==Black Box Testing and Examples==

'''Password Reset''' 
The first step is to check whether secret questions are used. Sending the password (or a password reset link) to the user email address without first asking for a secret question means relying 100% on the security of that email address, which is not suitable if the application needs a high level of security. 
On the other hand, if secret questions are used, the next step is to assess their strength. As a first point, how many questions need to be answered before the password can be reset? The majority of applications only need the user to answer to one question, but some critical applications require the user to answer correctly to two or even more questions. 
As a second step, we need to analyze the questions themselves. Often a self-reset system offers the choice of multiple questions; this is a good sign for the would-be attacker as this presents him/her with options. Ask yourself whether you could obtain answers to any or all of these questions via a simple Google search on the Internet or with a social engineering attack. As a penetration tester, here is a step-by-step walk-through of assessing a password self-reset tool:

* Are there multiple questions offered?
** If so, try to pick a question which would have a “public” answer; for example, something Google would find with a simple query
** Always pick questions which have a factual answer such as a “first school” or other facts which can be looked up
** Look for questions which have few possible options, such as “what make was your first car”. These questions would present the attacker with a short-list of answers to guess at and based on statistics the attacker could rank answers from most to least likely
* Determine how many guesses you have (if possible)
** Does the password reset allow unlimited attempts?
** Is there a lockout period after X incorrect answers? Keep in mind that a lockout system can be a security problem in itself, as it can be exploited by an attacker to launch a Denial of Service against legitimate users
* Pick the appropriate question based on analysis from above point, and do research to determine the most likely answers
* How does the password-reset tool (once a successful answer to a question is found) behave?
** Does it allow immediate change of the password?
** Does it display the old password?
** Does it email the password to some pre-defined email address?
** The most insecure scenario here is if the password reset tool shows you the password; this gives the attacker the ability to log into the account, and unless the application provides information about the last login the victim would not know that his/her account has been compromised.
** A less insecure scenario is if the password reset tool forces the user to immediately change his/her password. While not as stealthy as the first case, it allows the attacker to gain access and locks the real user out.
** The best security is achieved if the password reset is done via an email to the address the user initially registered with, or some other email address; this forces the attacker to not only guess at which email account the password reset was sent to (unless the application tells that) but also to compromise that account in order to take control of the victim's access to the application.
 
The key to successfully exploiting and bypassing a password self-reset is to find a question or set of questions which give the possibility of easily acquiring the answers. Always look for questions which can give you the greatest statistical chance of guessing the correct answer, if you are completely unsure of any of the answers. In the end, a password self-reset tool is only as strong as the weakest question.
As a side note, if the application sends/visualizes the old password in cleartext it means that passwords are not stored in a hashed form, which is a security issue in itself.
 
'''Password Remember''' 

The "remember my password" mechanism can be implemented with one of the following methods:
# Allowing the "cache password" feature in web browsers. As of 2014 this is the preferred method as all major browsers have disabled the setting of autocomplete="off" by default for password fields.
# Storing the password in a permanent cookie. The password must be hashed/encrypted and not sent in the clear.

To check the second implementation type, examine the cookies stored by the application. Verify that the credentials are not stored in cleartext, but are hashed. Examine the hashing mechanism: if it is a common, well-known algorithm, check for its strength; in homegrown hash functions, attempt several usernames to check whether the hash function is easily guessable. Additionally, verify that the credentials are only sent during the login phase, and not sent together with every request to the application.
 

==Gray Box Testing and Examples==
This test uses only functional features of the application and HTML code that is always available to the client, the graybox testing follows the same guidelines of the previous section. The only exception is for the password encoded in the cookie, where the same gray box analysis described in the [[Testing_for_Session_Management_Schema (OWASP-SM-001)|Testing for Session Management Schema]] chapter can be applied.

Testing for Vulnerable Remember Password and Pwd Reset (OWASP-AT-006)

2014-04-17T14:34:46Z

Raesene: /* Black Box Testing and Examples */ removed the recommendation for settings autcomplete="off" as Internet Explorer, Chrome and Firefox all ignore this setting in relation to password fields.

{{Template:OWASP Testing Guide v3}}

== Brief Summary ==
Most web applications allow users to reset their password if they have forgotten it, usually by sending them a password reset email and/or by asking them to answer one or more "security questions." In this test, we check that this function is properly implemented and that it does not introduce any flaw in the authentication scheme. We also check whether the application allows the user to store the password in the browser ("remember password" function).
 

== Description of the Issue ==
A great majority of web applications provide a way for users to recover (or reset) their password in case they have forgotten it. The exact procedure varies heavily among different applications, also depending on the required level of security, but the approach is always to use an alternate way of verifying the identity of the user. One of the simplest (and most common) approaches is to have on file the user's email address (e.g., this is obtained when the user first registers), and send the old password (or a new one) to that address. This scheme is based on the assumption that the user's email has not been compromised and that is secure enough for this goal. 
Alternatively (or in addition to that), the application could ask the user to answer one or more "secret questions", which are usually chosen by the user among a set of possible ones. The security of this scheme lies in the ability to provide a way for someone to identify themselves to the system with answers to questions that are not easily answerable via personal information lookups. As an example, a very insecure question would be “your mother’s maiden name” since that is a piece of information that an attacker could find out without much effort. An example of a better question would be “favorite grade-school teacher” since this would be a much more difficult topic to research about a person whose identity may otherwise already be stolen.
 
Another common feature that applications use to provide users a convenience is to cache the password locally in the browser (on the client machine) and having it 'pre-typed' in all subsequent accesses. While this feature can be perceived as extremely friendly for the average user, at the same time, it introduces a flaw, as the user account becomes easily accessible to anyone that uses the same account on the client machine. 

==Black Box Testing and Examples==

'''Password Reset''' 
The first step is to check whether secret questions are used. Sending the password (or a password reset link) to the user email address without first asking for a secret question means relying 100% on the security of that email address, which is not suitable if the application needs a high level of security. 
On the other hand, if secret questions are used, the next step is to assess their strength. As a first point, how many questions need to be answered before the password can be reset? The majority of applications only need the user to answer to one question, but some critical applications require the user to answer correctly to two or even more questions. 
As a second step, we need to analyze the questions themselves. Often a self-reset system offers the choice of multiple questions; this is a good sign for the would-be attacker as this presents him/her with options. Ask yourself whether you could obtain answers to any or all of these questions via a simple Google search on the Internet or with a social engineering attack. As a penetration tester, here is a step-by-step walk-through of assessing a password self-reset tool:

* Are there multiple questions offered?
** If so, try to pick a question which would have a “public” answer; for example, something Google would find with a simple query
** Always pick questions which have a factual answer such as a “first school” or other facts which can be looked up
** Look for questions which have few possible options, such as “what make was your first car”. These questions would present the attacker with a short-list of answers to guess at and based on statistics the attacker could rank answers from most to least likely
* Determine how many guesses you have (if possible)
** Does the password reset allow unlimited attempts?
** Is there a lockout period after X incorrect answers? Keep in mind that a lockout system can be a security problem in itself, as it can be exploited by an attacker to launch a Denial of Service against legitimate users
* Pick the appropriate question based on analysis from above point, and do research to determine the most likely answers
* How does the password-reset tool (once a successful answer to a question is found) behave?
** Does it allow immediate change of the password?
** Does it display the old password?
** Does it email the password to some pre-defined email address?
** The most insecure scenario here is if the password reset tool shows you the password; this gives the attacker the ability to log into the account, and unless the application provides information about the last login the victim would not know that his/her account has been compromised.
** A less insecure scenario is if the password reset tool forces the user to immediately change his/her password. While not as stealthy as the first case, it allows the attacker to gain access and locks the real user out.
** The best security is achieved if the password reset is done via an email to the address the user initially registered with, or some other email address; this forces the attacker to not only guess at which email account the password reset was sent to (unless the application tells that) but also to compromise that account in order to take control of the victim's access to the application.
 
The key to successfully exploiting and bypassing a password self-reset is to find a question or set of questions which give the possibility of easily acquiring the answers. Always look for questions which can give you the greatest statistical chance of guessing the correct answer, if you are completely unsure of any of the answers. In the end, a password self-reset tool is only as strong as the weakest question.
As a side note, if the application sends/visualizes the old password in cleartext it means that passwords are not stored in a hashed form, which is a security issue in itself.
 
'''Password Remember''' 

The "remember my password" mechanism can be implemented with one of the following methods:
# Allowing the "cache password" feature in web browsers. As of 2014 this is the preferred method as all major browsers have disabled the setting of autocomplete="off" by default.
# Storing the password in a permanent cookie. The password must be hashed/encrypted and not sent in the clear.

To check the second implementation type, examine the cookies stored by the application. Verify that the credentials are not stored in cleartext, but are hashed. Examine the hashing mechanism: if it is a common, well-known algorithm, check for its strength; in homegrown hash functions, attempt several usernames to check whether the hash function is easily guessable. Additionally, verify that the credentials are only sent during the login phase, and not sent together with every request to the application.
 

==Gray Box Testing and Examples==
This test uses only functional features of the application and HTML code that is always available to the client, the graybox testing follows the same guidelines of the previous section. The only exception is for the password encoded in the cookie, where the same gray box analysis described in the [[Testing_for_Session_Management_Schema (OWASP-SM-001)|Testing for Session Management Schema]] chapter can be applied.

Scotland

2013-12-18T08:50:52Z

Raesene: /* Local News */

{{Chapter Template|chaptername=Scotland|extra=The chapter leader is [mailto:rorym@nmrconsult.net Rory McCune]
<paypal>Scotland</paypal>
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-scotland|emailarchives=http://lists.owasp.org/pipermail/owasp-scotland}}

== Local News ==

Best way to keep up to date with meet-ups and the like is subscribe to the mailing list (Link above)

=== Sponsors ===

The OWASP Scotland chapter now has a sponsor which is [http://www.sopragroup.co.uk Sopra Group]
[[File:Sopra.jpg|200px|left|Sopra Group]]

[[Category:United Kingdom]]
[[Category:Europe]]

Scotland

2013-05-01T13:58:17Z

Raesene: /* Local News */

{{Chapter Template|chaptername=Scotland|extra=The chapter leader is [mailto:rorym@nmrconsult.net Rory McCune]
<paypal>Scotland</paypal>
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-scotland|emailarchives=http://lists.owasp.org/pipermail/owasp-scotland}}

== Local News ==

===May 2013 Chapter Meeting ===

The next chapter meeting is on Thursday 30th May. Information and Sign-up here http://owaspscotlandmay2013.eventbrite.co.uk/

=== Sponsors ===

The OWASP Scotland chapter now has a sponsor which is [http://www.sopragroup.co.uk Sopra Group]
[[File:Sopra.jpg|200px|left|Sopra Group]]

[[Category:United Kingdom]]
[[Category:Europe]]

PHP Security Cheat Sheet

2013-04-14T09:27:40Z

Raesene: /* Session Hijacking Prevention */ Changed the code present to remove references to X_HTTP_FORWARDED_FOR as this variable is susceptible to spoofing and as such shouldn't be used for security decisions

= DRAFT CHEAT SHEET - WORK IN PROGRESS =
= Introduction =
This page intends to provide basic PHP security tips for developers and administrators. Keep in mind that tips mentioned in this page may not be sufficient for securing your web application.

==PHP status on the web==
PHP is the most commonly used server-side programming language and 72% of web servers deploy PHP. PHP is open source. The core of PHP is reasonably secure, but its plugins, libraries and third party tools are often insecure. Also no default security mechanism is included in PHP (there were some in the old days, but they usually broke things).

PHP developers are usually better informed than ASPX or JSP developers on how the web and HTTP works, and that makes for better coding practices, but they both lack basic security knowledge. Other languages have built-in security mechanisms, which is why PHP websites often have more flawed.

==Update PHP Now==
'''Important Note: ''' PHP 5.2.x is officially unsupported now. This means that in the near future, when a common security flaw on PHP 5.2.x is discovered, PHP 5.2.x powered website may become vulnerable. ''It is of utmost important that you upgrade your PHP to 5.3.x or 5.4.x right now.''

Also keep in mind that you should regularly upgrade your PHP distribution on an operational server. Every day new flaws are discovered and announced in PHP and attackers use these new flaws on random servers frequently.

=Untrusted data=
All data that is a product, or subproduct, of user input is to NOT be trusted. They have to either be validated, using the correct methodology, or filtered, before considering them untainted.

Super globals which are not to be trusted are $_SERVER, $_GET, $_POST, $_REQUEST, $_FILES and $_COOKIE. Not all data in $_SERVER can be faked by the user, but a considerable amount in it can, particularly and specially everything that deals with HTTP headers (they start with HTTP_).

==Common mistakes on the processing of $_FILES array==
It is common to find code snippets online doing something similar to the following code:

if ($_FILES['some_name']['type'] == 'image/jpeg') {
//Proceed to accept the file as a valid image
}

However, the type is not determined by using heuristics that validate it, but by simply reading the data sent by the HTTP request, which is created by a client. A better, yet not perfect, way of validating file types is to use finfo class.

$finfo = new finfo(FILEINFO_MIME_TYPE);
$fileContents = file_get_contents($_FILES['some_name']['tmp_name']);
$mimeType = $finfo->buffer($fileContents);

Where $mimeType is a better checked file type. This uses more resources on the server, but can prevent the user from sending a dangerous file and fooling the code into trusting it as an image, which would normally be regarded as a safe file type.

==Use of $_REQUEST==
Using $_REQUEST is strongly discouraged. This super global is not recommended since it includes not only POST and GET data, but also the cookies sent by the request. This can lead to confusion and makes your code prone to mistakes, which could lead to security problems.

=Database Cheat Sheet=
Since a single SQL Injection vulnerability permits the hacking of your website, and every hacker first tries SQL injection flaws, fixing SQL injections are the first step to securing your PHP powered application. Abide to the following rules:

==Encoding Issues==
===Everything is a string for a database===
There are ways to send different data types to a database, ints, floats, etc. Never rely on them, instead always send an string to the database. Database engines type cast automatically if they need to. This makes for much safer queries. Make this a habit of yours, and see how many time it saves you. Still, do not concatenate without escaping the values. Check the [[#Use Prepared Statements|Use Prepared Statements]].

====Wrong====
$x=1;
SELECT * FROM users WHERE ID > $x
====Right====
$x=1; // or $x='1';
SELECT * FROM users WHERE ID >'$x';

===Use UTF-8 unless necessary===
Many new attack vectors rely on encoding bypassing. Use UTF-8 as your database and application charset unless you have a mandatory requirement to use another encoding.

$DB = new mysqli($Host, $Username, $Password, $DatabaseName);
if (mysqli_connect_errno())
trigger_error("Unable to connect to MySQLi database.");
$DB->set_charset('UTF-8');

==Escaping is not safe==
'''mysql_real_escape_string''' is not safe. Don't rely on it for your SQL injection prevention.

'''Why:'''
When you use mysql_real_escape_string on every variable and then concat it to your query, ''you are bound to forget that at least once'', and once is all it takes. You can't force yourself in any way to never forget. Number fields might also be vulnerable if not used as strings. Instead use prepared statements or equivalent.

==Use Prepared Statements==
Prepared statements are very secure. In a prepared statement, data is separated from the SQL command, so that everything user inputs is considered data and put into the table the way it was.

====MySQLi Prepared Statements Wrapper====
The following function, performs a SQL query, returns its results as a 2D array (if query was SELECT) and does all that with prepared statements using MySQLi fast MySQL interface:

$DB = new mysqli($Host, $Username, $Password, $DatabaseName);
if (mysqli_connect_errno())
trigger_error("Unable to connect to MySQLi database.");
$DB->set_charset('UTF-8');

function SQL($Query) {
global $DB;
$args = func_get_args();
if (count($args) == 1) {
$result = $DB->query($Query);
if ($result->num_rows) {
$out = array();
while (null != ($r = $result->fetch_array(MYSQLI_ASSOC)))
$out [] = $r;
return $out;
}
return null;
} else {
if (!$stmt = $DB->prepare($Query))
trigger_error("Unable to prepare statement: {$Query}, reason: " . $DB->error . "");
array_shift($args); //remove $Query from args
//the following three lines are the only way to copy an array values in PHP
$a = array();
foreach ($args as $k => &$v)
$a[$k] = &$v;
$types = str_repeat("s", count($args)); //all params are strings, works well on MySQL and SQLite
array_unshift($a, $types);
call_user_func_array(array($stmt, 'bind_param'), $a);
$stmt->execute();
//fetching all results in a 2D array
$metadata = $stmt->result_metadata();
$out = array();
$fields = array();
if (!$metadata)
return null;
$length = 0;
while (null != ($field = mysqli_fetch_field($metadata))) {
$fields [] = &$out [$field->name];
$length+=$field->length;
}
call_user_func_array(array(
$stmt, "bind_result"
), $fields);
$output = array();
$count = 0;
while ($stmt->fetch()) {
foreach ($out as $k => $v)
$output [$count] [$k] = $v;
$count++;
}
$stmt->free_result();
return ($count == 0) ? null : $output;
}
}

Now you could do your every query like the example below:

$res=SQL("SELECT * FROM users WHERE ID>? ORDER BY ? ASC LIMIT ?" , 5 , "Username" , 2);

Every instance of ? is bound with an argument of the list, not ''replaced'' with it. MySQL 5.5+ supports ? as ORDER BY and LIMIT clause specifiers. If you're using a database that doesn't support them, see next section.

'''REMEMBER:''' When you use this approach, you should ''NEVER'' concat strings for a SQL query.

====PDO Prepared Statement Wrapper====
The following function, does the same thing as the above function but using PDO. You can use it with every PDO supported driver.

try {
$DB = new PDO("{$Driver}:dbname={$DatabaseName};host={$Host};", $Username, $Password);
} catch (Exception $e) {
trigger_error("PDO connection error: " . $e->getMessage());
}

function SQL($Query) {
global $DB;
$args = func_get_args();
if (count($args) == 1) {
$result = $DB->query($Query);
if ($result->rowCount()) {
return $result->fetchAll(PDO::FETCH_ASSOC);
}
return null;
} else {
if (!$stmt = $DB->prepare($Query)) {
$Error = $DB->errorInfo();
trigger_error("Unable to prepare statement: {$Query}, reason: {$Error[2]}");
}
array_shift($args); //remove $Query from args
$i = 0;
foreach ($args as &$v)
$stmt->bindValue(++$i, $v);
$stmt->execute();
return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
}

$res=SQL("SELECT * FROM users WHERE ID>? ORDER BY ? ASC LIMIT 5" , 5 , "Username" );

===Where prepared statements do not work===
The problem is, when you need to build dynamic queries, or need to set variables not supported as a prepared variable, or your database engine does not support prepared statements. For example, PDO MySQL does not support ? as LIMIT specifier. In these cases, you need to do two things:

====Not Supported Fields====
When some field does not support binding (like LIMIT clause in PDO), you need to '''whitelist''' the data you're about to use. LIMIT always requires an integer, so cast the variable to an integer. ORDER BY needs a field name, so whitelist it with field names:

function whitelist($Needle,$Haystack)
{
if (!in_array($Needle,$Haystack))
return reset($Haystack); //first element
return $Needle;
}

$Limit = $_GET['lim'];
$Limit = $Limit * 1; //type cast, integers are safe

$Order = $_GET['sort'];
$Order=whitelist($Order,Array("ID","Username","Password"));

This is very important. If you think you're tired and you rather blacklist than whitelist, you're bound to fail.

====Dynamic Queries====
Now this is a highly delicate situation. Whenever hackers fail to injection SQL in your common application scenarios, they go for Advanced Search features or similars, because those features rely on dynamic queries and dynamic queries are almost always insecurely implemented.

When you're building a dynamic query, the only way is whitelisting. Whitelist every field name, every boolean operator (it should be OR or AND, nothing else) and after building your query, use prepared statements:

$Query="SELECT * FROM table WHERE ";
foreach ($_GET['fields'] as $g)
$Query.=whitelist($g,Array("list","of","possible","fields","here"))."=?";
$Values=$_GET['values'];
array_unshift($Query); //add to the beginning
$res=call_user_func_array(SQL, $Values);

==ORM==
ORMs (Object Relational Mappers) are good security practice. If you're using an ORM (like [http://www.doctrine-project.org/ Doctrine]) in your PHP project, you're still prone to SQL attacks. Although injecting queries in ORM's is much harder, keep in mind that concatenating ORM queries makes for the same flaws that concatenating SQL queries, so '''NEVER''' concatenate strings sent to a database. ORM's support prepared statements as well.

=Other Injection Cheat Sheet=
SQL aside, there are a few more injections possible ''and common'' in PHP:

==Shell Injection==
A few PHP functions namely

* shell_exec
* exec
* passthru
* system
* [http://no2.php.net/manual/en/language.operators.execution.php backtick operator] ( ` )

run a string as shell scripts and commands. Input provided to these functions (specially backtick operator that is not like a function). Depending on your configuration, shell script injection can cause your application settings and configuration to leak, or your whole server to be hijacked. This is a very dangerous injection and is somehow considered the haven of an attacker.

Never pass tainted input to these functions - that is input somehow manipulated by the user - unless you're absolutely sure there's no way for it to be dangerous (which you never are without whitelisting). Escaping and any other countermeasures are ineffective, there are plenty of vectors for bypassing each and every one of them; don't believe what novice developers tell you.

==Code Injection==
All interpreted languages such as PHP, have some function that accepts a string and runs that in that language. It is usually named Eval. PHP also has Eval.
Using Eval is a very bad practice, not just for security. If you're absolutely sure you have no other way but eval, use it without any tainted input.

Reflection also could have code injection flaws. Refer to the appropriate reflection documentations, since it is an advanced topic.

==Other Injections==
LDAP, XPath and any other third party application that runs a string, is vulnerable to injection. Always keep in mind that some strings are not data, but commands and thus should be secure before passing to third party libraries.

=XSS Cheat Sheet=

There are two scenarios when it comes to XSS, each one to be mitigated accordingly:

==No Tags==
Most of the time, output needs no HTML tags. For example when you're about to dump a textbox value, or output user data in a cell. In this scenarios, you can mitigate XSS by simply using the function below. '''Keep in mind that this scenario won't mitigate XSS when you use user input in dangerous elements (style, script, image's src, a, etc.)''', but mostly you don't. Also keep in mind that every output that is not intended to contain HTML tags should be sent to the browser filtered with the following function.

//xss mitigation functions
function xssafe($data,$encoding='UTF-8')
{
return htmlspecialchars($data,ENT_QUOTES | ENT_HTML401,$encoding);
}
function xecho($data)
{
echo xssafe($data);
}

//usage example
<input type='text' name='test' value='<?php
xecho ("' onclick='alert(1)");
?>' />

==Yes Tags==
When you need tags in your output, such as rich blog comments, forum posts, blog posts and etc., you have to use a '''Secure Encoding''' library. This is usually hard and slow, and that's why most applications have XSS vulnerabilities in them. OWASP ESAPI has a bunch of codecs for encoding different sections of data. There's also OWASP AntiSammy and HTMLPurifier for PHP. Each of these require lots of configuration and learning to perform well, but you need them when you want that good of an application.

==Templating engines==

There are several templating engines that can help the programmer (and designer) to output data without exposing it too much against XSS vulnerabilities. While their primary goal isn't security, but improving the designing experience, most important templating engines automatically escape the variables on output and force the developer to explicitly indicate if there is a variable that shouldn't be escaped. This makes output of variables have a white-list behavior. There exist several of these engines. A good example is twig[http://twig.sensiolabs.org/]. Other popular template engines are Smarty, Haanga and Rain TPL.

The advantage of following a white-list approach is that the programmer should be less prone to forget about using a function call to clean the output of a variable.

==Other Tips==

* We don't have a '''trusted section''' in any web application. Many developers tend to leave admin areas out of XSS mitigation, but most intruders are interested in admin cookies and XSS. Every output should be cleared by the functions provided above, if it has a variable in it. Remove every instance of echo, print, and printf from your application and replace them with the above statement when you see a variable is included, no harm comes with that.

* HTTP-Only cookies are a very good practice, for a near future when every browser is compatible. Start using them now. (See PHP.ini configuration for best practice)

* The function declared above, only works for valid HTML syntax. If you put your Element Attributes without quotation, you're doomed. Go for valid HTML.

* [[Reflected XSS]] is as dangerous as normal XSS, and usually comes at the most dusty corners of an application. Seek it and mitigate it.

=CSRF Cheat Sheet=
CSRF mitigation is easy in theory, but hard to implement correctly. First, a few tips about CSRF:

* Every request that does something noteworthy, should be CSRF mitigated. Noteworthy things are changes to the system, and reads that take a long time.
* CSRF mostly happens on GET, but is easy to happen on POST. Don't ever think that post is secure.

The [[PHP_CSRF_Guard|OWASP PHP CSRFGuard]] is a code snippet that shows how to mitigate CSRF. Only copy pasting it is not enough. In the near future, a copy-pasteable version would be available (hopefully). For now, mix that with the following tips:

* Use re-authentication for critical operations (change password, recovery email, etc.)
* If you're not sure whether your operation is CSRF proof, consider adding CAPTCHAs (however CAPTCHAs are inconvenience for users)
* If you're performing operations based on other parts of a request (neither GET nor POST) e.g Cookies or HTTP Headers, you might need to add CSRF tokens there as well.
* AJAX powered forms need to re-create their CSRF tokens. Use the function provided above (in code snippet) for that and never rely on Javascript.
* CSRF on GET or Cookies will lead to inconvenience, consider your design and architecture for best practices.

=Authentication and Session Management Cheat Sheet=
PHP doesn't ship with a readily available authentication module, you need to implement your own or use a PHP framework, unfortunately most PHP frameworks are far from perfect in this manner, due to the fact that they are developed by open source developer community rather than security experts. A few instructive and useful tips are listed below:

==Session Management==
PHP's default session facilites are considered safe, the generated PHPSessionID is random enough, but the storage is not necessarily safe:

* Session files are stored in temp (/tmp) folder and are world writable unless suPHP installed, so any LFI or other leak might end-up manipulating them.
* Sessions are stored in files in default configuration, which is terribly slow for highly visited websites. You can store them on a memory folder (if UNIX).
* You can implement your own session mechanism, without ever relying on PHP for it. If you did that, store session data in a database. You could use all, some or none of the PHP functionality for session handling if you go with that.

===Session Hijacking Prevention===
It is good practice to bind sessions to IP addresses, that would prevent most session hijacking scenarios (but not all), however some users might use anonymity tools (such as TOR) and they would have problems with your service.

To implement this, simply store the client IP in the session first time it is created, and enforce it to be the same afterwards. The code snippet below returns client IP address:

$IP = getenv ( "REMOTE_ADDR" );

Keep in mind that in local environments, a valid IP is not returned, and usually the string ''':::1''' or ''':::127''' might pop up, thus adapt your IP checking logic. Also beware of versions of this code which make use of the HTTP_X_FORWARDED_FOR variable as this data is effectively user input and therefore susceptible to spoofing (more information [http://www.thespanner.co.uk/2007/12/02/faking-the-unexpected/ here] and [http://security.stackexchange.com/a/34327/37 here] )

===Invalidate Session ID===
You should invalidate (unset cookie, unset session storage, remove traces) of a session whenever a violation occurs (e.g 2 IP addresses are observed). A log event would prove useful. Many applications also notify the logged in user (e.g GMail).

===Rolling of Session ID===
You should roll session ID whenever elevation occurs, e.g when a user logs in, the session ID of the session should be changed, since it's importance is changed.

===Exposed Session ID===
Session IDs are considered confidential, your application should not expose them anywhere (specially when bound to a logged in user). Try not to use URLs as session ID medium.

Transfer session ID over TLS whenever session holds confidential information, otherwise a passive attacker would be able to perform session hijacking.

===Session Fixation===
Session IDs are to be generated by your application only. Never create a session only because you receive the session ID from the client, the only source of creating a session should be a secure random generator.

===Session Expiration===
A session should expire after a certain amount of inactivity, and after a certain time of activity as well. The expiration process means invalidating and removing a session, and creating a new one when another request is met.

Also keep the '''log out''' button close, and unset all traces of the session on log out.

====Inactivity Timeout====
Expire a session if current request is X seconds later than the last request. For this you should update session data with time of the request each time a request is made. The common practice time is 30 minutes, but highly depends on application criteria.

This expiration helps when a user is logged in on a publicly accessible machine, but forgets to log out. It also helps with session hijacking.

====General Timeout====
Expire a session if current session has been active for a certain amount of time, even if active. This helps keeping track of things. The amount differs but something between a day and a week is usually good. To implement this you need to store start time of a session.

===Cookies===
Handling cookies in a PHP script has some tricks to it:

====Never Serialize====
Never serialize data stored in a cookie. It can easily be manipulated, resulting in adding variables to your scope.

====Proper Deletion====
To delete a cookie safely, use the following snippet:

setcookie ($name, "", 1);
setcookie ($name, false);
unset($_COOKIE[$name]);
The first line ensures that cookie expires in browser, the second line is the standard way of removing a cookie (thus you can't store false in a cookie). The third line removes the cookie from your script. Many guides tell developers to use time() - 3600 for expiry, but it might not work if browser time is not correct.

You can also use '''session_name()''' to retrieve the name default PHP session cookie.

====HTTP Only====
Most modern browsers support HTTP-only cookies. These cookies are only accessible via HTTP(s) requests and not Javascript, so XSS snippets can not access them. They are very good practice, but are not satisfactory since there are many flaws discovered in major browsers that lead to exposure of HTTP only cookies to javascript.

To use HTTP-only cookies in PHP (5.2+), you should perform session cookie setting [http://php.net/manual/en/function.setcookie.php manually] (not using '''session_start'''):

#prototype
bool setcookie ( string $name [, string $value [, int $expire = 0 [, string $path [, string $domain [, bool $secure = false [, bool $httponly = false ]]]]]] )

#usage
if (!setcookie("MySessionID", $secureRandomSessionID, $generalTimeout, $applicationRootURLwithoutHost, NULL, NULL,true))
echo ("could not set HTTP-only cookie");

The '''path''' parameter sets the path which cookie is valid for, e.g if you have your website at example.com/some/folder the path should be /some/folder or other applications residing at example.com could also see your cookie. If you're on a whole domain, don't mind it. '''Domain''' parameter enforces the domain, if you're accessible on multiple domains or IPs ignore this, otherwise set it accordingly. If '''secure''' parameter is set, cookie can only be transmitted over HTTPS. See the example below:

$r=setcookie("SECSESSID","1203j01j0s1209jw0s21jxd01h029y779g724jahsa9opk123973",time()+60*60*24*7 /*a week*/,"/","owasp.org",true,true);
if (!$r) die("Could not set session cookie.");

====Internet Explorer issues====
Many version of Internet Explorer tend to have problems with cookies. Mostly setting Expire time to 0 fixes their issues.

==Authentication==

===Remember Me===
Many websites are vulnerable on remember me features. The correct practice is to generate a one-time token for a user and store it in the cookie. The token should also reside in data store of the application to be validated and assigned to user. This token should have '''no relevance''' to username and/or password of the user, a secure long-enough random number is a good practice.

It is better if you imply locking and prevent brute-force on remember me tokens, and make them long enough, otherwise an attacker could brute-force remember me tokens until he gets access to a logged in user without credentials.

* '''Never store username/password or any relevant information in the cookie.'''

=Access Control Cheat Sheet=
This section aims to mitigate access control issues, as well as '''Insecure Direct Object Reference''' issues.

=Cryptography Cheat Sheet=

=File Inclusion Cheat Sheet=

=Configuration and Deployment Cheat Sheet=
Please see [[PHP Configuration Cheat Sheet]].

=Sources of Taint=

= OLD. PHP General Guidelines for Secure Web Applications =

== PHP Version ==
Use '''PHP 5.3.8'''. Stable versions are always safer then the beta ones.

== Framework==
Use a framework like '''Zend''' or '''Symfony'''. Try not to re-write the code again and again. Also avoid dead codes.

== Directory==
Code with most of your code outside of the webroot. This is automatic for Symfony and Zend. Stick to these frameworks.

== Hashing Extension ==
Not every PHP installation has a working '''mhash''' extension, so if you need to do hashing, check it before using it. Otherwise you can't do SHA-256

== Cryptographic Extension ==
Not every PHP installation has a working '''mcrypt''' extension, and without it you can't do AES. Do check if you need it.

== Authentication and Authorization ==
There is no authentication or authorization classes in native PHP. Use '''ZF''' or '''Symfony''' instead.

== Input nput validation ==
Use $_dirty['foo'] = $_GET['foo'] and then $foo = validate_foo($dirty['foo']);

== Use PDO or ORM ==
Use PDO with prepared statements or an ORM like Doctrine

== Use PHP Unit and Jenkins ==
When developing PHP code, make sure you develop with PHP Unit and Jenkins - see http://qualityassuranceinphpprojects.com/pages/tools.html for more details.

== Use Stefan Esser's Hardened PHP Patch ==
Consider using Stefan Esser's Hardened PHP patch - http://www.hardened-php.net/suhosin/index.html
(not maintained now, but the concepts are very powerful)

== Avoid Global Variables==
In terms of secure coding with PHP, do not use globals unless absolutely necessary
Check your php.ini to ensure register_globals is off Do not run at all with this setting enabled It's extremely dangerous (register_globals has been disabled since 5.0 / 2006, but .... most PHP 4 code needs it, so many hosters have it turned on)

== Avoid Eval() ==
It basically allows arbitrary PHP code execution, so do not evaluate user supplied input. and if you're not doing that, you can just use PHP directly. eval() is at least 10-100 times slower than native PHP

== Protection against RFI==
Ensure allow_url_fopen and allow_url_include are both disabled to protect against RFI But don't cause issues by using the pattern include $user_supplied_data or require "base" + $user_supplied_data - it's just unsafe as you can input /etc/passwd and PHP will try to include it

== Regexes (!)==
Watch for executable regexes (!)

== Session Rotation ==
Session rotation is very easy - just after authentication, plonk in session_regenerate_id() and you're done.

== Be aware of PHP filters ==
PHP filters can be tricky and complex. Be extra-conscious when using them.

== Logging ==
Set display_errors to 0, and set up logging to go to a file you control, or at least syslog. This is the most commonly neglected area of PHP configuration

== Output encoding ==
Output encoding is entirely up to you. Just do it, ESAPI for PHP is ready for this job.

These are transparent to you and you need to know about them. php://input: takes input from the console gzip: takes compressed input and might bypass input validation http://au2.php.net/manual/en/filters.php

= Authors and Primary Editors =

[[User:Abbas Naderi|Abbas Naderi Afooshteh]] ([mailto:abbas.naderi@owasp.org abbas.naderi@owasp.org])

[[User:Achim|Achim]] - [mailto:achim_at_owasp.org Achim at owasp.org]

[mailto:vanderaj@owasp.org Andrew van der Stock]

= Other Cheatsheets =
{{Cheatsheet_Navigation}}

[[Category:Cheatsheets]]

Category:OWASP Top Ten Project

2013-02-08T08:14:10Z

Raesene: typo your --> you're

{{OWASP Book|1400974}}

{{Social Media Links}}

= Main =

'''Welcome to the OWASP Top Ten Project''' - if you're looking for the OWASP Top 10 Mobile - [http://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_Ten_Mobile_Risks Click Here]

== OWASP Top 10 for 2010 ==

On April 19, 2010 we released the final version of the OWASP Top 10 for 2010, and here is the associated [[OWASPTop10-2010-PressRelease|press release]]. This version was updated based on numerous comments received during the comment period after the release candidate was released in Nov. 2009.

*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 - 2010 Document]
*[[Top 10 2010|OWASP Top 10 - 2010 - wiki]]
*[http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx OWASP Top 10 - 2010 Presentation]
*[http://blip.tv/owasp-appsec-conference-in-europe/day2_track1_1430-1505-3936900 OWASP Top 10 Video of the Presentation above - this focused alot on the Top 10 for 2010 approach, rather than the details. (From OWASP AppSec EU 2010)]
*[http://www.vimeo.com/9006276 OWASP Top 10 Video of this Presentation when the Top 10 for 2010 was 1st released for comment - this goes through each item in the Top 10. (From OWASP AppSec DC 2009)]

The OWASP Top 10 Web Application Security Risks for 2010 are:

*[[Top_10_2010-A1|A1: Injection]]
*[[Top_10_2010-A2|A2: Cross-Site Scripting (XSS)]]
*[[Top_10_2010-A3|A3: Broken Authentication and Session Management]]
*[[Top_10_2010-A4|A4: Insecure Direct Object References]]
*[[Top_10_2010-A5|A5: Cross-Site Request Forgery (CSRF)]]
*[[Top_10_2010-A6|A6: Security Misconfiguration]]
*[[Top_10_2010-A7|A7: Insecure Cryptographic Storage]]
*[[Top_10_2010-A8|A8: Failure to Restrict URL Access]]
*[[Top_10_2010-A9|A9: Insufficient Transport Layer Protection]]
*[[Top_10_2010-A10|A10: Unvalidated Redirects and Forwards]]

Please help us make sure every developer in the ENTIRE WORLD knows about the OWASP Top 10 by helping to spread the word!!!

As you help us spread the word, please emphasize:

*OWASP is reaching out to developers, not just the application security community
*The Top 10 is about managing risk, not just avoiding vulnerabilities
*To manage these risks, organizations need an application risk management program, not just awareness training, app testing, and remediation

We need to encourage organizations to get off the penetrate and patch mentality. As Jeff Williams said in his 2009 OWASP AppSec DC Keynote: “we’ll never hack our way secure – it’s going to take a culture change” for organizations to properly address application security.

If you are interested in doing a presentation on the OWASP Top 10, please feel free to use all or parts of this:

== Introduction ==

The OWASP Top Ten provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. Versions of the 2007 were translated into English, French, Spanish, Japanese, Korean and Turkish and other languages. Translation efforts for the 2010 version are underway and they will be posted as they become available.

We urge all companies to adopt this awareness document within their organization and start the process of ensuring that their web applications do not contain these flaws. Adopting the OWASP Top Ten is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code.

== Versions ==

Stable:

*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 2010 - PDF]
*[[Top 10 2010|OWASP Top 10 2010 - wiki]]

2010 Translations:

*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20French.pdf OWASP Top 10 2010 - French PDF]
*[https://www.owasp.org/images/b/b8/OWASPTop10_DE_Version_1_0.pdf OWASP Top 10 2010 - German PDF]
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Indonesian.pdf OWASP Top 10 2010 - Indonesian PDF]
*[http://www.owasp.org/images/f/f9/OWASP_Top_10_-_2010_ITA.pdf OWASP Top 10 2010 - Italian PDF]
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Japanese-A4.pdf OWASP Top 10 2010 - Japanese PDF]
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Korean.pdf OWASP Top 10 2010 - Korean PDF]
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Spanish.pdf OWASP Top 10 2010 - Spanish PDF]
*[http://www.owasp.org/images/a/a9/OWASP_Top_10_2010_Chinese_V1.0_Released.pdf OWASP Top 10 2010 - Chinese PDF]
*[http://owasptop10.googlecode.com/files/OWASPTop%2010%20-%202010%20Vietnamese.pdf OWASP Top 10 2010 - Vietnamese PDF]
*[https://www.owasp.org/images/c/cd/OWASP_Top_10_Heb.pdf OWASP Top 10 2010 - Hebrew PDF]

2010 Release Candidate:

*[http://www.owasp.org/index.php/File:OWASP_T10_-_2010_rc1.pdf OWASP Top 10 2010 Release Candidate]
*[http://www.owasp.org/images/e/e1/OWASP_Top_10_RC-Public_Comments.docx OWASP Top 10 2010 Release Candidate Comments], except for one set of scanned comments [http://www.owasp.org/images/2/2e/OWASP_T10_-_2010_rc1_cmts_Kai_Jendrian.pdf which are here].

Old versions:

*[http://www.owasp.org/images/e/e8/OWASP_Top_10_2007.pdf OWASP Top 10 2007 - PDF]
*[[Top 10 2007|OWASP Top 10 2007 - wiki]]
*[http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project#tab=Project_Details OWASP Top 10 2007 - PDF Translations are here]
*[[Top 10 2004|OWASP Top 10 2004 - wiki]]

== Users and Adopters ==

The U.S. Federal Trade Commission strongly recommends that all companies use the OWASP Top Ten and ensure that their partners do the same. In addition, the U.S. Defense Information Systems Agency (DISA) has listed the OWASP Top Ten as key best practices that should be used as part of the DoD Information Assurance Certification and Accreditation Process ([http://iase.disa.mil/diacap/ DIACAP]).

In the commercial market, the [http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Data_Security_Standard.pdf Payment Card Industry (PCI) standard] has adopted the OWASP Top Ten, and requires (among other things) that all merchants get a security code review for all their custom code. In addition, a broad range of companies and agencies around the globe are also using the OWASP Top Ten, including:

*A.G. Edwards
*Bank of Newport
*Best Software
*British Telecom
*Bureau of Alcohol, Tobacco, and Firearms (ATF)
*Citibank
*Cboss Internet
*Cognizant
*Contra Costa County, CA
*Corillian Corporation
*Digital Payment Technologies
*Foundstone Strategic Security
*HP
*IBM Global Services
*National Australia Bank
*Norfolk Southern
*OneSAS.com
*Online Business Systems
*Predictive Systems
*Price Waterhouse Coopers
*Recreational Equipment, Inc. (REI)
*SSP Solutions
*Samsung SDS (Korea)
*Sempra Energy
*Sprint
*Sun Microsystems
*Swiss Federal Institute of Technology
*Symantec
*Texas Dept of Human Services
*The Hartford
*Zapatec
*ZipForm
*...and many others

Several schools have also adopted the OWASP Top Ten as a part of their curriculum, including Michigan State University (MSU), and the University of California at San Diego (UCSD).

Several open source projects have adopted the OWASP Top Ten as part of their security audits, including:

*[http://plone.org Plone open source CMS project] (managed by the Plone Foundation)

== Feedback ==

Please let us know how your organization is using the Top Ten. Include your name, organization's name, and brief description of how you use the list. Thanks for supporting OWASP!

We hope you find the information in the OWASP Top Ten useful. Please contribute back to the project by sending your comments, questions, and suggestions to topten@lists.owasp.org Thanks!

To join the OWASP Top Ten mailing list or view the archives, please visit the [http://lists.owasp.org/mailman/listinfo/owasp-topten subscription page.]

== Project Sponsors ==

The OWASP Top Ten project is sponsored by {{MemberLinks|link=http://www.aspectsecurity.com|logo=Aspect_logo_owasp.jpg}} [[Image:AppSecDC2009-Sponsor-softtek.gif|link=http://www.softtek.com]]



= 2010 Translation Efforts =

Efforts are underway in numerous languages to translate the OWASP Top 10. If you are interested in helping, please contact the other members of the team for the language you are interested in contribution to, or if you don't see your language listed, please let me know you want to help and we'll form a volunteer group for your language too!!

Completed Translations:

*French: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20French.pdf OWASP Top 10 2010 - French PDF] ludovic.petit@owasp.org, sebastien.gioria@owasp.org, antonio.fontes@owasp.org, benoit.guerette@owasp.org, Jocelyn.aubert@owasp.org, Eric.Garreau@gemalto.com, Guillaume.Huysmans@gemalto.com
*German: [https://www.owasp.org/images/b/b8/OWASPTop10_DE_Version_1_0.pdf OWASP Top 10 - German PDF] top10@owasp.de which is Frank Dölitzscher, Tobias Glemser, Dr. Ingo Hanke, [[User:Kai_Jendrian|Kai Jendrian]], [[User:Ralf_Reinhardt|Ralf Reinhardt]], Michael Schäfer
*Indonesian: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Indonesian.pdf OWASP Top 10 2010 - Indonesian PDF] Tedi Heriyanto (coordinator), Lathifah Arief, Tri A Sundara, Zaki Akhmad
*Italian: [http://www.owasp.org/images/f/f9/OWASP_Top_10_-_2010_ITA.pdf OWASP Top 10 2010 - Italian PDF] See Italian Translation Tab for Translation Team
*Japanese: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Japanese-A4.pdf OWASP Top 10 2010 - Japanese PDF] cecil.su@owasp.org, Dr. Masayuki Hisada, Yoshimasa Kawamoto, Ryusuke Sakamoto, Keisuke Seki, Shin Umemoto, Takashi Arima
*Korean: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Korean.pdf OWASP Top 10 2010 - Korean PDF] Hyungkeun Park, (mirrk1@gmail.com)
*Spanish: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Spanish.pdf OWASP Top 10 2010 - Spanish PDF] See Spanish Translation Tab for Translation Team
*Chinese: [http://www.owasp.org/images/a/a9/OWASP_Top_10_2010_Chinese_V1.0_Released.pdf OWASP Top 10 2010 - Chinese PDF] See Chinese Translation Tab for Translation Team
*Vietnamese: [http://owasptop10.googlecode.com/files/OWASPTop%2010%20-%202010%20Vietnamese.pdf OWASP Top 10 2010 - Vietnamese PDF] (NEW) Translation lead by Cecil Su - Translation Team: Dang Hoang Vu, Nguyen Ba Tien, Nguyen Tang Hung, Luong Dieu Phuong, Huynh Thien Tam
*Hebrew (New): [[OWASP_Top10_Hebrew|OWASP Top 10 Hebrew]]. Lead by Or Katz, see translation page for list of contributors.

Volunteer Translation Efforts Underway:

*Portuguese: carlos.j.serrao@gmail.com; taquiles@gmail.com; wagner.elias@owasp.org; victoreufrasio@gmail.com; leo.cavallari@owasp.org; victoreufrasio@gmail.com;
*Greek: Konstantinos Papapanagiotou (conpap@di.uoa.gr)
*Turkish: bora@abi.com.tr
*Malay: cecil.su@owasp.org
*Czech: petr.zavodsky@owasp-czech-republic.cz
*Dutch: marinus@kuivenhoven.com

= Project Details =

{{:GPC_Project_Details/OWASP_Top10 | OWASP Project Identification Tab}}

= Spanish Translation =

Me complace en informarles que gracias al trabajo excepcional y totalmente voluntario de las personas listadas abajo hemos concluido con la traducción del Top 10 al español.

Muchas gracias a nuestro equipo de traducción!

*Daniel Cabezas Molina
*Edgar Sanchez
*Juan Carlos Calderon
*Jose Antonio Guasch
*Paulo Coronado
*Rodrigo Marcos
*Vicente Aguilera

El documento se puede obtener en la siguiente dirección URL:

*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Spanish.pdf Formato PDF]
*[http://www.owasp.org/images/8/86/OWASP_Top_10_-_2010_FINAL_%28spanish%29.pptx Formato PPT]

Desde ya, se agradecen los comentarios y/o sugerencias sobre el mismo.

Saludos,

Fabio Cerullo Comité Global de Educación OWASP

= Italian Translation =

Grazie al contributo del seguente team di traduttori, è possibile ottenere il documento OWASP Top 10 2010 in italiano:

*Simone Onofri
*Paolo Perego
*Massimo Biagiotti
*Edoardo Viscosi
*Salvatore Fiorillo
*Roberto Battistoni
*Loredana Mancini
*Michele Nesta
*Paco Schiaffella
*Lucilla Mancini
*Gerardo Di Giacomo
*Valentino Squilloni

Il documento è disponibile [http://www.owasp.org/images/f/f9/OWASP_Top_10_-_2010_ITA.pdf qui.] 

Grazie e buona lettura!

[http://www.owasp.org/index.php/Italy OWASP-Italy]

= Chinese Translation =
感谢以下为中文版本做出贡献的翻译人员和审核人员:

* Rip Torn
* 钟卫林
* 高雯
* 王颉
* 于振东

下载链接:

点击[http://www.owasp.org/images/a/a9/OWASP_Top_10_2010_Chinese_V1.0_Released.pdf 这里下载PDF格式文档]

其他相关链接:

[http://www.owasp.org/index.php/China-Mainland OWASP China-Mainland]

[http://www.owasp.org/index.php/OWASP_Chinese_Project OWASP Chinese Project]

= How Are Companies-Projects-Vendors Using the OWASP Top 10 =

Click the links for more details on each use!

'''Warning''': these articles have not been rated for accuracy by OWASP. Product companies should be extremely careful about claiming to "cover" or "ensure compliance" with the OWASP Top 10. The current state-of-the-art for automated detection (scanners and static analysis) and prevention (waf) is nowhere near sufficient to claim adequate coverage of the issues in the Top 10. Nevertheless, using the Top 10 as a simple way to communicate security to end users is effective.

;[http://blogs.msdn.com/b/sdl/archive/2008/05/01/sdl-and-the-owasp-top-ten.aspx Microsoft]
:as a way to measure the coverage of their SDL and improve security

;[http://www.nsa.gov/applications/search/index.cfm?q=owasp NSA]
:in their developer guidance on web application security

;[https://www.pcisecuritystandards.org/index.shtml PCI Council]
:as part of the Payment Card Industry Data Security Standard (PCI DSS)

;[http://community.citrix.com/display/ocb/2010/06/02/NetScaler+Application+Firewall+and+the+OWASP+Top+10+2010 Citrix]
:in a guide showing how to configure their NetScalar product

;[http://msdn.microsoft.com/en-us/library/dd129898.aspx Microsoft]
:to show how "T10 threats are handled by the security design and test procedures of Microsoft"

;[http://www.web2py.com/examples/default/security web2py]
:to demonstrate the security of this Python web framework

;[http://www.owasp.org/index.php/Commentary_OWASP_Top_Ten_2004_Project Oracle]
:for developer awareness

;[http://www.theatremanagerhelp.com/book/export/html/1640 TheatreManager]
:to show how their product is secure for web use

;[http://knol.google.com/k/automated-vulnerabilty-scanners-and-the-owasp-top-10# WhiteHat]
:as a way to explain the coverage of their service

;[http://www.imperva.com/docs/TB_SecureSphere_OWASP_2010-Top-Ten.pdf Imperva]
:to show the coverage of the SecureSphere tool

;[http://blog.cenzic.com/public/item/254309 Cenzic]
:to enable "focused scans for compliance testing with the updated PCI standard"

= Other uses and resources =

* [[OWASP_Top_10/Mapping_to_WHID | OWASP Top 10 Mapped to the Web Hacking Incident Database]]

__NOTOC__ <headertabs />

[[Category:OWASP_Project]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_Release_Quality_Document]]

Scotland

2012-10-26T12:12:00Z

Raesene: /* Sponsors */

{{Chapter Template|chaptername=Scotland|extra=The chapter leader is [mailto:rorym@nmrconsult.net Rory McCune]
<paypal>Scotland</paypal>
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-scotland|emailarchives=http://lists.owasp.org/pipermail/owasp-scotland}}

== Local News ==

===November 2012 Chapter Meeting ===

The next chapter meeting is on Wednesday 28th November. Information and sign-up here http://owaspscotland-november2012.eventbrite.co.uk/

=== Sponsors ===

The OWASP Scotland chapter now has a sponsor which is [http://www.sopragroup.co.uk Sopra Group]
[[File:Sopra.jpg|200px|left|Sopra Group]]

[[Category:United Kingdom]]
[[Category:Europe]]

File:Sopra-thumb.jpg

2012-10-25T17:52:17Z

Raesene: smaller version of the sopra logo for embedding.

smaller version of the sopra logo for embedding.

Scotland

2012-10-25T17:48:16Z

Raesene: /* Sponsors */

{{Chapter Template|chaptername=Scotland|extra=The chapter leader is [mailto:rorym@nmrconsult.net Rory McCune]
<paypal>Scotland</paypal>
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-scotland|emailarchives=http://lists.owasp.org/pipermail/owasp-scotland}}

== Local News ==

===November 2012 Chapter Meeting ===

The next chapter meeting is on Wednesday 28th November. Information and sign-up here http://owaspscotland-november2012.eventbrite.co.uk/

=== Sponsors ===

The OWASP Scotland chapter now has a sponsor which is the [http://www.sopra.com Sopra Group]
[[File:Sopra.jpg|200px|left|Sopra Group]]

[[Category:United Kingdom]]
[[Category:Europe]]

Scotland

2012-10-25T17:47:43Z

Raesene: /* Sponsors */

{{Chapter Template|chaptername=Scotland|extra=The chapter leader is [mailto:rorym@nmrconsult.net Rory McCune]
<paypal>Scotland</paypal>
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-scotland|emailarchives=http://lists.owasp.org/pipermail/owasp-scotland}}

== Local News ==

===November 2012 Chapter Meeting ===

The next chapter meeting is on Wednesday 28th November. Information and sign-up here http://owaspscotland-november2012.eventbrite.co.uk/

=== Sponsors ===

The OWASP Scotland chapter now has a sponsor which is the [http://www.sopra.com Sopra Group]
[[File:Sopra.jpg|200px|thumb|left|Sopra Group]]

[[Category:United Kingdom]]
[[Category:Europe]]

Scotland

2012-10-25T17:47:25Z

Raesene:

{{Chapter Template|chaptername=Scotland|extra=The chapter leader is [mailto:rorym@nmrconsult.net Rory McCune]
<paypal>Scotland</paypal>
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-scotland|emailarchives=http://lists.owasp.org/pipermail/owasp-scotland}}

== Local News ==

===November 2012 Chapter Meeting ===

The next chapter meeting is on Wednesday 28th November. Information and sign-up here http://owaspscotland-november2012.eventbrite.co.uk/

=== Sponsors ===

The OWASP Scotland chapter now has a sponsor which is the [http://www.sopra.com Sopra Group]
[[File:Sopra.jpg|500px|thumb|left|Sopra Group]]

[[Category:United Kingdom]]
[[Category:Europe]]

File:Sopra.jpg

2012-10-25T17:46:46Z

Raesene: Logo for Sopra Group as sponsors of the Scotland Chapter

Logo for Sopra Group as sponsors of the Scotland Chapter

Scotland

2012-10-25T17:36:36Z

Raesene: /* September 2012 Chapter Meeting */

{{Chapter Template|chaptername=Scotland|extra=The chapter leader is [mailto:rorym@nmrconsult.net Rory McCune]
<paypal>Scotland</paypal>
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-scotland|emailarchives=http://lists.owasp.org/pipermail/owasp-scotland}}

== Local News ==

===November 2012 Chapter Meeting ===

The next chapter meeting is on Wednesday 28th November. Information and sign-up here http://owaspscotland-november2012.eventbrite.co.uk/

=== Sponsors ===

The OWASP Scotland chapter now has a sponsor which is the [http://www.sopra.com Sopra Group]

[[Category:United Kingdom]]
[[Category:Europe]]

Web Application Security Testing Cheat Sheet

2012-09-16T10:14:40Z

Raesene:

Scotland

2012-08-29T20:27:56Z

Raesene:

{{Chapter Template|chaptername=Scotland|extra=The chapter leader is [mailto:rorym@nmrconsult.net Rory McCune]
<paypal>Scotland</paypal>
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-scotland|emailarchives=http://lists.owasp.org/pipermail/owasp-scotland}}

== Local News ==

===September 2012 Chapter Meeting ===

The next chapter meeting is on Wednesday 19th September. Information and sign-up here http://owaspscotland-september2012.eventbrite.co.uk/

[[Category:United Kingdom]]
[[Category:Europe]]

Web Application Security Testing Cheat Sheet

2012-08-22T11:56:34Z

Raesene: /* Authentication */

Web Application Security Testing Cheat Sheet

2012-08-21T14:05:59Z

Raesene: /* Configuration Management */