OWASP - User contributions [en] (Atom feed for user VinMiller, MediaWiki 1.27.2, generated 2024-03-29T11:19:32Z)
https://wiki.owasp.org/api.php?action=feedcontributions&user=VinMiller&feedformat=atom

Web Application Security Testing Cheat Sheet, revision 2015-12-06T19:57:11Z by VinMiller (edit summary: /* Authors and contributors */)
https://wiki.owasp.org/index.php?title=Web_Application_Security_Testing_Cheat_Sheet&diff=204657
<hr />
<div>= Introduction =

This cheat sheet provides a checklist of tasks to be performed during black-box security testing of a web application.

= Purpose =

This checklist is intended as an aide-mémoire for experienced pentesters and should be used in conjunction with the [[:Category:OWASP Testing Project|OWASP Testing Guide]]. It will be updated as the [[OWASP_Application_Testing_guide_v4|Testing Guide v4]] progresses.

The intention is that this guide will be available as an XML document, with scripts that convert it into formats such as PDF, MediaWiki markup, HTML, etc.

This will allow it to be consumed within security tools as well as being available in a format suitable for printing.

All feedback and offers of help are appreciated; if you have specific changes you think should be made, please log in and make suggestions.

= The Checklist =

== Information Gathering ==
''Rendered Site Review''
* Manually explore the site
* [[Testing:_Spidering_and_googling | Spider/crawl]] for missed or hidden content
* [[Review_Webserver_Metafiles_for_Information_Leakage_(OTG-INFO-003)|Check the web server metafiles]] for information leakage: files that expose content, such as robots.txt, sitemap.xml and .DS_Store
* [[Conduct_search_engine_discovery/reconnaissance_for_information_leakage_(OTG-INFO-001)|Check the caches of major search engines for publicly accessible sites]]
* Check for differences in content based on User-Agent (e.g. mobile sites, access as a search engine crawler)
* [[Review_webpage_comments_and_metadata_for_information_leakage_(OTG-INFO-005) | Check the webpage comments and metadata for information leakage]]

''Development Review''
* [[Fingerprint_Web_Application_Framework_(OTG-INFO-008) | Check the web application framework]]
* [[Fingerprint_Web_Server_(OTG-INFO-002)|Perform web application fingerprinting]]
* Identify technologies used
* [[Test_Role_Definitions_(OTG-IDENT-001)|Identify user roles]]
* [[Identify_application_entry_points_(OTG-INFO-006) | Identify application entry points]]
* Identify client-side code
* Identify multiple versions/channels (e.g. web, mobile web, mobile app)

''Hosting and Platform Review''
* [[Web_Services | Identify web services]]
* Identify co-hosted and related applications
* Identify all hostnames and ports
* Identify third-party hosted content

== Configuration Management ==
* Check for commonly used application and administrative URLs
* [[4.3.4_Review_Old,_Backup_and_Unreferenced_Files_for_Sensitive_Information_(OTG-CONFIG-004) | Check for old, backup and unreferenced files]]
* [[Test_HTTP_Methods_(OTG-CONFIG-006) | Check the HTTP methods supported and test for Cross Site Tracing (XST)]]
* [[4.3.3_Test_File_Extensions_Handling_for_Sensitive_Information_(OTG-CONFIG-003) | Test file extension handling]]
* [[Test_RIA_cross_domain_policy_(OTG-CONFIG-008) | Test RIA cross-domain policy]]
* Test for [[List_of_useful_HTTP_headers | security HTTP headers]] (e.g. CSP, X-Frame-Options, HSTS)
* Test for policies (e.g. Flash, Silverlight, robots)
* Check for sensitive data in client-side code (e.g. API keys, credentials)

== Secure Transmission ==
''Protocols and Encryption''
* [[Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_(OTG-CRYPST-001) | Check SSL/TLS version, algorithms and key length]]
* Check digital certificate validity (duration, signature and CN)
* Check that credentials are only delivered over HTTPS
* Check that the login form is delivered over HTTPS
* Check that session tokens are only delivered over HTTPS
* [[Test_HTTP_Strict_Transport_Security_(OTG-CONFIG-009) | Check whether HTTP Strict Transport Security (HSTS) is in use]]
* [[Test_Ability_to_forge_requests_(OTG-BUSLOGIC-002) | Test the ability to forge requests]]
* [[Test_Web_Messaging_(OTG-CLIENT-011)|Test Web Messaging (HTML5)]]
* [[Test_Cross_Origin_Resource_Sharing_(OTG-CLIENT-007)|Check the CORS implementation (HTML5)]]

''Web Services and REST''
* [[Web_Service_Security_Testing_Cheat_Sheet | Test for web service issues]]
* [[REST_Assessment_Cheat_Sheet | Test REST]]

== Authentication ==
''Application Password Functionality''
* [[Testing_for_Weak_password_policy_(OTG-AUTHN-007)|Test password quality rules]]
* Test "remember me" functionality
* Test password reset and/or recovery
* Test the password change process
* Test CAPTCHA
* Test multi-factor authentication
* Test for the presence of logout functionality
* Test for default logins
* Test for out-of-channel notification of account lockouts and successful password changes
* Test for consistent authentication across applications with a shared authentication schema / SSO and alternative channels
* Test for weak security questions/answers

''Additional Authentication Functionality''
* [[Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002) | Test for user enumeration]]
* [[Testing_for_Bypassing_Authentication_Schema_(OTG-AUTHN-004) | Test for authentication bypass]]
* [[Testing_for_Brute_Force_(OWASP-AT-004) | Test for brute force protection]]
* [[Testing_for_Credentials_Transported_over_an_Encrypted_Channel_(OTG-AUTHN-001)|Test for credentials transported over an encrypted channel]]
* Test for cache management on HTTP (e.g. Pragma, Expires, max-age)
* Test for user-accessible authentication history

== Session Management ==
* Establish how session management is handled in the application (e.g. tokens in cookies, tokens in the URL)
* [[Testing_for_cookies_attributes_(OTG-SESS-002)|Check session tokens for cookie flags (HttpOnly and Secure)]]
* [[Testing_for_cookies_attributes_(OTG-SESS-002)|Check session cookie scope (path and domain)]]
* Check session cookie duration (expires and max-age)
* [[Test_Session_Timeout_(OTG-SESS-007)|Check session termination after a maximum lifetime]]
* [[Test_Session_Timeout_(OTG-SESS-007)|Check session termination after a relative timeout]]
* [[Testing_for_logout_functionality_(OTG-SESS-006)|Check session termination after logout]]
* Test whether users can have multiple simultaneous sessions
* [[Testing_for_Session_Management_Schema_(OTG-SESS-001)#Session_ID_Predictability_and_Randomness | Test session cookies for randomness]]
* Confirm that new session tokens are issued on login, role change and logout
* Test for consistent session management across applications with shared session management
* Test for session puzzling
* Test for CSRF and clickjacking

== Authorization ==
* [[Testing_Directory_traversal/file_include_(OTG-AUTHZ-001)|Test for path traversal]]
* [[Testing_for_Privilege_escalation_(OTG-AUTHZ-003)|Test for vertical access control problems (a.k.a. privilege escalation)]]
* Test for horizontal access control problems (between two users at the same privilege level)
* [[Testing_for_Bypassing_Authorization_Schema_(OTG-AUTHZ-002)|Test for missing authorisation]]
* [[Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004)|Test for Insecure Direct Object References]]

== Cryptography ==
* [[Testing_for_Sensitive_information_sent_via_unencrypted_channels_(OTG-CRYPST-003)|Check whether data that should be encrypted is not]]
* Check for use of the wrong algorithm for the context
* [[Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_(OTG-CRYPST-001)|Check for use of weak algorithms]]
* [[Password_Storage_Cheat_Sheet#Use_a_cryptographically_strong_credential-specific_salt | Check for proper use of salting]]
* [[Insecure_Randomness | Check the randomness functions used]]

== Data Validation ==
''Injection''
* Test for HTML Injection
* [[Testing_for_SQL_Injection_(OTG-INPVAL-005)|Test for SQL Injection]]
* Test for LDAP Injection
* [[Testing_for_ORM_Injection_(OTG-INPVAL-007)|Test for ORM Injection]]
* [[Testing_for_XML_Injection_(OTG-INPVAL-008)|Test for XML Injection]]
* Test for XXE Injection
* [[Testing_for_SSI_Injection_(OTG-INPVAL-009)|Test for SSI Injection]]
* [[Testing_for_XPath_Injection_(OTG-INPVAL-010)|Test for XPath Injection]]
* Test for XQuery Injection
* [[Testing_for_IMAP/SMTP_Injection_(OTG-INPVAL-011)|Test for IMAP/SMTP Injection]]
* [[Testing_for_Code_Injection_(OTG-INPVAL-012)|Test for Code Injection]]
* Test for Expression Language Injection
* [[Testing_for_Command_Injection_(OTG-INPVAL-013)|Test for Command Injection]]
* Test for NoSQL Injection

''Other''
* [[Testing_for_Reflected_Cross_site_scripting_(OTG-INPVAL-001)|Test for Reflected Cross Site Scripting]]
* [[Testing_for_Stored_Cross_site_scripting_(OTG-INPVAL-002)|Test for Stored Cross Site Scripting]]
* [[Testing_for_DOM-based_Cross_site_scripting_(OTG-CLIENT-001)|Test for DOM-based Cross Site Scripting]]
* Test for Cross Site Flashing
* Test for overflows ([[Testing_for_Stack_Overflow|stack]], [[Testing_for_Heap_Overflow|heap]] and integer)
* [[Testing_for_Format_String|Test for format string vulnerabilities]]
* Test for incubated vulnerabilities
* [[Testing_for_HTTP_Splitting/Smuggling_(OTG-INPVAL-016)|Test for HTTP Splitting/Smuggling]]
* Test for HTTP Verb Tampering
* [[Top_10_2013-A10-Unvalidated_Redirects_and_Forwards|Test for Open Redirection]]
* [[Testing_for_Local_File_Inclusion|Test for Local File Inclusion]]
* [[Testing_for_Remote_File_Inclusion|Test for Remote File Inclusion]]
* Compare client-side and server-side validation rules
* Test for HTTP Parameter Pollution
* Test for auto-binding
* Test for Mass Assignment
* Test for NULL/invalid session cookie
* [[Test_integrity_checks_(OTG-BUSLOGIC-003) | Test for integrity of data]]
* [[Testing_for_the_Circumvention_of_Work_Flows_(OTG-BUSLOGIC-009) | Test for the circumvention of workflows]]
* [[Test_defenses_against_application_mis-use_(OTG-BUSLOGIC-011) | Test defenses against application misuse]]
* [[Test_number_of_times_a_function_can_be_used_limits_(OTG-BUSLOGIC-007) | Test that a function or feature cannot be used outside of limits]]
* [[Test_for_Process_Timing_(OTG-BUSLOGIC-007) | Test for process timing]]
* [[Test_Local_Storage_(OTG-CLIENT-012)|Test for Web Storage SQL injection (HTML5)]]
* [[HTML5_Security_Cheat_Sheet#Offline_Applications | Check offline web application]]

== Denial of Service ==
* Test for anti-automation
* [[Testing_for_Weak_lock_out_mechanism_(OTG-AUTHN-003)|Test for account lockout]]
* Test for HTTP protocol DoS
* Test for SQL wildcard DoS

== Specific Risky Functionality ==
''File Uploads''
* [[Test_Upload_of_Unexpected_File_Types_(OTG-BUSLOGIC-008)|Test that acceptable file types are whitelisted and non-whitelisted types are rejected]]
* Test that file size limits, upload frequency and total file counts are defined and enforced
* Test that file contents match the declared file type
* [[Test_Upload_of_Malicious_Files_(OTG-BUSLOGIC-009)|Test that all file uploads have anti-virus scanning in place]]
* [[Test_Upload_of_Malicious_Files_(OTG-BUSLOGIC-016) | Test upload of malicious files]]
* Test that unsafe filenames are sanitised
* Test that uploaded files are not directly accessible within the web root
* Test that uploaded files are not served on the same hostname/port
* Test that files and other media are integrated with the authentication and authorisation schemas

''Payments''
* Test for known vulnerabilities and configuration issues on the web server and web application
* Test for default or guessable passwords
* [[Injection_Flaws | Test for injection vulnerabilities]]
* [[Testing_for_Buffer_Overflow_(OTG-INPVAL-014) | Test for buffer overflows]]
* [[Top_10_2010-A7-Insecure_Cryptographic_Storage | Test for insecure cryptographic storage]]
* [[Top_10_2010-A9-Insufficient_Transport_Layer_Protection | Test for insufficient transport layer protection]]
* [[Web_Application_Security_Testing_Cheat_Sheet#Error_Handling|Test for improper error handling]]
* Test for all vulnerabilities with a CVSS v2 score > 4.0
* Test for authentication and authorization issues
* [[Testing_for_CSRF_(OTG-SESS-005)|Test for CSRF]]

== Error Handling ==
* [[Testing_for_Error_Code_(OTG-ERR-001)|Check for error codes]]
* [[Testing_for_Stack_Traces_(OTG-ERR-002)|Check for stack traces]]

= Appendices =

== Other Formats ==
* DradisPro template format [https://github.com/raesene/OWASP_Web_App_Testing_Cheatsheet_Converter/blob/master/OWASP_Web_Application_Testing_Cheat_Sheet.xml on GitHub]
* Asana template on [http://templana.com/templates/owasp-website-security-checklist/ Templana] (thanks to Bastien Siebman)

== Authors and contributors ==

[[User:Simon Bennetts|Simon Bennetts]]<br/>
[[User:Raesene|Rory McCune]]<br/>
Colin Watson<br/>
Simone Onofri<br/>
[[User:Amro_Ahmed|Amro AlOlaqi]]

All of the above are authors of the [[OWASP_Testing_Guide_v3_Table_of_Contents | Testing Guide v3]].

[[User:Ryan_Dewhurst|Ryan Dewhurst]]<br/>
[[User:Frank.catucci | Frank Catucci]]<br/>
[[User:VinMiller | Vin Miller]]

== Related articles ==

* OWASP [[:Category:OWASP Testing Project|Testing Guide]]
* Mozilla [https://wiki.mozilla.org/WebAppSec/Web_Security_Verification Web Security Verification]

== Other Cheatsheets ==

{{Cheatsheet_Navigation}}

[[Category:Cheatsheets]] [[Category:OWASP_Breakers]]</div>VinMillerhttps://wiki.owasp.org/index.php?title=Web_Application_Security_Testing_Cheat_Sheet&diff=204656Web Application Security Testing Cheat Sheet2015-12-06T19:56:48Z<p>VinMiller: /* Authors and contributors */</p>
<hr />
<div>= Introduction =<br />
<br />
This cheat sheet provides a checklist of tasks to be performed during blackbox security testing of a web application.<br />
<br />
= Purpose =<br />
<br />
This checklist is intended to be used as an aide memoire for experienced pentesters and should be used in conjunction with the [[:Category:OWASP Testing Project|OWASP Testing Guide]]. It will be updated as the [[OWASP_Application_Testing_guide_v4|Testing Guide v4]] is progressed.<br />
<br />
The intention is that this guide will be available as an XML document, with scripts that convert it into formats such as pdf, Media Wiki markup, HTML etc. <br />
<br />
This will allow it to be consumed within security tools as well as being available in a format suitable for printing.<br />
<br />
All feedback or offers of help will be appreciated - and if you have specific changes you think should be made, please log in and make suggestions.<br />
<br />
= The Checklist =<br />
<br />
== Information Gathering ==<br />
''Rendered Site Review''<br />
* Manually explore the site<br />
* [[Testing:_Spidering_and_googling | Spider/crawl]] for missed or hidden content<br />
* [[Review_Webserver_Metafiles_for_Information_Leakage_(OTG-INFO-003)|Check the Webserver Metafiles]] for information leakage files that expose content, such as robots.txt, sitemap.xml, .DS_Store<br />
* [[Conduct_search_engine_discovery/reconnaissance_for_information_leakage_(OTG-INFO-001)|Check the caches of major search engines for publicly accessible sites]]<br />
* Check for differences in content based on User Agent (eg, Mobile sites, access as a Search engine Crawler)<br />
* [[Review_webpage_comments_and_metadata_for_information_leakage_(OTG-INFO-005) | Check The Webpage Comments and Metadata for Information Leakage]]<br />
<br />
''Development Review''<br />
* [[Fingerprint_Web_Application_Framework_(OTG-INFO-008) | Check The Web Application Framework]]<br />
* [[Fingerprint_Web_Server_(OTG-INFO-002)|Perform Web Application Fingerprinting]]<br />
* Identify technologies used<br />
* [[Test_Role_Definitions_(OTG-IDENT-001)|Identify user roles]]<br />
* [[Identify_application_entry_points_(OTG-INFO-006) | Identify application entry points]]<br />
* Identify client-side code<br />
* Identify multiple versions/channels (e.g. web, mobile web, mobile app)<br />
<br />
''Hosting and Platform Review''<br />
* [[Web_Services | Identify web services]]<br />
* Identify co-hosted and related applications<br />
* Identify all hostnames and ports<br />
* Identify third-party hosted content<br />
<br />
== Configuration Management ==<br />
* Check for commonly used application and administrative URLs<br />
* [[4.3.4_Review_Old,_Backup_and_Unreferenced_Files_for_Sensitive_Information_(OTG-CONFIG-004) | Check for old, backup and unreferenced files]]<br />
* [[Test_HTTP_Methods_(OTG-CONFIG-006) | Check HTTP methods supported and Cross Site Tracing (XST)]]<br />
* [[4.3.3_Test_File_Extensions_Handling_for_Sensitive_Information_(OTG-CONFIG-003) | Test file extensions handling]]<br />
* [[Test_RIA_cross_domain_policy_(OTG-CONFIG-008) | Test RIA cross domain policy]]<br />
* Test for [[List_of_useful_HTTP_headers | security HTTP headers]] (e.g. CSP, X-Frame-Options, HSTS)<br />
* Test for policies (e.g. Flash, Silverlight, robots)<br />
* Check for sensitive data in client-side code (e.g. API keys, credentials)<br />
<br />
== Secure Transmission ==<br />
''Protocols and Encryption''<br />
* [[Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_(OTG-CRYPST-001) | Check SSL Version, Algorithms, Key length]]<br />
* Check for Digital Certificate Validity (Duration, Signature and CN)<br />
* Check credentials only delivered over HTTPS<br />
* Check that the login form is delivered over HTTPS<br />
* Check session tokens only delivered over HTTPS<br />
* [[Test_HTTP_Strict_Transport_Security_(OTG-CONFIG-009) | Check if HTTP Strict Transport Security (HSTS) in use]]<br />
* [[Test_Ability_to_forge_requests_(OTG-BUSLOGIC-002) | Test ability to forge requests]]<br />
* [[Test_Web_Messaging_(OTG-CLIENT-011)|Test Web Messaging (HTML5)]]<br />
* [[Test_Cross_Origin_Resource_Sharing_(OTG-CLIENT-007)|Check CORS implementation (HTML5)]]<br />
<br />
''Web Services and REST''<br />
* [[Web_Service_Security_Testing_Cheat_Sheet | Test for Web Service Issues]]<br />
* [[REST_Assessment_Cheat_Sheet | Test REST]]<br />
<br />
== Authentication ==<br />
''Application Password Functionality''<br />
* [[Testing_for_Weak_password_policy_(OTG-AUTHN-007)|Test password quality rules]]<br />
* Test remember me functionality<br />
* Test password reset and/or recovery<br />
* Test password change process<br />
* Test CAPTCHA<br />
* Test multi factor authentication<br />
* Test for logout functionality presence<br />
* Test for default logins<br />
* Test for out-of channel notification of account lockouts and successful password changes<br />
* Test for consistent authentication across applications with shared authentication schema / SSO and alternative channels<br />
* Test for Weak security question/answer<br />
<br />
''Additional Authentication Functionality''<br />
* [[Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002) | Test for user enumeration]]<br />
* [[Testing_for_Bypassing_Authentication_Schema_(OTG-AUTHN-004) | Test for authentication bypass]]<br />
* [[Testing_for_Brute_Force_(OWASP-AT-004) | Test for brute force protection]]<br />
* [[Testing_for_Credentials_Transported_over_an_Encrypted_Channel_(OTG-AUTHN-001)|Test for Credentials Transported over an Encrypted Channel]]<br />
* Test for cache management on HTTP (eg Pragma, Expires, Max-age)<br />
* Test for user-accessible authentication history<br />
<br />
== Session Management ==<br />
* Establish how session management is handled in the application (eg, tokens in cookies, token in URL)<br />
* [[Testing_for_cookies_attributes_(OTG-SESS-002)|Check session tokens for cookie flags (httpOnly and secure)]]<br />
* [[Testing_for_cookies_attributes_(OTG-SESS-002)|Check session cookie scope (path and domain)]]<br />
* Check session cookie duration (expires and max-age)<br />
* [[Test_Session_Timeout_(OTG-SESS-007)|Check session termination after a maximum lifetime]]<br />
* [[Test_Session_Timeout_(OTG-SESS-007)|Check session termination after relative timeout]]<br />
* [[Testing_for_logout_functionality_(OTG-SESS-006)|Check session termination after logout]]<br />
* Test to see if users can have multiple simultaneous sessions<br />
* [[Testing_for_Session_Management_Schema_(OTG-SESS-001)#Session_ID_Predictability_and_Randomness | Test session cookies for randomness]]<br />
* Confirm that new session tokens are issued on login, role change and logout<br />
* Test for consistent session management across applications with shared session management<br />
* Test for session puzzling<br />
* Test for CSRF and clickjacking<br />
<br />
== Authorization ==<br />
* [[Testing_Directory_traversal/file_include_(OTG-AUTHZ-001)|Test for path traversal]]<br />
* [[Testing_for_Privilege_escalation_(OTG-AUTHZ-003)|Test for vertical Access control problems (a.k.a. Privilege Escalation)]]<br />
* Test for horizontal Access control problems (between two users at the same privilege level)<br />
* [[Testing_for_Bypassing_Authorization_Schema_(OTG-AUTHZ-002)|Test for missing authorisation]]<br />
* [[Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004)|Test for Insecure Direct Object References]]<br />
<br />
== Cryptography ==<br />
* [[Testing_for_Sensitive_information_sent_via_unencrypted_channels_(OTG-CRYPST-003)|Check if data which should be encrypted is not]]<br />
* Check for wrong algorithms usage depending on context<br />
* [[Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_(OTG-CRYPST-001)|Check for weak algorithms usage]]<br />
* [[Password_Storage_Cheat_Sheet#Use_a_cryptographically_strong_credential-specific_salt | Check for proper use of salting]]<br />
* [[Insecure_Randomness | Check for randomness functions]]<br />
<br />
== Data Validation ==<br />
''Injection''<br />
* Test for HTML Injection<br />
* [[Testing_for_SQL_Injection_(OTG-INPVAL-005)|Test for SQL Injection]]<br />
* Test for LDAP Injection<br />
* [[Testing_for_ORM_Injection_(OTG-INPVAL-007)|Test for ORM Injection]]<br />
* [[Testing_for_XML_Injection_(OTG-INPVAL-008)|Test for XML Injection]]<br />
* Test for XXE Injection<br />
* [[Testing_for_SSI_Injection_(OTG-INPVAL-009)|Test for SSI Injection]]<br />
* [[Testing_for_XPath_Injection_(OTG-INPVAL-010)|Test for XPath Injection]]<br />
* Test for XQuery Injection<br />
* [[Testing_for_IMAP/SMTP_Injection_(OTG-INPVAL-011)|Test for IMAP/SMTP Injection]]<br />
* [[Testing_for_Code_Injection_(OTG-INPVAL-012)|Test for Code Injection]]<br />
* Test for Expression Language Injection<br />
* [[Testing_for_Command_Injection_(OTG-INPVAL-013)|Test for Command Injection]]<br />
* Test for NoSQL injection<br />
<br />
''Other''<br />
* [[Testing_for_Reflected_Cross_site_scripting_(OTG-INPVAL-001)|Test for Reflected Cross Site Scripting]]<br />
* [[Testing_for_Stored_Cross_site_scripting_(OTG-INPVAL-002)|Test for Stored Cross Site Scripting]]<br />
* [[Testing_for_DOM-based_Cross_site_scripting_(OTG-CLIENT-001)|Test for DOM based Cross Site Scripting]]<br />
* Test for Cross Site Flashing<br />
* Test for Overflow ([[Testing_for_Stack_Overflow|Stack]], [[Testing_for_Heap_Overflow|Heap]] and Integer)<br />
* [[Testing_for_Format_String|Test for Format String]]<br />
* Test for incubated vulnerabilities<br />
* [[Testing_for_HTTP_Splitting/Smuggling_(OTG-INPVAL-016)|Test for HTTP Splitting/Smuggling]]<br />
* Test for HTTP Verb Tampering<br />
* [[Top_10_2013-A10-Unvalidated_Redirects_and_Forwards|Test for Open Redirection]]<br />
* [[Testing_for_Local_File_Inclusion|Test for Local File Inclusion]]<br />
* [[Testing_for_Remote_File_Inclusion|Test for Remote File Inclusion]]<br />
* Compare client-side and server-side validation rules<br />
* Test for HTTP parameter pollution<br />
* Test for auto-binding<br />
* Test for Mass Assignment<br />
* Test for NULL/Invalid Session Cookie<br />
* [[Test_integrity_checks_(OTG-BUSLOGIC-003) | Test for integrity of data]]<br />
* [[Testing_for_the_Circumvention_of_Work_Flows_(OTG-BUSLOGIC-009) | Test for the Circumvention of Work Flows]]<br />
* [[Test_defenses_against_application_mis-use_(OTG-BUSLOGIC-011) | Test Defenses Against Application Mis-use]]<br />
* [[Test_number_of_times_a_function_can_be_used_limits_(OTG-BUSLOGIC-007) | Test That a Function or Feature Cannot Be Used Outside Of Limits]]<br />
* [[Test_for_Process_Timing_(OTG-BUSLOGIC-007) | Test for Process Timing]]<br />
* [[Test_Local_Storage_(OTG-CLIENT-012)|Test for Web Storage SQL injection (HTML5)]]<br />
* [[HTML5_Security_Cheat_Sheet#Offline_Applications | Check Offline Web Application]]<br />
<br />
== Denial of Service ==<br />
* Test for anti-automation<br />
* [[Testing_for_Weak_lock_out_mechanism_(OTG-AUTHN-003)|Test for account lockout]]<br />
* Test for HTTP protocol DoS<br />
* Test for SQL wildcard DoS<br />
<br />
== Specific Risky Functionality ==<br />
''File Uploads''<br />
* [[Test_Upload_of_Unexpected_File_Types_(OTG-BUSLOGIC-008)|Test that acceptable file types are whitelisted and non-whitelisted types are rejected]]<br />
* Test that file size limits, upload frequency and total file counts are defined and are enforced<br />
* Test that file contents match the defined file type<br />
* [[Test_Upload_of_Malicious_Files_(OTG-BUSLOGIC-009)|Test that all file uploads have Anti-Virus scanning in-place.]]<br />
* [[Test_Upload_of_Malicious_Files_(OTG-BUSLOGIC-016) | Test upload of malicious files]]<br />
* Test that unsafe filenames are sanitized<br />
* Test that uploaded files are not directly accessible within the web root<br />
* Test that uploaded files are not served on the same hostname/port<br />
* Test that files and other media are integrated with the authentication and authorisation schemas<br />
''Payments''<br />
* Test for known vulnerabilities and configuration issues on Web Server and Web Application<br />
* Test for default or guessable password<br />
* [[Injection_Flaws | Test for Injection vulnerabilities ]]<br />
* [[Testing_for_Buffer_Overflow_(OTG-INPVAL-014) | Test for Buffer Overflows]]<br />
* [[Top_10_2010-A7-Insecure_Cryptographic_Storage | Test for Insecure Cryptographic Storage]]<br />
* [[Top_10_2010-A9-Insufficient_Transport_Layer_Protection | Test for Insufficient Transport Layer Protection]]<br />
* [[Web_Application_Security_Testing_Cheat_Sheet#Error_Handling|Test for Improper Error Handling]]<br />
* Test for all vulnerabilities with a CVSS v2 score > 4.0<br />
* Test for Authentication and Authorization issues<br />
* [[Testing_for_CSRF_(OTG-SESS-005)|Test for CSRF]]<br />
<br />
== Error Handling==<br />
* [[Testing_for_Error_Code_(OTG-ERR-001)|Check for Error Codes]]<br />
* [[Testing_for_Stack_Traces_(OTG-ERR-002)|Check for Stack Traces]]<br />
<br />
<br />
= Appendices =<br />
<br />
== Other Formats ==<br />
* DradisPro template format [https://github.com/raesene/OWASP_Web_App_Testing_Cheatsheet_Converter/blob/master/OWASP_Web_Application_Testing_Cheat_Sheet.xml on github]<br />
* Asana template on [http://templana.com/templates/owasp-website-security-checklist/ Templana] (thanks to Bastien Siebman)<br />
<br />
== Authors and contributors ==<br />
<br />
[[User:Simon Bennetts|Simon Bennetts]]<br/><br />
[[User:Raesene|Rory McCune]] <br/><br />
Colin Watson<br/><br />
Simone Onofri<br/><br />
[[User:Amro_Ahmed|Amro AlOlaqi]] <br />
<br />
All above are authors of the [[OWASP_Testing_Guide_v3_Table_of_Contents | Testing Guide v3]] <br />
<br />
[[User:Ryan_Dewhurst|Ryan Dewhurst]]<br/><br />
[[User:Frank.catucci | Frank Catucci]]<br />
[[User:VinMiller | Vin Miller]]<br />
<br />
== Related articles ==<br />
<br />
* OWASP [[:Category:OWASP Testing Project|Testing Guide]]<br />
* Mozilla [https://wiki.mozilla.org/WebAppSec/Web_Security_Verification Web Security Verification]<br />
<br />
== Other Cheatsheets ==<br />
<br />
{{Cheatsheet_Navigation}}<br />
<br />
[[Category:Cheatsheets]] [[Category:OWASP_Breakers]]</div>VinMillerhttps://wiki.owasp.org/index.php?title=Web_Application_Security_Testing_Cheat_Sheet&diff=204655Web Application Security Testing Cheat Sheet2015-12-06T19:56:01Z<p>VinMiller: </p>
<hr />
<div>= Introduction =<br />
<br />
This cheat sheet provides a checklist of tasks to be performed during blackbox security testing of a web application.<br />
<br />
= Purpose =<br />
<br />
This checklist is intended to be used as an aide memoire for experienced pentesters and should be used in conjunction with the [[:Category:OWASP Testing Project|OWASP Testing Guide]]. It will be updated as the [[OWASP_Application_Testing_guide_v4|Testing Guide v4]] is progressed.<br />
<br />
The intention is that this guide will be available as an XML document, with scripts that convert it into formats such as pdf, Media Wiki markup, HTML etc. <br />
<br />
This will allow it to be consumed within security tools as well as being available in a format suitable for printing.<br />
<br />
All feedback or offers of help will be appreciated - and if you have specific changes you think should be made, please log in and make suggestions.<br />
<br />
= The Checklist =<br />
<br />
== Information Gathering ==<br />
''Rendered Site Review''<br />
* Manually explore the site<br />
* [[Testing:_Spidering_and_googling | Spider/crawl]] for missed or hidden content<br />
* [[Review_Webserver_Metafiles_for_Information_Leakage_(OTG-INFO-003)|Check the Webserver Metafiles]] for information leakage files that expose content, such as robots.txt, sitemap.xml, .DS_Store<br />
* [[Conduct_search_engine_discovery/reconnaissance_for_information_leakage_(OTG-INFO-001)|Check the caches of major search engines for publicly accessible sites]]<br />
* Check for differences in content based on User Agent (eg, Mobile sites, access as a Search engine Crawler)<br />
* [[Review_webpage_comments_and_metadata_for_information_leakage_(OTG-INFO-005) | Check The Webpage Comments and Metadata for Information Leakage]]<br />
<br />
''Development Review''<br />
* [[Fingerprint_Web_Application_Framework_(OTG-INFO-008) | Check The Web Application Framework]]<br />
* [[Fingerprint_Web_Server_(OTG-INFO-002)|Perform Web Application Fingerprinting]]<br />
* Identify technologies used<br />
* [[Test_Role_Definitions_(OTG-IDENT-001)|Identify user roles]]<br />
* [[Identify_application_entry_points_(OTG-INFO-006) | Identify application entry points]]<br />
* Identify client-side code<br />
* Identify multiple versions/channels (e.g. web, mobile web, mobile app)<br />
<br />
''Hosting and Platform Review''<br />
* [[Web_Services | Identify web services]]<br />
* Identify co-hosted and related applications<br />
* Identify all hostnames and ports<br />
* Identify third-party hosted content<br />
<br />
== Configuration Management ==<br />
* Check for commonly used application and administrative URLs<br />
* [[4.3.4_Review_Old,_Backup_and_Unreferenced_Files_for_Sensitive_Information_(OTG-CONFIG-004) | Check for old, backup and unreferenced files]]<br />
* [[Test_HTTP_Methods_(OTG-CONFIG-006) | Check HTTP methods supported and Cross Site Tracing (XST)]]<br />
* [[4.3.3_Test_File_Extensions_Handling_for_Sensitive_Information_(OTG-CONFIG-003) | Test file extensions handling]]<br />
* [[Test_RIA_cross_domain_policy_(OTG-CONFIG-008) | Test RIA cross domain policy]]<br />
* Test for [[List_of_useful_HTTP_headers | security HTTP headers]] (e.g. CSP, X-Frame-Options, HSTS)<br />
* Test for policies (e.g. Flash, Silverlight, robots)<br />
* Check for sensitive data in client-side code (e.g. API keys, credentials)<br />
<br />
== Secure Transmission ==<br />
''Protocols and Encryption''<br />
* [[Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_(OTG-CRYPST-001) | Check SSL/TLS version, algorithms and key length]]<br />
* Check digital certificate validity (validity period, signature and CN)<br />
* Check that credentials are only delivered over HTTPS<br />
* Check that the login form is delivered over HTTPS<br />
* Check that session tokens are only delivered over HTTPS<br />
* [[Test_HTTP_Strict_Transport_Security_(OTG-CONFIG-009) | Check whether HTTP Strict Transport Security (HSTS) is in use]]<br />
* [[Test_Ability_to_forge_requests_(OTG-BUSLOGIC-002) | Test ability to forge requests]]<br />
* [[Test_Web_Messaging_(OTG-CLIENT-011)|Test Web Messaging (HTML5)]]<br />
* [[Test_Cross_Origin_Resource_Sharing_(OTG-CLIENT-007)|Check CORS implementation (HTML5)]]<br />
<br />
''Web Services and REST''<br />
* [[Web_Service_Security_Testing_Cheat_Sheet | Test for Web Service Issues]]<br />
* [[REST_Assessment_Cheat_Sheet | Test REST]]<br />
<br />
== Authentication ==<br />
''Application Password Functionality''<br />
* [[Testing_for_Weak_password_policy_(OTG-AUTHN-007)|Test password quality rules]]<br />
* Test "remember me" functionality<br />
* Test password reset and/or recovery<br />
* Test password change process<br />
* Test CAPTCHA<br />
* Test multi-factor authentication<br />
* Test that logout functionality is present<br />
* Test for default logins<br />
* Test for out-of-channel notification of account lockouts and successful password changes<br />
* Test for consistent authentication across applications with shared authentication schema / SSO and alternative channels<br />
* Test for weak security questions/answers<br />
<br />
''Additional Authentication Functionality''<br />
* [[Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002) | Test for user enumeration]]<br />
* [[Testing_for_Bypassing_Authentication_Schema_(OTG-AUTHN-004) | Test for authentication bypass]]<br />
* [[Testing_for_Brute_Force_(OWASP-AT-004) | Test for brute force protection]]<br />
* [[Testing_for_Credentials_Transported_over_an_Encrypted_Channel_(OTG-AUTHN-001)|Test for Credentials Transported over an Encrypted Channel]]<br />
* Test for HTTP cache management (e.g. Pragma, Expires, max-age)<br />
* Test for user-accessible authentication history<br />
<br />
== Session Management ==<br />
* Establish how session management is handled in the application (e.g. tokens in cookies, tokens in the URL)<br />
* [[Testing_for_cookies_attributes_(OTG-SESS-002)|Check session tokens for cookie flags (HttpOnly and Secure)]]<br />
* [[Testing_for_cookies_attributes_(OTG-SESS-002)|Check session cookie scope (path and domain)]]<br />
* Check session cookie duration (expires and max-age)<br />
* [[Test_Session_Timeout_(OTG-SESS-007)|Check session termination after a maximum lifetime]]<br />
* [[Test_Session_Timeout_(OTG-SESS-007)|Check session termination after relative timeout]]<br />
* [[Testing_for_logout_functionality_(OTG-SESS-006)|Check session termination after logout]]<br />
* Test whether users can have multiple simultaneous sessions<br />
* [[Testing_for_Session_Management_Schema_(OTG-SESS-001)#Session_ID_Predictability_and_Randomness | Test session cookies for randomness]]<br />
* Confirm that new session tokens are issued on login, role change and logout<br />
* Test for consistent session management across applications with shared session management<br />
* Test for session puzzling<br />
* Test for CSRF and clickjacking<br />
<br />
== Authorization ==<br />
* [[Testing_Directory_traversal/file_include_(OTG-AUTHZ-001)|Test for path traversal]]<br />
* [[Testing_for_Privilege_escalation_(OTG-AUTHZ-003)|Test for vertical access control problems (a.k.a. privilege escalation)]]<br />
* Test for horizontal access control problems (between two users at the same privilege level)<br />
* [[Testing_for_Bypassing_Authorization_Schema_(OTG-AUTHZ-002)|Test for missing authorisation]]<br />
* [[Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004)|Test for Insecure Direct Object References]]<br />
<br />
== Cryptography ==<br />
* [[Testing_for_Sensitive_information_sent_via_unencrypted_channels_(OTG-CRYPST-003)|Check whether data that should be encrypted is sent unencrypted]]<br />
* Check for use of the wrong algorithm for the context<br />
* [[Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_(OTG-CRYPST-001)|Check for use of weak algorithms]]<br />
* [[Password_Storage_Cheat_Sheet#Use_a_cryptographically_strong_credential-specific_salt | Check for proper use of salting]]<br />
* [[Insecure_Randomness | Check the randomness functions in use]]<br />
<br />
== Data Validation ==<br />
''Injection''<br />
* Test for HTML Injection<br />
* [[Testing_for_SQL_Injection_(OTG-INPVAL-005)|Test for SQL Injection]]<br />
* Test for LDAP Injection<br />
* [[Testing_for_ORM_Injection_(OTG-INPVAL-007)|Test for ORM Injection]]<br />
* [[Testing_for_XML_Injection_(OTG-INPVAL-008)|Test for XML Injection]]<br />
* Test for XXE Injection<br />
* [[Testing_for_SSI_Injection_(OTG-INPVAL-009)|Test for SSI Injection]]<br />
* [[Testing_for_XPath_Injection_(OTG-INPVAL-010)|Test for XPath Injection]]<br />
* Test for XQuery Injection<br />
* [[Testing_for_IMAP/SMTP_Injection_(OTG-INPVAL-011)|Test for IMAP/SMTP Injection]]<br />
* [[Testing_for_Code_Injection_(OTG-INPVAL-012)|Test for Code Injection]]<br />
* Test for Expression Language Injection<br />
* [[Testing_for_Command_Injection_(OTG-INPVAL-013)|Test for Command Injection]]<br />
* Test for NoSQL Injection<br />
<br />
''Other''<br />
* [[Testing_for_Reflected_Cross_site_scripting_(OTG-INPVAL-001)|Test for Reflected Cross Site Scripting]]<br />
* [[Testing_for_Stored_Cross_site_scripting_(OTG-INPVAL-002)|Test for Stored Cross Site Scripting]]<br />
* [[Testing_for_DOM-based_Cross_site_scripting_(OTG-CLIENT-001)|Test for DOM based Cross Site Scripting]]<br />
* Test for Cross Site Flashing<br />
* Test for Overflow ([[Testing_for_Stack_Overflow|Stack]], [[Testing_for_Heap_Overflow|Heap]] and Integer)<br />
* [[Testing_for_Format_String|Test for Format String]]<br />
* Test for incubated vulnerabilities<br />
* [[Testing_for_HTTP_Splitting/Smuggling_(OTG-INPVAL-016)|Test for HTTP Splitting/Smuggling]]<br />
* Test for HTTP Verb Tampering<br />
* [[Top_10_2013-A10-Unvalidated_Redirects_and_Forwards|Test for Open Redirection]]<br />
* [[Testing_for_Local_File_Inclusion|Test for Local File Inclusion]]<br />
* [[Testing_for_Remote_File_Inclusion|Test for Remote File Inclusion]]<br />
* Compare client-side and server-side validation rules<br />
* Test for HTTP parameter pollution<br />
* Test for auto-binding<br />
* Test for Mass Assignment<br />
* Test for NULL/Invalid Session Cookie<br />
* [[Test_integrity_checks_(OTG-BUSLOGIC-003) | Test for integrity of data]]<br />
* [[Testing_for_the_Circumvention_of_Work_Flows_(OTG-BUSLOGIC-009) | Test for the Circumvention of Work Flows]]<br />
* [[Test_defenses_against_application_mis-use_(OTG-BUSLOGIC-011) | Test Defenses Against Application Misuse]]<br />
* [[Test_number_of_times_a_function_can_be_used_limits_(OTG-BUSLOGIC-007) | Test That a Function or Feature Cannot Be Used Outside Of Limits]]<br />
* [[Test_for_Process_Timing_(OTG-BUSLOGIC-007) | Test for Process Timing]]<br />
* [[Test_Local_Storage_(OTG-CLIENT-012)|Test for Web Storage SQL injection (HTML5)]]<br />
* [[HTML5_Security_Cheat_Sheet#Offline_Applications | Check Offline Web Application]]<br />
<br />
== Denial of Service ==<br />
* Test for anti-automation<br />
* [[Testing_for_Weak_lock_out_mechanism_(OTG-AUTHN-003)|Test for account lockout]]<br />
* Test for HTTP protocol DoS<br />
* Test for SQL wildcard DoS<br />
<br />
== Specific Risky Functionality ==<br />
''File Uploads''<br />
* [[Test_Upload_of_Unexpected_File_Types_(OTG-BUSLOGIC-008)|Test that acceptable file types are whitelisted and non-whitelisted types are rejected]]<br />
* Test that file size limits, upload frequency and total file counts are defined and are enforced<br />
* Test that file contents match the defined file type<br />
* [[Test_Upload_of_Malicious_Files_(OTG-BUSLOGIC-009)|Test that all file uploads have anti-virus scanning in place]]<br />
* [[Test_Upload_of_Malicious_Files_(OTG-BUSLOGIC-016) | Test upload of malicious files]]<br />
* Test that unsafe filenames are sanitized<br />
* Test that uploaded files are not directly accessible within the web root<br />
* Test that uploaded files are not served on the same hostname/port<br />
* Test that files and other media are integrated with the authentication and authorisation schemas<br />
<br />
''Payments''<br />
* Test for known vulnerabilities and configuration issues on Web Server and Web Application<br />
* Test for default or guessable passwords<br />
* [[Injection_Flaws | Test for Injection vulnerabilities]]<br />
* [[Testing_for_Buffer_Overflow_(OTG-INPVAL-014) | Test for Buffer Overflows]]<br />
* [[Top_10_2010-A7-Insecure_Cryptographic_Storage | Test for Insecure Cryptographic Storage]]<br />
* [[Top_10_2010-A9-Insufficient_Transport_Layer_Protection | Test for Insufficient Transport Layer Protection]]<br />
* [[Web_Application_Security_Testing_Cheat_Sheet#Error_Handling|Test for Improper Error Handling]]<br />
* Test for all vulnerabilities with a CVSS v2 score > 4.0<br />
* Test for Authentication and Authorization issues<br />
* [[Testing_for_CSRF_(OTG-SESS-005)|Test for CSRF]]<br />
<br />
== Error Handling ==<br />
* [[Testing_for_Error_Code_(OTG-ERR-001)|Check for Error Codes]]<br />
* [[Testing_for_Stack_Traces_(OTG-ERR-002)|Check for Stack Traces]]<br />
<br />
<br />
= Appendices =<br />
<br />
== Other Formats ==<br />
* DradisPro template format [https://github.com/raesene/OWASP_Web_App_Testing_Cheatsheet_Converter/blob/master/OWASP_Web_Application_Testing_Cheat_Sheet.xml on GitHub]<br />
* Asana template on [http://templana.com/templates/owasp-website-security-checklist/ Templana] (thanks to Bastien Siebman)<br />
<br />
== Authors and contributors ==<br />
<br />
[[User:Simon Bennetts|Simon Bennetts]]<br/><br />
[[User:Raesene|Rory McCune]] <br/><br />
Colin Watson<br/><br />
Simone Onofri<br/><br />
[[User:Amro_Ahmed|Amro AlOlaqi]] <br />
<br />
All of the above are authors of the [[OWASP_Testing_Guide_v3_Table_of_Contents | Testing Guide v3]]<br />
<br />
[[User:Ryan_Dewhurst|Ryan Dewhurst]]<br/><br />
[[User:Frank.catucci | Frank Catucci]]<br/><br />
[[User:VinMiller | Vin Miller]]<br />
<br />
<br />
== Related articles ==<br />
<br />
* OWASP [[:Category:OWASP Testing Project|Testing Guide]]<br />
* Mozilla [https://wiki.mozilla.org/WebAppSec/Web_Security_Verification Web Security Verification]<br />
<br />
== Other Cheatsheets ==<br />
<br />
{{Cheatsheet_Navigation}}<br />
<br />
[[Category:Cheatsheets]] [[Category:OWASP_Breakers]]</div>
VinMiller https://wiki.owasp.org/index.php?title=Web_Application_Security_Testing_Cheat_Sheet&diff=204654 Web Application Security Testing Cheat Sheet 2015-12-06T19:51:41Z <p>VinMiller: </p>
<hr />
<div>= Introduction =<br />
<br />
This cheat sheet provides a checklist of tasks to be performed during blackbox security testing of a web application.<br />
<br />
= Purpose =<br />
<br />
This checklist is intended to be used as an aide-mémoire for experienced pentesters and should be used in conjunction with the [[:Category:OWASP Testing Project|OWASP Testing Guide]]. It will be updated as the [[OWASP_Application_Testing_guide_v4|Testing Guide v4]] progresses.<br />
<br />
The intention is that this guide will be available as an XML document, with scripts that convert it into formats such as PDF, MediaWiki markup, HTML, etc.<br />
<br />
This will allow it to be consumed within security tools as well as being available in a format suitable for printing.<br />
<br />
All feedback or offers of help will be appreciated - and if you have specific changes you think should be made, please log in and make suggestions.<br />
<br />
= The Checklist =<br />
<br />
== Information Gathering ==<br />
''Rendered Site Review''<br />
* Manually explore the site<br />
* [[Testing:_Spidering_and_googling | Spider/crawl]] for missed or hidden content<br />
* [[Review_Webserver_Metafiles_for_Information_Leakage_(OTG-INFO-003)|Check the Webserver Metafiles]] for files that leak information or expose content, such as robots.txt, sitemap.xml, .DS_Store<br />
* [[Conduct_search_engine_discovery/reconnaissance_for_information_leakage_(OTG-INFO-001)|Check the caches of major search engines for publicly accessible sites]]<br />
* Check for differences in content based on User-Agent (e.g. mobile sites, access as a search engine crawler)<br />
* [[Review_webpage_comments_and_metadata_for_information_leakage_(OTG-INFO-005) | Check The Webpage Comments and Metadata for Information Leakage]]<br />
<br />
''Development Review''<br />
* [[Fingerprint_Web_Application_Framework_(OTG-INFO-008) | Check The Web Application Framework]]<br />
* [[Fingerprint_Web_Server_(OTG-INFO-002)|Perform Web Server Fingerprinting]]<br />
* Identify technologies used<br />
* [[Test_Role_Definitions_(OTG-IDENT-001)|Identify user roles]]<br />
* [[Identify_application_entry_points_(OTG-INFO-006) | Identify application entry points]]<br />
* Identify client-side code<br />
* Identify multiple versions/channels (e.g. web, mobile web, mobile app)<br />
<br />
''Hosting and Platform Review''<br />
* [[Web_Services | Identify web services]]<br />
* Identify co-hosted and related applications<br />
* Identify all hostnames and ports<br />
* Identify third-party hosted content<br />
<br />
== Configuration Management ==<br />
* Check for commonly used application and administrative URLs<br />
* [[4.3.4_Review_Old,_Backup_and_Unreferenced_Files_for_Sensitive_Information_(OTG-CONFIG-004) | Check for old, backup and unreferenced files]]<br />
* [[Test_HTTP_Methods_(OTG-CONFIG-006) | Check HTTP methods supported and Cross Site Tracing (XST)]]<br />
* [[4.3.3_Test_File_Extensions_Handling_for_Sensitive_Information_(OTG-CONFIG-003) | Test file extensions handling]]<br />
* [[Test_RIA_cross_domain_policy_(OTG-CONFIG-008) | Test RIA cross domain policy]]<br />
* Test for [[List_of_useful_HTTP_headers | security HTTP headers]] (e.g. CSP, X-Frame-Options, HSTS)<br />
* Test for policies (e.g. Flash, Silverlight, robots)<br />
* Check for sensitive data in client-side code (e.g. API keys, credentials)<br />
<br />
== Secure Transmission ==<br />
''Protocols and Encryption''<br />
* [[Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_(OTG-CRYPST-001) | Check SSL/TLS version, algorithms and key length]]<br />
* Check digital certificate validity (validity period, signature and CN)<br />
* Check that credentials are only delivered over HTTPS<br />
* Check that the login form is delivered over HTTPS<br />
* Check that session tokens are only delivered over HTTPS<br />
* [[Test_HTTP_Strict_Transport_Security_(OTG-CONFIG-009) | Check whether HTTP Strict Transport Security (HSTS) is in use]]<br />
* [[Test_Ability_to_forge_requests_(OTG-BUSLOGIC-002) | Test ability to forge requests]]<br />
* [[Test_Web_Messaging_(OTG-CLIENT-011)|Test Web Messaging (HTML5)]]<br />
* [[Test_Cross_Origin_Resource_Sharing_(OTG-CLIENT-007)|Check CORS implementation (HTML5)]]<br />
<br />
''Web Services and REST''<br />
* [[Web_Service_Security_Testing_Cheat_Sheet | Test for Web Service Issues]]<br />
* [[REST_Assessment_Cheat_Sheet | Test REST]]<br />
<br />
== Authentication ==<br />
''Application Password Functionality''<br />
* [[Testing_for_Weak_password_policy_(OTG-AUTHN-007)|Test password quality rules]]<br />
* Test "remember me" functionality<br />
* Test password reset and/or recovery<br />
* Test password change process<br />
* Test CAPTCHA<br />
* Test multi-factor authentication<br />
* Test that logout functionality is present<br />
* Test for default logins<br />
* Test for out-of-channel notification of account lockouts and successful password changes<br />
* Test for consistent authentication across applications with shared authentication schema / SSO and alternative channels<br />
* Test for weak security questions/answers<br />
<br />
''Additional Authentication Functionality''<br />
* [[Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002) | Test for user enumeration]]<br />
* [[Testing_for_Bypassing_Authentication_Schema_(OTG-AUTHN-004) | Test for authentication bypass]]<br />
* [[Testing_for_Brute_Force_(OWASP-AT-004) | Test for brute force protection]]<br />
* [[Testing_for_Credentials_Transported_over_an_Encrypted_Channel_(OTG-AUTHN-001)|Test for Credentials Transported over an Encrypted Channel]]<br />
* Test for HTTP cache management (e.g. Pragma, Expires, max-age)<br />
* Test for user-accessible authentication history<br />
<br />
== Session Management ==<br />
* Establish how session management is handled in the application (e.g. tokens in cookies, tokens in the URL)<br />
* [[Testing_for_cookies_attributes_(OTG-SESS-002)|Check session tokens for cookie flags (HttpOnly and Secure)]]<br />
* [[Testing_for_cookies_attributes_(OTG-SESS-002)|Check session cookie scope (path and domain)]]<br />
* Check session cookie duration (expires and max-age)<br />
* [[Test_Session_Timeout_(OTG-SESS-007)|Check session termination after a maximum lifetime]]<br />
* [[Test_Session_Timeout_(OTG-SESS-007)|Check session termination after relative timeout]]<br />
* [[Testing_for_logout_functionality_(OTG-SESS-006)|Check session termination after logout]]<br />
* Test whether users can have multiple simultaneous sessions<br />
* [[Testing_for_Session_Management_Schema_(OTG-SESS-001)#Session_ID_Predictability_and_Randomness | Test session cookies for randomness]]<br />
* Confirm that new session tokens are issued on login, role change and logout<br />
* Test for consistent session management across applications with shared session management<br />
* Test for session puzzling<br />
* Test for CSRF and clickjacking<br />
<br />
== Authorization ==<br />
* [[Testing_Directory_traversal/file_include_(OTG-AUTHZ-001)|Test for path traversal]]<br />
* [[Testing_for_Privilege_escalation_(OTG-AUTHZ-003)|Test for vertical access control problems (a.k.a. privilege escalation)]]<br />
* Test for horizontal access control problems (between two users at the same privilege level)<br />
* [[Testing_for_Bypassing_Authorization_Schema_(OTG-AUTHZ-002)|Test for missing authorisation]]<br />
* [[Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004)|Test for Insecure Direct Object References]]<br />
<br />
== Cryptography ==<br />
* [[Testing_for_Sensitive_information_sent_via_unencrypted_channels_(OTG-CRYPST-003)|Check whether data that should be encrypted is sent unencrypted]]<br />
* Check for use of the wrong algorithm for the context<br />
* [[Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_(OTG-CRYPST-001)|Check for use of weak algorithms]]<br />
* [[Password_Storage_Cheat_Sheet#Use_a_cryptographically_strong_credential-specific_salt | Check for proper use of salting]]<br />
* [[Insecure_Randomness | Check the randomness functions in use]]<br />
<br />
== Data Validation ==<br />
''Injection''<br />
* Test for HTML Injection<br />
* [[Testing_for_SQL_Injection_(OTG-INPVAL-005)|Test for SQL Injection]]<br />
* Test for LDAP Injection<br />
* [[Testing_for_ORM_Injection_(OTG-INPVAL-007)|Test for ORM Injection]]<br />
* [[Testing_for_XML_Injection_(OTG-INPVAL-008)|Test for XML Injection]]<br />
* Test for XXE Injection<br />
* [[Testing_for_SSI_Injection_(OTG-INPVAL-009)|Test for SSI Injection]]<br />
* [[Testing_for_XPath_Injection_(OTG-INPVAL-010)|Test for XPath Injection]]<br />
* Test for XQuery Injection<br />
* [[Testing_for_IMAP/SMTP_Injection_(OTG-INPVAL-011)|Test for IMAP/SMTP Injection]]<br />
* [[Testing_for_Code_Injection_(OTG-INPVAL-012)|Test for Code Injection]]<br />
* Test for Expression Language Injection<br />
* [[Testing_for_Command_Injection_(OTG-INPVAL-013)|Test for Command Injection]]<br />
* Test for NoSQL Injection<br />
<br />
''Other''<br />
* [[Testing_for_Reflected_Cross_site_scripting_(OTG-INPVAL-001)|Test for Reflected Cross Site Scripting]]<br />
* [[Testing_for_Stored_Cross_site_scripting_(OTG-INPVAL-002)|Test for Stored Cross Site Scripting]]<br />
* [[Testing_for_DOM-based_Cross_site_scripting_(OTG-CLIENT-001)|Test for DOM based Cross Site Scripting]]<br />
* Test for Cross Site Flashing<br />
* Test for Overflow ([[Testing_for_Stack_Overflow|Stack]], [[Testing_for_Heap_Overflow|Heap]] and Integer)<br />
* [[Testing_for_Format_String|Test for Format String]]<br />
* Test for incubated vulnerabilities<br />
* [[Testing_for_HTTP_Splitting/Smuggling_(OTG-INPVAL-016)|Test for HTTP Splitting/Smuggling]]<br />
* Test for HTTP Verb Tampering<br />
* [[Top_10_2013-A10-Unvalidated_Redirects_and_Forwards|Test for Open Redirection]]<br />
* [[Testing_for_Local_File_Inclusion|Test for Local File Inclusion]]<br />
* [[Testing_for_Remote_File_Inclusion|Test for Remote File Inclusion]]<br />
* Compare client-side and server-side validation rules<br />
* Test for HTTP parameter pollution<br />
* Test for auto-binding<br />
* Test for Mass Assignment<br />
* Test for NULL/Invalid Session Cookie<br />
* [[Test_integrity_checks_(OTG-BUSLOGIC-003) | Test for integrity of data]]<br />
* [[Testing_for_the_Circumvention_of_Work_Flows_(OTG-BUSLOGIC-009) | Test for the Circumvention of Work Flows]]<br />
* [[Test_defenses_against_application_mis-use_(OTG-BUSLOGIC-011) | Test Defenses Against Application Misuse]]<br />
* [[Test_Local_Storage_(OTG-CLIENT-012)|Test for Web Storage SQL injection (HTML5)]]<br />
* [[HTML5_Security_Cheat_Sheet#Offline_Applications | Check Offline Web Application]]<br />
<br />
== Denial of Service ==<br />
* Test for anti-automation<br />
* [[Testing_for_Weak_lock_out_mechanism_(OTG-AUTHN-003)|Test for account lockout]]<br />
* Test for HTTP protocol DoS<br />
* Test for SQL wildcard DoS<br />
<br />
== Specific Risky Functionality ==<br />
''File Uploads''<br />
* [[Test_Upload_of_Unexpected_File_Types_(OTG-BUSLOGIC-008)|Test that acceptable file types are whitelisted and non-whitelisted types are rejected]]<br />
* Test that file size limits, upload frequency and total file counts are defined and are enforced<br />
* Test that file contents match the defined file type<br />
* [[Test_Upload_of_Malicious_Files_(OTG-BUSLOGIC-009)|Test that all file uploads have anti-virus scanning in place]]<br />
* [[Test_Upload_of_Malicious_Files_(OTG-BUSLOGIC-016) | Test upload of malicious files]]<br />
* Test that unsafe filenames are sanitized<br />
* Test that uploaded files are not directly accessible within the web root<br />
* Test that uploaded files are not served on the same hostname/port<br />
* Test that files and other media are integrated with the authentication and authorisation schemas<br />
<br />
== Risky Functionality ==<br />
''Payments''<br />
* Test for known vulnerabilities and configuration issues on Web Server and Web Application<br />
* Test for default or guessable passwords<br />
* [[Injection_Flaws | Test for Injection vulnerabilities]]<br />
* [[Testing_for_Buffer_Overflow_(OTG-INPVAL-014) | Test for Buffer Overflows]]<br />
* [[Top_10_2010-A7-Insecure_Cryptographic_Storage | Test for Insecure Cryptographic Storage]]<br />
* [[Top_10_2010-A9-Insufficient_Transport_Layer_Protection | Test for Insufficient Transport Layer Protection]]<br />
* [[Web_Application_Security_Testing_Cheat_Sheet#Error_Handling|Test for Improper Error Handling]]<br />
* Test for all vulnerabilities with a CVSS v2 score > 4.0<br />
* Test for Authentication and Authorization issues<br />
* [[Testing_for_CSRF_(OTG-SESS-005)|Test for CSRF]]<br />
<br />
== Error Handling ==<br />
* [[Testing_for_Error_Code_(OTG-ERR-001)|Check for Error Codes]]<br />
* [[Testing_for_Stack_Traces_(OTG-ERR-002)|Check for Stack Traces]]<br />
<br />
== Other ==<br />
* [[Test_for_Process_Timing_(OTG-BUSLOGIC-007) | Test for Process Timing]]<br />
* [[Test_number_of_times_a_function_can_be_used_limits_(OTG-BUSLOGIC-007) | Test Limits on the Number of Times a Function Can Be Used]]<br />
<br />
= Appendices =<br />
<br />
== Other Formats ==<br />
* DradisPro template format [https://github.com/raesene/OWASP_Web_App_Testing_Cheatsheet_Converter/blob/master/OWASP_Web_Application_Testing_Cheat_Sheet.xml on GitHub]<br />
* Asana template on [http://templana.com/templates/owasp-website-security-checklist/ Templana] (thanks to Bastien Siebman)<br />
<br />
== Authors and contributors ==<br />
<br />
[[User:Simon Bennetts|Simon Bennetts]]<br/><br />
[[User:Raesene|Rory McCune]] <br/><br />
Colin Watson<br/><br />
Simone Onofri<br/><br />
[[User:Amro_Ahmed|Amro AlOlaqi]] <br />
<br />
All of the above are authors of the [[OWASP_Testing_Guide_v3_Table_of_Contents | Testing Guide v3]]<br />
<br />
[[User:Ryan_Dewhurst|Ryan Dewhurst]]<br/><br />
[[User:Frank.catucci | Frank Catucci]]<br/><br />
[[User:VinMiller | Vin Miller]]<br />
<br />
<br />
== Related articles ==<br />
<br />
* OWASP [[:Category:OWASP Testing Project|Testing Guide]]<br />
* Mozilla [https://wiki.mozilla.org/WebAppSec/Web_Security_Verification Web Security Verification]<br />
<br />
== Other Cheatsheets ==<br />
<br />
{{Cheatsheet_Navigation}}<br />
<br />
[[Category:Cheatsheets]] [[Category:OWASP_Breakers]]</div>
VinMiller https://wiki.owasp.org/index.php?title=Web_Application_Security_Testing_Cheat_Sheet&diff=204652 Web Application Security Testing Cheat Sheet 2015-12-06T19:41:15Z <p>VinMiller: </p>
<hr />
<div>= Introduction =<br />
<br />
This cheat sheet provides a checklist of tasks to be performed during blackbox security testing of a web application.<br />
<br />
= Purpose =<br />
<br />
This checklist is intended to be used as an aide-mémoire for experienced pentesters and should be used in conjunction with the [[:Category:OWASP Testing Project|OWASP Testing Guide]]. It will be updated as the [[OWASP_Application_Testing_guide_v4|Testing Guide v4]] progresses.<br />
<br />
The intention is that this guide will be available as an XML document, with scripts that convert it into formats such as PDF, MediaWiki markup, HTML, etc.<br />
<br />
This will allow it to be consumed within security tools as well as being available in a format suitable for printing.<br />
<br />
All feedback or offers of help will be appreciated - and if you have specific changes you think should be made, please log in and make suggestions.<br />
<br />
= The Checklist =<br />
<br />
== Information Gathering ==<br />
''Rendered Site Review''<br />
* Manually explore the site<br />
* [[Testing:_Spidering_and_googling | Spider/crawl]] for missed or hidden content<br />
* [[Review_Webserver_Metafiles_for_Information_Leakage_(OTG-INFO-003)|Check the Webserver Metafiles]] for files that leak information or expose content, such as robots.txt, sitemap.xml, .DS_Store<br />
* [[Conduct_search_engine_discovery/reconnaissance_for_information_leakage_(OTG-INFO-001)|Check the caches of major search engines for publicly accessible sites]]<br />
* Check for differences in content based on User-Agent (e.g. mobile sites, access as a search engine crawler)<br />
* [[Review_webpage_comments_and_metadata_for_information_leakage_(OTG-INFO-005) | Check The Webpage Comments and Metadata for Information Leakage]]<br />
<br />
''Development Review''<br />
* [[Fingerprint_Web_Application_Framework_(OTG-INFO-008) | Check The Web Application Framework]]<br />
* [[Fingerprint_Web_Server_(OTG-INFO-002)|Perform Web Server Fingerprinting]]<br />
* Identify technologies used<br />
* [[Test_Role_Definitions_(OTG-IDENT-001)|Identify user roles]]<br />
* [[Identify_application_entry_points_(OTG-INFO-006) | Identify application entry points]]<br />
* Identify client-side code<br />
* Identify multiple versions/channels (e.g. web, mobile web, mobile app)<br />
<br />
''Hosting and Platform Review''<br />
* [[Web_Services | Identify web services]]<br />
* Identify co-hosted and related applications<br />
* Identify all hostnames and ports<br />
* Identify third-party hosted content<br />
<br />
== Configuration Management ==<br />
* Check for commonly used application and administrative URLs<br />
* [[4.3.4_Review_Old,_Backup_and_Unreferenced_Files_for_Sensitive_Information_(OTG-CONFIG-004) | Check for old, backup and unreferenced files]]<br />
* [[Test_HTTP_Methods_(OTG-CONFIG-006) | Check HTTP methods supported and Cross Site Tracing (XST)]]<br />
* [[4.3.3_Test_File_Extensions_Handling_for_Sensitive_Information_(OTG-CONFIG-003) | Test file extensions handling]]<br />
* [[Test_RIA_cross_domain_policy_(OTG-CONFIG-008) | Test RIA cross domain policy]]<br />
* Test for [[List_of_useful_HTTP_headers | security HTTP headers]] (e.g. CSP, X-Frame-Options, HSTS)<br />
* Test for policies (e.g. Flash, Silverlight, robots)<br />
* Test for non-production data in the live environment, and vice versa<br />
* Check for sensitive data in client-side code (e.g. API keys, credentials)<br />
<br />
== Secure Transmission ==<br />
* [[Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_(OTG-CRYPST-001) | Check SSL/TLS version, algorithms and key length]]<br />
* Check digital certificate validity (validity period, signature and CN)<br />
* Check that credentials are only delivered over HTTPS<br />
* Check that the login form is delivered over HTTPS<br />
* Check that session tokens are only delivered over HTTPS<br />
* [[Test_HTTP_Strict_Transport_Security_(OTG-CONFIG-009) | Check whether HTTP Strict Transport Security (HSTS) is in use]]<br />
<br />
== Authentication ==<br />
''Application Password Functionality''<br />
* [[Testing_for_Weak_password_policy_(OTG-AUTHN-007)|Test password quality rules]]<br />
* Test "remember me" functionality<br />
* Test password reset and/or recovery<br />
* Test password change process<br />
* Test CAPTCHA<br />
* Test multi-factor authentication<br />
* Test that logout functionality is present<br />
* Test for default logins<br />
* Test for out-of-channel notification of account lockouts and successful password changes<br />
* Test for consistent authentication across applications with shared authentication schema / SSO and alternative channels<br />
* Test for weak security questions/answers<br />
<br />
''Additional Authentication Functionality''<br />
* [[Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002) | Test for user enumeration]]<br />
* [[Testing_for_Bypassing_Authentication_Schema_(OTG-AUTHN-004) | Test for authentication bypass]]<br />
* [[Testing_for_Brute_Force_(OWASP-AT-004) | Test for brute force protection]]<br />
* [[Testing_for_Credentials_Transported_over_an_Encrypted_Channel_(OTG-AUTHN-001)|Test for Credentials Transported over an Encrypted Channel]]<br />
* Test for HTTP cache management (e.g. Pragma, Expires, max-age)<br />
* Test for user-accessible authentication history<br />
<br />
== Session Management ==<br />
* Establish how session management is handled in the application (e.g. tokens in cookies, tokens in the URL)<br />
* [[Testing_for_cookies_attributes_(OTG-SESS-002)|Check session tokens for cookie flags (HttpOnly and Secure)]]<br />
* [[Testing_for_cookies_attributes_(OTG-SESS-002)|Check session cookie scope (path and domain)]]<br />
* Check session cookie duration (expires and max-age)<br />
* [[Test_Session_Timeout_(OTG-SESS-007)|Check session termination after a maximum lifetime]]<br />
* [[Test_Session_Timeout_(OTG-SESS-007)|Check session termination after relative timeout]]<br />
* [[Testing_for_logout_functionality_(OTG-SESS-006)|Check session termination after logout]]<br />
* Test to see if users can have multiple simultaneous sessions<br />
* [[Testing_for_Session_Management_Schema_(OTG-SESS-001)#Session_ID_Predictability_and_Randomness | Test session cookies for randomness]]<br />
* Confirm that new session tokens are issued on login, role change and logout<br />
* Test for consistent session management across applications with shared session management<br />
* Test for session puzzling<br />
* Test for CSRF and clickjacking<br />
<br />
== Authorization ==<br />
* [[Testing_Directory_traversal/file_include_(OTG-AUTHZ-001)|Test for path traversal]]<br />
* [[Testing_for_Privilege_escalation_(OTG-AUTHZ-003)|Test for vertical Access control problems (a.k.a. Privilege Escalation)]]<br />
* Test for horizontal Access control problems (between two users at the same privilege level)<br />
* [[Testing_for_Bypassing_Authorization_Schema_(OTG-AUTHZ-002)|Test for missing authorisation]]<br />
* [[Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004)|Test for Insecure Direct Object References]]<br />
<br />
== Cryptography ==<br />
* [[Testing_for_Sensitive_information_sent_via_unencrypted_channels_(OTG-CRYPST-003)|Check if data which should be encrypted is not]]<br />
* Check for use of the wrong algorithm for the context<br />
* [[Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_(OTG-CRYPST-001)|Check for weak algorithm usage]]<br />
* [[Password_Storage_Cheat_Sheet#Use_a_cryptographically_strong_credential-specific_salt | Check for proper use of salting]]<br />
* [[Insecure_Randomness | Check for randomness functions]]<br />
<br />
<br />
== Data Validation ==<br />
* [[Testing_for_Reflected_Cross_site_scripting_(OTG-INPVAL-001)|Test for Reflected Cross Site Scripting]]<br />
* [[Testing_for_Stored_Cross_site_scripting_(OTG-INPVAL-002)|Test for Stored Cross Site Scripting]]<br />
* [[Testing_for_DOM-based_Cross_site_scripting_(OTG-CLIENT-001)|Test for DOM based Cross Site Scripting]]<br />
* Test for Cross Site Flashing<br />
* Test for HTML Injection<br />
* [[Testing_for_SQL_Injection_(OTG-INPVAL-005)|Test for SQL Injection]]<br />
* Test for LDAP Injection<br />
* [[Testing_for_ORM_Injection_(OTG-INPVAL-007)|Test for ORM Injection]]<br />
* [[Testing_for_XML_Injection_(OTG-INPVAL-008)|Test for XML Injection]]<br />
* Test for XXE Injection<br />
* [[Testing_for_SSI_Injection_(OTG-INPVAL-009)|Test for SSI Injection]]<br />
* [[Testing_for_XPath_Injection_(OTG-INPVAL-010)|Test for XPath Injection]]<br />
* Test for XQuery Injection<br />
* [[Testing_for_IMAP/SMTP_Injection_(OTG-INPVAL-011)|Test for IMAP/SMTP Injection]]<br />
* [[Testing_for_Code_Injection_(OTG-INPVAL-012)|Test for Code Injection]]<br />
* Test for Expression Language Injection<br />
* [[Testing_for_Command_Injection_(OTG-INPVAL-013)|Test for Command Injection]]<br />
* Test for Overflow ([[Testing_for_Stack_Overflow|Stack]], [[Testing_for_Heap_Overflow|Heap]] and Integer)<br />
* [[Testing_for_Format_String|Test for Format String]]<br />
* Test for incubated vulnerabilities<br />
* [[Testing_for_HTTP_Splitting/Smuggling_(OTG-INPVAL-016)|Test for HTTP Splitting/Smuggling]]<br />
* Test for HTTP Verb Tampering<br />
* [[Top_10_2013-A10-Unvalidated_Redirects_and_Forwards|Test for Open Redirection]]<br />
* [[Testing_for_Local_File_Inclusion|Test for Local File Inclusion]]<br />
* [[Testing_for_Remote_File_Inclusion|Test for Remote File Inclusion]]<br />
* Compare client-side and server-side validation rules<br />
* Test for NoSQL injection<br />
* Test for HTTP parameter pollution<br />
* Test for auto-binding<br />
* Test for Mass Assignment<br />
* Test for NULL/Invalid Session Cookie<br />
<br />
== Denial of Service ==<br />
* Test for anti-automation<br />
* [[Testing_for_Weak_lock_out_mechanism_(OTG-AUTHN-003)|Test for account lockout]]<br />
* Test for HTTP protocol DoS<br />
* Test for SQL wildcard DoS<br />
<br />
== Business Logic ==<br />
* [[Test_business_logic_data_validation_(OTG-BUSLOGIC-001) | Test business logic data validation]] <br />
* [[Test_Ability_to_forge_requests_(OTG-BUSLOGIC-002) | Test ability to forge requests]]<br />
* Test for feature misuse<br />
* Test for lack of non-repudiation<br />
* Test for trust relationships<br />
* [[Test_integrity_checks_(OTG-BUSLOGIC-003) | Test for integrity of data]]<br />
* Test segregation of duties<br />
* [[Test_for_Process_Timing_(OTG-BUSLOGIC-007) | Test for Process Timing]]<br />
* [[Test_number_of_times_a_function_can_be_used_limits_(OTG-BUSLOGIC-007) | Test Number of Times a Function Can be Used Limits]]<br />
* [[Testing_for_the_Circumvention_of_Work_Flows_(OTG-BUSLOGIC-009) | Test for the Circumvention of Work Flows]]<br />
* [[Test_defenses_against_application_mis-use_(OTG-BUSLOGIC-011) | Test Defenses Against Application Mis-use]]<br />
* [[Test_Upload_of_Unexpected_File_Types_(OTG-BUSLOGIC-015) | Test Upload of Unexpected File Types]]<br />
* [[Test_Upload_of_Malicious_Files_(OTG-BUSLOGIC-016) | Test upload of malicious files]]<br />
<br />
<br />
== Specific Risky Functionality ==<br />
''File Uploads''<br />
* [[Test_Upload_of_Unexpected_File_Types_(OTG-BUSLOGIC-008)|Test that acceptable file types are whitelisted and non-whitelisted types are rejected]]<br />
* Test that file size limits, upload frequency and total file counts are defined and are enforced<br />
* Test that file contents match the defined file type<br />
* [[Test_Upload_of_Malicious_Files_(OTG-BUSLOGIC-009)|Test that all file uploads have anti-virus scanning in place]]<br />
* Test that unsafe filenames are sanitised<br />
* Test that uploaded files are not directly accessible within the web root<br />
* Test that uploaded files are not served on the same hostname/port<br />
* Test that files and other media are integrated with the authentication and authorisation schemas<br />
<br />
== Risky Functionality ==<br />
''Payments''<br />
* Test for known vulnerabilities and configuration issues on Web Server and Web Application<br />
* Test for default or guessable password<br />
* Test for non-production data in live environment, and vice-versa<br />
* [[Injection_Flaws | Test for Injection vulnerabilities ]]<br />
* [[Testing_for_Buffer_Overflow_(OTG-INPVAL-014) | Test for Buffer Overflows]]<br />
* [[Top_10_2010-A7-Insecure_Cryptographic_Storage | Test for Insecure Cryptographic Storage]]<br />
* [[Top_10_2010-A9-Insufficient_Transport_Layer_Protection | Test for Insufficient Transport Layer Protection]]<br />
* [[Web_Application_Security_Testing_Cheat_Sheet#Error_Handling|Test for Improper Error Handling]]<br />
* Test for all vulnerabilities with a CVSS v2 score > 4.0<br />
* Test for Authentication and Authorization issues<br />
* [[Testing_for_CSRF_(OTG-SESS-005)|Test for CSRF]]<br />
<br />
== Web Service Testing ==<br />
* [[Web_Service_Security_Testing_Cheat_Sheet | Test for Web Service Issues]]<br />
* [[REST_Assessment_Cheat_Sheet | Test REST]]<br />
<br />
== HTML 5 ==<br />
* [[Test_Web_Messaging_(OTG-CLIENT-011)|Test Web Messaging]]<br />
* [[Test_Local_Storage_(OTG-CLIENT-012)|Test for Web Storage SQL injection]]<br />
* [[Test_Cross_Origin_Resource_Sharing_(OTG-CLIENT-007)|Check CORS implementation]]<br />
* [[HTML5_Security_Cheat_Sheet#Offline_Applications | Check Offline Web Application]]<br />
<br />
== Error Handling ==<br />
* [[Testing_for_Error_Code_(OTG-ERR-001)|Check for Error Codes]]<br />
* [[Testing_for_Stack_Traces_(OTG-ERR-002)|Check for Stack Traces]]<br />
<br />
= Appendices =<br />
<br />
<br />
== Other Formats ==<br />
* DradisPro template format [https://github.com/raesene/OWASP_Web_App_Testing_Cheatsheet_Converter/blob/master/OWASP_Web_Application_Testing_Cheat_Sheet.xml on github]<br />
* Asana template on [http://templana.com/templates/owasp-website-security-checklist/ Templana] (thanks to Bastien Siebman)<br />
<br />
== Authors and contributors ==<br />
<br />
[[User:Simon Bennetts|Simon Bennetts]]<br/><br />
[[User:Raesene|Rory McCune]] <br/><br />
Colin Watson<br/><br />
Simone Onofri<br/><br />
[[User:Amro_Ahmed|Amro AlOlaqi]]<br/><br />
<br />
All above are authors of the [[OWASP_Testing_Guide_v3_Table_of_Contents | Testing Guide v3]] <br />
<br />
[[User:Ryan_Dewhurst|Ryan Dewhurst]]<br/><br />
[[User:Frank.catucci | Frank Catucci]]<br/><br />
[[User:VinMiller | Vin Miller]]<br />
<br />
<br />
== Related articles ==<br />
<br />
* OWASP [[:Category:OWASP Testing Project|Testing Guide]]<br />
* Mozilla [https://wiki.mozilla.org/WebAppSec/Web_Security_Verification Web Security Verification]<br />
<br />
== Other Cheatsheets ==<br />
<br />
{{Cheatsheet_Navigation}}<br />
<br />
[[Category:Cheatsheets]] [[Category:OWASP_Breakers]]</div>VinMillerhttps://wiki.owasp.org/index.php?title=Web_Application_Security_Testing_Cheat_Sheet&diff=204651Web Application Security Testing Cheat Sheet2015-12-06T19:40:30Z<p>VinMiller: </p>
VinMillerhttps://wiki.owasp.org/index.php?title=Web_Application_Security_Testing_Cheat_Sheet&diff=204650Web Application Security Testing Cheat Sheet2015-12-06T19:39:09Z<p>VinMiller: </p>
<hr />
<div>= Introduction =<br />
<br />
This cheat sheet provides a checklist of tasks to be performed during blackbox security testing of a web application.<br />
<br />
= Purpose =<br />
<br />
This checklist is intended to be used as an aide memoire for experienced pentesters and should be used in conjunction with the [[:Category:OWASP Testing Project|OWASP Testing Guide]]. It will be updated as the [[OWASP_Application_Testing_guide_v4|Testing Guide v4]] is progressed.<br />
<br />
The intention is that this guide will be available as an XML document, with scripts that convert it into formats such as pdf, Media Wiki markup, HTML etc. <br />
<br />
This will allow it to be consumed within security tools as well as being available in a format suitable for printing.<br />
<br />
All feedback or offers of help will be appreciated - and if you have specific changes you think should be made, please log in and make suggestions.<br />
<br />
= The Checklist =<br />
<br />
== Information Gathering ==<br />
''Rendered Site Review''<br />
* Manually explore the site<br />
* [[Testing:_Spidering_and_googling | Spider/crawl]] for missed or hidden content<br />
* [[Review_Webserver_Metafiles_for_Information_Leakage_(OTG-INFO-003)|Check the Webserver Metafiles]] for information leakage files that expose content, such as robots.txt, sitemap.xml, .DS_Store<br />
* [[Conduct_search_engine_discovery/reconnaissance_for_information_leakage_(OTG-INFO-001)|Check the caches of major search engines for publicly accessible sites]]<br />
* Check for differences in content based on User Agent (eg, Mobile sites, access as a Search engine Crawler)<br />
* [[Review_webpage_comments_and_metadata_for_information_leakage_(OTG-INFO-005) | Check The Webpage Comments and Metadata for Information Leakage]]<br />
<br />
''Development Review''<br />
* [[Fingerprint_Web_Application_Framework_(OTG-INFO-008) | Check The Web Application Framework]]<br />
* [[Fingerprint_Web_Server_(OTG-INFO-002)|Perform Web Application Fingerprinting]]<br />
* Identify technologies used<br />
* [[Test_Role_Definitions_(OTG-IDENT-001)|Identify user roles]]<br />
* [[Identify_application_entry_points_(OTG-INFO-006) | Identify application entry points]]<br />
* Identify client-side code<br />
* Identify multiple versions/channels (e.g. web, mobile web, mobile app)<br />
<br />
''Hosting and Platform Review''<br />
* [[Web_Services | Identify web services]]<br />
* Identify co-hosted and related applications<br />
* Identify all hostnames and ports<br />
* Identify third-party hosted content<br />
<br />
== Configuration Management ==<br />
* Check for commonly used application and administrative URLs<br />
* [[4.3.4_Review_Old,_Backup_and_Unreferenced_Files_for_Sensitive_Information_(OTG-CONFIG-004) | Check for old, backup and unreferenced files]]<br />
* [[Test_HTTP_Methods_(OTG-CONFIG-006) | Check HTTP methods supported and Cross Site Tracing (XST)]]<br />
* [[4.3.3_Test_File_Extensions_Handling_for_Sensitive_Information_(OTG-CONFIG-003) | Test file extensions handling]]<br />
* [[Test_RIA_cross_domain_policy_(OTG-CONFIG-008) | Test RIA cross domain policy]]<br />
* Test for [[List_of_useful_HTTP_headers | security HTTP headers]] (e.g. CSP, X-Frame-Options, HSTS)<br />
* Test for policies (e.g. Flash, Silverlight, robots)<br />
* Test for non-production data in live environment, and vice-versa<br />
* Check for sensitive data in client-side code (e.g. API keys, credentials)<br />
<br />
== Secure Transmission ==<br />
* [[Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_(OTG-CRYPST-001) | Check SSL Version, Algorithms, Key length]]<br />
* Check for Digital Certificate Validity (Duration, Signature and CN)<br />
* Check credentials only delivered over HTTPS<br />
* Check that the login form is delivered over HTTPS<br />
* Check session tokens only delivered over HTTPS<br />
* [[Test_HTTP_Strict_Transport_Security_(OTG-CONFIG-009) | Check if HTTP Strict Transport Security (HSTS) in use]]<br />
<br />
== Authentication ==<br />
''Application Password Functionality''<br />
* [[Testing_for_Weak_password_policy_(OTG-AUTHN-007)|Test password quality rules]]<br />
* Test remember me functionality<br />
* Test password reset and/or recovery<br />
* Test password change process<br />
* Test CAPTCHA<br />
* Test multi factor authentication<br />
* Test for logout functionality presence<br />
* Test for default logins<br />
* Test for out-of channel notification of account lockouts and successful password changes<br />
* Test for consistent authentication across applications with shared authentication schema / SSO and alternative channels<br />
* Test for Weak security question/answer<br />
<br />
''Additional Authentication Functionality''<br />
* [[Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002) | Test for user enumeration]]<br />
* [[Testing_for_Bypassing_Authentication_Schema_(OTG-AUTHN-004) | Test for authentication bypass]]<br />
* [[Testing_for_Brute_Force_(OWASP-AT-004) | Test for brute force protection]]<br />
* [[Testing_for_Credentials_Transported_over_an_Encrypted_Channel_(OTG-AUTHN-001)|Test for Credentials Transported over an Encrypted Channel]]<br />
* Test for cache management on HTTP (eg Pragma, Expires, Max-age)<br />
* Test for user-accessible authentication history<br />
<br />
== Session Management ==<br />
* Establish how session management is handled in the application (eg, tokens in cookies, token in URL)<br />
* [[Testing_for_cookies_attributes_(OTG-SESS-002)|Check session tokens for cookie flags (httpOnly and secure)]]<br />
* [[Testing_for_cookies_attributes_(OTG-SESS-002)|Check session cookie scope (path and domain)]]<br />
* Check session cookie duration (expires and max-age)<br />
* [[Test_Session_Timeout_(OTG-SESS-007)|Check session termination after a maximum lifetime]]<br />
* [[Test_Session_Timeout_(OTG-SESS-007)|Check session termination after relative timeout]]<br />
* [[Testing_for_logout_functionality_(OTG-SESS-006)|Check session termination after logout]]<br />
* Test to see if users can have multiple simultaneous sessions<br />
* [[Testing_for_Session_Management_Schema_(OTG-SESS-001)#Session_ID_Predictability_and_Randomness | Test session cookies for randomness]]<br />
* Confirm that new session tokens are issued on login, role change and logout<br />
* Test for consistent session management across applications with shared session management<br />
* Test for session puzzling<br />
* Test for CSRF and clickjacking<br />
<br />
== Authorization ==<br />
* [[Testing_Directory_traversal/file_include_(OTG-AUTHZ-001)|Test for path traversal]]<br />
* [[Testing_for_Privilege_escalation_(OTG-AUTHZ-003)|Test for vertical Access control problems (a.k.a. Privilege Escalation)]]<br />
* Test for horizontal Access control problems (between two users at the same privilege level)<br />
* [[Testing_for_Bypassing_Authorization_Schema_(OTG-AUTHZ-002)|Test for missing authorisation]]<br />
* [[Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004)|Test for Insecure Direct Object References]]<br />
<br />
== Data Validation ==<br />
* [[Testing_for_Reflected_Cross_site_scripting_(OTG-INPVAL-001)|Test for Reflected Cross Site Scripting]]<br />
* [[Testing_for_Stored_Cross_site_scripting_(OTG-INPVAL-002)|Test for Stored Cross Site Scripting]]<br />
* [[Testing_for_DOM-based_Cross_site_scripting_(OTG-CLIENT-001)|Test for DOM based Cross Site Scripting]]<br />
* Test for Cross Site Flashing<br />
* Test for HTML Injection<br />
* [[Testing_for_SQL_Injection_(OTG-INPVAL-005)|Test for SQL Injection]]<br />
* Test for LDAP Injection<br />
* [[Testing_for_ORM_Injection_(OTG-INPVAL-007)|Test for ORM Injection]]<br />
* [[Testing_for_XML_Injection_(OTG-INPVAL-008)|Test for XML Injection]]<br />
* Test for XXE Injection<br />
* [[Testing_for_SSI_Injection_(OTG-INPVAL-009)|Test for SSI Injection]]<br />
* [[Testing_for_XPath_Injection_(OTG-INPVAL-010)|Test for XPath Injection]]<br />
* Test for XQuery Injection<br />
* [[Testing_for_IMAP/SMTP_Injection_(OTG-INPVAL-011)|Test for IMAP/SMTP Injection]]<br />
* [[Testing_for_Code_Injection_(OTG-INPVAL-012)|Test for Code Injection]]<br />
* Test for Expression Language Injection<br />
* [[Testing_for_Command_Injection_(OTG-INPVAL-013)|Test for Command Injection]]<br />
* Test for Overflow ([[Testing_for_Stack_Overflow|Stack]], [[Testing_for_Heap_Overflow|Heap]] and Integer)<br />
* [[Testing_for_Format_String|Test for Format String]]<br />
* Test for incubated vulnerabilities<br />
* [[Testing_for_HTTP_Splitting/Smuggling_(OTG-INPVAL-016)|Test for HTTP Splitting/Smuggling]]<br />
* Test for HTTP Verb Tampering<br />
* [[Top_10_2013-A10-Unvalidated_Redirects_and_Forwards|Test for Open Redirection]]<br />
* [[Testing_for_Local_File_Inclusion|Test for Local File Inclusion]]<br />
* [[Testing_for_Remote_File_Inclusion|Test for Remote File Inclusion]]<br />
* Compare client-side and server-side validation rules<br />
* Test for NoSQL injection<br />
* Test for HTTP parameter pollution<br />
* Test for auto-binding<br />
* Test for Mass Assignment<br />
* Test for NULL/Invalid Session Cookie<br />
<br />
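For the open redirection item, the useful artefact is the probe list: the parser-confusion cases that defeat a naive "does it start with our hostname" check. The example below is added here, not from the Testing Guide, and pairs that probe list with a validator written to reject every case in it. `app.example.test` and `evil.example` are placeholder hostnames, and the expected verdicts are this example's own.<br />

```python
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"app.example.test"}

# Constructed probe list for a `next`/`returnUrl` parameter, with the verdict a correct
# validator should give. Hostnames are placeholders, not real targets.
REDIRECT_PROBES = {
    "/account": True,
    "https://app.example.test/home": True,
    "https://APP.example.test:443/home": True,            # case and explicit port are fine
    "https://evil.example/phish": False,
    "//evil.example/phish": False,                        # protocol-relative
    "///evil.example": False,                             # browsers collapse the extra slash to //host
    "/\\evil.example": False,                             # browsers read a backslash as a slash
    "https://app.example.test@evil.example/": False,      # allowed host sits in the userinfo part
    "https://app.example.test.evil.example/": False,      # allowed host as a prefix of another
    "https:evil.example": False,                          # no //, still resolves to a host in browsers
    "javascript:alert(1)": False,
    "\t//evil.example": False,                            # leading control char stripped by some parsers
    "": False,
}


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """Accept a local path or an absolute http(s) URL on an allowed host; reject everything else.

    Cheap string rejections run before the URL parser, because the parser is where the
    confusion cases in REDIRECT_PROBES come from.
    """
    if not target or any(ord(c) <= 32 or ord(c) == 127 or c == "\\" for c in target):
        return False
    if target.startswith("/"):
        # "//host" and "///host" both carry a host in browsers, so only a single slash is local.
        return not target.startswith("//")
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    if parts.username is not None or parts.password is not None:
        return False
    return parts.hostname in allowed_hosts      # .hostname is already lower-cased, port stripped


def run_probes(allowed_hosts=ALLOWED_HOSTS):
    """Return {probe: verdict} for every probe whose verdict differs from the expected one."""
    mismatches = {}
    for target, want in REDIRECT_PROBES.items():
        got = is_safe_redirect(target, allowed_hosts)
        if got != want:
            mismatches[target] = got
    return mismatches


if __name__ == "__main__":
    print("mismatches:", run_probes())
```

When testing, send each probe and follow the Location header with a browser rather than a library client: several of the cases (the triple slash, the backslash, the missing `//`) are only dangerous because browsers normalise them differently from server-side URL parsers.<br />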
== Denial of Service ==<br />
* Test for anti-automation<br />
* [[Testing_for_Weak_lock_out_mechanism_(OTG-AUTHN-003)|Test for account lockout]]<br />
* Test for HTTP protocol DoS<br />
* Test for SQL wildcard DoS<br />
<br />
== Business Logic ==<br />
* [[Test_business_logic_data_validation_(OTG-BUSLOGIC-001) | Test business logic data validation]] <br />
* [[Test_Ability_to_forge_requests_(OTG-BUSLOGIC-002) | Test ability to forge requests]]<br />
* Test for feature misuse<br />
* Test for lack of non-repudiation<br />
* Test for trust relationships<br />
* [[Test_integrity_checks_(OTG-BUSLOGIC-003) | Test for integrity of data]]<br />
* Test segregation of duties<br />
* [[Test_for_Process_Timing_(OTG-BUSLOGIC-007) | Test for Process Timing]]<br />
* [[Test_number_of_times_a_function_can_be_used_limits_(OTG-BUSLOGIC-007) | Test Number of Times a Function Can be Used Limits]]<br />
* [[Testing_for_the_Circumvention_of_Work_Flows_(OTG-BUSLOGIC-009) | Test for the Circumvention of Work Flows]]<br />
* [[Test_defenses_against_application_mis-use_(OTG-BUSLOGIC-011) | Test Defenses Against Application Mis-use]]<br />
* [[Test_Upload_of_Unexpected_File_Types_(OTG-BUSLOGIC-015) | Test Upload of Unexpected File Types]]<br />
* [[Test_Upload_of_Malicious_Files_(OTG-BUSLOGIC-016) | Test upload of malicious files]]<br />
<br />
== Cryptography ==<br />
* [[Testing_for_Sensitive_information_sent_via_unencrypted_channels_(OTG-CRYPST-003)|Check if data which should be encrypted is not]]<br />
* Check for wrong algorithms usage depending on context<br />
* [[Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_(OTG-CRYPST-001)|Check for weak algorithms usage]]<br />
* [[Password_Storage_Cheat_Sheet#Use_a_cryptographically_strong_credential-specific_salt | Check for proper use of salting]]<br />
* [[Insecure_Randomness | Check for randomness functions]]<br />
<br />
== Risky Functionality - File Uploads ==<br />
* [[Test_Upload_of_Unexpected_File_Types_(OTG-BUSLOGIC-008)|Test that acceptable file types are whitelisted and non-whitelisted types are rejected]]<br />
* Test that file size limits, upload frequency and total file counts are defined and are enforced<br />
* Test that file contents match the defined file type<br />
* [[Test_Upload_of_Malicious_Files_(OTG-BUSLOGIC-009)|Test that all file uploads have Anti-Virus scanning in-place.]]<br />
* Test that unsafe filenames are sanitised<br />
* Test that uploaded files are not directly accessible within the web root<br />
* Test that uploaded files are not served on the same hostname/port<br />
* Test that files and other media are integrated with the authentication and authorisation schemas<br />
<br />
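The upload items above are best exercised with a small set of crafted files and names. The validator below is an added example, not code from the Testing Guide or from any product: it applies an extension whitelist, checks the file body against the magic bytes the extension implies, sanitises the client name for display only, and stores under a server-chosen name so the client's name never reaches the filesystem. The accepted types, the sample bodies and the probe names are constructed for the example.<br />

```python
import hashlib
import os
import re

# Magic bytes for the types this hypothetical endpoint accepts; the extension whitelist is derived from it.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
}
EXTENSION_ALIASES = {"jpeg": "jpg"}

# Constructed sample bodies: minimal headers only, not real files.
PNG_SAMPLE = MAGIC["png"] + b"\x00\x00\x00\rIHDR" + b"\x00" * 16
GIF_SAMPLE = b"GIF89a" + b"\x00" * 16
PHP_SAMPLE = b"<?php system($_GET['c']); ?>"


def sanitise_filename(client_name):
    """Reduce the client-supplied name to one safe path component for display and logging."""
    base = os.path.basename(client_name.replace("\\", "/"))   # drop any directory part, either separator
    base = base.split("\x00", 1)[0]                            # NUL truncation tricks
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base)               # conservative character set
    base = base.lstrip(".")                                    # no dotfiles such as .htaccess
    return base or "upload"


def validate_upload(client_name, data, max_bytes=10 * 1024 * 1024):
    """Return (accepted, reason, display_name, stored_name).

    The stored name never comes from the client: it is a content hash plus the extension
    implied by the magic bytes, so a name like shell.php.png cannot survive into storage.
    """
    display = sanitise_filename(client_name)
    if len(data) > max_bytes:
        return False, "size", display, None
    if "." not in display:
        return False, "extension", display, None
    ext = display.rsplit(".", 1)[1].lower()
    ext = EXTENSION_ALIASES.get(ext, ext)
    if ext not in MAGIC:
        return False, "extension", display, None
    if not data.startswith(MAGIC[ext]):
        return False, "content", display, None         # declared type and actual bytes disagree
    stored = hashlib.sha256(data).hexdigest()[:16] + "." + ext
    return True, "ok", display, stored


if __name__ == "__main__":
    probes = [
        ("cat.png", PNG_SAMPLE),
        ("shell.php", PHP_SAMPLE),
        ("photo.png", PHP_SAMPLE),
        ("cat.jpg", PNG_SAMPLE),
        ("shell.php.png", PNG_SAMPLE),
        ("../../var/www/html/x.gif", GIF_SAMPLE),
        ("..\\..\\Windows\\win.ini", b"[fonts]"),
        (".htaccess", b"AddType application/x-httpd-php .png"),
    ]
    for name, body in probes:
        print(name, "->", validate_upload(name, body))
```

Note that `shell.php.png` with a genuine PNG header is accepted: the magic check only proves the body begins like a PNG, so the remaining defences in the list (a storage location outside the web root, a separate hostname for serving, and no execution by extension) still have to hold. A polyglot body is the probe to send when checking them.<br />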
== Risky Functionality - Card Payment ==<br />
* Test for known vulnerabilities and configuration issues on Web Server and Web Application<br />
* Test for default or guessable password<br />
* Test for non-production data in live environment, and vice-versa<br />
* [[Injection_Flaws | Test for Injection vulnerabilities ]]<br />
* [[Testing_for_Buffer_Overflow_(OTG-INPVAL-014) | Test for Buffer Overflows]]<br />
* [[Top_10_2010-A7-Insecure_Cryptographic_Storage | Test for Insecure Cryptographic Storage]]<br />
* [[Top_10_2010-A9-Insufficient_Transport_Layer_Protection | Test for Insufficient Transport Layer Protection]]<br />
* [[Web_Application_Security_Testing_Cheat_Sheet#Error_Handling|Test for Improper Error Handling]]<br />
* Test for all vulnerabilities with a CVSS v2 score > 4.0<br />
* Test for Authentication and Authorization issues<br />
* [[Testing_for_CSRF_(OTG-SESS-005)|Test for CSRF]]<br />
<br />
== Web Service Testing ==<br />
* [[Web_Service_Security_Testing_Cheat_Sheet | Test for Web Service Issues]]<br />
* [[REST_Assessment_Cheat_Sheet | Test REST]]<br />
<br />
== HTML 5 ==<br />
* [[Test_Web_Messaging_(OTG-CLIENT-011)|Test Web Messaging]]<br />
* [[Test_Local_Storage_(OTG-CLIENT-012)|Test for Web Storage SQL injection]]<br />
* [[Test_Cross_Origin_Resource_Sharing_(OTG-CLIENT-007)|Check CORS implementation]]<br />
* [[HTML5_Security_Cheat_Sheet#Offline_Applications | Check Offline Web Application]]<br />
<br />
== Error Handling ==<br />
* [[Testing_for_Error_Code_(OTG-ERR-001)|Check for Error Codes]]<br />
* [[Testing_for_Stack_Traces_(OTG-ERR-002)|Check for Stack Traces]]<br />
<br />
= Appendices =<br />
<br />
== Other Formats ==<br />
* DradisPro template format [https://github.com/raesene/OWASP_Web_App_Testing_Cheatsheet_Converter/blob/master/OWASP_Web_Application_Testing_Cheat_Sheet.xml on github]<br />
* Asana template on [http://templana.com/templates/owasp-website-security-checklist/ Templana] (thanks to Bastien Siebman)<br />
<br />
== Authors and contributors ==<br />
<br />
[[User:Simon Bennetts|Simon Bennetts]]<br/><br />
[[User:Raesene|Rory McCune]] <br/><br />
Colin Watson<br/><br />
Simone Onofri<br/><br />
[[User:Amro_Ahmed|Amro AlOlaqi]] <br />
<br />
All above are authors of the [[OWASP_Testing_Guide_v3_Table_of_Contents | Testing Guide v3]] <br />
<br />
[[User:Ryan_Dewhurst|Ryan Dewhurst]]<br/><br />
[[User:Frank.catucci | Frank Catucci]]<br />
<br />
== Related articles ==<br />
<br />
* OWASP [[:Category:OWASP Testing Project|Testing Guide]]<br />
* Mozilla [https://wiki.mozilla.org/WebAppSec/Web_Security_Verification Web Security Verification]<br />
<br />
== Other Cheatsheets ==<br />
<br />
{{Cheatsheet_Navigation}}<br />
<br />
[[Category:Cheatsheets]] [[Category:OWASP_Breakers]]</div>VinMillerhttps://wiki.owasp.org/index.php?title=Web_Application_Security_Testing_Cheat_Sheet&diff=204649Web Application Security Testing Cheat Sheet2015-12-06T19:38:12Z<p>VinMiller: /* Authentication */</p>
VinMillerhttps://wiki.owasp.org/index.php?title=Web_Application_Security_Testing_Cheat_Sheet&diff=204648Web Application Security Testing Cheat Sheet2015-12-06T19:13:38Z<p>VinMiller: /* Information Gathering */</p>
<hr />
<div>= Introduction =<br />
<br />
This cheat sheet provides a checklist of tasks to be performed during blackbox security testing of a web application.<br />
<br />
= Purpose =<br />
<br />
This checklist is intended to be used as an aide memoire for experienced pentesters and should be used in conjunction with the [[:Category:OWASP Testing Project|OWASP Testing Guide]]. It will be updated as the [[OWASP_Application_Testing_guide_v4|Testing Guide v4]] is progressed.<br />
<br />
The intention is that this guide will be available as an XML document, with scripts that convert it into formats such as pdf, Media Wiki markup, HTML etc. <br />
<br />
This will allow it to be consumed within security tools as well as being available in a format suitable for printing.<br />
<br />
All feedback or offers of help will be appreciated - and if you have specific changes you think should be made, please log in and make suggestions.<br />
<br />
= The Checklist =<br />
<br />
== Information Gathering ==<br />
''Rendered Site Review''<br />
* Manually explore the site<br />
* [[Testing:_Spidering_and_googling | Spider/crawl]] for missed or hidden content<br />
* [[Review_Webserver_Metafiles_for_Information_Leakage_(OTG-INFO-003)|Check the Webserver Metafiles]] for information leakage files that expose content, such as robots.txt, sitemap.xml, .DS_Store<br />
* [[Conduct_search_engine_discovery/reconnaissance_for_information_leakage_(OTG-INFO-001)|Check the caches of major search engines for publicly accessible sites]]<br />
* Check for differences in content based on User Agent (eg, Mobile sites, access as a Search engine Crawler)<br />
* [[Review_webpage_comments_and_metadata_for_information_leakage_(OTG-INFO-005) | Check The Webpage Comments and Metadata for Information Leakage]]<br />
<br />
''Development Review''<br />
* [[Fingerprint_Web_Application_Framework_(OTG-INFO-008) | Check The Web Application Framework]]<br />
* [[Fingerprint_Web_Server_(OTG-INFO-002)|Perform Web Application Fingerprinting]]<br />
* Identify technologies used<br />
* [[Test_Role_Definitions_(OTG-IDENT-001)|Identify user roles]]<br />
* [[Identify_application_entry_points_(OTG-INFO-006) | Identify application entry points]]<br />
* Identify client-side code<br />
* Identify multiple versions/channels (e.g. web, mobile web, mobile app)<br />
<br />
''Hosting and Platform Review''<br />
* [[Web_Services | Identify web services]]<br />
* Identify co-hosted and related applications<br />
* Identify all hostnames and ports<br />
* Identify third-party hosted content<br />
<br />
== Configuration Management ==<br />
* Check for commonly used application and administrative URLs<br />
* [[4.3.4_Review_Old,_Backup_and_Unreferenced_Files_for_Sensitive_Information_(OTG-CONFIG-004) | Check for old, backup and unreferenced files]]<br />
* [[Test_HTTP_Methods_(OTG-CONFIG-006) | Check HTTP methods supported and Cross Site Tracing (XST)]]<br />
* [[4.3.3_Test_File_Extensions_Handling_for_Sensitive_Information_(OTG-CONFIG-003) | Test file extensions handling]]<br />
* [[Test_RIA_cross_domain_policy_(OTG-CONFIG-008) | Test RIA cross domain policy]]<br />
* Test for [[List_of_useful_HTTP_headers | security HTTP headers]] (e.g. CSP, X-Frame-Options, HSTS)<br />
* Test for policies (e.g. Flash, Silverlight, robots)<br />
* Test for non-production data in live environment, and vice-versa<br />
* Check for sensitive data in client-side code (e.g. API keys, credentials)<br />
<br />
== Secure Transmission ==<br />
* [[Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_(OTG-CRYPST-001) | Check SSL Version, Algorithms, Key length]]<br />
* Check for Digital Certificate Validity (Duration, Signature and CN)<br />
* Check credentials only delivered over HTTPS<br />
* Check that the login form is delivered over HTTPS<br />
* Check session tokens only delivered over HTTPS<br />
* [[Test_HTTP_Strict_Transport_Security_(OTG-CONFIG-009) | Check if HTTP Strict Transport Security (HSTS) in use]]<br />
<br />
== Authentication ==<br />
* [[Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002) | Test for user enumeration]]<br />
* [[Testing_for_Bypassing_Authentication_Schema_(OTG-AUTHN-004) | Test for authentication bypass]]<br />
* [[Testing_for_Brute_Force_(OWASP-AT-004) | Test for brute force protection]]<br />
* [[Testing_for_Credentials_Transported_over_an_Encrypted_Channel_(OTG-AUTHN-001)|Test for Credentials Transported over an Encrypted Channel]]<br />
* [[Testing_for_Weak_password_policy_(OTG-AUTHN-007)|Test password quality rules]]<br />
* Test remember me functionality<br />
* Test password reset and/or recovery<br />
* Test password change process<br />
* Test CAPTCHA<br />
* Test multi factor authentication<br />
* Test for logout functionality presence<br />
* Test for cache management on HTTP (eg Pragma, Expires, Max-age)<br />
* Test for default logins<br />
* Test for user-accessible authentication history<br />
* Test for out-of channel notification of account lockouts and successful password changes<br />
* Test for consistent authentication across applications with shared authentication schema / SSO and alternative channels<br />
* Test for Weak security question/answer<br />
<br />
== Session Management ==<br />
* Establish how session management is handled in the application (eg, tokens in cookies, token in URL)<br />
* [[Testing_for_cookies_attributes_(OTG-SESS-002)|Check session tokens for cookie flags (httpOnly and secure)]]<br />
* [[Testing_for_cookies_attributes_(OTG-SESS-002)|Check session cookie scope (path and domain)]]<br />
* Check session cookie duration (expires and max-age)<br />
* [[Test_Session_Timeout_(OTG-SESS-007)|Check session termination after a maximum lifetime]]<br />
* [[Test_Session_Timeout_(OTG-SESS-007)|Check session termination after relative timeout]]<br />
* [[Testing_for_logout_functionality_(OTG-SESS-006)|Check session termination after logout]]<br />
* Test to see if users can have multiple simultaneous sessions<br />
* [[Testing_for_Session_Management_Schema_(OTG-SESS-001)#Session_ID_Predictability_and_Randomness | Test session cookies for randomness]]<br />
* Confirm that new session tokens are issued on login, role change and logout<br />
* Test for consistent session management across applications with shared session management<br />
* Test for session puzzling<br />
* Test for CSRF and clickjacking<br />
<br />
== Authorization ==<br />
* [[Testing_Directory_traversal/file_include_(OTG-AUTHZ-001)|Test for path traversal]]<br />
* [[Testing_for_Privilege_escalation_(OTG-AUTHZ-003)|Test for vertical Access control problems (a.k.a. Privilege Escalation)]]<br />
* Test for horizontal Access control problems (between two users at the same privilege level)<br />
* [[Testing_for_Bypassing_Authorization_Schema_(OTG-AUTHZ-002)|Test for missing authorisation]]<br />
* [[Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004)|Test for Insecure Direct Object References]]<br />
<br />
== Data Validation ==<br />
* [[Testing_for_Reflected_Cross_site_scripting_(OTG-INPVAL-001)|Test for Reflected Cross Site Scripting]]<br />
* [[Testing_for_Stored_Cross_site_scripting_(OTG-INPVAL-002)|Test for Stored Cross Site Scripting]]<br />
* [[Testing_for_DOM-based_Cross_site_scripting_(OTG-CLIENT-001)|Test for DOM based Cross Site Scripting]]<br />
* Test for Cross Site Flashing<br />
* Test for HTML Injection<br />
* [[Testing_for_SQL_Injection_(OTG-INPVAL-005)|Test for SQL Injection]]<br />
* Test for LDAP Injection<br />
* [[Testing_for_ORM_Injection_(OTG-INPVAL-007)|Test for ORM Injection]]<br />
* [[Testing_for_XML_Injection_(OTG-INPVAL-008)|Test for XML Injection]]<br />
* Test for XXE Injection<br />
* [[Testing_for_SSI_Injection_(OTG-INPVAL-009)|Test for SSI Injection]]<br />
* [[Testing_for_XPath_Injection_(OTG-INPVAL-010)|Test for XPath Injection]]<br />
* Test for XQuery Injection<br />
* [[Testing_for_IMAP/SMTP_Injection_(OTG-INPVAL-011)|Test for IMAP/SMTP Injection]]<br />
* [[Testing_for_Code_Injection_(OTG-INPVAL-012)|Test for Code Injection]]<br />
* Test for Expression Language Injection<br />
* [[Testing_for_Command_Injection_(OTG-INPVAL-013)|Test for Command Injection]]<br />
* Test for Overflow ([[Testing_for_Stack_Overflow|Stack]], [[Testing_for_Heap_Overflow|Heap]] and Integer)<br />
* [[Testing_for_Format_String|Test for Format String]]<br />
* Test for incubated vulnerabilities<br />
* [[Testing_for_HTTP_Splitting/Smuggling_(OTG-INPVAL-016)|Test for HTTP Splitting/Smuggling]]<br />
* Test for HTTP Verb Tampering<br />
* [[Top_10_2013-A10-Unvalidated_Redirects_and_Forwards|Test for Open Redirection]]<br />
* [[Testing_for_Local_File_Inclusion|Test for Local File Inclusion]]<br />
* [[Testing_for_Remote_File_Inclusion|Test for Remote File Inclusion]]<br />
* Compare client-side and server-side validation rules<br />
* Test for NoSQL injection<br />
* Test for HTTP parameter pollution<br />
* Test for auto-binding<br />
* Test for Mass Assignment<br />
* Test for NULL/Invalid Session Cookie<br />
<br />
== Denial of Service ==<br />
* Test for anti-automation<br />
* [[Testing_for_Weak_lock_out_mechanism_(OTG-AUTHN-003)|Test for account lockout]]<br />
* Test for HTTP protocol DoS<br />
* Test for SQL wildcard DoS<br />
<br />
== Business Logic ==<br />
* [[Test_business_logic_data_validation_(OTG-BUSLOGIC-001) | Test business logic data validation]] <br />
* [[Test_Ability_to_forge_requests_(OTG-BUSLOGIC-002) | Test ability to forge requests]]<br />
* Test for feature misuse<br />
* Test for lack of non-repudiation<br />
* Test for trust relationships<br />
* [[Test_integrity_checks_(OTG-BUSLOGIC-003) | Test for integrity of data]]<br />
* Test segregation of duties<br />
* [[Test_for_Process_Timing_(OTG-BUSLOGIC-007) | Test for Process Timing]]<br />
* [[Test_number_of_times_a_function_can_be_used_limits_(OTG-BUSLOGIC-007) | Test Number of Times a Function Can be Used Limits]]<br />
* [[Testing_for_the_Circumvention_of_Work_Flows_(OTG-BUSLOGIC-009) | Test for the Circumvention of Work Flows]]<br />
* [[Test_defenses_against_application_mis-use_(OTG-BUSLOGIC-011) | Test Defenses Against Application Mis-use]]<br />
* [[Test_Upload_of_Unexpected_File_Types_(OTG-BUSLOGIC-015) | Test Upload of Unexpected File Types]]<br />
* [[Test_Upload_of_Malicious_Files_(OTG-BUSLOGIC-016) | Test upload of malicious files]]<br />
<br />
== Cryptography ==<br />
* [[Testing_for_Sensitive_information_sent_via_unencrypted_channels_(OTG-CRYPST-003)|Check if data which should be encrypted is not]]<br />
* Check for wrong algorithms usage depending on context<br />
* [[Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_(OTG-CRYPST-001)|Check for weak algorithms usage]]<br />
* [[Password_Storage_Cheat_Sheet#Use_a_cryptographically_strong_credential-specific_salt | Check for proper use of salting]]<br />
* [[Insecure_Randomness | Check for randomness functions]]<br />
<br />
== Risky Functionality - File Uploads ==<br />
* [[Test_Upload_of_Unexpected_File_Types_(OTG-BUSLOGIC-008)|Test that acceptable file types are whitelisted and non-whitelisted types are rejected]]<br />
* Test that file size limits, upload frequency and total file counts are defined and are enforced<br />
* Test that file contents match the defined file type<br />
* [[Test_Upload_of_Malicious_Files_(OTG-BUSLOGIC-009)|Test that all file uploads have Anti-Virus scanning in place]]<br />
* Test that unsafe filenames are sanitised<br />
* Test that uploaded files are not directly accessible within the web root<br />
* Test that uploaded files are not served on the same hostname/port<br />
* Test that files and other media are integrated with the authentication and authorisation schemas<br />
<br />
== Risky Functionality - Card Payment ==<br />
* Test for known vulnerabilities and configuration issues on Web Server and Web Application<br />
* Test for default or guessable password<br />
* Test for non-production data in live environment, and vice-versa<br />
* [[Injection_Flaws | Test for Injection vulnerabilities ]]<br />
* [[Testing_for_Buffer_Overflow_(OTG-INPVAL-014) | Test for Buffer Overflows]]<br />
* [[Top_10_2010-A7-Insecure_Cryptographic_Storage | Test for Insecure Cryptographic Storage]]<br />
* [[Top_10_2010-A9-Insufficient_Transport_Layer_Protection | Test for Insufficient Transport Layer Protection]]<br />
* [[Web_Application_Security_Testing_Cheat_Sheet#Error_Handling|Test for Improper Error Handling]]<br />
* Test for all vulnerabilities with a CVSS v2 score > 4.0<br />
* Test for Authentication and Authorization issues<br />
* [[Testing_for_CSRF_(OTG-SESS-005)|Test for CSRF]]<br />
<br />
== Web Service Testing ==<br />
* [[Web_Service_Security_Testing_Cheat_Sheet | Test for Web Service Issues]]<br />
* [[REST_Assessment_Cheat_Sheet | Test REST]]<br />
<br />
== HTML 5 ==<br />
* [[Test_Web_Messaging_(OTG-CLIENT-011)|Test Web Messaging]]<br />
* [[Test_Local_Storage_(OTG-CLIENT-012)|Test for Web Storage SQL injection]]<br />
* [[Test_Cross_Origin_Resource_Sharing_(OTG-CLIENT-007)|Check CORS implementation]]<br />
* [[HTML5_Security_Cheat_Sheet#Offline_Applications | Check Offline Web Application]]<br />
<br />
== Error Handling ==<br />
* [[Testing_for_Error_Code_(OTG-ERR-001)|Check for Error Codes]]<br />
* [[Testing_for_Stack_Traces_(OTG-ERR-002)|Check for Stack Traces]]<br />
<br />
== Other Formats ==<br />
* DradisPro template format [https://github.com/raesene/OWASP_Web_App_Testing_Cheatsheet_Converter/blob/master/OWASP_Web_Application_Testing_Cheat_Sheet.xml on github]<br />
* Asana template on [http://templana.com/templates/owasp-website-security-checklist/ Templana] (thanks to Bastien Siebman)<br />
<br />
== Authors and contributors ==<br />
<br />
[[User:Simon Bennetts|Simon Bennetts]]<br/><br />
[[User:Raesene|Rory McCune]] <br/><br />
Colin Watson<br/><br />
Simone Onofri<br/><br />
[[User:Amro_Ahmed|Amro AlOlaqi]] <br />
<br />
All above are authors of the [[OWASP_Testing_Guide_v3_Table_of_Contents | Testing Guide v3]] <br />
<br />
[[User:Ryan_Dewhurst|Ryan Dewhurst]]<br/><br />
[[User:Frank.catucci | Frank Catucci]]<br />
<br />
== Related articles ==<br />
<br />
* OWASP [[:Category:OWASP Testing Project|Testing Guide]]<br />
* Mozilla [https://wiki.mozilla.org/WebAppSec/Web_Security_Verification Web Security Verification]<br />
<br />
== Other Cheatsheets ==<br />
<br />
{{Cheatsheet_Navigation}}<br />
<br />
[[Category:Cheatsheets]] [[Category:OWASP_Breakers]]</div>VinMillerhttps://wiki.owasp.org/index.php?title=Web_Application_Security_Testing_Cheat_Sheet&diff=204647Web Application Security Testing Cheat Sheet2015-12-06T19:12:15Z<p>VinMiller: /* Information Gathering */</p>
<hr />
<div>= Introduction =<br />
<br />
This cheat sheet provides a checklist of tasks to be performed during blackbox security testing of a web application.<br />
<br />
= Purpose =<br />
<br />
This checklist is intended to be used as an aide-mémoire for experienced pentesters and should be used in conjunction with the [[:Category:OWASP Testing Project|OWASP Testing Guide]]. It will be updated as the [[OWASP_Application_Testing_guide_v4|Testing Guide v4]] progresses.<br />
<br />
The intention is that this guide will be available as an XML document, with scripts that convert it into formats such as PDF, MediaWiki markup, HTML, etc.<br />
<br />
This will allow it to be consumed within security tools as well as being available in a format suitable for printing.<br />
<br />
All feedback or offers of help will be appreciated - and if you have specific changes you think should be made, please log in and make suggestions.<br />
<br />
= The Checklist =<br />
<br />
== Information Gathering ==<br />
''Rendered Site Review''<br />
* Manually explore the site<br />
* [[Testing:_Spidering_and_googling | Spider/crawl]] for missed or hidden content<br />
* [[Review_Webserver_Metafiles_for_Information_Leakage_(OTG-INFO-003)|Check the Webserver Metafiles]] for information leakage files that expose content, such as robots.txt, sitemap.xml, .DS_Store<br />
* [[Conduct_search_engine_discovery/reconnaissance_for_information_leakage_(OTG-INFO-001)|Check the caches of major search engines for publicly accessible sites]]<br />
* Check for differences in content based on User Agent (e.g. mobile sites, access as a search engine crawler)<br />
* [[Review_webpage_comments_and_metadata_for_information_leakage_(OTG-INFO-005) | Check The Webpage Comments and Metadata for Information Leakage]]<br />
<br />
''Development Review''<br />
* [[Fingerprint_Web_Application_Framework_(OTG-INFO-008) | Check The Web Application Framework]]<br />
* [[Fingerprint_Web_Server_(OTG-INFO-002)|Perform Web Application Fingerprinting]]<br />
* Identify technologies used<br />
* [[Test_Role_Definitions_(OTG-IDENT-001)|Identify user roles]]<br />
* [[Identify_application_entry_points_(OTG-INFO-006) | Identify application entry points]]<br />
* Identify client-side code<br />
* Identify multiple versions/channels (e.g. web, mobile web, mobile app)<br />
<br />
''Hosting and Platform Review''<br />
* [[Web_Services | Identify web services]]<br />
* Identify co-hosted and related applications<br />
* Identify all hostnames and ports<br />
* Identify third-party hosted content<br />
<br />
== Configuration Management ==<br />
* Check for commonly used application and administrative URLs<br />
* [[4.3.4_Review_Old,_Backup_and_Unreferenced_Files_for_Sensitive_Information_(OTG-CONFIG-004) | Check for old, backup and unreferenced files]]<br />
* [[Test_HTTP_Methods_(OTG-CONFIG-006) | Check HTTP methods supported and Cross Site Tracing (XST)]]<br />
* [[4.3.3_Test_File_Extensions_Handling_for_Sensitive_Information_(OTG-CONFIG-003) | Test file extensions handling]]<br />
* [[Test_RIA_cross_domain_policy_(OTG-CONFIG-008) | Test RIA cross domain policy]]<br />
* Test for [[List_of_useful_HTTP_headers | security HTTP headers]] (e.g. CSP, X-Frame-Options, HSTS)<br />
* Test for policies (e.g. Flash, Silverlight, robots)<br />
* Test for non-production data in live environment, and vice-versa<br />
* Check for sensitive data in client-side code (e.g. API keys, credentials)<br />
<br />
== Secure Transmission ==<br />
* [[Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_(OTG-CRYPST-001) | Check SSL Version, Algorithms, Key length]]<br />
* Check for Digital Certificate Validity (Duration, Signature and CN)<br />
* Check credentials only delivered over HTTPS<br />
* Check that the login form is delivered over HTTPS<br />
* Check session tokens only delivered over HTTPS<br />
* [[Test_HTTP_Strict_Transport_Security_(OTG-CONFIG-009) | Check if HTTP Strict Transport Security (HSTS) in use]]<br />
<br />
== Authentication ==<br />
* [[Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002) | Test for user enumeration]]<br />
* [[Testing_for_Bypassing_Authentication_Schema_(OTG-AUTHN-004) | Test for authentication bypass]]<br />
* [[Testing_for_Brute_Force_(OWASP-AT-004) | Test for brute force protection]]<br />
* [[Testing_for_Credentials_Transported_over_an_Encrypted_Channel_(OTG-AUTHN-001)|Test for Credentials Transported over an Encrypted Channel]]<br />
* [[Testing_for_Weak_password_policy_(OTG-AUTHN-007)|Test password quality rules]]<br />
* Test remember me functionality<br />
* Test password reset and/or recovery<br />
* Test password change process<br />
* Test CAPTCHA<br />
* Test multi-factor authentication<br />
* Test for logout functionality presence<br />
* Test for cache management on HTTP (e.g. Pragma, Expires, Max-age)<br />
* Test for default logins<br />
* Test for user-accessible authentication history<br />
* Test for out-of-channel notification of account lockouts and successful password changes<br />
* Test for consistent authentication across applications with shared authentication schema / SSO and alternative channels<br />
* Test for Weak security question/answer<br />
<br />
== Session Management ==<br />
* Establish how session management is handled in the application (e.g. tokens in cookies, token in URL)<br />
* [[Testing_for_cookies_attributes_(OTG-SESS-002)|Check session tokens for cookie flags (httpOnly and secure)]]<br />
* [[Testing_for_cookies_attributes_(OTG-SESS-002)|Check session cookie scope (path and domain)]]<br />
* Check session cookie duration (expires and max-age)<br />
* [[Test_Session_Timeout_(OTG-SESS-007)|Check session termination after a maximum lifetime]]<br />
* [[Test_Session_Timeout_(OTG-SESS-007)|Check session termination after relative timeout]]<br />
* [[Testing_for_logout_functionality_(OTG-SESS-006)|Check session termination after logout]]<br />
* Test to see if users can have multiple simultaneous sessions<br />
* [[Testing_for_Session_Management_Schema_(OTG-SESS-001)#Session_ID_Predictability_and_Randomness | Test session cookies for randomness]]<br />
* Confirm that new session tokens are issued on login, role change and logout<br />
* Test for consistent session management across applications with shared session management<br />
* Test for session puzzling<br />
* Test for CSRF and clickjacking<br />
<br />
== Authorization ==<br />
* [[Testing_Directory_traversal/file_include_(OTG-AUTHZ-001)|Test for path traversal]]<br />
* [[Testing_for_Privilege_escalation_(OTG-AUTHZ-003)|Test for vertical Access control problems (a.k.a. Privilege Escalation)]]<br />
* Test for horizontal Access control problems (between two users at the same privilege level)<br />
* [[Testing_for_Bypassing_Authorization_Schema_(OTG-AUTHZ-002)|Test for missing authorisation]]<br />
* [[Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004)|Test for Insecure Direct Object References]]<br />
<br />
== Data Validation ==<br />
* [[Testing_for_Reflected_Cross_site_scripting_(OTG-INPVAL-001)|Test for Reflected Cross Site Scripting]]<br />
* [[Testing_for_Stored_Cross_site_scripting_(OTG-INPVAL-002)|Test for Stored Cross Site Scripting]]<br />
* [[Testing_for_DOM-based_Cross_site_scripting_(OTG-CLIENT-001)|Test for DOM based Cross Site Scripting]]<br />
* Test for Cross Site Flashing<br />
* Test for HTML Injection<br />
* [[Testing_for_SQL_Injection_(OTG-INPVAL-005)|Test for SQL Injection]]<br />
* Test for LDAP Injection<br />
* [[Testing_for_ORM_Injection_(OTG-INPVAL-007)|Test for ORM Injection]]<br />
* [[Testing_for_XML_Injection_(OTG-INPVAL-008)|Test for XML Injection]]<br />
* Test for XXE Injection<br />
* [[Testing_for_SSI_Injection_(OTG-INPVAL-009)|Test for SSI Injection]]<br />
* [[Testing_for_XPath_Injection_(OTG-INPVAL-010)|Test for XPath Injection]]<br />
* Test for XQuery Injection<br />
* [[Testing_for_IMAP/SMTP_Injection_(OTG-INPVAL-011)|Test for IMAP/SMTP Injection]]<br />
* [[Testing_for_Code_Injection_(OTG-INPVAL-012)|Test for Code Injection]]<br />
* Test for Expression Language Injection<br />
* [[Testing_for_Command_Injection_(OTG-INPVAL-013)|Test for Command Injection]]<br />
* Test for Overflow ([[Testing_for_Stack_Overflow|Stack]], [[Testing_for_Heap_Overflow|Heap]] and Integer)<br />
* [[Testing_for_Format_String|Test for Format String]]<br />
* Test for incubated vulnerabilities<br />
* [[Testing_for_HTTP_Splitting/Smuggling_(OTG-INPVAL-016)|Test for HTTP Splitting/Smuggling]]<br />
* Test for HTTP Verb Tampering<br />
* [[Top_10_2013-A10-Unvalidated_Redirects_and_Forwards|Test for Open Redirection]]<br />
* [[Testing_for_Local_File_Inclusion|Test for Local File Inclusion]]<br />
* [[Testing_for_Remote_File_Inclusion|Test for Remote File Inclusion]]<br />
* Compare client-side and server-side validation rules<br />
* Test for NoSQL injection<br />
* Test for HTTP parameter pollution<br />
* Test for auto-binding<br />
* Test for Mass Assignment<br />
* Test for NULL/Invalid Session Cookie<br />
<br />
== Denial of Service ==<br />
* Test for anti-automation<br />
* [[Testing_for_Weak_lock_out_mechanism_(OTG-AUTHN-003)|Test for account lockout]]<br />
* Test for HTTP protocol DoS<br />
* Test for SQL wildcard DoS<br />
<br />
== Business Logic ==<br />
* [[Test_business_logic_data_validation_(OTG-BUSLOGIC-001) | Test business logic data validation]] <br />
* [[Test_Ability_to_forge_requests_(OTG-BUSLOGIC-002) | Test ability to forge requests]]<br />
* Test for feature misuse<br />
* Test for lack of non-repudiation<br />
* Test for trust relationships<br />
* [[Test_integrity_checks_(OTG-BUSLOGIC-003) | Test for integrity of data]]<br />
* Test segregation of duties<br />
* [[Test_for_Process_Timing_(OTG-BUSLOGIC-007) | Test for Process Timing]]<br />
* [[Test_number_of_times_a_function_can_be_used_limits_(OTG-BUSLOGIC-007) | Test Number of Times a Function Can be Used Limits]]<br />
* [[Testing_for_the_Circumvention_of_Work_Flows_(OTG-BUSLOGIC-009) | Test for the Circumvention of Work Flows]]<br />
* [[Test_defenses_against_application_mis-use_(OTG-BUSLOGIC-011) | Test Defenses Against Application Mis-use]]<br />
* [[Test_Upload_of_Unexpected_File_Types_(OTG-BUSLOGIC-015) | Test Upload of Unexpected File Types]]<br />
* [[Test_Upload_of_Malicious_Files_(OTG-BUSLOGIC-016) | Test upload of malicious files]]<br />
<br />
== Cryptography ==<br />
* [[Testing_for_Sensitive_information_sent_via_unencrypted_channels_(OTG-CRYPST-003)|Check if data which should be encrypted is not]]<br />
* Check for wrong algorithms usage depending on context<br />
* [[Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_(OTG-CRYPST-001)|Check for weak algorithms usage]]<br />
* [[Password_Storage_Cheat_Sheet#Use_a_cryptographically_strong_credential-specific_salt | Check for proper use of salting]]<br />
* [[Insecure_Randomness | Check for randomness functions]]<br />
<br />
== Risky Functionality - File Uploads ==<br />
* [[Test_Upload_of_Unexpected_File_Types_(OTG-BUSLOGIC-008)|Test that acceptable file types are whitelisted and non-whitelisted types are rejected]]<br />
* Test that file size limits, upload frequency and total file counts are defined and are enforced<br />
* Test that file contents match the defined file type<br />
* [[Test_Upload_of_Malicious_Files_(OTG-BUSLOGIC-009)|Test that all file uploads have Anti-Virus scanning in place]]<br />
* Test that unsafe filenames are sanitised<br />
* Test that uploaded files are not directly accessible within the web root<br />
* Test that uploaded files are not served on the same hostname/port<br />
* Test that files and other media are integrated with the authentication and authorisation schemas<br />
<br />
== Risky Functionality - Card Payment ==<br />
* Test for known vulnerabilities and configuration issues on Web Server and Web Application<br />
* Test for default or guessable password<br />
* Test for non-production data in live environment, and vice-versa<br />
* [[Injection_Flaws | Test for Injection vulnerabilities ]]<br />
* [[Testing_for_Buffer_Overflow_(OTG-INPVAL-014) | Test for Buffer Overflows]]<br />
* [[Top_10_2010-A7-Insecure_Cryptographic_Storage | Test for Insecure Cryptographic Storage]]<br />
* [[Top_10_2010-A9-Insufficient_Transport_Layer_Protection | Test for Insufficient Transport Layer Protection]]<br />
* [[Web_Application_Security_Testing_Cheat_Sheet#Error_Handling|Test for Improper Error Handling]]<br />
* Test for all vulnerabilities with a CVSS v2 score > 4.0<br />
* Test for Authentication and Authorization issues<br />
* [[Testing_for_CSRF_(OTG-SESS-005)|Test for CSRF]]<br />
<br />
== Web Service Testing ==<br />
* [[Web_Service_Security_Testing_Cheat_Sheet | Test for Web Service Issues]]<br />
* [[REST_Assessment_Cheat_Sheet | Test REST]]<br />
<br />
== HTML 5 ==<br />
* [[Test_Web_Messaging_(OTG-CLIENT-011)|Test Web Messaging]]<br />
* [[Test_Local_Storage_(OTG-CLIENT-012)|Test for Web Storage SQL injection]]<br />
* [[Test_Cross_Origin_Resource_Sharing_(OTG-CLIENT-007)|Check CORS implementation]]<br />
* [[HTML5_Security_Cheat_Sheet#Offline_Applications | Check Offline Web Application]]<br />
<br />
== Error Handling ==<br />
* [[Testing_for_Error_Code_(OTG-ERR-001)|Check for Error Codes]]<br />
* [[Testing_for_Stack_Traces_(OTG-ERR-002)|Check for Stack Traces]]<br />
<br />
== Other Formats ==<br />
* DradisPro template format [https://github.com/raesene/OWASP_Web_App_Testing_Cheatsheet_Converter/blob/master/OWASP_Web_Application_Testing_Cheat_Sheet.xml on github]<br />
* Asana template on [http://templana.com/templates/owasp-website-security-checklist/ Templana] (thanks to Bastien Siebman)<br />
<br />
== Authors and contributors ==<br />
<br />
[[User:Simon Bennetts|Simon Bennetts]]<br/><br />
[[User:Raesene|Rory McCune]] <br/><br />
Colin Watson<br/><br />
Simone Onofri<br/><br />
[[User:Amro_Ahmed|Amro AlOlaqi]] <br />
<br />
All above are authors of the [[OWASP_Testing_Guide_v3_Table_of_Contents | Testing Guide v3]] <br />
<br />
[[User:Ryan_Dewhurst|Ryan Dewhurst]]<br/><br />
[[User:Frank.catucci | Frank Catucci]]<br />
<br />
== Related articles ==<br />
<br />
* OWASP [[:Category:OWASP Testing Project|Testing Guide]]<br />
* Mozilla [https://wiki.mozilla.org/WebAppSec/Web_Security_Verification Web Security Verification]<br />
<br />
== Other Cheatsheets ==<br />
<br />
{{Cheatsheet_Navigation}}<br />
<br />
[[Category:Cheatsheets]] [[Category:OWASP_Breakers]]</div>VinMillerhttps://wiki.owasp.org/index.php?title=Web_Application_Security_Testing_Cheat_Sheet&diff=204646Web Application Security Testing Cheat Sheet2015-12-06T19:08:20Z<p>VinMiller: /* Purpose */</p>
<hr />
<div>= Introduction =<br />
<br />
This cheat sheet provides a checklist of tasks to be performed during blackbox security testing of a web application.<br />
<br />
= Purpose =<br />
<br />
This checklist is intended to be used as an aide-mémoire for experienced pentesters and should be used in conjunction with the [[:Category:OWASP Testing Project|OWASP Testing Guide]]. It will be updated as the [[OWASP_Application_Testing_guide_v4|Testing Guide v4]] progresses.<br />
<br />
The intention is that this guide will be available as an XML document, with scripts that convert it into formats such as PDF, MediaWiki markup, HTML, etc.<br />
<br />
This will allow it to be consumed within security tools as well as being available in a format suitable for printing.<br />
<br />
All feedback or offers of help will be appreciated - and if you have specific changes you think should be made, please log in and make suggestions.<br />
<br />
= The Checklist =<br />
<br />
== Information Gathering ==<br />
* Manually explore the site<br />
* [[Testing:_Spidering_and_googling | Spider/crawl]] for missed or hidden content<br />
* [[Review_Webserver_Metafiles_for_Information_Leakage_(OTG-INFO-003)|Check the Webserver Metafiles]] for information leakage files that expose content, such as robots.txt, sitemap.xml, .DS_Store<br />
* [[Conduct_search_engine_discovery/reconnaissance_for_information_leakage_(OTG-INFO-001)|Check the caches of major search engines for publicly accessible sites]]<br />
* Check for differences in content based on User Agent (e.g. mobile sites, access as a search engine crawler)<br />
* [[Review_webpage_comments_and_metadata_for_information_leakage_(OTG-INFO-005) | Check The Webpage Comments and Metadata for Information Leakage]]<br />
* [[Fingerprint_Web_Application_Framework_(OTG-INFO-008) | Check The Web Application Framework]]<br />
* [[Fingerprint_Web_Server_(OTG-INFO-002)|Perform Web Application Fingerprinting]]<br />
* Identify technologies used<br />
* [[Test_Role_Definitions_(OTG-IDENT-001)|Identify user roles]]<br />
* [[Identify_application_entry_points_(OTG-INFO-006) | Identify application entry points]]<br />
* Identify client-side code<br />
* Identify multiple versions/channels (e.g. web, mobile web, mobile app)<br />
* [[Web_Services | Identify web services]]<br />
* Identify co-hosted and related applications<br />
* Identify all hostnames and ports<br />
* Identify third-party hosted content<br />
<br />
== Configuration Management ==<br />
* Check for commonly used application and administrative URLs<br />
* [[4.3.4_Review_Old,_Backup_and_Unreferenced_Files_for_Sensitive_Information_(OTG-CONFIG-004) | Check for old, backup and unreferenced files]]<br />
* [[Test_HTTP_Methods_(OTG-CONFIG-006) | Check HTTP methods supported and Cross Site Tracing (XST)]]<br />
* [[4.3.3_Test_File_Extensions_Handling_for_Sensitive_Information_(OTG-CONFIG-003) | Test file extensions handling]]<br />
* [[Test_RIA_cross_domain_policy_(OTG-CONFIG-008) | Test RIA cross domain policy]]<br />
* Test for [[List_of_useful_HTTP_headers | security HTTP headers]] (e.g. CSP, X-Frame-Options, HSTS)<br />
* Test for policies (e.g. Flash, Silverlight, robots)<br />
* Test for non-production data in live environment, and vice-versa<br />
* Check for sensitive data in client-side code (e.g. API keys, credentials)<br />
<br />
== Secure Transmission ==<br />
* [[Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_(OTG-CRYPST-001) | Check SSL Version, Algorithms, Key length]]<br />
* Check for Digital Certificate Validity (Duration, Signature and CN)<br />
* Check credentials only delivered over HTTPS<br />
* Check that the login form is delivered over HTTPS<br />
* Check session tokens only delivered over HTTPS<br />
* [[Test_HTTP_Strict_Transport_Security_(OTG-CONFIG-009) | Check if HTTP Strict Transport Security (HSTS) in use]]<br />
<br />
== Authentication ==<br />
* [[Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002) | Test for user enumeration]]<br />
* [[Testing_for_Bypassing_Authentication_Schema_(OTG-AUTHN-004) | Test for authentication bypass]]<br />
* [[Testing_for_Brute_Force_(OWASP-AT-004) | Test for brute force protection]]<br />
* [[Testing_for_Credentials_Transported_over_an_Encrypted_Channel_(OTG-AUTHN-001)|Test for Credentials Transported over an Encrypted Channel]]<br />
* [[Testing_for_Weak_password_policy_(OTG-AUTHN-007)|Test password quality rules]]<br />
* Test remember me functionality<br />
* Test password reset and/or recovery<br />
* Test password change process<br />
* Test CAPTCHA<br />
* Test multi-factor authentication<br />
* Test for logout functionality presence<br />
* Test for cache management on HTTP (e.g. Pragma, Expires, Max-age)<br />
* Test for default logins<br />
* Test for user-accessible authentication history<br />
* Test for out-of-channel notification of account lockouts and successful password changes<br />
* Test for consistent authentication across applications with shared authentication schema / SSO and alternative channels<br />
* Test for Weak security question/answer<br />
<br />
== Session Management ==<br />
* Establish how session management is handled in the application (e.g. tokens in cookies, token in URL)<br />
* [[Testing_for_cookies_attributes_(OTG-SESS-002)|Check session tokens for cookie flags (httpOnly and secure)]]<br />
* [[Testing_for_cookies_attributes_(OTG-SESS-002)|Check session cookie scope (path and domain)]]<br />
* Check session cookie duration (expires and max-age)<br />
* [[Test_Session_Timeout_(OTG-SESS-007)|Check session termination after a maximum lifetime]]<br />
* [[Test_Session_Timeout_(OTG-SESS-007)|Check session termination after relative timeout]]<br />
* [[Testing_for_logout_functionality_(OTG-SESS-006)|Check session termination after logout]]<br />
* Test to see if users can have multiple simultaneous sessions<br />
* [[Testing_for_Session_Management_Schema_(OTG-SESS-001)#Session_ID_Predictability_and_Randomness | Test session cookies for randomness]]<br />
* Confirm that new session tokens are issued on login, role change and logout<br />
* Test for consistent session management across applications with shared session management<br />
* Test for session puzzling<br />
* Test for CSRF and clickjacking<br />
<br />
== Authorization ==<br />
* [[Testing_Directory_traversal/file_include_(OTG-AUTHZ-001)|Test for path traversal]]<br />
* [[Testing_for_Privilege_escalation_(OTG-AUTHZ-003)|Test for vertical Access control problems (a.k.a. Privilege Escalation)]]<br />
* Test for horizontal Access control problems (between two users at the same privilege level)<br />
* [[Testing_for_Bypassing_Authorization_Schema_(OTG-AUTHZ-002)|Test for missing authorisation]]<br />
* [[Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004)|Test for Insecure Direct Object References]]<br />
<br />
== Data Validation ==<br />
* [[Testing_for_Reflected_Cross_site_scripting_(OTG-INPVAL-001)|Test for Reflected Cross Site Scripting]]<br />
* [[Testing_for_Stored_Cross_site_scripting_(OTG-INPVAL-002)|Test for Stored Cross Site Scripting]]<br />
* [[Testing_for_DOM-based_Cross_site_scripting_(OTG-CLIENT-001)|Test for DOM based Cross Site Scripting]]<br />
* Test for Cross Site Flashing<br />
* Test for HTML Injection<br />
* [[Testing_for_SQL_Injection_(OTG-INPVAL-005)|Test for SQL Injection]]<br />
* Test for LDAP Injection<br />
* [[Testing_for_ORM_Injection_(OTG-INPVAL-007)|Test for ORM Injection]]<br />
* [[Testing_for_XML_Injection_(OTG-INPVAL-008)|Test for XML Injection]]<br />
* Test for XXE Injection<br />
* [[Testing_for_SSI_Injection_(OTG-INPVAL-009)|Test for SSI Injection]]<br />
* [[Testing_for_XPath_Injection_(OTG-INPVAL-010)|Test for XPath Injection]]<br />
* Test for XQuery Injection<br />
* [[Testing_for_IMAP/SMTP_Injection_(OTG-INPVAL-011)|Test for IMAP/SMTP Injection]]<br />
* [[Testing_for_Code_Injection_(OTG-INPVAL-012)|Test for Code Injection]]<br />
* Test for Expression Language Injection<br />
* [[Testing_for_Command_Injection_(OTG-INPVAL-013)|Test for Command Injection]]<br />
* Test for Overflow ([[Testing_for_Stack_Overflow|Stack]], [[Testing_for_Heap_Overflow|Heap]] and Integer)<br />
* [[Testing_for_Format_String|Test for Format String]]<br />
* Test for incubated vulnerabilities<br />
* [[Testing_for_HTTP_Splitting/Smuggling_(OTG-INPVAL-016)|Test for HTTP Splitting/Smuggling]]<br />
* Test for HTTP Verb Tampering<br />
* [[Top_10_2013-A10-Unvalidated_Redirects_and_Forwards|Test for Open Redirection]]<br />
* [[Testing_for_Local_File_Inclusion|Test for Local File Inclusion]]<br />
* [[Testing_for_Remote_File_Inclusion|Test for Remote File Inclusion]]<br />
* Compare client-side and server-side validation rules<br />
* Test for NoSQL injection<br />
* Test for HTTP parameter pollution<br />
* Test for auto-binding<br />
* Test for Mass Assignment<br />
* Test for NULL/Invalid Session Cookie<br />
<br />
== Denial of Service ==<br />
* Test for anti-automation<br />
* [[Testing_for_Weak_lock_out_mechanism_(OTG-AUTHN-003)|Test for account lockout]]<br />
* Test for HTTP protocol DoS<br />
* Test for SQL wildcard DoS<br />
<br />
== Business Logic ==<br />
* [[Test_business_logic_data_validation_(OTG-BUSLOGIC-001) | Test business logic data validation]] <br />
* [[Test_Ability_to_forge_requests_(OTG-BUSLOGIC-002) | Test ability to forge requests]]<br />
* Test for feature misuse<br />
* Test for lack of non-repudiation<br />
* Test for trust relationships<br />
* [[Test_integrity_checks_(OTG-BUSLOGIC-003) | Test for integrity of data]]<br />
* Test segregation of duties<br />
* [[Test_for_Process_Timing_(OTG-BUSLOGIC-007) | Test for Process Timing]]<br />
* [[Test_number_of_times_a_function_can_be_used_limits_(OTG-BUSLOGIC-007) | Test Number of Times a Function Can be Used Limits]]<br />
* [[Testing_for_the_Circumvention_of_Work_Flows_(OTG-BUSLOGIC-009) | Test for the Circumvention of Work Flows]]<br />
* [[Test_defenses_against_application_mis-use_(OTG-BUSLOGIC-011) | Test Defenses Against Application Mis-use]]<br />
* [[Test_Upload_of_Unexpected_File_Types_(OTG-BUSLOGIC-015) | Test Upload of Unexpected File Types]]<br />
* [[Test_Upload_of_Malicious_Files_(OTG-BUSLOGIC-016) | Test upload of malicious files]]<br />
<br />
== Cryptography ==<br />
* [[Testing_for_Sensitive_information_sent_via_unencrypted_channels_(OTG-CRYPST-003)|Check if data which should be encrypted is not]]<br />
* Check for wrong algorithms usage depending on context<br />
* [[Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_(OTG-CRYPST-001)|Check for weak algorithms usage]]<br />
* [[Password_Storage_Cheat_Sheet#Use_a_cryptographically_strong_credential-specific_salt | Check for proper use of salting]]<br />
* [[Insecure_Randomness | Check for randomness functions]]<br />
<br />
== Risky Functionality - File Uploads ==<br />
* [[Test_Upload_of_Unexpected_File_Types_(OTG-BUSLOGIC-008)|Test that acceptable file types are whitelisted and non-whitelisted types are rejected]]<br />
* Test that file size limits, upload frequency and total file counts are defined and are enforced<br />
* Test that file contents match the defined file type<br />
* [[Test_Upload_of_Malicious_Files_(OTG-BUSLOGIC-009)|Test that all file uploads have Anti-Virus scanning in place]]<br />
* Test that unsafe filenames are sanitised<br />
* Test that uploaded files are not directly accessible within the web root<br />
* Test that uploaded files are not served on the same hostname/port<br />
* Test that files and other media are integrated with the authentication and authorisation schemas<br />
<br />
== Risky Functionality - Card Payment ==<br />
* Test for known vulnerabilities and configuration issues on Web Server and Web Application<br />
* Test for default or guessable password<br />
* Test for non-production data in live environment, and vice-versa<br />
* [[Injection_Flaws | Test for Injection vulnerabilities ]]<br />
* [[Testing_for_Buffer_Overflow_(OTG-INPVAL-014) | Test for Buffer Overflows]]<br />
* [[Top_10_2010-A7-Insecure_Cryptographic_Storage | Test for Insecure Cryptographic Storage]]<br />
* [[Top_10_2010-A9-Insufficient_Transport_Layer_Protection | Test for Insufficient Transport Layer Protection]]<br />
* [[Web_Application_Security_Testing_Cheat_Sheet#Error_Handling|Test for Improper Error Handling]]<br />
* Test for all vulnerabilities with a CVSS v2 score > 4.0<br />
* Test for Authentication and Authorization issues<br />
* [[Testing_for_CSRF_(OTG-SESS-005)|Test for CSRF]]<br />
<br />
== Web Service Testing ==<br />
* [[Web_Service_Security_Testing_Cheat_Sheet | Test for Web Service Issues]]<br />
* [[REST_Assessment_Cheat_Sheet | Test REST]]<br />
<br />
== HTML 5 ==<br />
* [[Test_Web_Messaging_(OTG-CLIENT-011)|Test Web Messaging]]<br />
* [[Test_Local_Storage_(OTG-CLIENT-012)|Test for Web Storage SQL injection]]<br />
* [[Test_Cross_Origin_Resource_Sharing_(OTG-CLIENT-007)|Check CORS implementation]]<br />
* [[HTML5_Security_Cheat_Sheet#Offline_Applications | Check Offline Web Application]]<br />
<br />
== Error Handling ==<br />
* [[Testing_for_Error_Code_(OTG-ERR-001)|Check for Error Codes]]<br />
* [[Testing_for_Stack_Traces_(OTG-ERR-002)|Check for Stack Traces]]<br />
<br />
== Other Formats ==<br />
* DradisPro template format [https://github.com/raesene/OWASP_Web_App_Testing_Cheatsheet_Converter/blob/master/OWASP_Web_Application_Testing_Cheat_Sheet.xml on github]<br />
* Asana template on [http://templana.com/templates/owasp-website-security-checklist/ Templana] (thanks to Bastien Siebman)<br />
<br />
== Authors and contributors ==<br />
<br />
[[User:Simon Bennetts|Simon Bennetts]]<br/><br />
[[User:Raesene|Rory McCune]] <br/><br />
Colin Watson<br/><br />
Simone Onofri<br/><br />
[[User:Amro_Ahmed|Amro AlOlaqi]] <br />
<br />
All of the above are authors of the [[OWASP_Testing_Guide_v3_Table_of_Contents | Testing Guide v3]] <br />
<br />
[[User:Ryan_Dewhurst|Ryan Dewhurst]]<br/><br />
[[User:Frank.catucci | Frank Catucci]]<br />
<br />
== Related articles ==<br />
<br />
* OWASP [[:Category:OWASP Testing Project|Testing Guide]]<br />
* Mozilla [https://wiki.mozilla.org/WebAppSec/Web_Security_Verification Web Security Verification]<br />
<br />
== Other Cheatsheets ==<br />
<br />
{{Cheatsheet_Navigation}}<br />
<br />
[[Category:Cheatsheets]] [[Category:OWASP_Breakers]]</div>VinMillerhttps://wiki.owasp.org/index.php?title=Talk:Web_Application_Security_Testing_Cheat_Sheet&diff=204621Talk:Web Application Security Testing Cheat Sheet2015-12-05T18:43:51Z<p>VinMiller: /* Overall structure of the document */</p>
<hr />
<div>I’ve been reviewing this document in hopes of getting it out of Draft status by the end of the year. <br />
<br />
My comments fall into three overall categories:<br />
1) Overall structure of the document<br />
2) Excluding some items that seem to me beyond the scope of security and venture into business or functional-spec testing (important topics, but not security-focused per se)<br />
3) Various other details.<br />
<br />
== Overall structure of the document ==<br />
I like the checklist-oriented approach of this document, and I like most of the overall category breakdown. But I have a few comments:<br />
* Right now, the contents list three sections: [1] Introduction, [2] Purpose, and [3] The Checklist. However, this checklist piece includes credits/authors etc. I believe we need to move these to a new fourth section: “[4] Appendices”<br />
* I also believe that readers would be well served by seeing some of these categories split further into subcategories.<br />
<br />
So right now the overall order of the categories is this:<br />
<br />
1 Introduction<br />
<br />
2 Purpose<br />
<br />
3 The Checklist<br />
<br />
-- -- 3.1 Information Gathering<br />
<br />
-- -- 3.2 Configuration Management<br />
<br />
-- -- 3.3 Secure Transmission <br />
<br />
-- -- 3.4 Authentication<br />
<br />
-- -- 3.5 Session Management<br />
<br />
-- -- 3.6 Authorization<br />
<br />
-- -- 3.7 Data Validation<br />
<br />
-- -- 3.8 Denial of Service<br />
<br />
-- -- 3.9 Business Logic<br />
<br />
-- -- 3.10 Cryptography<br />
<br />
-- -- 3.11 Risky Functionality - File Uploads<br />
<br />
-- -- 3.12 Risky Functionality - Card Payment<br />
<br />
-- -- 3.13 Web Service Testing<br />
<br />
-- -- 3.14 HTML 5<br />
<br />
-- -- 3.15 Error Handling<br />
<br />
-- -- 3.16 Other Formats<br />
<br />
-- -- 3.17 Authors and contributors<br />
<br />
-- -- 3.18 Related articles<br />
<br />
-- -- 3.19 Other Cheatsheets<br />
<br />
I’d suggest a change to the following (Note that some of my comments further below actually would modify this further still):<br />
<br />
1 Introduction<br />
<br />
2 Purpose<br />
<br />
3 The Checklist<br />
<br />
-- -- 3.1 Information Gathering<br />
<br />
-- -- -- -- Rendered Site Review<br />
<br />
-- -- -- -- Development Review<br />
<br />
-- -- -- -- Hosting and Platform Review<br />
<br />
-- -- 3.2 Configuration Management<br />
<br />
-- -- 3.3 Secure Transmission<br />
<br />
-- -- 3.4 Authentication<br />
<br />
-- -- -- -- Application Password Functionality<br />
<br />
-- -- -- -- Additional Authentication Functionality<br />
<br />
-- -- 3.5 Authorization<br />
<br />
-- -- 3.6 Cryptography<br />
<br />
-- -- 3.7 Session Management<br />
<br />
-- -- 3.8 Data Validation<br />
<br />
-- -- 3.9 Denial of Service<br />
<br />
-- -- 3.10 Business Logic<br />
<br />
-- -- 3.11 Specific Risky Functionality<br />
<br />
-- -- -- -- File Uploads<br />
<br />
-- -- -- -- Payments<br />
<br />
-- -- 3.12 Web Service Testing<br />
<br />
-- -- 3.13 HTML 5<br />
<br />
-- -- 3.14 Error Handling<br />
<br />
4 Appendices<br />
<br />
-- -- 4.1 Other Formats<br />
<br />
-- -- 4.2 Authors and Contributors<br />
<br />
-- -- 4.3 Related Articles<br />
<br />
-- -- 4.4 Other cheatsheets<br />
<br />
<br />
I would also remove HTML5 and distribute its contents under other categories. (Place WebStorage Injection under Data Validation, etc.)<br />
<br />
== Excluding some items that seem to me beyond the scope of security and venture into business or functional-spec testing (important topics, but not security-focused per se) ==<br />
There are a few items in here that seem to me to go beyond the bounds of security. I recognize that part of the value of a checklist is to be comprehensive but I also think this level of comprehensiveness needs to be balanced by focus (in our case, a security focus):<br />
* Under “Configuration Management” we have listed “Test for non-production data in live environment, and vice-versa.” This seems more of a business-testing issue to me (are the data accurate) rather than security. While this could have a security impact – such as incorrect passwords or exposure of data – I think that other points of the cheatsheet would in fact catch these issues. (I really worry that this bloats the checklist and opens a bit of a Pandora’s box – for instance I could make an argument, along the same lines, that “badly labelled textboxes” could also cause a security issue – if “last name” is marked “password” a user could store their password in cleartext… but presumably correct labelling is a business-testing issue rather than a specific security-testing issue)<br />
<br />
* The entire “Business Logic” category also seems problematic to me in this context. Several of these items are not security focused while others could belong in other categories (“Test for integrity of data” seems to belong in Data Validation to me, while “Test Upload Of Unexpected File Types” belongs under “Risky Functionality: File Uploads”). I would remove this category and relocate relevant bullet points to other areas.<br />
<br />
== Various other details ==<br />
* Under “Purpose” the sentence “All feedback or offers of help will be appreciated - and if you have specific chances you think should be made, just get stuck in.” sounds awkward to me: I suggest “All feedback or offers of help will be appreciated - and if you have specific changes you think should be made, please log in and make suggestions.”<br />
* I’d include a point under authentication regarding OAuth2 and/or SAML: “Test OAuth2 and/or SAML approaches, and ensure that the most appropriate methods and scopes are used.”<br />
* I’d include a point regarding network rights on the host (what user account is the app run under, and are the rights appropriate - for example, excluding Execute rights for the user an app is run under is yet another safeguard against malicious file upload)<br />
<br />
<br />
- VM</div>VinMillerhttps://wiki.owasp.org/index.php?title=Talk:Web_Application_Security_Testing_Cheat_Sheet&diff=204620Talk:Web Application Security Testing Cheat Sheet2015-12-05T18:43:31Z<p>VinMiller: /* Various other details */</p>
<hr />
<div>I’ve been reviewing this document in hopes of getting it out of Draft status by the end of the year. <br />
<br />
My comments fall into three overall categories:<br />
1) Overall structure of the document<br />
2) Excluding some items that seem to me beyond the scope of security and venture into business or functional-spec testing (important topics, but not security-focused per se)<br />
3) Various other details.<br />
<br />
== Overall structure of the document ==<br />
I like the checklist-oriented approach of this document, and I like most of the overall category breakdown. But I have a few comments:<br />
* Right now, the contents list three sections: [1] Introduction, [2] Purpose, and [3] The Checklist. However, this checklist piece includes credits/authors etc. I believe we need to move these to a new fourth section: “[4] Appendices”<br />
* I also believe that readers would be well served by seeing some of these categories split further into subcategories.<br />
<br />
So right now the overall order of the categories is this:<br />
<br />
1 Introduction<br />
<br />
2 Purpose<br />
<br />
3 The Checklist<br />
<br />
-- -- 3.1 Information Gathering<br />
<br />
-- -- 3.2 Configuration Management<br />
<br />
-- -- 3.3 Secure Transmission <br />
<br />
-- -- 3.4 Authentication<br />
<br />
-- -- 3.5 Session Management<br />
<br />
-- -- 3.6 Authorization<br />
<br />
-- -- 3.7 Data Validation<br />
<br />
-- -- 3.8 Denial of Service<br />
<br />
-- -- 3.9 Business Logic<br />
<br />
-- -- 3.10 Cryptography<br />
<br />
-- -- 3.11 Risky Functionality - File Uploads<br />
<br />
-- -- 3.12 Risky Functionality - Card Payment<br />
<br />
-- -- 3.13 Web Service Testing<br />
<br />
-- -- 3.14 HTML 5<br />
<br />
-- -- 3.15 Error Handling<br />
<br />
-- -- 3.16 Other Formats<br />
<br />
-- -- 3.17 Authors and contributors<br />
<br />
-- -- 3.18 Related articles<br />
<br />
-- -- 3.19 Other Cheatsheets<br />
<br />
I’d suggest a change to the following (Note that some of my comments further below actually would modify this further still):<br />
<br />
1 Introduction<br />
<br />
2 Purpose<br />
<br />
3 The Checklist<br />
<br />
-- -- 3.1 Information Gathering<br />
<br />
-- -- -- -- Rendered Site Review<br />
<br />
-- -- -- -- Development Review<br />
<br />
-- -- -- -- Hosting and Platform Review<br />
<br />
-- -- 3.2 Configuration Management<br />
<br />
-- -- 3.3 Secure Transmission<br />
<br />
-- -- 3.4 Authentication<br />
<br />
-- -- -- -- Application Password Functionality<br />
<br />
-- -- -- -- Additional Authentication Functionality<br />
<br />
-- -- 3.5 Authorization<br />
<br />
-- -- 3.6 Cryptography<br />
<br />
-- -- 3.7 Session Management<br />
<br />
-- -- 3.8 Data Validation<br />
<br />
-- -- 3.9 Denial of Service<br />
<br />
-- -- 3.10 Business Logic<br />
<br />
-- -- 3.11 Specific Risky Functionality<br />
<br />
-- -- -- -- File Uploads<br />
<br />
-- -- -- -- Payments<br />
<br />
-- -- 3.12 Web Service Testing<br />
<br />
-- -- 3.13 HTML 5<br />
<br />
-- -- 3.14 Error Handling<br />
<br />
4 Appendices<br />
<br />
-- -- 4.1 Other Formats<br />
<br />
-- -- 4.2 Authors and Contributors<br />
<br />
-- -- 4.3 Related Articles<br />
<br />
-- -- 4.4 Other cheatsheets<br />
<br />
<br />
I would also remove HTML5 and distribute its contents under other categories. (Place WebStorage Injection under Data Validation, etc.)<br />
<br />
== Excluding some items that seem to me beyond the scope of security and venture into business or functional-spec testing (important topics, but not security-focused per se) ==<br />
There are a few items in here that seem to me to go beyond the bounds of security. I recognize that part of the value of a checklist is to be comprehensive but I also think this level of comprehensiveness needs to be balanced by focus (in our case, a security focus):<br />
* Under “Configuration Management” we have listed “Test for non-production data in live environment, and vice-versa.” This seems more of a business-testing issue to me (are the data accurate) rather than security. While this could have a security impact – such as incorrect passwords or exposure of data-- I think that other points of the cheatsheet would in fact catch these issues.(I really worry that this bloats the checklist and opens a bit of a pandora’s box – for instance I could make an argument, along the same lines, that “badly labelled textboxes” could also cause a security issue – if “last name” is marked “password” a user could store their password in cleartext… but presumably correct labelling is a business-testing issue rather than a specific security-testing issue)<br />
<br />
* The entire “Business Logic” category also seems problematic to me in this context. Several of these items are not security focused while others could belong in other categories (“Test for integrity of data” seems to belong in Data Validation to me, while “Test Upload Of Unexpected File Types” belongs under “Risky Functionality: File Uploads”). I would remove this category and relocate relevant bullet points to other areas.<br />
<br />
== Various other details ==<br />
* Under “Purpose” the sentence “All feedback or offers of help will be appreciated - and if you have specific chances you think should be made, just get stuck in.” sounds awkward to me: I suggest “All feedback or offers of help will be appreciated - and if you have specific changes you think should be made, please log in and make suggestions.”<br />
* I’d include a point under authentication regarding Oauth2 and/or SAML: “Test oAuth2 and/or SAML approaches, and ensure that most appropriate methods and scopes are used.”<br />
* I’d include a point on regarding network rights on the host (what user account is the app run under, and are the rights appropriate - for example, excluding Execute rights for the user an app is run under is yet another safeguard against malicious file upload)<br />
<br />
<br />
- VM</div>VinMillerhttps://wiki.owasp.org/index.php?title=Talk:Web_Application_Security_Testing_Cheat_Sheet&diff=204619Talk:Web Application Security Testing Cheat Sheet2015-12-05T18:43:09Z<p>VinMiller: /* Overall structure of the document */</p>
<hr />
<div>I’ve been reviewing this document in hopes of getting it out of Draft status by the end of the year. <br />
<br />
My comments fall into three overall categories:<br />
1) Overall structure of the document<br />
2) Excluding some items that seem to me beyond the scope of security and venture into business or functional-spec testing (important topics, but not security-focused per se)<br />
3) Various other details.<br />
<br />
== Overall structure of the document ==<br />
I like the checklist-oriented approach of this document, and I like most of the overall category breakdown. But I have a few comments:<br />
* Right now, the contents list three sections: [1] Introduction, [2] Purpose, and [3] The Checklist. However, this checklist piece includes credits/authors etc. I believe we need to move these to a new fourth section: “[4] Appendices”<br />
* I also believe that readers would be well served by seeing some of these categories split further into subcategories.<br />
<br />
So right now the overall order of the categories is this:<br />
<br />
1 Introduction<br />
<br />
2 Purpose<br />
<br />
3 The Checklist<br />
<br />
-- -- 3.1 Information Gathering<br />
<br />
-- -- 3.2 Configuration Management<br />
<br />
-- -- 3.3 Secure Transmission <br />
<br />
-- -- 3.4 Authentication<br />
<br />
-- -- 3.5 Session Management<br />
<br />
-- -- 3.6 Authorization<br />
<br />
-- -- 3.7 Data Validation<br />
<br />
-- -- 3.8 Denial of Service<br />
<br />
-- -- 3.9 Business Logic<br />
<br />
-- -- 3.10 Cryptography<br />
<br />
-- -- 3.11 Risky Functionality - File Uploads<br />
<br />
-- -- 3.12 Risky Functionality - Card Payment<br />
<br />
-- -- 3.13 Web Service Testing<br />
<br />
-- -- 3.14 HTML 5<br />
<br />
-- -- 3.15 Error Handling<br />
<br />
-- -- 3.16 Other Formats<br />
<br />
-- -- 3.17 Authors and contributors<br />
<br />
-- -- 3.18 Related articles<br />
<br />
-- -- 3.19 Other Cheatsheets<br />
<br />
I’d suggest a change to the following (Note that some of my comments further below actually would modify this further still):<br />
<br />
1 Introduction<br />
<br />
2 Purpose<br />
<br />
3 The Checklist<br />
<br />
-- -- 3.1 Information Gathering<br />
<br />
-- -- -- -- Rendered Site Review<br />
<br />
-- -- -- -- Development Review<br />
<br />
-- -- -- -- Hosting and Platform Review<br />
<br />
-- -- 3.2 Configuration Management<br />
<br />
-- -- 3.3 Secure Transmission<br />
<br />
-- -- 3.4 Authentication<br />
<br />
-- -- -- -- Application Password Functionality<br />
<br />
-- -- -- -- Additional Authentication Functionality<br />
<br />
-- -- 3.5 Authorization<br />
<br />
-- -- 3.6 Cryptography<br />
<br />
-- -- 3.7 Session Management<br />
<br />
-- -- 3.8 Data Validation<br />
<br />
-- -- 3.9 Denial of Service<br />
<br />
-- -- 3.10 Business Logic<br />
<br />
-- -- 3.11 Specific Risky Functionality<br />
<br />
-- -- -- -- File Uploads<br />
<br />
-- -- -- -- Payments<br />
<br />
-- -- 3.12 Web Service Testing<br />
<br />
-- -- 3.13 HTML 5<br />
<br />
-- -- 3.14 Error Handling<br />
<br />
4 Appendices<br />
<br />
-- -- 4.1 Other Formats<br />
<br />
-- -- 4.2 Authors and Contributors<br />
<br />
-- -- 4.3 Related Articles<br />
<br />
-- -- 4.4 Other cheatsheets<br />
<br />
<br />
I would also remove HTML5 and distribute its contents under other categories. (Place WebStorage Injection under Data Validation, etc.)<br />
<br />
== Excluding some items that seem to me beyond the scope of security and venture into business or functional-spec testing (important topics, but not security-focused per se) ==<br />
There are a few items in here that seem to me to go beyond the bounds of security. I recognize that part of the value of a checklist is to be comprehensive but I also think this level of comprehensiveness needs to be balanced by focus (in our case, a security focus):<br />
* Under “Configuration Management” we have listed “Test for non-production data in live environment, and vice-versa.” This seems more of a business-testing issue to me (are the data accurate) rather than security. While this could have a security impact – such as incorrect passwords or exposure of data-- I think that other points of the cheatsheet would in fact catch these issues.(I really worry that this bloats the checklist and opens a bit of a pandora’s box – for instance I could make an argument, along the same lines, that “badly labelled textboxes” could also cause a security issue – if “last name” is marked “password” a user could store their password in cleartext… but presumably correct labelling is a business-testing issue rather than a specific security-testing issue)<br />
<br />
* The entire “Business Logic” category also seems problematic to me in this context. Several of these items are not security focused while others could belong in other categories (“Test for integrity of data” seems to belong in Data Validation to me, while “Test Upload Of Unexpected File Types” belongs under “Risky Functionality: File Uploads”). I would remove this category and relocate relevant bullet points to other areas.<br />
<br />
== Various other details ==<br />
* Under “Purpose” the sentence “All feedback or offers of help will be appreciated - and if you have specific chances you think should be made, just get stuck in.” sounds awkward to me: I suggest “All feedback or offers of help will be appreciated - and if you have specific changes you think should be made, please log in and make suggestions.”<br />
* I’d include a point under authentication regarding Oauth2 and/or SAML: “Test oAuth2 and/or SAML approaches, and ensure that most appropriate methods and scopes are used.”<br />
* I’d include a point on regarding network rights on the host (what user account is the app run under, and are the rights appropriate (for example, excluding Execute rights for the user an app is run under is yet another safeguard against malicious file upload)<br />
<br />
<br />
- VM</div>VinMillerhttps://wiki.owasp.org/index.php?title=Talk:Web_Application_Security_Testing_Cheat_Sheet&diff=204618Talk:Web Application Security Testing Cheat Sheet2015-12-05T18:42:48Z<p>VinMiller: /* Excluding some items that seem to me beyond the scope of security and venture into business or functional-spec testing (important topics, but not security-focused per se) */</p>
<hr />
<div>I’ve been reviewing this document in hopes of getting it out of Draft status by the end of the year. <br />
<br />
My comments fall into three overall categories:<br />
1) Overall structure of the document<br />
2) Excluding some items that seem to me beyond the scope of security and venture into business or functional-spec testing (important topics, but not security-focused per se)<br />
3) Various other details.<br />
<br />
== Overall structure of the document ==<br />
I like the checklist-oriented approach of this document, and I like most of the overall category breakdown. But I have a few comments:<br />
* Right now, the contents list three sections: [1] Introduction, [2] Purpose, and [3] The Checklist. However, this checklist piece includes credits/authors etc. I believe we need to move these to a new fourth section: “[4] Appendices”<br />
* I also believe that readers would be well served by seeing some of these categories split further into subcategories.<br />
<br />
So right now the overall order of the categories is this:<br />
<br />
1 Introduction<br />
<br />
2 Purpose<br />
<br />
3 The Checklist<br />
<br />
-- -- 3.1 Information Gathering<br />
<br />
-- -- 3.2 Configuration Management<br />
<br />
-- -- 3.3 Secure Transmission <br />
<br />
-- -- 3.4 Authentication<br />
<br />
-- -- 3.5 Session Management<br />
<br />
-- -- 3.6 Authorization<br />
<br />
-- -- 3.7 Data Validation<br />
<br />
-- -- 3.8 Denial of Service<br />
<br />
-- -- 3.9 Business Logic<br />
<br />
-- -- 3.10 Cryptography<br />
<br />
-- -- 3.11 Risky Functionality - File Uploads<br />
<br />
-- -- 3.12 Risky Functionality - Card Payment<br />
<br />
-- -- 3.13 Web Service Testing<br />
<br />
-- -- 3.14 HTML 5<br />
<br />
-- -- 3.15 Error Handling<br />
<br />
-- -- 3.16 Other Formats<br />
<br />
-- -- 3.17 Authors and contributors<br />
<br />
-- -- 3.18 Related articles<br />
<br />
-- -- 3.19 Other Cheatsheets<br />
<br />
I’d suggest a change to the following (Note that some of my comments further below actually would modify this further still):<br />
<br />
1 Introduction<br />
<br />
2 Purpose<br />
<br />
3 The Checklist<br />
<br />
-- -- 3.1 Information Gathering<br />
<br />
-- -- -- -- Rendered Site Review<br />
<br />
-- -- -- -- Development Review<br />
<br />
-- -- -- -- Hosting and Platform Review<br />
<br />
-- -- 3.2 Configuration Management<br />
<br />
-- -- 3.3 Secure Transmission<br />
<br />
-- -- 3.4 Authentication<br />
<br />
-- -- -- -- Application Password Functionality<br />
<br />
-- -- -- -- Additional Authentication Functionality<br />
<br />
-- -- 3.5 Authorization<br />
<br />
-- -- 3.6 Cryptography<br />
<br />
-- -- 3.7 Session Management<br />
<br />
-- -- 3.8 Data Validation<br />
<br />
-- -- 3.9 Denial of Service<br />
<br />
-- -- 3.10 Business Logic<br />
<br />
-- -- 3.11 Specific Risky Functionality<br />
<br />
-- -- -- -- File Uploads<br />
<br />
-- -- -- -- Payments<br />
<br />
-- -- 3.13 Web Service Testing<br />
<br />
-- -- 3.14 HTML 5<br />
<br />
-- -- 3.15 Error Handling<br />
<br />
4 Appendices<br />
<br />
-- -- 4.1 Other Formats<br />
<br />
-- -- 4.2 Authors and Contributors<br />
<br />
-- -- 4.3 Related Articles<br />
<br />
-- -- 4.4 Other cheatsheets<br />
<br />
<br />
I would also remove HTML5 and distribute its contents under other categories. (Place WebStorage Injection under Data Validation, etc.)<br />
<br />
<br />
== Excluding some items that seem to me beyond the scope of security and venture into business or functional-spec testing (important topics, but not security-focused per se) ==<br />
There are a few items in here that seem to me to go beyond the bounds of security. I recognize that part of the value of a checklist is to be comprehensive but I also think this level of comprehensiveness needs to be balanced by focus (in our case, a security focus):<br />
* Under “Configuration Management” we have listed “Test for non-production data in live environment, and vice-versa.” This seems more of a business-testing issue to me (are the data accurate) rather than security. While this could have a security impact – such as incorrect passwords or exposure of data-- I think that other points of the cheatsheet would in fact catch these issues.(I really worry that this bloats the checklist and opens a bit of a pandora’s box – for instance I could make an argument, along the same lines, that “badly labelled textboxes” could also cause a security issue – if “last name” is marked “password” a user could store their password in cleartext… but presumably correct labelling is a business-testing issue rather than a specific security-testing issue)<br />
<br />
* The entire “Business Logic” category also seems problematic to me in this context. Several of these items are not security focused while others could belong in other categories (“Test for integrity of data” seems to belong in Data Validation to me, while “Test Upload Of Unexpected File Types” belongs under “Risky Functionality: File Uploads”). I would remove this category and relocate relevant bullet points to other areas.<br />
<br />
== Various other details ==<br />
* Under “Purpose” the sentence “All feedback or offers of help will be appreciated - and if you have specific chances you think should be made, just get stuck in.” sounds awkward to me: I suggest “All feedback or offers of help will be appreciated - and if you have specific changes you think should be made, please log in and make suggestions.”<br />
* I’d include a point under authentication regarding Oauth2 and/or SAML: “Test oAuth2 and/or SAML approaches, and ensure that most appropriate methods and scopes are used.”<br />
* I’d include a point on regarding network rights on the host (what user account is the app run under, and are the rights appropriate (for example, excluding Execute rights for the user an app is run under is yet another safeguard against malicious file upload)<br />
<br />
<br />
- VM</div>VinMillerhttps://wiki.owasp.org/index.php?title=Talk:Web_Application_Security_Testing_Cheat_Sheet&diff=204617Talk:Web Application Security Testing Cheat Sheet2015-12-05T18:39:35Z<p>VinMiller: Proposed changes and cleanups as we move to get this out of Draft status</p>
<hr />
<div>I’ve been reviewing this document in hopes of getting it out of Draft status by the end of the year. <br />
<br />
My comments fall into three overall categories:<br />
1) Overall structure of the document<br />
2) Excluding some items that seem to me beyond the scope of security and venture into business or functional-spec testing (important topics, but not security-focused per se)<br />
3) Various other details.<br />
<br />
== Overall structure of the document ==<br />
I like the checklist-oriented approach of this document, and I like most of the overall category breakdown. But I have a few comments:<br />
* Right now, the contents list three sections: [1] Introduction, [2] Purpose, and [3] The Checklist. However, this checklist piece includes credits/authors etc. I believe we need to move these to a new fourth section: “[4] Appendices”<br />
* I also believe that readers would be well served by seeing some of these categories split further into subcategories.<br />
<br />
So right now the overall order of the categories is this:<br />
<br />
1 Introduction<br />
<br />
2 Purpose<br />
<br />
3 The Checklist<br />
<br />
-- -- 3.1 Information Gathering<br />
<br />
-- -- 3.2 Configuration Management<br />
<br />
-- -- 3.3 Secure Transmission <br />
<br />
-- -- 3.4 Authentication<br />
<br />
-- -- 3.5 Session Management<br />
<br />
-- -- 3.6 Authorization<br />
<br />
-- -- 3.7 Data Validation<br />
<br />
-- -- 3.8 Denial of Service<br />
<br />
-- -- 3.9 Business Logic<br />
<br />
-- -- 3.10 Cryptography<br />
<br />
-- -- 3.11 Risky Functionality - File Uploads<br />
<br />
-- -- 3.12 Risky Functionality - Card Payment<br />
<br />
-- -- 3.13 Web Service Testing<br />
<br />
-- -- 3.14 HTML 5<br />
<br />
-- -- 3.15 Error Handling<br />
<br />
-- -- 3.16 Other Formats<br />
<br />
-- -- 3.17 Authors and contributors<br />
<br />
-- -- 3.18 Related articles<br />
<br />
-- -- 3.19 Other Cheatsheets<br />
<br />
I’d suggest a change to the following (Note that some of my comments further below actually would modify this further still):<br />
<br />
1 Introduction<br />
<br />
2 Purpose<br />
<br />
3 The Checklist<br />
<br />
-- -- 3.1 Information Gathering<br />
<br />
-- -- -- -- Rendered Site Review<br />
<br />
-- -- -- -- Development Review<br />
<br />
-- -- -- -- Hosting and Platform Review<br />
<br />
-- -- 3.2 Configuration Management<br />
<br />
-- -- 3.3 Secure Transmission<br />
<br />
-- -- 3.4 Authentication<br />
<br />
-- -- -- -- Application Password Functionality<br />
<br />
-- -- -- -- Additional Authentication Functionality<br />
<br />
-- -- 3.5 Authorization<br />
<br />
-- -- 3.6 Cryptography<br />
<br />
-- -- 3.7 Session Management<br />
<br />
-- -- 3.8 Data Validation<br />
<br />
-- -- 3.9 Denial of Service<br />
<br />
-- -- 3.10 Business Logic<br />
<br />
-- -- 3.11 Specific Risky Functionality<br />
<br />
-- -- -- -- File Uploads<br />
<br />
-- -- -- -- Payments<br />
<br />
-- -- 3.13 Web Service Testing<br />
<br />
-- -- 3.14 HTML 5<br />
<br />
-- -- 3.15 Error Handling<br />
<br />
4 Appendices<br />
<br />
-- -- 4.1 Other Formats<br />
<br />
-- -- 4.2 Authors and Contributors<br />
<br />
-- -- 4.3 Related Articles<br />
<br />
-- -- 4.4 Other cheatsheets<br />
<br />
<br />
I would also remove HTML5 and distribute its contents under other categories. (Place WebStorage Injection under Data Validation, etc.)<br />
<br />
<br />
== Excluding some items that seem to me beyond the scope of security and venture into business or functional-spec testing (important topics, but not security-focused per se) ==<br />
There are a few items in here that seem to me to go beyond the bounds of security. I recognize that part of the value of a checklist is to be comprehensive but I also think this level of comprehensiveness needs to be balanced by focus (in our case, a security focus):<br />
* Under “Configuration Management” we have listed “Test for non-production data in live environment, and vice-versa.” This seems more of a business-testing issue to me (are the data accurate) rather than security. While this could have a security impact – such as incorrect passwords or exposure of data-- I think that other points of the cheatsheet would in fact catch these issues.(I really worry that this bloats the checklist and opens a bit of a pandora’s box – for instance I could make an argument, along the same lines, that “badly labelled textboxes” could also cause a security issue – if “last name” is marked “password” a user could store their password in cleartext… but presumably correct labelling is a business-testing issue rather than a specific security-testing issue)<br />
<br />
* The entire “Business Logic” category also seems problematic to me in this context. Several of these items are not security focus while others could belong in other categories (“Test for integrity of data” seems to belong in Data Validation to me, while “Test Upload Of Unexpected File Types” belongs under “Risky Functionality: File Uploads”. I would remove this category and relocate relevant bullet points to other areas.<br />
<br />
<br />
== Various other details ==<br />
* Under “Purpose” the sentence “All feedback or offers of help will be appreciated - and if you have specific chances you think should be made, just get stuck in.” sounds awkward to me: I suggest “All feedback or offers of help will be appreciated - and if you have specific changes you think should be made, please log in and make suggestions.”<br />
* I’d include a point under authentication regarding OAuth2 and/or SAML: “Test OAuth2 and/or SAML approaches, and ensure that the most appropriate methods and scopes are used.”<br />
* I’d include a point regarding network rights on the host (what user account is the app run under, and are the rights appropriate? For example, excluding Execute rights for the user an app is run under is yet another safeguard against malicious file upload).<br />
<br />
<br />
- VM</div>VinMillerhttps://wiki.owasp.org/index.php?title=Application_Security_Architecture_Cheat_Sheet&diff=204206Application Security Architecture Cheat Sheet2015-12-01T21:46:37Z<p>VinMiller: /* Authors and Primary Editors */</p>
<hr />
<div><br/><br />
= DRAFT CHEAT SHEET - WORK IN PROGRESS =<br />
<br />
<br/><br />
= Introduction = <br />
<br />
This cheat sheet offers tips for the initial design and review of an application's security architecture.<br />
<br />
<br/><br />
= Business Requirements = <br />
<br />
== Business Model ==<br />
<br />
* What is the application's primary business purpose?<br />
* How will the application make money?<br />
* What are the planned business milestones for developing or improving the application?<br />
* How is the application marketed?<br />
* What key benefits does the application offer its users?<br />
* What business continuity provisions have been defined for the application?<br />
* What geographic areas does the application service?<br />
<br />
== Data Essentials ==<br />
<br />
* What data does the application receive, produce, and process?<br />
* How can the data be classified into categories according to its sensitivity?<br />
* How might an attacker benefit from capturing or modifying the data?<br />
* What data backup and retention requirements have been defined for the application?<br />
<br />
== End‐Users ==<br />
<br />
* Who are the application's end‐users?<br />
* How do the end‐users interact with the application?<br />
* What security expectations do the end‐users have?<br />
<br />
== Partners ==<br />
<br />
* Which third parties supply data to the application?<br />
* Which third parties receive data from the application?<br />
* Which third parties process the application's data?<br />
* What mechanisms are used to share data with third parties besides the application itself (EDI transmissions, FTP file processing, vendor-exposed APIs, etc.)?<br />
* What security requirements do the partners impose?<br />
<br />
== Administrators ==<br />
<br />
* Who has administrative capabilities in the application?<br />
* What administrative capabilities does the application offer?<br />
<br />
== Regulations ==<br />
<br />
* In what industries does the application operate?<br />
* What security‐related regulations apply?<br />
* What auditing and compliance regulations apply?<br />
* How will changes to regulatory requirements be communicated, managed and implemented over time?<br />
<br/><br />
<br />
= Infrastructure Requirements = <br />
<br />
== Network ==<br />
* What details regarding routing, switching, firewalling, and load‐balancing have been defined?<br />
* What network design supports the application?<br />
* What core network devices support the application?<br />
* What network performance requirements exist?<br />
* What private and public network links support the application?<br />
<br />
== Systems ==<br />
* What operating systems support the application?<br />
* What hardware requirements have been defined?<br />
* What details regarding required OS components and lock‐down needs have been defined?<br />
<br />
== Infrastructure Monitoring ==<br />
* What network and system performance monitoring requirements have been defined?<br />
* What mechanisms exist to detect malicious code or compromised application components?<br />
* What network and system security monitoring requirements have been defined?<br />
<br />
== Virtualization and Externalization ==<br />
* What aspects of the application lend themselves to virtualization?<br />
* What virtualization requirements have been defined for the application?<br />
* What aspects of the product may or may not be hosted via the cloud computing model? <br />
* If applicable, what approach(es) to cloud computing will be taken (Managed Hosting versus "Pure" Cloud, a "full machine" approach such as AWS-EC2 versus a "hosted database" approach such as AWS-RDS and Azure, etc.)?<br />
* How will the advantages and constraints of each approach be weighed and decided upon?<br />
<br />
<br/><br />
<br />
= Application Requirements =<br />
<br />
== Environment ==<br />
* What frameworks and programming languages have been used to create the application?<br />
* What process, code, or infrastructure dependencies have been defined for the application?<br />
* What databases and application servers support the application?<br />
* How will database connection strings, encryption keys, and other sensitive components be stored, accessed, and protected from unauthorized disclosure?<br />
<br />
== Data Processing ==<br />
* What data entry paths does the application support?<br />
* What data output paths does the application support?<br />
* How does data flow across the application's internal components?<br />
* What data input validation requirements have been defined?<br />
* What data does the application store and how?<br />
* What data is or may need to be encrypted and what key management requirements have been defined?<br />
* What capabilities exist to detect the leakage of sensitive data?<br />
* What encryption requirements have been defined for data in transit - including transmission over WAN, LAN, SecureFTP, or publicly accessible protocols such as http: and https:?<br />
<br />
== Access ==<br />
* What user privilege levels does the application support?<br />
* What user identification and authentication requirements have been defined?<br />
* What user authorization requirements have been defined?<br />
* What session management requirements have been defined?<br />
* What access requirements have been defined for URI and Service calls?<br />
* What user access restrictions have been defined?<br />
* How are user identities maintained throughout transaction calls?<br />
<br />
== Application Monitoring ==<br />
* What application auditing requirements have been defined?<br />
* What application performance monitoring requirements have been defined?<br />
* What application security monitoring requirements have been defined?<br />
* What application error handling and logging requirements have been defined? What processes are in place to show an end user only the minimum required information upon an error, and not to expose facets of application design, security, and implementation?<br />
* How are audit and debug logs accessed, stored, and secured?<br />
<br />
== Application Design ==<br />
* What application design review practices have been defined and executed?<br />
* How is intermediate or in-process data stored in the application components' memory and in cache?<br />
* How many logical tiers group the application's components?<br />
* What staging, testing, and Quality Assurance requirements have been defined?<br />
<br />
<br/><br />
= Security Program Requirements =<br />
<br />
== Operations ==<br />
* What is the process for identifying and addressing vulnerabilities in the application?<br />
* What is the process for identifying and addressing vulnerabilities in network and system components?<br />
* What access do system and network administrators have to the application's sensitive data?<br />
* What security incident requirements have been defined?<br />
* How do administrators access production infrastructure to manage it?<br />
* What physical controls restrict access to the application's components and data?<br />
* What is the process for granting access to the environment hosting the application?<br />
<br />
== Change Management ==<br />
* How are changes to the code controlled?<br />
* How are changes to the infrastructure controlled?<br />
* How is code deployed to production?<br />
* What mechanisms exist to detect violations of change management practices?<br />
<br />
== Software Development ==<br />
* What data is available to developers for testing?<br />
* How do developers assist with troubleshooting and debugging the application?<br />
* What requirements have been defined for controlling access to the application's source code?<br />
* What secure coding processes have been established?<br />
<br />
== Corporate ==<br />
* What corporate security program requirements have been defined?<br />
* What security training do developers and administrators undergo?<br />
* Which personnel oversee security processes and requirements related to the application?<br />
* What employee initiation and termination procedures have been defined?<br />
* What application requirements impose the need to enforce the principle of separation of duties?<br />
* What controls exist to prevent a compromise in the corporate environment from affecting production?<br />
* What security governance requirements have been defined?<br />
<br />
= Authors and Primary Editors =<br />
[http://www.zeltser.com Lenny Zeltser - First Draft 2012]<br />
<br />
[mailto:tony.turner@owasp.org Tony Turner - 2015 Format Change and Revisions]<br />
<br />
Vin Miller - 2015 Revisions<br />
<br />
= Other Cheatsheets =<br />
{{Cheatsheet_Navigation}} <br />
<br />
[[Category:Cheatsheets]]</div>VinMillerhttps://wiki.owasp.org/index.php?title=Application_Security_Architecture_Cheat_Sheet&diff=204205Application Security Architecture Cheat Sheet2015-12-01T21:46:22Z<p>VinMiller: /* Authors and Primary Editors */</p>
VinMillerhttps://wiki.owasp.org/index.php?title=Application_Security_Architecture_Cheat_Sheet&diff=204204Application Security Architecture Cheat Sheet2015-12-01T21:45:19Z<p>VinMiller: /* Partners */</p>
VinMillerhttps://wiki.owasp.org/index.php?title=Application_Security_Architecture_Cheat_Sheet&diff=204203Application Security Architecture Cheat Sheet2015-12-01T21:44:50Z<p>VinMiller: /* Application Monitoring */</p>
<hr />
<div><br/><br />
= DRAFT CHEAT SHEET - WORK IN PROGRESS =<br />
<br />
<br/><br />
= Introduction = <br />
<br />
This cheat sheet offers tips for the initial design and review of an application's security architecture.<br />
<br />
<br/><br />
= Business Requirements = <br />
<br />
== Business Model ==<br />
<br />
* What is the application's primary business purpose?<br />
* How will the application make money?<br />
* What are the planned business milestones for developing or improving the application?<br />
* How is the application marketed?<br />
* What key benefits does the application offer its users?<br />
* What business continuity provisions have been defined for the application?<br />
* What geographic areas does the application service?<br />
<br />
== Data Essentials ==<br />
<br />
* What data does the application receive, produce, and process?<br />
* How can the data be classified into categories according to its sensitivity?<br />
* How might an attacker benefit from capturing or modifying the data?<br />
* What data backup and retention requirements have been defined for the application?<br />
<br />
== End‐Users ==<br />
<br />
* Who are the application's end‐users?<br />
* How do the end‐users interact with the application?<br />
* What security expectations do the end‐users have?<br />
<br />
== Partners ==<br />
<br />
* Which third parties supply data to the application?<br />
* Which third parties receive data from the application?<br />
* Which third parties process the application's data?<br />
* What mechanisms are used to share data with third parties besides the application itself? (EDI transmissions, FTP file processing, vendor-exposed APIs, etc.)<br />
* What security requirements do the partners impose?<br />
<br />
== Administrators ==<br />
<br />
* Who has administrative capabilities in the application?<br />
* What administrative capabilities does the application offer?<br />
<br />
== Regulations ==<br />
<br />
* In what industries does the application operate?<br />
* What security‐related regulations apply?<br />
* What auditing and compliance regulations apply?<br />
* How will changes to regulatory requirements be communicated, managed and implemented over time?<br />
<br/><br />
<br />
= Infrastructure Requirements = <br />
<br />
== Network ==<br />
* What details regarding routing, switching, firewalling, and load‐balancing have been defined?<br />
* What network design supports the application?<br />
* What core network devices support the application?<br />
* What network performance requirements exist?<br />
* What private and public network links support the application?<br />
<br />
== Systems ==<br />
* What operating systems support the application?<br />
* What hardware requirements have been defined?<br />
* What details regarding required OS components and lock‐down needs have been defined?<br />
<br />
== Infrastructure Monitoring ==<br />
* What network and system performance monitoring requirements have been defined?<br />
* What mechanisms exist to detect malicious code or compromised application components?<br />
* What network and system security monitoring requirements have been defined?<br />
<br />
== Virtualization and Externalization ==<br />
* What aspects of the application lend themselves to virtualization?<br />
* What virtualization requirements have been defined for the application?<br />
* What aspects of the product may or may not be hosted via the cloud computing model? <br />
* If applicable, what approach(es) to cloud computing will be taken (Managed Hosting versus "Pure" Cloud, a "full machine" approach such as AWS-EC2 versus a "hosted database" approach such as AWS-RDS and Azure, etc.)?<br />
* How will the advantages and constraints of each approach be weighed and decided upon?<br />
<br />
<br/><br />
<br />
= Application Requirements =<br />
<br />
== Environment ==<br />
* What frameworks and programming languages have been used to create the application?<br />
* What process, code, or infrastructure dependencies have been defined for the application?<br />
* What databases and application servers support the application?<br />
* How will database connection strings, encryption keys, and other sensitive components be stored, accessed, and protected from unauthorized disclosure?<br />
<br />
== Data Processing ==<br />
* What data entry paths does the application support?<br />
* What data output paths does the application support?<br />
* How does data flow across the application's internal components?<br />
* What data input validation requirements have been defined?<br />
* What data does the application store and how?<br />
* What data is or may need to be encrypted and what key management requirements have been defined?<br />
* What capabilities exist to detect the leakage of sensitive data?<br />
* What encryption requirements have been defined for data in transit - including transmission over WAN, LAN, SecureFTP, or publicly accessible protocols such as HTTP and HTTPS?<br />
<br />
== Access ==<br />
* What user privilege levels does the application support?<br />
* What user identification and authentication requirements have been defined?<br />
* What user authorization requirements have been defined?<br />
* What session management requirements have been defined?<br />
* What access requirements have been defined for URI and Service calls?<br />
* What user access restrictions have been defined?<br />
* How are user identities maintained throughout transaction calls?<br />
<br />
== Application Monitoring ==<br />
* What application auditing requirements have been defined?<br />
* What application performance monitoring requirements have been defined?<br />
* What application security monitoring requirements have been defined?<br />
* What application error handling and logging requirements have been defined? What processes are in place to show an end user only the minimum required information upon an error, and not to expose facets of application design, security, and implementation?<br />
* How are audit and debug logs accessed, stored, and secured?<br />
<br />
== Application Design ==<br />
* What application design review practices have been defined and executed?<br />
* How is intermediate or in-process data stored in the application components' memory and in cache?<br />
* How many logical tiers group the application's components?<br />
* What staging, testing, and Quality Assurance requirements have been defined?<br />
<br />
<br/><br />
= Security Program Requirements =<br />
<br />
== Operations ==<br />
* What is the process for identifying and addressing vulnerabilities in the application?<br />
* What is the process for identifying and addressing vulnerabilities in network and system components?<br />
* What access do system and network administrators have to the application's sensitive data?<br />
* What security incident requirements have been defined?<br />
* How do administrators access production infrastructure to manage it?<br />
* What physical controls restrict access to the application's components and data?<br />
* What is the process for granting access to the environment hosting the application?<br />
<br />
== Change Management ==<br />
* How are changes to the code controlled?<br />
* How are changes to the infrastructure controlled?<br />
* How is code deployed to production?<br />
* What mechanisms exist to detect violations of change management practices?<br />
<br />
== Software Development ==<br />
* What data is available to developers for testing?<br />
* How do developers assist with troubleshooting and debugging the application?<br />
* What requirements have been defined for controlling access to the application's source code?<br />
* What secure coding processes have been established?<br />
<br />
== Corporate ==<br />
* What corporate security program requirements have been defined?<br />
* What security training do developers and administrators undergo?<br />
* Which personnel oversee security processes and requirements related to the application?<br />
* What employee initiation and termination procedures have been defined?<br />
* What application requirements impose the need to enforce the principle of separation of duties?<br />
* What controls exist to prevent a compromise in the corporate environment from affecting production?<br />
* What security governance requirements have been defined?<br />
<br />
= Authors and Primary Editors =<br />
[http://www.zeltser.com Lenny Zeltser - First Draft 2012]<br />
<br />
[mailto:tony.turner@owasp.org Tony Turner - 2015 Format Change and Revisions]<br />
<br />
= Other Cheatsheets =<br />
{{Cheatsheet_Navigation}} <br />
<br />
[[Category:Cheatsheets]]</div>VinMillerhttps://wiki.owasp.org/index.php?title=Application_Security_Architecture_Cheat_Sheet&diff=204202Application Security Architecture Cheat Sheet2015-12-01T21:44:20Z<p>VinMiller: /* Data Processing */</p>
<hr />
<div><br/><br />
= DRAFT CHEAT SHEET - WORK IN PROGRESS =<br />
<br />
<br/><br />
= Introduction = <br />
<br />
This cheat sheet offers tips for the initial design and review of an application's security architecture.<br />
<br />
<br/><br />
= Business Requirements = <br />
<br />
== Business Model ==<br />
<br />
* What is the application's primary business purpose?<br />
* How will the application make money?<br />
* What are the planned business milestones for developing or improving the application?<br />
* How is the application marketed?<br />
* What key benefits does the application offer its users?<br />
* What business continuity provisions have been defined for the application?<br />
* What geographic areas does the application service?<br />
<br />
== Data Essentials ==<br />
<br />
* What data does the application receive, produce, and process?<br />
* How can the data be classified into categories according to its sensitivity?<br />
* How might an attacker benefit from capturing or modifying the data?<br />
* What data backup and retention requirements have been defined for the application?<br />
<br />
== End-Users ==<br />
<br />
* Who are the application's end-users?<br />
* How do the end-users interact with the application?<br />
* What security expectations do the end-users have?<br />
<br />
== Partners ==<br />
<br />
* Which third parties supply data to the application?<br />
* Which third parties receive data from the application?<br />
* Which third parties process the application's data?<br />
* What mechanisms are used to share data with third parties besides the application itself? (EDI transmissions, FTP file processing, vendor-exposed APIs, etc.)<br />
* What security requirements do the partners impose?<br />
<br />
== Administrators ==<br />
<br />
* Who has administrative capabilities in the application?<br />
* What administrative capabilities does the application offer?<br />
<br />
== Regulations ==<br />
<br />
* In what industries does the application operate?<br />
* What security-related regulations apply?<br />
* What auditing and compliance regulations apply?<br />
* How will changes to regulatory requirements be communicated, managed and implemented over time?<br />
<br/><br />
<br />
= Infrastructure Requirements = <br />
<br />
== Network ==<br />
* What details regarding routing, switching, firewalling, and load-balancing have been defined?<br />
* What network design supports the application?<br />
* What core network devices support the application?<br />
* What network performance requirements exist?<br />
* What private and public network links support the application?<br />
<br />
== Systems ==<br />
* What operating systems support the application?<br />
* What hardware requirements have been defined?<br />
* What details regarding required OS components and lock-down needs have been defined?<br />
<br />
== Infrastructure Monitoring ==<br />
* What network and system performance monitoring requirements have been defined?<br />
* What mechanisms exist to detect malicious code or compromised application components?<br />
* What network and system security monitoring requirements have been defined?<br />
<br />
== Virtualization and Externalization ==<br />
* What aspects of the application lend themselves to virtualization?<br />
* What virtualization requirements have been defined for the application?<br />
* What aspects of the product may or may not be hosted via the cloud computing model? <br />
* If applicable, what approach(es) to cloud computing will be taken (Managed Hosting versus "Pure" Cloud, a "full machine" approach such as AWS-EC2 versus a "hosted database" approach such as AWS-RDS and Azure, etc.)?<br />
* How will the advantages and constraints of each approach be weighed and decided upon?<br />
<br />
<br/><br />
<br />
= Application Requirements =<br />
<br />
== Environment ==<br />
* What frameworks and programming languages have been used to create the application?<br />
* What process, code, or infrastructure dependencies have been defined for the application?<br />
* What databases and application servers support the application?<br />
* How will database connection strings, encryption keys, and other sensitive components be stored, accessed, and protected from unauthorized disclosure?<br />
<br />
== Data Processing ==<br />
* What data entry paths does the application support?<br />
* What data output paths does the application support?<br />
* How does data flow across the application's internal components?<br />
* What data input validation requirements have been defined?<br />
* What data does the application store and how?<br />
* What data is or may need to be encrypted and what key management requirements have been defined?<br />
* What capabilities exist to detect the leakage of sensitive data?<br />
* What encryption requirements have been defined for data in transit - including transmission over WAN, LAN, SecureFTP, or publicly accessible protocols such as HTTP and HTTPS?<br />
<br />
== Access ==<br />
* What user privilege levels does the application support?<br />
* What user identification and authentication requirements have been defined?<br />
* What user authorization requirements have been defined?<br />
* What session management requirements have been defined?<br />
* What access requirements have been defined for URI and Service calls?<br />
* What user access restrictions have been defined?<br />
* How are user identities maintained throughout transaction calls?<br />
<br />
== Application Monitoring ==<br />
* What application auditing requirements have been defined?<br />
* What application performance monitoring requirements have been defined?<br />
* What application security monitoring requirements have been defined?<br />
* What application error handling and logging requirements have been defined?<br />
* How are audit and debug logs accessed, stored, and secured?<br />
<br />
== Application Design ==<br />
* What application design review practices have been defined and executed?<br />
* How is intermediate or in-process data stored in the application components' memory and in cache?<br />
* How many logical tiers group the application's components?<br />
* What staging, testing, and Quality Assurance requirements have been defined?<br />
<br />
<br/><br />
= Security Program Requirements =<br />
<br />
== Operations ==<br />
* What is the process for identifying and addressing vulnerabilities in the application?<br />
* What is the process for identifying and addressing vulnerabilities in network and system components?<br />
* What access do system and network administrators have to the application's sensitive data?<br />
* What security incident requirements have been defined?<br />
* How do administrators access production infrastructure to manage it?<br />
* What physical controls restrict access to the application's components and data?<br />
* What is the process for granting access to the environment hosting the application?<br />
<br />
== Change Management ==<br />
* How are changes to the code controlled?<br />
* How are changes to the infrastructure controlled?<br />
* How is code deployed to production?<br />
* What mechanisms exist to detect violations of change management practices?<br />
<br />
== Software Development ==<br />
* What data is available to developers for testing?<br />
* How do developers assist with troubleshooting and debugging the application?<br />
* What requirements have been defined for controlling access to the application's source code?<br />
* What secure coding processes have been established?<br />
<br />
== Corporate ==<br />
* What corporate security program requirements have been defined?<br />
* What security training do developers and administrators undergo?<br />
* Which personnel oversee security processes and requirements related to the application?<br />
* What employee initiation and termination procedures have been defined?<br />
* What application requirements impose the need to enforce the principle of separation of duties?<br />
* What controls exist to prevent a compromise in the corporate environment from affecting production?<br />
* What security governance requirements have been defined?<br />
<br />
= Authors and Primary Editors =<br />
[http://www.zeltser.com Lenny Zeltser - First Draft 2012]<br />
<br />
[mailto:tony.turner@owasp.org Tony Turner - 2015 Format Change and Revisions]<br />
<br />
= Other Cheatsheets =<br />
{{Cheatsheet_Navigation}} <br />
<br />
[[Category:Cheatsheets]]</div>VinMillerhttps://wiki.owasp.org/index.php?title=Application_Security_Architecture_Cheat_Sheet&diff=204201Application Security Architecture Cheat Sheet2015-12-01T21:43:49Z<p>VinMiller: /* Environment */</p>
<hr />
<div><br/><br />
= DRAFT CHEAT SHEET - WORK IN PROGRESS =<br />
<br />
<br/><br />
= Introduction = <br />
<br />
This cheat sheet offers tips for the initial design and review of an application's security architecture.<br />
<br />
<br/><br />
= Business Requirements = <br />
<br />
== Business Model ==<br />
<br />
* What is the application's primary business purpose?<br />
* How will the application make money?<br />
* What are the planned business milestones for developing or improving the application?<br />
* How is the application marketed?<br />
* What key benefits does the application offer its users?<br />
* What business continuity provisions have been defined for the application?<br />
* What geographic areas does the application service?<br />
<br />
== Data Essentials ==<br />
<br />
* What data does the application receive, produce, and process?<br />
* How can the data be classified into categories according to its sensitivity?<br />
* How might an attacker benefit from capturing or modifying the data?<br />
* What data backup and retention requirements have been defined for the application?<br />
<br />
== End-Users ==<br />
<br />
* Who are the application's end-users?<br />
* How do the end-users interact with the application?<br />
* What security expectations do the end-users have?<br />
<br />
== Partners ==<br />
<br />
* Which third parties supply data to the application?<br />
* Which third parties receive data from the application?<br />
* Which third parties process the application's data?<br />
* What mechanisms are used to share data with third parties besides the application itself? (EDI transmissions, FTP file processing, vendor-exposed APIs, etc.)<br />
* What security requirements do the partners impose?<br />
<br />
== Administrators ==<br />
<br />
* Who has administrative capabilities in the application?<br />
* What administrative capabilities does the application offer?<br />
<br />
== Regulations ==<br />
<br />
* In what industries does the application operate?<br />
* What security-related regulations apply?<br />
* What auditing and compliance regulations apply?<br />
* How will changes to regulatory requirements be communicated, managed and implemented over time?<br />
<br/><br />
<br />
= Infrastructure Requirements = <br />
<br />
== Network ==<br />
* What details regarding routing, switching, firewalling, and load-balancing have been defined?<br />
* What network design supports the application?<br />
* What core network devices support the application?<br />
* What network performance requirements exist?<br />
* What private and public network links support the application?<br />
<br />
== Systems ==<br />
* What operating systems support the application?<br />
* What hardware requirements have been defined?<br />
* What details regarding required OS components and lock-down needs have been defined?<br />
<br />
== Infrastructure Monitoring ==<br />
* What network and system performance monitoring requirements have been defined?<br />
* What mechanisms exist to detect malicious code or compromised application components?<br />
* What network and system security monitoring requirements have been defined?<br />
<br />
== Virtualization and Externalization ==<br />
* What aspects of the application lend themselves to virtualization?<br />
* What virtualization requirements have been defined for the application?<br />
* What aspects of the product may or may not be hosted via the cloud computing model? <br />
* If applicable, what approach(es) to cloud computing will be taken (Managed Hosting versus "Pure" Cloud, a "full machine" approach such as AWS-EC2 versus a "hosted database" approach such as AWS-RDS and Azure, etc.)?<br />
* How will the advantages and constraints of each approach be weighed and decided upon?<br />
<br />
<br/><br />
<br />
= Application Requirements =<br />
<br />
== Environment ==<br />
* What frameworks and programming languages have been used to create the application?<br />
* What process, code, or infrastructure dependencies have been defined for the application?<br />
* What databases and application servers support the application?<br />
* How will database connection strings, encryption keys, and other sensitive components be stored, accessed, and protected from unauthorized disclosure?<br />
<br />
== Data Processing ==<br />
* What data entry paths does the application support?<br />
* What data output paths does the application support?<br />
* How does data flow across the application's internal components?<br />
* What data input validation requirements have been defined?<br />
* What data does the application store and how?<br />
* What data is or may need to be encrypted and what key management requirements have been defined?<br />
* What capabilities exist to detect the leakage of sensitive data?<br />
* What encryption requirements have been defined for data in transit over WAN and LAN links?<br />
<br />
== Access ==<br />
* What user privilege levels does the application support?<br />
* What user identification and authentication requirements have been defined?<br />
* What user authorization requirements have been defined?<br />
* What session management requirements have been defined?<br />
* What access requirements have been defined for URI and Service calls?<br />
* What user access restrictions have been defined?<br />
* How are user identities maintained throughout transaction calls?<br />
<br />
== Application Monitoring ==<br />
* What application auditing requirements have been defined?<br />
* What application performance monitoring requirements have been defined?<br />
* What application security monitoring requirements have been defined?<br />
* What application error handling and logging requirements have been defined?<br />
* How are audit and debug logs accessed, stored, and secured?<br />
<br />
== Application Design ==<br />
* What application design review practices have been defined and executed?<br />
* How is intermediate or in-process data stored in the application components' memory and in cache?<br />
* How many logical tiers group the application's components?<br />
* What staging, testing, and Quality Assurance requirements have been defined?<br />
<br />
<br/><br />
= Security Program Requirements =<br />
<br />
== Operations ==<br />
* What is the process for identifying and addressing vulnerabilities in the application?<br />
* What is the process for identifying and addressing vulnerabilities in network and system components?<br />
* What access do system and network administrators have to the application's sensitive data?<br />
* What security incident requirements have been defined?<br />
* How do administrators access production infrastructure to manage it?<br />
* What physical controls restrict access to the application's components and data?<br />
* What is the process for granting access to the environment hosting the application?<br />
<br />
== Change Management ==<br />
* How are changes to the code controlled?<br />
* How are changes to the infrastructure controlled?<br />
* How is code deployed to production?<br />
* What mechanisms exist to detect violations of change management practices?<br />
<br />
== Software Development ==<br />
* What data is available to developers for testing?<br />
* How do developers assist with troubleshooting and debugging the application?<br />
* What requirements have been defined for controlling access to the application's source code?<br />
* What secure coding processes have been established?<br />
<br />
== Corporate ==<br />
* What corporate security program requirements have been defined?<br />
* What security training do developers and administrators undergo?<br />
* Which personnel oversee security processes and requirements related to the application?<br />
* What employee initiation and termination procedures have been defined?<br />
* What application requirements impose the need to enforce the principle of separation of duties?<br />
* What controls exist to prevent a compromise in the corporate environment from affecting production?<br />
* What security governance requirements have been defined?<br />
<br />
= Authors and Primary Editors =<br />
[http://www.zeltser.com Lenny Zeltser - First Draft 2012]<br />
<br />
[mailto:tony.turner@owasp.org Tony Turner - 2015 Format Change and Revisions]<br />
<br />
= Other Cheatsheets =<br />
{{Cheatsheet_Navigation}} <br />
<br />
[[Category:Cheatsheets]]</div>VinMillerhttps://wiki.owasp.org/index.php?title=Application_Security_Architecture_Cheat_Sheet&diff=204200Application Security Architecture Cheat Sheet2015-12-01T21:43:25Z<p>VinMiller: /* Virtualization and Externalization */</p>
<hr />
<div><br/><br />
= DRAFT CHEAT SHEET - WORK IN PROGRESS =<br />
<br />
<br/><br />
= Introduction = <br />
<br />
This cheat sheet offers tips for the initial design and review of an application's security architecture.<br />
<br />
<br/><br />
= Business Requirements = <br />
<br />
== Business Model ==<br />
<br />
* What is the application's primary business purpose?<br />
* How will the application make money?<br />
* What are the planned business milestones for developing or improving the application?<br />
* How is the application marketed?<br />
* What key benefits does the application offer its users?<br />
* What business continuity provisions have been defined for the application?<br />
* What geographic areas does the application service?<br />
<br />
== Data Essentials ==<br />
<br />
* What data does the application receive, produce, and process?<br />
* How can the data be classified into categories according to its sensitivity?<br />
* How might an attacker benefit from capturing or modifying the data?<br />
* What data backup and retention requirements have been defined for the application?<br />
<br />
== End-Users ==<br />
<br />
* Who are the application's end-users?<br />
* How do the end-users interact with the application?<br />
* What security expectations do the end-users have?<br />
<br />
== Partners ==<br />
<br />
* Which third parties supply data to the application?<br />
* Which third parties receive data from the application?<br />
* Which third parties process the application's data?<br />
* What mechanisms are used to share data with third parties besides the application itself? (EDI transmissions, FTP file processing, vendor-exposed APIs, etc.)<br />
* What security requirements do the partners impose?<br />
<br />
== Administrators ==<br />
<br />
* Who has administrative capabilities in the application?<br />
* What administrative capabilities does the application offer?<br />
<br />
== Regulations ==<br />
<br />
* In what industries does the application operate?<br />
* What security-related regulations apply?<br />
* What auditing and compliance regulations apply?<br />
* How will changes to regulatory requirements be communicated, managed and implemented over time?<br />
<br/><br />
<br />
= Infrastructure Requirements = <br />
<br />
== Network ==<br />
* What details regarding routing, switching, firewalling, and load-balancing have been defined?<br />
* What network design supports the application?<br />
* What core network devices support the application?<br />
* What network performance requirements exist?<br />
* What private and public network links support the application?<br />
<br />
== Systems ==<br />
* What operating systems support the application?<br />
* What hardware requirements have been defined?<br />
* What details regarding required OS components and lock-down needs have been defined?<br />
<br />
== Infrastructure Monitoring ==<br />
* What network and system performance monitoring requirements have been defined?<br />
* What mechanisms exist to detect malicious code or compromised application components?<br />
* What network and system security monitoring requirements have been defined?<br />
<br />
== Virtualization and Externalization ==<br />
* What aspects of the application lend themselves to virtualization?<br />
* What virtualization requirements have been defined for the application?<br />
* What aspects of the product may or may not be hosted via the cloud computing model? <br />
* If applicable, what approach(es) to cloud computing will be taken (Managed Hosting versus "Pure" Cloud, a "full machine" approach such as AWS-EC2 versus a "hosted database" approach such as AWS-RDS and Azure, etc.)?<br />
* How will the advantages and constraints of each approach be weighed and decided upon?<br />
<br />
<br/><br />
<br />
= Application Requirements =<br />
<br />
== Environment ==<br />
* What frameworks and programming languages have been used to create the application?<br />
* What process, code, or infrastructure dependencies have been defined for the application?<br />
* What databases and application servers support the application?<br />
<br />
== Data Processing ==<br />
* What data entry paths does the application support?<br />
* What data output paths does the application support?<br />
* How does data flow across the application's internal components?<br />
* What data input validation requirements have been defined?<br />
* What data does the application store and how?<br />
* What data is or may need to be encrypted and what key management requirements have been defined?<br />
* What capabilities exist to detect the leakage of sensitive data?<br />
* What encryption requirements have been defined for data in transit over WAN and LAN links?<br />
<br />
== Access ==<br />
* What user privilege levels does the application support?<br />
* What user identification and authentication requirements have been defined?<br />
* What user authorization requirements have been defined?<br />
* What session management requirements have been defined?<br />
* What access requirements have been defined for URI and Service calls?<br />
* What user access restrictions have been defined?<br />
* How are user identities maintained throughout transaction calls?<br />
<br />
== Application Monitoring ==<br />
* What application auditing requirements have been defined?<br />
* What application performance monitoring requirements have been defined?<br />
* What application security monitoring requirements have been defined?<br />
* What application error handling and logging requirements have been defined?<br />
* How are audit and debug logs accessed, stored, and secured?<br />
<br />
== Application Design ==<br />
* What application design review practices have been defined and executed?<br />
* How is intermediate or in-process data stored in the application components' memory and in cache?<br />
* How many logical tiers group the application's components?<br />
* What staging, testing, and Quality Assurance requirements have been defined?<br />
<br />
<br/><br />
= Security Program Requirements =<br />
<br />
== Operations ==<br />
* What is the process for identifying and addressing vulnerabilities in the application?<br />
* What is the process for identifying and addressing vulnerabilities in network and system components?<br />
* What access do system and network administrators have to the application's sensitive data?<br />
* What security incident requirements have been defined?<br />
* How do administrators access production infrastructure to manage it?<br />
* What physical controls restrict access to the application's components and data?<br />
* What is the process for granting access to the environment hosting the application?<br />
<br />
== Change Management ==<br />
* How are changes to the code controlled?<br />
* How are changes to the infrastructure controlled?<br />
* How is code deployed to production?<br />
* What mechanisms exist to detect violations of change management practices?<br />
<br />
== Software Development ==<br />
* What data is available to developers for testing?<br />
* How do developers assist with troubleshooting and debugging the application?<br />
* What requirements have been defined for controlling access to the application's source code?<br />
* What secure coding processes have been established?<br />
<br />
== Corporate ==<br />
* What corporate security program requirements have been defined?<br />
* What security training do developers and administrators undergo?<br />
* Which personnel oversee security processes and requirements related to the application?<br />
* What employee initiation and termination procedures have been defined?<br />
* What application requirements impose the need to enforce the principle of separation of duties?<br />
* What controls exist to prevent a compromise in the corporate environment from affecting production?<br />
* What security governance requirements have been defined?<br />
<br />
= Authors and Primary Editors =<br />
[http://www.zeltser.com Lenny Zeltser - First Draft 2012]<br />
<br />
[mailto:tony.turner@owasp.org Tony Turner - 2015 Format Change and Revisions]<br />
<br />
= Other Cheatsheets =<br />
{{Cheatsheet_Navigation}} <br />
<br />
[[Category:Cheatsheets]]</div>VinMillerhttps://wiki.owasp.org/index.php?title=Application_Security_Architecture_Cheat_Sheet&diff=204199Application Security Architecture Cheat Sheet2015-12-01T21:41:49Z<p>VinMiller: /* Regulations */</p>
<hr />
<div><br/><br />
= DRAFT CHEAT SHEET - WORK IN PROGRESS =<br />
<br />
<br/><br />
= Introduction = <br />
<br />
This cheat sheet offers tips for the initial design and review of an application's security architecture.<br />
<br />
<br/><br />
= Business Requirements = <br />
<br />
== Business Model ==<br />
<br />
* What is the application's primary business purpose?<br />
* How will the application make money?<br />
* What are the planned business milestones for developing or improving the application?<br />
* How is the application marketed?<br />
* What key benefits does the application offer its users?<br />
* What business continuity provisions have been defined for the application?<br />
* What geographic areas does the application service?<br />
<br />
== Data Essentials ==<br />
<br />
* What data does the application receive, produce, and process?<br />
* How can the data be classified into categories according to its sensitivity?<br />
* How might an attacker benefit from capturing or modifying the data?<br />
* What data backup and retention requirements have been defined for the application?<br />
<br />
== End‐Users ==<br />
<br />
* Who are the application's end‐users?<br />
* How do the end‐users interact with the application?<br />
* What security expectations do the end‐users have?<br />
<br />
== Partners ==<br />
<br />
* Which third parties supply data to the application?<br />
* Which third parties receive data from the application?<br />
* Which third parties process the application's data?<br />
* What mechanisms are used to share data with third parties besides the application itself? (EDI transmissions, FTP file processing, vendor-exposed APIs, etc.)<br />
* What security requirements do the partners impose?<br />
<br />
== Administrators ==<br />
<br />
* Who has administrative capabilities in the application?<br />
* What administrative capabilities does the application offer?<br />
<br />
== Regulations ==<br />
<br />
* In what industries does the application operate?<br />
* What security‐related regulations apply?<br />
* What auditing and compliance regulations apply?<br />
* How will changes to regulatory requirements be communicated, managed and implemented over time?<br />
<br/><br />
<br />
= Infrastructure Requirements = <br />
<br />
== Network ==<br />
* What details regarding routing, switching, firewalling, and load‐balancing have been defined?<br />
* What network design supports the application?<br />
* What core network devices support the application?<br />
* What network performance requirements exist?<br />
* What private and public network links support the application?<br />
<br />
== Systems ==<br />
* What operating systems support the application?<br />
* What hardware requirements have been defined?<br />
* What details regarding required OS components and lock‐down needs have been defined?<br />
<br />
== Infrastructure Monitoring ==<br />
* What network and system performance monitoring requirements have been defined?<br />
* What mechanisms exist to detect malicious code or compromised application components?<br />
* What network and system security monitoring requirements have been defined?<br />
<br />
== Virtualization and Externalization ==<br />
* What aspects of the application lend themselves to virtualization?<br />
* What virtualization requirements have been defined for the application?<br />
* What aspects of the product may or may not be hosted via the cloud computing model?<br />
<br />
<br/><br />
= Application Requirements =<br />
<br />
== Environment ==<br />
* What frameworks and programming languages have been used to create the application?<br />
* What process, code, or infrastructure dependencies have been defined for the application?<br />
* What databases and application servers support the application?<br />
<br />
== Data Processing ==<br />
* What data entry paths does the application support?<br />
* What data output paths does the application support?<br />
* How does data flow across the application's internal components?<br />
* What data input validation requirements have been defined?<br />
* What data does the application store and how?<br />
* What data is or may need to be encrypted and what key management requirements have been defined?<br />
* What capabilities exist to detect the leakage of sensitive data?<br />
* What encryption requirements have been defined for data in transit over WAN and LAN links?<br />
<br />
== Access ==<br />
* What user privilege levels does the application support?<br />
* What user identification and authentication requirements have been defined?<br />
* What user authorization requirements have been defined?<br />
* What session management requirements have been defined?<br />
* What access requirements have been defined for URI and Service calls?<br />
* What user access restrictions have been defined?<br />
* How are user identities maintained throughout transaction calls?<br />
<br />
== Application Monitoring ==<br />
* What application auditing requirements have been defined?<br />
* What application performance monitoring requirements have been defined?<br />
* What application security monitoring requirements have been defined?<br />
* What application error handling and logging requirements have been defined?<br />
* How are audit and debug logs accessed, stored, and secured?<br />
<br />
== Application Design ==<br />
* What application design review practices have been defined and executed?<br />
* How is intermediate or in-process data stored in the application components' memory and in cache?<br />
* How many logical tiers group the application's components?<br />
* What staging, testing, and Quality Assurance requirements have been defined?<br />
<br />
<br/><br />
= Security Program Requirements =<br />
<br />
== Operations ==<br />
* What is the process for identifying and addressing vulnerabilities in the application?<br />
* What is the process for identifying and addressing vulnerabilities in network and system components?<br />
* What access do system and network administrators have to the application's sensitive data?<br />
* What security incident requirements have been defined?<br />
* How do administrators access production infrastructure to manage it?<br />
* What physical controls restrict access to the application's components and data?<br />
* What is the process for granting access to the environment hosting the application?<br />
<br />
== Change Management ==<br />
* How are changes to the code controlled?<br />
* How are changes to the infrastructure controlled?<br />
* How is code deployed to production?<br />
* What mechanisms exist to detect violations of change management practices?<br />
<br />
== Software Development ==<br />
* What data is available to developers for testing?<br />
* How do developers assist with troubleshooting and debugging the application?<br />
* What requirements have been defined for controlling access to the application's source code?<br />
* What secure coding processes have been established?<br />
<br />
== Corporate ==<br />
* What corporate security program requirements have been defined?<br />
* What security training do developers and administrators undergo?<br />
* Which personnel oversee security processes and requirements related to the application?<br />
* What employee initiation and termination procedures have been defined?<br />
* What application requirements impose the need to enforce the principle of separation of duties?<br />
* What controls exist to prevent a compromise in the corporate environment from affecting production?<br />
* What security governance requirements have been defined?<br />
<br />
= Authors and Primary Editors =<br />
[http://www.zeltser.com Lenny Zeltser - First Draft 2012]<br />
<br />
[mailto:tony.turner@owasp.org Tony Turner - 2015 Format Change and Revisions]<br />
<br />
= Other Cheatsheets =<br />
{{Cheatsheet_Navigation}} <br />
<br />
[[Category:Cheatsheets]]</div>VinMiller
https://wiki.owasp.org/index.php?title=Application_Security_Architecture_Cheat_Sheet&diff=204198 Application Security Architecture Cheat Sheet 2015-12-01T21:41:20Z <p>VinMiller: /* Partners */</p>
<hr />
<div><br/><br />
= DRAFT CHEAT SHEET - WORK IN PROGRESS =<br />
<br />
<br/><br />
= Introduction = <br />
<br />
This cheat sheet offers tips for the initial design and review of an application's security architecture.<br />
<br />
<br/><br />
= Business Requirements = <br />
<br />
== Business Model ==<br />
<br />
* What is the application's primary business purpose?<br />
* How will the application make money?<br />
* What are the planned business milestones for developing or improving the application?<br />
* How is the application marketed?<br />
* What key benefits does the application offer its users?<br />
* What business continuity provisions have been defined for the application?<br />
* What geographic areas does the application service?<br />
<br />
== Data Essentials ==<br />
<br />
* What data does the application receive, produce, and process?<br />
* How can the data be classified into categories according to its sensitivity?<br />
* How might an attacker benefit from capturing or modifying the data?<br />
* What data backup and retention requirements have been defined for the application?<br />
<br />
== End‐Users ==<br />
<br />
* Who are the application's end‐users?<br />
* How do the end‐users interact with the application?<br />
* What security expectations do the end‐users have?<br />
<br />
== Partners ==<br />
<br />
* Which third parties supply data to the application?<br />
* Which third parties receive data from the application?<br />
* Which third parties process the application's data?<br />
* What mechanisms are used to share data with third parties besides the application itself? (EDI transmissions, FTP file processing, vendor-exposed APIs, etc.)<br />
* What security requirements do the partners impose?<br />
<br />
== Administrators ==<br />
<br />
* Who has administrative capabilities in the application?<br />
* What administrative capabilities does the application offer?<br />
<br />
== Regulations ==<br />
<br />
* In what industries does the application operate?<br />
* What security‐related regulations apply?<br />
* What auditing and compliance regulations apply?<br />
<br />
<br/><br />
= Infrastructure Requirements = <br />
<br />
== Network ==<br />
* What details regarding routing, switching, firewalling, and load‐balancing have been defined?<br />
* What network design supports the application?<br />
* What core network devices support the application?<br />
* What network performance requirements exist?<br />
* What private and public network links support the application?<br />
<br />
== Systems ==<br />
* What operating systems support the application?<br />
* What hardware requirements have been defined?<br />
* What details regarding required OS components and lock‐down needs have been defined?<br />
<br />
== Infrastructure Monitoring ==<br />
* What network and system performance monitoring requirements have been defined?<br />
* What mechanisms exist to detect malicious code or compromised application components?<br />
* What network and system security monitoring requirements have been defined?<br />
<br />
== Virtualization and Externalization ==<br />
* What aspects of the application lend themselves to virtualization?<br />
* What virtualization requirements have been defined for the application?<br />
* What aspects of the product may or may not be hosted via the cloud computing model?<br />
<br />
<br/><br />
= Application Requirements =<br />
<br />
== Environment ==<br />
* What frameworks and programming languages have been used to create the application?<br />
* What process, code, or infrastructure dependencies have been defined for the application?<br />
* What databases and application servers support the application?<br />
<br />
== Data Processing ==<br />
* What data entry paths does the application support?<br />
* What data output paths does the application support?<br />
* How does data flow across the application's internal components?<br />
* What data input validation requirements have been defined?<br />
* What data does the application store and how?<br />
* What data is or may need to be encrypted and what key management requirements have been defined?<br />
* What capabilities exist to detect the leakage of sensitive data?<br />
* What encryption requirements have been defined for data in transit over WAN and LAN links?<br />
<br />
== Access ==<br />
* What user privilege levels does the application support?<br />
* What user identification and authentication requirements have been defined?<br />
* What user authorization requirements have been defined?<br />
* What session management requirements have been defined?<br />
* What access requirements have been defined for URI and Service calls?<br />
* What user access restrictions have been defined?<br />
* How are user identities maintained throughout transaction calls?<br />
<br />
== Application Monitoring ==<br />
* What application auditing requirements have been defined?<br />
* What application performance monitoring requirements have been defined?<br />
* What application security monitoring requirements have been defined?<br />
* What application error handling and logging requirements have been defined?<br />
* How are audit and debug logs accessed, stored, and secured?<br />
<br />
== Application Design ==<br />
* What application design review practices have been defined and executed?<br />
* How is intermediate or in-process data stored in the application components' memory and in cache?<br />
* How many logical tiers group the application's components?<br />
* What staging, testing, and Quality Assurance requirements have been defined?<br />
<br />
<br/><br />
= Security Program Requirements =<br />
<br />
== Operations ==<br />
* What is the process for identifying and addressing vulnerabilities in the application?<br />
* What is the process for identifying and addressing vulnerabilities in network and system components?<br />
* What access do system and network administrators have to the application's sensitive data?<br />
* What security incident requirements have been defined?<br />
* How do administrators access production infrastructure to manage it?<br />
* What physical controls restrict access to the application's components and data?<br />
* What is the process for granting access to the environment hosting the application?<br />
<br />
== Change Management ==<br />
* How are changes to the code controlled?<br />
* How are changes to the infrastructure controlled?<br />
* How is code deployed to production?<br />
* What mechanisms exist to detect violations of change management practices?<br />
<br />
== Software Development ==<br />
* What data is available to developers for testing?<br />
* How do developers assist with troubleshooting and debugging the application?<br />
* What requirements have been defined for controlling access to the application's source code?<br />
* What secure coding processes have been established?<br />
<br />
== Corporate ==<br />
* What corporate security program requirements have been defined?<br />
* What security training do developers and administrators undergo?<br />
* Which personnel oversee security processes and requirements related to the application?<br />
* What employee initiation and termination procedures have been defined?<br />
* What application requirements impose the need to enforce the principle of separation of duties?<br />
* What controls exist to prevent a compromise in the corporate environment from affecting production?<br />
* What security governance requirements have been defined?<br />
<br />
= Authors and Primary Editors =<br />
[http://www.zeltser.com Lenny Zeltser - First Draft 2012]<br />
<br />
[mailto:tony.turner@owasp.org Tony Turner - 2015 Format Change and Revisions]<br />
<br />
= Other Cheatsheets =<br />
{{Cheatsheet_Navigation}} <br />
<br />
[[Category:Cheatsheets]]</div>VinMiller
https://wiki.owasp.org/index.php?title=Talk:Application_Security_Architecture_Cheat_Sheet&diff=203387 Talk:Application Security Architecture Cheat Sheet 2015-11-14T17:45:51Z <p>VinMiller: /* Suggested Changes/Additions */ new section</p>
<hr />
<div>I noticed some things are missing here - taking a page from OWASP SAMM. Any application architecture must always begin with requirements.<br />
I have found requirements to come from the following sources:<br />
<br />
- Laws<br />
- Standards <br />
- Business Policies <br />
- Customers<br />
- Operations <br />
- Business Stakeholders<br />
- Project Stakeholders<br />
<br />
All of these governance issues inform the rest of the architecture - in other words it is cross-cutting.<br />
Layers in the architecture cake are:<br />
<br />
- Business View (Context)<br />
- Architect View (Concept)<br />
- Designers View (Logical)<br />
- Builders View (Physical)<br />
- Trade View (Component)<br />
- Facilities View (Operational)<br />
<br />
== Suggested Changes/Additions ==<br />
<br />
As we gear up to get this sheet out of Draft mode, hopefully by end of year, I have a few comments. I have not suggested these edits directly on the page yet as I welcome preliminary discussion:<br />
<br />
'''[[Overall Comments]]'''<br />
<br />
I really like the organization and layout of this particular Cheat Sheet. It's extensive, but that's appropriate to the overarching topic at hand. <br />
<br />
I do wonder, though, if we should provide examples at certain points. I have found in the past that doing so on application developer checklists/cheat-sheets can help trigger a thought in the reader's mind. By way of example, take this point:<br />
"What mechanisms are used to share data with third‐parties besides the application itself?"<br />
<br />
It could prove useful to provide examples -- rather than risk a reader glossing over it a bit or misunderstanding the intent. So perhaps that could be modified to this:<br />
"What mechanisms are used to share data with third‐parties besides the application itself? (EDI transmissions, FTP file processing, vendor-exposed API's, etc.)"<br />
<br />
I'm interested in folks' opinions on this. The risk with including examples is that examples are not (by nature) all-inclusive. But if our target for this includes a wide range of developers and managers, examples could help spur internal team discussion.<br />
<br />
<br />
'''[[Specific Section Edits and Suggestions for Additions]]'''<br />
<br />
Under Business Requirements, I believe that an additional point is warranted under Regulations: "How will changes to regulatory requirements be communicated, managed and implemented over time?" <br />
<br />
Under Infrastructure | Virtualization and Externalization, I would modify this point: <br />
"What aspects of the product may or may not be hosted via the cloud computing model?" <br />
... to include a reference to the distinction between "pure" cloud services like AWS and Managed Hosting Cloud Services that allow greater control over administration etc. So perhaps this:<br />
"What aspects of the product may or may not be hosted via the cloud computing model? If applicable, what approach(es) to cloud computing will be taken (Managed Hosting versus "Pure" Cloud, a 'full machine' approach such as AWS-EC2 versus a 'hosted database' approach such as AWS-RDS and Azure, etc)? How will the advantages and constraints of each model be weighed and decided upon?"<br />
<br />
Under Application Requirements | Environment I would add an additional point: "How will database connection strings, encryption keys, and other sensitive components be stored, accessed, and protected from unauthorized detection?"<br />
<br />
Under Application Requirements | Data Processing I would modify the following:<br />
"What encryption requirements have been defined for data in transit over WAN and LAN links?"<br />
...to include public access via http or https (technically I guess this could be considered WAN but I think making it more clear would be helpful). So, perhaps the following:<br />
"What encryption requirements have been defined for data in transit - including transmission over WAN, LAN, SecureFTP, or publicly accessible protocols such as http: and https:?"<br />
<br />
Under Application Requirements | Application Monitoring, I would modify the following: <br />
"What application error handling and logging requirements have been defined?"<br />
...to specify that sensitive information should be kept away from unauthorized eyes. So maybe this:<br />
"What application error handling and logging requirements have been defined? What processes are in place to show an end user only the minimum required information upon an error, and not to expose facets of application design, security, and implementation?"<br />
<br />
<br />
<br />
- VM</div>VinMiller