|
|
(24 intermediate revisions by 4 users not shown) |
Line 1: |
Line 1: |
− | = DRAFT CHEAT SHEET - WORK IN PROGRESS = | + | __NOTOC__ |
| + | <div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div> |
| | | |
− | = Introduction =
| + | The Cheat Sheet Series project has been moved to [https://github.com/OWASP/CheatSheetSeries GitHub]! |
| | | |
− | This cheat sheet provides a checklist of tasks to be performed when performing a blackbox security test of a web application.
| + | An [https://github.com/OWASP/CheatSheetSeries/issues/13 open discussion] is pending about to exclude or not this cheat sheet of the V2 of the project. |
− | | |
− | = Purpose =
| |
− | | |
− | This checklist is intended to be used as an aide memoire for experienced pentesters and should be used in conjunction with the [[:Category:OWASP Testing Project|OWASP Testing Guide]]. It will be updated as the [[OWASP_Application_Testing_guide_v4|Testing Guide v4]] is progressed.
| |
− | | |
− | The intention is that this guide will be available as an XML document, with scripts that convert it into formats such as pdf, Media Wiki markup, HTML etc.
| |
− | | |
− | This will allow it to be consumed within security tools as well as being available in a format suitable for printing.
| |
− | | |
− | All feedback or offers of help will be appreciated - and if you have specific chances you think should be made, just get stuck in.
| |
− | | |
− | = The Checklist =
| |
− | | |
− | == Information Gathering ==
| |
− | * Manually explore the site
| |
− | * [[Testing:_Spidering_and_googling | Spider/crawl]] for missed or hidden content
| |
− | * [[Review_Webserver_Metafiles_for_Information_Leakage_(OTG-INFO-003)|Check the Webserver Metafiles]] for information leakage files that expose content, such as robots.txt, sitemap.xml, .DS_Store
| |
− | * [[Conduct_search_engine_discovery/reconnaissance_for_information_leakage_(OTG-INFO-001)|Check the caches of major search engines for publicly accessible sites]]
| |
− | * Check for differences in content based on User Agent (eg, Mobile sites, access as a Search engine Crawler)
| |
− | * [[Review_webpage_comments_and_metadata_for_information_leakage_(OTG-INFO-005) | Check The Webpage Comments and Metadata for Information Leakage]]
| |
− | * [[Fingerprint_Web_Application_Framework_(OTG-INFO-008) | Check The Web Application Framework]]
| |
− | * [[Fingerprint_Web_Server_(OTG-INFO-002)|Perform Web Application Fingerprinting]]
| |
− | * Identify technologies used
| |
− | * [[Test_Role_Definitions_(OTG-IDENT-001)|Identify user roles]]
| |
− | * [[Identify_application_entry_points_(OTG-INFO-006) | Identify application entry points]]
| |
− | * Identify client-side code
| |
− | * Identify multiple versions/channels (e.g. web, mobile web, mobile app)
| |
− | * [[Web_Services | Identify web services]]
| |
− | * Identify co-hosted and related applications
| |
− | * Identify all hostnames and ports
| |
− | * Identify third-party hosted content
| |
− | | |
− | == Configuration Management ==
| |
− | * Check for commonly used application and administrative URLs
| |
− | * [[4.3.4_Review_Old,_Backup_and_Unreferenced_Files_for_Sensitive_Information_(OTG-CONFIG-004) | Check for old, backup and unreferenced files]]
| |
− | * [[Test_HTTP_Methods_(OTG-CONFIG-006) | Check HTTP methods supported and Cross Site Tracing (XST)]]
| |
− | * [[4.3.3_Test_File_Extensions_Handling_for_Sensitive_Information_(OTG-CONFIG-003) | Test file extensions handling]]
| |
− | * [[Test_RIA_cross_domain_policy_(OTG-CONFIG-008) | Test RIA cross domain policy]]
| |
− | * Test for [[List_of_useful_HTTP_headers | security HTTP headers]] (e.g. CSP, X-Frame-Options, HSTS)
| |
− | * Test for policies (e.g. Flash, Silverlight, robots)
| |
− | * Test for non-production data in live environment, and vice-versa
| |
− | * Check for sensitive data in client-side code (e.g. API keys, credentials)
| |
− | | |
− | == Secure Transmission ==
| |
− | * [[Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_(OTG-CRYPST-001) | Check SSL Version, Algorithms, Key length]]
| |
− | * Check for Digital Certificate Validity (Duration, Signature and CN)
| |
− | * Check credentials only delivered over HTTPS
| |
− | * Check that the login form is delivered over HTTPS
| |
− | * Check session tokens only delivered over HTTPS
| |
− | * [[Test_HTTP_Strict_Transport_Security_(OTG-CONFIG-009) | Check if HTTP Strict Transport Security (HSTS) in use]]
| |
− | | |
− | == Authentication ==
| |
− | * [[Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002) | Test for user enumeration]]
| |
− | * [[Testing_for_Bypassing_Authentication_Schema_(OTG-AUTHN-004) | Test for authentication bypass]]
| |
− | * [[Testing_for_Brute_Force_(OWASP-AT-004) | Test for brute force protection]]
| |
− | * [[Testing_for_Credentials_Transported_over_an_Encrypted_Channel_(OTG-AUTHN-001)|Test for Credentials Transported over an Encrypted Channel]]
| |
− | * [[Testing_for_Weak_password_policy_(OTG-AUTHN-007)|Test password quality rules
| |
− | * Test remember me functionality]]
| |
− | * Test password reset and/or recovery
| |
− | * Test password change process
| |
− | * Test CAPTCHA
| |
− | * Test multi factor authentication
| |
− | * Test for logout functionality presence
| |
− | * Test for cache management on HTTP (eg Pragma, Expires, Max-age)
| |
− | * Test for default logins
| |
− | * Test for user-accessible authentication history
| |
− | * Test for out-of channel notification of account lockouts and successful password changes
| |
− | * Test for consistent authentication across applications with shared authentication schema / SSO and alternative channels
| |
− | * Test for Weak security question/answer
| |
− | | |
− | == Session Management ==
| |
− | * Establish how session management is handled in the application (eg, tokens in cookies, token in URL)
| |
− | * [[Testing_for_cookies_attributes_(OTG-SESS-002)|Check session tokens for cookie flags (httpOnly and secure)]]
| |
− | * [[Testing_for_cookies_attributes_(OTG-SESS-002)|Check session cookie scope (path and domain)]]
| |
− | * Check session cookie duration (expires and max-age)
| |
− | * [[Test_Session_Timeout_(OTG-SESS-007)|Check session termination after a maximum lifetime]]
| |
− | * [[Test_Session_Timeout_(OTG-SESS-007)|Check session termination after relative timeout]]
| |
− | * [[Testing_for_logout_functionality_(OTG-SESS-006)|Check session termination after logout]]
| |
− | * Test to see if users can have multiple simultaneous sessions
| |
− | * Test session cookies for randomness
| |
− | * Confirm that new session tokens are issued on login, role change and logout
| |
− | * Test for consistent session management across applications with shared session management
| |
− | * Test for session puzzling
| |
− | * Test for CSRF and clickjacking
| |
− | | |
− | == Authorization ==
| |
− | * [[Testing_Directory_traversal/file_include_(OTG-AUTHZ-001)|Test for path traversal]]
| |
− | * [[Testing_for_Privilege_escalation_(OTG-AUTHZ-003)|Test for vertical Access control problems (a.k.a. Privilege Escalation)]]
| |
− | * Test for horizontal Access control problems (between two users at the same privilege level)
| |
− | * [[Testing_for_Bypassing_Authorization_Schema_(OTG-AUTHZ-002)|Test for missing authorisation]]
| |
− | * [[Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004)|Test for Insecure Direct Object References]]
| |
− | | |
− | == Data Validation ==
| |
− | * [[Testing_for_Reflected_Cross_site_scripting_(OTG-INPVAL-001)|Test for Reflected Cross Site Scripting]]
| |
− | * [[Testing_for_Stored_Cross_site_scripting_(OTG-INPVAL-002)|Test for Stored Cross Site Scripting]]
| |
− | * [[Testing_for_DOM-based_Cross_site_scripting_(OTG-CLIENT-001)|Test for DOM based Cross Site Scripting]]
| |
− | * Test for Cross Site Flashing
| |
− | * Test for HTML Injection
| |
− | * [[Testing_for_SQL_Injection_(OTG-INPVAL-005)|Test for SQL Injection]]
| |
− | * Test for LDAP Injection
| |
− | * [[Testing_for_ORM_Injection_(OTG-INPVAL-007)|Test for ORM Injection]]
| |
− | * [[Testing_for_XML_Injection_(OTG-INPVAL-008)|Test for XML Injection]]
| |
− | * Test for XXE Injection
| |
− | * [[Testing_for_SSI_Injection_(OTG-INPVAL-009)|Test for SSI Injection]]
| |
− | * [[Testing_for_XPath_Injection_(OTG-INPVAL-010)|Test for XPath Injection]]
| |
− | * Test for XQuery Injection
| |
− | * [[Testing_for_IMAP/SMTP_Injection_(OTG-INPVAL-011)|Test for IMAP/SMTP Injection]]
| |
− | * [[Testing_for_Code_Injection_(OTG-INPVAL-012)|Test for Code Injection]]
| |
− | * Test for Expression Language Injection
| |
− | * [[Testing_for_Command_Injection_(OTG-INPVAL-013)|Test for Command Injection]]
| |
− | * Test for Overflow ([[Testing_for_Stack_Overflow|Stack]], [[Testing_for_Heap_Overflow|Heap]] and Integer)
| |
− | * [[Testing_for_Format_String|Test for Format String]]
| |
− | * Test for incubated vulnerabilities
| |
− | * [[Testing_for_HTTP_Splitting/Smuggling_(OTG-INPVAL-016)|Test for HTTP Splitting/Smuggling]]
| |
− | * Test for HTTP Verb Tampering
| |
− | * [[Top_10_2013-A10-Unvalidated_Redirects_and_Forwards|Test for Open Redirection]]
| |
− | * [[Testing_for_Local_File_Inclusion|Test for Local File Inclusion]]
| |
− | * [[Testing_for_Remote_File_Inclusion|Test for Remote File Inclusion]]
| |
− | * Compare client-side and server-side validation rules
| |
− | * Test for NoSQL injection
| |
− | * Test for HTTP parameter pollution
| |
− | * Test for auto-binding
| |
− | * Test for Mass Assignment
| |
− | * Test for NULL/Invalid Session Cookie
| |
− | | |
− | == Denial of Service ==
| |
− | * Test for anti-automation
| |
− | * [[Testing_for_Weak_lock_out_mechanism_(OTG-AUTHN-003)|Test for account lockout]]
| |
− | * Test for HTTP protocol DoS
| |
− | * Test for SQL wildcard DoS
| |
− | | |
− | == Business Logic ==
| |
− | * Test for feature misuse
| |
− | * Test for lack of non-repudiation
| |
− | * Test for trust relationships
| |
− | * [[Test_integrity_checks_(OTG-BUSLOGIC-003) | Test for integrity of data]]
| |
− | * Test segregation of duties
| |
− | * Test for Process Timing
| |
− | * Test Number of Times a Function Can be Used Limits
| |
− | * Test for the Circumvention of Work Flows
| |
− | * [[Test_defenses_against_application_mis-use_(OTG-BUSLOGIC-011) | Test Defenses Against Application Mis-use]]
| |
− | * Test Upload of Unexpected File Types
| |
− | | |
− | == Cryptography ==
| |
− | * [[Testing_for_Sensitive_information_sent_via_unencrypted_channels_(OTG-CRYPST-003)|Check if data which should be encrypted is not]]
| |
− | * Check for wrong algorithms usage depending on context
| |
− | * [[Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_(OTG-CRYPST-001)|Check for weak algorithms usage]]
| |
− | * [[Password_Storage_Cheat_Sheet#Use_a_cryptographically_strong_credential-specific_salt | Check for proper use of salting]]
| |
− | * [[Insecure_Randomness | Check for randomness functions]]
| |
− | | |
− | == Risky Functionality - File Uploads ==
| |
− | * [[Test_Upload_of_Unexpected_File_Types_(OTG-BUSLOGIC-008)|Test that acceptable file types are whitelisted and non-whitelisted types are rejected]]
| |
− | * Test that file size limits, upload frequency and total file counts are defined and are enforced
| |
− | * Test that file contents match the defined file type
| |
− | * [[Test_Upload_of_Malicious_Files_(OTG-BUSLOGIC-009)|Test that all file uploads have Anti-Virus scanning in-place.]]
| |
− | * Test that unsafe filenames are sanitised
| |
− | * Test that uploaded files are not directly accessible within the web root
| |
− | * Test that uploaded files are not served on the same hostname/port
| |
− | * Test that files and other media are integrated with the authentication and authorisation schemas
| |
− | | |
− | == Risky Functionality - Card Payment ==
| |
− | * Test for known vulnerabilities and configuration issues on Web Server and Web Application
| |
− | * Test for default or guessable password
| |
− | * Test for non-production data in live environment, and vice-versa
| |
− | * [[Injection_Flaws | Test for Injection vulnerabilities ]]
| |
− | * [[Testing_for_Buffer_Overflow_(OTG-INPVAL-014) | Test for Buffer Overflows]]
| |
− | * [[Top_10_2010-A7-Insecure_Cryptographic_Storage | Test for Insecure Cryptographic Storage]]
| |
− | * [[Top_10_2010-A9-Insufficient_Transport_Layer_Protection | Test for Insufficient Transport Layer Protection]]
| |
− | * [[Web_Application_Security_Testing_Cheat_Sheet#Error_Handling|Test for Improper Error Handling]]
| |
− | * Test for all vulnerabilities with a CVSS v2 score > 4.0
| |
− | * Test for Authentication and Authorization issues
| |
− | * [[Testing_for_CSRF_(OTG-SESS-005)|Test for CSRF]]
| |
− | | |
− | == Web Service Testing ==
| |
− | * [[Web_Service_Security_Testing_Cheat_Sheet | Test for Web Service Issues]]
| |
− | * [[REST_Assessment_Cheat_Sheet | Test REST]]
| |
− | | |
− | == HTML 5==
| |
− | * [[Test_Web_Messaging_(OTG-CLIENT-011)|Test Web Messaging]]
| |
− | * [[Test_Local_Storage_(OTG-CLIENT-012)|Test for Web Storage SQL injection]]
| |
− | * [[Test_Cross_Origin_Resource_Sharing_(OTG-CLIENT-007)|Check CORS implementation]]
| |
− | * [[HTML5_Security_Cheat_Sheet#Offline_Applications | Check Offline Web Application]]
| |
− | | |
− | == Error Handling==
| |
− | * [[Testing_for_Error_Code_(OTG-ERR-001)|Check for Error Codes]]
| |
− | * [[Testing_for_Stack_Traces_(OTG-ERR-002)|Check for Stack Traces]]
| |
− | | |
− | == Other Formats ==
| |
− | * DradisPro template format [https://github.com/raesene/OWASP_Web_App_Testing_Cheatsheet_Converter/blob/master/OWASP_Web_Application_Testing_Cheat_Sheet.xml on github]
| |
− | * Asana template on [http://templana.com/templates/owasp-website-security-checklist/ Templana] (thanks to Bastien Siebman)
| |
− | | |
− | == Authors and contributors ==
| |
− | | |
− | [[User:Simon Bennetts|Simon Bennetts]]<br/>
| |
− | [[User:Raesene|Rory McCune]] <br/>
| |
− | Colin Watson<br/>
| |
− | Simone Onofri<br/>
| |
− | [[User:Amro_Ahmed|Amro AlOlaqi]]
| |
− | | |
− | All above are authors of the [[OWASP_Testing_Guide_v3_Table_of_Contents | Testing Guide v3]]
| |
− | | |
− | [[User:Ryan_Dewhurst|Ryan Dewhurst]]<br/>
| |
− | [[User:Frank.catucci | Frank Catucci]]
| |
− | | |
− | == Related articles ==
| |
− | | |
− | OWASP [[:Category:OWASP Testing Project|Testing Guide]]
| |
− | | |
− | Mozilla [https://wiki.mozilla.org/WebAppSec/Web_Security_Verification Web Security Verification]
| |
− | | |
− | {{Cheatsheet_Navigation}}
| |
− | | |
− | [[Category:Cheatsheets]] [[Category:OWASP_Breakers]]
| |