This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Web Application Security Testing Cheat Sheet"
(Created page with "= DRAFT CHEAT SHEET - WORK IN PROGRESS = = Introduction = This cheat sheet provides a checklist of tasks to be performed when performing a blackbox security test of a web ap...") |
|||
Line 7: | Line 7: | ||
= Purpose = | = Purpose = | ||
− | This checklist is intended to be used as an aide memoire for | + | This checklist is intended to be used as an aide memoire for experienced pentesters and should be used in conjunction with the [[:Category:OWASP Testing Project|OWASP Testing Guide]]. It will be updated as the [[OWASP_Application_Testing_guide_v4|Testing Guide v4]] is progressed. |
The intention is that this guide will be available as an XML document, with scripts that convert it into formats such as pdf, Media Wiki markup, HTML etc. | The intention is that this guide will be available as an XML document, with scripts that convert it into formats such as pdf, Media Wiki markup, HTML etc. | ||
Line 21: | Line 21: | ||
* Spider/crawl for missed or hidden content | * Spider/crawl for missed or hidden content | ||
* Check for files that expose content, such as robots.txt, sitemap.xml, .DS_Store | * Check for files that expose content, such as robots.txt, sitemap.xml, .DS_Store | ||
− | * Check the caches of major search engines for | + | * Check the caches of major search engines for publicly accessible sites |
* Perform Web Application Fingerprinting | * Perform Web Application Fingerprinting | ||
* Identify technologies used | * Identify technologies used |
Revision as of 16:57, 25 July 2012
DRAFT CHEAT SHEET - WORK IN PROGRESS
Introduction
This cheat sheet provides a checklist of tasks to be performed when performing a blackbox security test of a web application.
Purpose
This checklist is intended to be used as an aide memoire for experienced pentesters and should be used in conjunction with the OWASP Testing Guide. It will be updated as the Testing Guide v4 is progressed.
The intention is that this guide will be available as an XML document, with scripts that convert it into formats such as pdf, Media Wiki markup, HTML etc.
This will allow it to be consumed within security tools as well as being available in a format suitable for printing.
It is currently at a very early stage, but any feedback or offers of help will be appreciated.
The Checklist
Information Gathering
- Manually explore the site
- Spider/crawl for missed or hidden content
- Check for files that expose content, such as robots.txt, sitemap.xml, .DS_Store
- Check the caches of major search engines for publicly accessible sites
- Perform Web Application Fingerprinting
- Identify technologies used
- Identify application entry points
Configuration Management
- Check for commonly used application and administrative URLs
- Check for old, backup and unreferenced files
- Check HTTP methods supported and Cross Site Tracing (XST)
- Test file extensions handling
Secure Transmission
- Check SSL Version, Algorithms, Key length, Digital Cert. Validity
- Check credentials only delivered over HTTPS
- Check session tokens only delivered over HTTPS
- Check if HTTP Strict Transport Security (HSTS) in use
Authentication
- Test for user enumeration
- Test for authentication bypass
- Test for bruteforce protection
- Test password quality rules
- Test remember me functionality
- Test password reset
- Test CAPTCHA
- Test multi factor authentication
- Test logout and cache management
Session Management
- TBA
Authorization
- TBA
Data Validation
- TBA
Denial of Service
- TBA
Business Logic
- TBA
Authors and primary contributors
Related articles
OWASP Testing Guide
Mozilla Web Security Verification
OWASP Cheat Sheets Project Homepage