This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Web Application Security Testing Cheat Sheet"

From OWASP
Jump to: navigation, search
(Data Validation)
(Information Gathering)
Line 21: Line 21:
 
* [[Testing:_Spidering_and_googling | Spider/crawl]] for missed or hidden content
 
* [[Testing:_Spidering_and_googling | Spider/crawl]] for missed or hidden content
 
* [[Review_Webserver_Metafiles_for_Information_Leakage_(OTG-INFO-003)|Check the Webserver Metafiles]] for information leakage files that expose content, such as robots.txt, sitemap.xml, .DS_Store
 
* [[Review_Webserver_Metafiles_for_Information_Leakage_(OTG-INFO-003)|Check the Webserver Metafiles]] for information leakage files that expose content, such as robots.txt, sitemap.xml, .DS_Store
* Check the caches of major search engines for publicly accessible sites
+
* [[Conduct_search_engine_discovery/reconnaissance_for_information_leakage_(OTG-INFO-001)|Check the caches of major search engines for publicly accessible sites]]
 
* Check for differences in content based on User Agent (eg, Mobile sites, access as a Search engine Crawler)
 
* Check for differences in content based on User Agent (eg, Mobile sites, access as a Search engine Crawler)
 
* [[Review_webpage_comments_and_metadata_for_information_leakage_(OTG-INFO-005) | Check The Webpage Comments and Metadata for Information Leakage]]
 
* [[Review_webpage_comments_and_metadata_for_information_leakage_(OTG-INFO-005) | Check The Webpage Comments and Metadata for Information Leakage]]

Revision as of 17:05, 3 September 2015

DRAFT CHEAT SHEET - WORK IN PROGRESS

Introduction

This cheat sheet provides a checklist of tasks to be performed when performing a blackbox security test of a web application.

Purpose

This checklist is intended to be used as an aide memoire for experienced pentesters and should be used in conjunction with the OWASP Testing Guide. It will be updated as the Testing Guide v4 is progressed.

The intention is that this guide will be available as an XML document, with scripts that convert it into formats such as pdf, Media Wiki markup, HTML etc.

This will allow it to be consumed within security tools as well as being available in a format suitable for printing.

All feedback or offers of help will be appreciated - and if you have specific chances you think should be made, just get stuck in.

The Checklist

Information Gathering

Configuration Management

  • Check for commonly used application and administrative URLs
  • Check for old, backup and unreferenced files
  • Check HTTP methods supported and Cross Site Tracing (XST)
  • Test file extensions handling
  • Test RIA cross domain policy
  • Test for security HTTP headers (e.g. CSP, X-Frame-Options, HSTS)
  • Test for policies (e.g. Flash, Silverlight, robots)
  • Test for non-production data in live environment, and vice-versa
  • Check for sensitive data in client-side code (e.g. API keys, credentials)

Secure Transmission

  • Check SSL Version, Algorithms, Key length
  • Check for Digital Certificate Validity (Duration, Signature and CN)
  • Check credentials only delivered over HTTPS
  • Check that the login form is delivered over HTTPS
  • Check session tokens only delivered over HTTPS
  • Check if HTTP Strict Transport Security (HSTS) in use

Authentication

  • Test for user enumeration
  • Test for authentication bypass
  • Test for brute force protection
  • Test for Credentials Transported over an Encrypted Channel
  • Test password quality rules
  • Test remember me functionality
  • Test for autocomplete on password forms/input
  • Test password reset and/or recovery
  • Test password change process
  • Test CAPTCHA
  • Test multi factor authentication
  • Test for logout functionality presence
  • Test for cache management on HTTP (eg Pragma, Expires, Max-age)
  • Test for default logins
  • Test for user-accessible authentication history
  • Test for out-of channel notification of account lockouts and successful password changes
  • Test for consistent authentication across applications with shared authentication schema / SSO and alternative channels
  • Test for Weak security question/answer

Session Management

  • Establish how session management is handled in the application (eg, tokens in cookies, token in URL)
  • Check session tokens for cookie flags (httpOnly and secure)
  • Check session cookie scope (path and domain)
  • Check session cookie duration (expires and max-age)
  • Check session termination after a maximum lifetime
  • Check session termination after relative timeout
  • Check session termination after logout
  • Test to see if users can have multiple simultaneous sessions
  • Test session cookies for randomness
  • Confirm that new session tokens are issued on login, role change and logout
  • Test for consistent session management across applications with shared session management
  • Test for session puzzling
  • Test for CSRF and clickjacking

Authorization

  • Test for path traversal
  • Test for vertical Access control problems (a.k.a. Privilege Escalation)
  • Test for horizontal Access control problems (between two users at the same privilege level)
  • Test for missing authorisation
  • Test for Insecure Direct Object References

Data Validation

Denial of Service

Business Logic

  • Test for feature misuse
  • Test for lack of non-repudiation
  • Test for trust relationships
  • Test for integrity of data
  • Test segregation of duties
  • Test for Process Timing
  • Test Number of Times a Function Can be Used Limits
  • Test for the Circumvention of Work Flows
  • Test Defenses Against Application Mis-use
  • Test Upload of Unexpected File Types

Cryptography

Risky Functionality - File Uploads

Risky Functionality - Card Payment

HTML 5

Error Handling

Other Formats

  • DradisPro template format on github
  • Asana template on Templana (thanks to Bastien Siebman)

Authors and primary contributors

Simon Bennetts
Rory McCune
Colin Watson
Simone Onofri
Amro AlOlaqi


All the authors of the Testing Guide v3

Other Contributors

Ryan Dewhurst

Related articles

OWASP Testing Guide

Mozilla Web Security Verification

OWASP Cheat Sheets Project Homepage