This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Web Application Security Testing Cheat Sheet"

From OWASP
Jump to: navigation, search
(Purpose)
(Information Gathering)
Line 16: Line 16:
  
 
== Information Gathering ==
 
== Information Gathering ==
* Manually explore the site
+
Rendered Site Review
* [[Testing:_Spidering_and_googling | Spider/crawl]] for missed or hidden content
+
*     Manually explore the site
* [[Review_Webserver_Metafiles_for_Information_Leakage_(OTG-INFO-003)|Check the Webserver Metafiles]] for information leakage files that expose content, such as robots.txt, sitemap.xml, .DS_Store
+
*     [[Testing:_Spidering_and_googling | Spider/crawl]] for missed or hidden content
* [[Conduct_search_engine_discovery/reconnaissance_for_information_leakage_(OTG-INFO-001)|Check the caches of major search engines for publicly accessible sites]]
+
*     [[Review_Webserver_Metafiles_for_Information_Leakage_(OTG-INFO-003)|Check the Webserver Metafiles]] for information leakage files that expose content, such as robots.txt, sitemap.xml, .DS_Store
* Check for differences in content based on User Agent (eg, Mobile sites, access as a Search engine Crawler)
+
*     [[Conduct_search_engine_discovery/reconnaissance_for_information_leakage_(OTG-INFO-001)|Check the caches of major search engines for publicly accessible sites]]
* [[Review_webpage_comments_and_metadata_for_information_leakage_(OTG-INFO-005) | Check The Webpage Comments and Metadata for Information Leakage]]
+
*     Check for differences in content based on User Agent (eg, Mobile sites, access as a Search engine Crawler)
* [[Fingerprint_Web_Application_Framework_(OTG-INFO-008) | Check The Web Application Framework]]
+
*     [[Review_webpage_comments_and_metadata_for_information_leakage_(OTG-INFO-005) | Check The Webpage Comments and Metadata for Information Leakage]]
* [[Fingerprint_Web_Server_(OTG-INFO-002)|Perform Web Application Fingerprinting]]
+
 
* Identify technologies used
+
Development Review
* [[Test_Role_Definitions_(OTG-IDENT-001)|Identify user roles]]
+
*     [[Fingerprint_Web_Application_Framework_(OTG-INFO-008) | Check The Web Application Framework]]
* [[Identify_application_entry_points_(OTG-INFO-006) | Identify application entry points]]
+
*     [[Fingerprint_Web_Server_(OTG-INFO-002)|Perform Web Application Fingerprinting]]
* Identify client-side code
+
*     Identify technologies used
* Identify multiple versions/channels (e.g. web, mobile web, mobile app)
+
*     [[Test_Role_Definitions_(OTG-IDENT-001)|Identify user roles]]
* [[Web_Services | Identify web services]]
+
*     [[Identify_application_entry_points_(OTG-INFO-006) | Identify application entry points]]
* Identify co-hosted and related applications
+
*     Identify client-side code
* Identify all hostnames and ports
+
*     Identify multiple versions/channels (e.g. web, mobile web, mobile app)
* Identify third-party hosted content
+
 
 +
Hosting and Platform Review
 +
*     [[Web_Services | Identify web services]]
 +
*     Identify co-hosted and related applications
 +
*     Identify all hostnames and ports
 +
*     Identify third-party hosted content
  
 
== Configuration Management ==
 
== Configuration Management ==

Revision as of 19:12, 6 December 2015

Introduction

This cheat sheet provides a checklist of tasks to be performed during blackbox security testing of a web application.

Purpose

This checklist is intended to be used as an aide memoire for experienced pentesters and should be used in conjunction with the OWASP Testing Guide. It will be updated as the Testing Guide v4 is progressed.

The intention is that this guide will be available as an XML document, with scripts that convert it into formats such as pdf, Media Wiki markup, HTML etc.

This will allow it to be consumed within security tools as well as being available in a format suitable for printing.

All feedback or offers of help will be appreciated - and if you have specific changes you think should be made, please log in and make suggestions.

The Checklist

Information Gathering

Rendered Site Review

Development Review

Hosting and Platform Review

  • Identify web services
  • Identify co-hosted and related applications
  • Identify all hostnames and ports
  • Identify third-party hosted content

Configuration Management

Secure Transmission

Authentication

Session Management

Authorization

Data Validation

Denial of Service

Business Logic

Cryptography

Risky Functionality - File Uploads

Risky Functionality - Card Payment

Web Service Testing

HTML 5

Error Handling

Other Formats

  • DradisPro template format on github
  • Asana template on Templana (thanks to Bastien Siebman)

Authors and contributors

Simon Bennetts
Rory McCune
Colin Watson
Simone Onofri
Amro AlOlaqi

All above are authors of the Testing Guide v3

Ryan Dewhurst
Frank Catucci

Related articles

Other Cheatsheets

OWASP Cheat Sheets Project Homepage