This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Web Application Security Testing Cheat Sheet"

From OWASP
Jump to: navigation, search
Line 101: Line 101:
 
* [[Testing_for_Bypassing_Authorization_Schema_(OTG-AUTHZ-002)|Test for missing authorisation]]
 
* [[Testing_for_Bypassing_Authorization_Schema_(OTG-AUTHZ-002)|Test for missing authorisation]]
 
* [[Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004)|Test for Insecure Direct Object References]]
 
* [[Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004)|Test for Insecure Direct Object References]]
 +
 +
== Cryptography ==
 +
* [[Testing_for_Sensitive_information_sent_via_unencrypted_channels_(OTG-CRYPST-003)|Check if data which should be encrypted is not]]
 +
* Check for wrong algorithms usage depending on context
 +
* [[Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_(OTG-CRYPST-001)|Check for weak algorithms usage]]
 +
* [[Password_Storage_Cheat_Sheet#Use_a_cryptographically_strong_credential-specific_salt | Check for proper use of salting]]
 +
* [[Insecure_Randomness | Check for randomness functions]]
 +
  
 
== Data Validation ==
 
== Data Validation ==
Line 156: Line 164:
 
* [[Test_Upload_of_Malicious_Files_(OTG-BUSLOGIC-016) | Test upload of malicious files]]
 
* [[Test_Upload_of_Malicious_Files_(OTG-BUSLOGIC-016) | Test upload of malicious files]]
  
== Cryptography ==
 
* [[Testing_for_Sensitive_information_sent_via_unencrypted_channels_(OTG-CRYPST-003)|Check if data which should be encrypted is not]]
 
* Check for wrong algorithms usage depending on context
 
* [[Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_(OTG-CRYPST-001)|Check for weak algorithms usage]]
 
* [[Password_Storage_Cheat_Sheet#Use_a_cryptographically_strong_credential-specific_salt | Check for proper use of salting]]
 
* [[Insecure_Randomness | Check for randomness functions]]
 
  
== Risky Functionality - File Uploads ==
+
== Specific Risky Functionality ==
 +
''File Uploads''
 
* [[Test_Upload_of_Unexpected_File_Types_(OTG-BUSLOGIC-008)|Test that acceptable file types are whitelisted and non-whitelisted types are rejected]]
 
* [[Test_Upload_of_Unexpected_File_Types_(OTG-BUSLOGIC-008)|Test that acceptable file types are whitelisted and non-whitelisted types are rejected]]
 
* Test that file size limits, upload frequency and total file counts are defined and are enforced
 
* Test that file size limits, upload frequency and total file counts are defined and are enforced
Line 173: Line 176:
 
* Test that files and other media are integrated with the authentication and authorisation schemas
 
* Test that files and other media are integrated with the authentication and authorisation schemas
  
== Risky Functionality - Card Payment ==
+
== Risky Functionality==
 +
''Payments''
 
* Test for known vulnerabilities and configuration issues on Web Server and Web Application
 
* Test for known vulnerabilities and configuration issues on Web Server and Web Application
 
* Test for default or guessable password
 
* Test for default or guessable password

Revision as of 19:40, 6 December 2015

Introduction

This cheat sheet provides a checklist of tasks to be performed during blackbox security testing of a web application.

Purpose

This checklist is intended to be used as an aide memoire for experienced pentesters and should be used in conjunction with the OWASP Testing Guide. It will be updated as the Testing Guide v4 is progressed.

The intention is that this guide will be available as an XML document, with scripts that convert it into formats such as pdf, Media Wiki markup, HTML etc.

This will allow it to be consumed within security tools as well as being available in a format suitable for printing.

All feedback or offers of help will be appreciated - and if you have specific changes you think should be made, please log in and make suggestions.

The Checklist

Information Gathering

Rendered Site Review

Development Review

Hosting and Platform Review

  • Identify web services
  • Identify co-hosted and related applications
  • Identify all hostnames and ports
  • Identify third-party hosted content

Configuration Management

Secure Transmission

Authentication

Application Password Functionality

  • Test password quality rules
  • Test remember me functionality
  • Test password reset and/or recovery
  • Test password change process
  • Test CAPTCHA
  • Test multi factor authentication
  • Test for logout functionality presence
  • Test for default logins
  • Test for out-of channel notification of account lockouts and successful password changes
  • Test for consistent authentication across applications with shared authentication schema / SSO and alternative channels
  • Test for Weak security question/answer

Additional Authentication Functionality

Session Management

Authorization

Cryptography


Data Validation

Denial of Service

Business Logic


Specific Risky Functionality

File Uploads

Risky Functionality

Payments

Web Service Testing

HTML 5

Error Handling

Appendices

Other Formats

  • DradisPro template format on github
  • Asana template on Templana (thanks to Bastien Siebman)

Authors and contributors

Simon Bennetts
Rory McCune
Colin Watson
Simone Onofri
Amro AlOlaqi

All above are authors of the Testing Guide v3

Ryan Dewhurst
Frank Catucci

Related articles

Other Cheatsheets

OWASP Cheat Sheets Project Homepage