This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Web Application Security Testing Cheat Sheet"

From OWASP
Jump to: navigation, search
m
m (Some updates to grammar.)
Line 5: Line 5:
 
= Purpose =
 
= Purpose =
  
This checklist is intended to be used as an aide memoire for experienced pentesters and should be used in conjunction with the [[:Category:OWASP Testing Project|OWASP Testing Guide]]. It will be updated as the [[OWASP_Application_Testing_guide_v4|Testing Guide v4]] is progressed.
+
This checklist is intended to be used as a memory aid for experienced pentesters. It should be used in conjunction with the [[:Category:OWASP Testing Project|OWASP Testing Guide]]. It will be updated as the [[OWASP_Application_Testing_guide_v4|Testing Guide v4]] progresses.
  
The intention is that this guide will be available as an XML document, with scripts that convert it into formats such as pdf, Media Wiki markup, HTML etc.  
+
The intention is that this guide will be available as an XML document, with scripts that convert it into formats such as PDF, MediaWiki markup, HTML, and so forth. This will allow it to be consumed within security tools as well as being available in a format suitable for printing.  
  
This will allow it to be consumed within security tools as well as being available in a format suitable for printing.
+
All feedback or offers of help will be appreciated. If you have specific changes you think should be made, please log in and make suggestions.
 
 
All feedback or offers of help will be appreciated - and if you have specific changes you think should be made, please log in and make suggestions.
 
  
 
= The Checklist =
 
= The Checklist =
Line 18: Line 16:
 
''Rendered Site Review''
 
''Rendered Site Review''
 
*      Manually explore the site
 
*      Manually explore the site
*      [[Testing:_Spidering_and_googling | Spider/crawl]] for missed or hidden content
+
*      [[Testing:_Spidering_and_googling |Spider/crawl]] for missed or hidden content
*      [[Review_Webserver_Metafiles_for_Information_Leakage_(OTG-INFO-003)|Check the Webserver Metafiles]] for information leakage files that expose content, such as robots.txt, sitemap.xml, .DS_Store
+
*      [[Review_Webserver_Metafiles_for_Information_Leakage_(OTG-INFO-003)|Check the webserver metafiles]] for information leakage files that expose content, such as robots.txt, sitemap.xml, and .DS_Store
 
*      [[Conduct_search_engine_discovery/reconnaissance_for_information_leakage_(OTG-INFO-001)|Check the caches of major search engines for publicly accessible sites]]
 
*      [[Conduct_search_engine_discovery/reconnaissance_for_information_leakage_(OTG-INFO-001)|Check the caches of major search engines for publicly accessible sites]]
*      Check for differences in content based on User Agent (eg, Mobile sites, access as a Search engine Crawler)
+
*      Check for differences in content based on user agent (e.g. mobile sites, accessing as a search engine crawler)
*      [[Review_webpage_comments_and_metadata_for_information_leakage_(OTG-INFO-005) | Check The Webpage Comments and Metadata for Information Leakage]]
+
*      [[Review_webpage_comments_and_metadata_for_information_leakage_(OTG-INFO-005) |Check webpage comments and metadata for information leakage]]
  
 
''Development Review''
 
''Development Review''
*      [[Fingerprint_Web_Application_Framework_(OTG-INFO-008) | Check The Web Application Framework]]
+
*      [[Fingerprint_Web_Application_Framework_(OTG-INFO-008) |Check the web application framework]]
*      [[Fingerprint_Web_Server_(OTG-INFO-002)|Perform Web Application Fingerprinting]]
+
*      [[Fingerprint_Web_Server_(OTG-INFO-002)|Perform web application fingerprinting]]
 
*      Identify technologies used
 
*      Identify technologies used
 
*      [[Test_Role_Definitions_(OTG-IDENT-001)|Identify user roles]]
 
*      [[Test_Role_Definitions_(OTG-IDENT-001)|Identify user roles]]
*      [[Identify_application_entry_points_(OTG-INFO-006) | Identify application entry points]]
+
*      [[Identify_application_entry_points_(OTG-INFO-006) |Identify application entry points]]
 
*      Identify client-side code
 
*      Identify client-side code
 
*      Identify multiple versions/channels (e.g. web, mobile web, mobile app)
 
*      Identify multiple versions/channels (e.g. web, mobile web, mobile app)
  
 
''Hosting and Platform Review''
 
''Hosting and Platform Review''
*      [[Web_Services | Identify web services]]
+
*      [[Web_Services |Identify web services]]
 
*      Identify co-hosted and related applications
 
*      Identify co-hosted and related applications
 
*      Identify all hostnames and ports
 
*      Identify all hostnames and ports
Line 41: Line 39:
 
== Configuration Management ==
 
== Configuration Management ==
 
* Check for commonly used application and administrative URLs
 
* Check for commonly used application and administrative URLs
* [[4.3.4_Review_Old,_Backup_and_Unreferenced_Files_for_Sensitive_Information_(OTG-CONFIG-004) | Check for old, backup and unreferenced files]]
+
* [[4.3.4_Review_Old,_Backup_and_Unreferenced_Files_for_Sensitive_Information_(OTG-CONFIG-004) |Check for old, backup, and unreferenced files]]
* [[Test_HTTP_Methods_(OTG-CONFIG-006) | Check HTTP methods supported and Cross Site Tracing (XST)]]
+
* [[Test_HTTP_Methods_(OTG-CONFIG-006) |Check HTTP methods supported and Cross Site Tracing (XST)]]
* [[4.3.3_Test_File_Extensions_Handling_for_Sensitive_Information_(OTG-CONFIG-003) | Test file extensions handling]]
+
* [[4.3.3_Test_File_Extensions_Handling_for_Sensitive_Information_(OTG-CONFIG-003) |Test file extensions handling]]
* [[Test_RIA_cross_domain_policy_(OTG-CONFIG-008) | Test RIA cross domain policy]]
+
* [[Test_RIA_cross_domain_policy_(OTG-CONFIG-008) |Test RIA cross domain policy]]
* Test for [[List_of_useful_HTTP_headers | security HTTP headers]] (e.g. CSP, X-Frame-Options, HSTS)
+
* Test for [[List_of_useful_HTTP_headers |security HTTP headers]] (e.g. CSP, X-Frame-Options, HSTS)
 
* Test for policies (e.g. Flash, Silverlight, robots)
 
* Test for policies (e.g. Flash, Silverlight, robots)
 
* Check for sensitive data in client-side code (e.g. API keys, credentials)
 
* Check for sensitive data in client-side code (e.g. API keys, credentials)
Line 51: Line 49:
 
== Secure Transmission ==
 
== Secure Transmission ==
 
''Protocols and Encryption''
 
''Protocols and Encryption''
* [[Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_(OTG-CRYPST-001) | Check SSL Version, Algorithms, Key length]]
+
* [[Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_(OTG-CRYPST-001) |Check SSL version, algorithms, and key length]]
* Check for Digital Certificate Validity (Duration, Signature and CN)
+
* Check for digital certificate validity (duration, signature, and CN)
* Check credentials only delivered over HTTPS
+
* Check that credentials are only delivered over HTTPS
 
* Check that the login form is delivered over HTTPS
 
* Check that the login form is delivered over HTTPS
* Check session tokens only delivered over HTTPS
+
* Check that session tokens are only delivered over HTTPS
* [[Test_HTTP_Strict_Transport_Security_(OTG-CONFIG-009) | Check if HTTP Strict Transport Security (HSTS) in use]]
+
* [[Test_HTTP_Strict_Transport_Security_(OTG-CONFIG-009) |Check if HTTP Strict Transport Security (HSTS) in use]]
* [[Test_Ability_to_forge_requests_(OTG-BUSLOGIC-002) | Test ability to forge requests]]
+
* [[Test_Ability_to_forge_requests_(OTG-BUSLOGIC-002) |Test ability to forge requests]]
* [[Test_Web_Messaging_(OTG-CLIENT-011)|Test Web Messaging (HTML5)]]
+
* [[Test_Web_Messaging_(OTG-CLIENT-011)|Test web messaging (HTML5)]]
 
* [[Test_Cross_Origin_Resource_Sharing_(OTG-CLIENT-007)|Check CORS implementation (HTML5)]]
 
* [[Test_Cross_Origin_Resource_Sharing_(OTG-CLIENT-007)|Check CORS implementation (HTML5)]]
  
 
''Web Services and REST''
 
''Web Services and REST''
* [[Web_Service_Security_Testing_Cheat_Sheet | Test for Web Service Issues]]
+
* [[Web_Service_Security_Testing_Cheat_Sheet | Test for web service issues]]
 
* [[REST_Assessment_Cheat_Sheet | Test REST]]
 
* [[REST_Assessment_Cheat_Sheet | Test REST]]
  
Line 72: Line 70:
 
* Test password change process
 
* Test password change process
 
* Test CAPTCHA
 
* Test CAPTCHA
* Test multi factor authentication
+
* Test multi-factor authentication
 
* Test for logout functionality presence
 
* Test for logout functionality presence
 
* Test for default logins
 
* Test for default logins
* Test for out-of channel notification of account lockouts and successful password changes
+
* Test for out-of-channel notification of account lockouts and successful password changes
* Test for consistent authentication across applications with shared authentication schema / SSO and alternative channels
+
* Test for consistent authentication across applications with shared authentication schema/SSO and alternative channels
* Test for Weak security question/answer
+
* Test for weak security question/answer
  
 
''Additional Authentication Functionality''
 
''Additional Authentication Functionality''
Line 83: Line 81:
 
* [[Testing_for_Bypassing_Authentication_Schema_(OTG-AUTHN-004) | Test for authentication bypass]]
 
* [[Testing_for_Bypassing_Authentication_Schema_(OTG-AUTHN-004) | Test for authentication bypass]]
 
* [[Testing_for_Brute_Force_(OWASP-AT-004) | Test for brute force protection]]
 
* [[Testing_for_Brute_Force_(OWASP-AT-004) | Test for brute force protection]]
* [[Testing_for_Credentials_Transported_over_an_Encrypted_Channel_(OTG-AUTHN-001)|Test for Credentials Transported over an Encrypted Channel]]
+
* [[Testing_for_Credentials_Transported_over_an_Encrypted_Channel_(OTG-AUTHN-001)|Test for credentials transported over an encrypted channel]]
 
* Test for cache management on HTTP (eg Pragma, Expires, Max-age)
 
* Test for cache management on HTTP (eg Pragma, Expires, Max-age)
 
* Test for user-accessible authentication history
 
* Test for user-accessible authentication history
Line 96: Line 94:
 
* [[Testing_for_logout_functionality_(OTG-SESS-006)|Check session termination after logout]]
 
* [[Testing_for_logout_functionality_(OTG-SESS-006)|Check session termination after logout]]
 
* Test to see if users can have multiple simultaneous sessions
 
* Test to see if users can have multiple simultaneous sessions
* [[Testing_for_Session_Management_Schema_(OTG-SESS-001)#Session_ID_Predictability_and_Randomness | Test session cookies for randomness]]
+
* [[Testing_for_Session_Management_Schema_(OTG-SESS-001)#Session_ID_Predictability_and_Randomness |Test session cookies for randomness]]
* Confirm that new session tokens are issued on login, role change and logout
+
* Confirm that new session tokens are issued on login, role change, and logout
 
* Test for consistent session management across applications with shared session management
 
* Test for consistent session management across applications with shared session management
 
* Test for session puzzling
 
* Test for session puzzling
Line 104: Line 102:
 
== Authorization ==
 
== Authorization ==
 
* [[Testing_Directory_traversal/file_include_(OTG-AUTHZ-001)|Test for path traversal]]
 
* [[Testing_Directory_traversal/file_include_(OTG-AUTHZ-001)|Test for path traversal]]
* [[Testing_for_Privilege_escalation_(OTG-AUTHZ-003)|Test for vertical Access control problems (a.k.a. Privilege Escalation)]]
+
* [[Testing_for_Privilege_escalation_(OTG-AUTHZ-003)|Test for vertical access control problems (a.k.a. privilege escalation)]]
* Test for horizontal Access control problems (between two users at the same privilege level)
+
* Test for horizontal access control problems (between two users at the same privilege level)
* [[Testing_for_Bypassing_Authorization_Schema_(OTG-AUTHZ-002)|Test for missing authorisation]]
+
* [[Testing_for_Bypassing_Authorization_Schema_(OTG-AUTHZ-002)|Test for missing authorization]]
* [[Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004)|Test for Insecure Direct Object References]]
+
* [[Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004)|Test for insecure direct object references]]
  
 
== Cryptography ==
 
== Cryptography ==
Line 113: Line 111:
 
* Check for wrong algorithms usage depending on context
 
* Check for wrong algorithms usage depending on context
 
* [[Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_(OTG-CRYPST-001)|Check for weak algorithms usage]]
 
* [[Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_(OTG-CRYPST-001)|Check for weak algorithms usage]]
* [[Password_Storage_Cheat_Sheet#Use_a_cryptographically_strong_credential-specific_salt | Check for proper use of salting]]
+
* [[Password_Storage_Cheat_Sheet#Use_a_cryptographically_strong_credential-specific_salt |Check for proper use of salting]]
* [[Insecure_Randomness | Check for randomness functions]]
+
* [[Insecure_Randomness |Check for randomness functions]]
  
 
== Data Validation ==
 
== Data Validation ==
Line 170: Line 168:
 
* Test that file size limits, upload frequency and total file counts are defined and are enforced
 
* Test that file size limits, upload frequency and total file counts are defined and are enforced
 
* Test that file contents match the defined file type
 
* Test that file contents match the defined file type
* [[Test_Upload_of_Malicious_Files_(OTG-BUSLOGIC-009)|Test that all file uploads have Anti-Virus scanning in-place.]]
+
* [[Test_Upload_of_Malicious_Files_(OTG-BUSLOGIC-009)|Test that all file uploads have anti-virus scanning in place]]
 
* [[Test_Upload_of_Malicious_Files_(OTG-BUSLOGIC-016) | Test upload of malicious files]]
 
* [[Test_Upload_of_Malicious_Files_(OTG-BUSLOGIC-016) | Test upload of malicious files]]
 
* Test that unsafe filenames are sanitized
 
* Test that unsafe filenames are sanitized
 
* Test that uploaded files are not directly accessible within the web root
 
* Test that uploaded files are not directly accessible within the web root
 
* Test that uploaded files are not served on the same hostname/port
 
* Test that uploaded files are not served on the same hostname/port
* Test that files and other media are integrated with the authentication and authorisation schemas
+
* Test that files and other media are integrated with the authentication and authorization schemas
 
''Payments''
 
''Payments''
 
* Test for known vulnerabilities and configuration issues on Web Server and Web Application
 
* Test for known vulnerabilities and configuration issues on Web Server and Web Application
 
* Test for default or guessable password
 
* Test for default or guessable password
* [[Injection_Flaws | Test for Injection vulnerabilities ]]
+
* [[Injection_Flaws |Test for Injection vulnerabilities]]
* [[Testing_for_Buffer_Overflow_(OTG-INPVAL-014) | Test for Buffer Overflows]]
+
* [[Testing_for_Buffer_Overflow_(OTG-INPVAL-014) |Test for Buffer Overflows]]
* [[Top_10_2010-A7-Insecure_Cryptographic_Storage | Test for Insecure Cryptographic Storage]]
+
* [[Top_10_2010-A7-Insecure_Cryptographic_Storage |Test for Insecure Cryptographic Storage]]
 
* [[Top_10_2010-A9-Insufficient_Transport_Layer_Protection | Test for Insufficient Transport Layer Protection]]
 
* [[Top_10_2010-A9-Insufficient_Transport_Layer_Protection | Test for Insufficient Transport Layer Protection]]
 
* [[Web_Application_Security_Testing_Cheat_Sheet#Error_Handling|Test for Improper Error Handling]]
 
* [[Web_Application_Security_Testing_Cheat_Sheet#Error_Handling|Test for Improper Error Handling]]
Line 199: Line 197:
 
= Authors and contributors =
 
= Authors and contributors =
  
[[User:Simon Bennetts|Simon Bennetts]]<br/>
+
[[User:Simon Bennetts|Simon Bennetts]]<br />
[[User:Raesene|Rory McCune]] <br/>
+
[[User:Raesene|Rory McCune]] <br />
Colin Watson<br/>
+
Colin Watson<br />
Simone Onofri<br/>
+
Simone Onofri<br />
 
[[User:Amro_Ahmed|Amro AlOlaqi]]  
 
[[User:Amro_Ahmed|Amro AlOlaqi]]  
  
 
All above are authors of the [[OWASP_Testing_Guide_v3_Table_of_Contents | Testing Guide v3]]  
 
All above are authors of the [[OWASP_Testing_Guide_v3_Table_of_Contents | Testing Guide v3]]  
  
[[User:Ryan_Dewhurst|Ryan Dewhurst]]<br/>
+
[[User:Ryan_Dewhurst|Ryan Dewhurst]]<br />
[[User:Frank.catucci | Frank Catucci]]<br/>
+
[[User:Frank.catucci | Frank Catucci]]<br />
 
[[User:VinMiller | Vin Miller]]
 
[[User:VinMiller | Vin Miller]]
  
Line 220: Line 218:
 
{{Cheatsheet_Navigation}}
 
{{Cheatsheet_Navigation}}
  
[[Category:Cheatsheets]] [[Category:OWASP_Breakers]]
+
[[Category:Cheatsheets]]  
 +
[[Category:OWASP_Breakers]]

Revision as of 17:55, 29 December 2017

Introduction

This cheat sheet provides a checklist of tasks to be performed during blackbox security testing of a web application.

Purpose

This checklist is intended to be used as a memory aid for experienced pentesters. It should be used in conjunction with the OWASP Testing Guide. It will be updated as the Testing Guide v4 progresses.

The intention is that this guide will be available as an XML document, with scripts that convert it into formats such as PDF, MediaWiki markup, HTML, and so forth. This will allow it to be consumed within security tools as well as being available in a format suitable for printing.

All feedback or offers of help will be appreciated. If you have specific changes you think should be made, please log in and make suggestions.

The Checklist

Information Gathering

Rendered Site Review

Development Review

Hosting and Platform Review

  • Identify web services
  • Identify co-hosted and related applications
  • Identify all hostnames and ports
  • Identify third-party hosted content

Configuration Management

Secure Transmission

Protocols and Encryption

Web Services and REST

Authentication

Application Password Functionality

  • Test password quality rules
  • Test remember me functionality
  • Test password reset and/or recovery
  • Test password change process
  • Test CAPTCHA
  • Test multi-factor authentication
  • Test for logout functionality presence
  • Test for default logins
  • Test for out-of-channel notification of account lockouts and successful password changes
  • Test for consistent authentication across applications with shared authentication schema/SSO and alternative channels
  • Test for weak security question/answer

Additional Authentication Functionality

Session Management

Authorization

Cryptography

Data Validation

Injection

Other

Denial of Service

Specific Risky Functionality

File Uploads

Payments

Error Handling


Other Formats

  • DradisPro template format on github
  • Asana template on Templana (thanks to Bastien Siebman)

Authors and contributors

Simon Bennetts
Rory McCune
Colin Watson
Simone Onofri
Amro AlOlaqi

All above are authors of the Testing Guide v3

Ryan Dewhurst
Frank Catucci
Vin Miller

Related articles

Other Cheatsheets

OWASP Cheat Sheets Project Homepage


V - T - E Cheat Sheets
Developer / Builder
Assessment / Breaker
Mobile
OpSec / Defender
Draft and Beta
All Pages In This Category
Retrieved from "https://wiki.owasp.org/index.php?title=Web_Application_Security_Testing_Cheat_Sheet&oldid=236456"