This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Web Application Security Testing Cheat Sheet"

From OWASP
Jump to: navigation, search
(Data Validation)
(Migration to GitHub of the project)
 
(108 intermediate revisions by 10 users not shown)
Line 1: Line 1:
= DRAFT CHEAT SHEET - WORK IN PROGRESS =
+
__NOTOC__
 +
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div>
  
= Introduction =
+
The Cheat Sheet Series project has been moved to [https://github.com/OWASP/CheatSheetSeries GitHub]!
  
This cheat sheet provides a checklist of tasks to be performed when performing a blackbox security test of a web application.
+
An [https://github.com/OWASP/CheatSheetSeries/issues/13 open discussion] is pending about to exclude or not this cheat sheet of the V2 of the project.
 
 
= Purpose =
 
 
 
This checklist is intended to be used as an aide memoire for experienced pentesters and should be used in conjunction with the [[:Category:OWASP Testing Project|OWASP Testing Guide]]. It will be updated as the [[OWASP_Application_Testing_guide_v4|Testing Guide v4]] is progressed.
 
 
 
The intention is that this guide will be available as an XML document, with scripts that convert it into formats such as pdf, Media Wiki markup, HTML etc.
 
 
 
This will allow it to be consumed within security tools as well as being available in a format suitable for printing.
 
 
 
It is currently at a very early stage, but any feedback or offers of help will be appreciated.
 
 
 
= The Checklist =
 
 
 
== Information Gathering ==
 
* Manually explore the site
 
* Spider/crawl for missed or hidden content
 
* Check for files that expose content, such as robots.txt, sitemap.xml, .DS_Store
 
* Check the caches of major search engines for publicly accessible sites
 
* Perform Web Application Fingerprinting
 
* Identify technologies used
 
* Identify application entry points
 
== Configuration Management ==
 
* Check for commonly used application and administrative URLs
 
* Check for old, backup and unreferenced files
 
* Check HTTP methods supported and Cross Site Tracing (XST)
 
* Test file extensions handling
 
== Secure Transmission ==
 
* Check SSL Version, Algorithms, Key length, Digital Cert. Validity
 
* Check credentials only delivered over HTTPS
 
* Check session tokens only delivered over HTTPS
 
* Check if HTTP Strict Transport Security (HSTS) in use
 
== Authentication ==
 
* Test for user enumeration
 
* Test for authentication bypass
 
* Test for bruteforce protection
 
* Test password quality rules
 
* Test remember me functionality
 
* Test password reset
 
* Test CAPTCHA
 
* Test multi factor authentication
 
* Test logout and cache management
 
== Session Management ==
 
* Establish how session management is handled in the application (eg, tokens in cookies, token in URL)
 
* Check session tokens for cookie flags (httpOnly and secure)
 
* Check session cookie scope
 
* Check session timeout duration
 
* Test to see if users can have multiple simultaneous sessions
 
* Test session cookies for randomness
 
* Confirm that new session tokens are issued on login
 
== Authorization ==
 
* Test for path traversal
 
* Test for bypassing authorization schema
 
* Test for Privilege Escalation
 
* Test for horizontal Access control problems (between two users at the same privilege level)
 
 
 
== Data Validation ==
 
* Test for Reflected Cross Site Scripting
 
* Test for Stored Cross Site Scripting
 
* Test for DOM based Cross Site Scripting
 
* Test for Cross Site Flashing
 
* Test for SQL Injection
 
* Test for LDAP Injection
 
* Test for ORM Injection
 
* Test for XML Injection
 
* Test for SSI Injection
 
* Test for XPath Injection
 
* Test for IMAP/SMTP Injection
 
* Test for Code Injection
 
* Test for Command Injection
 
* Test for Buffer overflow
 
* Test for incubated vulnerabilities
 
* Test for HTTP Splitting/Smuggling
 
* Compare client-side and server-side validation rules
 
 
 
== Denial of Service ==
 
* TBA
 
== Business Logic ==
 
* TBA
 
== Risky Functionality - File Uploads ==
 
* Confirm that all file uploads have Anti-Virus scanning in-place.
 
* Confirm that uploaded files are not directly accessible within the web root.
 
 
 
= Authors and primary contributors =
 
 
 
[[User:Simon Bennetts|Simon Bennetts]]
 
 
 
= Related articles =
 
 
 
OWASP [[:Category:OWASP Testing Project|Testing Guide]]
 
 
 
Mozilla [https://wiki.mozilla.org/WebAppSec/Web_Security_Verification Web Security Verification]
 
 
 
{{Cheatsheet_Navigation}}
 
 
 
[[Category:Cheatsheets]] [[Category:OWASP_Breakers]]
 

Latest revision as of 10:27, 16 February 2019

Cheatsheets-header.jpg

The Cheat Sheet Series project has been moved to GitHub!

An open discussion is pending about to exclude or not this cheat sheet of the V2 of the project.