OWASP Web Application Security Testing Checklist
Information Gathering:
- Manually explore the site.
- Spider/crawl for missed or hidden content.
- Check for files that expose content, such as robots.txt, sitemap.xml, .DS_Store.
- Check the caches of major search engines for publicly accessible sites.
- Check for differences in content based on User Agent.
- Perform Web Application Fingerprinting .
- Identify technologies used.
- Identify user roles.
- Identify application entry points .
- Identify client-side code.
- Identify multiple versions/channels.
- Identify co-hosted and related applications.
- Identify all hostnames and ports.
- Identify third-party hosted content.
Configuration Management:
- Check for commonly used application and administrative URLs.
- Check for old, backup and unreferenced files.
- Check HTTP methods supported and Cross Site Tracing.
- Test file extensions handling.
- Test for security HTTP headers.
- Test for policies for example
Flash
,Silverlight
,Robots
. - Test for non-production data in live environment, and vice-versa.
- Check for sensitive data in client-side code for example
API keys
,Credentials
.
Secure Transmission:
- Check SSL Version, Algorithms, Key length.
- Check for Digital Certificate Validity.
- Check credentials only delivered over HTTPS.
- Check that the login form is delivered over HTTPS.
- Check session tokens only delivered over HTTPS.
- Check if HTTP Strict Transport Security (HSTS) in use.
Authentication:
- Test for user enumeration.
- Test for authentication bypass.
- Test for bruteforce protection.
- Test password quality rules.
- Test remember me functionality.
- Test for autocomplete on password forms/input.
- Test password reset and/or recovery.
- Test password change process.
- Test CAPTCHA.
- Test multi factor authentication.
- Test for logout functionality presence.
- Test for cache management on HTTP for example
Pragma
,Expires
,Max-age
. - Test for default logins.
- Test for user-accessible authentication history.
- Test for out-of channel notification of account lockouts and successful password changes.
- Test for consistent authentication across applications with shared authentication schema / SSO.
Session Management:
- Establish how session management is handled in the application for example
tokens in cookies
,token in URL
. - Check session tokens for cookie flags.
- Check session cookie scope.
- Check session cookie duration.
- Check session termination after a maximum lifetime.
- Check session termination after relative timeout.
- Check session termination after logout.
- Test to see if users can have multiple simultaneous sessions.
- Test session cookies for randomness.
- Confirm that new session tokens are issued on login, role change and logout.
- Test for consistent session management across applications with shared session management.
- Test for session puzzling.
- Test for CSRF and clickjacking.
Authorization:
- Test for path traversal.
- Test for bypassing authorization schema.
- Test for vertical Access control problems like
Privilege Escalation
. - Test for horizontal Access control problems.
- Test for missing authorization.
Data Validation:
- Test for Reflected Cross Site Scripting.
- Test for Stored Cross Site Scripting.
- Test for DOM based Cross Site Scripting.
- Test for Cross Site Flashing.
- Test for HTML Injection.
- Test for SQL Injection.
- Test for LDAP Injection.
- Test for ORM Injection.
- Test for XML Injection.
- Test for XXE Injection.
- Test for SSI Injection.
- Test for XPath Injection.
- Test for XQuery Injection.
- Test for IMAP/SMTP Injection.
- Test for Code Injection.
- Test for Expression Language Injection.
- Test for Command Injection.
- Test for Overflow.
- Test for incubated vulnerabilities.
- Test for HTTP Splitting/Smuggling.
- Test for HTTP Verb Tampering.
- Test for Open Redirection.
- Test for Local File Inclusion.
- Test for Remote File Inclusion.
- Compare client-side and server-side validation rules.
- Test for NoSQL injection.
- Test for HTTP parameter pollution.
- Test for auto-binding.
- Test for Mass Assignment.
- Test for NULL/Invalid Session Cookie.
Denial of Service:
- Test for anti-automation.
- Test for account lockout.
- Test for HTTP protocol DoS.
- Test for SQL wildcard DoS.
Business Logic:
- Test for feature misuse.
- Test for lack of non-repudiation.
- Test for trust relationships.
- Test for integrity of data.
- Test segregation of duties.
Cryptography:
- Check if data which should be encrypted is not.
- Check for wrong algorithms usage depending on context.
- Check for weak algorithms usage.
- Check for proper use of salting.
- Check for randomness functions.
Risky Functionality - File Uploads:
- Test that file size limits, upload frequency and total file counts are defined and are enforced
- Test that file contents match the defined file type.
- Test that all file uploads have Anti-Virus scanning in-place.
- Test that unsafe filenames are sanitized.
- Test that uploaded files are not directly accessible within the web root.
- Test that uploaded files are not served on the same hostname/port.
- Test that files and other media are integrated with the authentication and authorization schemas.
Risky Functionality - Card Payment:
- Test for known vulnerabilities and configuration issues on Web Server and Web Application.
- Test for default or guessable password.
- Test for non-production data in live environment, and vice-versa.
- Test for Injection vulnerabilities.
- Test for Buffer Overflows.
- Test for Insecure Cryptographic Storage.
- Test for Insufficient Transport Layer Protection.
- Test for Improper Error Handling.
- Test for all vulnerabilities with a CVSS v2 score > 4.0.
- Test for Authentication and Authorization issues.
- Test for CSRF.
HTML-5:
- Test Web Messaging.
- Test for Web Storage SQL injection.
- Check CORS implementation.
- Check Offline Web Application.