Difference between revisions of "Web Application Security Testing Cheat Sheet"

From OWASP
Jump to: navigation, search
(Session Management)
Line 46: Line 46:
 
* Test logout and cache management
 
* Test logout and cache management
 
== Session Management ==
 
== Session Management ==
* TBA
+
* Establish how session management is handled in the application (eg, tokens in cookies, token in URL)
 +
* Check session tokens for cookie flags (httpOnly and secure)
 +
* Check session cookie scope
 +
* Check session timeout duration
 +
* Test to see if users can have multiple simultaneous sessions
 +
* Test session cookies for randomness
 +
* Confirm that new session tokens are issued on login
 +
 
 
== Authorization ==
 
== Authorization ==
 
* TBA
 
* TBA

Revision as of 12:10, 25 July 2012

Contents

DRAFT CHEAT SHEET - WORK IN PROGRESS

Introduction

This cheat sheet provides a checklist of tasks to be performed when performing a blackbox security test of a web application.

Purpose

This checklist is intended to be used as an aide memoire for experienced pentesters and should be used in conjunction with the OWASP Testing Guide. It will be updated as the Testing Guide v4 is progressed.

The intention is that this guide will be available as an XML document, with scripts that convert it into formats such as pdf, Media Wiki markup, HTML etc.

This will allow it to be consumed within security tools as well as being available in a format suitable for printing.

It is currently at a very early stage, but any feedback or offers of help will be appreciated.

The Checklist

Information Gathering

  • Manually explore the site
  • Spider/crawl for missed or hidden content
  • Check for files that expose content, such as robots.txt, sitemap.xml, .DS_Store
  • Check the caches of major search engines for publicly accessible sites
  • Perform Web Application Fingerprinting
  • Identify technologies used
  • Identify application entry points

Configuration Management

  • Check for commonly used application and administrative URLs
  • Check for old, backup and unreferenced files
  • Check HTTP methods supported and Cross Site Tracing (XST)
  • Test file extensions handling

Secure Transmission

  • Check SSL Version, Algorithms, Key length, Digital Cert. Validity
  • Check credentials only delivered over HTTPS
  • Check session tokens only delivered over HTTPS
  • Check if HTTP Strict Transport Security (HSTS) in use

Authentication

  • Test for user enumeration
  • Test for authentication bypass
  • Test for bruteforce protection
  • Test password quality rules
  • Test remember me functionality
  • Test password reset
  • Test CAPTCHA
  • Test multi factor authentication
  • Test logout and cache management

Session Management

  • Establish how session management is handled in the application (eg, tokens in cookies, token in URL)
  • Check session tokens for cookie flags (httpOnly and secure)
  • Check session cookie scope
  • Check session timeout duration
  • Test to see if users can have multiple simultaneous sessions
  • Test session cookies for randomness
  • Confirm that new session tokens are issued on login

Authorization

  • TBA

Data Validation

  • TBA

Denial of Service

  • TBA

Business Logic

  • TBA

Authors and primary contributors

Simon Bennetts

Related articles

OWASP Testing Guide

Mozilla Web Security Verification

OWASP Cheat Sheets Project Homepage

Developer Cheat Sheets (Builder)

Assessment Cheat Sheets (Breaker)

Mobile Cheat Sheets

OpSec Cheat Sheets (Defender)

Draft Cheat Sheets