Difference between revisions of "Web Application Security Testing Cheat Sheet"

From OWASP
Jump to: navigation, search
(Added link to my profile)
(Authors and contributors)
 
(82 intermediate revisions by 6 users not shown)
Line 1: Line 1:
= DRAFT CHEAT SHEET - WORK IN PROGRESS =
 
 
 
= Introduction =
 
= Introduction =
  
This cheat sheet provides a checklist of tasks to be performed when performing a blackbox security test of a web application.
+
This cheat sheet provides a checklist of tasks to be performed during blackbox security testing of a web application.
  
 
= Purpose =
 
= Purpose =
Line 13: Line 11:
 
This will allow it to be consumed within security tools as well as being available in a format suitable for printing.
 
This will allow it to be consumed within security tools as well as being available in a format suitable for printing.
  
All feedback or offers of help will be appreciated - and if you have specific chances you think should be made, just get stuck in.
+
All feedback or offers of help will be appreciated - and if you have specific changes you think should be made, please log in and make suggestions.
  
 
= The Checklist =
 
= The Checklist =
  
 
== Information Gathering ==
 
== Information Gathering ==
* Manually explore the site
+
''Rendered Site Review''
* Spider/crawl for missed or hidden content
+
*     Manually explore the site
* Check for files that expose content, such as robots.txt, sitemap.xml, .DS_Store
+
*     [[Testing:_Spidering_and_googling | Spider/crawl]] for missed or hidden content
* Check the caches of major search engines for publicly accessible sites
+
*     [[Review_Webserver_Metafiles_for_Information_Leakage_(OTG-INFO-003)|Check the Webserver Metafiles]] for information leakage files that expose content, such as robots.txt, sitemap.xml, .DS_Store
* Check for differences in content based on User Agent (eg, Mobile sites, access as a Search engine Crawler)
+
*     [[Conduct_search_engine_discovery/reconnaissance_for_information_leakage_(OTG-INFO-001)|Check the caches of major search engines for publicly accessible sites]]
* Perform Web Application Fingerprinting
+
*     Check for differences in content based on User Agent (eg, Mobile sites, access as a Search engine Crawler)
* Identify technologies used
+
*     [[Review_webpage_comments_and_metadata_for_information_leakage_(OTG-INFO-005) | Check The Webpage Comments and Metadata for Information Leakage]]
* Identify user roles
+
 
* Identify application entry points
+
''Development Review''
* Identify client-side code
+
*      [[Fingerprint_Web_Application_Framework_(OTG-INFO-008) | Check The Web Application Framework]]
* Identify multiple versions/channels (e.g. web, mobile web, mobile app, web services)
+
*      [[Fingerprint_Web_Server_(OTG-INFO-002)|Perform Web Application Fingerprinting]]
* Identify co-hosted and related applications
+
*     Identify technologies used
* Identify all hostnames and ports
+
*     [[Test_Role_Definitions_(OTG-IDENT-001)|Identify user roles]]
* Identify third-party hosted content
+
*     [[Identify_application_entry_points_(OTG-INFO-006) | Identify application entry points]]
 +
*     Identify client-side code
 +
*     Identify multiple versions/channels (e.g. web, mobile web, mobile app)
 +
 
 +
''Hosting and Platform Review''
 +
*      [[Web_Services | Identify web services]]
 +
*     Identify co-hosted and related applications
 +
*     Identify all hostnames and ports
 +
*     Identify third-party hosted content
  
 
== Configuration Management ==
 
== Configuration Management ==
 
* Check for commonly used application and administrative URLs
 
* Check for commonly used application and administrative URLs
* Check for old, backup and unreferenced files
+
* [[4.3.4_Review_Old,_Backup_and_Unreferenced_Files_for_Sensitive_Information_(OTG-CONFIG-004) | Check for old, backup and unreferenced files]]
* Check HTTP methods supported and Cross Site Tracing (XST)
+
* [[Test_HTTP_Methods_(OTG-CONFIG-006) | Check HTTP methods supported and Cross Site Tracing (XST)]]
* Test file extensions handling
+
* [[4.3.3_Test_File_Extensions_Handling_for_Sensitive_Information_(OTG-CONFIG-003) | Test file extensions handling]]
* Test for security HTTP headers (e.g. CSP, X-Frame-Options, HSTS)
+
* [[Test_RIA_cross_domain_policy_(OTG-CONFIG-008) | Test RIA cross domain policy]]
 +
* Test for [[List_of_useful_HTTP_headers | security HTTP headers]] (e.g. CSP, X-Frame-Options, HSTS)
 
* Test for policies (e.g. Flash, Silverlight, robots)
 
* Test for policies (e.g. Flash, Silverlight, robots)
* Test for non-production data in live environment, and vice-versa
 
 
* Check for sensitive data in client-side code (e.g. API keys, credentials)
 
* Check for sensitive data in client-side code (e.g. API keys, credentials)
  
 
== Secure Transmission ==
 
== Secure Transmission ==
* Check SSL Version, Algorithms, Key length
+
''Protocols and Encryption''
 +
* [[Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_(OTG-CRYPST-001) | Check SSL Version, Algorithms, Key length]]
 
* Check for Digital Certificate Validity (Duration, Signature and CN)
 
* Check for Digital Certificate Validity (Duration, Signature and CN)
 
* Check credentials only delivered over HTTPS
 
* Check credentials only delivered over HTTPS
 
* Check that the login form is delivered over HTTPS
 
* Check that the login form is delivered over HTTPS
 
* Check session tokens only delivered over HTTPS
 
* Check session tokens only delivered over HTTPS
* Check if HTTP Strict Transport Security (HSTS) in use
+
* [[Test_HTTP_Strict_Transport_Security_(OTG-CONFIG-009) | Check if HTTP Strict Transport Security (HSTS) in use]]
 +
* [[Test_Ability_to_forge_requests_(OTG-BUSLOGIC-002) | Test ability to forge requests]]
 +
* [[Test_Web_Messaging_(OTG-CLIENT-011)|Test Web Messaging (HTML5)]]
 +
* [[Test_Cross_Origin_Resource_Sharing_(OTG-CLIENT-007)|Check CORS implementation (HTML5)]]
 +
 
 +
''Web Services and REST''
 +
* [[Web_Service_Security_Testing_Cheat_Sheet | Test for Web Service Issues]]
 +
* [[REST_Assessment_Cheat_Sheet | Test REST]]
  
 
== Authentication ==
 
== Authentication ==
* Test for user enumeration
+
''Application Password Functionality''
* Test for authentication bypass
+
* [[Testing_for_Weak_password_policy_(OTG-AUTHN-007)|Test password quality rules]]
* Test for bruteforce protection
+
* Test password quality rules
+
 
* Test remember me functionality
 
* Test remember me functionality
* Test for autocomplete on password forms/input
 
 
* Test password reset and/or recovery
 
* Test password reset and/or recovery
 
* Test password change process
 
* Test password change process
Line 63: Line 74:
 
* Test multi factor authentication
 
* Test multi factor authentication
 
* Test for logout functionality presence
 
* Test for logout functionality presence
* Test for cache management on HTTP (eg Pragma, Expires, Max-age)
 
 
* Test for default logins
 
* Test for default logins
* Test for user-accessible authentication history
 
 
* Test for out-of channel notification of account lockouts and successful password changes
 
* Test for out-of channel notification of account lockouts and successful password changes
* Test for consistent authentication across applications with shared authentication schema / SSO
+
* Test for consistent authentication across applications with shared authentication schema / SSO and alternative channels
 +
* Test for Weak security question/answer
 +
 
 +
''Additional Authentication Functionality''
 +
* [[Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002) | Test for user enumeration]]
 +
* [[Testing_for_Bypassing_Authentication_Schema_(OTG-AUTHN-004) | Test for authentication bypass]]
 +
* [[Testing_for_Brute_Force_(OWASP-AT-004) | Test for brute force protection]]
 +
* [[Testing_for_Credentials_Transported_over_an_Encrypted_Channel_(OTG-AUTHN-001)|Test for Credentials Transported over an Encrypted Channel]]
 +
* Test for cache management on HTTP (eg Pragma, Expires, Max-age)
 +
* Test for user-accessible authentication history
  
 
== Session Management ==
 
== Session Management ==
 
* Establish how session management is handled in the application (eg, tokens in cookies, token in URL)
 
* Establish how session management is handled in the application (eg, tokens in cookies, token in URL)
* Check session tokens for cookie flags (httpOnly and secure)
+
* [[Testing_for_cookies_attributes_(OTG-SESS-002)|Check session tokens for cookie flags (httpOnly and secure)]]
* Check session cookie scope (path and domain)
+
* [[Testing_for_cookies_attributes_(OTG-SESS-002)|Check session cookie scope (path and domain)]]
 
* Check session cookie duration (expires and max-age)
 
* Check session cookie duration (expires and max-age)
* Check session termination after a maximum lifetime
+
* [[Test_Session_Timeout_(OTG-SESS-007)|Check session termination after a maximum lifetime]]
* Check session termination after relative timeout
+
* [[Test_Session_Timeout_(OTG-SESS-007)|Check session termination after relative timeout]]
* Check session termination after logout
+
* [[Testing_for_logout_functionality_(OTG-SESS-006)|Check session termination after logout]]
 
* Test to see if users can have multiple simultaneous sessions
 
* Test to see if users can have multiple simultaneous sessions
* Test session cookies for randomness
+
* [[Testing_for_Session_Management_Schema_(OTG-SESS-001)#Session_ID_Predictability_and_Randomness | Test session cookies for randomness]]
 
* Confirm that new session tokens are issued on login, role change and logout
 
* Confirm that new session tokens are issued on login, role change and logout
 
* Test for consistent session management across applications with shared session management
 
* Test for consistent session management across applications with shared session management
Line 85: Line 103:
  
 
== Authorization ==
 
== Authorization ==
* Test for path traversal
+
* [[Testing_Directory_traversal/file_include_(OTG-AUTHZ-001)|Test for path traversal]]
* Test for bypassing authorization schema
+
* [[Testing_for_Privilege_escalation_(OTG-AUTHZ-003)|Test for vertical Access control problems (a.k.a. Privilege Escalation)]]
* Test for vertical Access control problems (a.k.a. Privilege Escalation)
+
 
* Test for horizontal Access control problems (between two users at the same privilege level)
 
* Test for horizontal Access control problems (between two users at the same privilege level)
* Test for missing authorization
+
* [[Testing_for_Bypassing_Authorization_Schema_(OTG-AUTHZ-002)|Test for missing authorisation]]
 +
* [[Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004)|Test for Insecure Direct Object References]]
 +
 
 +
== Cryptography ==
 +
* [[Testing_for_Sensitive_information_sent_via_unencrypted_channels_(OTG-CRYPST-003)|Check if data which should be encrypted is not]]
 +
* Check for wrong algorithms usage depending on context
 +
* [[Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_(OTG-CRYPST-001)|Check for weak algorithms usage]]
 +
* [[Password_Storage_Cheat_Sheet#Use_a_cryptographically_strong_credential-specific_salt | Check for proper use of salting]]
 +
* [[Insecure_Randomness | Check for randomness functions]]
  
 
== Data Validation ==
 
== Data Validation ==
* Test for Reflected Cross Site Scripting
+
''Injection''
* Test for Stored Cross Site Scripting
+
* Test for DOM based Cross Site Scripting
+
* Test for Cross Site Flashing
+
 
* Test for HTML Injection
 
* Test for HTML Injection
* Test for SQL Injection
+
* [[Testing_for_SQL_Injection_(OTG-INPVAL-005)|Test for SQL Injection]]
 
* Test for LDAP Injection
 
* Test for LDAP Injection
* Test for ORM Injection
+
* [[Testing_for_ORM_Injection_(OTG-INPVAL-007)|Test for ORM Injection]]
* Test for XML Injection
+
* [[Testing_for_XML_Injection_(OTG-INPVAL-008)|Test for XML Injection]]
 
* Test for XXE Injection
 
* Test for XXE Injection
* Test for SSI Injection
+
* [[Testing_for_SSI_Injection_(OTG-INPVAL-009)|Test for SSI Injection]]
* Test for XPath Injection
+
* [[Testing_for_XPath_Injection_(OTG-INPVAL-010)|Test for XPath Injection]]
 
* Test for XQuery Injection
 
* Test for XQuery Injection
* Test for IMAP/SMTP Injection
+
* [[Testing_for_IMAP/SMTP_Injection_(OTG-INPVAL-011)|Test for IMAP/SMTP Injection]]
* Test for Code Injection
+
* [[Testing_for_Code_Injection_(OTG-INPVAL-012)|Test for Code Injection]]
* Test for Command Injection
+
* Test for Expression Language Injection
* Test for Overflow (Stack, Heap and Integer)
+
* [[Testing_for_Command_Injection_(OTG-INPVAL-013)|Test for Command Injection]]
* Test for Format String
+
* Test for NoSQL injection
 +
 
 +
''Other''
 +
* [[Testing_for_Reflected_Cross_site_scripting_(OTG-INPVAL-001)|Test for Reflected Cross Site Scripting]]
 +
* [[Testing_for_Stored_Cross_site_scripting_(OTG-INPVAL-002)|Test for Stored Cross Site Scripting]]
 +
* [[Testing_for_DOM-based_Cross_site_scripting_(OTG-CLIENT-001)|Test for DOM based Cross Site Scripting]]
 +
* Test for Cross Site Flashing
 +
* Test for Overflow ([[Testing_for_Stack_Overflow|Stack]], [[Testing_for_Heap_Overflow|Heap]] and Integer)
 +
* [[Testing_for_Format_String|Test for Format String]]
 
* Test for incubated vulnerabilities
 
* Test for incubated vulnerabilities
* Test for HTTP Splitting/Smuggling
+
* [[Testing_for_HTTP_Splitting/Smuggling_(OTG-INPVAL-016)|Test for HTTP Splitting/Smuggling]]
 
* Test for HTTP Verb Tampering
 
* Test for HTTP Verb Tampering
* Test for Open Redirection
+
* [[Top_10_2013-A10-Unvalidated_Redirects_and_Forwards|Test for Open Redirection]]
* Test for Local File Inclusion
+
* [[Testing_for_Local_File_Inclusion|Test for Local File Inclusion]]
* Test for Remote File Inclusion
+
* [[Testing_for_Remote_File_Inclusion|Test for Remote File Inclusion]]
 
* Compare client-side and server-side validation rules
 
* Compare client-side and server-side validation rules
* Test for NoSQL injection
 
 
* Test for HTTP parameter pollution
 
* Test for HTTP parameter pollution
 
* Test for auto-binding
 
* Test for auto-binding
 
* Test for Mass Assignment
 
* Test for Mass Assignment
 
* Test for NULL/Invalid Session Cookie
 
* Test for NULL/Invalid Session Cookie
 +
* [[Test_integrity_checks_(OTG-BUSLOGIC-003) | Test for integrity of data]]
 +
* [[Testing_for_the_Circumvention_of_Work_Flows_(OTG-BUSLOGIC-009) | Test for the Circumvention of Work Flows]]
 +
* [[Test_defenses_against_application_mis-use_(OTG-BUSLOGIC-011) | Test Defenses Against Application Mis-use]]
 +
* [[Test_number_of_times_a_function_can_be_used_limits_(OTG-BUSLOGIC-007) | Test That a Function or Feature Cannot Be Used Outside Of Limits]]
 +
* [[Test_for_Process_Timing_(OTG-BUSLOGIC-007) | Test for Process Timing]]
 +
* [[Test_Local_Storage_(OTG-CLIENT-012)|Test for Web Storage SQL injection (HTML5)]]
 +
* [[HTML5_Security_Cheat_Sheet#Offline_Applications | Check Offline Web Application]]
  
 
== Denial of Service ==
 
== Denial of Service ==
 
* Test for anti-automation
 
* Test for anti-automation
* Test for account lockout
+
* [[Testing_for_Weak_lock_out_mechanism_(OTG-AUTHN-003)|Test for account lockout]]
 
* Test for HTTP protocol DoS
 
* Test for HTTP protocol DoS
 
* Test for SQL wildcard DoS
 
* Test for SQL wildcard DoS
  
== Business Logic ==
+
== Specific Risky Functionality ==
* Test for feature misuse
+
''File Uploads''
* Test for lack of non-repudiation
+
* [[Test_Upload_of_Unexpected_File_Types_(OTG-BUSLOGIC-008)|Test that acceptable file types are whitelisted and non-whitelisted types are rejected]]
* Test for trust relationships
+
* Test for integrity of data
+
* Test segregation of duties
+
 
+
== Cryptography ==
+
* Check if data which should be encrypted is not
+
* Check for wrong algorithms usage depending on context
+
* Check for weak algorithms usage
+
* Check for proper use of salting
+
* Check for randomness functions
+
 
+
== Risky Functionality - File Uploads ==
+
* Test that acceptable file types are whitelisted
+
 
* Test that file size limits, upload frequency and total file counts are defined and are enforced
 
* Test that file size limits, upload frequency and total file counts are defined and are enforced
 
* Test that file contents match the defined file type
 
* Test that file contents match the defined file type
* Test that all file uploads have Anti-Virus scanning in-place.
+
* [[Test_Upload_of_Malicious_Files_(OTG-BUSLOGIC-009)|Test that all file uploads have Anti-Virus scanning in-place.]]
* Test that unsafe filenames are sanitised
+
* [[Test_Upload_of_Malicious_Files_(OTG-BUSLOGIC-016) | Test upload of malicious files]]
 +
* Test that unsafe filenames are sanitized
 
* Test that uploaded files are not directly accessible within the web root
 
* Test that uploaded files are not directly accessible within the web root
 
* Test that uploaded files are not served on the same hostname/port
 
* Test that uploaded files are not served on the same hostname/port
 
* Test that files and other media are integrated with the authentication and authorisation schemas
 
* Test that files and other media are integrated with the authentication and authorisation schemas
 
+
''Payments''
== Risky Functionality - Card Payment ==
+
 
* Test for known vulnerabilities and configuration issues on Web Server and Web Application
 
* Test for known vulnerabilities and configuration issues on Web Server and Web Application
 
* Test for default or guessable password
 
* Test for default or guessable password
* Test for non-production data in live environment, and vice-versa
+
* [[Injection_Flaws | Test for Injection vulnerabilities ]]
* Test for Injection vulnerabilities  
+
* [[Testing_for_Buffer_Overflow_(OTG-INPVAL-014) | Test for Buffer Overflows]]
* Test for Buffer Overflows
+
* [[Top_10_2010-A7-Insecure_Cryptographic_Storage | Test for Insecure Cryptographic Storage]]
* Test for Insecure Cryptographic Storage
+
* [[Top_10_2010-A9-Insufficient_Transport_Layer_Protection | Test for Insufficient Transport Layer Protection]]
* Test for Insufficient Transport Layer Protection
+
* [[Web_Application_Security_Testing_Cheat_Sheet#Error_Handling|Test for Improper Error Handling]]
* Test for Improper Error Handling
+
 
* Test for all vulnerabilities with a CVSS v2 score > 4.0
 
* Test for all vulnerabilities with a CVSS v2 score > 4.0
 
* Test for Authentication and Authorization issues
 
* Test for Authentication and Authorization issues
* Test for CSRF
+
* [[Testing_for_CSRF_(OTG-SESS-005)|Test for CSRF]]
  
== HTML 5==
+
== Error Handling==
* Test Web Messaging
+
* [[Testing_for_Error_Code_(OTG-ERR-001)|Check for Error Codes]]
* Test for Web Storage SQL injection
+
* [[Testing_for_Stack_Traces_(OTG-ERR-002)|Check for Stack Traces]]
* Check CORS implementation
+
  
= Other Formats =
 
  
* Current cheat sheet in DradisPro template format [https://github.com/raesene/OWASP_Web_App_Testing_Cheatsheet_Converter/blob/master/OWASP_Web_Application_Testing_Cheat_Sheet.xml on github]
+
= Appendices =
  
= Authors and primary contributors =
+
== Other Formats ==
 +
* DradisPro template format [https://github.com/raesene/OWASP_Web_App_Testing_Cheatsheet_Converter/blob/master/OWASP_Web_Application_Testing_Cheat_Sheet.xml on github]
 +
* Asana template on [http://templana.com/templates/owasp-website-security-checklist/ Templana] (thanks to Bastien Siebman)
 +
 
 +
== Authors and contributors ==
  
 
[[User:Simon Bennetts|Simon Bennetts]]<br/>
 
[[User:Simon Bennetts|Simon Bennetts]]<br/>
Line 181: Line 205:
 
Colin Watson<br/>
 
Colin Watson<br/>
 
Simone Onofri<br/>
 
Simone Onofri<br/>
 +
[[User:Amro_Ahmed|Amro AlOlaqi]]
  
All the authors of theTesting Guide v3
+
All above are authors of the [[OWASP_Testing_Guide_v3_Table_of_Contents | Testing Guide v3]]
 
+
= Other Contributors =
+
  
[[User:Ryan_Dewhurst|Ryan Dewhurst]]  
+
[[User:Ryan_Dewhurst|Ryan Dewhurst]]<br/>
 +
[[User:Frank.catucci | Frank Catucci]]<br/>
 +
[[User:VinMiller | Vin Miller]]
  
= Related articles =
+
== Related articles ==
  
OWASP [[:Category:OWASP Testing Project|Testing Guide]]
+
* OWASP [[:Category:OWASP Testing Project|Testing Guide]]
 +
* Mozilla [https://wiki.mozilla.org/WebAppSec/Web_Security_Verification Web Security Verification]
  
Mozilla [https://wiki.mozilla.org/WebAppSec/Web_Security_Verification Web Security Verification]
+
== Other Cheatsheets ==
  
 
{{Cheatsheet_Navigation}}
 
{{Cheatsheet_Navigation}}
  
 
[[Category:Cheatsheets]] [[Category:OWASP_Breakers]]
 
[[Category:Cheatsheets]] [[Category:OWASP_Breakers]]

Latest revision as of 13:57, 6 December 2015

Introduction

This cheat sheet provides a checklist of tasks to be performed during blackbox security testing of a web application.

Purpose

This checklist is intended to be used as an aide memoire for experienced pentesters and should be used in conjunction with the OWASP Testing Guide. It will be updated as the Testing Guide v4 is progressed.

The intention is that this guide will be available as an XML document, with scripts that convert it into formats such as pdf, Media Wiki markup, HTML etc.

This will allow it to be consumed within security tools as well as being available in a format suitable for printing.

All feedback or offers of help will be appreciated - and if you have specific changes you think should be made, please log in and make suggestions.

The Checklist

Information Gathering

Rendered Site Review

Development Review

Hosting and Platform Review

  • Identify web services
  • Identify co-hosted and related applications
  • Identify all hostnames and ports
  • Identify third-party hosted content

Configuration Management

Secure Transmission

Protocols and Encryption

Web Services and REST

Authentication

Application Password Functionality

  • Test password quality rules
  • Test remember me functionality
  • Test password reset and/or recovery
  • Test password change process
  • Test CAPTCHA
  • Test multi factor authentication
  • Test for logout functionality presence
  • Test for default logins
  • Test for out-of channel notification of account lockouts and successful password changes
  • Test for consistent authentication across applications with shared authentication schema / SSO and alternative channels
  • Test for Weak security question/answer

Additional Authentication Functionality

Session Management

Authorization

Cryptography

Data Validation

Injection

Other

Denial of Service

Specific Risky Functionality

File Uploads

Payments

Error Handling


Appendices

Other Formats

  • DradisPro template format on github
  • Asana template on Templana (thanks to Bastien Siebman)

Authors and contributors

Simon Bennetts
Rory McCune
Colin Watson
Simone Onofri
Amro AlOlaqi

All above are authors of the Testing Guide v3

Ryan Dewhurst
Frank Catucci
Vin Miller

Related articles

Other Cheatsheets

OWASP Cheat Sheets Project Homepage