Introduction

This cheat sheet provides a checklist of tasks to be performed during blackbox security testing of a web application.

Purpose

This checklist is intended to be used as a memory aid for experienced pentesters. It should be used in conjunction with the . It will be updated as the Testing Guide v4 progresses.

The intention is that this guide will be available as an XML document, with scripts that convert it into formats such as PDF, MediaWiki markup, HTML, and so forth. This will allow it to be consumed within security tools as well as being available in a format suitable for printing.

All feedback or offers of help will be appreciated. If you have specific changes you think should be made, please log in and make suggestions.

The Checklist

Information Gathering

Rendered Site Review

• Manually explore the site
• for missed or hidden content
• Check the webserver metafiles\ “wikilink”) for information leakage files that expose content, such as robots.txt, sitemap.xml, and .DS_Store
• \ “wikilink”)
• Check for differences in content based on user agent (e.g. mobile sites, accessing as a search engine crawler)
• Check webpage comments and metadata for information leakage_\ “wikilink”)

• _\ “wikilink”)
• Perform web application fingerprinting\ “wikilink”)
• Identify technologies used
• \ “wikilink”)
• Identify application entry points_\ “wikilink”)
• Identify client-side code
• Identify multiple versions/channels (e.g. web, mobile web, mobile app)

Hosting and Platform Review

• Identify co-hosted and related applications
• Identify all hostnames and ports
• Identify third-party hosted content

Configuration Management

• Check for commonly used application and administrative URLs
• _\ “wikilink”)
• Check HTTP methods supported and Cross Site Tracing (XST)_\ “wikilink”)
• _\ “wikilink”)
• Test RIA cross domain policy_\ “wikilink”)
• Test for (e.g. CSP, X-Frame-Options, HSTS)
• Test for policies (e.g. Flash, Silverlight, robots)
• Check for sensitive data in client-side code (e.g. API keys, credentials)

Secure Transmission

Protocols and Encryption

• _\ “wikilink”)
• Check for digital certificate validity (duration, signature, and CN)
• Check that credentials are only delivered over HTTPS
• Check that the login form is delivered over HTTPS
• Check that session tokens are only delivered over HTTPS
• Check if HTTP Strict Transport Security (HSTS) in use_\ “wikilink”)
• _\ “wikilink”)
• Test web messaging (HTML5)\ “wikilink”)
• \ “wikilink”)

Web Services and REST

• Test for web service issues

Application Password Functionality

• \ “wikilink”)
• Test remember me functionality
• Test password reset and/or recovery
• Test password change process
• Test CAPTCHA
• Test multi-factor authentication
• Test for logout functionality presence
• Test for default logins
• Test for out-of-channel notification of account lockouts and successful password changes
• Test for consistent authentication across applications with shared authentication schema/SSO and alternative channels
• Test for weak security question/answer

Additional Authentication Functionality

• Test for user enumeration_\ “wikilink”)
• _\ “wikilink”)
• Test for brute force protection_\ “wikilink”)
• \ “wikilink”)
• Test for cache management on HTTP (eg Pragma, Expires, Max-age)
• Test for user-accessible authentication history

Session Management

• Establish how session management is handled in the application (eg, tokens in cookies, token in URL)
• \ “wikilink”)
• Check session cookie scope (path and domain)\ “wikilink”)
• Check session cookie duration (expires and max-age)
• \ “wikilink”)
• Check session termination after relative timeout\ “wikilink”)
• \ “wikilink”)
• Test to see if users can have multiple simultaneous sessions
• Test session cookies for randomness#SessionID_Predictability_and_Randomness\ “wikilink”)
• Confirm that new session tokens are issued on login, role change, and logout
• Test for consistent session management across applications with shared session management
• Test for session puzzling
• Test for CSRF and clickjacking

Authorization

• Test for path traversal\ “wikilink”)
• \ “wikilink”)
• Test for horizontal access control problems (between two users at the same privilege level)
• Test for missing authorization\ “wikilink”)
• \ “wikilink”)

Cryptography

• \ “wikilink”)
• Check for wrong algorithms usage depending on context
• Check for weak algorithms usage\ “wikilink”)
• Check for randomness functions

• Test for HTML Injection
• \ “wikilink”)
• Test for LDAP Injection
• Test for ORM Injection\ “wikilink”)
• \ “wikilink”)
• Test for XXE Injection
• Test for SSI Injection\ “wikilink”)
• \ “wikilink”)
• Test for XQuery Injection
• Test for IMAP/SMTP Injection\ “wikilink”)
• \ “wikilink”)
• Test for Expression Language Injection
• Test for Command Injection\ “wikilink”)

Other

• \ “wikilink”)
• Test for Stored Cross Site Scripting\ “wikilink”)
• \ “wikilink”)
• Test for Cross Site Flashing
• Test for Overflow (Stack, and Integer)
• Test for Format String
• Test for incubated vulnerabilities
• \ “wikilink”)
• Test for HTTP Verb Tampering
• Test for Open Redirection
• Test for Remote File Inclusion
• Compare client-side and server-side validation rules
• Test for HTTP parameter pollution
• Test for auto-binding
• Test for Mass Assignment
• Test for NULL/Invalid Session Cookie
• _\ “wikilink”)
• Test for the Circumvention of Work Flows_\ “wikilink”)
• _\ “wikilink”)
• Test That a Function or Feature Cannot Be Used Outside Of Limits_\ “wikilink”)
• _\ “wikilink”)
• Test for Web Storage SQL injection (HTML5)\ “wikilink”)

Denial of Service

• Test for anti-automation
• \ “wikilink”)
• Test for HTTP protocol DoS
• Test for SQL wildcard DoS

Specific Risky Functionality

File Uploads

• \ “wikilink”)
• Test that file size limits, upload frequency and total file counts are defined and are enforced
• Test that file contents match the defined file type
• Test that all file uploads have anti-virus scanning in place\ “wikilink”)
• _\ “wikilink”)
• Test that unsafe filenames are sanitized
• Test that uploaded files are not directly accessible within the web root
• Test that uploaded files are not served on the same hostname/port
• Test that files and other media are integrated with the authentication and authorization schemas

Payments

• Test for known vulnerabilities and configuration issues on Web Server and Web Application
• Test for default or guessable password
• Test for Injection vulnerabilities
• _\ “wikilink”)
• Test for Insecure Cryptographic Storage
• Test for Improper Error Handling
• Test for all vulnerabilities with a CVSS v2 score > 4.0
• Test for Authentication and Authorization issues
• \ “wikilink”)

Error Handling

• \ “wikilink”)
• Check for Stack Traces\ “wikilink”)

Other Formats

• DradisPro template format on github
• Asana template on (thanks to Bastien Siebman)

Authors and contributors

Rory McCune
Colin Watson
Simone Onofri

All above are authors of the Testing Guide v3

Related articles

• OWASP Testing Guide
• Mozilla

Other Cheatsheets

Category:OWASP_Breakers