Web Application Security Checklist

OWASP Top 10

Injection
Cross Site Scripting (XSS)
Broken Auth and Session Mgmt
- OWASP: Top ten A3
- OWASP: Auth Cheat Sheet
Insecure Object Refs
- OWASP: Top ten A4
Cross Site Request Forgery (CSRF)
- OWASP: Top ten A5
- Wikipedia: CSRF
Security Misconfiguration
- OWASP: Top ten A6
Insecure Crypto Storage
- OWASP: Top ten A7
Failure to Restrict URL Access
- OWASP: Top ten A8
Insufficient Transport Layer Protection
- OWASP: Top ten A9
Unvalidated Redirects and Forwards
- OWASP: Top ten A10

Misc

Session Fixation
- OWASP: Session Fixation
Clickjacking
- OWASP: Clickjacking
- Youtube: Clickjacking DEMO
Load Testing Tools
- Grinder
- JMeter
- Tsung

Hacker's Methodology

Map the Application's Content
- Explore Visible Content
- Consult Public Recources
- Discover hidden Content
- Discover Default Content
- Enumerate Identifier-Specified Functions
- Test for Debug Parameters
Analyze the Application
- Identify Functionality
- Identify Data Entry Points
- Identify the Technologies Used
- Map the Attack Surface
Test Client-Side Controls
- Test Transmission of Data Via the Client
- Test Client-Side Controls Over User Input
- Test Browser Extension Components
Test the Authentication Mechanism
- Understand the Mechanism
- Test Password Quality
- Test for Username Enimertion
- Test Resilienve to Password Guessing
- Test Any Account Recovery Function
- Test Any Remember Me Function
- Test Any Impersonation Function
- Test Username Uniqueness
- Test Predictability of Autogenerated Credentials
- Check for Unsafe Transmission of Credentials
- Check for Unsafe Distribution of Credentials
- Test for Insecure Storage
- Test for Logic Flaws
- Exploit Any Vulnerabilities to Gain Unauthorized Access
Test the Session Management Mechanism
- Understand the Mechanism
- Test Tokens for Meaning
- Test Tokens for Predictability
- Check for Insecure Transmission of Tokens
- Check for Disclosure of Tokens in Logs
- Check Mapping of Tokens to Sessions
- Test Session Termination
- Test for Session Fixation
- Check for CSRF
- Check Cookie Scope
Test Access Control
- Understand the Access Control Requirements
- Test with Multiple Accounts
- Test with Limited Access
- Test for Insecure Access Control Methods
Test for Input-Based Vulnerabilities
- Fuzz All Request Parameters
- Test for SQL Injection
- Test for XSS and Other Response Injection
- Test for Path Traversal
- Test for Script Injection
- Test for File Inclusion
Test for Function-Specific Input Vulnerabilities
- Test for SMTP injection
- Test for Native Software Vulnerabilities
- Test for SOAP Injection
- Test for LDAP Injection
- Test for XPath Injection
- Test for Back-End Request Injection
- Test for XXE Injection
Test for Logic Flaws
- Identify the Key Attack Surface
- Test Multistage Processes
- Test Handling of Incomplete Input
- Test Trust Boundaries
- Test Transaction Logic
Test for Shared Hosting Vulnerabilities
- Test Segregation in Shared Infrastructure
- Test Segregation Between ASP-Hosted Applications
Test for Application Server Vulnerabilities
- Test for Default Credentials
- Test for Default Content
- Test for Dangerous HTTP Methods
- Test for Proxy Functionality
- Test for Virtual Hosting Misconfiguration
- Test for Web Server Software Bugs
- Test for Web Application Firewalling
Miscellaneous Checks
- Check for DOM-Based Attacks
- Check for Local Privacy Vulnerabilities
- Check for Weak SSL Chiphers
- Check for Same-Origin Policy Configuration
Follow Up Any Information Leakage

Resources

Top ten web hacking techniques of 2012
OWASP ZAP (proxy)
Burp Suite (proxy)
Crowbar/J-baah
Nikto
Nmap
Metasploit

Web application checklist by

Geir Harald Hansen g.h.hansen@usit.uio.no and Asbjørn Reglund Thorsen a.r.thorsen@usit.uio.no (@fuzzerman)