App Security Testing Cheat Sheet

Hi,

I thought to prepare a brief cheat sheet for Application Security Testing.

Please have a look and drop in your views. In case you wish to use it for your testing, please drop me a mail at dharmeshmm at gmail dot com to notify me about it.

Authentication Checks

1. Login and Change Password pages on SSL?
2. All sensitive pages (accepting SSN, Credit Card) over SSL?
3. Strong Password Policy? (Joe Accounts/Blank Passwords/Max Password Age/Min Password Age, etc)
4. Is Forgot Password page secure?
5. Password Change forced on 1st login?
6. Re-authenticate before moving to sensitive pages (Edit Account Info?)
7. Prompts old password before changing password?
8. Has "Remember Me" feature? If so, how's password stored?
9. Warns before allowing "Remember Me"?
10. Has CAPTCHA to prevent password guessing?
11. Does show error msgs like "Invalid User/Invalid Password"?
12. Can auth. be by-passed for priviledged URL's?
13. Is AutoComplete set to OFF?
14. Is password re-submitted on 'Back/Refresh' of browser?
15. SQL Injection in login?

Session Management

1. Is session id random enough?
2. Session Timeout present?
3. Stored in what form? (persistent cookie/in-memory cookie)?
4. Session Id expires on request tampering?
5. Sensitive data in cookie?
6. Can you see X user's data with Y's session id?
7. Session expires at server-side on logout?
8. Can logged out user's session be re-used?
9. Is new session id generated on login?
10. Is cookie over-written on logout?

SQL Injection Checks

1. SQL Injection : '
2. SQL Injection : ' OR 1=1 --
3. SQL Injection : '; waitfor delay'00:00:05'--

XSS Checks

1. XSS Javascript
2. XSS Encoded
3. XSS Cookie
4. Is CSRF possible?

Input Validation Checks

1. Use proxy to by-pass client side validation?
2. Generate errors for information disclosure?
3. Web Page source reveals sensitive application information
4. HTTP Headers manipulation
5. Viewstate manipulation
6. GET and POST parameter manipulation

Secure Storage Checks

1. Are passwords stored in clear text?
2. Is sensitive information like Credit Card encrypted?
3. What encryption algo used? Standard or Proprietary?
4. Is connection string in clear text?
5. Any passwords hard-coded in application?

Browser Checks
1. Check browser history? Are sensitive pages cached?
2. Is data cached by search engines or desktop search engine?
3. Any hard-coded secrets in javascripts?
4. Web Page code reveals sensitive comments?

File Checks

1. Is file upload /download allowed?
2. Can files be downloaded directly from URL?
3. Can malicious files be uploaded?


Environment Checks

1. Are default apps installed?
2. Are default accounts enabled? Do they have strong passwords?
3. Is firewall deployed?
4. Is code obfuscated?
5. Can detect server details using banner grabbing?
6. Are forms bot resistant?

In case you have your views, please feel free to write here or mail me at dharmeshmm at gmail dot com

Cheers,
Dharmesh.