[OWASP-TESTING] Web App Pen Testing Checklist

Glyn Geoghegan glyng at moiler.com
Wed Mar 10 18:43:37 EST 2004

We currently use a rough 'crib sheet' of questions at Corsaire, relating to
Authentication and Authorisation, Session Management, Input & Output
Validation and presentation issues.  Some of the questions relate to the way
the site operates (e.g. how are users registered, what session tokens are
there and how are they issued) and others relate to the security concerns
(e.g. is there an account lockout, are 'secure' tags used on cookies, are
session IDs provably random).

That's the kind of approach I was taking in the session management testing
chapter I produced.  The categories below map to the sections & questions in
that draft chapter.  The login one isn't written yet.

The test categories in use on the current draft are as follows:

- Authentication and Authorisation

Login Credentials
Test login credential issuance and administration

Test users of different privilege

Test the processes for login, logout, lockout etc.

Password Quality
Review the strength of permitted passwords

Password Privacy 
Test how passwords are stored, handled and passed within the application
(e.g. use of encryption, back-end password storage)

Password Recovery
Test the recovery procedure

Determine where re-authentication is used (e.g. on password change) and if
the method is secure.

- Session management

Session ID Analysis
Observe the Session IDs and determine the format, type and test for any
information leakage (e.g. encoded user data)

Which COTS session management (if any) are in use?

How are session IDs created, e.g. are they random or static, are user
details used in their creation?

Test the generation and issuance of Session IDs (e.g. when and how)

Test the effectiveness of session revocation and its use from client and
server perspectives

Determine and test the security of Session IDs in transit (e.g. encryption,
secure tags, caching)

Test issues related to how Session IDs are stored and tracked, such as multiple
user sessions and the server-side resources used to track and control them.

Test the impact of portability and hi-jack

Test expiration times and mechanisms for reasonableness and effectiveness.

Glyn Geoghegan

> -----Original Message-----
> From: owasp-testing-admin at lists.sourceforge.net 
> [mailto:owasp-testing-admin at lists.sourceforge.net] On Behalf 
> Of Mark Curphey
> Sent: 10 March 2004 09:31
> To: owasp-testing at lists.sourceforge.net
> Subject: [OWASP-TESTING] Web App Pen Testing Checklist
> I am working in the draft but I was approached by two big 
> banks today who both asked me if OWASP would develop the same thing. 
> They basically want a checklist of things that should be 
> tested for in a web app pen test so that they can use it to 
> request services and get consistency as well as compare 
> internal tests. 
> I think this is something we as a testing group can turn 
> around really quick and release without too much of a 
> problem. What do you think ? Anyone got a starting template ?
> An example would be
> Session Management
> Test Mechanism
> Test Time Out Value
> Test Entropy of Tokens
> Test Tokens sent over SSL
> Test .......
> _______________________________________________
> owasp-testing mailing list
> owasp-testing at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/owasp-testing
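As an added example (not code from the original post, nor from the OWASP testing project), the script below automates three of the crib-sheet questions from the session management list above: are 'secure' tags used on cookies, does the Session ID leak encoded user data, and are IDs random rather than static or sequential. It runs over a sample of Set-Cookie headers as a tester would collect them from repeated logins to the same account. All captures are constructed; the cookie names (sid, PHPSESSID) and token values are illustrative only.

```python
"""Session-ID crib-sheet checks over captured Set-Cookie headers.

Added example; not code from the original post or from the OWASP testing
project. All captures below are constructed, and the cookie names (sid,
PHPSESSID) and token values are illustrative only.
"""
import base64
import binascii
import math
import string
from collections import Counter

# Constructed captures: one Set-Cookie header per successive login to the
# same account, for three hypothetical sites.
SITE_A = [  # token is base64 of the user record, reissued unchanged, no flags
    "sid=dXNlcj1hbGljZTtyb2xlPWFkbWlu; Path=/",
    "sid=dXNlcj1hbGljZTtyb2xlPWFkbWlu; Path=/",
    "sid=dXNlcj1hbGljZTtyb2xlPWFkbWlu; Path=/",
]
SITE_B = [  # sequential numeric IDs, HttpOnly set but no Secure
    "PHPSESSID=10001; Path=/; HttpOnly",
    "PHPSESSID=10002; Path=/; HttpOnly",
    "PHPSESSID=10003; Path=/; HttpOnly",
    "PHPSESSID=10004; Path=/; HttpOnly",
]
SITE_C = [  # 128-bit hex tokens with the transit flags set
    "sid=9c4f1e7a2b8d03e6f5a1c7d94b2e6f08; Path=/; Secure; HttpOnly; SameSite=Strict",
    "sid=31a8d5e2f7c40b96de1a3f5c8b27e4d1; Path=/; Secure; HttpOnly; SameSite=Strict",
    "sid=7e02b9c4d6f1a583c9e47b1d2f6a0e35; Path=/; Secure; HttpOnly; SameSite=Strict",
    "sid=4d6a1f93e8b2c075a3f9d1e6b4c28f7a; Path=/; Secure; HttpOnly; SameSite=Strict",
]
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value or True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def transit_flags(header):
    """'Secure tags' check: is the cookie HTTPS-only and hidden from script?"""
    _, _, attrs = parse_set_cookie(header)
    return {"secure": "secure" in attrs, "httponly": "httponly" in attrs}


def decode_embedded(token):
    """Information-leakage check: does the token hex- or base64-decode to
    readable text (e.g. an encoded user record)? Returns the text or None."""
    candidates = []
    try:
        candidates.append(bytes.fromhex(token))
    except ValueError:
        pass
    padded = token + "=" * (-len(token) % 4)
    try:
        candidates.append(base64.b64decode(padded, validate=True))
    except (binascii.Error, ValueError):
        pass
    for raw in candidates:
        text = raw.decode("ascii", errors="replace")
        if raw and all(ch in PRINTABLE for ch in text):
            return text
    return None


def shannon_entropy(values):
    """Entropy in bits of the observed distribution over `values`."""
    counts, n = Counter(values), len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def randomness_report(tokens):
    """Per-position entropy across the sample. Static positions mean a fixed
    or structured prefix; a constant arithmetic step means sequential IDs.
    A handful of samples only catches gross failures: 'provably random' needs
    thousands of tokens and proper statistical tests, not this heuristic."""
    width = min(len(t) for t in tokens)
    per_pos = [shannon_entropy([t[i] for t in tokens]) for i in range(width)]
    step = None
    if all(t.isdigit() for t in tokens):
        diffs = {int(b) - int(a) for a, b in zip(tokens, tokens[1:])}
        step = diffs.pop() if len(diffs) == 1 else None
    return {"length": width,
            "static_positions": sum(1 for h in per_pos if h == 0.0),
            "mean_bits_per_char": sum(per_pos) / width,
            "arithmetic_step": step}


def assess(headers):
    """Run the crib-sheet checks over one site's captures; returns (findings, report)."""
    parsed = [parse_set_cookie(h) for h in headers]
    name, tokens = parsed[0][0], [v for _, v, _ in parsed]
    findings = []
    flags = transit_flags(headers[0])
    if not flags["secure"]:
        findings.append(f"{name}: no Secure attribute, token can be sent over plain HTTP")
    if not flags["httponly"]:
        findings.append(f"{name}: no HttpOnly attribute, token readable by script")
    leaked = decode_embedded(tokens[0])
    if leaked:
        findings.append(f"{name}: token decodes to user data: {leaked!r}")
    if len(set(tokens)) < len(tokens):
        findings.append(f"{name}: same token reissued across logins (static ID)")
    report = randomness_report(tokens)
    if report["arithmetic_step"] is not None:
        findings.append(f"{name}: IDs increase by {report['arithmetic_step']} per login (predictable)")
    return findings, report


if __name__ == "__main__":
    for label, site in (("A", SITE_A), ("B", SITE_B), ("C", SITE_C)):
        findings, report = assess(site)
        print(f"site {label}: {report}")
        for f in findings:
            print("  -", f)
```

The numeric-step and per-position checks deliberately work on a tiny sample, which is what you have after a few manual logins; they will flag an encoded user record or a counter, but a token that passes them has only cleared the cheap tests. Confirming real entropy means collecting a large sample and running a proper statistical suite, and the lockout/expiry questions above still have to be exercised by hand against the live application.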
