- Web Application Security Testing Methodologies
- Web Application Hacker's Handbook Testing Checklist
- Web Application Hacker's Handbook Chapter 20 Methodology
- The OWASP Testing Checklist
- Suites and Frameworks
- Standalone Scanning Tools
- Vulnerable Test Websites
- Utilities
- Browser Extensions
- Additional Resources
Security assessments in general, and certainly web security assessments, are nearly as much art as science, so everyone has their own favorite method. Below are a few of the main methodologies that are out there.
- Web Application Hacker's Handbook Testing Checklist
- Web Application Hacker's Handbook Chapter 20 Methodology
- The OWASP Testing Checklist
| WAHH Checklist | WAHH Chap. 20 | OWASP Checklist |
|
|
|
[ **Reproduced with permission from authors; copyright Dafydd Stuttard and Marcus Pinto ]
- Recon and Analysis
- Map visible content
- Discover hidden and default content
- Test for debug parameters
- Identify the technologies used
- Map the attack surface
- Test Handling of Access
- Authentication
- Test password quality rules
- Test for username enumeration
- Test resilience to password guessing
- Test any account recovery function
- Test any "remember me" function
- Test any impersonation function
- Test username uniqueness
- Check for unsafe distribution of credentials
- Test for fail-open conditions
- Test any multi-stage mechanisms
- Session Handling
- Test tokens for meaning
- Test tokens for predictability
- Check for insecure transmission of tokens
- Check for disclosure of tokens in logs
- Check mapping of tokens to sessions
- Check session termination
- Check for session fixation
- Check for cross-site request forgery
- Test for fail-open conditions
- Check cookie scope
- Access Controls
- Understand the access control requirements
- Test effectiveness of controls, using multiple accounts if possible
- Test for insecure access control methods (request parameters, Referer header, etc)
- Test the Handling of Input
- Fuzz all request parameters
- Test for SQL injection
- Identify all reflected data
- Test for reflected XSS
- Test for HTTP header injection
- Test for arbitrary redirection
- Test for stored attacks
- Test for OS command injection
- Test for path traversal
- Test for script injection
- Test for file inclusion
- Test for SMTP injection
- Test for native software flaws (buffer overflow, integer bugs, format strings)
- Test for SOAP injection
- Test for LDAP injection
- Test for XPath injection
- Test Application Logic
- Identify the logic attack surface
- Test transmission of data by the client
- Test for reliance on client-side input validation
- Test any thick-client components (Java, ActiveX, Flash)
- Test multi-stage processes for logic flaws
- Test handling of incomplete input
- Test trust boundaries
- Test transaction logic
- Assess Application Hosting
- Test segregation in shared infrastructures
- Test segregation between ASP-hosted applications
- Test for web server vulnerabilities
- Default credentials
- Default content
- Proxy functionality
- Virtual hosting mis-configuration
- Bugs in web server software
- Miscellaneous Tests
- Check for DOM-based attacks
- Check for frame injection
- Check for local privacy vulnerabilities
- Persistent cookies
- Caching
- Sensitive data in URL parameters
- Forms with autocomplete enabled
- Follow up any information leakage
- Check for weak SSL ciphers
[ **Reproduced with permission from authors; copyright Dafydd Stuttard and Marcus Pinto ]
Notice that this methodology is quite different from the checklist provided above. Also keep in mind that the book itself provides additional detailed steps in each of the sections listed. This is meant to help one compare methodology approaches, not to provide the actual content.
- Map the Application's Content
- Explore Visible Content
- Consult Public Resources
- Discover Hidden Content
- Discover Default Content
- Enumerate Identifier-Specified Functions
- Test for Debug Parameters
- Analyze the Application
- Identify Functionality
- Identify Data Entry Points
- Identify the Technologies Used
- Map the Attack Surface
- Test Client-side Controls
- Test Transmission of Data via the Client
- Test Client-side Control Over User Input
- Test Thick-client Components
- Test the Authentication Mechanism
- Understand the Mechanism
- Test Password Quality
- Test for Username Enumeration
- Test Resilience to Password Guessing
- Test Any Account Recovery Function
- Test Any Remember Me Function
- Test Any Impersonation Function
- Test Username Uniqueness
- Test Predictability of Auto-Generated Credentials
- Check for Unsafe Transmission of Credentials
- Test for Logic Flaws
- Exploit Any Vulnerabilities to Gain Unauthorized Access
- Test the Session Management Mechanism
- Understand the Mechanism
- Test Tokens for Meaning
- Test Tokens for Predictability
- Check for Insecure Transmission of Tokens
- Check for Disclosure of Tokens in Logs
- Check Mapping of Tokens to Sessions
- Test Session Termination
- Check for Session Fixation
- Check for XSRF
- Check Cookie Scope
- Test Access Controls
- Understand the Access Control Requirements
- Testing with Multiple Accounts
- Testing with Limited Access
- Test for Insecure Access Control Methods
- Test for Input-Based Vulnerabilities
- Fuzz All Request Parameters
- Test for SQL Injection
- Test for XSS and Other Response Injection
- Test for OS Command Injection
- Test for Path Traversal
- Test for Script Injection
- Test for File Inclusion
- Test for Function-Specific Input Vulnerabilities
- Test for SMTP Injection
- Test for Native Software Vulnerabilities
- Test for SOAP Injection
- Test for LDAP Injection
- Test for XPath Injection
- Test for Script Injection
- Test for File Inclusion
- Test for Logic Flaws
- Identify the Key Attack Surface
- Test Multistage Processes
- Test Handling of Incomplete Input
- Test Trust Boundaries
- Test Transaction Logic
- Test for Shared Hosting Vulnerabilities
- Test Segregation in Shared Infrastructures
- Test Segregation between ASP-Hosted Applications
- Test for Web Server Vulnerabilities
- Test for Default Credentials
- Test for Default Content
- Test for Dangerous HTTP Methods
- Test for Proxy Functionality
- Test for Virtual Hosting Misconfiguration
- Test for Web Server Software Bugs
- Miscellaneous Checks
- Check for DOM-based Attacks
- Check for Frame Injection
- Check for Local Privacy Vulnerabilities
- Follow Up Any Information Leakage
- Check for Weak SSL Ciphers
- Information Gathering
- Spiders, Robots, and Crawlers
- Search Engine Discovery/Reconnaissance
- Identify application entry points
- Testing for Web Application Fingerprint
- Application Discovery
- Analysis of Error Codes
- Configuration Management Testing
- SSL/TLS Testing (SSL Version, Algorithms, Key length, Digital Cert. Validity)
- DB Listener Testing
- Infrastructure Configuration Management Testing
- Application Configuration Management Testing
- Testing for File Extensions Handling
- Old, backup and unreferenced files
- Infrastructure and Application Admin Interfaces
- Testing for HTTP Methods and XST
- Authentication Testing
- Credentials transport over an encrypted channel
- Testing for user enumeration
- Testing for Guessable (Dictionary) User Account
- Brute Force Testing
- Testing for bypassing authentication schema
- Testing for vulnerable remember password and pwd reset
- Testing for Logout and Browser Cache Management
- Testing for CAPTCHA
- Testing Multiple Factors Authentication
- Testing for Race Conditions
- Session Management
- Testing for Session Management Schema
- Testing for Cookies attributes
- Testing for Session Fixation
- Testing for Exposed Session Variables
- Testing for CSRF
- Authorization Testing
- Testing for Business Logic
- Business Logic Testing
- Testing for Business Logic
- Data Validation Testing
- Testing for Reflected Cross Site Scripting
- Testing for Stored Cross Site Scripting
- Testing for DOM based Cross Site Scripting
- Testing for Cross Site Flashing
- SQL Injection
- LDAP Injection
- ORM Injection
- XML Injection
- SSI Injection
- XPath Injection
- IMAP/SMTP Injection
- Code Injection
- OS Commanding
- Buffer overflow
- Incubated vulnerability
- Testing for HTTP Splitting/Smuggling
- Denial of Service Testing
- Testing for SQL Wildcard Attacks
- Locking Customer Accounts
- Testing for DoS Buffer Overflows
- User Specified Object Allocation
- User Input as a Loop Counter
- Writing User Provided Data to Disk
- Failure to Release Resources
- Storing too Much Data in Session
- Web Services Testing
- WS Information Gathering
- Testing WSDL
- XML Structural Testing
- XML content-level Testing
- HTTP GET parameters/REST Testing
- Naughty SOAP attachments
- Replay Testing
- Web Services Testing
- WS Information Gathering
- Testing WSDL
- XML Structural Testing
- XML content-level Testing
- HTTP GET parameters/REST Testing
- Naughty SOAP attachments
- Replay Testing
- Web Services Testing
- AJAX Vulnerabilities
- AJAX Testing
- Burp Suite
The premier tool for performing manual web application vulnerability assessments and penetration tests. The pro version includes a scanner, and the Intruder tool makes the offering stand out amongst its peers. - HP WebInspect
An enterprise-focused tool suite that includes a scanner, proxy, and assorted other tools. - WebScarabNG
The latest version of this famous suite from OWASP. Includes a web services module that allows you to parse WSDLs and interact with their associated functions. - IBM AppScan
IBM's enterprise-focused suite. - Acunetix
Acunetix's enterprise-focused suite. - NTOSpider
NTObjectives's enterprise-focused suite. - W3af
w3af is a Web Application Attack and Audit Framework. The project's goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and extend. - Websecurify
Websecurify is a powerful web application security testing environment designed from the ground up to provide the best combination of automatic and manual vulnerability testing technologies. - Samurai
Websecurify is a powerful web application security testing environment designed from the ground up to provide the best combination of automatic and manual vulnerability testing technologies. - Skipfish
A fully automated, active web application security reconnaissance tool written by Michal Zalewski of Google. - RAFT (Response Analysis and Further Testing Tool)
RAFT is a testing tool for the identification of vulnerabilities in web applications. RAFT is a suite of tools that utilize common shared elements to make testing and analysis easier. The tool provides visibility in to areas that other tools do not such as various client side storage. - Zed Attack Proxy (ZAP)
The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
- Nikto
Nikto is an command line Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6400 potentially dangerous files/CGIs, checks for outdated versions of over 1000 servers, and version specific problems on over 270 servers. - Wikto
Wikto is Nikto for Windows - but with a couple of fancy extra features including Fuzzy logic error code checking, a back-end miner, Google assisted directory mining and real time HTTP request/response monitoring. Wikto is coded in C# and requires the .NET framework.
- Yehg.net Charset Encoder / String Encrypter
A online, feature-rich tool for changing the encoding of input.
- Websecurify Chrome Extension
The Chrome Extension version of the Websecurify tool. Performs a scan and tells you the results summary, but there's no authentication or detailed view of findings. It's more of a quick-touch option before you run a real tool. - XSS Me
The Firefox Extension. - SQL Inject Me
The Firefox Extension.
These sites are purposely vulnerable for the purpose of testing web app security scanners. They are designed for this purpose, but I'd check to make sure it's ok before scanning them (just to be sure).
Internet-accessible- Google Gruyere
This one is from Google and you can do it both online and as a local install. - zero.webappsecurity.com (HP)
I happen to know this one is o.k. to scan. - demo.testfire.net (IBM)
- test.acunetix.com (Acunetix)
- testphp.vulnweb.com (Acunetix)
- testasp.acunetix.com (Acunetix)
- testaspnet.acunetix.com (Acunetix)
- Cenzic's Crack Me Bank
- Hacker Test
This one is not like the others; it's not a full website you'd scan, but rather more like a puzzle where you proceed through various levels. - Hax.tor
Another challenge, similar to Hacker Test.
- Broken Web Apps Project (OWASP)
This is the one you want first; it has over a dozen broken web apps to play with. - Bonsai Moth
A VMware image with a collection of broken web applications that you can use for testing web scanners and static analysis tools as well as providing an intro to webappsec. - Web Security Dojo (Maven)
Similar to OWASP's Broken Web Apps project, i.e. multiple broken web apps in one place. - Webgoat (OWASP)
This is the grand pubah of the testing sites because it includes training with it. Note that it's on the Broken Web Apps image listed above. - Damn Vulnerable Web App
- BadStore
- Hackme Bank (McAfee)
- Hackme Casino (McAfee)
- Hackme Books (McAfee)
- Hackme Shipping (McAfee)
- Hackme Travel (McAfee)
- Moth (Bonsai)
- SecuriBench (Stanford)
- Vicnum (ipsaplus)
- Google Gruyere
This one is from Google and you can do it both online and as a local install.
http://danielmiessler.com/projects/webappsec_testing_resources/
