Principal steps for web application security testing

Share this…

Each security analysis of a web application must include the steps recommended by computer security experts. The vulnerability analysis tools developed by the International Institute of Cyber Security follow the following phases.


For information gathering information security experts recommend.

  • Manually browse the site
  • Spider / crawl for lost or hidden content
  • Look for files that expose content
  • Check the caches of the main search engines for public access sites
  • Check the differences in content according to the user agent (eg, Mobile sites, access as a search engine crawler)
  • Make a web application fingerprint
  • Identify the technologies used
  • Identify user roles
  • Identify the entry points of the application
  • Identify the client-side code
  • Identify multiple versions / channels (for example, web, mobile web, mobile application, web services)
  • Identify co-hosted and related applications
  • Identify all host names and ports
  • Identify content hosted by third parties

In terms of configuration management

  • Verify commonly used administrative and application URLs
  • Verify old, backup and non-referenced files
  • Check compatible HTTP methods and Cross Site Tracing (XST)
  • Test test file extensions
  • Test of security HTTP headers (for example, CSP, X-Frame-Options, HSTS)
  • Test policies (for example, Flash, Silverlight, robots)
  • Proof of no production data in the live environment, and vice versa
  • Check for confidential data in the client-side code (for example, API keys, credentials)

Secure transmission

  • Check SSL Version, Algorithms, Key length
  • Verify the validity of the digital certificate (duration, signature and CN)
  • Verify credentials only delivered through HTTPS
  • Check that the login form is delivered through HTTPS
  • Check session tokens only delivered through HTTPS
  • Verify if HTTP Strict Transport Security (HSTS) is in use

For the authentication

  • Test for user enumeration
  • Authentication bypass test
  • Brute force protection test
  • Test password quality rules
  • Try to remind me of the functionality
  • Autocomplete test in forms / password entry
  • Test reset and / or password recovery
  • Test password change process
  • CAPTCHA test
  • Multi-factor authentication test
  • Proof of presence of session closing functionality
  • HTTP cache management test (for example, Pragma, Expires, maximum age)
  • Testing default logins
  • Authentication history test accessible to the user
  • Test notification outside the channel of account locks and successful password changes
  • Authentication test consisting of all applications with shared authentication scheme / SSO

For the session management

  • Set how the session is managed in the application (eg, Tokens in cookies, token in URL)
  • Check session tokens for cookie flags (httpOnly and secure)
  • Check the scope of the cookie of the session (route and domain)
  • Check the duration of the cookie session (expires and max-age)
  • Verify the termination of the session after a maximum service life
  • Check the end of the session after the relative wait time
  • Check the end of the session after the end of session
  • Test to see if users can have multiple simultaneous sessions
  • Test session cookies by randomness
  • Confirm that new session tokens are issued at login, change of function, and logout
  • Session management test consistent in all applications with shared session management
  • Test to disconcert the session
  • CSRF and clickjacking test

In the authorization

  • Transverse travel test
  • Test to bypass the authorization scheme
  • Test of vertical problems of access control (a.k.a. Privilege Escalation)
  • Test of horizontal access control problems (between two users at the same privilege level)
  • Proof of lack of authorization

In terms of Data validation, the information security professionals suggest:

  • Cross-site scripting test mirrored
  • Test for cross-stored site scripts
  • Test of DOM-based scripts.
  • Cross-site flicker test
  • HTML Injection Test
  • SQL Injection Test
  • LDAP Injection Test
  • Test for injection of ORM
  • XML Injection Test
  • Injection test XXE
  • SSI Injection Test
  • XPath Injection Test
  • Test for XQuery Injection
  • Test for IMAP / SMTP injection
  • Code Injection Test
  • Expression language injection test
  • Command Injection Test
  • Overflow test (stack, heap and integer)
  • Format string test
  • Test of incubated vulnerabilities
  • HTTP Splitting / Smuggling test
  • HTTP verb manipulation test
  • Open redirection test
  • Test for the inclusion of local files
  • Remote file inclusion test
  • Compare the validation rules on the client side and on the server side
  • Test for NoSQL injection
  • Pollution test by HTTP parameter
  • Self-binding test
  • Mass assignment test
  • NULL test / invalid session cookie

Denial of service

  • Anti-automation test
  • Test for account blocking
  • Test for the HTTP DoS protocol
  • SQL wildcard DoS test

Business logic

  • Proof of incorrect use of features
  • Test for lack of non-repudiation
  • Test of trust relationships
  • Data integrity test
  • Proof of segregation of tasks

For the cryptography

  • Check if the data that must be encrypted is not
  • Check the use of incorrect algorithms according to the context
  • Verify the use of weak algorithms
  • Verify the proper use of salting
  • Verify random functions

Risky functionality: uploading files

  • Prove that acceptable file types are included in the whitelist
  • Test that file size limits, load frequency, and total file count are defined and met
  • Test that the content of the file matches the type of file defined
  • Test that all file uploads have an in-place antivirus scan.
  • Test that insecure file names are disinfected
  • Proof that the uploaded files are not directly accessible from the web root
  • Proof that the uploaded files are not served in the same host / port name
  • Test that files and other media are integrated with authentication and authorization schemes

Risky functionality – Card payment

  • Test for known vulnerabilities and configuration problems in the web server and the web application
  • Default or guessable password test
  • Proof of no production data in the live environment, and vice versa
  • Injection vulnerability testing
  • Buffer overflow test
  • Unsafe cryptographic storage test
  • Proof of insufficient protection of the transport layer
  • Incorrect error handling test
  • Test all vulnerabilities with a CVSS score v2> 4.0
  • Test authentication and authorization issues
  • Test for CSRF

For HTML 5

  • Web messaging test
  • Test for SQL injection of web storage
  • Check the implementation of CORS
  • Check web application offline