Application security encompasses measures taken throughout the application's life-cycle to prevent exceptions in the security policy of an application or the underlying system (vulnerabilities) through flaws in the design, development, deployment, upgrade, or maintenance of the application.

Tuesday, May 31, 2011

20 Tips For Performing Manual Security Testing

  1. Fingerprint the web server and find out which HTTP methods it accepts (PUT, DELETE and TRACE are open in the default configuration).
  2. Test for default pages (robots.txt, admin console pages, the web server's default pages).
  3. Session-related vulnerabilities: are the session attributes set properly?
  4. Session replay and simultaneous logins.
  5. Is the session timeout properly implemented?
  6. Session fixation: does the session ID change after a successful login?
  7. Session randomness: is the session ID generated by the framework or created manually?
  8. Cookie values: is any critical information stored in the cookie? Are the cookies persistent or non-persistent?
  9. Are the user name and password transmitted in clear text? (If they are encrypted, how strong is the encryption? If the application runs over HTTPS there is no need to check.)
  10. HTTPS runs on port 443, but developers sometimes forget to close port 80, so the same application may also be accessible over port 80.
  11. If HTTPS is enabled, check whether any critical data is passed through the URL (it can be shoulder-surfed, so this is not recommended).
  12. How is cache control implemented? (Has the browser cached any page containing critical information?)
  13. Forced browsing: type the full URL of a page directly into the browser without logging in, or the URL of a higher-privileged page.
  14. Privilege escalation by modifying parameter values.
  15. Broken links.
  16. Has the account lockout policy been properly implemented?
  17. Has the password policy been properly implemented?
  18. If a CAPTCHA is implemented, test whether it is properly validated (otherwise database flooding is possible; it is recommended to implement a CAPTCHA on the create-user page).
  19. For .NET applications, check whether the ViewState is encrypted.
  20. Check the SSL strength supported by the server (in the default configuration the SSL server sometimes supports 40-bit, 56-bit and 60-bit encryption; according to OWASP these are weak ciphers, so check for them).
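Several of the session and cache checks above (tips 3, 6, 8 and 12) can be verified from a pre-login and a post-login response alone. The script below is an added example, not code from the original post: it parses raw response headers, flags cookies missing Secure/HttpOnly or marked persistent, flags responses not marked no-store, and reports when the session cookie keeps the same value across login. The cookie name JSESSIONID and the two sample responses are assumptions constructed for the example.

```python
def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Turn a raw response (status line + headers) into lower-cased (name, value) pairs."""
    pairs = []
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def cookies(raw: str) -> dict[str, tuple[str, set[str]]]:
    """Map each Set-Cookie name to (value, lower-cased attribute names)."""
    out = {}
    for hname, hvalue in parse_headers(raw):
        if hname == "set-cookie":
            parts = [p.strip() for p in hvalue.split(";")]
            name, _, value = parts[0].partition("=")
            out[name] = (value, {p.partition("=")[0].lower() for p in parts[1:]})
    return out

def audit_response(raw: str) -> list[tuple[str, str]]:
    """Flag cookie attribute gaps (tips 3 and 8) and a missing no-store directive (tip 12)."""
    findings = []
    for name, (_, attrs) in cookies(raw).items():
        if "secure" not in attrs:
            findings.append(("cookie-secure", f"{name} can be sent over plain HTTP"))
        if "httponly" not in attrs:
            findings.append(("cookie-httponly", f"{name} is readable from script"))
        if attrs & {"expires", "max-age"}:
            findings.append(("cookie-persistent", f"{name} survives browser close"))
    directives = {d.strip().lower() for h, v in parse_headers(raw)
                  if h == "cache-control" for d in v.split(",")}
    if "no-store" not in directives:
        findings.append(("cache-control", "response may be cached by the browser"))
    return findings

def audit_login(pre_raw: str, post_raw: str, cookie: str = "JSESSIONID") -> list[tuple[str, str]]:
    """Audit the post-login response and add the session fixation check (tip 6)."""
    findings = audit_response(post_raw)
    before, after = cookies(pre_raw).get(cookie), cookies(post_raw).get(cookie)
    if before and after and before[0] == after[0]:
        findings.append(("session-fixation", f"{cookie} value not rotated after login"))
    return findings

# Constructed sample responses (not captured from any real site); the cookie name is assumed.
PRE_LOGIN = "HTTP/1.1 200 OK\r\nSet-Cookie: JSESSIONID=abc123; Path=/\r\nCache-Control: private\r\n"
POST_LOGIN = ("HTTP/1.1 200 OK\r\nSet-Cookie: JSESSIONID=abc123; Path=/; Max-Age=31536000\r\n"
              "Cache-Control: no-cache\r\n")
```

Calling `audit_login(PRE_LOGIN, POST_LOGIN)` on the constructed pair reports all five weaknesses; a response that sets Secure, HttpOnly and no-store and rotates the cookie reports none.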
