/README.md:

# OWASP-Testing-Guide
Summation of the OWASP Testing Guide for reference.

Complete guide found here: https://www.owasp.org/images/1/19/OTGv4.pdf

This is a generic list of things to check for; it is completely dynamic and will change for each web application you assess. It is good to have a basic guide to build from and to make sure you don't miss anything.

/Reference_Guide.md:

# Security Assessment Cheat Sheet

*Not exactly to be used as a check list, just a rough guide.*

*Character string to try in inputs (watch where each character is reflected back or triggers an error): `< ! # = / . " - >`*

## Passive:
- [ ] Click through the entire website. Get a feel for the cookies, URLs and areas that require authorization.
- [ ] Identify the web server type.
- [ ] Check robots.txt
- [ ] Check comments in the source of all pages
- [ ] Identify all parameters. Document which are sent via GET and which via POST.
- [ ] Identify where cookies are set, modified or added to.
- [ ] Identify where redirects and 4xx/5xx responses are returned during normal operation.
- [ ] Note any strange headers.
- [ ] Use a spider and look for paths to important functions.
- [ ] Fingerprint the application framework
  * Look at the X-Powered-By header, cookie names, or source code, or ask the developer.
  * Run whatweb
  * Run dirb (note that directory brute forcing is active: it sends a lot of requests)
- [ ] Map the application architecture
- [ ] Review logs from Splunk, access.log etc.

## Active:
- [ ] Append .old or .bak to known file names and request them (backup copies often expose source).
- [ ] Run Nikto
- [ ] If possible, ask for file system access to view the directories of the web server
  * If not possible, run word lists against the web server with extensions like .jsp, .aspx etc., and then again with .bak, .txt, .old etc. appended to the end of those
- [ ] Check for directory listing (dirb should note this)
- [ ] Test HTTP methods: send OPTIONS, then try arbitrary method names (PUT, TRACE, made-up verbs) against protected pages to see whether the authentication check only covers GET and POST
- [ ] Verify HSTS (HTTP Strict Transport Security)
  * Look for the Strict-Transport-Security header, with a max-age of at least a year and includeSubDomains
- [ ] Check crossdomain.xml and clientaccesspolicy.xml for overly permissive rules (e.g. allow-access-from domain="*").
- [ ] Request or build a user roles vs permissions matrix
- [ ] Check user registration for alignment with business policies.
  * Can users register for different roles?
  * Can the same user register multiple times?
  * Can user info be manipulated on creation?
- [ ] Verify that only admins can provision accounts.
  * Test for indirect routes to provisioning (hidden endpoints, direct object references) as well.
- [ ] Check the messages returned on failed logins: can an attacker enumerate usernames?
- [ ] Enumeration may also be possible by URI probing
- [ ] Enumeration may also be possible through the forgot-password function
- [ ] Test for default credentials.
- [ ] Check for account lockout mechanisms
- [ ] Compare the site map without authentication against the authenticated one. See if any internal pages are reachable through forced browsing.
  * Replay adduser requests etc. as a non-authenticated user and as a low-privilege user, and verify whether or not the new user was created.
  * Check for privilege escalation this way as well.
- [ ] Check session cookie randomness.
- [ ] If any pages have sensitive information, check for a no-cache directive (Cache-Control: no-store, no-cache and Pragma: no-cache)
- [ ] Check the password policy
- [ ] Check reset password functionality.
  * Make sure it requires the previous password, or that the information it asks for is actually secret.
- [ ] Test for directory traversal in URI parameters and in cookies
  * Use Burp or dotdotpwn
- [ ] Test for session fixation. Does the cookie change upon login? Is it invalidated at logout?
- [ ] Verify no session tokens are transmitted outside of headers (not in URLs, which end up in logs and Referer headers)
- [ ] Verify session cookies carry the Secure flag, so they are not sent when a plain HTTP request is made
- [ ] Verify anti-CSRF functions are on sensitive pages.
- [ ] Check for XSS
  * Reflected
  * Stored
  * DOM
- [ ] Submit multiple URL parameters with the same name (HTTP parameter pollution) and investigate the output.
- [ ] Make a list of all parameters that feed SQL queries and test for SQL injection
- [ ] Test for LDAP injection
  * Look at the Testing Guide for an example
- [ ] Test for XML injection
- [ ] Test for SSI injection
  * In headers too, not only in parameters
- [ ] Test for XPath injection.
- [ ] Test for IMAP/SMTP injection.
- [ ] Test for code injection/command injection/LFI/RFI
- [ ] Test file upload with malicious files
- [ ] Check URL redirects (open redirect)
- [ ] Decompile .swf files and other client-side code.

**OWASP, "OWASP Testing Guide v4 Table of Contents," OWASP Testing Guide v4. [Online]. Available: https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents. [Accessed: 16-Jun-2017].**
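Several of the items above (web server and framework fingerprinting, strange headers, HSTS, no-cache on sensitive pages, Secure flag on session cookies) are decided by looking at response headers. The script below is an added example, not part of the original cheat sheet or of the OWASP guide: it parses one raw HTTP response and reports every header-level finding in a single pass. The sample response at the bottom is constructed for the demo, the one-year HSTS threshold is the value hstspreload.org requires, and the cookie-name hints used to guess which cookies are session tokens are an assumption you would tune per target.

```python
"""Audit one raw HTTP response for the header-level items on the cheat sheet:
fingerprint headers (Server, X-Powered-By), HSTS, caching of sensitive pages
and the attributes on session cookies.  Added example; the sample response
at the bottom is constructed, not captured from any real site."""
import re

FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")
# Assumed substrings that suggest a cookie carries a session or auth token.
SESSION_COOKIE_HINTS = ("sess", "sid", "auth", "token")
MIN_HSTS_MAX_AGE = 31536000  # one year, the minimum hstspreload.org accepts


def parse_response(raw):
    """Split a raw response into (status, [(header_lower, value)], body).
    Headers are kept as a list so repeated Set-Cookie lines survive."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body


def values(headers, name):
    return [v for n, v in headers if n == name]


def audit(raw, sensitive=False):
    """Return a list of finding strings; 'sensitive' marks a page whose
    content must not be cached (account details, admin views)."""
    _status, headers, _body = parse_response(raw)
    findings = []

    # Passive: headers that fingerprint the server or framework.
    for name, value in headers:
        if name in FINGERPRINT_HEADERS:
            findings.append(f"fingerprint: {name}: {value}")

    # Active: HSTS present, long-lived and covering subdomains.
    hsts = values(headers, "strict-transport-security")
    if not hsts:
        findings.append("hsts: header missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts[0], re.I)
        age = int(m.group(1)) if m else 0
        if age < MIN_HSTS_MAX_AGE:
            findings.append(f"hsts: max-age {age} too short")
        if "includesubdomains" not in hsts[0].lower():
            findings.append("hsts: includeSubDomains missing")

    # Active: sensitive pages need Cache-Control: no-store.
    if sensitive:
        cc = " ".join(values(headers, "cache-control")).lower()
        if "no-store" not in cc:
            findings.append("cache: sensitive page lacks Cache-Control: no-store")

    # Active: session cookies need Secure, HttpOnly and SameSite.
    for cookie in values(headers, "set-cookie"):
        name = cookie.split("=", 1)[0].strip()
        attrs = cookie.lower()
        if not any(h in name.lower() for h in SESSION_COOKIE_HINTS):
            continue
        for flag in ("secure", "httponly"):
            if not re.search(rf";\s*{flag}\b", attrs):
                findings.append(f"cookie {name}: missing {flag}")
        if "samesite" not in attrs:
            findings.append(f"cookie {name}: missing SameSite")
    return findings


# Constructed sample response (not a real capture).
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.2.24\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "Cache-Control: private\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/\r\n"
    "Set-Cookie: lang=en; Path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>account page</html>"
)

if __name__ == "__main__":
    for finding in audit(SAMPLE, sensitive=True):
        print(finding)
```

Feed it the raw response saved from Burp or `curl -i` for each interesting page; pass `sensitive=True` for pages that show account or admin data so the cache check applies. The `lang` cookie is deliberately ignored because it does not look like a session token.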
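The "arbitrary method names to bypass authentication" and "site map unauthenticated vs authenticated / forced browsing" items are easiest to understand against a target that actually has the bug. The following is an added example, not code from the original cheat sheet, the OWASP guide or any real application: it starts a small constructed server on loopback whose authorization check lives only in the GET and POST handlers, so every other verb (and even a made-up one) falls through to the page. `probe` is the part you would point at a real, in-scope target; `bypasses` and `forced_browsing` summarize the results the way the checklist asks for. The paths, the `role=admin` cookie and the behaviour of the server are all assumptions for the demo.

```python
"""Probe a protected path with a range of HTTP methods, with and without a
session cookie, and report which verbs slip past the authentication check.
Added example, not code from any real application: the small server below
is constructed to have the classic bug where the auth check lives only in
the GET and POST handlers, so every other verb falls through to the page."""
import http.client
import http.server
import threading

# Constructed protected pages: path -> body.
PROTECTED = {"/admin": "admin panel", "/admin/adduser": "add user form"}
ADMIN_COOKIE = "role=admin"  # assumed session cookie for the demo


class LaxHandler(http.server.BaseHTTPRequestHandler):
    def _authorised(self):
        return self.headers.get("Cookie", "") == ADMIN_COOKIE

    def _serve(self):
        body = PROTECTED.get(self.path)
        self.send_response(200 if body else 404)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write((body or "not found").encode())

    def do_GET(self):
        if self.path in PROTECTED and not self._authorised():
            self.send_response(403)
            self.end_headers()
            return
        self._serve()

    do_POST = do_GET

    # The bug: any other verb (HEAD, PUT, TRACE, even a made-up one) is
    # routed straight to _serve with no authorisation check.
    def __getattr__(self, name):
        if name.startswith("do_"):
            return self._serve
        raise AttributeError(name)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    """Start the constructed server on a free loopback port."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), LaxHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


METHODS = ("GET", "POST", "HEAD", "OPTIONS", "PUT", "DELETE", "TRACE", "FOO")


def probe(port, path, cookie=None, methods=METHODS):
    """Request 'path' with each method; return {method: status}."""
    headers = {"Cookie": cookie} if cookie else {}
    results = {}
    for method in methods:
        conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
        conn.request(method, path, headers=headers)
        resp = conn.getresponse()
        resp.read()
        results[method] = resp.status
        conn.close()
    return results


def bypasses(results):
    """Verbs that returned 200 although the unauthenticated GET was refused."""
    if results.get("GET") not in (401, 403):
        return []
    return [m for m, status in results.items() if status == 200]


def forced_browsing(port, paths):
    """Forced-browsing diff: status of a logged-out GET next to the status
    with the admin cookie, per path."""
    anon = {p: probe(port, p, methods=("GET",))["GET"] for p in paths}
    admin = {p: probe(port, p, ADMIN_COOKIE, methods=("GET",))["GET"] for p in paths}
    return {p: (anon[p], admin[p]) for p in paths}


if __name__ == "__main__":
    srv = start_server()
    port = srv.server_address[1]
    results = probe(port, "/admin")
    print("status by method:", results)
    print("auth bypass via:", bypasses(results))
    print("anon vs admin:", forced_browsing(port, list(PROTECTED)))
    srv.shutdown()
```

Against the constructed server, GET and POST come back 403 while HEAD, OPTIONS, PUT, DELETE, TRACE and the invented FOO verb all return 200 with the page body: exactly the pattern to look for in a real engagement, where the fix is to enforce the check in one place that every method passes through. Run the forced-browsing diff over the full spidered site map, not just the obvious admin paths.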
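"Check session cookie randomness" is usually done by collecting a few dozen fresh session identifiers and looking for structure. The script below is an added example, not from the original cheat sheet, the OWASP guide or any tool: it scores a sample of tokens three ways (per-position Shannon entropy, positions that never change, and whether the values decode to a tightly clustered integer range, which is what a counter or timestamp looks like). The two token sets are constructed for the demo, the weak one as an incrementing hex counter and the good one from `secrets.token_hex`; the 64-bit threshold and the keyspace fraction used to call a set sequential are assumptions to tune.

```python
"""Assess a sample of session tokens for the 'session cookie randomness'
item: per-position Shannon entropy, positions that never change, and
whether the values are sequential.  Added example, not from any tool or
the OWASP guide; the two token sets below are constructed, the weak one
as an incrementing counter, the good one from the secrets module."""
import math
import secrets
from collections import Counter


def entropy_bits(tokens):
    """Sum over character positions of the Shannon entropy (bits) of the
    characters seen at that position.  With n samples no position can
    score above log2(n), so treat the result as a comparison between
    token sets rather than as an absolute keyspace estimate."""
    width = min(len(t) for t in tokens)
    n = len(tokens)
    total = 0.0
    for pos in range(width):
        counts = Counter(t[pos] for t in tokens)
        total -= sum(c / n * math.log2(c / n) for c in counts.values())
    return total


def constant_positions(tokens):
    """Indexes whose character is identical across every sample."""
    width = min(len(t) for t in tokens)
    return [i for i in range(width) if len({t[i] for t in tokens}) == 1]


def looks_sequential(tokens, base=16, fraction=1e-6):
    """True when the tokens decode as integers whose whole range spans a
    negligible fraction of the keyspace, i.e. a counter or a timestamp.
    Non-numeric tokens (base64, opaque strings) are simply not flagged."""
    try:
        ints = [int(t, base) for t in tokens]
    except ValueError:
        return False
    keyspace = base ** min(len(t) for t in tokens)
    return (max(ints) - min(ints)) / keyspace < fraction


def assess(tokens, min_bits=64):
    """Summarize the three checks; 'weak' if any of them trips."""
    bits = entropy_bits(tokens)
    fixed = constant_positions(tokens)
    seq = looks_sequential(tokens)
    weak = bool(seq or fixed or bits < min_bits)
    return {"bits": round(bits, 2), "constant_positions": fixed,
            "sequential": seq, "verdict": "weak" if weak else "ok"}


# Constructed samples: a counter-based "session id" and 64 proper tokens.
WEAK = [f"{0x1000 + i:08x}" for i in range(64)]
STRONG = [secrets.token_hex(16) for _ in range(64)]

if __name__ == "__main__":
    print("counter tokens:", assess(WEAK))
    print("random tokens: ", assess(STRONG))
```

Collect the real sample by logging in (or just loading the landing page) repeatedly and saving each fresh Set-Cookie value; the same function run on the cookie before and after login gives the session-fixation answer for free, since a good application issues a new, unrelated token at authentication. Burp's Sequencer does a more thorough version of this analysis on larger samples.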