Checklist for Security testing in Web-Applications

Security tests are crucial in the testing process of any application. It provides us with an understanding of the vulnerabilities that must be handled before releasing them to the field. This article will review the main points and considerations that you should follow when executing this kind of test.

General Tests

• Validate that there is no sensitive data stored as a record in the registry.

• Validate that any security issue is documented in a corresponding log file.

• Validate that the site will run on a specific list of browsers (specified by the user); this list should not support old and insecure browser versions.

• Validate that the security logs are written and maintained with the relevant access permission.

Browser related tests

• Validate that the user will not see any sensitive/encrypted data in the web page URL.

• Validate that the user cannot manipulate the URL of the site with invalid Attributes.

• Validate that the “View source code” function does not reveal sensitive data.

• Validate that all data stored in the browser cookie is encrypted.

• Validate that all secured pages are configured to use the HTTPS protocol (instead of HTTP).

Malicious and 3rd part attacks

• Validate the resilience of the user passwords in case of “Guessing” attacks.

• Validate that your site can handle the Simple Object Access Protocol (SOAP).

• Validate that the network traffic between the client/Server is secured.

• Validate the system can handle the Denial of Service attacks (DOS).

• Validate the system can handle the Document Object Model (DMM).

• Validate the system can handle brute Force attacks.

• Validate the system can handle XPath injection.

• Validate the site against HTTP header injections.

• Validate that your site can handle script attacks.

• Run SQL injection attacks.

Security of the site host (Back End server)

• Validate that no authentication information is hardcoded on the site.

• Validate that the server is configured to run with the latest security updates.

• Validate that the client/Server communication is secured with the relevant certificate (in any case that the site is using this authentication method).

• In any case of a failure (Client/server Side), you must validate that the information displayed to the customer will not reveal the back end server information or any other sensitive data (404 error page will be just fine).

• Validate that the Back End server will decline files with the potential to cause damage (exe/bat).

Authentication and authorization test scenarios

• Validate that the authentication fields do not allow the autocomplete mechanism.

• Validate that the user answers the security questions before restarting his password.

• Validate that the authentication process is performed with an encrypted channel.

• Validate the authentication process that uses the “impersonation” method.

• Validate that every refresh of the site will trigger a new Captcha code.

• Validate that the security answers are not saved in DB as plain text.

• Validate that the data entered in the password field is masked.

• Validate that the user authentication data is not stored in cookies.

• Validate that the session tokens are transmitted insecure channels.

• Validate that the user authentication password is created based on predefined quality rules (Complexity, length, etc.).

• Login access should be prohibited when the user exceeds the number (usually 2-3) of unsuccessful attempts.

• Validate that when the user loses/change a current password, he cannot access the site with the old pass.

• Validate that the user can perform operations on the site based on the Role and permission rights.

• Validate that the “Reset” password function works when the user has lost his credentials.

• Validate that your site contains Captcha validation, so the spam bots do not spam your site.

Site Runtime session

• Validate that there is no trace of the user credential when he logout from the system.

• Validate that the cookie session is terminated in a defined time frame/log out.

• Validate that the security policies are enforced.

• Validate that if the user logged out of the site, he could not navigate the site without re-authentication.

• Validate the site's security when the user is moving from Secure to insecure pages.

Input Fields

• Validate that the user cannot overwrite the application files.

• Validate that the user cannot upload Folders (Files only).

• Validate that the site can handle empty inputs.

• Validate that the site can handle partial inputs.

• Validate that there is a filter between the Client/Back-end servers that filter any malicious files uploaded by the user.

• Validate that the site can handle malicious attack attempts on input fields (Usually via Scripts/HTML Tags).