Web Application Audit Checklist

This document provides a checklist for auditing the security of a web application. It covers basic configuration issues, authentication, session management, input handling, and output. The checklist includes questions about default content, directory indexing, server headers, security baselines, network architecture, authentication methods, session IDs, input sanitization, error handling, and encryption of sensitive output.

Uploaded by mutlu gündoğdu

Basic Configuration

• Is default content or sample content installed on the web server?
o If so, why is this necessary? Is any of this material executable code?
• Check that directory indexing has been disabled
• Compare the configuration of the server with manufacturer or community security recommendations. Have appropriate controls and options been configured?
• Have the server headers been sanitized?
• What security baseline has been implemented on the underlying operating system? Has the security of this configuration been audited?
• Does the network architecture support the security and information flow requirements of the web architecture?
• Use at least one automated tool to evaluate the web site
o Are there any issues identified by the tools?
o What sorts of risks do these issues represent?
o What controls already exist to mitigate the risks?
o Are the responsible individuals capable of remediating the risks identified?
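Two of the items above, sanitized server headers and disabled directory indexing, can be checked mechanically from a captured response. The Python below is an added example written for this page, not part of the original handout: the list of disclosure headers, the version pattern and the listing markers are my assumptions about what to look for, and the two responses are constructed, not captured from any real server.

```python
import re

# Response headers that commonly disclose the product and version of the server stack
# (assumed list for this example).
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")

# A bare product name in Server (e.g. "Apache") is tolerated; a version string is a finding.
VERSION_RE = re.compile(r"\d+\.\d+")

# Markers of an auto-generated directory listing (Apache/nginx "Index of /", IIS listings).
INDEX_MARKERS = (
    re.compile(r"<title>\s*Index of /", re.I),
    re.compile(r"\[To Parent Directory\]", re.I),
)


def header_findings(headers):
    """Findings for headers (name -> value, any case) that disclose stack details."""
    lowered = {name.lower(): value for name, value in headers.items()}
    findings = []
    for name in DISCLOSURE_HEADERS:
        value = lowered.get(name)
        if value is None:
            continue
        if name == "server" and not VERSION_RE.search(value):
            continue  # product name without a version is not reported
        findings.append(f"{name} discloses '{value}'")
    return findings


def is_directory_listing(body):
    """True when the response body looks like an auto-generated directory index."""
    return any(marker.search(body) for marker in INDEX_MARKERS)


def audit_response(status, headers, body):
    """Combine both checks for one response; an empty list means no finding."""
    findings = header_findings(headers)
    if status == 200 and is_directory_listing(body):
        findings.append("directory indexing appears to be enabled")
    return findings


# Constructed sample responses for the demonstration (not captured from any real server).
SAMPLE_LEAKY = (
    200,
    {"Server": "Apache/2.4.41 (Ubuntu)", "X-Powered-By": "PHP/7.4.3"},
    "<html><head><title>Index of /uploads</title></head><body>...</body></html>",
)
SAMPLE_CLEAN = (
    200,
    {"Server": "Apache"},
    "<html><head><title>Home</title></head><body>Welcome</body></html>",
)

if __name__ == "__main__":
    for label, sample in (("leaky", SAMPLE_LEAKY), ("clean", SAMPLE_CLEAN)):
        print(label, audit_response(*sample) or ["no findings"])
```

Run the same functions over responses from an automated scan of the site and keep the findings list as the evidence for the checklist answer; a bare product name in `Server` is accepted here because removing it entirely often requires a module or front proxy, while the version is what matters for targeted exploitation.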

Authentication
• Is authentication required? If so:
o How is authentication accomplished?
o If Basic authentication is used, is it appropriate for the level of sensitivity for the data?
o If Basic is used, is SSL required?
o If forms are used, is the POST method used?
o If forms are used, is SSL required?
o If certificates are used, how are certificates controlled?
o If certificates are used, how is the CRL managed?
o How are account lockouts handled?
■ Are speed bump lockouts in use?

Session Management
• What session management and tracking technique is in use?
• Basic Authentication
o Is SSL required at all times after the username and password are requested?
o Is there a sign off procedure to force the credentials to be dropped from the browser?
o Is there some form of tracking in place to identify brute force password guessing attempts?
o How are account lockouts handled?
• URL Rewriting/Hidden form fields
o Are the session IDs sufficiently random?
o Are the session IDs sufficiently large?
o Is the generation of the session ID based on any aspect of the user or password information?
o Are session IDs sent over appropriately secure paths? If not, how is this mitigated?
o How are account lockouts handled?
o Is there a clear sign off procedure to expire a session ID?
o Are session IDs perishable?
• Are the session IDs in the session token of sufficient length for the application?
• Are the session IDs secured appropriately based on cloning detection capabilities?
• What type of session hijacking/cloning detection capabilities exist?
• What actions does the application take when a session violation is detected?
• Are the session IDs sufficiently random?
• Do session IDs expire after some period of time?
• Is a valid session required in all appropriate circumstances? How is this enforced or mediated?
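The questions on session ID randomness, length and secure transport above can be given a first, measurable answer from a sample of IDs and the Set-Cookie header that carries them. The Python below is an added example for this page, not part of the original handout. The 64-bit threshold, the choice of Secure and HttpOnly as required cookie attributes, and the "constant step" test for predictability are my assumptions; the weak and strong ID sets and both cookie headers are constructed.

```python
import math
import secrets
from collections import Counter

# Thresholds assumed for this example; they are not stated in the checklist.
MIN_EFFECTIVE_BITS = 64                       # below this, the id sample is flagged as too weak
REQUIRED_COOKIE_ATTRS = ("secure", "httponly")


def shannon_bits_per_char(ids):
    """Empirical Shannon entropy, in bits per character, over the pooled characters of the sample."""
    pooled = "".join(ids)
    total = len(pooled)
    return -sum(c / total * math.log2(c / total) for c in Counter(pooled).values())


def looks_sequential(ids):
    """True when the ids parse as hex integers and each differs from the previous by one small constant."""
    try:
        nums = [int(i, 16) for i in ids]
    except ValueError:
        return False
    steps = {b - a for a, b in zip(nums, nums[1:])}
    return len(steps) == 1 and 0 < next(iter(steps)) <= 16


def session_id_findings(ids):
    """Findings for a sample of session ids: low estimated entropy or a predictable counter."""
    findings = []
    # bits/char times the shortest id gives a rough upper bound on the entropy of one id
    estimated_bits = shannon_bits_per_char(ids) * min(len(i) for i in ids)
    if estimated_bits < MIN_EFFECTIVE_BITS:
        findings.append(f"estimated entropy {estimated_bits:.0f} bits is below {MIN_EFFECTIVE_BITS}")
    if looks_sequential(ids):
        findings.append("ids advance by a constant step and are predictable")
    return findings


def missing_cookie_attributes(set_cookie):
    """Attributes from REQUIRED_COOKIE_ATTRS absent from a Set-Cookie header value."""
    present = {part.strip().split("=", 1)[0].lower() for part in set_cookie.split(";")[1:]}
    return [attr for attr in REQUIRED_COOKIE_ATTRS if attr not in present]


# Constructed samples: a hex counter (weak) and 128-bit CSPRNG ids (strong).
WEAK_IDS = [f"{0x005A3F00 + i:08x}" for i in range(8)]
STRONG_IDS = [secrets.token_hex(16) for _ in range(16)]
COOKIE_WEAK = "SESSIONID=005a3f00; Path=/"
COOKIE_STRONG = f"SESSIONID={STRONG_IDS[0]}; Path=/; Secure; HttpOnly"

if __name__ == "__main__":
    print("weak ids:", session_id_findings(WEAK_IDS))
    print("strong ids:", session_id_findings(STRONG_IDS) or "no findings")
    print("weak cookie missing:", missing_cookie_attributes(COOKIE_WEAK))
    print("strong cookie missing:", missing_cookie_attributes(COOKIE_STRONG))
```

The character-entropy estimate only catches per-character bias and a short alphabet; an ID built from a timestamp or the user name can score well on it and still be guessable, which is why the checklist's question about deriving the ID from user or password information still has to be answered by reading the generation code.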

Input
• How is input to the application sanitized?
• Is input sanitized in all cases, even if some cases have less restrictive rules?
• Is sensitive information always sent using a POST rather than a GET?
• How robust is the application when dealing with unexpected or illegal input?

Output
• How are error conditions handled?
• Is it possible to cause the application to generate an unhandled error?
• Is encryption used in all cases where sensitive information is returned?
• Are there any anti-caching techniques in use when sensitive information is returned?
• Are all special characters properly stripped or escaped when returned in a web page?
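The last two Output items, anti-caching of sensitive responses and escaping of special characters, are shown below as checks in Python. This is an added example for this page, not code from the original handout: the specific cache directives treated as required are my assumptions, both header sets and the sample name are constructed, and the escaping uses the standard library `html.escape`.

```python
import html

# Constructed response headers for a page that returns sensitive data (not from a real application).
SENSITIVE_HEADERS_WEAK = {"Content-Type": "text/html", "Cache-Control": "public, max-age=3600"}
SENSITIVE_HEADERS_HARDENED = {
    "Content-Type": "text/html",
    "Cache-Control": "no-store, no-cache, must-revalidate",
    "Pragma": "no-cache",
}


def caching_findings(headers):
    """Anti-caching checks for a response that carries sensitive information."""
    lowered = {name.lower(): value.lower() for name, value in headers.items()}
    directives = {d.strip() for d in lowered.get("cache-control", "").split(",") if d.strip()}
    findings = []
    if "no-store" not in directives:
        findings.append("Cache-Control lacks no-store")
    if "public" in directives or any(d.startswith("max-age=") and d != "max-age=0" for d in directives):
        findings.append("Cache-Control permits caching of the response")
    if "no-cache" not in lowered.get("pragma", ""):
        findings.append("Pragma: no-cache is missing (HTTP/1.0 caches)")
    return findings


def render_unescaped(name):
    """'Before' form: the value is placed in the page unchanged, so markup in it is interpreted."""
    return f"<p>Hello, {name}</p>"


def render_escaped(name):
    """'After' form: ampersand, angle brackets and both quote characters become entities first."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


# Constructed input containing the special characters the checklist asks about.
SAMPLE_NAME = "O'Brien <b>&\""

if __name__ == "__main__":
    print(caching_findings(SENSITIVE_HEADERS_WEAK))
    print(caching_findings(SENSITIVE_HEADERS_HARDENED) or "no findings")
    print(render_unescaped(SAMPLE_NAME))
    print(render_escaped(SAMPLE_NAME))
```

Escaping is context-specific: `html.escape` is correct for text and attribute values in HTML, but a value placed inside a script block, a URL or a style attribute needs the escaping rules of that context, so the audit question should be asked per output location rather than once per application.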

Aud5OHANDOUT_3_WebAppCkist_A 1 0_01 - 2
