While testing a web application, clients often ask for some basic security testing as well, and QA engineers are frequently unsure which basic security checks need to be performed for a web application. Following are some of the basic security checks QA should perform. Thanks to Dharmesh Mehta …

Authentication Checks

1. Login and Change Password pages on SSL?
2. All sensitive pages (accepting SSN, Credit Card) over SSL?
3. Strong password policy? (Joe accounts where the password equals the username / blank passwords / max password age / min password age, etc.)
4. Is Forgot Password page secure?
5. Password Change forced on 1st login?
6. Re-authenticate before moving to sensitive pages (Edit Account Info?)
7. Prompts old password before changing password?
8. Has a “Remember Me” feature? If so, how is the password stored?
9. Warns before allowing “Remember Me”?
10. Has CAPTCHA to prevent password guessing?
11. Does it show error messages like “Invalid User” / “Invalid Password” that reveal whether the username exists?
12. Can authentication be bypassed for privileged URLs?
13. Is AutoComplete set to OFF?
14. Is password re-submitted on ‘Back/Refresh’ of browser?
15. SQL Injection in login?

Session Management

1. Is session id random enough?
2. Session Timeout present?
3. Stored in what form? (Persistent cookie/in-memory cookie)?
4. Session Id expires on request tampering?
5. Sensitive data in cookie?
6. Can you see X user’s data with Y’s session id?
7. Session expires at server-side on logout?
8. Can logged out user’s session be re-used?
9. Is new session id generated on login?
10. Is cookie over-written on logout?
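The session checks above are easiest to reason about against a concrete server-side session store. The following is an added example written for this post, not code from the original article: it issues ids from the OS random generator (check 1), applies an idle timeout (check 2), rotates the id on login (check 9), destroys the session server-side on logout (checks 7 and 8) and emits a cookie header that over-writes the browser's copy (check 10). The cookie name SESSIONID and the 15-minute timeout are assumptions.

```python
import secrets
import time

SESSION_TIMEOUT = 15 * 60  # idle timeout in seconds (assumed value for the example)


class SessionStore:
    """Server-side session store: random ids, rotation on login, expiry on logout or idle."""

    def __init__(self, timeout=SESSION_TIMEOUT, clock=time.time):
        self._sessions = {}
        self._timeout = timeout
        self._clock = clock  # injectable clock so the timeout can be tested

    def create(self):
        # 32 bytes from the OS CSPRNG: not guessable, not sequential (check 1)
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "last_seen": self._clock()}
        return sid

    def get(self, sid):
        data = self._sessions.get(sid)
        if data is None:
            return None
        if self._clock() - data["last_seen"] > self._timeout:
            self.destroy(sid)  # idle timeout (check 2)
            return None
        data["last_seen"] = self._clock()
        return data

    def login(self, sid, user):
        """Issue a fresh id on login (check 9) so an id handed out before login is never trusted."""
        if self.get(sid) is None:
            raise ValueError("unknown or expired session")
        self._sessions.pop(sid, None)
        new_sid = self.create()
        self._sessions[new_sid]["user"] = user
        return new_sid

    def destroy(self, sid):
        """Invalidate server-side on logout (check 7); the old id cannot be replayed (check 8)."""
        self._sessions.pop(sid, None)

    def current_user(self, sid):
        """Data is only ever looked up by the caller's own id (check 6)."""
        data = self.get(sid)
        return data["user"] if data else None


def logout_cookie_header():
    """Set-Cookie value that over-writes and expires the session cookie on logout (check 10)."""
    return "SESSIONID=; Max-Age=0; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore()
    anonymous = store.create()
    logged_in = store.login(anonymous, "alice")
    print("id rotated on login:", anonymous != logged_in)
    store.destroy(logged_in)
    print("reuse after logout:", store.current_user(logged_in))
```

The injectable clock is what lets a QA engineer verify the timeout deterministically instead of waiting fifteen minutes; the same pattern applies when testing an absolute session lifetime.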

SQL Injection Checks

1. SQL Injection : '
2. SQL Injection : ' OR 1=1 --
3. SQL Injection : '; WAITFOR DELAY '00:00:05'--
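To make clear what the first two payloads above actually test, here is an added example (not code from the original post) of a login lookup built by string concatenation beside the parameterized form that makes the same input inert. It also covers check 11 from the authentication list: the hardened version returns one generic message whether the username is unknown, the password is wrong or the database raised an error. The in-memory SQLite table and its single user are constructed for the demo; storing a plaintext password there is a simplification and not a practice to copy.

```python
import sqlite3


def make_demo_db():
    """Constructed in-memory user table (plaintext password only to keep the demo short)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return conn


def login_vulnerable(conn, username, password):
    """Query text is built from the request, so a quote in the input changes the SQL."""
    sql = (
        f"SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        # Echoing the database error to the client is an information disclosure on its own.
        return f"error: {exc}"
    return row[0] if row else "invalid login"


def login_hardened(conn, username, password):
    """Bound parameters: the input is always data, never part of the statement."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    try:
        row = conn.execute(sql, (username, password)).fetchone()
    except sqlite3.Error:
        # Detail belongs in the server log; the client gets the same generic message.
        return "Invalid username or password"
    return row[0] if row else "Invalid username or password"


if __name__ == "__main__":
    db = make_demo_db()
    for user in ("alice", "'", "' OR 1=1 --"):
        print(repr(user), "->", login_vulnerable(db, user, "x"), "|", login_hardened(db, user, "x"))
```

The three inputs are exactly the first two entries of the checklist plus a valid user, so running the block shows the lone quote producing a database error and the OR 1=1 input producing a login in the concatenated version, while the parameterized version treats both as ordinary strings that match no account.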

XSS Checks

1. XSS Javascript
2. XSS Encoded
3. XSS Cookie
4. Is CSRF possible?
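For the XSS and CSRF items, the defensive side is context-aware output encoding plus a per-session anti-forgery token. The block below is an added example written for this post, not code from the original article: render_greeting places one untrusted value in a text node, a URL parameter and an attribute, encoding it for each context, and CsrfProtector issues a random token bound to the session and compares the submitted one in constant time. The route names and the session ids are constructed for the example.

```python
import hmac
import html
import secrets
from urllib.parse import quote


def encode_html(value):
    """Escape for an HTML text node or a quoted attribute (quote=True also escapes ' and ")."""
    return html.escape(value, quote=True)


def encode_url_param(value):
    """Percent-encode everything so the value cannot add or alter query parameters."""
    return quote(value, safe="")


def render_greeting(name):
    """Untrusted name appears in three contexts; each gets its own encoder. Attributes are always quoted."""
    return (
        f"<p>Hello, {encode_html(name)}</p>"
        f'<a href="/profile?user={encode_url_param(name)}" title="{encode_html(name)}">profile</a>'
    )


class CsrfProtector:
    """Per-session token stored server-side and required on every state-changing request."""

    def __init__(self):
        self._tokens = {}

    def issue(self, session_id):
        token = secrets.token_hex(32)
        self._tokens[session_id] = token
        return token  # embed in the form as a hidden field

    def verify(self, session_id, submitted):
        expected = self._tokens.get(session_id)
        if expected is None or submitted is None:
            return False
        # constant-time comparison, and the token only counts for the session it was issued to
        return hmac.compare_digest(expected, submitted)


if __name__ == "__main__":
    print(render_greeting("<script>alert(1)</script>"))
    guard = CsrfProtector()
    token = guard.issue("session-A")
    print("same session:", guard.verify("session-A", token))
    print("other session:", guard.verify("session-B", token))
```

Encoding at output time rather than filtering at input time is what makes the "XSS Encoded" check pass: an encoded payload that slips past an input filter is still just text once it is escaped for the context it lands in.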

Input Validation Checks

1. Can client-side validation be bypassed by editing the request in a proxy?
2. Can errors be generated that disclose information (stack traces, file paths, versions)?
3. Does the web page source reveal sensitive application information?
4. HTTP header manipulation
5. View state manipulation
6. GET and POST parameter manipulation
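Checks 1, 2 and 6 come down to one rule: the server re-validates every parameter and never trusts a value the browser computed. As an added example (not code from the original post), the handler below accepts an order form with an allowlist of parameter names, looks the price up server-side instead of reading it from the request, bounds the quantity, and turns unexpected failures into a generic message so nothing from the exception reaches the client. The catalog, parameter names and limits are constructed for the example.

```python
# Constructed catalog: prices are looked up here, never taken from the request
CATALOG = {"SKU-100": 1999, "SKU-200": 4999}  # prices in cents
ALLOWED_PARAMS = {"sku", "qty"}
MAX_QTY = 10


class ValidationError(ValueError):
    """Client-facing validation failure; its message is safe to return."""


def validate_order(params):
    """Server-side validation that holds regardless of what JavaScript did in the browser."""
    unknown = set(params) - ALLOWED_PARAMS
    if unknown:
        # e.g. a 'price' or 'discount' field injected through a proxy
        raise ValidationError("unexpected parameter")
    sku = params.get("sku")
    if sku not in CATALOG:
        raise ValidationError("unknown item")
    try:
        qty = int(params.get("qty", ""))
    except ValueError:
        raise ValidationError("quantity must be a whole number")
    if not 1 <= qty <= MAX_QTY:
        raise ValidationError("quantity out of range")
    return {"sku": sku, "qty": qty, "total_cents": CATALOG[sku] * qty}


def handle_order(params):
    """Return (status, body). Only ValidationError text is shown; anything else is generic."""
    try:
        order = validate_order(params)
    except ValidationError as exc:
        return 400, {"error": str(exc)}
    except Exception:
        # log the traceback server-side; the client must not see it (check 2)
        return 500, {"error": "internal error"}
    return 200, order


if __name__ == "__main__":
    print(handle_order({"sku": "SKU-100", "qty": "2"}))
    print(handle_order({"sku": "SKU-100", "qty": "2", "price": "1"}))
    print(handle_order({"sku": "SKU-100", "qty": "-5"}))
```

A QA engineer can drive these cases straight from a proxy: tamper the quantity to a negative number, add a price field, or send a string where a number is expected, and confirm the response is a 400 with no stack trace rather than an accepted order.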

Secure Storage Checks

1. Are passwords stored in clear text?
2. Is sensitive information like Credit Card encrypted?
3. What encryption algorithm is used? Standard or proprietary?
4. Is connection string in clear text?
5. Any passwords hard-coded in application?

Browser Checks

1. Check browser history and cache: are sensitive pages cached?
2. Is data cached by search engines or desktop search tools?
3. Any hard-coded secrets in JavaScript files?
4. Web Page code reveals sensitive comments?

File Checks

1. Is file upload /download allowed?
2. Can files be downloaded directly from URL?
3. Can malicious files be uploaded?
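For check 3, "can malicious files be uploaded" is answered by what the server does before it writes anything to disk. The block below is an added example written for this post, not code from the original article: it allowlists extensions, confirms the file content matches the claimed type by its leading bytes, caps the size, replaces the client's filename with a random one, and confirms the final path stays inside the upload directory. The allowed types, size limit and upload root are constructed for the example; in a real deployment the upload root sits outside the web root so check 2 (direct download by URL) cannot apply to it.

```python
import os
import secrets

# Constructed allowlist: extension -> accepted leading bytes
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "pdf": (b"%PDF-",),
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # assumed limit


def validate_upload(filename: str, data: bytes):
    """Return (ok, reason, extension). Extension allowlist, content sniff and size cap."""
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "too large", None
    base = os.path.basename(filename)  # discard any directory components the client sent
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED_TYPES:
        return False, "extension not allowed", None
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, "content does not match extension", None
    return True, "ok", ext


def storage_name(ext: str) -> str:
    """Server-chosen random name; the client's filename never reaches the filesystem."""
    return f"{secrets.token_hex(16)}.{ext}"


def safe_storage_path(upload_root: str, name: str):
    """Resolve the path and return it only if it stays inside upload_root, else None."""
    root = os.path.realpath(upload_root)
    path = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, path]) != root:
        return None
    return path


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32  # constructed PNG header
    print(validate_upload("photo.png", png))
    print(validate_upload("shell.php", b"<?php echo 1; ?>"))
    print(validate_upload("shell.php.png", b"<?php echo 1; ?>"))
    print(safe_storage_path("/srv/uploads", storage_name("png")))
    print(safe_storage_path("/srv/uploads", "../outside"))
```

The double-extension case is the one most often missed in QA: "shell.php.png" passes an extension check, and only the content check catches it.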

Environment Checks

1. Are default apps installed?
2. Are default accounts enabled? Do they have strong passwords?
3. Is firewall deployed?
4. Is code obfuscated?
5. Can server details be detected through banner grabbing?
6. Are forms bot resistant?
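Two items from different lists are verified the same way, by reading response headers: the browser checks (are sensitive pages cached, are they indexable by search engines) and environment check 5 (does the Server banner give away product versions). The block below is an added example written for this post, not code from the original article. sensitive_page_headers shows the headers a sensitive page should send, and audit_response reports findings for a captured response so the same check can be run over a list of pages. The path prefixes treated as sensitive and the sample headers are constructed for the example.

```python
import re

SENSITIVE_PATH_PREFIXES = ("/account", "/checkout", "/login")  # assumed for the example

# Matches a product version suffix such as "Apache/2.4.57" or "PHP/8.1.2"
VERSION_BANNER = re.compile(r"/\d+(\.\d+)+")


def sensitive_page_headers():
    """Headers that keep browsers, proxies and search engines from retaining a sensitive page."""
    return {
        "Cache-Control": "no-store, no-cache, must-revalidate",
        "Pragma": "no-cache",  # for HTTP/1.0 caches
        "Expires": "0",
        "X-Robots-Tag": "noindex, nofollow",
        "Server": "webserver",  # generic banner, no product or version
    }


def audit_response(path, headers):
    """Return a list of findings for one response; an empty list means the checks pass."""
    findings = []
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if path.startswith(SENSITIVE_PATH_PREFIXES):
        if "no-store" not in h.get("cache-control", "").lower():
            findings.append(f"{path}: sensitive page lacks Cache-Control: no-store")
        if "noindex" not in h.get("x-robots-tag", "").lower():
            findings.append(f"{path}: sensitive page is indexable (no X-Robots-Tag: noindex)")
    for name in ("server", "x-powered-by"):
        value = h.get(name, "")
        if VERSION_BANNER.search(value):
            findings.append(f"{path}: {name} header reveals a version: {value}")
    return findings


if __name__ == "__main__":
    # Constructed responses: one hardened, one with a typical default configuration
    print(audit_response("/account/edit", sensitive_page_headers()))
    print(audit_response("/account/edit", {
        "Cache-Control": "public, max-age=3600",
        "Server": "Apache/2.4.57 (Ubuntu)",
        "X-Powered-By": "PHP/8.1.2",
    }))
```

The audit deliberately keys on the request path rather than on the page content: a QA engineer can feed it the URL list from a crawl and the captured headers from a proxy, and every sensitive page that is cacheable or indexable shows up as a finding.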

Via: Dharmesh Mehta


4 Responses to “Basic Security Check For WebApplications”

1. Nice info!!

2. Hello from Russia!
   Can I quote a post “No teme” in your blog with the link to you?

   Ashish Bobade Reply:

   Hi, you can post my article and link back to me.. no issues :)

3. Hi Ashish,
   Very useful article…..