Monday, July 17, 2017

Security and Penetration test checklist for Web-Applications | David Tzemach

During the testing process of any application (including Web-Based application), we must run tests that will help us to understand how well the application is secured before release it to the market, this phase of testing, will allow us to determine the vulnerabilities, Security Gaps and to determine how well do we keep the confidential data of the tested application.

In this post, we will review the main points and consideration that you should follow when executing this kind of tests, please make sure that you adjust this checklist for your own needs and based on the testing effort that is needed. 

This testing levels will include different testing methods, such as:
  • Authentication tests.
  • Penetration testing.
  • Brute Force testing.
  • SQL injection tests.



  • Validate that there is no sensitive data that is stored as a record in the registry.
  • Validate that any security issue is documented in a corresponding log file.
  • Validate that the site will run on a specific list of browsers (specified by the user), this list should not support old and insecure browser versions.
  • Validate that the security logs are written and maintained with the relevant access permission.

A Browser related tests

  • Validate that the user will not see any sensitive/encrypted data in the web page URL.
  • Validate that the user cannot manipulate the URL of the site with invalid Attributes.
  • Validate that the “View source code” function does not reveal sensitive data.
  • Validate that all data that stored in the browser cookie is encrypted.
  • Validate that all secured pages are configured to use HTTPS protocol (instead of HTTP).

Malicious and 3rd part attacks

  • Validate the resilience of the user passwords in case of “Guessing” attacks.
  • Validate that your site can handle Simple Object Access Protocol (SOAP).
  • Validate that the network traffic between the client/Server is secured.
  • Validate the system can handle Denial of Service attacks (DOS).
  • Validate the system can handle Document Object Model (DMM).
  • Validate the system can handle brute Force attacks.
  • Validate the system can handle XPath injection.
  • Validate the site against HTTP header injections.
  • Validate that your site can handle script attacks.
  • Run SQL injection attacks.

Security of the site host (Back End server)

  • Validate that there is no authentication information that is hard coded in the site.
  • Validate that the server is configured to run with the latest security updates.
  • Validate that the communication between the client/Server is secured with the relevant certificate (in any case that the site is using this authentication method).
  • In any case of a failure (Client/server Side), you must validate that the information that displayed to the customer will not reveal the back end server information or any other sensitive data (404 error page will be just fine).
  • Validate that the Back End server will decline files with a potential to cause damage (exe/bat).

Authentication and authorization test scenarios

  • Validate that the authentication fields do not allow the auto complete mechanism.
  • Validate that the user answers the security questions before restarting his password.
  • Validate that the authentication process is performed with an encrypted channel.
  • Validate the authentication process that uses “impersonation” method.
  • Validate that every refresh of the site will trigger a new Captcha code.
  • Validate that the security answers are not saved in DB as plain text.
  • Validate that the data that entered in the password field is masked.
  • Validate that the user authentication data is not stored in cookies.
  • Validate that the session tokens are transmitted in secure channels.
  • Validate that the user authentication password is created based on predefined quality rules (Complexity, length etc.).
  • Login access should be prohibiting when the user exceeded the number (usually 2-3) of unsuccessful attempts.
  • Validate that when the user lost/change a current password, he cannot access the site with the old pass.
  • Validate that the user can perform operations on the site based on the Role and permission rights.
  • Validate that the “Reset” password function is working when the user as lost is credentials.
  • Validate that your site contains Captcha validation so the spam bots do not spam your site.

Site Runtime session

  • Validate that there is no trace of the user credential when he logout from the system.
  • Validate that the cookie session is terminated in a defined time frame/log out.
  • Validate that the security policies are enforced.
  • Validate that in any case that the user logged out of the site, he cannot navigate the site without re-authentication.
  • Validate that security of the site when the user is moving from Secure to insecure pages.

Input Fields

  • Validate that the user cannot overwrite the application files.
  • Validate that the user cannot upload Folders (Files only).
  • Validate that the site can handle empty inputs.
  • Validate that the site can handle partial inputs.
  • Validate that there is a filter between the Client/Back-end servers that filter any malicious files that are uploaded by the user.
  • Validate that the site can handle a malicious attack attempts on input fields (Usually via Scripts/HTML Tags).


  1. Thanks for the checklist David. It is really good.
    I was wondering if we can also get to know how to perform these tests as some of them can be understood by reading and others are bit difficult to comprehend.
    For example: Validate the system can handle Document Object Model (DMM).


  2. For web application security penetration Testing becomes really an important to build a secure system which can be used by users without any kind of worries about hacking or data loss. A lot of test scenario which are tested as a part of web application security testing.


My Presentations