Application Security Concerns - General checklist

Dear colleagues, clients, friends, acquaintances,

Thank you for all your support! I am really happy to see that so many people are motivated by the things I do, and I am even happier to see that you are considering Application Security as your career path.

You probably know that I am sometimes short on time, but I have replied to most of the emails that I constantly receive (yay), and I have realized that most of your questions were variations of "When do you know that a certain product is safe and well-protected?" or "When do we stop testing?". I would like to answer that question in this article, since the answer is not that simple.

Short answer: There is no such thing as 100% safe. There is only minimizing the risk to a level with really low impact, because all abuse cases are more or less handled securely. When you have that, stop, but never stop fully. Improve and evolve. Period.

Long answer: There are worldwide standards that cover most of the technical concerns. If your components are implemented and tested properly, and if the security countermeasures are in place, the risk factor will be considerably minimized. We can then stop and say that the application is safe "enough" and well-protected, since all abuse cases that were tested are handled safely and do not present a risk that would greatly affect the system.

Anyway, in this article I am also going to share the general checklist that I follow while evaluating complex projects. For free.

The following checklist will be a useful reference, because it will help you take into consideration all the countermeasures that need to be implemented.

I know that Application Security is a rather complex domain and that you need a full-stack mindset to start with, but if you need a secure product, just follow the checklist and you will have a safer product in no time.

General Application Security Checklist:

  • Conduct Search Engine Discovery and Reconnaissance for Information Leakage
  • Fingerprint Web Server
  • Review Webserver Metafiles for Information Leakage
  • Enumerate Applications on Webserver
  • Review Webpage Comments and Metadata for Information Leakage
  • Identify application entry points
  • Map execution paths through application
  • Fingerprint Web Application Framework
  • Fingerprint Web Application
  • Map Application Architecture
  • Test Network/Infrastructure Configuration
  • Test Application Platform Configuration
  • Test File Extensions Handling for Sensitive Information
  • Backup and Unreferenced Files for Sensitive Information
  • Enumerate Infrastructure and Application Admin Interfaces
  • Test HTTP Methods
  • Test HTTP Strict Transport Security
  • Test RIA cross domain policy
  • Test Role Definitions
  • Test User Registration Process
  • Test Account Provisioning Process
  • Testing for Account Enumeration and Guessable User Account
  • Testing for Weak or unenforced username policy
  • Test Permissions of Guest/Training Accounts
  • Test Account Suspension/Resumption Process
  • Testing for Credentials Transported over an Encrypted Channel
  • Testing for default credentials
  • Testing for Weak lock out mechanism
  • Testing for bypassing authentication schema
  • Test remember password functionality
  • Testing for Browser cache weakness
  • Testing for Weak password policy
  • Testing for Weak security question/answer
  • Testing for weak password change or reset functionalities
  • Testing for Weaker authentication in alternative channel
  • Testing Directory traversal/file include
  • Testing for bypassing authorization schema
  • Testing for Privilege Escalation
  • Testing for Insecure Direct Object References
  • Testing for Bypassing Session Management Schema
  • Testing for Cookies attributes
  • Testing for Session Fixation
  • Testing for Exposed Session Variables
  • Testing for Cross Site Request Forgery
  • Testing for logout functionality
  • Test Session Timeout
  • Testing for Session puzzling
  • Testing for Reflected Cross Site Scripting
  • Testing for Stored Cross Site Scripting
  • Testing for HTTP Verb Tampering
  • Testing for HTTP Parameter pollution
  • Testing for SQL Injection
  • Oracle Testing
  • MySQL Testing
  • SQL Server Testing
  • Testing PostgreSQL
  • MS Access Testing
  • Testing for NoSQL injection
  • Testing for LDAP Injection
  • Testing for ORM Injection
  • Testing for XML Injection
  • Testing for SSI Injection
  • Testing for XPath Injection
  • IMAP/SMTP Injection
  • Testing for Code Injection
  • Testing for Local File Inclusion
  • Testing for Remote File Inclusion
  • Testing for Command Injection
  • Testing for Buffer overflow
  • Testing for Heap overflow
  • Testing for Stack overflow
  • Testing for Format string
  • Testing for incubated vulnerabilities
  • Testing for HTTP Splitting/Smuggling
  • Analysis of Error Codes
  • Analysis of Stack Traces
  • Testing for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection
  • Testing for Padding Oracle
  • Testing for Sensitive information sent via unencrypted channels
  • Test Business Logic Data Validation
  • Test Ability to Forge Requests
  • Test Integrity Checks
  • Test for Process Timing
  • Test Number of Times a Function Can be Used Limits
  • Testing for the Circumvention of Work Flows
  • Test Defenses Against Application Mis-use
  • Test Upload of Unexpected File Types
  • Test Upload of Malicious Files
  • Testing for DOM based Cross Site Scripting
  • Testing for JavaScript Execution
  • Testing for HTML Injection
  • Testing for Client Side URL Redirect
  • Testing for CSS Injection
  • Testing for Client Side Resource Manipulation
  • Test Cross Origin Resource Sharing
  • Testing for Cross Site Flashing
  • Testing for Clickjacking
  • Testing WebSockets
  • Test Web Messaging
  • Test Local Storage
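Several of the items above (Test HTTP Strict Transport Security, Testing for Cookies attributes, Test Cross Origin Resource Sharing, Testing for Clickjacking) can be verified directly from a server's response headers. The following is an added example, not code from the original article: a small auditor that parses a raw HTTP response head and reports which of those header-level countermeasures are missing. The two sample responses, the one-year HSTS threshold and the finding wording are my own constructed choices, not values from the checklist.

```python
"""Header-level audit for a few checklist items (added example, not the article's code).

Checks performed on a parsed HTTP response head:
  - HSTS present with a max-age of at least one year (threshold is an assumption here)
  - every Set-Cookie carries Secure, HttpOnly and a SameSite attribute
  - CORS does not combine a wildcard origin with Access-Control-Allow-Credentials
  - framing is restricted via X-Frame-Options or a CSP frame-ancestors directive
"""
from dataclasses import dataclass, field
from typing import Dict, List

ONE_YEAR_SECONDS = 31536000  # assumed minimum HSTS max-age for this example


@dataclass
class Response:
    """Minimal stand-in for an HTTP response: header map plus raw Set-Cookie values."""
    headers: Dict[str, str] = field(default_factory=dict)
    cookies: List[str] = field(default_factory=list)


def parse_raw_response(raw: str) -> Response:
    """Parse a raw HTTP/1.1 response head (status line + headers).

    Header names are lower-cased so lookups are case-insensitive, as HTTP requires.
    Set-Cookie may repeat, so those values are collected in a list instead of a map.
    """
    resp = Response()
    lines = raw.strip().splitlines()
    for line in lines[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        if name == "set-cookie":
            resp.cookies.append(value)
        else:
            resp.headers[name] = value
    return resp


def audit(resp: Response) -> List[str]:
    """Return a list of findings; an empty list means every checked item passed."""
    findings: List[str] = []

    # Test HTTP Strict Transport Security
    hsts = resp.headers.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS: Strict-Transport-Security header missing")
    else:
        max_age = 0
        for directive in hsts.split(";"):
            d = directive.strip().lower()
            if d.startswith("max-age="):
                try:
                    max_age = int(d.split("=", 1)[1])
                except ValueError:
                    pass  # malformed value counts as zero
        if max_age < ONE_YEAR_SECONDS:
            findings.append(f"HSTS: max-age {max_age} is below one year")

    # Testing for Cookies attributes
    for cookie in resp.cookies:
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower().split("=", 1)[0] for a in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"Cookie {name}: missing Secure flag")
        if "httponly" not in attrs:
            findings.append(f"Cookie {name}: missing HttpOnly flag")
        if "samesite" not in attrs:
            findings.append(f"Cookie {name}: SameSite attribute not set")

    # Test Cross Origin Resource Sharing
    acao = resp.headers.get("access-control-allow-origin")
    acac = resp.headers.get("access-control-allow-credentials", "").lower()
    if acao == "*" and acac == "true":
        findings.append("CORS: wildcard Access-Control-Allow-Origin combined with Allow-Credentials")

    # Testing for Clickjacking
    xfo = resp.headers.get("x-frame-options", "").upper()
    csp = resp.headers.get("content-security-policy", "").lower()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("Clickjacking: no X-Frame-Options or CSP frame-ancestors directive")

    return findings


# Constructed sample responses (not captured from any real system).
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: session=abc123; Path=/
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
"""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=63072000; includeSubDomains
Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
X-Frame-Options: DENY
"""

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"== {label} ==")
        for finding in audit(parse_raw_response(raw)) or ["no findings"]:
            print(" -", finding)
```

The weak sample produces six findings and the hardened one none. The checks are deliberately conservative: a cookie without SameSite and a CORS policy that pairs `*` with credentials are reported as misconfigurations even where a browser would refuse the combination, because the goal of the checklist is to confirm the countermeasure is actually in place, not to rely on client behaviour.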


I hope that this article was useful for you!

Thank you for your attention,

Dragan Ilievski

