Manual Security Testing Checklist

What is Security Testing?

In simple words, security testing is a non-functional testing technique that verifies whether an information system or application protects data and maintains functionality as intended. There are various ways to do security testing, but the important thing is that we cannot overlook the need for it. Security testing is a vast topic, and it takes time to master. Here, I have listed a few points that can be taken care of without prior knowledge of security testing techniques.

First of all, let’s categorise manual security testing as per its characteristics:

  1. Authentication Testing
  2. Authorization Testing
  3. Configuration Management Testing
  4. Session Management Testing
  5. Data Validation Testing
  6. Denial of Service Testing

Authentication Testing:

Authentication is identifying users and validating that they are who they claim to be. For example, a user with the correct key can unlock the door lock.

This is the very first step in any security process. To test authentication, check the points below.

  1. Check that a user with a valid username-password combination can access the application.
  2. Check whether it is possible to reuse the session after logout.
  3. If the application has an automatic logout module, check that it logs out a user who has been idle for a certain amount of time.
  4. Check whether any sensitive information (user ID, password, or any secret key) remains stored in the browser cache.
  5. Check whether the password can be reset by social engineering, cracking secret questions, or guessing.
  6. Check whether a "Remember my password" mechanism is implemented by inspecting the HTML code of the login page.
  7. Check whether hardware devices communicate directly and independently with the authentication infrastructure over an additional communication channel.
  8. Test whether the CAPTCHA has authentication vulnerabilities.
  9. Check whether any weak security questions/answers are present.
  10. A successful SQL injection could lead to the loss of customer trust, and attackers can steal phone numbers, addresses, and credit card details. Placing a web application firewall in front of the application can filter malicious SQL queries out of the traffic.

Authorization Testing:

A common myth is that authentication and authorization are the same. Using the house example again: authentication is what gets you into the house, while authorization is what you may do once inside; having permission to enter the house does not mean you have the privilege to use everything in it.

  1. Test role and privilege manipulation to access resources.
  2. Test for path traversal by enumerating input vectors and analysing the input validation functions present in the web application.
  3. Test for cookie and parameter tampering using web spider tools.
  4. Test for HTTP request tampering and check whether it can be used to gain illegal access to reserved resources.

Configuration Management Testing

In configuration management testing, we must ensure that configuration items are managed carefully throughout the entire project and product life cycle.

  1. Check the directory and file enumeration (list of files), and review server and application documentation. Also, check the infrastructure and application admin interfaces.
  2. Analyze the *Web server banner and perform network scanning.

* Web server banner: The web server often shows the world what type of server it is, its version number, and the operating system. This information is available in header fields and can be acquired using a web browser to make a simple HTTP request to any web application. It is often called the web server banner.

  3. Check and verify the presence of old documentation, backups, and referenced files such as source code, passwords, and installation paths.
  4. Check and identify the ports associated with the SSL/TLS services.
  5. Review the OPTIONS HTTP method using Netcat or Telnet, e.g.:

     • OPTIONS /index.html HTTP/1.1
     • OPTIONS * HTTP/1.1

  6. Test for HTTP methods and XST (cross-site tracing) that could expose the credentials of legitimate users.
  7. Perform an application configuration management test to review the information in the source code, log files, and default error codes.
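The OPTIONS probe and banner review above, as an added example that is not part of the original checklist: the request is built exactly as it would be typed into Netcat or Telnet, and the reply (a constructed sample, not a real capture) is parsed to flag TRACE and other methods worth questioning, plus a Server banner that discloses a version.

```python
"""Build an OPTIONS probe and review the reply for risky methods and a verbose banner."""
from typing import Dict, List

# Methods whose exposure a reviewer should question: TRACE enables cross-site
# tracing (XST); PUT/DELETE/CONNECT change content or proxy traffic if left open.
RISKY_METHODS = {"TRACE", "PUT", "DELETE", "CONNECT"}


def build_options_request(host: str, target: str = "*") -> bytes:
    """Raw request bytes identical to what you would type into netcat/telnet."""
    return (f"OPTIONS {target} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            "Connection: close\r\n\r\n").encode()


def parse_response(raw: str) -> Dict[str, str]:
    """Return the status line plus lowercase header name -> value."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {"status": lines[0]}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def review_options(raw: str) -> Dict[str, object]:
    """Summarise what the Allow and Server headers reveal about the server."""
    h = parse_response(raw)
    allowed: List[str] = [m.strip().upper() for m in h.get("allow", "").split(",") if m.strip()]
    banner = h.get("server", "")
    return {
        "allowed": allowed,
        "risky": sorted(RISKY_METHODS & set(allowed)),
        "banner": banner,
        # Assumption: a digit in the Server header means a version number is disclosed.
        "verbose_banner": any(ch.isdigit() for ch in banner),
    }


# Constructed sample reply (not captured from a real server).
SAMPLE = ("HTTP/1.1 200 OK\r\n"
          "Server: Apache/2.4.57 (Unix)\r\n"
          "Allow: GET,HEAD,POST,OPTIONS,TRACE\r\n"
          "Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    print(build_options_request("example.com").decode())
    print(review_options(SAMPLE))
```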

Session Management Testing:

To avoid continuous authentication for each website or service page, web applications implement various mechanisms to store and validate credentials for a pre-determined timespan. These mechanisms are known as Session Management.

  1. Check the URLs in the restricted area to test for Cross-Site Request Forgery (request imitation).
  2. Test for exposed session variables by inspecting encryption and session-token reuse, proxies and caching, and GET versus POST.
  3. Collect a sufficient number of cookie samples, analyse the algorithm behind them, and check whether a valid cookie can be forged.
  4. Test the cookie attributes using intercepting proxies such as Burp Proxy, OWASP ZAP, or Tamper Data.
  5. Test for session fixation to prevent the user session from being hijacked (session hijacking).
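Added example, not from the original post: the cookie checks of items 3 and 4 applied to constructed Set-Cookie headers, so the same findings an intercepting proxy would show can be produced offline. The 16-character length threshold for flagging a short or sequential token is an assumption.

```python
"""Audit Set-Cookie headers for the attributes a session cookie should carry."""
from typing import Dict, List


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split 'name=value; Attr; Attr=val' into a dict; flag attributes map to ''."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip()
    return cookie


def audit_session_cookie(header: str) -> List[str]:
    """Return findings for one Set-Cookie header; an empty list means it passed."""
    c = parse_set_cookie(header)
    findings: List[str] = []
    if "secure" not in c:
        findings.append("missing Secure: cookie can be sent over plain HTTP")
    if "httponly" not in c:
        findings.append("missing HttpOnly: readable by script, so XSS can steal it")
    if c.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: weak CSRF protection")
    # Assumption: fewer than 16 characters or an all-digit value suggests a guessable token.
    if len(c["value"]) < 16 or c["value"].isdigit():
        findings.append("token looks short or sequential: check its entropy")
    if "expires" in c or "max-age" in c:
        findings.append("persistent cookie: session survives browser close")
    return findings


# Constructed headers, not captured from a real application.
WEAK = "JSESSIONID=10045; Path=/; Expires=Wed, 01 Jan 2025 00:00:00 GMT"
STRONG = "session=7f3a9c2e5b1d4e6f8a0b9c1d2e3f4a5b; Path=/; Secure; HttpOnly; SameSite=Lax"

if __name__ == "__main__":
    for h in (WEAK, STRONG):
        print(parse_set_cookie(h)["name"], audit_session_cookie(h))
```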

Data Validation Testing

Input validation, or data validation, is the proper testing of any input supplied by a user or application. Input validation prevents improperly formed data from entering an information system. Because it is difficult to detect a malicious user trying to attack software, applications should check and validate all input entered into a system. Input validation should occur when data is received from an external party, especially if the data comes from untrusted sources. Incorrect input validation can lead to injection attacks, memory leakage, and compromised systems. While input validation can be either whitelist- or blacklist-based, whitelisting is preferable because it only passes expected data. We can:

  1. Perform source code analysis for JavaScript coding errors.
  2. Perform union-query SQL injection testing, standard SQL injection testing, and blind SQL query testing using tools such as SQL ninja, sqldumper, SQL power injector, etc.
  3. Analyze the HTML code, test for stored XSS, and leverage stored XSS using tools such as XSS proxy, Back frame, Burp Proxy, OWASP ZAP, and XSS Assistant.
  4. Perform LDAP (Lightweight Directory Access Protocol) injection testing for sensitive information about users and hosts.
  5. Perform IMAP/SMTP injection testing to access the back-end mail server.
  6. Perform XPath injection testing to access confidential information.
  7. Perform XML injection testing to learn information about the XML structure.
  8. Perform code injection testing to identify input validation errors.
  9. Perform buffer overflow testing for stack and heap memory information and application control flow.
  10. Test for HTTP splitting and smuggling for cookies and HTTP redirect information.

Denial of Service Testing

A Denial of Service (DoS) attack is an attempt by attackers to make a network resource unavailable. It usually interrupts, temporarily or indefinitely, a host connected to the internet. These attacks typically target services hosted on mission-critical web servers such as banks and credit card payment gateways.

  1. Send a large number of requests that perform database operations and observe any slowdown or new error messages.
  2. Perform manual source code analysis and submit a range of varying input lengths to the application.
  3. Test for SQL wildcard attacks for application information testing. Enterprise networks should choose the best DDoS attack prevention services to ensure DDoS protection for their network.
  4. Test user-specified object allocation and whether there is a maximum number of objects the application can handle.
  5. Enter an extremely large number in any input field the application uses as a loop counter. Protect your website from future attacks, and also check your company's DDoS attack downtime cost.
  6. Use a script to automatically submit an excessively long value to a server that logs the request.

References:

  • https://gbhackers.com/web-application-penetration-testing-checklist-a-detailed-cheat-sheet/
  • https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/01-Testing_for_Session_Management_Schema

Mahesh Ramteke

C,C++,Java, J2EE, Python,Oracle 19c, HTML,CSS, Javascript, Selenium Testing ,API Testing, Spring Boot, Hibernate ,Microservices, Angular 16,Manual testing,Node Js, Express Js,React Js, MongoDB, Nextjs, AWS

2 years ago

Thank you so much for sharing valuable information. This is very informative and helpful.

Smit Belani

Quality Assurance Lead (L1) at Crest Data

2 years ago

Awesome. Useful for many.


More articles by Parita Patel