Tuesday 24 January 2012

Web Security Testing Checklist

1. Try to directly access a bookmarked web page without logging in to the system.
2. Without signing on, try to download a file directly from the download URL, such as http://url/download?name=file, and check whether the system blocks the download.
3. Sign out and then press the Back button to try to reach the page accessed before.
4. ID / password authentication: check with valid and invalid passwords, and check the password rules, e.g. the password cannot be shorter than 6 characters, the user ID and password cannot be the same, etc.

5. Sensitive information (passwords, ID numbers, credit card numbers, etc.) should not be displayed in the input box while typing; it should be masked and shown as asterisks.
6. Manually change parameter values in the URL to check whether you can reach privileged pages. For example, suppose ordinary users reach a page with the URL parameter l=e and advanced users with l=s. If an ordinary user manually changes the value from e to s, the system should not grant access to the page.
12. In the URL, enter the following addresses to check whether restricted files can be downloaded: http://url/download.jsp?file=C:\windows\system32\drivers\etc\hosts and http://url/download.jsp?file=/etc/passwd
13. After the session times out, try to access a restricted page.
14. Check whether error messages contain SQL statements, SQL error messages, the web server's absolute path, etc.
15. ID / password authentication: the same account must not be able to log on from different machines at the same time, so only one session per user ID can be active at a time.
16. ID / password authentication: enter the wrong password several times and check whether the account gets locked.
17. Add or modify important information (passwords, ID numbers, credit card numbers, etc.) and check whether the change is reflected immediately or whether old values are still served from a cache.
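The download check in item 12 passes only if the server refuses file names that escape its download directory. The following is an added example of how such a download endpoint can validate the ?file= value on the server side; it is not code from the original post, and the DOWNLOAD_ROOT location and the probe strings beyond those in item 12 are constructed for the example.

```python
import posixpath

# Assumed directory the download endpoint serves from (example value, not from the post).
DOWNLOAD_ROOT = "/srv/app/downloads"


def resolve_download(name: str, root: str = DOWNLOAD_ROOT):
    """Map the ?file= value to a path under root; return None when it would escape."""
    # Treat backslashes as separators so Windows-style "..\" sequences are caught too.
    normalised = name.replace("\\", "/")
    # Absolute POSIX paths and drive-letter paths (C:\...) are never legitimate here.
    if normalised.startswith("/") or (len(normalised) > 1 and normalised[1] == ":"):
        return None
    # Collapse "." and ".." lexically (no filesystem access), then confirm the
    # result still lies strictly under root. commonpath() also defeats the prefix
    # trick where "/srv/app/downloads_old" merely starts with the root string.
    candidate = posixpath.normpath(posixpath.join(root, normalised))
    if candidate == root or posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate


# Constructed probes: the two from item 12 plus a few common variants.
PROBES = [
    "report.pdf",
    "docs/../report.pdf",
    r"C:\windows\system32\drivers\etc\hosts",
    "/etc/passwd",
    "../../etc/passwd",
    "..\\..\\etc\\passwd",
    "",
]


def run_probes(probes=PROBES):
    """Return {probe: resolved path or None}; None means the request is refused."""
    return {p: resolve_download(p) for p in probes}


if __name__ == "__main__":
    for probe, result in run_probes().items():
        print(f"{probe!r:45} -> {'REFUSED' if result is None else result}")
```

Note that the web framework normally URL-decodes the parameter once before this function sees it; decoding it again here would reopen the door to double-encoded sequences.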

