OWASP Web Application Penetration Testing Checklist

Checklist

Application Flooding (OWASP-AD-001)

Mitigation Strategies:

1. Rate Limiting: Implement rate limiting on your APIs to restrict the number of requests a user can make in a given time period.
2. Load Balancing: Use load balancers to distribute incoming traffic across multiple servers, preventing any single server from being overwhelmed.
3. Caching: Implement caching mechanisms to reduce the load on your backend services.
4. WAF (Web Application Firewall): Deploy a WAF to filter out malicious traffic and mitigate DDoS attacks.

Application Lockout (OWASP-AD-002)

Mitigation Strategies:

1. Account Lockout Policies: Implement account lockout policies after a certain number of failed login attempts.
2. CAPTCHA: Use CAPTCHAs to prevent automated login attempts.
3. Two-Factor Authentication: Implement two-factor authentication to add an additional layer of security.

Parameter Analysis (OWASP-AC-001)

Mitigation Strategies:

1. Input Validation: Ensure strict input validation on all parameters.
2. Parameterized Queries: Use parameterized queries to prevent SQL injection.
3. Sanitization: Sanitize all inputs to remove any malicious code.

Authorization (OWASP-AC-002)

Mitigation Strategies:

1. Access Control Checks: Implement robust access control checks for all resources.
2. Role-Based Access Control (RBAC): Use RBAC to restrict access based on user roles.
3. Audit Logging: Maintain detailed logs of access to resources for auditing purposes.

Authorization Parameter Manipulation (OWASP-AC-003)

Mitigation Strategies:

1. Session Management: Ensure that session IDs are securely generated and cannot be manipulated.
2. Validation: Validate all session tokens and authorization parameters on the server side.
3. Monitoring: Continuously monitor for unusual patterns in authorization requests.

Authorized Pages/Functions (OWASP-AC-004)

Mitigation Strategies:

1. Authentication Checks: Ensure authentication checks are performed before accessing any protected resource.
2. Access Control Lists (ACLs): Implement ACLs to define and enforce who can access what.
3. Security Testing: Regularly test the application for bypass vulnerabilities using automated tools and manual testing.

Application Workflow (OWASP-AC-005)

Mitigation Strategies:

1. State Management: Ensure proper state management within the application to enforce workflows.
2. Transaction Controls: Use transaction controls to maintain the integrity of workflow sequences.
3. Business Logic Validation: Validate business logic on the server side to ensure workflow integrity.

Authentication Endpoint Request Should Be HTTPS (OWASP-AUTHN-001)

Mitigation Strategies:

1. SSL/TLS: Enforce SSL/TLS for all authentication endpoints.
2. HSTS (HTTP Strict Transport Security): Implement HSTS to ensure browsers only interact with your site over HTTPS.
3. Certificate Management: Regularly update and manage SSL/TLS certificates.

Authentication Bypass (OWASP-AUTHN-002)

Mitigation Strategies:

1. Input Validation: Validate all input data to prevent injection attacks.
2. Secure Code Practices: Follow secure coding practices to prevent vulnerabilities like SQL injection.
3. Penetration Testing: Regularly perform penetration testing to identify and fix authentication bypass vulnerabilities.

Credentials Transport Over an Encrypted Channel (OWASP-AUTHN-003)

Mitigation Strategies:

1. Use HTTPS: Ensure that all credentials are transmitted over HTTPS.
2. Secure Storage: Store credentials securely using hashing and encryption techniques.
3. Encryption Protocols: Use strong encryption protocols such as TLS 1.2 or higher.

Default Accounts (OWASP-AUTHN-004)

Mitigation Strategies:

1. Disable Default Accounts: Disable or remove default accounts from the application.
2. Change Default Credentials: Change default credentials immediately upon deployment.
3. Auditing: Regularly audit user accounts to ensure no default accounts are active.

Username (OWASP-AUTHN-005)

Mitigation Strategies:

1. Unique Usernames: Ensure usernames are unique and not easily guessable.
2. Non-Public Identifiers: Avoid using public identifiers like email addresses or social security numbers as usernames.
3. Input Validation: Validate and sanitize usernames to prevent injection attacks.

Password Quality (OWASP-AUTHN-006)

Mitigation Strategies:

1. Password Complexity Requirements: Enforce strong password policies requiring a mix of letters, numbers, and special characters.
2. Password Length: Require passwords to be of a minimum length, such as at least 12 characters.
3. Password Expiry: Implement policies to periodically require users to change their passwords.

Password Reset (OWASP-AUTHN-007)

Mitigation Strategies:

1. Secure Reset Mechanism: Use secure mechanisms for password resets, such as email verification or security questions.
2. Limit Attempts: Limit the number of password reset attempts to prevent abuse.
3. Notifications: Notify users of password reset requests via email or other channels.

Password Lockout (OWASP-AUTHN-008)

Mitigation Strategies:

1. Lockout Policies: Implement lockout policies after a specified number of failed login attempts.
2. Progressive Delays: Use progressive delays for login attempts after multiple failures.
3. Monitoring and Alerts: Monitor and alert administrators of repeated failed login attempts.

Password Structure (OWASP-AUTHN-009)

Mitigation Strategies:

1. Disallow Special Characters: Disallow special characters that can be used for SQL injection in passwords.
2. Sanitization: Sanitize password inputs to prevent injection attacks.
3. Validation: Validate passwords against a set of rules to ensure they are secure.

Blank Passwords (OWASP-AUTHN-010)

Mitigation Strategies:

1. Mandatory Passwords: Enforce mandatory password creation during account setup.
2. Validation: Validate that passwords are not blank during login and registration processes.
3. Policy Enforcement: Implement policies to ensure passwords cannot be set to blank.

Session Token Length (OWASP-AUTHSM-001)

Mitigation Strategies:

1. Token Length: Ensure session tokens are of adequate length (e.g., at least 128 bits).
2. Randomness: Use cryptographically secure random number generators for token creation.
3. Entropy: Ensure high entropy in session tokens to prevent guessing attacks.

Session Timeout (OWASP-AUTHSM-002)

Mitigation Strategies:

1. Timeout Policies: Implement session timeout policies to invalidate sessions after a period of inactivity.
2. Renewal Mechanism: Provide mechanisms for users to renew their sessions without re-authenticating unnecessarily.
3. User Notifications: Notify users before their session expires to prevent loss of work.

Session Reuse (OWASP-AUTHSM-003)

Mitigation Strategies:

1. Token Regeneration: Regenerate session tokens upon login and after critical actions.
2. Secure Transitions: Ensure tokens are secure when transitioning between SSL and non-SSL pages.
3. Session Isolation: Isolate session data to prevent reuse across different contexts.

Session Deletion (OWASP-AUTHSM-004)

Mitigation Strategies:

1. Logout Mechanism: Provide a secure logout mechanism that invalidates the session token.
2. Token Expiry: Ensure tokens expire and are deleted server-side upon logout.
3. User Notifications: Inform users of successful logout actions.

Session Token Format (OWASP-AUTHSM-005)

Mitigation Strategies:

1. Non-Persistent Tokens: Use non-persistent session tokens that are not stored in browser history or cache.
2. Secure Storage: Store session tokens securely using HttpOnly and Secure flags for cookies.
3. Token Validation: Regularly validate the session token's integrity on the server side.

HTTP Methods (OWASP-CM-001)

Mitigation Strategies:

1. Restrict Methods: Disable HTTP methods like PUT, DELETE, and TRACE if not used.
2. Whitelist Methods: Implement a whitelist of allowed HTTP methods.
3. Monitoring: Monitor and log all HTTP method usage for potential abuse.

Virtually Hosted Sites (OWASP-CM-002)

Mitigation Strategies:

1. Isolation: Ensure each site is isolated from others on the same server.
2. Access Controls: Implement strict access controls for each virtually hosted site.
3. Monitoring: Monitor for vulnerabilities across all hosted sites to prevent cross-site compromises.

Known Vulnerabilities / Security Patches (OWASP-CM-003)

Mitigation Strategies:

1. Regular Updates: Regularly update all components to their latest versions.
2. Vulnerability Scanning: Perform regular vulnerability scans to identify and patch known issues.
3. Patch Management: Implement a robust patch management process to ensure timely updates.

Back-up Files (OWASP-CM-004)

Mitigation Strategies:

1. Access Controls: Restrict access to backup files to authorized personnel only.
2. Encryption: Encrypt backup files to protect their contents.
3. Storage Location: Store backup files in secure, non-public directories.

Web Server Configuration (OWASP-CM-004)

Mitigation Strategies:

1. Harden Configuration: Follow best practices to harden web server configurations.
2. Disable Directory Listings: Ensure directory listings are disabled.
3. Remove Unnecessary Files: Remove or secure sample files and default configurations.

Application Configuration Management (OWASP-CM-005)

Mitigation Strategies:

1. Configuration Files Security: Store configuration files securely with restricted access.
2. Version Control: Use version control for managing configuration changes.
3. Environment Segregation: Segregate configurations for different environments (development, staging, production).

Source Code Disclosure (OWASP-CM-006)

Mitigation Strategies:

1. Access Controls: Implement access controls to prevent unauthorized access to source code.
2. Error Handling: Ensure proper error handling to avoid revealing stack traces or source code details.
3. Code Reviews: Perform regular code reviews to identify and fix potential disclosure risks.

Cookie Attributes (OWASP-CRYPST-001)

Mitigation Strategies:

1. Secure Flag: Set the Secure flag on cookies to ensure they are only transmitted over HTTPS.
2. HttpOnly Flag: Use the HttpOnly flag to prevent JavaScript access to cookies.
3. SameSite Attribute: Use the SameSite attribute to mitigate CSRF attacks.

Password Storage (OWASP-CRYPST-002)

Mitigation Strategies:

1. Hashing Algorithms: Use strong hashing algorithms like bcrypt for password storage.
2. Salting: Add a unique salt to each password before hashing.
3. Encryption: Encrypt password hashes for an additional layer of security.

Session Tokens (OWASP-CRYPST-003)

Mitigation Strategies:

1. Secure Generation: Use secure methods to generate session tokens.
2. Token Length: Ensure session tokens are of adequate length and complexity.
3. Expiration: Implement expiration policies for session tokens.

Authentication Token Management (OWASP-CRYPST-004)

Mitigation Strategies:

1. Secure Transmission: Ensure authentication tokens are transmitted securely using HTTPS.
2. Token Expiry: Set expiration times for tokens and refresh them periodically.
3. Revocation: Provide mechanisms for token revocation upon logout or when suspected of compromise.

Sensitive Information Storage (OWASP-CRYPST-005)

Mitigation Strategies:

1. Encryption: Encrypt sensitive information at rest and in transit.
2. Access Controls: Implement strict access controls to sensitive data.
3. Data Masking: Use data masking techniques to protect sensitive information in non-production environments.

User Roles (OWASP-DV-001)

Mitigation Strategies:

1. Role-Based Access Control (RBAC): Implement RBAC to ensure users can only access resources permitted by their roles.
2. Granular Permissions: Define granular permissions for different user roles.
3. Audit Logging: Maintain logs of role changes and access requests for auditing purposes.

User Enumeration (OWASP-ERR-001)

Mitigation Strategies:

1. Generic Error Messages: Use generic error messages to prevent user enumeration.
2. Response Consistency: Ensure responses are consistent regardless of whether a user exists or not.
3. Rate Limiting: Implement rate limiting to slow down enumeration attacks.

Sensitive Data Exposure (OWASP-ERR-002)

Mitigation Strategies:

1. Data Minimization: Only collect and store necessary data.
2. Encryption: Encrypt sensitive data in transit and at rest.
3. Access Controls: Implement strict access controls to sensitive data.

Information Leakage (OWASP-ERR-003)

Mitigation Strategies:

1. Error Handling: Ensure proper error handling to avoid revealing internal information.
2. Remove Debugging Information: Ensure debugging information is not present in production environments.
3. Logging: Review and sanitize log files to remove sensitive information.

Cacheable HTTPS Response (OWASP-HT-001)

Mitigation Strategies:

1. Cache-Control Headers: Use Cache-Control headers to prevent caching of sensitive HTTPS responses.
2. No-Store Directive: Use the no-store directive for sensitive data.
3. Secure Cookies: Set secure attributes on cookies to prevent caching.

HTTP Response Splitting (OWASP-HT-002)

Mitigation Strategies:

1. Input Validation: Validate and sanitize all inputs to prevent header injection.
2. Use Framework Protections: Use protections provided by web frameworks against response splitting.
3. Consistent Encoding: Ensure consistent encoding of headers.

Cross-Origin Resource Sharing (CORS) (OWASP-HT-003)

Mitigation Strategies:

1. Restrict Origins: Limit allowed origins in CORS policies.
2. Proper Headers: Ensure proper use of CORS headers (e.g., Access-Control-Allow-Origin).
3. Credentials Handling: Be cautious with Access-Control-Allow-Credentials to prevent cross-origin leaks.

HTML/JavaScript Comments (OWASP-IN-001)

Mitigation Strategies:

1. Remove Comments: Remove unnecessary comments from HTML and JavaScript code.
2. Minification: Minify HTML and JavaScript code to reduce the visibility of comments.
3. Review Comments: Regularly review comments to ensure they do not contain sensitive information.

Variable Names (OWASP-IN-002)

Mitigation Strategies:

1. Obfuscation: Obfuscate variable names in production code to make reverse engineering more difficult.
2. Review Names: Use meaningful but non-revealing variable names.
3. Minification: Minify JavaScript to obfuscate variable names.

External Systems Access (OWASP-OTG-AUTHZ-001)

Mitigation Strategies:

1. Access Control Policies: Implement strict access control policies for external systems.
2. Auditing: Audit access to external systems regularly.
3. Least Privilege: Follow the principle of least privilege for access to external systems.

Sensitive Data in URLs (OWASP-OTG-CONFIG-006)

Mitigation Strategies:

1. Avoid Sensitive Data: Avoid including sensitive data in URLs.
2. Use POST Requests: Use POST requests to transmit sensitive data.
3. Encryption: Ensure URLs are transmitted over HTTPS.

Sensitive Data in Headers (OWASP-OTG-CONFIG-007)

Mitigation Strategies:

1. Header Security: Avoid including sensitive data in HTTP headers.
2. Custom Headers: Use custom headers for sensitive information, with encryption if necessary.
3. Transmission Security: Ensure headers are transmitted over HTTPS.

Insecure Password Storage (OWASP-OTG-CRYPST-003)

Mitigation Strategies:

1. Strong Hashing: Use strong hashing algorithms like bcrypt for password storage.
2. Salting: Add unique salts to each password before hashing.
3. Encryption: Encrypt hashed passwords for additional security.

Sensitive Data Logging (OWASP-OTG-INFO-001)

Mitigation Strategies:

1. Sanitize Logs: Ensure sensitive data is not logged.
2. Access Controls: Restrict access to logs containing sensitive information.
3. Review Logs: Regularly review logs to ensure compliance with data protection policies.

Sensitive Data Transmission (OWASP-OTG-INFO-002)

Mitigation Strategies:

1. Use HTTPS: Ensure all sensitive data is transmitted over HTTPS.
2. Encryption Protocols: Use strong encryption protocols for data transmission.
3. Secure Channels: Use secure channels for data transmission, such as VPNs for internal communications.

Code Execution on the Server (OWASP-OTG-INPVAL-001)

Mitigation Strategies:

1. Input Validation: Implement strict input validation to prevent code injection.
2. Sanitization: Sanitize all inputs to remove malicious code.
3. Use Framework Protections: Use security features provided by web frameworks to prevent code execution.

Code Execution on the Client (OWASP-OTG-INPVAL-002)

Mitigation Strategies:

1. Content Security Policy (CSP): Implement CSP to restrict sources of executable scripts.
2. Sanitization: Sanitize all outputs to prevent XSS attacks.
3. Input Validation: Validate and sanitize inputs to prevent client-side code execution.

Directory Traversal (OWASP-OTG-INPVAL-003)

Mitigation Strategies:

1. Input Validation: Validate and sanitize all inputs to prevent directory traversal.
2. Access Controls: Implement access controls to restrict file access.
3. Path Normalization: Normalize file paths to prevent directory traversal.

File Inclusion (OWASP-OTG-INPVAL-004)

Mitigation Strategies:

1. Input Validation: Validate and sanitize inputs to prevent file inclusion attacks.
2. Whitelisting: Use whitelists for allowable files and directories.
3. Access Controls: Implement strict access controls to prevent unauthorized file inclusion.

Client-Side JavaScript Injection (OWASP-OTG-INPVAL-005)

Mitigation Strategies:

1. Sanitization: Sanitize all inputs to prevent JavaScript injection.
2. CSP: Implement CSP to restrict sources of executable scripts.
3. Escaping: Escape special characters in JavaScript code.

Command Injection (OWASP-OTG-INPVAL-006)

Mitigation Strategies:

1. Input Validation: Implement strict input validation to prevent command injection.
2. Use Safe Functions: Use functions that are safe from command injection vulnerabilities.
3. Sanitization: Sanitize all inputs to remove potential command injection vectors.

SQL Injection (OWASP-OTG-INPVAL-007)

Mitigation Strategies:

1. Parameterized Queries: Use parameterized queries to prevent SQL injection.
2. ORMs: Use Object-Relational Mappers (ORMs) to interact with the database securely.
3. Sanitization: Sanitize all inputs to remove SQL injection vectors.

XML Injection (OWASP-OTG-INPVAL-008)

Mitigation Strategies:

1. Input Validation: Validate and sanitize XML inputs to prevent injection.
2. Use Secure Parsers: Use secure XML parsers that are resistant to XML injection.
3. Disable External Entities: Disable external entities in XML parsers to prevent XXE attacks.

Buffer Overflow (OWASP-OTG-INPVAL-009)

Mitigation Strategies:

1. Bounds Checking: Implement bounds checking to prevent buffer overflow.
2. Safe Functions: Use functions that are safe from buffer overflow vulnerabilities.
3. Input Validation: Validate and sanitize all inputs to prevent buffer overflow.

Canonicalization (OWASP-OTG-INPVAL-010)

Mitigation Strategies:

1. Input Validation: Validate and canonicalize inputs to prevent attacks that exploit encoding.
2. Sanitization: Sanitize inputs to remove malicious content.
3. Encoding: Use consistent encoding practices throughout the application.

Cross-Site Scripting (XSS) (OWASP-OTG-INPVAL-011)

Mitigation Strategies:

1. Sanitization: Sanitize all inputs and outputs to prevent XSS.
2. CSP: Implement CSP to restrict sources of executable scripts.
3. Escaping: Escape special characters in HTML and JavaScript code.

Cross-Site Request Forgery (CSRF) (OWASP-OTG-SESS-001)

Mitigation Strategies:

1. CSRF Tokens: Use CSRF tokens to protect against CSRF attacks.
2. SameSite Cookies: Use the SameSite attribute for cookies to prevent CSRF.
3. Referer Validation: Validate the referer header to ensure requests originate from trusted sources.

Session Fixation (OWASP-OTG-SESS-002)

Mitigation Strategies:

1. Token Regeneration: Regenerate session tokens upon login and after critical actions.
2. Secure Cookies: Use secure attributes for cookies to prevent fixation.
3. Session Management: Implement robust session management practices to prevent fixation.

Session Hijacking (OWASP-OTG-SESS-003)

Mitigation Strategies:

1. HTTPS: Use HTTPS to protect session tokens in transit.
2. Secure Cookies: Use secure and HttpOnly flags for cookies.
3. Token Rotation: Rotate session tokens periodically to reduce the risk of hijacking.

Session Timeout (OWASP-OTG-SESS-004)

Mitigation Strategies:

1. Timeout Policies: Implement session timeout policies to invalidate sessions after inactivity.
2. Token Expiry: Set expiration times for session tokens.
3. User Notifications: Notify users before session expiry to prevent data loss.

Session Management Mechanisms (OWASP-OTG-SESS-005)

Mitigation Strategies:

1. Token Storage: Store session tokens securely using HttpOnly and Secure flags.
2. Session Isolation: Isolate session data to prevent reuse across different contexts.
3. Token Validation: Regularly validate session tokens on the server side.

Cross-Site Tracing (XST) (OWASP-OTG-CLIENT-001)

Mitigation Strategies:

1. Disable TRACE: Disable the TRACE method on the web server.
2. Input Validation: Validate and sanitize inputs to prevent XST.
3. Monitoring: Monitor for XST attempts and respond appropriately.

Security Misconfiguration (OWASP-OTG-CONFIG-001)

Mitigation Strategies:

1. Default Settings: Remove or change default settings that are insecure.
2. Secure Configurations: Follow best practices for securing configurations.
3. Regular Audits: Perform regular audits of configurations to ensure they are secure.

Insecure Deserialization (OWASP-OTG-INPVAL-012)

Mitigation Strategies:

1. Input Validation: Validate and sanitize inputs before deserialization.
2. Safe Methods: Use safe methods for deserialization that are resistant to attacks.
3. Monitoring: Monitor for deserialization vulnerabilities and respond promptly.

Unvalidated Redirects and Forwards (OWASP-OTG-INPVAL-013)

Mitigation Strategies:

1. Input Validation: Validate all inputs to prevent unvalidated redirects and forwards.
2. Whitelist URLs: Use a whitelist of allowed URLs for redirects and forwards.
3. User Confirmation: Require user confirmation before performing redirects or forwards.

Insufficient Logging and Monitoring (OWASP-OTG-INPVAL-014)

Mitigation Strategies:

1. Comprehensive Logging: Implement comprehensive logging for security events.
2. Regular Monitoring: Regularly monitor logs for suspicious activity.
3. Alerting: Set up alerts for critical security events to respond quickly.

Business Logic Vulnerabilities (OWASP-OTG-INPVAL-015)

Mitigation Strategies:

1. Input Validation: Validate inputs to ensure they conform to expected business logic.
2. Logic Checks: Implement checks to enforce business logic rules.
3. Testing: Regularly test for business logic vulnerabilities using both automated tools and manual testing.

Security of Third-Party Components (OWASP-OTG-INPVAL-016)

Mitigation Strategies:

1. Component Analysis: Regularly analyze third-party components for vulnerabilities.
2. Version Control: Keep third-party components up-to-date with the latest security patches.
3. Risk Assessment: Perform risk assessments of third-party components to understand their impact on security.

API Security (OWASP-OTG-INPVAL-017)

Mitigation Strategies:

1. Authentication and Authorization: Implement strong authentication and authorization for API access.
2. Rate Limiting: Use rate limiting to prevent abuse of APIs.
3. Input Validation: Validate and sanitize all API inputs to prevent injection attacks.

Mobile Security (OWASP-OTG-INPVAL-018)

Mitigation Strategies:

1. Secure Storage: Ensure secure storage of sensitive data on mobile devices.
2. Secure Communication: Use secure communication channels for mobile apps.
3. Code Obfuscation: Obfuscate mobile app code to make reverse engineering more difficult.

Cloud Security (OWASP-OTG-INPVAL-019)

Mitigation Strategies:

1. Access Controls: Implement strict access controls for cloud resources.
2. Data Encryption: Encrypt data stored in the cloud to protect it.
3. Compliance: Ensure compliance with relevant security standards and regulations for cloud environments.