The Complete Checklist to Web App Pentest (OWASP Top 10)

web application penetration test
When should you conduct a web application penetration test?
January 31, 2023
List of the best penetration testing companies
The Best Web App Pentest Service Companies
February 3, 2023

February 1, 2023

The updated OWASP Top 10 vulnerabilities of 2021 witnessed some significant changes with new threats such as insecure design, software, and data integrity failures, and server-side request forgery rising to secure spots amongst the top 10 most critical vulnerabilities of the year.

These emerging threats highlight the modern-day cybercriminal’ capacity to adapt and change their tactics to best utilize the countermeasures developed by cybersecurity specialists. Today, a web application penetration test is undeniably the best way to combat such issues and address the numerous potentially damaging real-world exploits.

At the same time, it is challenging for businesses to circumvent the potential limits of human attention and memory and maintain the consistency of these tests without the help of a comprehensive checklist.

A checklist ensures that critical objectives are tested, and optimal outcomes are accomplished consistently on every run, guiding and reminding testers on the tasks to be done, what to look out for, where to look, points to be considered, and best practices to follow during the pen test.

It also enables testers to meticulously and methodically validate and address security threats in critical web application components such as authentication, authorization, configuration, session management, and data validation mechanisms.

This informative read aims to provide a comprehensive OWASP web app penetration testing checklist to enable developers to maintain complete consistency in their pen tests, where no stone is left unturned.

Following this checklist may be precisely what your business needs to streamline your penetration tests and substantially decrease the likelihood of potential exploits to safeguard itself against the emerging threats of 2024.

What is OWASP Top 10?

The OWASP Top 10 is a globally recognized industry standard for web application security and developers that documents most of the known critical web application security risks

This documentation is updated to reflect the Top 10 prevalent vulnerabilities every year to promote safer coding practices and create general awareness of the potential dangers present in web applications.

Organizations use the OWASP Top 10 to prioritize their security efforts and ensure their web applications are secure.

The newest version of OWASP Top 10 brings in three new and four modified categories, including Insecure Design, Software, Data Integrity Failures, Server-Side Request Forgery, Broken Access Control, Cryptographic Failures, Injection, and Security Misconfiguration.

These changes have made OWASP Top 10 a more comprehensive measure for web application security, enabling developers and security experts to identify and mitigate vulnerabilities more efficiently.

Now let’s discuss each of the vulnerabilities and how to test them.

Top 10 OWASP security risks

Leveraging the OWASP Top 10 is an excellent way for developers to arm their web applications against a growing list of possible exploits and, in most cases, instrumental in an application’s success.

1. Broken Access Control

Broken access control is a significant flaw where an attacker gains unauthorized access to web applications, sensitive data, or other resources by circumventing standard security procedures. This vulnerability will likely happen when businesses have incorrectly implemented permissions and access controls.

For example, if a user can view or modify data or perform actions, they should not be able to due to inadequate access controls. This can happen due to poor authorization mechanisms, missing input validation, insufficient encryption, and other similar issues. 

This vulnerability allows unauthorized access to sensitive data or functionality that should be restricted to certain users. Examples of broken access control vulnerabilities include:

  • Horizontal privilege escalation
  • Vertical privilege escalation 
  • Insecure direct object references 
  • Missing function level access control

2. Cryptographic Failures

Cryptographic failures are vulnerabilities from weak encryptions, which attackers can exploit to access sensitive company and application data.

Testers should verify that the application’s encryption and decryption mechanisms are implemented correctly, and the keys are securely stored. Examples of cryptographic failures include weak passwords, outdated encryption algorithms, or improperly implemented key management. 

This vulnerability relates to insecure cryptographic practices that can lead to data breaches and unauthorized access. Examples of cryptographic failures include: 

  • Weak encryption algorithms 
  • Insecure key management 
  • Use of outdated protocols 
  • Lack of data integrity protection

3. Injection and Cross-Site Scripting

Injection and Cross-site Scripting (XSS) is a cyber-attack where an attacker injects malicious scripts into the input fields of a trusted or benign website. Through XSS attacks, cybercriminals use web applications to transmit this malicious code as browser scripts to other end users.

Examples of injection attacks include SQL injection, command injection, and XML injection, all of which can result in data theft, data loss, or system compromise. 

This vulnerability lets attackers inject malicious code or commands into a system through user input or other channels. Examples of injection vulnerabilities include: 

  • SQL injection 
  • Cross-site scripting (XSS) 
  • Command injection 
  • LDAP injection, Etc.

4. Insecure Design

Insecure Design is a new category for 2021 OWASP, It is a form of vulnerability that arises from developers and IT security teams foreseeing and assessing potential flaws in the code design phase that may pose a significant threat later on. This attack frequently occurs when application developers fail to follow the best secure coding practices when designing their web applications.

For example, a system that does not follow the principle of least privilege or does not properly segregate duties may be vulnerable to attack. 

This vulnerability occurs when security considerations are not considered during a system’s design phase. Examples of insecure design vulnerabilities include: 

  • Lack of input validation 
  • Poorly designed authentication mechanisms 
  • Inadequate error handling 
  • Insecure communication channels

5. Security Misconfiguration

Security misconfigurations are vulnerabilities that occur when the system or web application’s configuration settings are not configured or improperly configured, leading to an attacker gaining unauthorized access. Such problems frequently emerge when security teams and developers leave the configuration settings on default or perform incorrect configurations.

Examples of security misconfiguration vulnerabilities include 

  • Default passwords or settings that are not changed 
  • Unsecured ports or services 
  • Misconfigured firewalls or access controls 
  • Inadequate logging and monitoring settings

6. Vulnerable and Outdated Component

While security patches and updates for software keep them safe against emerging attack vectors, when they no longer receive such support, they become increasingly susceptible to attacks over time. Such attacks also occur when users don’t apply updates regularly, leaving the web applications vulnerable and open to several possible exploits. Such exposures caused by exposed software components are known as Vulnerable and Outdated Components.

Attackers can easily exploit these vulnerabilities to access sensitive information or take control of the application. Testing for this category involves identifying and assessing the third-party components used in the web application and checking if they have any known vulnerabilities.  

This can be done by using automated vulnerability scanners or manually reviewing the components and their version numbers against known vulnerabilities in public databases.

Examples of vulnerable and outdated component vulnerabilities include: 

  • Use of outdated operating systems or libraries 
  • Unpatched software vulnerabilities 
  • Use of unsupported software versions 
  • Failure to perform regular vulnerability scans or updates

7. Identification and Authentication Failures

Identification and authentication failures occur when the applications fail to authenticate and verify a user’s identity, who then goes on to access the system assuming a false unverified identity. This vulnerability commonly occurs with systems and applications that don’t implement effective authentication and session management functions.

Examples of identification and authentication failures include: 

  • Weak or easily guessable passwords 
  • Lack of two-factor authentication 
  • Improper session management 
  • Insufficient user validation

8. Software and Data Integrity Failures

Software and data integrity failures happen when attackers gain access to sensitive user and application information through integrity violations from unsecured infrastructure and code. The most common instances of this vulnerability are when web applications heavily rely on libraries, modules, and plugins from untrusted third-party sources, repositories, and content delivery networks (CDNs).

Testing for this risk involves checking the input validation mechanisms, cryptographic controls, and other security controls designed to prevent data tampering and ensure data integrity. 

This can be done using automated tools to inject malicious inputs or manually reviewing the source code and testing the application’s response to various inputs.

Examples of software and data integrity failures include: 

  • Malware or viruses 
  • Data tampering or manipulation 
  • Lack of data backup and recovery procedures 
  • Insufficient data validation and verification

9. Security Logging and Monitoring Failures

Security Logging and Monitoring Failures  are vulnerabilities where attackers bypass or disable logging mechanisms to cover their tracks and mask their malicious activity within the application. In such instances, it becomes increasingly challenging for security teams to detect, track, and respond to attackers and their exploits.

This can be done using automated tools to generate various security events or manually reviewing the application’s logs and monitoring systems.

This vulnerability occurs when a system fails to properly log and monitor security events.  

Examples of security logging and monitoring failures include: 

  • Inadequate or incomplete event logging 
  • Failure to detect or respond to security incidents 
  • Lack of monitoring for abnormal or suspicious activity 
  • Inadequate incident response procedures

10. Server-Side Request Forgery

Server-side request forgery (SSRF) is a vulnerability that allows the attacker to induce the server-side application to make illegitimate requests to forced locations. Through this vulnerability, attackers may be able to strongarm the server to connect to external systems to leak sensitive data such as login and authorization credentials.

Examples of server-side request forgery vulnerabilities include: 

  • Bypassing firewall or access controls 
  • Accessing internal systems or resources 
  • Exploiting server-side vulnerabilities 
  • Accessing sensitive data or functionality

The OWASP checklist for Web App Penetration testing

Without any further delay, let us dive into the OWASP web application penetration checklist to conduct a thorough web app pen test:

1. Information Gathering

The first step is to gather as much information about the target web application as possible.

  • Manual site exploration: First on the checklist is to perform manual site exploration for potential weak spots.
  • Locating the robots.txt files: Identify and retrieve the robot.txt files that tell search engine crawlers which URLs they can access on your site. They can be retrieved using GNU Wge, a computer program that can retrieve content from web servers. This approach aims to crawl the website for missing or hidden content. Also, look for other files that can expose content, such as sitemap.xml and .DS_Store.
  • Identify versions and channels: Here you must review the software versions of the web, mobile web, mobile app, and web services. Additionally, study the database information and technical components for potential errors and bugs.
  • Implement DNS-based techniques: Perform DNS inverse queries, DNS zone Transfers, and web-based DNS Searches.
  • Perform Directory style Searching and vulnerability scanning: Next on the list is leverage tools such as Nessus and NMAP to probe for URLs.
  • Identify the Entry point of the application: Tools such as OWSAP ZAP, Burp Proxy, Webscarab, Tamper Data, and TamperIE identify an application’s entry points.
  • Perform Web Application Fingerprinting: Here use Nmap, Amap, and service Fingerprinting to conduct grouping of information to detect the software, network protocols, operating systems, or hardware devices on the network. Web application fingerprinting also helps match the signature of the target web server with the list of known signatures contained within the .txt files.

2. Authentication Testing

Through authentication testing, you must run a series of checks to try and gain access to sensitive credentials to gain login access to the web app.

  • Test for logout functionality presence: Check the effectiveness of the logout functionality and if it’s possible to continue using the session after logging out. Additionally, check if the application automatically logs users out if they are inactive for a certain period.
  • Test for cache management on HTTP: Check sources such as the browser cache storage for any remaining sensitive information.
  • Test password reset and recovery functionalities for flaws: Test exploitable vulnerabilities such as weak security questions and answers.
  • Test remember my password functionality: Check if the ‘Remember my password’ functionality is implemented correctly by checking the HTML code of the login page.
  • Test for authentication bypass: Test if any hardware devices directly and independently communicating with authentication infrastructure using a separate channel can be used to bypass authentication.
  • Test CAPTCHA: Test for authentication vulnerabilities with the CAPTCHA security functionality.
  • Test password change process: Test the password change process and attempt to change a password using tactics like social engineering, cracking secretive questions, and guessing.
  • Test the Web Application Firewall: Testing for weak spots and misconfigurations within web application firewalls can help identify if there are opportunities to implement SQL injections to steal sensitive data.

3. Authorization Testing

Authorization testing involves testing the target web app to understand how the authorization mechanism works. Any information gathered in this stage will be instrumental in circumventing the authorization mechanism.

  • Test for vertical Access control problems:Test for the opportunity to perform privilege or role escalation through manipulation to access restricted resources.
  • Test for path traversal: Perform input vector calculation and analyze the input validation functions presented in the web application.
  • Test for Cookie Tampering: Test for cookie and parameter Tampering using web spider tools.
  • HTTP request tampering: Test for HTTP Request Tempering and check the possibility of gaining unauthorized access to application resources.

4. Configuration Management Testing

Check directory and file enumeration review server and application documentation. Additionally, check the infrastructure and application admin interfaces.

  • Perform network and web server scanning: Perform a network scan and analyze the web server banner.
  • Check for backup, old, and unreferenced files: Check and verify the presence of backups, old documentation, and unreferenced files such as passwords, source codes, and installation paths.
  • Identify SSL/TLS ports: Use tools such as Nmap and Nessus to review and pinpoint the ports used for SSL/TLS services using NMAP and NESSUS.
  • Review OPTIONS HTTP: Use utilities such as Netcat and Telnet to review Options HTTP.
  • Test for HTTP methods and Cross Site Tracing (XST): Test for HTTP methods and XST to gain the credentials of legitimate application users.
  • Check log files, source code, and default error codes: Conduct configuration management tests on the web application to access and review log files, source code, and default error codes.

5. Session Management Testing

The goal here is to check if the target application securely creates session tokens and cookies, with the hopes of forging a cookie to hijack user sessions.

  • Test for Cross-Site Request Forgery: Review the restricted URL areas and test the possibility of Cross-Site Request Forgery.
  • Confirm that new session tokens are issued upon login, role change, and logout: Review the encryptions, proxies, caching, and GET and POST. Check session tokens for possible reusability.
  • Cookie Forging: Accumulate an adequate quantity of cookie samples and analyze their algorithms. Check for the possibility of forging a validated cookie to perform an attack.
  • Testing the cookie attributes: Use intercept proxies such as OWASP ZAP and Burp Proxy to test the cookie attributes. Utilize traffic intercept proxies such as Tamper data to check for the possibility of tampering with the data transmitted between the client and the server.
  • Test for session fixing: Try to attack to hijack a valid user session through session fixing.

6. Data Validation Testing

It is time to validate the data and databases for potential vulnerabilities that can be exploited.

  • Identify javascript coding errors: Analyze the source code for JavaScript coding errors.
  • Test for SQL Injection: Check for the possibility of leveraging SQL injection tools such as sqldumper, SQL power injector, and sqlninja to implement SQL injections such as Union SQL injection, standard SQL injection, and blind SQL query tests.
  • Test for HTML Injection: Use tools such as XSS proxy, Backframe, XSS Assistant, Burp Proxy, and OWASP ZAP test for leverageable XSS vulnerabilities.
  • Test for LDAP Injection: Perform LDAP injection testing to acquire sensitive user and host information.
  • Test for IMAP/SMTP Injection: Perform IMAP/SMTP injection testing to attempt to access the backend mail server.
  • Test for XPath Injection: Perform XPATH Injection testing to attempt to access sensitive information.
  • Test for XML Injection: Perform XML injection testing to learn about the application’s XML information structure.
  • Test for Code Injection: Perform code injection testing by submitting input processed by the web server as an included file or dynamic code to identify input validation errors.
  • Buffer Overflow testing: Perform buffer overflow testing to check if the program gauges if the application stores more data in the buffer than intended. This test helps gain knowledge on the application control flow and stack and heap memory.
  • Test for HTTP Splitting/Smuggling: Test for HTTP splitting and smuggling for cookies and redirect information to gauge the possibility of performing cache poisoning or cross-site scripting.

7. Denial of Service Testing

Carry out a denial of service or load testing on the target application to identify potential vulnerabilities to carry out DoS attacks.

  • Check for slowdown: Send a bombardment of requests that perform intensive database operations and observe for any performance issues and error messages.
  • Manual source code analysis: Perform manual source code to check every line for potential vulnerabilities. Once completed, submit a range of inputs with varying lengths to the vulnerable spots in the applications.
  • Test for SQL wildcard DoS: Test for SQL wildcard attacks for application information testing. Enterprise Networks should choose the best DDoS Attack prevention services to ensure DDoS attack protection and prevent their network.
  • User Specified Object Allocation DoS: Test for user-specified object allocation to determine the maximum number of objects the application can handle and if you can exhaust the server’s resources by allocating a considerable number of objects.
  • Exploit the input field: Use tools such as Loop counter with controlled iterations to overwhelm the application’s input field with requests.
  • Application-layer Flood: Using an automated script, conduct an application-layer flooding attack by submitting an excessively long input value for the server to log requests beyond its computational capability.

Testers and developers must stay up-to-date with the latest OWASP Top 10 vulnerabilities and implement the necessary measures to safeguard against them. If followed meticulously, this OWASP’s Top 10 testing principles complete checklist should allow you to reduce operational failures, application errors, loopholes in the application’s infrastructure and  organizations can build secure and reliable web applications that protect their users and assets.

Secure Web applications with SecureLayer7’s Comprehensive Penetration Testing Services

SecureLayer7 offers professional continuous penetration testing services based on industry standards like OWASP Top 10, SANS, and NIST, backed by our team of skilled professionals with a proven track record in cybersecurity. We specialize in both web applications with automated and manual testing to address all web application security risks, including uncovering Zero Day vulnerabilities.

Our detailed business-oriented reports highlight security gaps, suggest mitigation solutions, fostering transparency, and enabling efficient communication throughout the testing process. Moreover, our services are designed to align with regulatory requirements such as PCI, SOC2, and GDPR compliance standards, ensuring that your organization meets essential security mandates. We ensure the deployment of necessary patches to fix vulnerabilities, guaranteeing high-quality results and cost reduction. Trust SecureLayer7 for expert penetration testing services that prioritize security, compliance, and quality assurance.

Enable Notifications OK No thanks