February 3, 2023

The updated OWASP Top 10 of 2021 brought some significant changes: three new categories, Insecure Design, Software and Data Integrity Failures, and Server-Side Request Forgery, joined the list of the ten most critical web application security risks.

These additions highlight how quickly attackers adapt their tactics to the countermeasures that defenders put in place. A web application penetration test remains one of the most effective ways to find out which of these risks actually apply to your application before an attacker does.

At the same time, a test that relies on the tester's memory alone will not be repeatable. A written checklist is what keeps coverage consistent from one engagement to the next.

A checklist ensures that critical objectives are tested and the same ground is covered on every run. It reminds testers which tasks to perform, what to look out for, where to look, which points to consider, and which best practices to follow during the test.

It also lets testers methodically validate and address security threats in critical web application components such as authentication, authorization, configuration, session management, and data validation.

This article provides an OWASP-aligned web application penetration testing checklist so that developers and testers can keep their tests consistent and leave no stone unturned.

Following this checklist may be exactly what your business needs to streamline its penetration tests and substantially reduce the likelihood of a successful exploit against the emerging threats of 2023.
What is OWASP Top 10?
The OWASP Top 10 is a globally recognized awareness document for web application security. It lists the ten categories of security risk that the Open Web Application Security Project considers most critical, based on vulnerability data contributed by the industry.

The list is revised every few years (most recently in 2017 and 2021) rather than annually, to reflect which risks are currently most prevalent, to promote safer coding practices, and to raise general awareness of the dangers present in web applications.
Top 10 OWASP security risks
Leveraging the OWASP Top 10 is an excellent way for developers to arm their web applications against a growing list of possible exploits and, in most cases, instrumental in an application’s success. Here are the last updated OWASP Top 10 vulnerabilities as of 2021:
1. Broken Access Control

Broken access control is a flaw where a user can act outside their intended permissions: view or modify other users' data, reach administrative functions, or bypass checks by tampering with URLs, parameters, or tokens. It arises when permissions and access controls are implemented incorrectly or enforced only on the client side.

2. Cryptographic Failures

Cryptographic failures cover weak, missing, or misused cryptography: data transmitted in clear text, outdated algorithms or protocols, hard-coded or poorly managed keys, and passwords stored without a proper hash. Attackers exploit these failures to expose sensitive company, user, and application data.

3. Injection

Injection occurs when untrusted input is sent to an interpreter as part of a command or query. SQL, NoSQL, OS command, and LDAP injection are the classic forms; the 2021 edition also folds Cross-Site Scripting (XSS) into this category. In an XSS attack the attacker injects malicious script into a trusted website, which then delivers it to other users' browsers.

4. Insecure Design

Insecure design covers weaknesses that originate in the design phase, before a line of code is written, because developers and security teams failed to foresee and assess how the application could be abused. It commonly results from skipping threat modelling and secure design patterns, and it cannot be fixed by a perfect implementation of a flawed design.

5. Security Misconfiguration

Security misconfigurations occur when the system or web application is deployed with missing or incorrect configuration: default accounts and settings left in place, unnecessary features enabled, verbose error messages, or missing security headers. Such problems frequently emerge when security teams and developers leave configuration on its defaults or apply settings inconsistently across environments.

6. Vulnerable and Outdated Components

Security patches keep software safe against newly discovered attack vectors; components that no longer receive them, or that are never updated, become increasingly exposed over time. The risk applies to the operating system, web server, frameworks, libraries, and plugins alike, and to any component whose version is unknown. Exposures of this kind are grouped under Vulnerable and Outdated Components.

7. Identification and Authentication Failures

Identification and authentication failures occur when an application fails to confirm a user's identity correctly, allowing an attacker to act under an identity they do not own. Typical causes are permitted credential stuffing or brute force, weak or default passwords, ineffective credential recovery, and poor session management (for example, session identifiers exposed in URLs or not rotated after login).

8. Software and Data Integrity Failures

Software and data integrity failures occur when code or infrastructure does not protect against integrity violations: updates applied without signature verification, insecure deserialization of untrusted data, or CI/CD pipelines that can be tampered with. The most common instance is an application that relies on libraries, modules, and plugins pulled from untrusted sources, repositories, and content delivery networks (CDNs) without verifying them.

9. Security Logging and Monitoring Failures

Security logging and monitoring failures describe applications that do not log auditable events such as logins, failed logins, and high-value transactions, do not monitor those logs, or store them where they can be tampered with. Without this visibility it becomes very difficult for security teams to detect, track, and respond to attackers, and breaches go unnoticed for extended periods.

10. Server-Side Request Forgery

Server-side request forgery (SSRF) is a vulnerability that lets an attacker make the server-side application issue requests to a destination of the attacker's choosing. Because the request originates from the server, it can reach internal systems that are not exposed to the internet, such as administrative interfaces, internal services, and cloud metadata endpoints, and leak sensitive data such as credentials and authorization tokens.
The OWASP checklist for Web App Penetration testing
Without any further delay, let us dive into the OWASP web application penetration checklist to conduct a thorough web app pen test:
1. Information Gathering
The first step is to gather as much information about the target web application as possible.
Manual site exploration
- First on the checklist is to perform manual site exploration for potential weak spots.
Locating the robots.txt file

- Identify and retrieve the robots.txt file, which tells search engine crawlers which URLs they may and may not access on the site. Paths listed under Disallow are often exactly the content the owner did not want found. The file can be fetched with GNU Wget or curl, and the same tools can then crawl the site for missing or hidden content. Also look for other files that expose content, such as sitemap.xml and .DS_Store.

Identify versions and channels

- Review the software versions used by the web, mobile web, mobile app, and web service channels. Additionally, identify the database and other technical components so that known bugs and vulnerabilities for those versions can be looked up.

Implement DNS-based techniques

- Perform reverse DNS lookups, attempt DNS zone transfers, and use web-based DNS search services to enumerate hostnames and subdomains.

Perform directory searching and vulnerability scanning

- Brute-force directories and files with a wordlist-driven tool (DirBuster, gobuster, or ffuf) and run a vulnerability scanner such as Nessus against the host; use Nmap to map open ports and services.

Identify the entry points of the application

- Intercepting proxies such as OWASP ZAP, Burp Proxy, and WebScarab, and browser extensions such as Tamper Data and TamperIE, identify an application's entry points: every parameter, header, cookie, and form field the server accepts.

Perform web application fingerprinting

- Use Nmap, Amap, and service fingerprinting to detect the software, network protocols, operating systems, and hardware devices on the network. Web server fingerprinting compares the target's responses (banner, header order, error pages) against a database of known signatures to identify the server and its version.
Test for recognized file extensions, types, and directories
- Test for common file extensions such as .exe, .asp, .html, and .php.
Identify client-side source code
- Next is to examine the source code from the client-side pages of the application’s front end.
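The information-gathering steps above produce three artifacts that are worth processing in one pass: the robots.txt body, the sitemap, and the response headers. The following is an added example, not code from the original article or from SecureLayer7, showing how a tester turns those into a target list and a first fingerprint. The host target.example is hypothetical and the three sample bodies are constructed; in practice they are fetched with Wget or curl and fed to the same functions.

```python
from urllib.parse import urljoin, urlparse
from xml.etree import ElementTree

# Constructed sample responses standing in for what a tester would fetch from
# https://target.example (hypothetical host) during information gathering.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /admin/
Disallow: /backup/     # old dumps, please do not index
Disallow: /api/v1/internal
Allow: /api/v1/public
Sitemap: https://target.example/sitemap.xml
"""

SAMPLE_SITEMAP = """\
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://target.example/</loc></url>
  <url><loc>https://target.example/login.php</loc></url>
  <url><loc>https://target.example/reports/2022-q4.pdf</loc></url>
</urlset>
"""

SAMPLE_HEADERS = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "Set-Cookie": "PHPSESSID=abc123; path=/",
}


def parse_robots(text, base_url):
    """Return Disallow/Allow paths (as absolute URLs) and Sitemap URLs from robots.txt.

    Disallowed paths are the interesting ones: they are content the site owner
    wanted hidden from crawlers, which is not the same as protected from users.
    """
    disallow, allow, sitemaps = [], [], []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # robots.txt allows trailing comments
        if ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "disallow" and value:
            disallow.append(urljoin(base_url, value))
        elif field == "allow" and value:
            allow.append(urljoin(base_url, value))
        elif field == "sitemap":
            sitemaps.append(value)
    return {"disallow": disallow, "allow": allow, "sitemaps": sitemaps}


def parse_sitemap(xml_text):
    """Return every <loc> URL from a sitemap.xml document."""
    ns = {"sm": "http://www.sitemaps.org/schemas/sitemap/0.9"}
    root = ElementTree.fromstring(xml_text)
    return [loc.text.strip() for loc in root.findall(".//sm:loc", ns)]


def fingerprint(headers, urls):
    """Pull product/version strings out of headers and guess the stack from URL extensions."""
    findings = {}
    if headers.get("Server"):
        findings["server"] = headers["Server"]
    if headers.get("X-Powered-By"):
        findings["powered_by"] = headers["X-Powered-By"]
    cookie = headers.get("Set-Cookie", "")
    # Default session-cookie names give away the platform even when headers are stripped.
    for cookie_name, tech in (("PHPSESSID", "PHP"), ("JSESSIONID", "Java servlet container"),
                              ("ASP.NET_SessionId", "ASP.NET")):
        if cookie.startswith(cookie_name + "="):
            findings["session_cookie_hints"] = tech
    exts = set()
    for url in urls:
        last = urlparse(url).path.rsplit("/", 1)[-1]
        if "." in last:
            exts.add(last.rsplit(".", 1)[1].lower())
    findings["extensions"] = sorted(exts)
    return findings


def gather(robots_text, sitemap_xml, headers, base_url):
    """Combine the three sources into a de-duplicated target list plus fingerprint."""
    robots = parse_robots(robots_text, base_url)
    targets = sorted(set(robots["disallow"] + parse_sitemap(sitemap_xml)))
    return {"targets": targets, "fingerprint": fingerprint(headers, targets)}
```

The Disallow entries go straight onto the list of paths to request by hand and to feed the directory brute-forcer as seed words; the extensions tell you which wordlists (php, asp, jsp) are worth the time.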
2. Authentication Testing
Authentication testing checks whether the login mechanism can be bypassed or abused: whether credentials travel over an encrypted channel, whether default or guessable credentials work, whether the account lockout, password policy, and recovery flows hold up, and whether the tester can obtain a valid session without legitimate credentials.

Test for logout functionality presence

- Check the effectiveness of the logout functionality and whether it is possible to continue using the session token after logging out. Additionally, check whether the application automatically logs users out after a period of inactivity.

Test for cache management on HTTP

- Check whether sensitive pages are served with Cache-Control: no-store and related headers, and inspect the browser cache and any proxy caches for remaining sensitive information.

Test password reset and recovery functionalities for flaws

- Test for exploitable weaknesses such as guessable security questions and answers, predictable reset tokens, tokens that never expire, and reset links that leak the token through the Referer header.

Test remember my password functionality

- Check that the "Remember me" functionality is implemented correctly by reviewing the HTML of the login page (autocomplete attributes) and the cookies it sets: the cookie must carry a random token, never the password or a reversible encoding of it.

Test for authentication bypass

- Test whether authentication can be bypassed by requesting protected pages directly, tampering with parameters or cookies, predicting session identifiers, or using an alternative channel (a mobile app, API, or legacy endpoint) that talks to the same authentication infrastructure with weaker checks.

Test CAPTCHA

- Test whether the CAPTCHA can be skipped, replayed, or solved automatically, which would leave the login and registration forms open to brute force.

Test password change process

- Test the password change process: verify that the current password is required, that the form is protected against CSRF, and that a password cannot be changed by guessing or cracking the secret questions.

Test the Web Application Firewall

- Test for weak spots and misconfigurations in the web application firewall, for example payload encodings or HTTP methods it does not inspect, which would allow SQL injection and other attacks to reach the application and steal sensitive data.
3. Authorization Testing
Authorization testing examines how the application decides what an authenticated user may do. Everything learned here is used to try to circumvent that mechanism: reaching another user's data (horizontal escalation) or an administrator's functions (vertical escalation).

Test for vertical access control problems

- Test whether a low-privileged user can reach restricted resources or functions by manipulating role parameters, cookies, or direct URLs, and whether object identifiers can be changed to reach other users' records.

Test for path traversal

- Enumerate the input vectors that name a file or path (parameters, cookies, headers) and analyze the input validation the application applies to them. Submit dot-dot-slash sequences in plain and encoded forms to see whether files outside the intended directory can be read.

Test for cookie tampering

- Test for cookie and parameter tampering with an intercepting proxy: modify role, user ID, and price values and observe whether the server trusts the client-supplied value.

HTTP request tampering

- Test for HTTP request tampering (method, headers, and body) and check whether it yields unauthorized access to application resources.
4. Configuration Management Testing
Check directory and file enumeration, review server and application documentation, and check the infrastructure and application admin interfaces.

Perform network and web server scanning

- Perform a network scan and analyze the web server banner and response headers for product and version information.

Check for backup, old, and unreferenced files

- Check for backups, old files, and unreferenced files (such as .bak, .old, and editor swap files) that may reveal passwords, source code, and installation paths.

Identify SSL/TLS ports

- Use Nmap and Nessus to pinpoint the ports offering SSL/TLS services, then check the supported protocol versions and cipher suites.

Review OPTIONS HTTP

- Use utilities such as Netcat, Telnet, or curl to send an OPTIONS request and review which HTTP methods the server advertises.

Test for HTTP methods and Cross Site Tracing (XST)

- Test whether dangerous methods (PUT, DELETE, TRACE) are enabled. If TRACE is enabled, cross-site tracing can be used to read request headers, including cookies marked HttpOnly, and so obtain the credentials of legitimate users.

Check log files, source code, and default error codes

- Conduct configuration management tests on the web application to access and review exposed log files, source code, and default error pages, which frequently disclose stack traces, paths, and versions.
5. Session Management Testing
The goal here is to check whether the target application creates session tokens and cookies securely, with the aim of forging a cookie or reusing a token to hijack a user's session.

Test for Cross-Site Request Forgery

- Review the restricted URL areas and state-changing requests and test whether they can be triggered from another origin without an anti-CSRF token.

Confirm that new session tokens are issued upon login, role change, and logout

- Review how the token is transmitted (encryption in transit, proxies, caching, GET versus POST; a token in a GET URL ends up in logs and Referer headers). Check whether old session tokens remain valid after login, privilege change, or logout.

Cookie forging

- Collect an adequate number of cookie samples and analyze their structure and randomness. Check whether a valid cookie can be forged or predicted to perform an attack.

Testing the cookie attributes

- Use intercepting proxies such as OWASP ZAP and Burp Proxy to review the cookie attributes: Secure, HttpOnly, SameSite, Domain, Path, and Expires or Max-Age. Use Tamper Data or the proxy to check whether the data transmitted between client and server can be altered in transit.

Test for session fixation

- Try to hijack a valid user session through session fixation: set a known session identifier before the victim logs in and check whether the application keeps using it afterwards.
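The cache management check in the authentication section and the cookie attribute check above are both decided by response headers, so they can be audited together from a captured response. The following is an added example, not code from the original article or from SecureLayer7, that runs those checks over two constructed login responses from a hypothetical application: one as a tester typically finds it and one after hardening. The cookie names and values are made up; the "remember" cookie in the weak response carries base64 of user:pass, the mistake the "Remember me" item warns about.

```python
import base64
import binascii

# Constructed sample responses (list of (name, value) pairs, since Set-Cookie repeats).
WEAK_RESPONSE = [
    ("Cache-Control", "private, max-age=600"),
    ("Set-Cookie", "sessionid=9f3ab2c4e1; Path=/"),
    ("Set-Cookie", "remember=dXNlcjpwYXNz; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Path=/"),
]
HARDENED_RESPONSE = [
    ("Cache-Control", "no-store"),
    ("Pragma", "no-cache"),
    ("Set-Cookie", "sessionid=9f3ab2c4e1; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "remember=4c1d7e0b9a2f; Max-Age=1209600; Path=/; Secure; HttpOnly; SameSite=Lax"),
]


def parse_set_cookie(value):
    """Split a Set-Cookie value into (name, value, {attribute: value}); attributes lower-cased."""
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), cookie_value.strip(), attrs


def looks_like_encoded_credentials(value):
    """True when a cookie value base64-decodes to printable text containing ':' (user:pass)."""
    padded = value + "=" * (-len(value) % 4)
    try:
        decoded = base64.b64decode(padded, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return False
    return decoded.isprintable() and ":" in decoded


def audit_cookie(set_cookie):
    """Return (cookie name, list of problems) for one Set-Cookie header."""
    name, cookie_value, attrs = parse_set_cookie(set_cookie)
    problems = []
    if "secure" not in attrs:
        problems.append("missing Secure: cookie is also sent over plain HTTP")
    if "httponly" not in attrs:
        problems.append("missing HttpOnly: readable by script, so stealable via XSS")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        problems.append("SameSite not Lax/Strict: cookie rides along on cross-site requests (CSRF)")
    if "sess" in name.lower() and ("expires" in attrs or "max-age" in attrs):
        problems.append("session cookie is persistent: survives browser close")
    if looks_like_encoded_credentials(cookie_value):
        problems.append("value decodes to credentials: 'remember me' must use a random token")
    return name, problems


def audit_cache(headers):
    """Check the caching directives of a response that carries sensitive data."""
    directives = {d.strip().lower() for d in headers.get("cache-control", "").split(",") if d.strip()}
    problems = []
    if "no-store" not in directives:
        problems.append("Cache-Control lacks no-store: browser or proxy may keep the response")
    if "public" in directives:
        problems.append("Cache-Control: public lets shared caches store the response")
    if headers.get("pragma", "").lower() != "no-cache":
        problems.append("Pragma: no-cache missing for HTTP/1.0 caches")
    return problems


def audit_response(header_list):
    """Audit a list of (name, value) response headers; returns cache and per-cookie findings."""
    plain = {n.lower(): v for n, v in header_list if n.lower() != "set-cookie"}
    cookies = dict(audit_cookie(v) for n, v in header_list if n.lower() == "set-cookie")
    return {"cache": audit_cache(plain), "cookies": cookies}
```

Run it against the raw headers from the proxy's history rather than against what the browser shows: browsers silently drop a Secure cookie set over HTTP or a SameSite=None cookie without Secure, which hides the misconfiguration.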
6. Data Validation Testing
This stage validates the application's handling of untrusted input, including what reaches the database, for vulnerabilities that can be exploited.

Identify JavaScript coding errors

- Analyze the client-side source code for JavaScript coding errors, including DOM sinks that take attacker-controlled input.

Test for SQL Injection

- Probe every parameter with SQL metacharacters and, where the application reacts, use tools such as sqlmap, sqlninja, and SQL Power Injector to carry out union-based, error-based, and blind (boolean and time-based) SQL injection.

Test for HTML injection and Cross-Site Scripting

- Use tools such as XSS Proxy, Backframe, XSS Assistant, Burp Proxy, and OWASP ZAP to test for exploitable HTML injection and reflected, stored, and DOM-based XSS.

Test for LDAP Injection

- Perform LDAP injection testing to acquire sensitive user and host information from the directory.

Test for IMAP/SMTP Injection

- Perform IMAP/SMTP injection testing to attempt to reach the backend mail server.

Test for XPath Injection

- Perform XPath injection testing to attempt to access sensitive information from XML data stores.

Test for XML Injection

- Perform XML injection testing to learn the structure of the application's XML documents and to check for external entity (XXE) processing.

Test for Code Injection

- Perform code injection testing by submitting input that the web server processes as an included file or as dynamic code, to identify input validation errors.

Buffer overflow testing

- Perform buffer overflow testing to check whether the application accepts more data into a buffer than it can hold. Success gives insight into, and potentially control over, the application's control flow and its stack and heap memory.

Test for HTTP Splitting/Smuggling

- Test for HTTP response splitting (CRLF sequences injected into values that land in headers, such as cookies and redirect locations) and HTTP request smuggling (conflicting Content-Length and Transfer-Encoding headers) to gauge the possibility of cache poisoning or cross-site scripting.
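Before reaching for sqlmap it helps to see exactly what the tools are exploiting. The following is an added example, not from the original article or from SecureLayer7: a login and a product search written the vulnerable way next to the parameterized way, driven against an in-memory SQLite database with constructed data, together with the single-quote probe a tester sends first and the two classic payloads (comment-based login bypass and a UNION that pulls the users table). SQLite stands in for whatever database the target uses; the table layout and credentials are made up.

```python
import sqlite3


def build_demo_db():
    """In-memory database with constructed sample data (not from any real target)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
        INSERT INTO users (username, password) VALUES ('admin', 's3cr3t!'), ('alice', 'hunter2');
        INSERT INTO products (name, price) VALUES ('Widget', 9.99), ('Gadget', 24.50);
    """)
    return conn


def login_vulnerable(conn, username, password):
    # String formatting: a quote in the input ends the literal and the rest becomes SQL.
    sql = f"SELECT id FROM users WHERE username = '{username}' AND password = '{password}'"
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    # Bound parameters: the driver sends the values separately, they are never parsed as SQL.
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def search_vulnerable(conn, term):
    sql = f"SELECT name, price FROM products WHERE name LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    # The wildcards are part of the bound value, so the pattern is data, not syntax.
    sql = "SELECT name, price FROM products WHERE name LIKE ?"
    return conn.execute(sql, (f"%{term}%",)).fetchall()


def error_probe(conn, search):
    """Send a lone quote; a database error surfacing is the first signal of injection."""
    try:
        search(conn, "'")
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)


# Payloads: comment out the password check, and append a second SELECT with the
# same column count (2) so the users table comes back inside the product list.
LOGIN_BYPASS = "admin' --"
UNION_DUMP = "' UNION SELECT username, password FROM users --"
```

The UNION payload works only because the injected SELECT has the same number of columns as the original (two here); in a real test you find that number first with ORDER BY n or by adding NULL columns until the error disappears, which is exactly what sqlmap automates.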
7. Denial of Service Testing
Carry out denial-of-service or load testing against the target application to identify weaknesses that would let an attacker exhaust its resources. Agree the scope and timing with the owner first, since these tests can take the application down.

Check for slowdown

- Send a burst of requests that trigger intensive database operations and watch for performance degradation and error messages.

Manual source code analysis

- Perform manual source code analysis to find spots where request-controlled input drives loops, allocations, or queries. Then submit inputs of varying lengths to those spots and observe the effect.

Test for SQL wildcard DoS

- Test SQL wildcard attacks: search terms packed with LIKE wildcards (% and _) that force expensive pattern matching across the table. Volumetric DDoS is out of scope for an application test and is best handled by a dedicated DDoS protection service.

User Specified Object Allocation DoS

- Test user-specified object allocation: determine the maximum number of objects the application will create on request (for example, items per page or records per import) and whether the server's memory can be exhausted by asking for a very large number.

Exploit the input field

- Use a scripted loop with a controlled number of iterations to submit requests to an input field faster than a user would, and observe whether the application throttles them.

Application-layer flood

- Using an automated script, conduct an application-layer flood: submit many requests, or requests with excessively long input values, so that the server's processing and logging of them outruns its capacity.
In conclusion, if followed meticulously, this checklist should allow you to reduce operational failures, application errors, and gaps in the application's infrastructure.

If you need further assistance in conducting your penetration tests, several professional penetration testing service providers can help you run thorough and effective tests against your web applications.
Secure Web applications with SecureLayer7’s comprehensive penetration testing services
SecureLayer7 is an internationally renowned professional continuous penetration testing company that helps customers spot high-risk web application vulnerabilities from the OWASP Top 10 list and those on frameworks such as SANS and NIST.
SL7 provides full security service to your web application with automated and manual testing to identify and remediate all risks challenging your application security.
We will also assist you in uncovering zero-day vulnerabilities within a wide range of web applications and proactively and promptly address and disclose the issues. After conducting the necessary tests, we provide comprehensive business-oriented reports detailing our findings, including security gaps identified in the web application, firmware, and thick client software.

Our client reports also contain suggested threat mitigation solutions with their description, proof of concept, and security exposure information. Leverage our API penetration testing to identify and prioritize vulnerabilities in your API endpoints and improve their overall security posture.

SL7 will ultimately perform all necessary patch verification to confirm that every reported vulnerability has been fixed and the web application thoroughly secured. Our services and expert pen test team deliver high-quality results while considerably decreasing costs.
Contact us to find out how we identify and mitigate all your web app vulnerabilities.
Summary:
The emerging cyber threats to businesses, and the ability of modern cybercriminals to adapt their tactics to the countermeasures developed by security specialists, underline the need for thorough penetration testing. By streamlining these tests, businesses can routinely uncover and address vulnerabilities in critical components on every iteration, so that even the slightest exposure is not overlooked. This article has provided an OWASP-aligned web application penetration testing checklist to make that testing consistent and to remove its dependence on human memory, which is limited and error-prone.