OWASP Web Application Security Quick Reference Guide

Version 0.2

Copyright and License

Copyright 2013 The OWASP Foundation.
This document is released under the Creative Commons Attribution ShareAlike 3.0 license. For any reuse or distribution, you must make clear to others the license terms of this work.
http://creativecommons.org/licenses/by-sa/3.0/

Introduction
This checklist contains the basic security checks that should be implemented in any web application.

The checklist has the following columns:

Name: the name of the check.
Check Question: the check, phrased as a question.
Required Answer: the answer the check question must have for the application to pass.
How to check: a short description of how the check should be tested.
Comments: additional comments on the check, including best practice and references to OWASP documentation.

Each check below is laid out with those columns as labelled lines under the check's name. Where the original gives no "How to check" or "Comments" entry for a check, the line is omitted.
Web Application Security Checklist

User management

Simple passwords
  Check question: Do users have simple passwords?
  Required answer: No
  How to check: Check whether a password meets the password policy.
  Comments: If there is no policy, check whether the password meets the OWASP recommendation. OWASP Reference: Password length & complexity.

Simple password without verification
  Check question: Does the application check the complexity of the new password during a password change?
  Required answer: Yes
  How to check: Check whether the new password is validated against the policy during the change process.
  Comments: If there is no policy, check whether the password meets the OWASP recommendation. OWASP Reference: Password length & complexity.

Empty passwords
  Check question: Can empty passwords be used?
  Required answer: No
  How to check: Check whether the user can change a password to a blank one.
  Comments: OWASP Reference: Password length & complexity.

Saving login and password
  Check question: Does the browser offer to store the user's login and password?
  Required answer: No
  How to check: Check whether the server's response carries the markup that disables browser password storage (AUTOCOMPLETE=OFF on the login form fields, which Internet Explorer and Firefox honoured at the time of writing; current browsers largely ignore it for login fields, so treat this as a defence-in-depth check rather than a guarantee).
  Comments: OWASP Testing for Vulnerable Remember Password.

Lack of verification during password change
  Check question: Is the old password required during the password change?
  Required answer: Yes
  How to check: Check whether the change-password function asks for the current password.
  Comments: An attacker who has stolen the session cannot change the password if the old one is required.

Using old passwords
  Check question: Can the user change the password back to the previous one?
  Required answer: No
  How to check: Check whether the user can set the previous password again.
  Comments: Reusing the previous password shows that the user is not really changing it; a password kept for a long time has more exposure to guessing.

Password reset DoS
  Check question: Is it possible to reset a user's password by providing known data, without confirmation through a separate channel (e-mail, phone, SMS)?
  Required answer: No
  How to check: Check whether the reset tool forces the user to change the password immediately afterwards. Check whether the password can be reset by answering secret questions alone.
  Comments: OWASP Testing for Vulnerable Password Reset.

Locking account after few tries
  Check question: Is the account blocked after a few failed login attempts?
  Required answer: Yes
  How to check: Check whether the account is locked after a few failed logins.
  Comments: This protects against brute-force attacks. The lock can be temporary.

Automatic account creation
  Check question: Is there any protection against automatic account creation (for example a CAPTCHA)?
  Required answer: Yes
  How to check: Check accessibility: the CAPTCHA must be usable by everyone (an audio CAPTCHA for the visually impaired). Check that the text images are distorted randomly. Check whether the expected solution travels in clear text or in encrypted/hashed form.
  Comments: This check applies only to applications that allow creating new user accounts. A CAPTCHA protects against software that creates accounts for spam, against dictionary attacks on the password system and against registration by bots. The encryption/hash algorithm protecting the CAPTCHA solution should be sufficiently strong.

Locking (disabling) a non-existing account
  Check question: When one tries to lock an account, is the message for an existing account the same as the message for a non-existing account?
  Required answer: Yes
  How to check: Compare two responses: (a) the account exists, is locked and the password is correct; (b) the account does not exist. Both responses should be the same.
  Comments: If the messages differ, an attacker can enumerate existing accounts.

Information about wrong login and password
  Check question: During login, is there any difference between the message when the account does not exist and the message when the account exists but the password is wrong?
  Required answer: No
  How to check: Compare two responses to the login request: (a) the account exists and the password is wrong; (b) the account does not exist and the password is random. Both responses should be the same: not only the visible text, but also the status code, response length and response time.
  Comments: If the responses differ, an attacker can enumerate existing accounts.

Public login and password
  Check question: Are the login and password sent in clear text?
  Required answer: No
  How to check: The login and password should always be sent over HTTPS, never over HTTP.
  Comments: If the login and password are not encrypted in transit, an attacker can intercept them.

Logout user after a period of time
  Check question: Is the user logged out after a period of inactivity (usually 30 minutes)?
  Required answer: Yes
  How to check: Wait the required time and check whether the session was terminated.
  Comments: Every application should log the user out after a period of inactivity. The period depends on the type of application but must never be infinite. The timeout must be enforced on the server side. OWASP Reference: Session Expiration.
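The two enumeration checks above ("Locking (disabling) a non-existing account" and "Information about wrong login and password") both come down to diffing two responses. The following script is an added example, not part of the OWASP guide: it parses two raw HTTP responses, ignores headers that legitimately change between requests (Date, Set-Cookie, and so on) and reports everything else that differs. The two responses are constructed samples in which the visible error text is identical but the "known user" branch renders a hidden field, so the pages differ in length; that is exactly the kind of tell a proxy-based comparison has to catch.

```python
"""Compare two login responses for user-enumeration tells.

Added example for the 'Locking (disabling) a non-existing account' and
'Information about wrong login and password' checks; it is not part of
the OWASP guide. The two responses are constructed samples, not captures
from a real application.
"""

# Headers whose values legitimately differ between any two requests.
VOLATILE_HEADERS = {"date", "set-cookie", "expires", "etag", "x-request-id"}


def build_response(body, date, session_id, status="200 OK"):
    """Constructed sample response; Content-Length is computed, not typed."""
    return (
        f"HTTP/1.1 {status}\r\n"
        f"Date: {date}\r\n"
        f"Content-Type: text/html\r\n"
        f"Set-Cookie: JSESSIONID={session_id}; Path=/\r\n"
        f"Content-Length: {len(body.encode())}\r\n"
        f"\r\n{body}"
    )


# Both branches show the same error text, but the 'known user, wrong
# password' branch also renders a hidden field, so that page is longer.
ERROR_TEXT = '<p class="err">Invalid login or password</p>'
RESP_WRONG_PASSWORD = build_response(
    f'<form>{ERROR_TEXT}<input type="hidden" name="uid" value="1042"></form>',
    "Mon, 01 Jan 2013 10:00:00 GMT", "abc123")
RESP_NO_SUCH_USER = build_response(
    f"<form>{ERROR_TEXT}</form>",
    "Mon, 01 Jan 2013 10:00:03 GMT", "def456")


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status line, headers dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def compare_login_responses(raw_a, raw_b):
    """Return the differences an attacker could use to tell the two cases
    apart. An empty list means they are indistinguishable (timing aside,
    which needs a separate measurement)."""
    status_a, hdr_a, body_a = parse_response(raw_a)
    status_b, hdr_b, body_b = parse_response(raw_b)
    diffs = []
    if status_a != status_b:
        diffs.append(f"status line: {status_a!r} vs {status_b!r}")
    for name in sorted((set(hdr_a) | set(hdr_b)) - VOLATILE_HEADERS):
        if hdr_a.get(name) != hdr_b.get(name):
            diffs.append(f"header {name}: {hdr_a.get(name)!r} vs {hdr_b.get(name)!r}")
    if len(body_a) != len(body_b):
        diffs.append(f"body length: {len(body_a)} vs {len(body_b)}")
    elif body_a != body_b:
        diffs.append("body text differs")
    return diffs


if __name__ == "__main__":
    for tell in compare_login_responses(RESP_WRONG_PASSWORD, RESP_NO_SUCH_USER):
        print("tell:", tell)
```

Run it against real captures by pasting the two responses from your proxy into the two constants; any line it prints is an enumeration oracle, even if the error message on screen looks identical.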

Session management

Logout user after closing application
  Check question: Does the application log the user out when the browser is closed?
  Required answer: Yes
  How to check: Close the browser, reopen it and check whether the previous session is still valid; the session cookie should not outlive the browser session.
  Comments: OWASP Reference: Client Side Defenses for Session Management.

Login twice on the same user
  Check question: Can two sessions of the same user exist at the same time?
  Required answer: No
  How to check: Log in from two different browsers and check whether both sessions stay valid.
  Comments: OWASP Reference: Simultaneous Session Logons.

Lack of "Change Password" functionality
  Check question: Can the user change their password?
  Required answer: Yes
  Comments: All applications should give users the opportunity to change their password at any time.

Random Session ID
  Check question: Is the Session ID random?
  Required answer: Yes
  How to check: The Sequencer tab of Burp Suite can be used to test the randomness of a sample of session IDs.
  Comments: OWASP Reference: Session Prediction. OWASP Reference: Session ID Entropy.

Simple Session ID
  Check question: Is the Session ID generated by a simple (predictable) scheme?
  Required answer: No
  How to check: This check should be done from the source code. Check whether the Session ID generation mechanism is predictable: if an attacker knows how Session IDs are generated, can the next Session ID be predicted? For example, if the Session ID is the MD5 hash of a timestamp, the IDs look random to an outsider, but anyone who knows the scheme can predict the next ones.
  Comments: OWASP Reference: Session Management Implementations.
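The MD5-of-timestamp scheme mentioned under "Simple Session ID" is worth seeing in code, because it also shows why a statistical tool such as Burp's Sequencer is not sufficient on its own: the hex output passes casual inspection, yet an attacker who knows the scheme needs only a rough idea of the victim's login time to rebuild the token. The block below is an added example, not part of the OWASP guide; the login timestamp is constructed, and the "strong" generator is simply the CSPRNG-backed secrets module.

```python
"""Predictable vs. random session IDs.

Added example for the 'Random Session ID' and 'Simple Session ID' checks;
it is not part of the OWASP guide. The MD5-of-timestamp scheme is the one
the check uses as its illustration; the timestamps are constructed.
"""
import hashlib
import secrets


def weak_session_id(timestamp):
    """The scheme the check warns about: MD5 of a one-second Unix timestamp.
    The output looks random, but there are only 86 400 possible values per
    day (about 16.4 bits), and anyone who knows the scheme can rebuild them."""
    return hashlib.md5(str(int(timestamp)).encode()).hexdigest()


def predict_weak_ids(approx_timestamp, window_seconds=60):
    """What an attacker does: enumerate every ID the server could have issued
    within +/- window_seconds of a time they roughly know (the Date header of
    the victim's login response, or simply 'now' for a live attack)."""
    base = int(approx_timestamp)
    return {weak_session_id(t)
            for t in range(base - window_seconds, base + window_seconds + 1)}


def is_predictable(session_id, approx_timestamp, window_seconds=60):
    """True if session_id is reproducible from the timestamp scheme."""
    return session_id in predict_weak_ids(approx_timestamp, window_seconds)


def strong_session_id(nbytes=32):
    """What a session ID should be: OS CSPRNG output, 256 bits here. Knowing
    the generator's code gives an attacker nothing about the next value."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    login_time = 1357034400                 # constructed: 2013-01-01 10:00:00 UTC
    victim = weak_session_id(login_time + 17)
    print("weak  ", victim, "predictable:", is_predictable(victim, login_time))
    strong = strong_session_id()
    print("strong", strong, "predictable:", is_predictable(strong, login_time))
```

When reviewing source, the question to ask of any session ID generator is the one is_predictable() encodes: given everything except the secret random input, can the candidate set be enumerated? If the only unknown is a timestamp, a counter or a PID, the answer is yes regardless of which hash wraps it.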

Changing Session ID after logout
  Check question: Does the Session ID change after logout?
  Required answer: Yes
  How to check: These checks can be performed with a proxy tool, capturing the whole login and logout sequence.
  Comments: It is good practice to delete from the browser a Session ID that is no longer used. OWASP Reference: Renew Session ID After Any Privilege Level Change.

Changing Session ID after login
  Check question: Does the Session ID change after login?
  Required answer: Yes
  How to check: Check whether the response to the login request sets a new session cookie.
  Comments: OWASP Reference: Renew Session ID After Any Privilege Level Change.

Using old Session ID
  Check question: Does the server still accept the old Session ID?
  Required answer: No
  How to check: Check whether the server can be forced to use the old session cookie, for example by replaying the pre-login or pre-logout cookie.
  Comments: OWASP Reference: Renew Session ID After Any Privilege Level Change.

Sending Session ID through GET
  Check question: Is the Session ID sent in GET parameters?
  Required answer: No
  How to check: Check whether any request sends the Session ID in a URL (GET) parameter.
  Comments: Sensitive information in URLs may be logged in various places, including the user's browser history, the web server logs and any forward or reverse proxies between the two endpoints.

Changing Session ID when the channel is changed
  Check question: Is the Session ID changed when the application switches between the encrypted channel (HTTPS) and the open channel (HTTP)?
  Required answer: Yes
  How to check: Compare the session cookie observed over HTTP with the one observed over HTTPS; a cookie that has been exposed on the open channel must not remain valid for the encrypted one.
  Comments: OWASP Reference: Transport Layer Security.

Secure cookies
  Check question: Is the Secure attribute set on the cookies?
  Required answer: Yes
  How to check: Capture the set of cookies generated by the web application and check for the Secure attribute on every cookie that carries sensitive information, the session cookie above all. A cookie-analysis tool can perform this check.
  Comments: OWASP Reference: Secure Attribute.

Cookie's domain
  Check question: Is the cookie's Domain attribute restricted to the issuing host, rather than widened to a parent domain?
  Required answer: Yes
  How to check: Capture the cookie with a proxy such as Burp, or inspect it with a browser extension, and read its Domain attribute.
  Comments: A Domain attribute set to a parent domain sends the cookie to every subdomain of it, so any subdomain that is compromised or untrusted receives the session cookie. OWASP Reference: Domain and Path Attributes.

Option HttpOnly
  Check question: Is the HttpOnly attribute set on the cookies?
  Required answer: Yes
  How to check: Capture the cookie with a proxy such as Burp, or check it with a Firefox extension.
  Comments: OWASP Reference: HttpOnly Attribute.
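The three cookie checks above (Secure, Domain, HttpOnly) are mechanical enough to script. The block below is an added example, not part of the OWASP guide: it parses Set-Cookie header values as a proxy would show them, and reports each cookie that is missing Secure on an HTTPS site, missing HttpOnly, or scoped by Domain to something wider than the host that issued it. The sample headers and the host app.example.com are constructed.

```python
"""Audit Set-Cookie headers for the Secure, HttpOnly and Domain checks.

Added example for the 'Secure cookies', 'Cookie's domain' and 'Option
HttpOnly' checks; it is not part of the OWASP guide. The header values and
the host name are constructed samples.
"""


def parse_set_cookie(header_value):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr: val}).
    Attribute names are lower-cased; flag attributes get an empty value."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_cookie(header_value, request_host, over_https=True):
    """Return the findings for one Set-Cookie header (empty list = passes)."""
    name, _, attrs = parse_set_cookie(header_value)
    findings = []
    if over_https and "secure" not in attrs:
        findings.append(f"{name}: missing Secure (would also be sent over plain HTTP)")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly (readable by script, e.g. via XSS)")
    domain = attrs.get("domain", "").lstrip(".").lower()
    host = request_host.lower()
    if domain and domain != host:
        # RFC 6265: a Domain attribute covers that domain and all its subdomains.
        findings.append(f"{name}: Domain={domain} widens the cookie to every "
                        f"subdomain of {domain}, not just {host}")
    return findings


def audit_cookies(set_cookie_headers, request_host, over_https=True):
    """Audit every Set-Cookie header of one response; returns all findings."""
    findings = []
    for header in set_cookie_headers:
        findings.extend(audit_cookie(header, request_host, over_https))
    return findings


# Constructed sample: what the login response of a hypothetical
# https://app.example.com/ might set.
SAMPLE_HEADERS = [
    "JSESSIONID=2B9F0C1A; Path=/; Secure; HttpOnly",
    "prefs=lang%3Den; Path=/; Domain=.example.com",
]

if __name__ == "__main__":
    for finding in audit_cookies(SAMPLE_HEADERS, "app.example.com"):
        print("finding:", finding)
```

Only the cookie that actually carries the session (or other sensitive data) strictly needs all three attributes, so read the findings with the cookie's purpose in mind; a preference cookie missing HttpOnly is a lower-severity note than a session cookie missing Secure.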
Server HTTP

TRACE method
  Check question: Can the TRACE method be used?
  Required answer: No
  How to check: Check which HTTP verbs are enabled on the server: send an OPTIONS request and read the Allow header, or send a TRACE request directly; if TRACE is enabled, the server echoes the request back in the response body.

PUT method
  Check question: Can the PUT method be used?
  Required answer: No
  How to check: Check which HTTP verbs are enabled on the server.
  Comments: An enabled PUT method lets an attacker upload malicious content.

Server version
  Check question: Does the server send its version number in the response headers?
  Required answer: No
  How to check: Check the HTTP response (in particular the Server header) for information about the server software.
  Comments: If an attacker knows the server version, they can tailor their attacks to it; the information also helps automated attacks against a particular server version.

Contents of robots.txt
  Check question: Is robots.txt accessible, and does it list any sensitive directories?
  Required answer: No

Access to .htpasswd
  Check question: Is it possible to access the .htpasswd file?
  Required answer: No

Communication channel

Using SSL
  Check question: Is the channel encrypted?
  Required answer: Yes
  How to check: If the application uses HTTPS, check whether requests can also be sent over plain HTTP, in particular whether the user can log in over HTTP.
  Comments: OWASP Reference: Transport Layer Security.

SSL cipher strength
  Check question: Can weak ciphers be used?
  Required answer: No
  How to check: The original names SSLDigger, a free tool, for this check; it is no longer maintained, and tools such as testssl.sh or sslscan perform the same enumeration today.

SSLv2
  Check question: Is SSL version 2 enabled?
  Required answer: No
  How to check: Same tooling as for cipher strength.

SSL certificate expiry
  Check question: Has the SSL certificate expired?
  Required answer: No
  How to check: This can be checked in a browser.

SSL certificate validation
  Check question: Is the SSL certificate valid for the domain?
  Required answer: Yes
  How to check: This can be checked in a browser.
Online banking application checks

Negative amounts
  Check question: Are negative transactions possible?
  Required answer: No

Very small amount
  Check question: Are transactions with a very small amount (for example 0.001) accepted?
  Required answer: No

Transfer on itself
  Check question: Can one make a transfer to the same account (source = destination)?
  Required answer: No

Currency conversion
  Check question: Is the currency conversion done correctly during the transfer?
  Required answer: Yes

Credit card numbers revealed
  Check question: Are credit card numbers visible?
  Required answer: No

History of account
  Check question: Can one see another user's account history?
  Required answer: No

Account balance
  Check question: Can one see another user's account balance?
  Required answer: No

Incorrect deposit
  Check question: Can one make an investment with a lower amount than required?
  Required answer: No

Incorrect period
  Check question: Can a period other than the ones offered by the form be supplied?
  Required answer: No
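Several of the banking rows above (negative amounts, very small amounts, transfer to the same account, the minimum investment and currency conversion) are the same server-side validation seen from different angles. The block below is an added example, not part of the OWASP guide and not any bank's real code: a hypothetical validate_transfer() that rejects each of those cases, and a convert() that does the conversion in Decimal with a single rounding step. The currency table and the account identifiers are constructed.

```python
"""Server-side transfer validation for the online-banking checks.

Added example; it is not part of the OWASP guide. The currency table and
account identifiers are constructed, and validate_transfer/convert are a
hypothetical validator, not any bank's real code.
"""
from decimal import Decimal, InvalidOperation, ROUND_HALF_EVEN

# ISO 4217 minor-unit digits for the currencies this example knows.
MINOR_UNITS = {"EUR": 2, "USD": 2, "PLN": 2, "JPY": 0}


def to_amount(raw, currency):
    """Parse a user-supplied amount. Returns (Decimal, '') or (None, reason).
    Decimal, never float: float drifts (0.1 + 0.2 != 0.3) and float('nan')
    or float('inf') would slip through a '< 0' check."""
    try:
        amount = Decimal(str(raw))
        if not amount.is_finite():                      # Decimal('NaN'), Decimal('Infinity')
            return None, "amount is not finite"
        quantum = Decimal(1).scaleb(-MINOR_UNITS[currency])   # 0.01 for EUR, 1 for JPY
        if amount != amount.quantize(quantum):          # 'Very small amount' row: 0.001
            return None, f"amount has more precision than {currency} allows"
    except InvalidOperation:
        return None, "amount is not a valid number"
    return amount, ""


def validate_transfer(src, dst, raw_amount, currency, minimum=None):
    """Return (True, '') if the transfer passes every check, else (False, why)."""
    if currency not in MINOR_UNITS:
        return False, "unknown currency"
    amount, why = to_amount(raw_amount, currency)
    if amount is None:
        return False, why
    if amount <= 0:                                     # 'Negative amounts' row
        return False, "amount must be positive"
    if minimum is not None and amount < Decimal(str(minimum)):   # 'Incorrect deposit' row
        return False, f"amount below the required minimum of {minimum}"
    if src.strip() == dst.strip():                      # 'Transfer on itself' row
        return False, "source and destination account are the same"
    return True, ""


def convert(amount, rate, target_currency):
    """'Currency conversion' row: multiply in Decimal and round exactly once,
    to the target currency's minor unit, with banker's rounding."""
    quantum = Decimal(1).scaleb(-MINOR_UNITS[target_currency])
    return (Decimal(str(amount)) * Decimal(str(rate))).quantize(quantum, rounding=ROUND_HALF_EVEN)


if __name__ == "__main__":
    for args in [("PL10", "PL20", "100.00", "PLN"), ("PL10", "PL20", "-5", "PLN"),
                 ("PL10", "PL20", "0.001", "PLN"), ("PL10", "PL10", "10", "PLN"),
                 ("PL10", "PL20", "NaN", "PLN")]:
        print(args, "->", validate_transfer(*args))
    print("100 EUR at 4.2565 ->", convert("100", "4.2565", "PLN"), "PLN")
```

When testing, send each rejected value from the list above through the real transfer form, with the client-side validation disabled or bypassed in the proxy; the required answer "No" for those rows means the server, not the browser, must be the one that refuses.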

Others

Software version
  Check question: Is the name or version of the technology used by the application (for example the PHP or ASP version) disclosed?
  Required answer: No
  How to check: Check whether the HTTP response reveals any information about the framework or platform, for example the PHP or ASP version in an X-Powered-By header.
  Comments: If an attacker knows the technology version, they can tailor their attacks to it; the information also helps automated attacks against a particular technology.

POST sent by GET
  Check question: Can the parameters of a POST request be sent as GET parameters?
  Required answer: No
  How to check: Check whether requests made by POST, especially the login request, are also accepted with the GET method.
  Comments: If the login request is accepted over GET, the credentials end up in the URL and therefore in browser history and in server and proxy logs (see "Sending Session ID through GET").

X-Frame-Options
  Check question: Does the application send the X-Frame-Options HTTP header with the value DENY or SAMEORIGIN?
  Required answer: Yes
  How to check: Check the main page, the login page and the user settings page.
  Comments: OWASP Clickjacking. OWASP Clickjacking Defense Cheat Sheet.

Silverlight cross-domain policy
  Check question: Is a wildcard used in the policy file (clientaccesspolicy.xml)?
  Required answer: No
  Comments: OWASP Reference: Client Side Cross Domain Requests.

Flash cross-domain policy
  Check question: Is a wildcard used in the policy file (crossdomain.xml)?
  Required answer: No
  Comments: There are only a small number of legitimate use cases for full wildcard (*) permissions. If granting full permission is absolutely necessary, the best practice is to create a subdomain of your site whose explicit purpose is to serve cross-domain data. Another option is to use Flash Player's support for per-directory cross-domain permissions and place the data and the full-wildcard cross-domain policy in a subdirectory of the site dedicated to that purpose. Full wildcards on internal networks can also be dangerous, since they can result in external content being granted access to internal resources. A full wildcard should also never be applied to the headers attribute of the allow-http-request-headers-from element, or to the to-ports attribute of the allow-access-from element, in production. Once a wildcard permission has been deployed it can be very hard to restrict later, because there is no easy way to identify what content depends on it. OWASP Reference: Client Side Cross Domain Requests.

External scripts on login page
  Check question: Are there any script tags on the login page whose src points to an external domain?
  Required answer: No

Cacheable entries
  Check question: Are pages with confidential information cached by the browser?
  Required answer: No
  Comments: OWASP Reference: Testing for Logout and Browser Cache Management.
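The header-based checks scattered through the list ("Server version" and "TRACE"/"PUT" under Server HTTP, "Software version", "X-Frame-Options" and "Cacheable entries" under Others) all read the same response headers, so one audit routine covers them. The block below is an added example, not part of the OWASP guide: it takes a response's headers as a dict and returns a finding per failed check. The Allow header it inspects is the one a server returns to an OPTIONS request. The two header sets are constructed samples of a leaky and a hardened configuration.

```python
"""Audit response headers for the disclosure, clickjacking, caching and
HTTP-method checks.

Added example for the 'Server version', 'TRACE method', 'PUT method',
'Software version', 'X-Frame-Options' and 'Cacheable entries' checks; it is
not part of the OWASP guide. The header sets are constructed samples.
"""
import re

# Headers whose only purpose is to announce a technology stack.
TECH_HEADERS = ("x-powered-by", "x-aspnet-version", "x-aspnetmvc-version", "x-generator")


def audit_headers(headers, sensitive_page=True):
    """Return findings for one response's headers (dict, any letter case).
    sensitive_page: the page carries confidential data and so must carry
    Cache-Control: no-store."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    server = h.get("server", "")
    if re.search(r"\d", server):                          # 'Server version' row
        findings.append(f"Server header discloses a version: {server!r}")
    for name in TECH_HEADERS:                             # 'Software version' row
        if name in h:
            findings.append(f"{name} discloses the technology: {h[name]!r}")

    xfo = h.get("x-frame-options", "").strip().upper()    # 'X-Frame-Options' row
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN (clickjacking)")

    if sensitive_page:                                    # 'Cacheable entries' row
        cache = h.get("cache-control", "").lower()
        if "no-store" not in cache:
            findings.append("Cache-Control lacks no-store on a page with confidential data")

    allow = {m.strip().upper() for m in h.get("allow", "").split(",") if m.strip()}
    for method in ("TRACE", "PUT"):                       # 'TRACE method' / 'PUT method' rows
        if method in allow:
            findings.append(f"{method} is advertised in the Allow header")
    return findings


# Constructed samples: a leaky configuration and a hardened one.
LEAKY = {
    "Server": "Apache/2.2.22 (Ubuntu)",
    "X-Powered-By": "PHP/5.3.10",
    "Allow": "GET, HEAD, POST, OPTIONS, TRACE",
    "Cache-Control": "private",
}
HARDENED = {
    "Server": "Apache",
    "X-Frame-Options": "DENY",
    "Cache-Control": "no-store, no-cache, must-revalidate",
    "Allow": "GET, HEAD, POST, OPTIONS",
}

if __name__ == "__main__":
    for label, hdrs in (("leaky", LEAKY), ("hardened", HARDENED)):
        print(label, "->", audit_headers(hdrs) or "no findings")
```

Run it over the headers of the three pages the X-Frame-Options row names (main, login, user settings) plus any page that shows account data; the Allow check is only meaningful on the response to an OPTIONS request, and an empty Allow header means the server did not answer that question, not that the methods are disabled.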

Contributors
Monika Chakraborty monikac@itsecurit.com
Piotr Duszyński piotr@duszynski.eu
Łukasz Pilorz lukasz.pilorz@owasp.org
Amit Kumar Sharma (aKs) amitsharma2009@gmail.com
Paweł Wyleciał pawel.wylecial@gmail.com
Marek Zmysłowski marek.zmyslowski@owasp.org
