Web application security is the process of protecting websites against security threats that exploit vulnerabilities in an application's code. Common targets for web application attacks are content management systems (e.g., WordPress) and database administration tools (e.g., phpMyAdmin). Testing your web application's security is something that needs to be taken seriously.
Here is a web application security testing checklist that should be worked through before you decide to take a website live.
1. Server-side control:- Use HTTPS (SSL/TLS) for confidential data, i.e. for all web pages that carry confidential data such as passwords. All secret answers to security questions should likewise be submitted via HTTPS.
2. Server-side validation:- Server-side validation is essential because client-side validation alone can be bypassed: anyone can alter the submitted data or remove the validation entirely by disabling JavaScript (jQuery) in the browser. For example, validate every form on the server. Use "Firebug" and "TamperData" to perform this test, and also try disabling JavaScript in the browser. (For example, you can tamper with the minimum password length, or try to set a new password without supplying the old one: remove the old-password element from the form in Firebug on the client side and then submit it.)
3. SQL Injection:- Check for SQL injection: invalid credentials must never be accepted by the database because of injected SQL. Check for SQL injection on any page in your application that accepts user-supplied input and uses it to access a database.
- Check SQL injection on the login form, signup form, and "forgot password" form.
- Check dynamic pages that use URL variables such as an ID (product information pages are also used to test for SQL injection).
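As an added illustration of the two cases above (a product page driven by a URL ID, and a login form), not code from the original post: the "before" function pastes the URL variable into the SQL text, while the fixed functions validate the input and bind it as a parameter, and the login compares a salted PBKDF2 hash instead of a plaintext password. The in-memory database, table names and sample rows are constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed in-memory database standing in for the application's real one.
db = sqlite3.connect(":memory:")
db.executescript("""
CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, secret INTEGER);
INSERT INTO products VALUES (1, 'Public widget', 0), (2, 'Unreleased gadget', 1);
CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB);
""")

def product_names_unsafe(product_id: str) -> list:
    # The 'before': the URL variable is pasted into the SQL text, so the database
    # parses whatever the client sent as part of the query (the defect under test).
    rows = db.execute(
        f"SELECT name FROM products WHERE secret = 0 AND id = {product_id}")
    return sorted(r[0] for r in rows)

def product_names(product_id: str) -> list:
    # The fix: validate the type on the server, then bind the value as a
    # parameter so the driver never interprets it as SQL.
    if not product_id.isdigit():
        return []
    rows = db.execute(
        "SELECT name FROM products WHERE secret = 0 AND id = ?", (int(product_id),))
    return sorted(r[0] for r in rows)

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def add_user(username: str, password: str) -> None:
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               (username, salt, _hash(password, salt)))

def login(username: str, password: str) -> bool:
    # Parameterised lookup by username, then a constant-time hash comparison;
    # credentials containing quotes or SQL keywords are treated purely as data.
    row = db.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                     (username,)).fetchone()
    return row is not None and hmac.compare_digest(_hash(password, row[0]), row[1])
```

Running the same tautology-style input through both product functions shows the unsafe one leaking the hidden row while the fixed one returns nothing.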
4. Cross-Site Scripting (XSS):- Check that a user is not able to inject malicious scripts into the web application.
5. Password Protection:- Enforce strong-password rules to make brute-force attacks harder.
- The rules for setting a password should be the same across all modules, such as the registration form, change password, and forgot password. If these rules differ, an attacker may exploit the weakest one through brute force.
- To protect the account to a greater extent against brute-force attacks, the password should be a combination of letters, digits and special characters.
- Password fields need to be masked with input type="password".
6. Forgot Password Protection:- Set strong rules for the forgot-password flow, such as:
- There should be a restriction on the number of forgot-password requests sent per day or per "X"-hour interval, or a captcha, so that automated requests are not sent.
- The reset URL has to expire after it has been used once.
- The token associated with the URL should not be guessable, and there should be no pattern that could easily be cracked.
- If the URL is not used within "X" hours then it has to expire (for example, once the URL is generated, if it is not used it has to expire after 72 hours).
- When a new token is generated, the old ones should expire even if they have not been used.
- No website should e-mail a password by resetting it automatically. There has to be a URL that the end user uses to set a new password of his/her choice.
- While the secret answer is typed in Forgot Password, it needs to be masked (the secret answer is also part of authentication, similar to the password).
- Once the password is set, you might want to take the end user to a logged-in state or ask him/her to log in now via a hyperlink (I personally would recommend taking them to the login page and asking them to log in with the new password).
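As an added example of the token rules above (added here, not code from the original post): a small reset-token store that rate-limits requests per day, issues an unguessable random token, stores only its hash, expires it after 72 hours, lets each token be redeemed once, and invalidates an earlier token whenever a new one is issued. The class name, the per-day cap and the injectable clock are assumptions for the example; on a successful redeem the application's own password-change routine would run.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 72 * 3600          # unused links die after 72 hours (the checklist's example)
MAX_REQUESTS_PER_DAY = 3       # cap on forgot-password requests per day (value assumed)

class PasswordResetStore:
    """Constructed in-memory stand-in for the application's reset-token table."""

    def __init__(self, now=time.time):
        self.now = now             # injectable clock so expiry can be exercised
        self.tokens = {}           # username -> (sha256 of token, issued_at)
        self.requests = {}         # username -> timestamps of recent requests

    @staticmethod
    def _digest(token: str) -> str:
        # Only a hash of the token is stored, so a leaked table exposes no live links.
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, username: str):
        """Return a fresh token to put in the e-mailed URL, or None if rate-limited."""
        now = self.now()
        recent = [t for t in self.requests.get(username, []) if now - t < 86400]
        if len(recent) >= MAX_REQUESTS_PER_DAY:
            return None
        self.requests[username] = recent + [now]
        token = secrets.token_urlsafe(32)   # 256 random bits: no pattern to guess
        # Issuing a new token overwrites the old one, so earlier links stop working.
        self.tokens[username] = (self._digest(token), now)
        return token

    def redeem(self, username: str, token: str) -> bool:
        """True exactly once per valid, unexpired token; the caller then sets the password."""
        entry = self.tokens.get(username)
        if entry is None:
            return False
        token_hash, issued_at = entry
        if self.now() - issued_at > TOKEN_TTL:
            del self.tokens[username]      # timed out without being used
            return False
        if not secrets.compare_digest(token_hash, self._digest(token)):
            return False
        del self.tokens[username]          # single use: the link is dead after this
        return True
```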
7. Registration or login:- A captcha should be used at registration and login in order to prevent automation.
8. Change Password:- The user should not be able to log in with the old password after changing the password.
- Once the password has been changed successfully, it must not be possible to log in with both the old and the new password; only the new one should work.
- Log in with the same credentials in Mozilla Firefox and Google Chrome, then change the account's password in Google Chrome. After this, refresh or try to navigate, in Firefox, to a page that only logged-in end users may reach: the Firefox session has to be logged out, because it was established with the old password.
9. Security Question and Secret Answer:-
- Frame the security questions so that the answers are not obvious or easily known. It would be good to give the user the option of choosing a customized security question.
- Secret/security answers should be stored in the database as hashes, not plain text.
- Security-answer fields need to be masked with input type="password".
10. Session Management:-
- Users who are idle for some time should be automatically logged out by expiring their session.
- No confidential details such as passwords should be stored in the cookie.
- Check what information the cookie carries and try to tamper with it using the Mozilla add-on Tamper Data.
- Captcha characters should not be displayed in a cyclic fashion.
- It should not be possible to download all captcha images at once using an add-on like "DownThemAll".
- Use http://free-ocr.com/ to see whether the captcha can be solved by OCR.
- Every refresh of a webpage should display a new captcha.
- I personally insist on using Google reCAPTCHA for your web application because it has not been cracked to date.
- Using question-and-answer type captchas in textual format is good, but not good enough.
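As an added example tying together the server-side validation rule in item 2, the change-password checks in item 8 and the session rules in item 10 (added here, not code from the original post): the cookie carries only a random session id, idle sessions expire, the old password is verified on the server before a change is accepted, and every other session of that user is logged out once the password changes, which is exactly the Firefox/Chrome test above. The class name, the 15-minute idle limit and the injectable clock are assumptions for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

IDLE_TIMEOUT = 15 * 60   # idle limit assumed; the checklist leaves "some time" unspecified

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AuthStore:
    # Constructed in-memory stand-in for the application's user and session tables.
    def __init__(self, now=time.time):
        self.now = now           # injectable clock so the idle timeout can be exercised
        self.users = {}          # user -> (salt, pw_hash, pw_version)
        self.sessions = {}       # session id -> {"user", "last_seen", "pw_version"}

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[user] = (salt, _hash(password, salt), 0)

    def check_password(self, user: str, password: str) -> bool:
        rec = self.users.get(user)
        return rec is not None and hmac.compare_digest(_hash(password, rec[0]), rec[1])

    def login(self, user: str, password: str):
        if not self.check_password(user, password):
            return None
        sid = secrets.token_urlsafe(32)   # the cookie carries only this random id
        self.sessions[sid] = {"user": user, "last_seen": self.now(),
                              "pw_version": self.users[user][2]}
        return sid

    def current_user(self, sid: str):
        s = self.sessions.get(sid)
        if s is None:
            return None
        if (self.now() - s["last_seen"] > IDLE_TIMEOUT
                or s["pw_version"] != self.users[s["user"]][2]):
            del self.sessions[sid]   # idle, or password changed in another browser: log out
            return None
        s["last_seen"] = self.now()
        return s["user"]

    def change_password(self, sid: str, old_password: str, new_password: str) -> bool:
        # Server-side rule: the old password is verified here, whatever the form submitted.
        user = self.current_user(sid)
        if user is None or not self.check_password(user, old_password):
            return False
        salt = os.urandom(16)
        self.users[user] = (salt, _hash(new_password, salt), self.users[user][2] + 1)
        self.sessions[sid]["pw_version"] = self.users[user][2]   # this browser stays logged in
        return True
```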
We hope this post is helpful for you.