Web Security Checklist

Nov 3, 2013



Columns: Check | Description | Required (Yes / No)

Authentication / Authorization

- Login, Forgot Password and Change Password pages are served only over SSL/TLS (HTTPS).
- All sensitive pages (Account Settings, Payment) are served only over SSL/TLS.
- Strong password policy: minimum and maximum password length, plus a password strength checker.
- The Forgot Password page requires a CAPTCHA or a security question before it will (re)send a password reset link.
- A CAPTCHA is required after five unsuccessful login attempts, to stop password guessing.
- Pages that require authentication must not be reachable by direct URL without authenticating; such a request is answered with a customized error page rather than the protected content.
- AutoComplete is set to OFF on the User Profile, Account Settings and Credit Card/Payment pages.
- A password reset link expires after one use, or after a set time interval if it is not used.
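The two time- and count-based controls in this section (a reset link that works once and then dies, and a CAPTCHA that kicks in after five failed logins) are easy to get subtly wrong, so here is an added example of both in Python. It is not code from the checklist; the 15-minute link lifetime, the in-memory store and the class and method names are assumptions made for the demo.

```python
import hashlib
import secrets
import time

# Added example, not part of the checklist. Assumed values: a 15-minute reset
# link lifetime and the checklist's threshold of five failed logins.
RESET_TOKEN_TTL = 15 * 60
CAPTCHA_THRESHOLD = 5


class AuthControls:
    """In-memory store standing in for a database (constructed for the demo)."""

    def __init__(self, clock=time.time):
        self.clock = clock                 # injectable so tests can move time
        self._reset_tokens = {}            # sha256(token) -> (username, expires_at)
        self._failed_logins = {}           # username -> consecutive failures

    # Password reset links: single use, time limited
    def issue_reset_token(self, username):
        token = secrets.token_urlsafe(32)  # 256 bits of randomness in the link
        # Store only a hash: a leaked table then cannot be used to reset accounts
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._reset_tokens[digest] = (username, self.clock() + RESET_TOKEN_TTL)
        return token

    def consume_reset_token(self, token):
        """Return the username the link belongs to, or None if unknown, used or expired."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._reset_tokens.pop(digest, None)   # pop: a link works exactly once
        if entry is None:
            return None
        username, expires_at = entry
        if self.clock() > expires_at:
            return None
        return username

    # Login throttling: demand a CAPTCHA once the failure threshold is reached
    def captcha_required(self, username):
        return self._failed_logins.get(username, 0) >= CAPTCHA_THRESHOLD

    def record_login(self, username, success):
        if success:
            self._failed_logins.pop(username, None)   # a good login clears the counter
        else:
            self._failed_logins[username] = self._failed_logins.get(username, 0) + 1


if __name__ == "__main__":
    now = [0.0]
    auth = AuthControls(clock=lambda: now[0])
    link = auth.issue_reset_token("alice")
    print(auth.consume_reset_token(link))      # alice
    print(auth.consume_reset_token(link))      # None: already used
    for _ in range(CAPTCHA_THRESHOLD):
        auth.record_login("bob", success=False)
    print(auth.captcha_required("bob"))        # True
```

The reset handler should call consume_reset_token before it shows the new-password form, and the login handler should call captcha_required before it even checks the password; counting failures per username (rather than per IP) is what stops a distributed guessing attack against one account.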


Session Management

- A session timeout is always in place (the interval as per requirement).
- The session is invalidated if its session ID is tampered with in a request.
- Sensitive data must not be stored in cookies in the clear; anything that has to live in a cookie is encrypted (and integrity-protected).
- User X's data must not be viewable using user Y's session ID.
- The session expires on logout and all related cookies are deleted.
- A logged-out user's session ID cannot be re-used.
- A new session ID is generated on login (the pre-login ID is discarded).
- If there is a 'Remember Me' feature, its cookie need not expire when the browser closes, but it must expire on logout.
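The session rules above all come down to what the server-side session store does on login, on each request, on logout and on a 'Remember Me' resume. The following added Python example (not from the checklist) models that store: the idle timeout, the remember-me lifetime, the class name and the decision to rotate the persistent token on every resume are assumptions for the demo.

```python
import secrets
import time

# Added example, not part of the checklist. The checklist leaves the timeout
# "as per requirement"; these two values are assumptions for the demo.
IDLE_TIMEOUT = 20 * 60               # seconds without a request before the session dies
REMEMBER_ME_TTL = 30 * 24 * 3600     # lifetime of the persistent 'Remember Me' token


class SessionStore:
    """In-memory session store (constructed for the demo; a real one is shared storage)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self._sessions = {}          # session id -> {"user": str | None, "last_seen": float}
        self._remember_tokens = {}   # remember-me token -> (user, expires_at)

    def anonymous(self):
        """Session handed out before login (shopping cart, CSRF token, etc.)."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "last_seen": self.clock()}
        return sid

    def login(self, old_sid, user, remember=False):
        """Issue a fresh id on login; the pre-login id is dropped so a fixated or
        leaked id cannot become an authenticated one."""
        self._sessions.pop(old_sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": user, "last_seen": self.clock()}
        remember_token = None
        if remember:
            remember_token = secrets.token_urlsafe(32)
            self._remember_tokens[remember_token] = (user, self.clock() + REMEMBER_ME_TTL)
        return new_sid, remember_token

    def user_for(self, sid):
        """Resolve a session id on each request; None means not logged in.
        Unknown ids, tampered ids and idle-expired sessions all end here."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self.clock() - s["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]
            return None
        s["last_seen"] = self.clock()
        return s["user"]

    def logout(self, sid, remember_token=None):
        """Invalidate server side. The response must also clear both cookies,
        but the server-side deletion is what makes a replayed id useless."""
        self._sessions.pop(sid, None)
        if remember_token is not None:
            self._remember_tokens.pop(remember_token, None)

    def resume(self, remember_token):
        """Turn a valid 'Remember Me' token into a new session. The token is
        consumed and a fresh one issued, so a stolen copy works at most once."""
        entry = self._remember_tokens.pop(remember_token, None)
        if entry is None:
            return None, None
        user, expires_at = entry
        if self.clock() > expires_at:
            return None, None
        return self.login(None, user, remember=True)


if __name__ == "__main__":
    store = SessionStore()
    anon = store.anonymous()
    sid, remember = store.login(anon, "alice", remember=True)
    print(store.user_for(anon), store.user_for(sid))   # None alice
    store.logout(sid, remember)
    print(store.user_for(sid), store.resume(remember))  # None (None, None)
```

Two details map directly onto checklist items: user_for is the only way a request learns who it belongs to, which is what keeps user X from being served under user Y's id, and logout removes the remember-me token as well as the session, which is the "expires on logout" requirement for the persistent cookie.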


SQL Injection

SQL injection must be properly handled for all input fields. Basic probes:

1. SQL Injection: '
2. SQL Injection: ' OR 1=1
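To show what the two probes actually do, here is an added Python example (not from the checklist) with a deliberately vulnerable login query beside a parameterized one, run against an in-memory SQLite table. The table, the users and the ' OR '1'='1 variant of probe 2 (which keeps the statement syntactically valid) are constructed for the demo; the passwords are stored in clear text only so the query result is visible, which the Secure Storage section below forbids in real code.

```python
import sqlite3

# Added example, not part of the checklist. Constructed sample table; clear-text
# passwords are used here only to keep the injection result visible.


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable: user input is pasted into the SQL text, so a quote in either
    field changes the query. Probe 1 (a lone ') makes it a syntax error;
    probe 2 in the password field makes the WHERE clause true for every row."""
    sql = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Fixed: the statement is fixed text and the values travel as parameters,
    so a quote is just a character that has to match the stored value."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def probe_single_quote(conn, login_fn):
    """Checklist probe 1: does a lone quote provoke a database error?"""
    try:
        login_fn(conn, "'", "x")
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    conn = make_db()
    bypass = "' OR '1'='1"
    print(login_vulnerable(conn, "nobody", bypass))   # alice: logged in without a password
    print(login_safe(conn, "nobody", bypass))         # None
    print(probe_single_quote(conn, login_vulnerable))  # True: probe 1 shows a SQL error
    print(probe_single_quote(conn, login_safe))        # False
```

The test described in the checklist is exactly probe_single_quote: if a bare quote in any field produces a database error page, the field is concatenated into SQL and probe 2 is worth trying. Parameterized queries are the fix; escaping quotes by hand is not, because it has to be right for every database, charset and field type.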



XSS (Cross Site Scripting)

Cross site scripting must be properly handled for all input fields (on input and when the value is written back into a page). Basic probe:

<script>alert('test');</script>


Secure Storage Check

1. Passwords must not be stored in clear text. They must be stored as salted hashes produced by a slow password-hashing function, not reversibly encrypted.
2. No passwords or other secrets may be hard-coded in the application.


Input Validation Check

1. Validation must be done on both client and server side; only the server-side check can be relied on.
2. All special symbols in input must be handled (validated on input, encoded for the context on output).
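The XSS and Input Validation items are two halves of one defence, so one added Python example (not from the checklist) covers both: a server-side allow-list check for a username, and context-aware encoding when the checklist's <script>alert('test');</script> probe is written into HTML text, an attribute and a script block. The username rule, the page template and the function names are assumptions for the demo.

```python
import html
import json
import re
from urllib.parse import urlsplit

# Added example, not part of the checklist. Assumed allow-list for the demo:
# letters, digits, _ . - and between 3 and 32 characters.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{3,32}")


def validate_username(value):
    """Server-side allow-list check. Client-side validation is a convenience only;
    the server must repeat it because the client can be bypassed or scripted."""
    return isinstance(value, str) and USERNAME_RE.fullmatch(value) is not None


def safe_url(value):
    """Allow only http(s) links with a host. HTML-escaping alone would leave a
    javascript: URL intact inside an href attribute."""
    parts = urlsplit(value)
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return "#"
    return value


def render_profile(display_name, homepage):
    """Encode each value for the context it lands in: HTML text, a quoted
    attribute, and a JavaScript string literal inside a <script> block."""
    text_ctx = html.escape(display_name)                    # < > & " ' become entities
    attr_ctx = html.escape(safe_url(homepage), quote=True)  # quoting keeps the attribute closed
    # json.dumps yields a valid JS string literal; the replace keeps a literal
    # "</script>" inside the data from ending the script block early.
    js_ctx = json.dumps(display_name).replace("</", "<\\/")
    return (
        "<h1>%s</h1>\n" % text_ctx
        + '<a href="%s">homepage</a>\n' % attr_ctx
        + "<script>var displayName = %s;</script>" % js_ctx
    )


if __name__ == "__main__":
    probe = "<script>alert('test');</script>"   # the checklist's XSS probe
    print(validate_username(probe))             # False: rejected on input
    print(render_profile(probe, "javascript:alert(1)"))
```

Validation narrows what a field may contain; encoding makes whatever got through harmless in the place it is printed. Free-text fields such as a display name cannot be allow-listed, which is why the output side has to be correct on its own.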



Browser Checks

- Sensitive pages must not be cached by the browser (e.g. Cache-Control: no-store).





- No hard-coded secrets in JavaScript.
- Web page source must not expose sensitive comments.


File Checks

- Appropriate permissions are enforced for uploading and downloading files.
- Files that require authentication cannot be downloaded directly by URL.
- Only files with allowed extensions can be uploaded.
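An extension allow-list is necessary but is usually defeated by a client-supplied path, a double extension or a mismatch between the name and the bytes, so the following added Python example (not from the checklist) checks all of those and also shows the ownership check a download handler makes instead of serving the upload directory by URL. The allowed types, their magic bytes, the name rule and the owners table are constructed for the demo.

```python
import os
import re

# Added example, not part of the checklist. Assumed allow-list for the demo:
# extension -> magic-byte prefixes the content must start with.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "pdf": (b"%PDF-",),
}
SAFE_STEM_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def check_upload(filename, head):
    """Decide whether an upload is acceptable.

    filename: the name supplied by the client (never trusted)
    head:     the first bytes of the uploaded content
    Returns (True, stored_name) or (False, reason).
    """
    # The client may send a path; keep only the final component and refuse if it differs
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or base != filename:
        return False, "path components are not allowed"
    stem, dot, ext = base.rpartition(".")
    if not dot or not stem:
        return False, "file name needs a name and one extension"
    ext = ext.lower()                 # so photo.PNG is handled like photo.png
    if ext not in ALLOWED_TYPES:
        return False, "extension not allowed: %s" % ext
    # No dots in the stem blocks double extensions such as shell.php.png
    if SAFE_STEM_RE.fullmatch(stem) is None:
        return False, "unsafe file name"
    # The extension says what the file claims to be; the bytes say what it is
    if not any(head.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, "content does not match extension"
    return True, "%s.%s" % (stem, ext)


def download_allowed(owners, stored_name, session_user):
    """Downloads go through this check in a handler, never via a direct URL
    into the upload directory. owners maps stored name -> owning user."""
    if session_user is None:
        return False
    return owners.get(stored_name) == session_user


if __name__ == "__main__":
    png_head = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8     # constructed PNG signature
    print(check_upload("photo.PNG", png_head))          # (True, 'photo.png')
    print(check_upload("shell.php.png", png_head))      # (False, 'unsafe file name')
    print(check_upload("../../etc/passwd", b"root:"))   # (False, 'path components are not allowed')
    print(download_allowed({"photo.png": "alice"}, "photo.png", "bob"))   # False
```

Store uploads outside the web root under the sanitized name and serve them through the handler; then the web server cannot execute them even if a check is later loosened, and "Files cannot be downloaded directly from URL" holds by construction.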


AJAX Request Tampering

Every request must be validated at the server end: a user can change the request parameters with any tool and attempt an unauthorized action.
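The parameter a user most often tampers with is an identifier or a price, so this added Python example (not from the checklist) puts a handler that trusts the AJAX request beside one that re-derives ownership and price from server-side state. The orders, the catalogue and the function names are constructed for the demo.

```python
# Added example, not part of the checklist. Constructed sample data.
ORDERS = {1001: "alice", 1002: "alice", 2001: "bob"}   # order id -> owner
CATALOG = {"sku-1": 1999, "sku-2": 500}                 # sku -> unit price in cents


def cancel_order_vulnerable(session_user, params):
    """Trusts the request: whoever edits order_id in the AJAX call wins."""
    order_id = int(params["order_id"])
    if order_id not in ORDERS:
        return "not found"
    return "cancelled %d" % order_id


def cancel_order_safe(session_user, params):
    """Every decision comes from server-side state, not from the request body."""
    if session_user is None:
        return "unauthenticated"
    try:
        order_id = int(params.get("order_id", ""))
    except ValueError:
        return "bad request"
    owner = ORDERS.get(order_id)
    # Same answer for "does not exist" and "belongs to someone else", so a
    # tampered id cannot be used to enumerate other users' orders
    if owner != session_user:
        return "not found"
    return "cancelled %d" % order_id


def quote_vulnerable(params):
    """Trusts the request: the client names its own price."""
    return int(params["qty"]) * int(params["price"])


def quote_safe(params):
    """Quantity is validated; price comes from the catalogue, and any price field
    the client sent is simply never read. Returns the total in cents or None."""
    try:
        qty = int(params.get("qty", ""))
    except ValueError:
        return None
    if not 1 <= qty <= 100:
        return None
    unit_price = CATALOG.get(params.get("sku"))
    if unit_price is None:
        return None
    return qty * unit_price


if __name__ == "__main__":
    tampered = {"order_id": "1001"}               # bob edits alice's order id into his request
    print(cancel_order_vulnerable("bob", tampered))   # cancelled 1001
    print(cancel_order_safe("bob", tampered))         # not found
    print(quote_vulnerable({"qty": "2", "price": "1"}))                   # 2
    print(quote_safe({"sku": "sku-1", "qty": "2", "price": "1"}))         # 3998
```

The rule the safe handlers follow is that the request may say what the user wants and the session says who they are, but anything that decides whether the action is allowed or what it costs is looked up on the server.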


Web Services

Web services must require a token that proves the request is authenticated and authorized to perform the requested action.


Cross Site Request Forgery (CSRF)

Every form / page must carry a token that expires after some time, so that an inactive page expires and any request submitted from it is not served.
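The Web Services and CSRF items both ask for a token that is unforgeable, carries what it is for and stops working after a while, so one added Python example (not from the checklist) serves both: an HMAC-signed, expiring token that names a caller and its permitted actions for a web service, and the same construction bound to a session ID as a CSRF token. The key handling, the claim names, the one-hour CSRF lifetime and the function names are assumptions for the demo.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# Added example, not part of the checklist. Assumed: one server-side key per
# deployment, loaded from configuration; generated here so the demo runs alone.
SERVER_KEY = secrets.token_bytes(32)


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims, ttl, key=SERVER_KEY, now=None):
    """Sign a dict of claims plus an expiry. Format: base64(body).base64(hmac)."""
    claims = dict(claims, exp=int((now or time.time()) + ttl))
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode("utf-8")
    mac = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(mac)


def verify_token(token, key=SERVER_KEY, now=None):
    """Return the claims if the signature matches and the token is unexpired, else None.
    The MAC is checked before the body is parsed, so only authentic bytes reach json."""
    try:
        body_b64, mac_b64 = token.split(".")
        body, mac = _unb64(body_b64), _unb64(mac_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    claims = json.loads(body)
    if claims.get("exp", 0) < (now or time.time()):
        return None
    return claims


# Web service: the token says who is calling and which actions they may perform
def authorize_service_call(token, action, now=None):
    claims = verify_token(token, now=now)
    return claims is not None and action in claims.get("scope", [])


# CSRF: the token is tied to the session and expires with the page's useful life
def csrf_token_for(session_id, ttl=3600, now=None):
    return mint_token({"use": "csrf", "sid": session_id}, ttl, now=now)


def csrf_valid(token, session_id, now=None):
    claims = verify_token(token, now=now)
    return (
        claims is not None
        and claims.get("use") == "csrf"
        and hmac.compare_digest(claims.get("sid", ""), session_id)
    )


if __name__ == "__main__":
    svc = mint_token({"sub": "billing-service", "scope": ["orders:read"]}, ttl=60)
    print(authorize_service_call(svc, "orders:read"))    # True
    print(authorize_service_call(svc, "orders:write"))   # False: not in scope
    form_token = csrf_token_for("session-abc")
    print(csrf_valid(form_token, "session-abc"))         # True
    print(csrf_valid(form_token, "session-xyz"))         # False: another user's session
```

For the web service the token travels in an Authorization header and the scope check happens per action, which is the "authenticated and authorized" pair the checklist asks for. For CSRF the token goes into a hidden form field and is checked against the session cookie on every state-changing request; because it is signed rather than stored, the server keeps no per-form state, and the expiry is what makes a stale, abandoned page unusable as the checklist describes.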