WAPT Generic Checklist
8/17/2019 WAPT Generic CheckList
http://slidepdf.com/reader/full/wapt-generic-checklist 1/6
SR. NO.  Type of Test Case

Input Validation
1. Check for input validation of 'type', length, format, range
2. Validation of all user inputs at server-side (Client Side Bypass)
3. Stored XSS
4. Reflected XSS
5. Test for SQLi
6. Test for File Upload format validations
7. Test for OS injection flaws
8. Test for URL redirection
9. Content Spoofing
10. Buffer Overflows
11. XML Injection
12. LDAP Injection
13. XPath Injection
14. Directory Traversal
15. XML Denial of Service

Error/Output Handling
16. Check for Custom Error Pages
17. Check for Server Errors displayed
18. No sensitive information (ip address, database error messages, filepaths, stack trace) i
19. HTMLEncode() and URLEncode() used to safely output user input

Authentication Flaws
20. Test for SQL injection authentication bypass
21. Direct access to internal objects (files, URLs etc.)
22. Test for trust relation between linked applications
23. Password recovery mechanism is secured (old password is not sent to user, protected a
24. Change password mechanism is secured (old password is required, no sensitive hidden
25. If SQL authentication is used, credentials are adequately secured over the wire (SSL) a
26. Organization password policy implemented
27. Password length
28. Password complexity
29. Password history restriction
30. Account lock-out policy implemented
31. Single login implemented per user
32. Username enumeration not possible
33. Protection against brute-force attacks (CAPTCHA)
34. Password communication over network should be secure
35. Last login date/time displayed
36. Test for back-button browsing (cache management issue)
37. Test CSRF protection
38. Fail Safe Check. If an error/exception is generated, check if the application is failing safely, without unauthorized access.
39. Password in clear text
40. Password stored in database using secure hashing mechanism
41. Passwords are stored securely as salted hashes.
42. Improper Session ID validation (backdoors)
43. Public and Restricted areas segregated into separate folders (codebase)
44. Password reset mechanism is protected
45. Managing locked/non-active accounts
46. Existence of 'default/test/dummy' accounts

Session Management
47. Session IDs should be random
48. Session IDs should be non-predictable
49. Session IDs should have cookie flags implemented (httponly, secure)
50. Session time-out implemented
51. Protection against session fixation
52. Protection against session hijacking
53. Session variables in GET request
54. Test for persistent session variables
55. Replay Attack
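The Session Management checks above (random / non-predictable session IDs, httponly and secure cookie flags) can be automated over captured Set-Cookie headers; the script below is an added example, not part of the checklist or its author's material, and the headers and cookie names it uses are constructed samples.

```python
"""Added example, not from the checklist's author: automates the Session
Management checks for cookie flags and non-predictable session IDs over
captured Set-Cookie headers. The headers below are constructed samples."""

# Constructed samples: the first three IDs count up in hex, the last is random-looking.
PREDICTABLE = [
    "JSESSIONID=00000000000000000000001A; Path=/",
    "JSESSIONID=00000000000000000000001B; Path=/",
    "JSESSIONID=00000000000000000000001C; Path=/",
]
HARDENED = ["sessionid=3f9a7c2e1b8d4f60a9e2c7d1b5f08a3c; Path=/; HttpOnly; Secure"]

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def looks_sequential(tokens):
    """True when hex tokens step by a small constant, i.e. are predictable."""
    try:
        nums = [int(t, 16) for t in tokens]
    except ValueError:
        return False
    diffs = [b - a for a, b in zip(nums, nums[1:])]
    return bool(diffs) and all(0 < d <= 10 for d in diffs)

def audit_session_cookies(headers, session_names=("sessionid", "jsessionid", "phpsessid")):
    """Return checklist findings (an empty list means the checks passed)."""
    findings, tokens = [], []
    for header in headers:
        name, value, attrs = parse_set_cookie(header)
        if name.lower() not in session_names:
            continue  # only session cookies are in scope for these checks
        tokens.append(value)
        if "httponly" not in attrs:
            findings.append(f"{name}: missing HttpOnly flag")
        if "secure" not in attrs:
            findings.append(f"{name}: missing Secure flag")
        if len(value) < 16:
            findings.append(f"{name}: session ID shorter than 16 characters")
    if len(tokens) >= 3 and looks_sequential(tokens):
        findings.append("session IDs are sequential (predictable)")
    return findings
```

Feed it the Set-Cookie headers from several fresh logins; the sequential check only fires once three or more session IDs have been collected.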
Authorization Flaws
56. Access to system level resources is restricted (OS command injection, LFI)
57. Bypassing user access control matrix
58. Test for direct URL access to privileged content/actions (vertical escalation)
59. Test for access to content/action of other users (horizontal escalation)
60. All roles defined in the application are identified and the resources accessible to each r
61. Administration interfaces are secured

Application/Server Misconfiguration
62. Directory Indexing disabled
63. Sensitive data is not passed in GET URLs
64. Test/Default/Backup pages stored on server
65. Plain-text files containing sensitive information stored on server (ref: codebase)
66. Auto-complete enabled
67. Weak SSL ciphersuite enabled
68. Information leakage (version disclosure, system file path information, ip address etc.)
69. Google Indexed data
70. Sensitive data stored in hidden fields
71. Application not running with privileged role
72. Application logs found
73. Application maintains audit-trail of sensitive actions
74. Abuse of functionality
75. HTTP verbs enabled (Trace, Put, Delete, PropFind)
76. Production environments segregation
77. Does store live user data?
78. Application Denial of Service
79. HTTP Response Splitting
80. Anti Automation not implemented
81. ClickJacking

Secure Data Storage
82. Checks for secure storage of data
83. Data storage compliance check of Sensitive data such as Credit Card Details / Passwor

Cryptography
84. The design identifies correct cryptographic algorithm for the application's data encrypt
85. Encryption keys are secured.
86. Encrypting sensitive configuration files

Business Logic
87. Application logic bypass due to improper permissions
88. Abuse of Functionalities
89. Bypass application process flow