wapt generic checklist


Upload: samsung

Post on 06-Jul-2018


8/17/2019 WAPT Generic CheckList

http://slidepdf.com/reader/full/wapt-generic-checklist 1/6

SR. NO. / Type of Test Case

Input Validation

Check for input validation of 'type', length, format, range
Validation of all user inputs at server side (client-side bypass)
Stored XSS
Reflected XSS
Test for SQLi
Test for file upload format validations
Test for OS injection flaws
Test for URL redirection
Content spoofing
Buffer overflows
XML injection
LDAP injection
XPath injection
Directory traversal
XML denial of service

Error/Output Handling

Check for custom error pages
Check for server errors displayed
No sensitive information (IP address, database error messages, file paths, stack trace) is …
HTMLEncode() and URLEncode() used to safely output user input

Authentication Flaws

Test for SQL injection authentication bypass
Direct access to internal objects (files, URLs etc.)
Test for trust relation between linked applications
Password recovery mechanism is secured (old password is not sent to user, protected a…
Change password mechanism is secured (old password is required, no sensitive hidden …
If SQL authentication is used, credentials are adequately secured over the wire (SSL) a…
Organization password policy implemented
Password length
Password complexity
Password history restriction
Account lock-out policy implemented
Single login implemented per user
Username enumeration not possible
Protection against brute-force attacks (CAPTCHA)
Password communication over network should be secure
Last login date/time displayed
Test for back-button browsing (cache management issue)
Test CSRF protection
Fail-safe check: if an error/exception is generated, check whether the application is failing safely o… unauthorized access.
Password in clear text
Password stored in database using secure hashing mechanism
Passwords are stored securely as salted hashes.
Improper session ID validation (backdoors)
Public and restricted areas segregated into separate folders (codebase)
Password reset mechanism is protected
Managing locked/non-active accounts
Existence of 'default/test/dummy' accounts

Session Management

Session IDs should be random
Session IDs should be non-predictable
Session IDs should have cookie flags implemented (HttpOnly, Secure)
Session time-out implemented
Protection against session fixation
Protection against session hijacking
Session variables in GET request
Test for persistent session variables
Replay attack

Authorization Flaws

Access to system-level resources is restricted (OS command injection, LFI)
Bypassing user access control matrix
Test for direct URL access to privileged content/actions (vertical escalation)
Test for access to content/actions of other users (horizontal escalation)
All roles defined in the application are identified and the resources accessible to each r…
Administration interfaces are secured

Application/Server Misconfiguration

Directory indexing disabled
Sensitive data is not passed in GET URLs
Test/default/backup pages stored on server
Plain-text files containing sensitive information stored on server (ref: codebase)
Auto-complete enabled
Weak SSL ciphersuite enabled
Information leakage (version disclosure, system file path information, IP address etc.)
Google indexed data
Sensitive data stored in hidden fields
Application not running with privileged role
Application logs found
Application maintains audit trail of sensitive actions
Abuse of functionality
HTTP verbs enabled (TRACE, PUT, DELETE, PROPFIND)
Production environments segregation
Does it store live user data?
Application denial of service
HTTP response splitting
Anti-automation not implemented
Clickjacking

Secure Data Storage

Checks for secure storage of data
Data storage compliance check of sensitive data such as credit card details / passwor…

Cryptography

The design identifies the correct cryptographic algorithm for the application's data encrypt…
Encryption keys are secured.
Encrypting sensitive configuration files

Business Logic

Application logic bypass due to improper permissions
Abuse of functionalities
Bypass application process flow