If your organization develops web applications or depends upon them for critical business functions, web app penetration testing is one of the best ways to ensure they are safe from cyberthreats. Our web application penetration testing checklist breaks down two critical resources you can use as guidance for your efforts, including a projected pen test workflow.
Creating an OWASP-Informed Web App Pentesting Checklist
The Open Web Application Security Project (OWASP) is a leader in web application security that publishes open, community-sourced resources. The OWASP Top 10 and the OWASP Testing Guide are among the most valuable of those resources. When developing a web application penetration testing procedure, or a checklist to assess your existing web app pentesting program, these two resources should be your starting point.
Below, we’ll focus on two critical components that inform a pentesting checklist based on these materials.
Penetration testing should be conducted by experienced cybersecurity professionals who stay up to date on the latest threat intelligence. OWASP materials give your organization a solid foundation for understanding web application security and building your web pentest checklist, whether that checklist informs internal procedures or a collaboration with a pentesting partner, like RSI Security.
Checklist Component #1: OWASP Top 10 Web App Security Risks
Understanding your pentest results relies on developing current threat intelligence (i.e., knowledge about the latest cyberthreats, attack methods, vulnerabilities, and more). Without understanding what you’re looking for, or at, penetration testing results will only reveal so much. To begin, familiarize yourself with the OWASP Top 10 Web Application Security Risks. In the 2021 edition, the ten categories, in ranked order, are:
- Broken access control – Failures in the controls that restrict what an authenticated user may do, such as viewing or editing another user’s records or calling administrative functions. Some form of this weakness was tested for in 94 percent of applications, with an average incidence rate of 3.81 percent.
- Cryptographic failures – Previously “Sensitive Data Exposure.” These flaws most commonly entail either a complete lack of cryptography or weak or improperly applied cryptographic controls (obsolete algorithms, hard-coded keys, missing TLS), exposing web app data at rest or in transit.
- Injection – Untrusted data reaching an interpreter (SQL, NoSQL, OS command, LDAP, and, as of 2021, cross-site scripting) as part of a command or query. These flaws were tested for in 94 percent of web apps, with a maximum incidence rate of 19 percent.
- Insecure design – A broad new category for design and architectural flaws, as distinct from implementation flaws; a flawless implementation cannot fix a design that never modeled the threat. The maximum incidence rate for this category was 24.19 percent.
- Security misconfiguration – Moved up from #6 in the 2017 edition; it covers insecure default settings, unnecessary features, verbose error messages, and missing hardening, and had an average incidence rate of about four percent.
- Vulnerable and outdated components – Moved up from #9 in the 2017 edition; it covers unsupported or unpatched libraries, frameworks, and server software. Its average incidence rate of 8.77 percent is the highest in the Top 10.
- Identification and authentication failures – Previously “Broken Authentication.” Weaknesses in confirming user identity, authenticating, and managing sessions (credential stuffing, weak or default passwords, session fixation). Because every authorization decision depends on knowing who the user is, this category is closely tied to #1.
- Software and data integrity failures – New for 2021; it covers code and infrastructure that do not verify integrity, such as auto-update mechanisms or CI/CD pipelines that pull unsigned artifacts, and it absorbs the 2017 “Insecure Deserialization” category.
- Security logging and monitoring failures – Insufficient logging, detection, monitoring, and active response, which lets breaches go unnoticed. The average incidence rate is 6.51 percent, the second-highest in the Top 10.
- Server-side request forgery (SSRF) – Occurs when a web app fetches a remote resource from a user-supplied URL without validating it, letting an attacker make the server issue requests on their behalf. The incidence rate is low (2.72 percent), but the impact in cloud environments is severe, because a server-side request can reach instance metadata services and internal-only admin endpoints.
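As an added illustration of the injection category above (example code written for this article, not OWASP’s), the following Python snippet shows the same login check written two ways against a constructed in-memory SQLite table. The usernames, passwords, and the `admin' --` payload are made up for the demo; only the parameterized version is safe, and the demo returns which of the two lets the payload through.

```python
import sqlite3

# Constructed sample data for this example: two users with deliberately weak,
# plaintext passwords. Real applications must store salted password hashes.
SAMPLE_USERS = [("admin", "Tr0ub4dor&3"), ("alice", "correct horse battery staple")]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds the query by string formatting: the flaw OWASP-IV-002 exists to catch.

    Whatever the caller supplies becomes part of the SQL text, so a username of
    "admin' --" closes the string literal and comments out the password check.
    """
    sql = (f"SELECT username FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same check with bound parameters: the driver sends values separately from
    the SQL text, so quotes and comment markers in the input are just data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def demo() -> dict:
    """Run a legitimate login and a classic bypass payload through both versions."""
    conn = make_db()
    payload = "admin' --"   # constructed attacker input; the password is irrelevant
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "correct horse battery staple"),
        "legit_safe": login_safe(conn, "alice", "correct horse battery staple"),
        "bypass_vulnerable": login_vulnerable(conn, payload, "anything"),
        "bypass_safe": login_safe(conn, payload, "anything"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Both functions accept the real credentials; only `login_vulnerable` also accepts the payload, because the resulting SQL is `... WHERE username = 'admin' --' AND password = 'anything'` and everything after `--` is a comment. The fix is not escaping quotes by hand but never letting user input become SQL text at all.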
These threats don’t constitute a web pentesting checklist on their own; instead, they are a foundation for the more organization-specific body of threat intelligence you use for testing.
Note that numbers nine and ten on OWASP’s list have been added from an industry-wide survey. Amongst the survey results exclusively, security logging and monitoring failures ranked at number three, while SSRF ranked at number one. Given that the Top 10 list is intended to provide a broad consensus, OWASP included these two risks under “the scenario where the security community members are telling us this is important, even though it’s not illustrated in the data at this time.” Accordingly, all ten threats should be well represented in your pen test checklist.
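The SSRF category comes down to one question: does the server validate a user-supplied URL before fetching it? Below is an added example (not code from OWASP or from the original article) of a fetch-target validator in Python. The `DENIED_HOSTNAMES` set, the `FAKE_DNS` table, and the URLs in `demo()` are constructed so the check runs offline; the resolver is injected so the same function uses real DNS in production. It goes beyond the single case in the text by also catching integer and hex IP forms, IPv4-mapped IPv6, credentials in the authority, and names that resolve to private ranges.

```python
import ipaddress
import socket
from typing import Callable, Dict, Optional, Set, Union
from urllib.parse import urlsplit

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Names that must never be fetched on a user's behalf, whatever they resolve to.
DENIED_HOSTNAMES = {"localhost", "metadata.google.internal"}

# Constructed DNS table for the offline demo; production code passes socket.gethostbyname.
FAKE_DNS: Dict[str, str] = {
    "api.partner.example": "1.2.3.4",   # a public address the app legitimately calls
    "rebind.example": "10.0.0.5",       # public-looking name that resolves inside the VPC
}


def fake_resolver(name: str) -> str:
    try:
        return FAKE_DNS[name]
    except KeyError:
        raise socket.gaierror(f"no such host: {name}")


def parse_ip_literal(host: str) -> Optional[IPAddress]:
    """Return the address if host is an IP literal in any form an HTTP client accepts:
    dotted quad, IPv6, or a bare decimal/hex integer such as 2130706433 or 0x7f000001
    (both 127.0.0.1), which defeat naive string checks like startswith("127.")."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        n = int(host, 0)
    except ValueError:
        return None
    return ipaddress.ip_address(n) if 0 <= n <= 0xFFFFFFFF else None


def is_global_address(ip: IPAddress) -> bool:
    """True only for publicly routable unicast addresses. Unwraps IPv4-mapped IPv6
    (::ffff:127.0.0.1) so the IPv4 rules apply to it."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def resolve_safe_target(url: str,
                        resolver: Callable[[str], str] = socket.gethostbyname,
                        allowed_hosts: Optional[Set[str]] = None) -> Optional[str]:
    """Validate a user-supplied URL for a server-side fetch.

    Returns the IP address to connect to, or None if the URL must be rejected.
    Connect to the returned IP (sending the original Host header) instead of
    re-resolving the name, so a DNS answer that changes between check and use
    (DNS rebinding) cannot flip the result. Prefer an explicit allowed_hosts set;
    the private-range check is the fallback when the set of targets is open-ended.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None                       # file://, gopher://, dict:// are not web fetches
    if parts.username is not None or parts.password is not None:
        return None                       # http://api.partner.example@127.0.0.1/ fools naive checks
    host = parts.hostname                 # lower-cased, brackets stripped from IPv6
    if not host or host in DENIED_HOSTNAMES:
        return None
    if allowed_hosts is not None and host not in allowed_hosts:
        return None
    ip = parse_ip_literal(host)
    if ip is None:
        try:
            ip = ipaddress.ip_address(resolver(host))
        except (OSError, ValueError):     # socket.gaierror is an OSError subclass
            return None
    return str(ip) if is_global_address(ip) else None


def demo() -> Dict[str, Optional[str]]:
    """Run the validator over constructed legitimate and attacker URLs."""
    urls = [
        "https://api.partner.example/v1/report",
        "http://127.0.0.1:8080/admin",
        "http://2130706433/",
        "http://0x7f000001/",
        "http://169.254.169.254/latest/meta-data/",
        "http://[::ffff:127.0.0.1]/",
        "http://api.partner.example@127.0.0.1/",
        "http://rebind.example/",
        "file:///etc/passwd",
    ]
    return {u: resolve_safe_target(u, resolver=fake_resolver) for u in urls}


if __name__ == "__main__":
    for url, target in demo().items():
        print(f"{'ALLOW' if target else 'BLOCK'}  {url}  -> {target}")
```

Only the partner API URL is allowed; every other entry is blocked, including the cloud metadata address and the name that resolves to a private range. When testing an application for SSRF, the attacker-side list in `demo()` doubles as a payload set: each one exercises a different gap that a string-matching blocklist leaves open.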
Previous OWASP Top 10 Risks—Updates from 2017
The OWASP Top 10 Web App Security List receives updates every few years. Prior to the 2021 update, the most recent version was released in 2017. A significant change from the previous version is that some older risks have been condensed into those above. The risks that were listed in 2017 but superseded by or combined into their 2021 counterparts are:
- XML external entities (XXE) – These threats involve attackers uploading XML documents, or adding external entity declarations to existing ones, so that a poorly configured XML parser reads local files or makes outbound requests. Previously ranked at four, XXE is now included under the 2021 list’s “security misconfiguration” at five.
- Cross-site scripting (XSS) – These threats involve Reflected XSS (unvalidated or unescaped input echoed straight back in the response), Stored XSS (unsanitized input saved and later rendered for other users), or DOM-based XSS (attacker-controllable data written into the page by client-side script). Previously ranked at seven, XSS is now included under “injection” at three.
- Insecure deserialization – This relatively complex threat vector involves deserialization exploits through modified app logic or tampered data. Remaining at eight, these threats are now included under the new category for 2021, “software and data integrity failures.”
While three new risks were added (insecure design, software and data integrity failures, and SSRF) and two fell in rank (injection from one to three, broken authentication from two to seven), no risk fell completely off the list; the 2017 entries not named above were renamed or merged rather than dropped.
Checklist Component #2: OWASP Web App Penetration Checklist
The OWASP Web Application Penetration Checklist breaks assessment down into a repeatable, 17-part framework. While the checklist doesn’t provide guidance on specific testing methodologies in rigorous detail, it does outline a workflow. Namely, OWASP suggests that web application penetration tests progress through the 17 stages listed below, with pen testers attempting to exploit every vulnerability they discover. Note that this is OWASP’s original checklist, whose items carry OWASP-XX-NNN reference numbers; OWASP’s maintained successor is the Web Security Testing Guide (WSTG), which covers the same ground in far more detail under test IDs of the form WSTG-ATHN-01. Use the list below as the outline and the WSTG for how to actually perform each test.
Attempting exploitation matters because, even when an exploit fails, knowing which control stopped it, and how reliably, tells your organization something about its web app security that a list of unexploited findings cannot, on both the strengths and the weaknesses side.
Web Application Pentesting Workflow: Enumerated Checklist
The stages of a web application pen test, per OWASP, include the following:
- AppDOS – Comprising two total Ref Numbers:
- OWASP-AD-001: Secure against web app traffic flooding
- OWASP-AD-002: Secure against web app account lockout
- AccessControl – Comprising five total Ref Numbers:
- OWASP-AC-001: Analyze web app access control parameters
- OWASP-AC-002: Ensure web app requires user authorization
- OWASP-AC-003: Prevent authorization parameter manipulation
- OWASP-AC-004: Scan for authorization requirement bypasses
- OWASP-AC-005: Ensure proper workflow sequence enforcement
- Authentication – Comprising two total Ref Numbers:
- OWASP-AUTHN-001: Ensure authentication endpoints are HTTPS
- OWASP-AUTHN-002: Ensure no authentication bypass is possible
- Authentication.User – Comprising eight total Ref Numbers:
- OWASP-AUTHN-003: Ensure credentials are sent on encrypted channels
- OWASP-AUTHN-004: Scan for accounts using unsecure, default credentials
- OWASP-AUTHN-005: Ensure usernames do not use public (“wallet”) information
- OWASP-AUTHN-006: Ensure complexity of passwords to prevent easy guessing
- OWASP-AUTHN-007: Require alternative credential to initiate password reset
- OWASP-AUTHN-008: Ensure accounts are locked after repeated login attempts
- OWASP-AUTHN-009: Ensure select structures are not allowed in passwords
- OWASP-AUTHN-010: Ensure no user passwords are blank or can be blank
- Authentication.SessionManagement – Comprising five total Ref Numbers:
- OWASP-AUTHSM-001: Ensure session token durations are appropriate
- OWASP-AUTHSM-002: Ensure session tokens timeout appropriately
- OWASP-AUTHSM-003: Ensure tokens are changed between sessions
- OWASP-AUTHSM-004: Ensure tokens are deleted when sessions end
- OWASP-AUTHSM-005: Ensure session tokens are formatted correctly
- Configuration.Management – Comprising eight items (the published list reuses the reference number OWASP-CM-004 for two of them):
- OWASP-CM-001: Ensure servers don’t support manipulation of resources
- OWASP-CM-002: Determine whether sites are or can be virtually hosted
- OWASP-CM-003: Ensure known vulnerabilities are adequately patched
- OWASP-CM-004: Ensure no backup files of source code are available
- OWASP-CM-004: Ensure all common configuration issues are resolved
- OWASP-CM-005: Ensure web server components don’t open vulnerabilities
- OWASP-CM-006: Scan for common directories within the web app root
- OWASP-CM-007: Secure all language and web app defaults appropriately
- Configuration.Management Infrastructure – Comprising one Ref Number:
- OWASP-CM-008: Ensure admin interfaces to infrastructure are private
- Configuration.Management.Application – Comprising one Ref Number:
- OWASP-CM-009: Ensure admin interfaces to web apps are private
- Error Handling – Comprising two total Ref Numbers:
- OWASP-EH-001: Ensure app error messages do not disclose vulnerabilities
- OWASP-EH-002: Ensure user error messages do not disclose vulnerabilities
- DataProtection – Comprising two total Ref Numbers:
- OWASP-DP-001: Ensure no sensitive HTML data is cached in browser history
- OWASP-DP-002: Ensure data confidentiality and integrity data is protected
- DataProtection.Transport – Comprising five total Ref Numbers:
- OWASP-DP-003: Ensure no SSL/TLS versions with cryptographic weaknesses are offered (today that means SSL 2.0 and 3.0 and TLS 1.0 and 1.1 are disabled)
- OWASP-DP-004: Ensure web server does not allow anonymous key exchange
- OWASP-DP-005: Ensure no weak SSL algorithms are made available
- OWASP-DP-006: Ensure website uses appropriate key lengths for apps
- OWASP-DP-007: Ensure web apps use only valid digital certificates
- InputValidation – Comprising one Ref Number:
- OWASP-IV-001: Ensure no web app input components process scripts
- InputValidation.SQL – Comprising one Ref Number:
- OWASP-IV-002: Ensure no input components process SQL commands
- InputValidation.OS – Comprising one Ref Number:
- OWASP-IV-003: Ensure no input components process OS commands
- InputValidation.LDAP – Comprising one Ref Number:
- OWASP-IV-004: Ensure no input components process LDAP commands
- InputValidation.XSS – Comprising one Ref Number:
- OWASP-IV-005: Ensure web apps won’t store or reflect malicious code
- BufferOverflow – Comprising four total Ref Numbers:
- OWASP-BO-001: Ensure web apps aren’t susceptible to buffer overflows
- OWASP-BO-002: Ensure web apps aren’t susceptible to heap overflows
- OWASP-BO-003: Ensure web apps aren’t susceptible to stack overflows
- OWASP-BO-004: Ensure web apps aren’t susceptible to format string vulnerabilities
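The five Authentication.SessionManagement items map onto a handful of server-side decisions. The following Python session store is an added example (not from OWASP’s checklist or from this article) that shows those decisions in code: token rotation at login (AUTHSM-003), idle and absolute timeouts (AUTHSM-001, AUTHSM-002), destruction at logout (AUTHSM-004), and an opaque 256-bit token format (AUTHSM-005). The timeout values, the `SessionStore` class, and the injected clock are assumptions chosen for the demo.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumed policy values for the demo; tune them to the application's risk profile.
IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before a session dies (AUTHSM-002)
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap on session age regardless of activity (AUTHSM-001)
TOKEN_BYTES = 32              # 256 bits from a CSPRNG, never derived from user data (AUTHSM-005)


@dataclass
class Session:
    user: Optional[str]       # None until the user authenticates
    created: float
    last_seen: float


class SessionStore:
    """Server-side session table keyed by an opaque random token.

    The clock is injectable so the timeouts can be exercised deterministically;
    production code keeps the default, time.time.
    """

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _new_token() -> str:
        return secrets.token_urlsafe(TOKEN_BYTES)   # 43 URL-safe chars, no structure to guess

    def start(self) -> str:
        """Create a pre-authentication session (cart, CSRF token, login-flow state)."""
        now = self._clock()
        token = self._new_token()
        self._sessions[token] = Session(user=None, created=now, last_seen=now)
        return token

    def lookup(self, token: str) -> Optional[Session]:
        """Return the live session for token, or None; expired sessions are removed here."""
        sess = self._sessions.get(token)
        if sess is None:
            return None
        now = self._clock()
        if now - sess.last_seen > IDLE_TIMEOUT or now - sess.created > ABSOLUTE_TIMEOUT:
            del self._sessions[token]
            return None
        sess.last_seen = now
        return sess

    def login(self, pre_auth_token: str, user: str) -> str:
        """Bind the session to user and issue a fresh token (AUTHSM-003).

        Keeping the pre-auth token would let an attacker who planted that token in the
        victim's browser (session fixation) inherit the authenticated session, so the
        old token is discarded and the absolute-timeout clock restarts at login.
        """
        self._sessions.pop(pre_auth_token, None)
        now = self._clock()
        token = self._new_token()
        self._sessions[token] = Session(user=user, created=now, last_seen=now)
        return token

    def logout(self, token: str) -> None:
        """Destroy the session server-side (AUTHSM-004); clearing the cookie alone is not enough."""
        self._sessions.pop(token, None)


def demo() -> Dict[str, bool]:
    """Exercise each checklist item with a fake clock; every value should be True."""
    now = [1_000_000.0]
    store = SessionStore(clock=lambda: now[0])
    pre = store.start()
    auth = store.login(pre, "alice")
    results = {
        "token_rotated_on_login": pre != auth,
        "pre_auth_token_dead": store.lookup(pre) is None,
        "new_token_bound_to_user": store.lookup(auth).user == "alice",
        "token_has_256_bits": len(auth) >= 43,
    }
    now[0] += IDLE_TIMEOUT + 1
    results["expired_after_idle"] = store.lookup(auth) is None

    active = store.login(store.start(), "alice")
    for _ in range(ABSOLUTE_TIMEOUT // IDLE_TIMEOUT + 1):
        now[0] += IDLE_TIMEOUT - 1       # keep the session busy so idle timeout never trips
        store.lookup(active)
    results["expired_after_absolute"] = store.lookup(active) is None

    out = store.login(store.start(), "bob")
    store.logout(out)
    results["gone_after_logout"] = store.lookup(out) is None
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{'PASS' if ok else 'FAIL'}  {check}")
```

When testing a real application against these items, the same sequence is the test plan: capture the pre-login cookie, log in, and confirm the value changed; leave a session idle past the stated timeout and confirm it is rejected; keep a session active past the absolute limit; log out and replay the old cookie. A session that survives any of these steps fails the corresponding AUTHSM item.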
Your organization may model a web app pentesting checklist directly after OWASP’s prescribed workflow. However, it is usually more beneficial to weigh the relevance of each item against your own threat intelligence and to reconcile items that pull in different directions. For example, OWASP-AD-002 (resist account lockout as a denial-of-service vector) and OWASP-AUTHN-008 (lock accounts after repeated failed logins) cannot both be satisfied by a simple hard lockout; current practice favors rate limiting, temporary per-source throttling, and anti-automation controls, which resist password guessing without handing an attacker a way to lock legitimate users out.
Working with a managed security services provider (MSSP), such as a security program advisory specialist, will help to determine which metrics are most apt for your needs—given your risk environment and the nature of your web applications.
NIST SP 800-30 Rev. 1 – Guide for Conducting Risk Assessment
If your organization seeks broader insight into pentesting and results, OWASP recommends supplementing knowledge with the National Institute of Standards and Technology’s (NIST) Special Publication 800-30, Risk Management Guide for Information Technology Systems.
SP 800-30 (and its published revision, see below) is particularly useful in providing additional context and reference for C-suite executives and other senior leaders looking to understand IT systems risks to inform decision-making. However, it’s also applicable in other contexts beyond web application pentesting. For example, the US Department of Health and Human Services (HHS) lists SP 800-30 amongst its NIST-created HIPAA Security Rule compliance guidance materials.
If your organization is directly involved in the healthcare sector or works in a business associate capacity with a covered entity, SP 800-30 can facilitate seamless compliance with the Security Rule. You should also work with a HIPAA advisory provider to ensure the communication and monitoring infrastructure are in place to comply with the Privacy and Breach Notification Rules.
Note: SP 800-30, initially published in 2002, was revised in 2012. SP 800-30 Rev. 1, Guide for Conducting Risk Assessment, supersedes the original, though most core elements are the same.
Other Considerations For Web Application Penetration Testing
Your organization may elect to conduct penetration testing on its web apps exclusively, or it may conduct more comprehensive penetration testing across all systems. In general, there are two primary kinds of penetration tests that can be applied to nearly any security system component:
- External pen testing – A simulated attack that begins from outside the organization’s network perimeter, typically with little or no prior knowledge of, or access to, the target. The primary focus is the internet-facing attack surface: how an attacker gains an initial foothold in the system as a whole or in a specific component.
- Internal pen testing – A simulated attack that begins from an assumed position inside the environment, such as a compromised workstation, a low-privileged account, or a foothold on the web app’s hosting infrastructure, often with some agreed knowledge of the systems. The primary focus is lateral movement and privilege escalation: how far, and how fast, the attacker can reach sensitive data or full control.
Your organization may also use a hybrid approach, such as a pen test that begins externally and then continues internally. Or, you may use external pen testing on some systems (e.g., firewalls and web filters) and internal pen testing on web apps or web app development infrastructure. How much knowledge the tester starts with (black-, gray-, or white-box) is a separate choice from where the test starts, and should be agreed explicitly in the scope.
Professional Web Application Penetration Testing Solutions
To recap the above, the two most critical resources for developing your web application penetration testing checklist are OWASP’s Top 10 Web Application Security Risks and its prescribed Web App Penetration Testing Checklist. While it may be tempting to use the latter as-is, your organization should instead use OWASP’s list as a base model, then customize specific steps and thresholds to your risk environment.
As a cybersecurity expert offering pentesting services and security program advisory, RSI Security can help guide your efforts.
Contact RSI Security today to start!