Web Application Security Testing Resources


Web Application Security Testing Methodologies

Security assessments in general, and certainly web security assessments, are nearly as much art as science, so everyone has their own favorite method. Below are a few of the main methodologies that are out there.

  • WAHH Checklist
  • WAHH Chapter 20 Methodology
  • OWASP Testing Checklist

Web Application Hacker’s Handbook Checklist (http://portswigger.net/wahh/tasks.html)

[Reproduced with permission from the authors; copyright Dafydd Stuttard and Marcus Pinto]

  • Recon and Analysis
    • Map visible content
    • Discover hidden and default content
    • Test for debug parameters
    • Identify the technologies used
    • Map the attack surface
  • Test Handling of Access
    • Authentication
      • Test password quality rules
      • Test for username enumeration
      • Test resilience to password guessing
      • Test any account recovery function
      • Test any “remember me” function
      • Test any impersonation function
      • Test username uniqueness
      • Check for unsafe distribution of credentials
      • Test for fail-open conditions
      • Test any multi-stage mechanisms
    • Session Handling
      • Test tokens for meaning
      • Test tokens for predictability
      • Check for insecure transmission of tokens
      • Check for disclosure of tokens in logs
      • Check mapping of tokens to sessions
      • Check session termination
      • Check for session fixation
      • Check for cross-site request forgery
      • Test for fail-open conditions
      • Check cookie scope
    • Access Controls
      • Understand the access control requirements
      • Test effectiveness of controls, using multiple accounts if possible
      • Test for insecure access control methods (request parameters, Referer header, etc.)
  • Test the Handling of Input
    • Fuzz all request parameters
    • Test for SQL injection
    • Identify all reflected data
      • Test for reflected XSS
      • Test for HTTP header injection
      • Test for arbitrary redirection
      • Test for stored attacks
    • Test for OS command injection
    • Test for path traversal
    • Test for script injection
    • Test for file inclusion
    • Test for SMTP injection
    • Test for native software flaws (buffer overflow, integer bugs, format strings)
    • Test for SOAP injection
    • Test for LDAP injection
    • Test for XPath injection
  • Test Application Logic
    • Identify the logic attack surface
    • Test transmission of data by the client
    • Test for reliance on client-side input validation
    • Test any thick-client components (Java, ActiveX, Flash)
    • Test multi-stage processes for logic flaws
    • Test handling of incomplete input
    • Test trust boundaries
    • Test transaction logic
  • Assess Application Hosting
    • Test segregation in shared infrastructures
    • Test segregation between ASP-hosted applications
    • Test for web server vulnerabilities
      • Default credentials
      • Default content
      • Proxy functionality
      • Virtual hosting mis-configuration
      • Bugs in web server software
  • Miscellaneous Tests
    • Check for DOM-based attacks
    • Check for frame injection
    • Check for local privacy vulnerabilities
      • Persistent cookies
      • Caching
      • Sensitive data in URL parameters
      • Forms with autocomplete enabled
    • Follow up any information leakage
    • Check for weak SSL ciphers

Web Application Hacker’s Handbook Testing Methodology [From Chapter 20 of the WAHH]

[Reproduced with permission from the authors; copyright Dafydd Stuttard and Marcus Pinto]

Notice that this methodology is organized quite differently from the checklist above. The book itself provides detailed steps under each of the headings listed here; this outline is meant to let you compare the two approaches, not to reproduce that content.

  • Map the Application’s Content
    • Explore Visible Content
    • Consult Public Resources
    • Discover Hidden Content
    • Discover Default Content
    • Enumerate Identifier-Specified Functions
    • Test for Debug Parameters
  • Analyze the Application
    • Identify Functionality
    • Identify Data Entry Points
    • Identify the Technologies Used
    • Map the Attack Surface
  • Test Client-side Controls
    • Test Transmission of Data via the Client
    • Test Client-side Control Over User Input
    • Test Thick-client Components
  • Test the Authentication Mechanism
    • Understand the Mechanism
    • Test Password Quality
    • Test for Username Enumeration
    • Test Resilience to Password Guessing
    • Test Any Account Recovery Function
    • Test Any Remember Me Function
    • Test Any Impersonation Function
    • Test Username Uniqueness
    • Test Predictability of Auto-Generated Credentials
    • Check for Unsafe Transmission of Credentials
    • Test for Logic Flaws
    • Exploit Any Vulnerabilities to Gain Unauthorized Access
  • Test the Session Management Mechanism
    • Understand the Mechanism
    • Test Tokens for Meaning
    • Test Tokens for Predictability
    • Check for Insecure Transmission of Tokens
    • Check for Disclosure of Tokens in Logs
    • Check Mapping of Tokens to Sessions
    • Test Session Termination
    • Check for Session Fixation
    • Check for XSRF
    • Check Cookie Scope
  • Test Access Controls
    • Understand the Access Control Requirements
    • Testing with Multiple Accounts
    • Testing with Limited Access
    • Test for Insecure Access Control Methods
  • Test for Input-Based Vulnerabilities
    • Fuzz All Request Parameters
    • Test for SQL Injection
    • Test for XSS and Other Response Injection
    • Test for OS Command Injection
    • Test for Path Traversal
    • Test for Script Injection
    • Test for File Inclusion
  • Test for Function-Specific Input Vulnerabilities
    • Test for SMTP Injection
    • Test for Native Software Vulnerabilities
    • Test for SOAP Injection
    • Test for LDAP Injection
    • Test for XPath Injection
    • Test for Script Injection
    • Test for File Inclusion
  • Test for Logic Flaws
    • Identify the Key Attack Surface
    • Test Multistage Processes
    • Test Handling of Incomplete Input
    • Test Trust Boundaries
    • Test Transaction Logic
  • Test for Shared Hosting Vulnerabilities
    • Test Segregation in Shared Infrastructures
    • Test Segregation between ASP-Hosted Applications
  • Test for Web Server Vulnerabilities
    • Test for Default Credentials
    • Test for Default Content
    • Test for Dangerous HTTP Methods
    • Test for Proxy Functionality
    • Test for Virtual Hosting Misconfiguration
    • Test for Web Server Software Bugs
  • Miscellaneous Checks
    • Check for DOM-based Attacks
    • Check for Frame Injection
    • Check for Local Privacy Vulnerabilities
    • Follow Up Any Information Leakage
    • Check for Weak SSL Ciphers

The OWASP Testing Methodology Checklist (https://www.owasp.org/index.php/Testing_Checklist)

  • Information Gathering
    • Spiders, Robots, and Crawlers
    • Search Engine Discovery/Reconnaissance
    • Identify application entry points
    • Testing for Web Application Fingerprint
    • Application Discovery
    • Analysis of Error Codes
  • Configuration Management Testing
    • SSL/TLS Testing (SSL Version, Algorithms, Key length, Digital Cert. Validity)
    • DB Listener Testing
    • Infrastructure Configuration Management Testing
    • Application Configuration Management Testing
    • Testing for File Extensions Handling
    • Old, backup and unreferenced files
    • Infrastructure and Application Admin Interfaces
    • Testing for HTTP Methods and XST
  • Authentication Testing
    • Credentials transport over an encrypted channel
    • Testing for user enumeration
    • Testing for Guessable (Dictionary) User Account
    • Brute Force Testing
    • Testing for bypassing authentication schema
    • Testing for vulnerable remember password and pwd reset
    • Testing for Logout and Browser Cache Management
    • Testing for CAPTCHA
    • Testing Multiple Factors Authentication
    • Testing for Race Conditions
  • Session Management
    • Testing for Session Management Schema
    • Testing for Cookies attributes
    • Testing for Session Fixation
    • Testing for Exposed Session Variables
    • Testing for CSRF
  • Authorization Testing
    • Testing for Path Traversal
    • Testing for Bypassing Authorization Schema
    • Testing for Privilege Escalation
  • Business Logic Testing
    • Testing for Business Logic
  • Data Validation Testing
    • Testing for Reflected Cross Site Scripting
    • Testing for Stored Cross Site Scripting
    • Testing for DOM based Cross Site Scripting
    • Testing for Cross Site Flashing
    • SQL Injection
    • LDAP Injection
    • ORM Injection
    • XML Injection
    • SSI Injection
    • XPath Injection
    • IMAP/SMTP Injection
    • Code Injection
    • OS Commanding
    • Buffer overflow
    • Incubated vulnerability
    • Testing for HTTP Splitting/Smuggling
  • Denial of Service Testing
    • Testing for SQL Wildcard Attacks
    • Locking Customer Accounts
    • Testing for DoS Buffer Overflows
    • User Specified Object Allocation
    • User Input as a Loop Counter
    • Writing User Provided Data to Disk
    • Failure to Release Resources
    • Storing too Much Data in Session
  • Web Services Testing
    • WS Information Gathering
    • Testing WSDL
    • XML Structural Testing
    • XML content-level Testing
    • HTTP GET parameters/REST Testing
    • Naughty SOAP attachments
    • Replay Testing
  • Ajax Testing
    • AJAX Vulnerabilities
    • AJAX Testing
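
Most of the OWASP "Testing for Cookies attributes" item (and the WAHH "Check cookie scope" item) comes down to reading Set-Cookie headers carefully and consistently. The script below is an added example, not OWASP code; the Set-Cookie values, the cookie-name heuristic for "looks like a session cookie", and the origin host app.example.com are all constructed for the demo.

```python
"""Added example (not OWASP's code): offline audit of Set-Cookie headers for
'Testing for Cookies attributes' / 'Check cookie scope'. The headers and the
origin host below are constructed for the demo."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Heuristic (mine, not OWASP's): names that usually carry a session identifier.
SESSION_HINT = re.compile(r"sess|sid|token|auth", re.IGNORECASE)


@dataclass
class Cookie:
    name: str
    value: str
    attrs: Dict[str, str]  # lower-cased attribute name -> value ('' for flags)


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value (the part after 'Set-Cookie:')."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value.strip(), attrs)


def audit_cookie(cookie: Cookie, origin_host: str) -> List[str]:
    """Findings for one cookie as seen from a page on origin_host."""
    a = cookie.attrs
    host = origin_host.lower()
    findings: List[str] = []
    if "secure" not in a:
        findings.append("missing Secure: also sent over plain HTTP")
    if "httponly" not in a:
        findings.append("missing HttpOnly: readable by injected script")
    samesite = a.get("samesite", "").lower()
    if not samesite:
        findings.append("no SameSite attribute: relies on the browser default")
    elif samesite == "none":
        findings.append("SameSite=None: sent on cross-site requests")
    # Scope: a Domain of a parent zone hands the cookie to every sibling host.
    domain = a.get("domain", "").lstrip(".").lower()
    if domain and domain != host and host.endswith("." + domain):
        findings.append(f"Domain={a['domain']}: shared with every host under {domain}")
    # Persistence: a session identifier should die with the browser session.
    if ("expires" in a or "max-age" in a) and SESSION_HINT.search(cookie.name):
        findings.append("persistent session cookie: Expires/Max-Age set, survives browser close")
    return findings


def audit_headers(headers: List[str], origin_host: str) -> Dict[str, List[str]]:
    """Map each cookie name to its findings."""
    return {c.name: audit_cookie(c, origin_host) for c in map(parse_set_cookie, headers)}


# Constructed Set-Cookie values, as captured from responses of app.example.com.
SAMPLE_SET_COOKIE = [
    "JSESSIONID=3f2a9c1e7b4d; Path=/; Secure; HttpOnly; SameSite=Lax",
    "sid=8d1c44a0; Domain=.example.com; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT",
    "prefs=theme%3Ddark; Path=/; SameSite=None; Secure",
]

if __name__ == "__main__":
    for name, findings in audit_headers(SAMPLE_SET_COOKIE, "app.example.com").items():
        print(name, findings or ["ok"])
```

Run it over every Set-Cookie header the proxy saw, not just the login response: secondary cookies set by error pages, SSO callbacks or analytics are where over-broad Domain values and missing flags usually hide. A SameSite=None finding is only a problem when the cookie carries authority; on a preferences cookie it is a design choice, which is why the script reports rather than scores.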

Suites / Frameworks

  • Burp Suite
    The premier tool for manual web application vulnerability assessments and penetration tests. The Pro version adds a scanner, and the Intruder tool sets it apart from its peers.
  • HP WebInspect
    An enterprise-focused tool suite that includes a scanner, proxy, and assorted other tools.
  • WebScarabNG
    The latest version of this famous suite from OWASP. Includes a web services module that allows you to parse WSDLs and interact with their associated functions.
  • IBM AppScan
    IBM’s enterprise-focused suite.
  • Acunetix
    Acunetix’s enterprise-focused suite.
  • NTOSpider
    NTObjectives’s enterprise-focused suite.
  • W3af
    w3af is a Web Application Attack and Audit Framework. The project’s goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and extend.
  • Websecurify
    Websecurify is a powerful web application security testing environment designed from the ground up to provide the best combination of automatic and manual vulnerability testing technologies.
  • Samurai
    The Samurai Web Testing Framework is a live Linux environment pre-configured as a web penetration testing platform, bundling the open source tools the project's developers use on their own assessments.
  • Skipfish
    A fully automated, active web application security reconnaissance tool written by Michal Zalewski of Google.
  • RAFT (Response Analysis and Further Testing Tool)
    RAFT is a testing tool for identifying vulnerabilities in web applications. It is a suite of tools built on common shared elements to make testing and analysis easier, and it provides visibility into areas other tools do not, such as the various kinds of client-side storage.
  • Zed Attack Proxy (ZAP)
    The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

Standalone Web Assessment Tools

  • Nikto
    Nikto is a command-line, open source (GPL) web server scanner that performs comprehensive tests against web servers, including checks for over 6400 potentially dangerous files/CGIs, outdated versions of over 1000 servers, and version-specific problems on over 270 servers.
  • Wikto
    Wikto is Nikto for Windows – but with a couple of fancy extra features including Fuzzy logic error code checking, a back-end miner, Google assisted directory mining and real time HTTP request/response monitoring. Wikto is coded in C# and requires the .NET framework.

Web Assessment Utilities

Browser Extensions

  • Websecurify Chrome Extension
    The Chrome Extension version of the Websecurify tool. Performs a scan and tells you the results summary, but there’s no authentication or detailed view of findings. It’s more of a quick-touch option before you run a real tool.
  • XSS Me
    A Firefox extension (part of the Security Compass Exploit-Me series) that submits XSS test strings into form fields and reports whether they come back reflected in the response.
  • SQL Inject Me
    The companion Firefox extension from the same Exploit-Me series, which submits SQL injection test strings into form fields and reports responses that suggest a database error.

Vulnerable Test Websites

These sites are deliberately vulnerable so that web application security scanners can be tested against them. They are designed for this purpose, but I’d check to make sure it’s ok before scanning them (just to be sure).


Download and Configure

Additional Resources


In adding to the lists of vulnerable sites over the years I’ve benefitted from other lists on the Internet, including Astyran which I believe to be a phenomenal websec resource in general.
