Web Application Security Testing Resources [Link]
Web Application Security Testing Resources
Table of Contents
Web Application Security Testing Methodologies
Web Application Hacker’s Handbook Testing Checklist
Web Application Hacker’s Handbook Chapter 20 Methodology
The OWASP Testing Checklist
Suites and Frameworks
Standalone Scanning Tools
Vulnerable Test Websites
Utilities
Browser Extensions
Additional Resources
Web Application Security Testing Methodologies
Security assessments in general, and certainly web security assessments, are nearly as much art as
science, so everyone has their own favorite method. Below are a few of the main methodologies that are
out there.
Web Application Hacker’s Handbook Testing Checklist
Web Application Hacker’s Handbook Chapter 20 Methodology
1 of 12 29-01-2015 15:21
The OWASP Testing Checklist
WAHH Checklist
Recon and Analysis
Test Handling of Access
Test Handling of Input
Test Application Logic
Assess Application Hosting
Miscellaneous Checks

WAHH Chap. 20
Map the Application’s Content
Analyze the Application
Test Client-side Controls
Test Application Logic
Test the Authentication Mechanism
Test the Session Management Mechanism
Test Access Controls
Test for Input-based Vulnerabilities
Test for Function-specific Vulnerabilities
Test for Logic Flaws
Test for Shared Hosting Vulnerabilities
Test for Web Server Vulnerabilities
Miscellaneous Checks

OWASP Checklist
Information Gathering
Configuration Management Testing
Authentication Testing
Session Management
Authorization Testing
Business Logic Testing
Data Validation Testing
Denial of Service Testing
Web Services Testing
Ajax Testing
Web Application Hacker’s Handbook Checklist ([Link]/wahh/[Link])
[Reproduced with permission from the authors; copyright Dafydd Stuttard and Marcus Pinto]
Recon and Analysis
Map visible content
Discover hidden and default content
Test for debug parameters
Identify the technologies used
Map the attack surface
Test Handling of Access
Authentication
Test password quality rules
Test for username enumeration
Test resilience to password guessing
Test any account recovery function
Test any “remember me” function
Test any impersonation function
Test username uniqueness
Check for unsafe distribution of credentials
Test for fail-open conditions
Test any multi-stage mechanisms
Session Handling
Test tokens for meaning
Test tokens for predictability
Check for insecure transmission of tokens
Check for disclosure of tokens in logs
Check mapping of tokens to sessions
Check session termination
Check for session fixation
Check for cross-site request forgery
Test for fail-open conditions
Check cookie scope
Access Controls
Understand the access control requirements
Test effectiveness of controls, using multiple accounts if possible
Test for insecure access control methods (request parameters, Referer header, etc.)
Test the Handling of Input
Fuzz all request parameters
Test for SQL injection
Identify all reflected data
Test for reflected XSS
Test for HTTP header injection
Test for arbitrary redirection
Test for stored attacks
Test for OS command injection
Test for path traversal
Test for script injection
Test for file inclusion
Test for SMTP injection
Test for native software flaws (buffer overflow, integer bugs, format strings)
Test for SOAP injection
Test for LDAP injection
Test for XPath injection
Test Application Logic
Identify the logic attack surface
Test transmission of data by the client
Test for reliance on client-side input validation
Test any thick-client components (Java, ActiveX, Flash)
Test multi-stage processes for logic flaws
Test handling of incomplete input
Test trust boundaries
Test transaction logic
Assess Application Hosting
Test segregation in shared infrastructures
Test segregation between ASP-hosted applications
Test for web server vulnerabilities
Default credentials
Default content
Proxy functionality
Virtual hosting mis-configuration
Bugs in web server software
Miscellaneous Tests
Check for DOM-based attacks
Check for frame injection
Check for local privacy vulnerabilities
Persistent cookies
Caching
Sensitive data in URL parameters
Forms with autocomplete enabled
Follow up any information leakage
Check for weak SSL ciphers
Web Application Hacker’s Handbook Testing Methodology [From Chapter 20 of the WAHH]
[Reproduced with permission from the authors; copyright Dafydd Stuttard and Marcus Pinto]
Notice that this methodology is quite different from the checklist provided above. Also keep in mind that the book itself provides additional detailed steps in each of the sections listed. This outline is meant to help you compare methodology approaches, not to provide the actual content.
Map the Application’s Content
Explore Visible Content
Consult Public Resources
Discover Hidden Content
Discover Default Content
Enumerate Identifier-Specified Functions
Test for Debug Parameters
Analyze the Application
Identify Functionality
Identify Data Entry Points
Identify the Technologies Used
Map the Attack Surface
Test Client-side Controls
Test Transmission of Data via the Client
Test Client-side Control Over User Input
Test Thick-client Components
Test the Authentication Mechanism
Understand the Mechanism
Test Password Quality
Test for Username Enumeration
Test Resilience to Password Guessing
Test Any Account Recovery Function
Test Any Remember Me Function
Test Any Impersonation Function
Test Username Uniqueness
Test Predictability of Auto-Generated Credentials
Check for Unsafe Transmission of Credentials
Test for Logic Flaws
Exploit Any Vulnerabilities to Gain Unauthorized Access
Test the Session Management Mechanism
Understand the Mechanism
Test Tokens for Meaning
Test Tokens for Predictability
Check for Insecure Transmission of Tokens
Check for Disclosure of Tokens in Logs
Check Mapping of Tokens to Sessions
Test Session Termination
Check for Session Fixation
Check for XSRF
Check Cookie Scope
Test Access Controls
Understand the Access Control Requirements
Testing with Multiple Accounts
Testing with Limited Access
Test for Insecure Access Control Methods
Test for Input-Based Vulnerabilities
Fuzz All Request Parameters
Test for SQL Injection
Test for XSS and Other Response Injection
Test for OS Command Injection
Test for Path Traversal
Test for Script Injection
Test for File Inclusion
Test for Function-Specific Input Vulnerabilities
Test for SMTP Injection
Test for Native Software Vulnerabilities
Test for SOAP Injection
Test for LDAP Injection
Test for XPath Injection
Test for Logic Flaws
Identify the Key Attack Surface
Test Multistage Processes
Test Handling of Incomplete Input
Test Trust Boundaries
Test Transaction Logic
Test for Shared Hosting Vulnerabilities
Test Segregation in Shared Infrastructures
Test Segregation between ASP-Hosted Applications
Test for Web Server Vulnerabilities
Test for Default Credentials
Test for Default Content
Test for Dangerous HTTP Methods
Test for Proxy Functionality
Test for Virtual Hosting Misconfiguration
Test for Web Server Software Bugs
Miscellaneous Checks
Check for DOM-based Attacks
Check for Frame Injection
Check for Local Privacy Vulnerabilities
Follow Up Any Information Leakage
Check for Weak SSL Ciphers
The OWASP Testing Methodology Checklist ([Link]/Testing_Checklist)
Information Gathering
Spiders, Robots, and Crawlers
Search Engine Discovery/Reconnaissance
Identify application entry points
Testing for Web Application Fingerprint
Application Discovery
Analysis of Error Codes
Configuration Management Testing
SSL/TLS Testing (SSL Version, Algorithms, Key length, Digital Cert. Validity)
DB Listener Testing
Infrastructure Configuration Management Testing
Application Configuration Management Testing
Testing for File Extensions Handling
Old, backup and unreferenced files
Infrastructure and Application Admin Interfaces
Testing for HTTP Methods and XST
Authentication Testing
Credentials transport over an encrypted channel
Testing for user enumeration
Testing for Guessable (Dictionary) User Account
Brute Force Testing
Testing for bypassing authentication schema
Testing for vulnerable remember password and pwd reset
Testing for Logout and Browser Cache Management
Testing for CAPTCHA
Testing Multiple Factors Authentication
Testing for Race Conditions
Session Management
Testing for Session Management Schema
Testing for Cookies attributes
Testing for Session Fixation
Testing for Exposed Session Variables
Testing for CSRF
Authorization Testing
Testing for Business Logic
Business Logic Testing
Testing for Business Logic
Data Validation Testing
Testing for Reflected Cross Site Scripting
Testing for Stored Cross Site Scripting
Testing for DOM based Cross Site Scripting
Testing for Cross Site Flashing
SQL Injection
LDAP Injection
ORM Injection
XML Injection
SSI Injection
XPath Injection
IMAP/SMTP Injection
Code Injection
OS Commanding
Buffer overflow
Incubated vulnerability
Testing for HTTP Splitting/Smuggling
Denial of Service Testing
Testing for SQL Wildcard Attacks
Locking Customer Accounts
Testing for DoS Buffer Overflows
User Specified Object Allocation
User Input as a Loop Counter
Writing User Provided Data to Disk
Failure to Release Resources
Storing too Much Data in Session
Web Services Testing
WS Information Gathering
Testing WSDL
XML Structural Testing
XML content-level Testing
HTTP GET parameters/REST Testing
Naughty SOAP attachments
Replay Testing
AJAX Vulnerabilities
AJAX Testing
Suites / Frameworks
Burp Suite
The premier tool for performing manual web application vulnerability assessments and penetration
tests. The pro version includes a scanner, and the Intruder tool makes the offering stand out
amongst its peers.
HP WebInspect
An enterprise-focused tool suite that includes a scanner, proxy, and assorted other tools.
WebScarabNG
The latest version of this famous suite from OWASP. Includes a web services module that allows
you to parse WSDLs and interact with their associated functions.
IBM AppScan
IBM’s enterprise-focused suite.
Acunetix
Acunetix’s enterprise-focused suite.
NTOSpider
NTObjectives’s enterprise-focused suite.
W3af
w3af is a Web Application Attack and Audit Framework. The project’s goal is to create a
framework to find and exploit web application vulnerabilities that is easy to use and extend.
Websecurify
Websecurify is a powerful web application security testing environment designed from the ground
up to provide the best combination of automatic and manual vulnerability testing technologies.
Samurai
Skipfish
A fully automated, active web application security reconnaissance tool written by Michal Zalewski
of Google.
RAFT (Response Analysis and Further Testing Tool)
RAFT is a testing tool for the identification of vulnerabilities in web applications. RAFT is a suite of tools that share common elements to make testing and analysis easier. The tool provides visibility into areas that other tools do not, such as the various kinds of client-side storage.
Zed Attack Proxy (ZAP)
The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding
vulnerabilities in web applications. It is designed to be used by people with a wide range of security
experience and as such is ideal for developers and functional testers who are new to penetration
testing. ZAP provides automated scanners as well as a set of tools that allow you to find security
vulnerabilities manually.
Standalone Web Assessment Tools
Nikto
Nikto is a command-line Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6400 potentially dangerous files/CGIs, checks for outdated versions of over 1000 servers, and version-specific problems on over 270 servers.
Wikto
Wikto is Nikto for Windows, but with a couple of fancy extra features, including fuzzy-logic error code checking, a back-end miner, Google-assisted directory mining and real-time HTTP request/response monitoring. Wikto is coded in C# and requires the .NET framework.
Web Assessment Utilities
[Link] Charset Encoder / String Encrypter
An online, feature-rich tool for changing the encoding of input.
Browser Extensions
Websecurify Chrome Extension
The Chrome Extension version of the Websecurify tool. Performs a scan and tells you the results
summary, but there’s no authentication or detailed view of findings. It’s more of a quick-touch
option before you run a real tool.
XSS Me
The Firefox Extension.
SQL Inject Me
The Firefox Extension.
Vulnerable Test Websites
These sites are intentionally vulnerable so that web app security scanners can be tested against them. They are designed for this purpose, but I’d check to make sure it’s OK before scanning them (just to be sure).
Internet-accessible
Google Gruyere
This one is from Google and you can do it both online and as a local install.
[Link] (HP)
I happen to know this one is OK to scan.
[Link] (IBM)
[Link] (Acunetix)
[Link] (Acunetix)
[Link] (Acunetix)
[Link] (Acunetix)
Cenzic’s Crack Me Bank
Hacker Test
This one is not like the others; it’s not a full website you’d scan, but rather more like a puzzle where
you proceed through various levels.
[Link]
Another challenge, similar to Hacker Test.
The Enigma Group
A beginner-focused online resource for web hacking.
HACKME Game
A software security learning game.
OWASP Hackademic
An OWASP project aimed at helping people learn web security through a series of challenges.
Test Page for the x5s Tool
A test page for XSS meant to be used with the X5S tool.
Download and Configure
Broken Web Apps Project (OWASP)
This is the one you want first; it has over a dozen broken web apps to play with.
Bonsai Moth
A VMware image with a collection of broken web applications that you can use for testing web
scanners and static analysis tools as well as providing an intro to webappsec.
Web Security Dojo (Maven)
Similar to OWASP’s Broken Web Apps project, i.e. multiple broken web apps in one place.
Webgoat (OWASP)
This is the grand poobah of the testing sites because it includes training with it. Note that it’s on the Broken Web Apps image listed above.
Damn Vulnerable Web App
BadStore
Hackme Bank (McAfee)
Hackme Casino (McAfee)
Hackme Books (McAfee)
Hackme Shipping (McAfee)
Hackme Travel (McAfee)
Moth (Bonsai)
SecuriBench (Stanford)
Vicnum (ipsaplus)
Google Gruyere
This one is from Google and you can do it both online and as a local install.
Bodgeit
This is a project named Bodgeit hosted with Google.
The Butterfly
[Link]
Hackxor
LampSecurity
Mutillidae
Insecure Web App Project (OWASP)
Vicnum (OWASP)
Peruggia
Puzzlemall
SQLol
WackoPicko
Web Security Dojo
Additional Resources
Hack This Site Community
Hellbound Hackers
p0wnlabs
Watcher Tests
References
In adding to the lists of vulnerable sites over the years I’ve benefited from other lists on the Internet, including Astyran, which I believe to be a phenomenal websec resource in general.
1 Comment
Davide Puggioni
Hi Daniel, very informative article. To the Internet-accessible websites section I would also add this site [Link], where you can test a series of webapps for XSS, SQLi in your sandbox.
© Daniel Miessler 1999-2015