Security Assessment

The document outlines various security considerations for session management and authentication mechanisms in web applications. It covers aspects such as session handling, cookie security, password policies, and account protection measures, emphasizing the need for secure practices like server-side authentication enforcement and proper handling of sensitive information. Additionally, it highlights the importance of regular security assessments and compliance with best practices to mitigate vulnerabilities.

Uploaded by

Mohammed Hassaa

Session Management

Session Handling Mechanism: Does the application use its own custom-built session handling mechanism, or does it use the built-in mechanisms of ASP.Net, Java, etc.?

Single Session Enforced: Is a single session enforced, or can the user be simultaneously logged in from multiple locations?

Session List Displayed: (If multiple sessions are supported) Verify that an active session list is displayed in the account profile or similar of each user. The user should be able to terminate any active session.

Randomness of Session Token: Does the site use a cryptographically random session token (at least 64 bits of entropy)? (for example, a GUID)

Method of Passing Session Token: Does the site pass the session token from page to page in a cookie or hidden field (good), or in the URL (not secure)? If you disable cookies in the browser, does the application switch to passing the session token in the URL?

Cookieless Sessions: If the site is accessed using a browser that has cookies disabled (or if you send a raw HTTP request to the site without any cookies in it), does the application begin passing the session ID from page to page in the URL? (This is common with applications that use JSESSIONID, but other frameworks can be affected too. See "Cookieless Sessions Enabled" in the CVL.)

Use of Secure Cookies: Does the site mark its session cookie(s) with the "secure" attribute so it can only be passed via SSL?

Use of HttpOnly Cookies: Does the site mark its session cookie(s) with the "HttpOnly" attribute so the cookie cannot be accessed via client-side JavaScript code?

Use of SameSite Cookies: Does the site mark the session cookie(s) with the "SameSite" attribute?

Use of Non-Persistent Cookies For Tracking Session: Does the site use session cookies (with no "Expiration" attribute) for storing its session token, or does it use persistent cookies (with an "Expiration" attribute set to a future date)? Session cookies should be used.

Cookie Scope: Is the scope of the session cookie as restrictive as possible? The most restrictive scope would be to not set a "Domain" attribute for the cookie so that it is only passed back to pages within the FQDN that set the cookie. Some apps require a broader scope, such as ".yourcompany.com", so that the cookie can be passed to multiple subdomains. When possible, session tokens should use the "__Host-" prefix (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie) to provide session cookie confidentiality.
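
The cookie checks above (Secure, HttpOnly, SameSite, non-persistent, narrow scope, the "__Host-" prefix, and the 64-bit entropy floor) can be run over a captured Set-Cookie header. The following is an added example written for this checklist, not code from the original document; the Set-Cookie values are constructed samples, and the entropy estimate is a heuristic upper bound assumed for the example.

```python
"""Session-cookie attribute audit: an added example, not part of the original checklist.

Each Set-Cookie value below is a constructed sample, not a capture from a real site.
The checks mirror the rows above: Secure, HttpOnly, SameSite, no Expires/Max-Age,
narrowest Domain scope, the __Host- prefix rules, and a rough entropy bound on the
token value (the checklist's 64-bit floor).
"""
import math

MIN_TOKEN_BITS = 64


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header value into name, value and lower-cased attributes.

    Splitting on ';' is enough here because Expires dates contain commas, not semicolons.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def approx_token_bits(value: str) -> float:
    """Upper bound on the token's entropy from its alphabet and length (heuristic).

    Hex digits carry at most 4 bits each, base64url characters at most 6; anything else
    is scored by the size of the character set actually used. A token can have less
    entropy than this bound, never more, so a low score is a definite finding.
    """
    core = value.replace("-", "")  # GUID-style separators carry no entropy
    chars = set(core)
    if chars <= set("0123456789abcdef") or chars <= set("0123456789ABCDEF"):
        return 4.0 * len(core)
    b64url = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_+/=")
    if chars <= b64url:
        return 6.0 * len(core.rstrip("="))
    return math.log2(max(len(chars), 2)) * len(core)


def audit_session_cookie(header: str) -> list:
    """Return the findings for one session cookie; an empty list means it passes."""
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure attribute (cookie can be sent over plain HTTP)")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly attribute (readable from client-side JavaScript)")
    samesite = attrs.get("samesite")
    if samesite is None:
        findings.append("missing SameSite attribute")
    elif str(samesite).lower() == "none":
        findings.append("SameSite=None (sent on cross-site requests)")
    if "expires" in attrs or "max-age" in attrs:
        findings.append("persistent cookie (Expires/Max-Age set); a session cookie is expected")
    if "domain" in attrs:
        findings.append(f"Domain={attrs['domain']} shares the cookie with every subdomain")
    if cookie["name"].startswith("__Host-"):
        # Browsers only accept a __Host- cookie when it is Secure, has Path=/ and no Domain.
        if "secure" not in attrs or attrs.get("path") != "/" or "domain" in attrs:
            findings.append("__Host- prefix used but its Secure, Path=/ and no-Domain rules are not met")
    else:
        findings.append("name lacks the __Host- prefix")
    bits = approx_token_bits(cookie["value"])
    if bits < MIN_TOKEN_BITS:
        findings.append(f"token entropy bound is {bits:.0f} bits, below {MIN_TOKEN_BITS}")
    return findings


# Constructed samples: a hardened session cookie and a weak one.
GOOD = "__Host-session=3f9a1c77b2e44d0e9c1b5d6a7e8f9012; Path=/; Secure; HttpOnly; SameSite=Lax"
WEAK = "JSESSIONID=ABC123; Domain=.example.com; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT"

if __name__ == "__main__":
    for sample in (GOOD, WEAK):
        print(sample.split(";")[0], "->", audit_session_cookie(sample) or "OK")
```

Running the weak sample reports every row of the table at once, which is a quicker first pass than reading each cookie by eye; the entropy figure is only a ceiling, so a token that scores well still needs the sequencer-style check described later in the checklist.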

Session Timeout: Does the application have a session timeout that is tracked server-side? What happens when a user attempts to access the site after the user's session has timed out? Can a session be maintained indefinitely?

Permissive or Strict Session Management: Does the web application allow a user to choose their own session ID (permissive), or will the application only accept session IDs that were generated by the application (strict)?

Generating New Session After Login: Does the application generate a new session and assign a new session id to the user immediately after a successful login? (to protect against Session Fixation attacks)

Logout Functionality: Does the application provide a Logout link for the user? Does clicking on the Logout link result in the session being destroyed on the server side as well as clearing any session cookies?
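
The rows on strict session IDs, server-side timeout, a new session after login, server-side logout and the active-session list describe one server-side store. The following is an added example written for this checklist, not code from the original document; the 15-minute idle timeout and the in-memory store are assumptions made for the demonstration.

```python
"""Server-side session handling: an added example, not code from the original checklist.

Demonstrates the rows above in one store: strict session ids (only ids the server
issued are accepted), a new id on login (session fixation), an idle timeout tracked
server-side, logout that destroys the server-side record, and the per-user active
session list with termination. The 15-minute idle timeout is an assumption.
"""
import secrets
import time

IDLE_TIMEOUT_SECONDS = 15 * 60


class SessionStore:
    """All session state lives here; the browser holds only the opaque id."""

    def __init__(self, clock=time.time):
        self._clock = clock  # injectable so expiry can be tested without waiting
        self._sessions = {}  # sid -> {"user": str | None, "last_seen": float}

    def create(self) -> str:
        """Strict mode: ids come from the CSPRNG, never from the client."""
        sid = secrets.token_urlsafe(32)  # 256 bits of entropy
        self._sessions[sid] = {"user": None, "last_seen": self._clock()}
        return sid

    def _expired(self, session: dict) -> bool:
        return self._clock() - session["last_seen"] > IDLE_TIMEOUT_SECONDS

    def get(self, sid: str):
        """Look up a session; unknown or idle-expired ids return None.

        An id the server never issued is simply absent, so a client-chosen id is
        never adopted (a permissive implementation would create a record for it).
        """
        session = self._sessions.get(sid)
        if session is None:
            return None
        if self._expired(session):
            del self._sessions[sid]  # expired server-side regardless of the cookie
            return None
        session["last_seen"] = self._clock()
        return session

    def login(self, pre_login_sid: str, user: str) -> str:
        """After successful authentication, retire the pre-login id and issue a new one."""
        if self.get(pre_login_sid) is not None:
            del self._sessions[pre_login_sid]
        new_sid = self.create()
        self._sessions[new_sid]["user"] = user
        return new_sid

    def logout(self, sid: str) -> None:
        """Destroy the server-side record; clearing the cookie alone is not enough."""
        self._sessions.pop(sid, None)

    def active_sessions(self, user: str) -> list:
        """Ids the 'active sessions' page would list for this user.

        Listing must not refresh last_seen, so expiry is checked without touching it.
        """
        live = []
        for sid, session in list(self._sessions.items()):
            if session["user"] != user:
                continue
            if self._expired(session):
                del self._sessions[sid]
                continue
            live.append(sid)
        return live

    def terminate_others(self, user: str, keep_sid: str) -> int:
        """Let the user end every other session, e.g. after a password change."""
        others = [sid for sid in self.active_sessions(user) if sid != keep_sid]
        for sid in others:
            self.logout(sid)
        return len(others)
```

With the clock injected, the timeout and fixation behaviour can be exercised in a unit test rather than by waiting; a framework session module that cannot be tested this way is a sign the timeout lives only in the cookie.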

Contents of Cookies: Do the cookies set by the application contain any sensitive info, such as the User ID, Roles, system info, etc.?

Cross-Site Request Forgery: Is the application vulnerable to Cross-Site Request Forgery attacks?

Converting POST to GET: Is it possible to convert POST requests to GET requests? If so, does this introduce any security risks, such as CSRF?

ClickJacking: Is it possible to frame the application's pages? If yes, the application is vulnerable to ClickJacking.

"Remember Me" functionality: Does the application have a "Remember Me" option? If so, does using that functionality introduce any new issues, such as storing sensitive information in cookies?

Cross-Origin Resource Sharing Issues: Does the application set an overly permissive CORS policy, an invalid policy (allowing the wildcard * origin), or allow the null origin?

Authentication

Internet Accessible?: Should the test environment be Internet facing? Is it? Check via a VPN such as TunnelBear to rule out whitelisted AppSec IP addresses. If Internet accessible, have any test sites been indexed in search engines such as Google or Shodan, which may increase their exposure or reveal naming conventions? When testing search engines, do not submit the test domain name (e.g., "site:staging.appsecconsulting.com") but instead use elimination searches like "site:appsecconsulting.com site:www.appsecconsulting.com".

Authentication Mechanisms: Does the site employ a standard authentication mechanism or does it use a custom authentication solution? Custom authentication schemes should be looked at very closely. Investigate header usage, e.g. that the Origin header is not used for authentication or access control decisions.

Email Verification: Does the application verify the user can access the email address entered by the user for password resets and other administrative/sensitive tasks?

Server-Side Authentication Enforcement: Verify all authentication controls are enforced on the server side. Only content designated as public should be anonymously accessible via both the user interface and direct requests. Account lockout should also be enforced on the server side.

Storing Credentials In a Cookie: Does the site store user credentials in a cookie and use this as the sole means of controlling access to the user's "logged-in" pages? If yes, this means that the logout button can't destroy the user's session server-side. Recommend storing credentials in the session, server-side. Even encrypted credentials shouldn't be stored client-side.

Password Complexity: Evaluate password complexity requirements against the company's IT Security standards. Verify that there are no password composition rules limiting the type of characters permitted. There should be no requirement for upper or lower case or numbers or special characters. Passwords should be at least 12 characters.

Password Length: Does the application disallow long passwords (at least 64 characters)? This can present as a limited password field length or as incomplete matching. No truncation.

Password Comparison: Does the application perform a case-insensitive comparison for submitted passwords?

Space Character Allowed: Verify that passwords can contain spaces.

Unicode Characters Allowed: Verify that Unicode characters are permitted in passwords. A single Unicode code point is considered a character, so 12 emoji or 64 kanji characters should be valid and permitted.

Password Manager Friendly: Are the password complexity rules password manager friendly? Can passwords be pasted? Can browser password helpers be used?

Unmask Password: Verify that the user can choose to either temporarily view the entire masked password, or temporarily view the last typed character of the password on platforms that do not have this as native functionality.

Password Strength Meter: Verify that a password strength meter is provided to help users set a stronger password.

Password Storage: If access is gained to the DB or another issue allows you to determine password storage, how are passwords handled/stored? Are they modified/truncated? PBKDF2 is best; bcrypt/scrypt are good options too. Is a salt (>= 8 secure random bytes) and a sufficient work factor (>= 1000 iterations) used?

Common Passwords Allowed: Verify that measures are in place to block the use of commonly chosen passwords and weak passphrases (such as the top 1,000 or 10,000 most common passwords).

Password Rotation and History: Verify that there are no requirements to periodically change the password, or tracking of password history. NOTE: Does not apply to PCI related tests.

Password Change Ability: Verify users can change their password.

2FA - Weak Authenticators: Verify that the use of a weak authenticator (i.e. SMS or email) is limited to secondary verification and transaction approval and not used as a replacement for more secure authentication methods. Verify that stronger methods are offered before weak methods, that users are aware of the risks, or that proper measures are in place to limit the risks of account compromise.

2FA - Clear-Text Authenticators: Verify that clear text out-of-band authenticators, such as SMS (text message) or PSTN (telephone), are not offered by default, and that stronger alternatives such as push notifications are offered first.

2FA - Out of Band Verifier Expiration: Verify that any out-of-band verifier expires requests, codes, or tokens after 10 minutes.

2FA - Out of Band Verifier Single-Use: Verify that the out-of-band verifier authentication requests, codes, or tokens are only usable once, and only for the original authentication request.

OTP Expiration: Verify that time-based OTPs have a defined lifetime before expiring.

Account Lockout: Does the site track failed login attempts server-side and lock the user id after a certain number of failed login attempts?

Generic Login Failure Message: Does the site provide a generic login failure message that doesn't indicate whether or not the user ID attempted was a valid user ID? For example, "Your user ID or password is incorrect." Please do a diff of the responses, not just a visual inspection. Also check for application response time differences.

Forgot Password Logic – Information Disclosure: Does the Forgot Password feature give you feedback that indicates whether or not an entered user ID is valid? Please do a diff of the responses, not just a visual inspection. Also check for application response time differences.
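
The password rows above (12-character minimum, long passwords accepted without truncation, case-sensitive comparison, spaces and Unicode allowed, no composition rules, a common-password blocklist, salted PBKDF2) and the two "do a diff of the responses" rows fit together in one small implementation. The following is an added example written for this checklist, not code from the original document; the iteration count, the 128-character cap, the in-memory user store and the three-entry blocklist are assumptions, and a real deployment would use a top-10,000 list.

```python
"""Password policy, storage and generic login responses: an added example, not code
from the original checklist.

Implements the password rows above and the two "do a diff of the responses" rows:
login and forgot-password return one fixed message, and the login path does the
same PBKDF2 work whether or not the user exists, so neither the text nor the
response time distinguishes an unknown user ID from a wrong password.
"""
import hashlib
import hmac
import os

MIN_LENGTH = 12
MAX_LENGTH = 128  # assumption; comfortably above the 64 characters the checklist requires
PBKDF2_ITERATIONS = 600_000  # assumption; far above the checklist's >= 1000 floor
SALT_BYTES = 16  # >= 8 secure random bytes

# Constructed stand-in for a real most-common-passwords list (compared lower-cased).
COMMON_PASSWORDS = {"password1234", "123456789012", "qwertyuiopas"}

GENERIC_LOGIN_FAILURE = "Your user ID or password is incorrect."
GENERIC_RESET_MESSAGE = "If an account exists for that user ID, a reset link has been sent."


def check_password_policy(password: str) -> list:
    """Return the policy violations; an empty list means the password is acceptable.

    len() counts code points, so 12 emoji are 12 characters. There are deliberately
    no rules about upper/lower case, digits, symbols or spaces.
    """
    problems = []
    length = len(password)
    if length < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if length > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("commonly used password")
    return problems


def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256; the full UTF-8 encoding is hashed, nothing is truncated."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Case-sensitive, constant-time comparison against the stored record."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


USERS = {}   # username -> stored hash (constructed in-memory store)
OUTBOX = []  # reset emails a real system would send (constructed stand-in)
# Hashed once at import; used so unknown-user logins cost the same as real ones.
_DUMMY_RECORD = hash_password("placeholder for unknown user ids")


def register(username: str, password: str) -> list:
    problems = check_password_policy(password)
    if not problems:
        USERS[username] = hash_password(password)
    return problems


def login(username: str, password: str):
    """One message and one PBKDF2 computation for both failure cases."""
    record = USERS.get(username, _DUMMY_RECORD)
    matched = verify_password(password, record)
    if matched and username in USERS:
        return True, "ok"
    return False, GENERIC_LOGIN_FAILURE


def forgot_password(username: str) -> str:
    """Same response whether or not the user ID exists; the email is only queued if it does."""
    if username in USERS:
        OUTBOX.append(username)
    return GENERIC_RESET_MESSAGE
```

The dummy record is the part most implementations forget: without it the unknown-user branch returns in microseconds while the wrong-password branch pays for PBKDF2, which is exactly the response-time difference the checklist tells the tester to measure.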

Forgot Password Logic - Security Questions Used: Verify password hints or knowledge-based authentication (so-called "secret questions") are not present.

Forgot Password Logic – Strength of Security Questions: Does the Forgot Password feature allow the user to choose from only a pre-defined list of strong questions? Allowing a user to choose their own security question, or having questions that are easy to brute force the answers to ("What is the color of your favorite car?"), is a security issue.

Forgot Password Logic Bypass: Is there any way to bypass the security question and jump straight to the "Reset password" page, or manipulate the site into changing/resetting another user's password? Are there other logic flaws such as bypassing an out-of-band verifier if used?

Forgot Password Logic – Establishing New Password: Upon requesting a password reset or after answering the security question correctly, does the application:
1. Send a time-sensitive, one-time use, unique link to the email address on file, requiring the user to follow that link before setting a new password. (best)
2. Reset the user's password to a randomly generated temporary value of no less than 8 characters, email it to the email address on file, and force the user to change the password to a permanent value at next login. (not as secure)
3. Other. (evaluate case-by-case)
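
The "time-sensitive, one-time use, unique link" in option 1, and the earlier out-of-band verifier rows (expire after 10 minutes, usable once, only for the original authentication request), are the same mechanism: a server-side store of single-use tokens bound to a purpose and a subject. The following is an added example written for this checklist, not code from the original document; the one-hour reset-link lifetime, the three-guess limit for short codes and the reset URL are assumptions.

```python
"""Single-use, expiring verifier tokens: an added example, not code from the original
checklist.

Serves the out-of-band verifier rows (expire after 10 minutes, usable once, bound to
the original request) and the "time-sensitive, one-time use, unique link" reset flow.
Only a hash of each token is stored, so reading the table does not yield usable
tokens. The one-hour reset-link lifetime, the three-guess limit for short codes and
the URL are assumptions.
"""
import hashlib
import secrets
import time

OOB_CODE_TTL = 10 * 60        # the checklist's 10 minutes
RESET_LINK_TTL = 60 * 60      # assumption: well under the checklist's one-day ceiling
MAX_WRONG_GUESSES = 3         # assumption: a 6-digit code must not be guessable


class OneTimeTokenStore:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._tokens = {}    # sha256(token) -> (purpose, subject, expires_at)
        self._failures = {}  # (purpose, subject) -> wrong guesses so far

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, purpose: str, subject: str, ttl: float, token: str = None) -> str:
        """Store a token bound to (purpose, subject); generate a 256-bit one if none given."""
        token = token or secrets.token_urlsafe(32)
        self._tokens[self._key(token)] = (purpose, subject, self._clock() + ttl)
        return token

    def revoke(self, purpose: str, subject: str) -> None:
        for key, (p, s, _) in list(self._tokens.items()):
            if (p, s) == (purpose, subject):
                del self._tokens[key]

    def redeem(self, token: str, purpose: str, subject: str) -> bool:
        """Consume the token; True only if it exists, is bound to this purpose and
        subject, and has not expired.

        Any presentation removes it (pop), so a token can never be replayed, and
        repeated wrong guesses revoke every outstanding token for that subject.
        """
        entry = self._tokens.pop(self._key(token), None)
        if entry is None or entry[:2] != (purpose, subject):
            failures = self._failures.get((purpose, subject), 0) + 1
            self._failures[(purpose, subject)] = failures
            if failures >= MAX_WRONG_GUESSES:
                self.revoke(purpose, subject)
            return False
        self._failures.pop((purpose, subject), None)
        return self._clock() <= entry[2]


def issue_password_reset_link(store: OneTimeTokenStore, user: str) -> str:
    """Unique link to send to the email on file (hypothetical URL)."""
    token = store.issue("password-reset", user, RESET_LINK_TTL)
    return f"https://app.example.com/reset?token={token}"


def issue_oob_code(store: OneTimeTokenStore, user: str, request_id: str) -> str:
    """Six-digit code tied to one login request, so it cannot be used for another."""
    code = f"{secrets.randbelow(10**6):06d}"
    return store.issue("oob-login", f"{user}:{request_id}", OOB_CODE_TTL, token=code)
```

Binding the subject to the request id is what makes a code "only usable for the original authentication request": a code issued for one login attempt is consumed, not honoured, when presented against another.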

Notification of Sensitive Account Changes: Does the system email the address on file when security information (password/security q's/new device added/email/2FA token) is changed, or the user is logging in from unknown or risky locations? Does this include origin information such as Date/Time, Browser, Operating System, IP Address, and/or Approximate Location?

Notification of Last Login: Does the application present to the user information about their last session? Does this include origin information such as Date/Time, Browser, Operating System, IP Address, and/or Approximate Location?

Link Expiration: Does the password reset/new account confirmation link expire after a short period of time (less than one day)?

Terminate Sessions on Password Change: Verify the user is prompted with the option to terminate all other active sessions after a successful change password process.

Weak Authentication Functions: Verify all account identity authentication functions (such as update profile, forgot password, disabled / lost token, etc.) that might regain access to the account are at least as resistant to attack as the primary authentication mechanism. Use of TOTP or another soft token, or mobile push, is ideal.

Reauthenticating User When Performing Sensitive Transactions: Does the application ask the user to re-enter their old password when making a password change, changing other security info such as the security question and answer or email address/username, or performing a high dollar amount money transfer?

Use of POST Method When Passing Credentials: Are credentials always submitted to the web server via the POST method? Are the user id and/or password ever passed in the URL?

Disabling Browser Autocomplete Feature: Is autocomplete set to false for sensitive inputs? (Note: We do not report this issue for login forms; modern browsers will ignore it anyway to encourage use of password managers.)

Does Application Use Unpredictable User Names?: Are the application's usernames unpredictable or do they follow a pattern? (such as all being 5-digit numbers)

Automation Protection: Verify that anti-automation is in place to prevent breached credential testing, brute forcing, data exfiltration, excessive actions or file uploads, and account lockout attacks.

Default Credentials: Verify there are no default passwords in use for the application framework or any components used by the application (such as "admin/password").

Configuration

Does the application log unhandled exceptions and show the user a generic "technical difficulties" message rather than displaying the detailed error?

Are all pages that should be internal use only placed in a separate folder with IP restrictions? Are very sensitive debug pages in a separate folder that is protected with strong authentication plus IP restrictions?

Are there any backup files or other unnecessary files in web-accessible folders? (home.old, home.bak, etc.)

Are there any .inc files used by the application? Is the web server configured not to serve up these .inc files? (IIS 6 is good by default; IIS 5 needs to be configured to respond with a 404 for .inc files or other specific file types.)

Is Directory Browsing enabled on any of the web folders?

Is any sensitive information included in HTML, JavaScript, or other comments? For example, developer names, system info, URLs to admin pages, etc.

Does the application set the proper response headers to prevent browsers and intermediate proxies from caching sensitive content? (Cache-Control: no-cache, no-store)

Refer to the SSL Checks tab for up-to-date checks.

For applications that are Internet-facing, or that have Production servers that are Internet-facing, run a Qualys or Nessus scan to test for infrastructure-level issues. For Nessus scans, save the .nessus file and .html report (Vulnerabilities by Plug-in) to the repo. For Qualys, save the PDF report to the repo.

When the ETag header is present, is the Apache version older than 2.4.1? This was fixed in 2.4.1 but reports as a false positive in scanners. A partial fix has been ported to 2.2.21. More info: https://bz.apache.org/bugzilla/show_bug.cgi?id=49623

Is detailed software version information exposed by the application? For example, PHP, IIS, Apache, and ASP.NET version numbers displayed in HTTP response headers. Note that Qualys is not always reliable at detecting this.
Are outdated software versions with known vulnerabilities in use? For example, outdated PHP, IIS, Apache, and SQL Server versions.

Run an authenticated application-level scan of all pages/transactions that are safe to scan. Be sure to include functionality that is available to all user Roles; this may require multiple scans. Manually explore each page/transaction before scanning so the scanner will have a good baseline request; do not rely only on automated spidering to find content to scan. Configure the scanner to automatically re-login to maintain the session if needed. If systemic issues such as XSS are identified by the scanner, generate a scan report that details these issues.

Verify that the application accepts only a defined set of required HTTP request methods, such as GET and POST, and that unused methods (e.g. TRACE, PUT, and DELETE) are explicitly blocked. Non-standard HTTP verbs can sometimes bypass application logic.

Verify that a suitable "Referrer-Policy" header is included, such as "no-referrer" or "same-origin".
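
Several of the response-header checks in this document (the CORS and ClickJacking rows in the Session Management section, the Cache-Control check and the Referrer-Policy check above, and the Strict-Transport-Security check in the SSL section) can be run together over one captured response. The following is an added example written for this checklist, not code from the original document; the header sets are constructed samples, `request_origin` is the Origin value the tester sent so that a reflected untrusted origin can be recognised, and the one-year HSTS max-age floor is an assumption.

```python
"""Response-header audit: an added example, not code from the original checklist.

Covers the CORS, ClickJacking, Cache-Control and Referrer-Policy rows, plus the
Strict-Transport-Security check from the SSL section. Header sets are constructed
samples. The one-year HSTS max-age floor is an assumption; the accepted
Referrer-Policy values are the two the checklist names.
"""
import re

ACCEPTED_REFERRER_POLICIES = {"no-referrer", "same-origin"}
MIN_HSTS_MAX_AGE = 365 * 24 * 3600


def audit_response_headers(headers: dict, request_origin: str = None, sensitive: bool = True) -> list:
    """Return findings for one HTTP response; header names are matched case-insensitively."""
    h = {name.lower(): value for name, value in headers.items()}
    findings = []

    # CORS: a wildcard is invalid with credentials, 'null' is trivially obtainable from
    # sandboxed or file: contexts, and reflecting an untrusted Origin allows everyone.
    acao = h.get("access-control-allow-origin")
    credentials = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao == "*":
        findings.append("CORS: wildcard origin" + (" combined with credentials" if credentials else ""))
    elif acao is not None and acao.lower() == "null":
        findings.append("CORS: null origin allowed")
    elif acao is not None and request_origin is not None and acao == request_origin:
        findings.append("CORS: untrusted request Origin reflected" + (" with credentials" if credentials else ""))

    # ClickJacking: either an X-Frame-Options header or a CSP frame-ancestors directive.
    csp = h.get("content-security-policy", "")
    if "frame-ancestors" not in csp and "x-frame-options" not in h:
        findings.append("ClickJacking: page can be framed (no X-Frame-Options or frame-ancestors)")

    # Caching of sensitive content by browsers and intermediate proxies.
    if sensitive and "no-store" not in h.get("cache-control", "").lower():
        findings.append("Caching: sensitive response lacks Cache-Control: no-store")

    if h.get("referrer-policy", "").lower() not in ACCEPTED_REFERRER_POLICIES:
        findings.append("Referrer-Policy: missing or not one of the recommended values")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS: Strict-Transport-Security header missing")
    else:
        match = re.search(r"max-age=(\d+)", hsts)
        if match is None or int(match.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append("HSTS: max-age missing or below one year")
    return findings


# Constructed samples: an API response with the weak settings, and a hardened one.
WEAK_HEADERS = {
    "Content-Type": "application/json",
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
    "Cache-Control": "public, max-age=600",
}
HARDENED_HEADERS = {
    "Content-Type": "application/json",
    "Access-Control-Allow-Origin": "https://app.example.com",
    "Vary": "Origin",
    "Content-Security-Policy": "frame-ancestors 'none'",
    "Cache-Control": "no-store, no-cache",
    "Referrer-Policy": "same-origin",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
}
```

The reflected-origin case is the one a static header review misses: `Access-Control-Allow-Origin: https://app.example.com` looks fine in isolation, so the tester has to send a second request with an Origin the application should not trust and compare the two responses.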

Verify that if application assets, such as JavaScript libraries, CSS stylesheets or web fonts, are hosted externally on a content delivery network (CDN) or external provider, Subresource Integrity (SRI) is used to validate the integrity of the asset.

NOTE: Do not report this for files where using SRI is likely to cause breakage (such as files subject to frequent updates); this is best used with files that include a version number in the path.
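
For a versioned CDN asset, the integrity attribute is a base64 digest of the exact bytes the page expects; the browser recomputes it over what it actually fetched. The following is an added example written for this checklist, not code from the original document; the asset bytes and URL are constructed.

```python
"""Subresource Integrity: an added example, not code from the original checklist.

Generates the integrity attribute for an asset and performs the check a browser
makes before executing it. The asset bytes and URL are constructed.
"""
import base64
import hashlib
import hmac

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """'<algorithm>-<base64 digest>' as used in the integrity attribute."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes) -> str:
    """Tag to emit for a versioned CDN asset; crossorigin is required for cross-origin SRI."""
    return f'<script src="{src}" integrity="{sri_hash(content)}" crossorigin="anonymous"></script>'


def verify_sri(integrity: str, content: bytes) -> bool:
    """Recompute the digest of what was fetched and compare it to the attribute.

    A modified or substituted asset fails here and is not executed.
    """
    algorithm, _, _ = integrity.partition("-")
    if algorithm not in SRI_ALGORITHMS:
        return False
    return hmac.compare_digest(sri_hash(content, algorithm), integrity)


ASSET = b"window.appVersion = '4.2.0';\n"  # constructed stand-in for a versioned library
ASSET_URL = "https://cdn.example.com/lib/4.2.0/lib.min.js"
```

This also shows why the NOTE above matters: the attribute is tied to one exact byte sequence, so a provider that silently re-publishes a file at the same path (minifier upgrade, added banner) breaks the page until the attribute is regenerated, which is why the check is reserved for paths that carry a version number.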

Does the application index content that is not supposed to be publicly accessible? If so, the application search may leak information about the existence of files or their content. Conduct a number of queries against the application search to determine if this is an issue.

Sensitive Data Handling
Are the following data elements being masked if they are returned in a response from the application? SSN, DOB, DLN, CC#, Bank Account #, Password, Security Answer

Is there any sensitive Production data stored in non-Production databases?

Outside of cookies, does the application persist any sensitive application data locally using the Web Storage API (JavaScript window.localStorage), WebSQL (Chrome only), IndexedDB, userData (IE <10 only), Flash SharedObject or HTMLCanvas? In browser Dev Tools, look under the "Storage" tab in Firefox or the "Application" tab in Chrome to view LocalStorage, WebSQL (Chrome only) and IndexedDB data.

Verify that all sensitive data is sent to the server in the HTTP message body or headers (i.e., URL parameters are never used to send sensitive data).

Privilege Escalation

Are there any security weaknesses that could allow one user to gain access to another user's account data? For example, an Account Number being passed around by the application that could be tampered with to access another user's account data.

Are there any security weaknesses that could allow a low privileged user to gain higher privileges? For example, can a normal user access pages and transactions meant only for admin users?

Are there any secret parameters like "debug=true" that will cause the application to provide access to extra functionality?

Is sensitive static content accessible without proper authentication or authorization? Check files such as static web resource files, documents, images and so on for proper access permissions. Improper authentication or authorization may be found in user-provided (uploaded) files, built-in files, help pages, single-page application modules, etc.

Does the application use references such as ID values to reference application objects? Can data be accessed, modified or deleted by modifying ID values without proper authentication or authorization checks? Manually attempt to access object IDs that are known to be associated with other users/tenants. If object references appear somewhat sequential, use Burp Intruder to scan reasonable ranges to attempt to find new content.

Verify that administrative interfaces are not accessible to untrusted parties. This includes middleware interfaces such as Tomcat Manager as well as application-specific interfaces. Access can often be restricted to the Intranet or a corporate IP range to dramatically reduce the risk of unauthorized access.

Verify administrative interfaces use appropriate multi-factor authentication to prevent unauthorized use.

Does the application contain hidden or otherwise disabled parameters or functionality that can be discovered and accessed by re-enabling hidden form elements (Burp -> Proxy/Options, "Response Modification", "Unhide hidden form fields") or inspecting the application code? Single page applications such as those built with React and Angular may contain references to data and functionality that is hidden from the current user's view.

Verify that frameworks protect against mass parameter assignment attacks, or that the application has countermeasures to protect against unsafe parameter assignment, such as marking fields private or similar.
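
The mass-assignment row is easiest to understand as two binders side by side: one that copies every request field the model happens to have, and one that binds only an explicit allow-list. The following is an added example written for this checklist, not code from the original document; the profile model and request payloads are constructed.

```python
"""Mass-assignment countermeasure: an added example, not code from the original checklist.

The unsafe binder copies every request field onto the model, so a client can set
`role`; the safe binder only binds an explicit allow-list. Model and payloads are
constructed for the demonstration.
"""
from dataclasses import dataclass


@dataclass
class UserProfile:
    username: str
    email: str
    display_name: str = ""
    role: str = "user"      # privilege field: must never come from a request body
    is_active: bool = True


BINDABLE_FIELDS = frozenset({"email", "display_name"})  # what a profile update may change


class ForbiddenField(ValueError):
    pass


def bind_unsafe(profile: UserProfile, payload: dict) -> UserProfile:
    """Vulnerable pattern: whatever the client sends and the model has gets set."""
    for name, value in payload.items():
        if hasattr(profile, name):
            setattr(profile, name, value)
    return profile


def bind_allowlisted(profile: UserProfile, payload: dict) -> UserProfile:
    """Hardened pattern: reject any field outside the allow-list rather than silently
    dropping it, so an attempt to set `role` shows up in logs instead of vanishing."""
    extra = set(payload) - BINDABLE_FIELDS
    if extra:
        raise ForbiddenField(f"fields not permitted in this request: {sorted(extra)}")
    for name in BINDABLE_FIELDS & set(payload):
        setattr(profile, name, payload[name])
    return profile
```

Rejecting rather than ignoring the extra field is a deliberate choice: a request that names `role` on a profile-update endpoint is worth an alert, and silently dropping it hides that signal from detection.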

Verify that the same access control rules implied by the presentation layer are enforced on the server side.

Logical Vulnerability Checks

Are there any multi-step processes used by the application where it's possible to skip steps in a way that exploits the application? For example, can you skip straight to the "reset password" page without answering the security question first, or skip past a page that requires solving a captcha?

Verify the application has appropriate limits for specific business actions or transactions, which should be enforced on a per-user basis. (Example: you cannot transfer more than $100 per 24-hour period. Try multiple transactions which add up to over $100.) Similarly, verify the application has business logic limits and validation to protect against likely business risks or threats (postdated transactions, for example). Lightweight threat modeling can assist with this exercise.
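
The $100-per-24-hours example above fails when the limit is checked per transaction instead of against the user's recent history. The following is an added example written for this checklist, not code from the original document; it enforces the rolling window the checklist describes and rejects postdated transactions, with an in-memory ledger and an injected clock constructed for the demonstration.

```python
"""Per-user business limits: an added example, not code from the original checklist.

Enforces the checklist's example rule (no more than $100 of transfers per user per
rolling 24 hours, however the amount is split across transactions) and rejects
postdated transactions. The ledger and clock are constructed for the demonstration.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from decimal import Decimal

DAILY_LIMIT = Decimal("100.00")
WINDOW = timedelta(hours=24)


class TransferLedger:
    def __init__(self, now=lambda: datetime.now(timezone.utc)):
        self._now = now
        self._history = defaultdict(list)  # user -> [(accepted_at, amount)]

    def spent_in_window(self, user: str) -> Decimal:
        """Sum of this user's accepted transfers in the last 24 hours."""
        cutoff = self._now() - WINDOW
        return sum((amt for at, amt in self._history[user] if at > cutoff), Decimal("0"))

    def transfer(self, user: str, amount: Decimal, value_date: datetime = None):
        """Accept or reject one transfer.

        The limit is checked against the user's own history, so splitting $150 into
        three $50 requests is caught on the third rather than passing one at a time.
        """
        now = self._now()
        if amount <= 0:
            return False, "amount must be positive"
        if value_date is not None and value_date > now:
            return False, "postdated transfers are not accepted"
        if self.spent_in_window(user) + amount > DAILY_LIMIT:
            return False, f"rolling 24-hour limit of {DAILY_LIMIT} exceeded"
        self._history[user].append((now, amount))
        return True, "accepted"
```

The negative-amount check is the other half of the same test: a limit on outgoing transfers is meaningless if a client can submit a negative value that the server treats as an incoming one.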

Are there any parameters passed around by the application that could be tampered with to exploit the application? For example, modifying the price of an item by manipulating a hidden field value, or changing an invoice number to view another customer's invoice?

PCI Compliance
Does the application always mask the credit card number in all server responses, displaying at most the first 6 and last 4 digits of the card number? Does it respond with the full card number in any situation? (For example, when the page re-renders after an edit, or when the user back-buttons to the previously-completed credit card page.)

Flash/Flex

Run SWFScan against any significant SWFs hosted on the site and examine results for any actionable vulnerabilities.

Examine any FlashVars accepted as input by the SWF and determine whether any of them can be manipulated to compromise the security of the application.

Examine any communication between the SWF and web server (typically HTTP requests, although sometimes this will be raw TCP traffic). Determine whether these requests can be manipulated to compromise the security of the application.

Does the web server host a crossdomain.xml file that allows Flash access from any domain?

Java

For Java versions less than 1.6.0_24, check the codebase for Double.parseDouble() and try to crash the app by inputting the value: 2.2250738585072011e-308

Apache
Is the Apache server status page publicly accessible? The
default path for this is /server-status, but it can be
configured to other paths.

ASP.NET

Is the WebResource.axd acting as a padding oracle? Use PadBuster or a related tool to check.

Is ASP.NET Tracing turned on? Navigate to http://sampleapplication/trace.axd to check.

For ASP.Net applications, is the built-in request validation turned on for all web pages? It can be turned off on a per-page basis, so all pages should be checked.

SAML Authentication

Does the SAML signature validation remove comments as part of canonicalization when validating the signature? See https://developer.okta.com/blog/2018/02/27/a-breakdown-of-the-new-saml-authentication-bypass-vulnerability

Can the SAML response be Base64 decoded and the saml2:NameID element value be modified to assume the role of another authenticated user? Note that two users are needed in order to test this vulnerability and one user has to be a subset of the other user (i.e. test-user1 and user1). See https://developer.okta.com/blog/2018/02/27/a-breakdown-of-the-new-saml-authentication-bypass-vulnerability

Token Integrity and Validation

Attempt to decode the token using base64, URL, or other common decoding mechanisms. Burp Suite's Decoder may turn out to be useful. Tokens that lack entropy, as checked using Sequencer, can often be decoded.

Check whether the token type is similar to a JWT token; if so, attempt the following JWT checks, all of which can be attempted using the script "JWT_tool.py":
1. Change the token "alg" value to None and resubmit to the site to check whether the token is accepted.
2. Change the algorithm to HS256 and use a public key obtained from the server as the signing key.
3. If the token type is HS256, try cracking the key.
4. If the key can be cracked, or the server is performing inadequate checks, tamper with the token by modifying any parameters pertaining to the user's id or authorization level in order to escalate privileges or trigger errors/injection attacks.

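A server passes the four checks above when it decides the algorithm itself, never from the token header, compares the signature in constant time, uses a key too long to crack, and checks expiry. The following is an added example written for this checklist, not the "JWT_tool.py" script it mentions nor any library's code; the key and claims are constructed, and the 32-byte minimum key length is an assumption.

```python
"""JWT verification that withstands the checks above: an added example, not the
JWT_tool.py script the checklist mentions.

The verifier pins the algorithm server-side (so "alg": "none" and an RS256-to-HS256
swap are rejected before any key is touched), compares signatures in constant time,
requires a key too long to crack, and enforces exp. The key and claims are constructed.
"""
import base64
import hashlib
import hmac
import json
import time

MIN_KEY_BYTES = 32  # 256-bit minimum for HS256 (assumption)


class InvalidToken(Exception):
    pass


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def json_segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(claims: dict, key: bytes) -> str:
    if len(key) < MIN_KEY_BYTES:
        raise ValueError("HS256 key is too short")
    signing_input = f"{json_segment({'alg': 'HS256', 'typ': 'JWT'})}.{json_segment(claims)}"
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(signature)}"


def verify_hs256(token: str, key: bytes, now: float = None) -> dict:
    """Return the claims only if the token is an HS256 token signed with `key` and unexpired."""
    if len(key) < MIN_KEY_BYTES:
        raise ValueError("HS256 key is too short")
    try:
        header_b64, payload_b64, signature_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(signature_b64)
    except (ValueError, TypeError):  # covers binascii.Error and JSONDecodeError
        raise InvalidToken("malformed token")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise InvalidToken("malformed token")
    if header.get("alg") != "HS256":  # the header never chooses the algorithm
        raise InvalidToken(f"algorithm not permitted: {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        raise InvalidToken("signature mismatch")
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise InvalidToken("token expired or has no exp claim")
    return claims


def alg_none_variant(token: str, **overrides) -> str:
    """The unsigned "alg": "none" form of a token (check 1 above), as verifier test input."""
    _, payload_b64, _ = token.split(".")
    claims = dict(json.loads(b64url_decode(payload_b64)), **overrides)
    return f"{json_segment({'alg': 'none', 'typ': 'JWT'})}.{json_segment(claims)}."
```

Pinning the algorithm is what defeats check 2 as well: a token whose header says HS256 but whose signature was computed with the server's RSA public key as an HMAC secret is only accepted by a verifier that lets the header select the key type, and this one never consults the header for that decision.
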
Architecture

Do not use Flash, ActiveX, Silverlight, NaCl, client-side Java or other client-side technologies not supported natively via W3C browser standards.

Does the application contain .js.map files? Examine these files for information disclosures such as application paths, functions, and sensitive developer comments.

Cloud

If applicable, check for the existence of S3 buckets. Is the bucket public or private?
For public buckets, should this bucket be public? Are there any sensitive files hosted?
For all buckets, verify that the ACL on buckets does not allow writing arbitrary files (check both unauthenticated writes as well as writes with a valid AWS access key).

SSL

Deprecated Public Key Length: Install the application on the mobile device or emulator, with a before and after snapshot taken of the file system and (if applicable) registry. Analyze the files to determine whether they contain sensitive information, such as passwords, private encryption keys, credit card numbers, etc.

Default Self-Signed Certificates: If the system is in production this needs to be addressed. Often project teams will not bother in a QA environment.

SSL Certificate Signed With Weak Hashing Algorithm: Is the SSL certificate signed using a weak algorithm such as SHA1 or MD5? (SHA256 is recommended)

CRIME: Check to see if TLS Compression is disabled.

TLS Heartbleed Vulnerability: Test the server for the Heartbleed vulnerability.

Site Lacks Strict Transport Security Policy: If the site is a sensitive Internet-facing site, does it lack a Strict Transport Security Policy? (check for the Strict-Transport-Security HTTP response header)

Renegotiation: Does the server support secure client-initiated renegotiation, allowing DoS attacks? Insecure renegotiation? IIS6 and up are not affected. https://blogs.iis.net/nazim/is-iis-vulnerable-to-the-thc-ssl-dos-attack-tool

SSL Version 2 Enabled: If SSL is being used, is SSL Version 2 enabled? If yes, this is a PCI compliance issue. openssl s_client -ssl2 -connect SERVERNAME:443 > SERVERNAME_SSLV2.txt

SSL Version 3 Enabled: If SSL is being used, is SSL Version 3 enabled?

TLS Version 1.0 Enabled: Is TLS Version 1.0 enabled? For PCI, TLS 1.0 is being deprecated in 2018 and should be entered as a Best Practice finding until June 30, 2018; at which point this will become a Medium finding.

TLS 1.2 or TLS 1.3 Supported: Are TLS Versions 1.2 or 1.3 supported? If not, clients may not be able to connect in the future.

SSL RC4 Cipher Suites Enabled: Are RC4 ciphers enabled?

BEAST: Deprecated - do not report.

Lack of Perfect Forward Secrecy: If the site is a sensitive Internet-facing site, does it lack ciphers that support Perfect Forward Secrecy?

SSL - Weak or NULL Ciphers Enabled: If SSL is being used, are any NULL or weak ciphers enabled (less than 128-bit)? (Pass)

Lack of AEAD Ciphers: Does the server support AEAD suites with TLS 1.2 (AES-GCM, ChaCha20)? (Pass)

OpenSSL CCS Injection: Requires that both server and client are vulnerable. Run scripts to see if the server is vulnerable. The report should state that the exploit can only happen if the client is also vulnerable. Reference: http://www.tripwire.com/state-of-security/incident-detection/detection-script-for-cve-2014-0224-openssl-cipher-change-spec-injection/ (Pass)

Weak / Common DH Primes: Does the server support weak (< 2048 bit) Diffie-Hellman primes? (Pass)

TLS POODLE Vulnerability: Is the server vulnerable to the TLS variant of POODLE? (Pass)

DROWN Vulnerability: Is the certificate used by ANY service that supports SSLv2 (includes mail or other services)? (Pass)

SWEET32 Vulnerability: Are 3DES cipher suites supported, with no Keep-Alive limit? If 3DES ciphers are enabled, run the following command: yawast scan https://www1.example.com --tdessessioncount (Pass)

Domain Certification Authority Authorization (CAA) Record Does Not Exist: FOR ALL TESTS. Ensure that domains have a Certification Authority Authorization (CAA) record scoped to only allow CA certificates from the CAs in use by the company. Details can be found in the CVL template. (Pass)
To install the CAA check tool on Kali:
    apt-get update && apt-get install golang
    mkdir ~/go
    go get github.com/weppos/dnscaa
    git clone https://github.com/weppos/dnscaa.git
    cd dnscaa
    go build cmd/digcaa/digcaa.go
To run the CAA tool:
    ./digcaa google.com

Symantec Signed Certificate In Use: FOR ALL TESTS. Ensure that Symantec-signed certificates are not in use. (Pass)

TLS ROBOT Vulnerability: Ensure that the in-scope server(s) are not vulnerable to the TLS ROBOT attack. (Pass)

OCSP Stapling: Verify that proper certificate revocation checking, such as Online Certificate Status Protocol (OCSP) Stapling, is enabled and configured. (Pass)

Padding Oracles: Verify that the server is not vulnerable to POODLE, GOLDENDOODLE, or other padding oracle issues. (Pass)
