Security assessments in general, and certainly web security assessments, are nearly as much art as science, so everyone has their own favorite method. Below are a few of the main methodologies that are out there.

The top-level sections of each methodology, side by side:

WAHH Checklist
    Recon and Analysis
    Test Handling of Access
    Test Handling of Input
    Test Application Logic
    Assess Application Hosting
    Miscellaneous Checks

WAHH Chap. 20
    Map the Application’s Content
    Analyze the Application
    Test Client-side Controls
    Test Application Logic
    Test the Authentication Mechanism
    Test the Session Management Mechanism
    Test Access Controls
    Test for Input-based Vulnerabilities
    Test for Function-specific Vulnerabilities
    Test for Logic Flaws
    Test for Shared Hosting Vulnerabilities
    Test for Web Server Vulnerabilities
    Miscellaneous Checks

OWASP Checklist
    Information Gathering
    Configuration Management Testing
    Authentication Testing
    Session Management
    Authorization Testing
    Business Logic Testing
    Data Validation Testing
    Denial of Service Testing
    Web Services Testing
    Ajax Testing

[Reproduced with permission from authors; copyright Dafydd Stuttard and Marcus Pinto]

Recon and Analysis
    Map visible content
    Discover hidden and default content
    Test for debug parameters
    Identify the technologies used
    Map the attack surface

Test Handling of Access
    Authentication
        Test password quality rules
        Test for username enumeration
        Test resilience to password guessing
        Test any account recovery function
        Test any “remember me” function
        Test any impersonation function
        Test username uniqueness
        Check for unsafe distribution of credentials
        Test for fail-open conditions
        Test any multi-stage mechanisms
    Session Handling
        Test tokens for meaning
        Test tokens for predictability
        Check for insecure transmission of tokens
        Check for disclosure of tokens in logs
        Check mapping of tokens to sessions
        Check session termination
        Check for session fixation
        Check for cross-site request forgery
        Test for fail-open conditions
        Check cookie scope
    Access Controls
        Understand the access control requirements
        Test effectiveness of controls, using multiple accounts if possible
        Test for insecure access control methods (request parameters, Referer header, etc.)

Test the Handling of Input
    Fuzz all request parameters
    Test for SQL injection
    Identify all reflected data
        Test for reflected XSS
        Test for HTTP header injection
        Test for arbitrary redirection
        Test for stored attacks
    Test for OS command injection
    Test for path traversal
    Test for script injection
    Test for file inclusion
    Test for SMTP injection
    Test for native software flaws (buffer overflow, integer bugs, format strings)
    Test for SOAP injection
    Test for LDAP injection
    Test for XPath injection

Test Application Logic
    Identify the logic attack surface
    Test transmission of data by the client
    Test for reliance on client-side input validation
    Test any thick-client components (Java, ActiveX, Flash)
    Test multi-stage processes for logic flaws
    Test handling of incomplete input
    Test trust boundaries
    Test transaction logic

Assess Application Hosting
    Test segregation in shared infrastructures
    Test segregation between ASP-hosted applications
    Test for web server vulnerabilities
        Default credentials
        Default content
        Proxy functionality
        Virtual hosting mis-configuration
        Bugs in web server software

Miscellaneous Tests
    Check for DOM-based attacks
    Check for frame injection
    Check for local privacy vulnerabilities
        Persistent cookies
        Caching
        Sensitive data in URL parameters
        Forms with autocomplete enabled
    Follow up any information leakage
    Check for weak SSL ciphers

[Reproduced with permission from authors; copyright Dafydd Stuttard and Marcus Pinto]

Notice that this methodology is quite different from the checklist provided above. Keep in mind, too, that the book itself provides detailed steps for each of the sections listed; this outline is meant to help you compare methodology approaches, not to reproduce the actual content.

Map the Application’s Content
    Explore Visible Content
    Consult Public Resources
    Discover Hidden Content
    Discover Default Content
    Enumerate Identifier-Specified Functions
    Test for Debug Parameters

Analyze the Application
    Identify Functionality
    Identify Data Entry Points
    Identify the Technologies Used
    Map the Attack Surface

Test Client-side Controls
    Test Transmission of Data via the Client
    Test Client-side Control Over User Input
    Test Thick-client Components

Test the Authentication Mechanism
    Understand the Mechanism
    Test Password Quality
    Test for Username Enumeration
    Test Resilience to Password Guessing
    Test Any Account Recovery Function
    Test Any Remember Me Function
    Test Any Impersonation Function
    Test Username Uniqueness
    Test Predictability of Auto-Generated Credentials
    Check for Unsafe Transmission of Credentials
    Test for Logic Flaws
    Exploit Any Vulnerabilities to Gain Unauthorized Access

Test the Session Management Mechanism
    Understand the Mechanism
    Test Tokens for Meaning
    Test Tokens for Predictability
    Check for Insecure Transmission of Tokens
    Check for Disclosure of Tokens in Logs
    Check Mapping of Tokens to Sessions
    Test Session Termination
    Check for Session Fixation
    Check for XSRF
    Check Cookie Scope

Test Access Controls
    Understand the Access Control Requirements
    Testing with Multiple Accounts
    Testing with Limited Access
    Test for Insecure Access Control Methods

Test for Input-Based Vulnerabilities
    Fuzz All Request Parameters
    Test for SQL Injection
    Test for XSS and Other Response Injection
    Test for OS Command Injection
    Test for Path Traversal
    Test for Script Injection
    Test for File Inclusion

Test for Function-Specific Input Vulnerabilities
    Test for SMTP Injection
    Test for Native Software Vulnerabilities
    Test for SOAP Injection
    Test for LDAP Injection
    Test for XPath Injection
    Test for Script Injection
    Test for File Inclusion

Test for Logic Flaws
    Identify the Key Attack Surface
    Test Multistage Processes
    Test Handling of Incomplete Input
    Test Trust Boundaries
    Test Transaction Logic

Test for Shared Hosting Vulnerabilities
    Test Segregation in Shared Infrastructures
    Test Segregation between ASP-Hosted Applications

Test for Web Server Vulnerabilities
    Test for Default Credentials
    Test for Default Content
    Test for Dangerous HTTP Methods
    Test for Proxy Functionality
    Test for Virtual Hosting Misconfiguration
    Test for Web Server Software Bugs

Miscellaneous Checks
    Check for DOM-based Attacks
    Check for Frame Injection
    Check for Local Privacy Vulnerabilities
    Follow Up Any Information Leakage
    Check for Weak SSL Ciphers

Information Gathering
    Spiders, Robots, and Crawlers
    Search Engine Discovery/Reconnaissance
    Identify application entry points
    Testing for Web Application Fingerprint
    Application Discovery
    Analysis of Error Codes

Configuration Management Testing
    SSL/TLS Testing (SSL Version, Algorithms, Key length, Digital Cert. Validity)
    DB Listener Testing
    Infrastructure Configuration Management Testing
    Application Configuration Management Testing
    Testing for File Extensions Handling
    Old, backup and unreferenced files
    Infrastructure and Application Admin Interfaces
    Testing for HTTP Methods and XST

Authentication Testing
    Credentials transport over an encrypted channel
    Testing for user enumeration
    Testing for Guessable (Dictionary) User Account
    Brute Force Testing
    Testing for bypassing authentication schema
    Testing for vulnerable remember password and pwd reset
    Testing for Logout and Browser Cache Management
    Testing for CAPTCHA
    Testing Multiple Factors Authentication
    Testing for Race Conditions

Session Management
    Testing for Session Management Schema
    Testing for Cookies attributes
    Testing for Session Fixation
    Testing for Exposed Session Variables
    Testing for CSRF
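The session-handling items in the WAHH checklist above (tokens for meaning, tokens for predictability, insecure transmission, cookie scope) and the OWASP "Testing for Cookies attributes" item all come down to a handful of checks you can run against the Set-Cookie headers an application issues. The Python script below is an added example of scripting those checks; it is not code from this page, from WAHH or from OWASP. The three Set-Cookie headers, the host name `app.example.com`, the application path `/shop`, the finding codes and the 64-bit entropy cut-off are all constructed for the example.

```python
"""Scripted checks for the session-cookie items in the checklists above.

Added example, not from this page, WAHH or OWASP. The Set-Cookie headers,
host name and application path are constructed samples and the finding
codes are names chosen for this example.
"""
import base64
import binascii
import math
import re
from collections import Counter

# Below this many bits a token is too short or too low-variety to resist
# guessing. Shannon entropy of ONE token only catches grossly weak values;
# real predictability testing needs hundreds of samples collected over time.
MIN_TOKEN_BITS = 64

# Substrings that suggest the token encodes meaning rather than randomness
# (account words, or an 8-digit run that usually turns out to be a date).
MEANING_RE = re.compile(r"(user|admin|role|uid|name|\d{8})", re.IGNORECASE)


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def token_entropy_bits(token):
    """Shannon entropy of the token (bits per character) times its length."""
    if not token:
        return 0.0
    n = len(token)
    h = -sum(c / n * math.log2(c / n) for c in Counter(token).values())
    return h * n


def decode_if_readable(token):
    """Return the token's base64 decoding if it is printable ASCII, else None."""
    padded = token + "=" * (-len(token) % 4)
    try:
        text = base64.b64decode(padded).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def looks_meaningful(token):
    """True if the raw or base64-decoded token carries recognisable structure."""
    candidates = [token]
    decoded = decode_if_readable(token)
    if decoded:
        candidates.append(decoded)
    return any(MEANING_RE.search(c) for c in candidates)


def audit_cookie(header, host, app_path="/"):
    """Return sorted finding codes for one Set-Cookie header.

    host     - the host the application is served from
    app_path - the path prefix the application lives under
    """
    _, value, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:            # token may travel over plain HTTP
        findings.append("no_secure")
    if "httponly" not in attrs:          # any XSS can read the token
        findings.append("no_httponly")
    samesite = attrs.get("samesite", "").lower()
    if not samesite:                     # no cookie-layer CSRF protection
        findings.append("no_samesite")
    elif samesite == "none":
        findings.append("samesite_none")
    # Scope: a Domain naming a parent domain sends the token to every sibling
    # host; a Path broader than the app shares it with other apps on the host.
    domain = attrs.get("domain", "").lstrip(".").lower()
    if domain and domain != host.lower():
        findings.append("broad_domain")
    cookie_path = attrs.get("path", "/")
    if app_path != "/" and not cookie_path.rstrip("/").startswith(app_path.rstrip("/")):
        findings.append("broad_path")
    # Token meaning and predictability (coarse, single-sample version).
    if token_entropy_bits(value) < MIN_TOKEN_BITS:
        findings.append("low_entropy")
    if looks_meaningful(value):
        findings.append("meaningful")
    return sorted(findings)


# Constructed sample headers (not captured from any real application).
WEAK_COOKIE = "JSESSIONID=user1001-20240105; Path=/; Domain=.example.com"
ENCODED_COOKIE = ("sid=" + base64.b64encode(b"user=admin;role=admin").decode()
                  + "; Path=/shop; Secure; HttpOnly; SameSite=Strict")
GOOD_COOKIE = ("sid=3f9a7c2e8b1d4f6a0e5c9b7d2a4f8e1c; Path=/shop; "
               "Secure; HttpOnly; SameSite=Lax")

if __name__ == "__main__":
    for hdr in (WEAK_COOKIE, ENCODED_COOKIE, GOOD_COOKIE):
        print(hdr)
        print("  findings:", audit_cookie(hdr, "app.example.com", "/shop") or "none")
```

The second sample is the one worth noticing: its flags and scope are all correct and its entropy estimate looks healthy, yet the token base64-decodes to a readable user/role string, which is exactly the "test tokens for meaning" case that an attribute-only check misses.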

Authorization Testing
    Testing for Business Logic

Business Logic Testing
    Testing for Business Logic

Data Validation Testing
    Testing for Reflected Cross Site Scripting
    Testing for Stored Cross Site Scripting
    Testing for DOM based Cross Site Scripting
    Testing for Cross Site Flashing
    SQL Injection
    LDAP Injection
    ORM Injection
    XML Injection
    SSI Injection
    XPath Injection
    IMAP/SMTP Injection
    Code Injection
    OS Commanding
    Buffer overflow
    Incubated vulnerability
    Testing for HTTP Splitting/Smuggling

Denial of Service Testing
    Testing for SQL Wildcard Attacks
    Locking Customer Accounts
    Testing for DoS Buffer Overflows
    User Specified Object Allocation
    User Input as a Loop Counter
    Writing User Provided Data to Disk
    Failure to Release Resources
    Storing too Much Data in Session

Web Services Testing
    WS Information Gathering
    Testing WSDL
    XML Structural Testing
    XML content-level Testing
    HTTP GET parameters/REST Testing
    Naughty SOAP attachments
    Replay Testing

Ajax Testing
    AJAX Vulnerabilities
    AJAX Testing

OWASP ASVS

The OWASP ASVS is a phenomenal testing methodology for faster tests where your primary goal is making sure you’re not missing something major.

It breaks things down by the risk of the application you’re testing, based on three levels:

Level 1: Opportunistic, meant for all software

Level 2: Standard, for applications that contain sensitive data that requires protection

Level 3: Advanced, for the most critical applications

The testing sections cover the following.

And for each of those sections you get a table that looks like this:

Burp Suite

The premier tool for performing manual web application vulnerability assessments and penetration tests. The pro version includes a scanner, and the Intruder tool makes the offering stand out amongst its peers.

Netsparker

One of the best automated scanning tools on the market right now, which is why I’m currently doing a sponsorship deal with them for the site. For automated scanning I’d say that Netsparker and WebInspect are pretty close in quality of results, with every other tool being significantly behind.

HP WebInspect

An enterprise-focused tool suite that includes a scanner, proxy, and assorted other tools.

WebScarabNG

The latest version of this famous suite from OWASP. Includes a web services module that allows you to parse WSDLs and interact with their associated functions.

IBM AppScan

IBM’s enterprise-focused suite.

Arachni

Acunetix

Acunetix’s enterprise-focused suite.

AppSpider

Rapid 7’s enterprise-focused suite, based on the NTObjectives scanner.

W3af

W3af is a Web Application Attack and Audit Framework. The project’s goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and extend.

Websecurify

Websecurify is a powerful web application security testing environment designed from the ground up to provide the best combination of automatic and manual vulnerability testing technologies.

Samurai

Samurai is another web scanner by InGuardians.

Skipfish

A fully automated, active web application security reconnaissance tool written by Michal Zalewski of Google.

RAFT (Response Analysis and Further Testing Tool)

RAFT is a testing tool for the identification of vulnerabilities in web applications. RAFT is a suite of tools that utilize common shared elements to make testing and analysis easier. The tool provides visibility into areas that other tools do not, such as various client-side storage.

Zed Attack Proxy (ZAP)

The Zed Attack Proxy (ZAP) is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

Nikto

Nikto is a command-line, open source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6400 potentially dangerous files/CGIs, checks for outdated versions of over 1000 servers, and version-specific problems on over 270 servers.

Wikto

Wikto is Nikto for Windows, but with a couple of fancy extra features including fuzzy-logic error code checking, a back-end miner, Google-assisted directory mining and real-time HTTP request/response monitoring. Wikto is coded in C# and requires the .NET framework.

Yehg.net Charset Encoder / String Encrypter

An online, feature-rich tool for changing the encoding of input.

Websecurify Chrome Extension

The Chrome Extension version of the Websecurify tool. Performs a scan and tells you the results summary, but there’s no authentication or detailed view of findings. It’s more of a quick-touch option before you run a real tool.

XSS Me

The Firefox Extension.

SQL Inject Me

The Firefox Extension.

These sites are deliberately vulnerable, built for testing web app security scanners. That is what they are designed for, but I’d check to make sure it’s ok before scanning them (just to be sure).

Internet-accessible

Google Gruyere

This one is from Google and you can do it both online and as a local install.

zero.webappsecurity.com (HP)

I happen to know this one is o.k. to scan.

demo.testfire.net (IBM)

test.acunetix.com (Acunetix)

testphp.vulnweb.com (Acunetix)

testasp.acunetix.com (Acunetix)

testaspnet.acunetix.com (Acunetix)

Hacker Test

This one is not like the others; it’s not a full website you’d scan, but rather more like a puzzle where you proceed through various levels.

Hax.tor

Another challenge, similar to Hacker Test.

The Enigma Group

A beginner-focused online resource for web hacking.

HACKME Game

A software security learning game.

OWASP Hackademic

An OWASP project aimed at helping people learn web security through a series of challenges.

Test Page for the x5s Tool

A test page for XSS meant to be used with the X5S tool.

Download and Configure

Hack This Site Community

Hellbound Hackers

p0wnlabs

Watcher Tests

In adding to these lists of vulnerable sites over the years I’ve benefited from other lists on the Internet, including Astyran, which I believe to be a phenomenal websec resource in general.