CHECKLIST FOR DEVELOPERS AND TESTERS
If you have been thinking of starting security testing as a programmer or tester, here is the basic checklist to get started. Look below!
- Make sure your robots.txt file doesn’t reveal sensitive URLs like /admin, /administration, /admin.aspx or /administratorLogin/index.php, or any other path that leads a malicious user straight to the administrator login form.
- Make sure your 403 pages are shown as 404 on the front end, so the response gives the attacker no hint that the page is sensitive.
- Mask server details such as Apache / PHP / ASP, which reveal the server software and the programming languages used. Also mask the version number of your server and of the programming language.
- Add HTTPS / SSL Certificate if your website has money transactions or authentication pages.
- Make sure server-side validation is implemented for every form field. For instance: on the client side there is JavaScript that stops a user from entering a DOB of 31/Feb/1999, but a malicious user can bypass client-side JS validation with an add-on like “Tamper Data” and submit the invalid DOB to the server. This shouldn’t be possible; server-side validation is required for every form field.
- Make sure the 404 page is implemented securely. Try URLs like http://example.com/page-that-doesnt-exist, http://example.com/example/hey.asdf, http://example.com//hello//..//whatsup, http://subdomaindoesntexist.example.com, and more combinations. Sometimes a page displays sensitive data if the server doesn’t know how to handle a particular URL type.
- Make sure unnecessary ports that are not in use are closed or set as filtered. I recommend “filtered” instead of “closed”. The only ports I think should be open are 80 (HTTP) and 443 (HTTPS).
- Make sure directory listing is set to OFF. A directory listing can look like a great treasure to an attacker if it is turned on.
- If you are using a framework like Django or any other development framework, make sure DEBUG is turned off before you deploy to the production server.
- Make sure session IDs are dynamic. You can inspect session IDs or cookie IDs with the Live HTTP Headers add-on for Firefox. Check them both before and after logging in, which also reveals “session fixation” vulnerabilities.
- Make sure you have closed the critical ports and kept only HTTP and HTTPS open (because you want your users to reach your web application or website). I insist on using the “filtered” state instead of “closed” for much better results. You can do the port scanning with nmap (an open-source utility).
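The server-side validation item above, as an added Python example that is not part of the original checklist: a hypothetical registration-form validator that re-checks the DOB (in the DD/Mon/YYYY form of the checklist's 31/Feb/1999 example) and a username field, so a value that skipped the browser's JavaScript check is still rejected. The field names and the age bounds are assumptions.

```python
from datetime import date, datetime
from typing import Dict, Optional, Tuple

# Hypothetical server-side validator for a registration form; the field
# names ("dob", "username") and the DD/Mon/YYYY format are assumptions.
DOB_FORMAT = "%d/%b/%Y"      # e.g. 28/Feb/1999
MAX_AGE_YEARS = 130


def validate_dob(raw: object, today: Optional[date] = None) -> Tuple[bool, str]:
    """Return (ok, reason). Re-checks the date regardless of what the browser did."""
    today = today or date.today()
    if not isinstance(raw, str):
        return False, "dob must be a string in DD/Mon/YYYY form"
    try:
        # strptime rejects impossible calendar dates such as 31/Feb/1999,
        # so a value that skipped the JS check still fails here.
        dob = datetime.strptime(raw.strip(), DOB_FORMAT).date()
    except ValueError:
        return False, "dob is not a valid calendar date"
    if dob > today:
        return False, "dob is in the future"
    if dob.year < today.year - MAX_AGE_YEARS:
        return False, "dob is implausibly old"
    return True, ""


def validate_registration(form: Dict[str, object]) -> Dict[str, str]:
    """Validate every field on the server; returns field -> error (empty dict = accept)."""
    errors: Dict[str, str] = {}
    ok, reason = validate_dob(form.get("dob"))
    if not ok:
        errors["dob"] = reason
    username = form.get("username")
    if not isinstance(username, str) or not (3 <= len(username) <= 32) or not username.isalnum():
        errors["username"] = "username must be 3-32 alphanumeric characters"
    return errors


# Constructed submissions: the second is what reaches the server once the
# client-side JavaScript check has been bypassed with a request-tampering add-on.
SAMPLE_SUBMISSIONS = [
    {"username": "alice01", "dob": "28/Feb/1999"},
    {"username": "bob", "dob": "31/Feb/1999"},
    {"username": "x", "dob": "29/Feb/2000"},   # leap day is valid, username is not
]

if __name__ == "__main__":
    for sub in SAMPLE_SUBMISSIONS:
        print(sub, "->", validate_registration(sub) or "accepted")
```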
Once you install nmap, you can open a terminal on Mac (I use a Mac currently) and type:
(You will get the IP address of the website)
sudo nmap -sS IP-address-of-the-website