
wastc

Secure-D Web Application Security Test Checklist summarizes well-known weaknesses, vulnerabilities and best practices into review topics, each with a short description and a recommendation. Its objective is to aid penetration testers in reviewing a web application thoroughly.

This is not the working paper that Secure-D uses to deliver its web application penetration test service, but rather the public contribution version.

Objective

This document aims to assist penetration testers in covering any possible weaknesses, vulnerabilities and policy compliance issues. As a result, it may contain duplicate or similar issues under different review topics and could be excessive for many penetration test projects. Testers are advised to review the whole document and then decide which of the more important topics to test within the limited time available.

For developers, this document is also useful for studying each weakness and vulnerability and for improving code quality by following the guidelines.

Key words

We use the same key words to indicate requirement levels as standardized in RFC 2119. When the document says "MUST", it is an absolute requirement; this is to emphasize the importance of security in that review topic.

Recommendation and Useful links

This checklist may look similar to OWASP and CWE material. It differs in the details and does NOT replace OWASP or CWE by any means; we recommend studying the OWASP and CWE documentation as well.

OWASP Web Security Testing Guide
OWASP Testing Guide
OWASP Verification Standard
CWE

Contributions

We are open to any contributions. Any missing review topics are welcome; you can open either an issue or a pull request.

Disclaimer

Open source projects are made available and contributed to under licenses that include terms that, for the protection of contributors, make clear that the projects are offered “as-is”, without warranty, and disclaiming liability for damages resulting from using the projects.