Website Security Testing Checklist
Security testing is an extremely important – but often overlooked – component of website testing. It’s troubling if your website isn’t intuitively usable, detrimental if it doesn’t function properly, but it can be disastrous if a website isn’t secure. If you do not properly test your website, you can expose users’ personal information, inadvertently help hackers spread malicious code, or suffer a full takedown.
To help make sure websites are secure, the Open Web Application Security Project has put together a comprehensive “Web Application Security Testing Cheat Sheet” to help guide testers and security experts. The cheat sheet is divided into 13 pain points and includes more than 100 checkpoints. To give you an idea of what to look for, here are the first two points from each category:
Information Gathering
- Manually explore the site
- Spider/crawl for missed or hidden content
Configuration Management
- Check for commonly used application and administrative URLs
- Check for old, backup and unreferenced files
Secure Transmission
- Check SSL versions, algorithms and key length
- Check for digital certificate validity (duration, signature and CN)
Authentication
- Test for user enumeration
- Test for authentication bypass
Session Management
- Establish how session management is handled in the application (e.g. tokens in cookies, token in URL)
- Check session tokens for cookie flags (HttpOnly and Secure)
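A small audit script for the second checkpoint, added here as an example and not taken from the OWASP cheat sheet or the original post: it parses raw Set-Cookie header values and reports which session cookies lack the HttpOnly and Secure flags. The header values are constructed sample data.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure flags.

Added example, not part of the OWASP cheat sheet or the original post.
The sample header values below are constructed for illustration.
"""
from typing import Dict, List

# Constructed sample: raw Set-Cookie values as a server might return them.
SAMPLE_SET_COOKIE_HEADERS = [
    "JSESSIONID=abc123; Path=/; HttpOnly; Secure",
    "sessionid=def456; Path=/; HttpOnly",
    "remember_me=ghi789; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT",
]


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie value into the cookie name and its attributes.

    Attribute names are compared case-insensitively, as browsers do;
    valueless attributes such as HttpOnly are recorded as True.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        attrs[key.strip().lower()] = value.strip() if value else True
    return {"name": name, "attrs": attrs}


def audit_cookie(header: str) -> Dict[str, object]:
    """Return the cookie name and the list of missing hardening flags."""
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]
    missing = []
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    if "secure" not in attrs:
        missing.append("Secure")
    return {"name": cookie["name"], "missing": missing}


def audit_headers(headers: List[str]) -> Dict[str, List[str]]:
    """Map each cookie name to its missing flags; hardened cookies map to []."""
    return {r["name"]: r["missing"] for r in (audit_cookie(h) for h in headers)}


if __name__ == "__main__":
    for name, missing in audit_headers(SAMPLE_SET_COOKIE_HEADERS).items():
        status = "OK" if not missing else "missing " + ", ".join(missing)
        print(f"{name}: {status}")
```

Feed it the Set-Cookie values captured from a login response to see at a glance which session cookies need the flags added server-side.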
Authorization
- Test for path traversal
- Test for bypassing authorization schema
Data Validation
- Test for Reflected Cross Site Scripting
- Test for Stored Cross Site Scripting
Denial of Service
- Test for anti-automation
- Test for account lockout
Business Logic
- Test for feature misuse
- Test for lack of non-repudiation
Cryptography
- Check if data which should be encrypted is not
- Check for wrong algorithms usage depending on context
Risky Functionality – File Uploads
- Test that acceptable file types are whitelisted
- Test that file size limits, upload frequency and total file counts are defined and are enforced
Risky Functionality – Card Payment
- Test whether card numbers are stored
HTML 5
- Test Web Messaging
- Test for Web Storage SQL injection
For more tips, review the full OWASP Security Testing Cheat Sheet and read uTest’s free Software Security Testing whitepaper that covers common attacks, helpful testing tools and tips on building the best testing team.

I am not sure the place you’re getting your information, but good topic. I need to spend some time finding out much more or figuring out more. Thank you for great info; I used to be in search of this info for my mission.
There is a very good course for learning web security testing – http://hackvidhi.com/courses.php .