Web Application Security Test Plans

This is a collection of test plans that will assist in web application security assessments. The test plans are scenario specific and can be used individually or in any applicable combination. The test plans use two tools, OWASP ZAP and the Web Developer plug-in. This test plan is not meant to take the place of other security assurance activities such as vulnerability scanning. You can find my evaluation of open source and low cost scanners in the web scanner section.

Before you begin, you will need two things:

  • Download and install OWASP ZAP. ZAP is not immediately intuitive, so it is highly recommended that you find a ZAP YouTube video if you can’t attend one of my workshops.
  • Download and install the Web Developer plug-in for your Firefox, Chrome, or Opera browser.

If interested, you can read my review of ZAP in the web scanner section of this site.

(Note: I will add the hyperlinks as these test plans get added.)

Getting Started

  1. Pre-testing Checklist
  2. Documentation Review
  3. Authentication Tests

Concurrent Sessions

      1. Encrypted Login
      2. POST
      3. Time Out
      4. Password Change Processes
      5. Password Autocomplete
      6. Locked on Failed Attempts

Session Management

  1. Insecure Cookies
  2. Session Fixation

File Upload Security

  1. Virus upload test
  2. Executable Test
  3. Bypass Client-side Authentication test
  4. Web Directory Test

Including Dangerous Objects Tests

  1. Developer Comments
  2. Third-party Libraries
  3. Unlicensed Code
  4. High Value Directories
  5. Testing for Back-up Files

Testing Your SSL

  1. GlobalSign