SECURITY CONTROL ASSESSMENT YES/NO
Spiders, Robots and Crawlers
Search Engine Discovery/Reconnaissance
Identify application entry points
Testing for Web Application Fingerprint
Application Discovery
Analysis of Error Codes
SSL/TLS Testing (SSL Version, Algorithms, Key length, Digital Cert. Validity) - SSL Weakness
DB Listener Testing - DB Listener weak
Infrastructure Configuration Management Testing - Infrastructure Configuration management weakness
Application Configuration Management Testing - Application Configuration management weakness
Testing for File Extensions Handling - File extensions handling weakness
Old, backup and unreferenced files - Old, backup and unreferenced files
Infrastructure and Application Admin Interfaces - Access to Admin interfaces
Testing for HTTP Methods and XST - HTTP Methods enabled, XST permitted, HTTP Verb
Credentials transport over an encrypted channel - Credentials transport over an encrypted channel
Testing for user enumeration - User enumeration
Testing for Guessable (Dictionary) User Account - Guessable user account
Brute Force Testing - Credentials Brute forcing
Testing for bypassing authentication schema - Bypassing authentication schema
Testing for vulnerable remember password and pwd reset - Vulnerable remember password, weak pwd reset
Testing for Logout and Browser Cache Management - Logout function not properly implemented, browser cache weakness
Testing for CAPTCHA - Weak Captcha implementation
Testing Multiple Factors Authentication - Weak Multiple Factors Authentication
Testing for Race Conditions - Race Conditions vulnerability
Testing for Session Management Schema - Bypassing Session Management Schema, Weak Session Token
Testing for Cookies attributes - Cookies are set not ‘HTTP Only’, ‘Secure’, and no time validity
Testing for Session Fixation - Session Fixation
Testing for Exposed Session Variables - Exposed sensitive session variables
Testing for CSRF - CSRF
Testing for Path Traversal - Path Traversal
Testing for bypassing authorization schema - Bypassing authorization schema
Testing for Privilege Escalation - Privilege Escalation
Testing for Business Logic - Bypassable business logic
Testing for Reflected Cross Site Scripting - Reflected XSS
Testing for Stored Cross Site Scripting - Stored XSS
Testing for DOM based Cross Site Scripting - DOM XSS
Testing for Cross Site Flashing - Cross Site Flashing
SQL Injection - SQL Injection
LDAP Injection - LDAP Injection
ORM Injection - ORM Injection
XML Injection - XML Injection
SSI Injection - SSI Injection
XPath Injection - XPath Injection
IMAP/SMTP Injection - IMAP/SMTP Injection
Code Injection - Code Injection
OS Commanding - OS Commanding
Buffer overflow - Buffer overflow
Testing for Incubated vulnerability - Incubated vulnerability
HTTP Splitting/Smuggling - HTTP Splitting, Smuggling
Testing for SQL Wildcard Attacks - SQL Wildcard vulnerability
Locking Customer Accounts - Locking Customer Accounts
Testing for DoS Buffer Overflows - Buffer Overflows
User Specified Object Allocation - User Specified Object Allocation
User Input as a Loop Counter - User Input as a Loop Counter
Writing User Provided Data to Disk - Writing User Provided Data to Disk
Failure to Release Resources - Failure to Release Resources
Storing too Much Data in Session - Storing too Much Data in Session
WS Information Gathering - N.A.
Testing WSDL - WSDL Weakness
XML Structural Testing - Weak XML Structure
XML content-level Testing - XML content-level
HTTP GET parameters/REST Testing - WS HTTP GET parameters/REST
Naughty SOAP attachments - WS Naughty SOAP attachments
Replay Testing - WS Replay Testing
AJAX Vulnerabilities - N.A.
AJAX Testing - AJAX weakness
NETWORK SECURITY ASSESSMENT
Host Discovery
Port Scanning
Banner Grabbing/OS Fingerprinting
Scan for Vulnerabilities
Draw Network Diagrams
Prepare Proxies
Document all Findings
Important Tools used for Network Pentesting
Frameworks
Kali Linux, Backtrack5 R3, Security Onion
Reconnaissance
Smartwhois, MxToolbox, CentralOps, dnsstuff, nslookup, DIG, netcraft
Discovery
Angry IP scanner, Colasoft ping tool, nmap, Maltego, NetResident,LanSurveyor, OpManager
Port Scanning
Nmap, Megaping, Hping3, Netscan tools pro, Advanced port scanner
Service Fingerprinting
Xprobe, nmap, zenmap
Enumeration
Superscan, Netbios enumerator, Snmpcheck, onesixtyone, Jxplorer, Hyena,DumpSec, WinFingerprint, Ps Tools, NsAuditor, Enum4Linux, nslookup, Netsca
Scanning
Nessus, GFI Languard, Retina,SAINT, Nexpose
Password Cracking
Ncrack, Cain & Abel, LC5, Ophcrack, pwdump7, fgdump, John The Ripper,Rainbow Crack
Sniffing
Wireshark, Ettercap, Capsa Network Analyzer
MiTM Attacks
Cain & Abel, Ettercap
Exploitation
Metasploit, Core Impact
1. CONNECTION REQUESTS: If you receive a request from LinkedIn or other social networks, be
wary if you do not know the person or do not have any connections with the requester.
2. GOOGLE SEARCH PROFILE: Before accepting, do a quick Google search on the profile’s contact
details, workplace and education. If no results are found it is highly likely a scam (fake account).
3. SHARED CONNECTION: Do you have shared connections in common with the person requesting
a connection with you? If not, be suspicious of the request and do some research.
4. PHOTO SEARCH: Do a profile photo search in Google to see what the results are. If no results
are returned, it is highly likely a scam.
5. CHECK EMAIL ADDRESS: If the request appears to be valid and you accept, quickly check the
email account. If it is from something like bk.ru domain, then it is likely a phishing scam.
6. AUTO RESPONSES: After accepting a request you might receive an automated message. This is
another indication that it may be fake as it is common to get automated responses from phishing
scams.
7. ASK ADVICE: If you are uncertain, ask a colleague for advice. A second, or even third, opinion is
worth the time it takes to get it. At the very least it prevents you from accepting the request
immediately and regretting it later.
8. DELETE CONNECTION: Once you’ve confirmed it’s a scam, do NOT communicate with the
account. Instead, report it to the social network and remove the connection at once.
1. DOES THE MESSAGE CONTAIN HYPERLINKS? Check any hyperlink before clicking on it. A link may
mask the website to which it links. If you’re on a computer, hover over the link without clicking
it and you’ll probably notice the full URL of the link’s destination in a lower corner of your
browser. If the message is from your bank or another organization you use, it is best to go
directly to their website by typing the URL into your browser. You can even call them to find out
if the message is authentic.
2. IS THE EMAIL ADDRESS VALID? You can usually hover over the email address to see the full
domain and check if it is real.
3. IS IT A VALID CONTACT? Do you know the person sending the email?
4. LEAST PRIVILEGE: Use a Standard User and not Administrator when clicking on links or opening
attachments.
5. SCAN ATTACHMENTS: Be cautious when opening any email attachments. If you can, scan it with
your anti-virus program before opening. Note: Make sure to keep updates of all the software you
use so that you have the latest security fixes running.
6. BACKUP: Make sure you have a backup of important information, including photos, software,
or other files; if you are infected by malware, your information may otherwise be lost forever. There are
plenty of Cloud options online if you do not currently have one.
7. REPORT: Report any suspicious incidents and activity to the organization that the email appears
to be from. Most companies list their contact or support information on their website, so look
there for contact information first.
Authentication
Application Password Functionality
Test password quality rules
Test remember me functionality
Test password reset and/or recovery
Test password change process
Test CAPTCHA
Test multi-factor authentication
Test for logout functionality presence
Test for default logins
Test for out-of-channel notification of account lockouts and successful password changes
Test for consistent authentication across applications with shared authentication schema/SSO and alternative channels
Test for weak security question/answer
Additional Authentication Functionality
Test for user enumeration
Test for authentication bypass
Test for brute force protection
Test for credentials transported over an encrypted channel
Test for cache management on HTTP (e.g. Pragma, Expires, Max-age)
Test for user-accessible authentication history
Authorization
Test for path traversal
Test for vertical access control problems (a.k.a. privilege escalation)
Test for horizontal access control problems (between two users at the same privilege level)
Test for missing authorization
Test for insecure direct object references
Cryptography
Check if data which should be encrypted is not
Check for wrong algorithms usage depending on context
Check for weak algorithms usage
Check for proper use of salting
Check for randomness functions
Firewall Audit Checklist:
Record checklist details
Pre-Audit Information Gathering:
Make sure you have copies of security policies
Check you have access to all firewall logs
Gain a diagram of the current network
Review documentation from previous audits
Identify all relevant ISPs and VPNs
Obtain all firewall vendor information
Understand the setup of all key servers
Review the Change Management Process:
Review the procedures for rule-base maintenance
Analyze the process for firewall changes
Determine whether all previous changes were authorized
Audit the Firewall's Physical and OS Security:
Make sure your management servers are physically secure
Check the access procedures to these restricted locations
Verify all vendor updates have been applied
Make sure the OS passes common hardening checks
Assess the procedures for device administration
Optimize Your Rule Base:
Delete redundant rules
Delete or disable unused objects
Evaluate the order of firewall rules for performance
Remove unused connections
Document the rules and changes for future reference
Conduct a Risk Assessment:
Review industry best practices for methodology
Ask a series of thorough questions
Document your assessment and save as a report
Improve Firewall Processes:
Replace error-prone manual tasks with automations
1. “Conducting a series of methodical and repeatable tests” is the best way to test the web server,
and to work through all of the different application vulnerabilities.
2. “Collecting as much information as possible” about an organization, ranging over its operating
environment, is the main area to concentrate on in the initial stage of web server pen testing.
3. Performing web server Authentication Testing: use social engineering techniques to collect
information about the human resources, contact details and other social-related information.
4. Gathering information about the target: use whois database query tools to get details such as
domain name, IP address, administrative details, autonomous system number, DNS etc.
5. Fingerprint the web server to gather information such as server name, server type, operating
system, applications running on the server etc.; use fingerprint scanning tools such as Netcraft,
HTTPrecon, ID Serve.
6. Crawl the website to gather specific information from web pages, such as email addresses.
7. Enumerate web server directories to extract important information about web functionalities,
login forms etc.
8. Perform a directory traversal attack to access restricted directories and execute commands from
outside of the web server root directories.
9. Perform vulnerability scanning to identify the weaknesses in the network; use vulnerability
scanning tools such as HP WebInspect, Nessus, and determine if the system can be exploited.
10. Perform a web cache poisoning attack to force the web server’s cache to flush its actual cache
content and send a specifically crafted request which will be stored in the cache.
11. Perform an HTTP response splitting attack to pass malicious data to a vulnerable application
that includes the data in an HTTP response header.
12. Brute force SSH, FTP, and other services’ login credentials to gain unauthorized access.
13. Perform session hijacking to capture valid session cookies and IDs; use tools such as Burp Suite,
Firesheep, JHijack to automate session hijacking.
14. Perform a MITM attack to access sensitive information by intercepting and altering the
communications between the end users and web servers.
15. Use tools such as Webalizer, AWStats to examine the web server logs.
Services
Unnecessary Windows services are disabled.
Services are running with least-privileged accounts.
FTP, SMTP, and NNTP services are disabled if they are not required.
Telnet service is disabled.
Protocols
WebDAV is disabled if not used by the application OR it is secured if it is required.
TCP/IP stack is hardened.
NetBIOS and SMB are disabled (closes ports 137, 138, 139, and 445).
Accounts
Unused accounts are removed from the server.
Guest account is disabled.
IUSR_MACHINE account is disabled if it is not used by the application.
If your applications require anonymous access, a custom least-privileged anonymous account is created.
The anonymous account does not have write access to Web content directories and cannot execute command-line tools.
Strong account and password policies are enforced for the server.
Remote logons are restricted. (The “Access this computer from the network” user-right is removed from the Everyone group.)
Accounts are not shared among administrators.
Null sessions (anonymous logons) are disabled.
Approval is required for account delegation.
Users and administrators do not share accounts.
No more than two accounts exist in the Administrators group.
Administrators are required to log in locally OR the remote administration solution is secure.
Files and Directories
Files and directories are contained on NTFS volumes
Web site content is located on a non-system NTFS volume.
Log files are located on a non-system NTFS volume and not on the same volume where the Web site content resides.
The Everyone group is restricted (no access to \WINNT\system32 or Web directories).
Web site root directory has denied write ACE for anonymous Internet accounts.
Content directories have deny write ACE for anonymous Internet accounts.
Remote administration application is removed
Resource kit tools, utilities, and SDKs are removed.
Sample applications are removed
Shares
All unnecessary shares are removed (including default administration shares).
Access to required shares is restricted (the Everyone group does not have access).
Administrative shares (C$ and Admin$) are removed if they are not required (Microsoft Management Server (SMS) and Microsoft Operations Manager (MOM) require these shares).
Ports
Internet-facing interfaces are restricted to port 80 (and 443 if SSL is
used)
Intranet traffic is encrypted (for example, with SSL) or restricted if
you do not have a secure data center infrastructure.
Registry
Remote registry access is restricted.
SAM is secured (HKLM\System\CurrentControlSet\Control\LSA\NoLMHash).
Auditing and Logging
Failed logon attempts are audited.
IIS log files are relocated and secured.
Log files are configured with an appropriate size depending on the application security requirement.
Log files are regularly archived and analyzed.
Access to the Metabase.bin file is audited.
IIS is configured for W3C Extended log file format auditing.
Server Certificates
Ensure certificate date ranges are valid.
Only use certificates for their intended purpose (For example, the server certificate is not used for e-mail).
Ensure the certificate’s public key is valid, all the way to a trusted root authority.
Confirm that the certificate has not been revoked.
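A read-only audit script for the server checklist above, added here as an example (it is my own, not part of the original checklist or of any Microsoft tool). It assumes Windows Server 2016 / Windows 10 or later, an elevated PowerShell session, and the usual Windows service names for Telnet, FTP, SMTP, NNTP and Remote Registry; it reports only the items it can verify without changing anything.

```powershell
# Added example: read-only audit of checklist items (services, NetBIOS/SMB ports,
# Guest and Administrators accounts, NoLMHash, failed-logon auditing, server
# certificates). Assumes an elevated session on Windows Server 2016+ / Windows 10+.
$findings = @()
$now = Get-Date

# Services: Telnet, FTP, SMTP, NNTP should be disabled; remote registry restricted.
# Service names assumed to be the standard Windows ones.
foreach ($name in 'TlntSvr', 'ftpsvc', 'SMTPSVC', 'NntpSvc', 'RemoteRegistry') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -eq 'Running') {
        $findings += "Service '$name' is running; disable it if it is not required."
    }
}

# Protocols: NetBIOS/SMB listeners on 137/138 (UDP) and 139/445 (TCP).
$ports = @()
Get-NetTCPConnection -State Listen | Where-Object { $_.LocalPort -in 139, 445 } |
    ForEach-Object { $ports += "$($_.LocalPort)/tcp" }
Get-NetUDPEndpoint | Where-Object { $_.LocalPort -in 137, 138 } |
    ForEach-Object { $ports += "$($_.LocalPort)/udp" }
$ports = $ports | Sort-Object -Unique
if ($ports) { $findings += "NetBIOS/SMB ports still listening: $($ports -join ', ')." }

# Accounts: Guest disabled, no more than two members in Administrators.
$guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
if ($guest -and $guest.Enabled) { $findings += 'Guest account is enabled.' }
$admins = @(Get-LocalGroupMember -Group 'Administrators')
if ($admins.Count -gt 2) {
    $findings += "Administrators group has $($admins.Count) members: $($admins.Name -join ', ')."
}

# Registry: SAM secured via NoLMHash under HKLM\System\CurrentControlSet\Control\LSA.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if ($lsa.NoLMHash -ne 1) { $findings += 'NoLMHash is not 1; LM hashes may be stored in the SAM.' }

# Auditing: failed logon attempts must be audited (auditpol is built into Windows).
$logonAudit = auditpol /get /subcategory:"Logon" 2>$null | Out-String
if ($logonAudit -notmatch 'Failure') { $findings += 'Logon failures are not audited.' }

# Server certificates: validity dates, chain to a trusted root, revocation status.
foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
        $findings += "Certificate $($cert.Thumbprint) is outside its validity dates."
    } elseif (-not (Test-Certificate -Cert $cert -Policy SSL -ErrorAction SilentlyContinue)) {
        $findings += "Certificate $($cert.Thumbprint) fails chain or revocation checks."
    }
}

if ($findings.Count -eq 0) { 'All audited items passed.' }
else { $findings | ForEach-Object { "FAIL: $_" } }
```

Items the checklist lists but the script does not cover (ACEs on content directories, share permissions, the "Access this computer from the network" user right) still need a manual review or a security template comparison.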