
Posts Tagged ‘OWASP’

web app reviews: where to start

Sunday, January 16th, 2011

I’m frequently asked by people what to check for when doing a web app review. Usually the people asking are other IT people and they understand the basics of security – they’re just not sure what to check. This request comes in a lot of forms – sometimes it’s a developer wanting to know what I’m going to do to their application, sometimes it’s a program manager wanting to know so they can explain to the business, and sometimes it’s a friend who’s been asked by management to review a legacy or purchased web app and needs a starting place. There are two main sources I suggest.

  1. The OWASP testing guide. This is without a doubt the best resource. It’s designed for the person who is actually doing the testing, and contains all the details, the explanations, and every test you can think of. The only downside is that the current version is 349 pages long. (V4 is due out very soon, and will likely be longer.) This is far more detail than most people want, and far longer than what most people can handle.
  2. I’ve been looking for a sort of “cliff notes” version of the testing guide for a while, and I think I’ve found one that’s workable (sort of). The OWASP Application Security Verification Standard is clearly not designed to be a comprehensive list of things to test for a web app, and doesn’t contain any of the “how” aspects of testing, but it provides a quick list of things to check. At only a few pages long it’s much easier to read, and the verification requirements themselves are even shorter. Because it also provides standards for different levels of assurance, you can decide just how important security is to this particular app and review the appropriate controls.

View names in Domino help files

Monday, November 8th, 2010

This is partially a teaser for the talk I’m giving at AppSecDC on Domino security. (If you’re reading this after the talk has been given, I’ll have the slides and other information up on the Domino security page.) In Domino, views are design elements that display selected documents to the user. Many times a developer will assume that if they don’t advertise a view, no one will find it (security through obscurity, anyone?) and doesn’t bother to apply the correct permissions. As a penetration tester I’m sure you’d like to find these views, but what are they called? If you look at the Domino help files, you’ll get some ideas. There are many pieces of sample code, and often a developer will cut and paste the applicable code. The names Domino favors in the help files are as follows, sorted by the number of times each is used.

135 – By Category
36 – View A
31 – All
26 – Main
23 – Categorized
22 – Main View
13 – All Documents
6 – Topics
4 – By Author
3 – By Date\Ascending By Main Topic
3 – People
3 – Boots
2 – Products
2 – My View
2 – folderName
2 – CategoryView
2 – By Subject
2 – All Documents by CustomerNumber
2 – All documents
1 – XML
1 – Work Schedule
1 – viewName
1 – Transportation
1 – Stock
1 – Setup
1 – Sales Records
1 – Sales Leads
1 – Phone book
1 – My Favorites
1 – Locations
1 – Internet Profile
1 – Folder1
1 – Employees
1 – Discussion
1 – Days by Key
1 – Christmas
1 – By Category and Author
1 – By Category
1 – By category
1 – Authors
1 – All by Status & Project
1 – Open\By Project & Priority
1 – Open\By Due Date
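The flip side of that list is detection: if a client is walking through these help-file names against one database, that shows up in the Domino HTTP log. The script below is an added example (not from the original post) that parses Common Log Format lines, picks out `/db.nsf/<view>?OpenView` requests, and flags clients that try several of the names above in the same database; the log lines are constructed, and CLF logging is assumed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Subset of the help-file view names listed above, compared case-insensitively
HELP_FILE_VIEW_NAMES = {"by category", "view a", "all", "main", "categorized",
                        "main view", "all documents", "topics", "by author", "people"}

# Common Log Format as Domino's HTTP task writes it (assumption: CLF logging enabled)
CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
                 r'(?P<status>\d{3}) (?P<size>\S+)')
# /path/db.nsf/<view name>?OpenView  (view name is URL-encoded, '+' for space)
VIEW_URL = re.compile(r'^(?P<db>/[^?]+?\.nsf)/(?P<view>[^/?]+)\?(?i:OpenView)(?:&|$)')

def parse_line(line):
    """Return {'ip','db','view','status'} for a view-open request, else None."""
    m = CLF.match(line)
    u = VIEW_URL.match(m["url"]) if m else None
    if not u:
        return None
    return {"ip": m["ip"], "db": u["db"], "status": int(m["status"]),
            "view": unquote(u["view"].replace("+", " "))}

def find_view_guessing(lines, min_names=3):
    """Group help-file view names per (client IP, database); flag clients that tried
    at least min_names distinct ones. 'found' lists the names that opened (HTTP 200)."""
    by_client = defaultdict(lambda: {"tried": [], "found": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["view"].lower() not in HELP_FILE_VIEW_NAMES:
            continue
        bucket = by_client[(rec["ip"], rec["db"])]
        if rec["view"] not in bucket["tried"]:
            bucket["tried"].append(rec["view"])
        if rec["status"] == 200 and rec["view"] not in bucket["found"]:
            bucket["found"].append(rec["view"])
    return {k: v for k, v in by_client.items() if len(v["tried"]) >= min_names}

# Constructed sample log lines (no real server or addresses)
SAMPLE_LOG = """\
203.0.113.7 - - [08/Nov/2010:10:01:02 -0500] "GET /apps/discuss.nsf/By+Category?OpenView HTTP/1.1" 200 5120
203.0.113.7 - - [08/Nov/2010:10:01:03 -0500] "GET /apps/discuss.nsf/View+A?OpenView HTTP/1.1" 404 512
203.0.113.7 - - [08/Nov/2010:10:01:04 -0500] "GET /apps/discuss.nsf/All?OpenView HTTP/1.1" 404 512
203.0.113.7 - - [08/Nov/2010:10:01:05 -0500] "GET /apps/discuss.nsf/Main?OpenView HTTP/1.1" 200 7100
198.51.100.4 - - [08/Nov/2010:10:02:00 -0500] "GET /apps/discuss.nsf/By+Category?OpenView HTTP/1.1" 200 5120
198.51.100.4 - - [08/Nov/2010:10:02:09 -0500] "GET /apps/discuss.nsf/0/abcd?OpenDocument HTTP/1.1" 200 2048
""".splitlines()

if __name__ == "__main__":
    for (ip, db), hit in find_view_guessing(SAMPLE_LOG).items():
        print(f"{ip} probed {db}: tried {hit['tried']}, opened {hit['found']}")
```

A view that shows up under "found" for an unauthenticated client is one whose reader restrictions need checking, whatever its name.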

OWASP USA conference videos

Wednesday, October 13th, 2010

OWASP has uploaded a whole bunch of videos of the talks given at AppSec USA 2010 in Irvine, CA in early September. There are some very good talks in there by some very good people.

On a related note, I’m going to be talking at AppSecDC in November on Domino security. Come check it out.

Upcoming OWASP conference

Thursday, June 26th, 2008

This is nothing more than a blatant advertisement for OWASP, but they have an upcoming conference in NYC in late September that might be of interest to people here.
