Auditing Web Servers and Web Applications

Web Servers

Web Applications

Last updated 3 years ago

hashtagWeb Servers

hashtagVerify that the web server is running on a dedicated logical system not shared with other critical applications.

hashtagVerify that the web server is fully patched and updated with the latest approved code.

hashtagVerify that unnecessary services, modules, objects, and APIs are removed or disabled. Running services and modules should be operating under the least privileged accounts.

hashtagVerify that only appropriate protocols and ports are allowed to access the web server.

hashtagVerify that accounts allowing access to the web server are managed appropriately and use strong passwords.

hashtagEnsure that appropriate controls exist for files, directories, and virtual directories.

hashtagEnsure that unnecessary information such as version and directory listings are not exposed through the web interface.

hashtagEnsure that the web server has appropriate logging enabled and that monitoring processes are in place.

hashtagEnsure that script extensions are mapped appropriately.

hashtagVerify the validity of any server certificates in use.

hashtagWeb Applications

hashtagEnsure that the web application is protected against injection attacks.

hashtagReview the application for authentication and session management vulnerabilities.

hashtagVerify that sensitive data is identified and protected appropriately. Ensure proper use of encryption technologies to protect sensitive data.

hashtagReview the web server for exposure to XML external entities (XXE) attacks.

hashtagVerify that proper access controls are enforced.

hashtagReview controls surrounding maintaining a secure configuration.

hashtagReview the website for cross-site-scripting vulnerabilities.

hashtagReview protections against exploitation of deserialization sequences.

hashtagReview processes to ensure vulnerabilities are not present in libraries, frameworks, or other components.

hashtagEnsure that adequate logging is present and review processes for examining log data.

hashtagReview the security training provided to application development teams and ensure that development teams understand secure coding practices.

hashtagVerify that all input is validated prior to use by the web server.

hashtagEvaluate the use of proper error handling.

hashtagReview web application redirects and forwards to verify that only valid URLs are accessible.

hashtagVerify that controls are in place to prevent cross-site request forgery (CSRF or XSRF).

Web Servers

Verify that the web server is running on a dedicated logical system not shared with other critical applications.

Verify that the web server is fully patched and updated with the latest approved code.

Verify that unnecessary services, modules, objects, and APIs are removed or disabled. Running services and modules should be operating under the least privileged accounts.

Verify that only appropriate protocols and ports are allowed to access the web server.

Verify that accounts allowing access to the web server are managed appropriately and use strong passwords.

Ensure that appropriate controls exist for files, directories, and virtual directories.

Ensure that unnecessary information such as version and directory listings are not exposed through the web interface.

Ensure that the web server has appropriate logging enabled and that monitoring processes are in place.

Ensure that script extensions are mapped appropriately.

Verify the validity of any server certificates in use.

Web Applications

Ensure that the web application is protected against injection attacks.

Review the application for authentication and session management vulnerabilities.

Verify that sensitive data is identified and protected appropriately. Ensure proper use of encryption technologies to protect sensitive data.

Review the web server for exposure to XML external entities (XXE) attacks.

Verify that proper access controls are enforced.

Review controls surrounding maintaining a secure configuration.

Review the website for cross-site-scripting vulnerabilities.

Review protections against exploitation of deserialization sequences.

Review processes to ensure vulnerabilities are not present in libraries, frameworks, or other components.

Ensure that adequate logging is present and review processes for examining log data.

Review the security training provided to application development teams and ensure that development teams understand secure coding practices.

Verify that all input is validated prior to use by the web server.

Evaluate the use of proper error handling.

Review web application redirects and forwards to verify that only valid URLs are accessible.

Verify that controls are in place to prevent cross-site request forgery (CSRF or XSRF).