Auditing Web Servers and Web Applications

Web Servers

Web Applications

Last updated 2 years ago

Web Servers

Verify that the web server is running on a dedicated logical system not shared with other critical applications.

Verify that the web server is fully patched and updated with the latest approved code.

Verify that unnecessary services, modules, objects, and APIs are removed or disabled. Running services and modules should be operating under the least privileged accounts.

Verify that only appropriate protocols and ports are allowed to access the web server.

Verify that accounts allowing access to the web server are managed appropriately and use strong passwords.

Ensure that appropriate controls exist for files, directories, and virtual directories.

Ensure that unnecessary information such as version and directory listings are not exposed through the web interface.

Ensure that the web server has appropriate logging enabled and that monitoring processes are in place.

Ensure that script extensions are mapped appropriately.

Verify the validity of any server certificates in use.

Web Applications

Ensure that the web application is protected against injection attacks.

Review the application for authentication and session management vulnerabilities.

Verify that sensitive data is identified and protected appropriately. Ensure proper use of encryption technologies to protect sensitive data.

Review the web server for exposure to XML external entities (XXE) attacks.

Verify that proper access controls are enforced.

Review controls surrounding maintaining a secure configuration.

Review the website for cross-site-scripting vulnerabilities.

Review protections against exploitation of deserialization sequences.

Review processes to ensure vulnerabilities are not present in libraries, frameworks, or other components.

Ensure that adequate logging is present and review processes for examining log data.

Review the security training provided to application development teams and ensure that development teams understand secure coding practices.

Verify that all input is validated prior to use by the web server.

Evaluate the use of proper error handling.

Review web application redirects and forwards to verify that only valid URLs are accessible.

Verify that controls are in place to prevent cross-site request forgery (CSRF or XSRF).

Web Servers

Verify that the web server is running on a dedicated logical system not shared with other critical applications.

Verify that the web server is fully patched and updated with the latest approved code.

Verify that unnecessary services, modules, objects, and APIs are removed or disabled. Running services and modules should be operating under the least privileged accounts.

Verify that only appropriate protocols and ports are allowed to access the web server.

Verify that accounts allowing access to the web server are managed appropriately and use strong passwords.

Ensure that appropriate controls exist for files, directories, and virtual directories.

Ensure that unnecessary information such as version and directory listings are not exposed through the web interface.

Ensure that the web server has appropriate logging enabled and that monitoring processes are in place.

Ensure that script extensions are mapped appropriately.

Verify the validity of any server certificates in use.

Web Applications

Ensure that the web application is protected against injection attacks.

Review the application for authentication and session management vulnerabilities.

Verify that sensitive data is identified and protected appropriately. Ensure proper use of encryption technologies to protect sensitive data.

Review the web server for exposure to XML external entities (XXE) attacks.

Verify that proper access controls are enforced.

Review controls surrounding maintaining a secure configuration.

Review the website for cross-site-scripting vulnerabilities.

Review protections against exploitation of deserialization sequences.

Review processes to ensure vulnerabilities are not present in libraries, frameworks, or other components.

Ensure that adequate logging is present and review processes for examining log data.

Review the security training provided to application development teams and ensure that development teams understand secure coding practices.

Verify that all input is validated prior to use by the web server.

Evaluate the use of proper error handling.

Review web application redirects and forwards to verify that only valid URLs are accessible.

Verify that controls are in place to prevent cross-site request forgery (CSRF or XSRF).