Web Application Configuration

Checklist

💡 Copy this table in your favorite note program to keep track of your tests.

| Tasks | Status/Comments |
| --- | --- |
| Network / Infrastructure Configuration (WSTG-CONF-01) | |
| File Extensions Handling – Sensitive Information (WSTG-CONF-03) | |
| HTTP Methods (WSTG-CONF-06) | |
| HTTP Strict Transport Security (HSTS) (WSTG-CONF-07) | |
| Rich Internet Applications (RIA) Cross Domain Policy (WSTG-CONF-08) | |
| Testing for vulnerabilities in other third-party applications or technologies (e.g., SharePoint, WebRTC, Google Web Toolkit (GWT)) * | |
| File Permissions (WSTG-CONF-09) | |
| Subdomain Takeover (WSTG-CONF-10) | |
| Content-Security-Policy (CSP) HTTP Header (WSTG-CONF-12, in GitHub OWASP Testing Guide) | |
| Path Confusion (WSTG-CONF-13, in GitHub OWASP Testing Guide) | |
| MIME Sniffing | |
| Directory listing | |

Checklist for testing Web Applications & APIs

Network / Infrastructure Configuration

WSTG-CONF-01: Test Network Infrastructure Configuration (OWASP Testing Guide)

The different elements that make up the infrastructure need to be identified in order to understand how they interact with the web application and how they affect its security.

All the elements of the infrastructure need to be reviewed in order to make sure that they don’t contain any known vulnerabilities.

The administrative tools used to maintain all the different elements need to be reviewed.

The authentication systems need to be reviewed in order to ensure that they serve the needs of the application and that they cannot be manipulated by external users to gain access.

  • Review the applications’ configurations set across the network and validate that they are not vulnerable.
  • Validate that the frameworks and systems in use are secure and not susceptible to known vulnerabilities due to unmaintained software or default settings and credentials.

Other – TO COMPLETE

❗ Page in progress

WSTG-CONF-03: Test File Extensions Handling for Sensitive Information (OWASP Testing Guide)

WSTG-CONF-06: HTTP Methods (OWASP Testing Guide)

WSTG-CONF-07: Test HTTP Strict Transport Security (OWASP Testing Guide)

WSTG-CONF-08: Test RIA Cross Domain Policy (OWASP Testing Guide)

WSTG-CONF-09: Test File Permission (OWASP Testing Guide)

WSTG-CONF-10: Test for Subdomain Takeover (OWASP Testing Guide)

Directory listing

See Directory Listing.