Web Application Security Testing?

Question by RJ: Web Application Security Testing?
When testing web applications for security vulnerabilities, what are the main items to test for? I know of the OWASP top ten but are there other tests that should be run as well? What type of authentication tests should be run? Any help is appreciated.

Best answer:

Answer by Wei C
Other web vulnerability scanners perform pretty much what OWASP does, I’d say. I mean, you know the drill – SQL Injection, XSS, data validation, denial-of-service, error codes, weak encryption, bots posting junk onto your database, brute-force against the login page, authentication bypass, hijacks, GET parameter attacks, framework safety… those sorts of common attacks against a web app. I sometimes also invite other friendly testers to see if there’s anything else I need to do security-wise – human testers are always more creative than code – but a lot of times if other vulnerability scanners (acunetix? shadow?) can’t find anything wrong with you, your app shouldn’t be easily broken by average people.

Your server should be tested out for vulnerabilities for sure, and you should run other security software if necessary (firewall? IDS? antivirus?). I used to run SecureIIS (eeye) on my server to prevent web attacks, but if poorly configured that software can get pretty annoying – it blocks everything, even non-malicious requests. The more security features used, the more stress on the server also.

Things you should pay attention to during login:
1. You shouldn’t allow weak passwords.
2. Passwords and hints should be hashed.
3. Limited attempts to avoid bots
4. Is it done via a secure channel?
5. SQL Injection possible in your code?
6. Is there a sign of identity theft? (sign-in from different location or computer?)
7. What type of resources can be accessed/allocated after a user is in?
8. If you use a cookie to keep a person verified, could it be compromised and hijacked/used by another person?
9. Is there a chance inputting a username or password can lead to an error page? (An error sometimes tells a lot about how your database or web app is designed)
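
Items 2, 3, 5 and 9 of the checklist above, as an added example that is not part of the original answer: a minimal login check in Python using `sqlite3` and PBKDF2. The table layout, the five-attempt threshold, the iteration count and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import sqlite3

MAX_ATTEMPTS = 5          # assumed lockout threshold (item 3)
ITERATIONS = 200_000      # assumed PBKDF2 work factor; tune for your hardware
GENERIC_ERROR = "Invalid username or password"  # same text for every failure (item 9)


def hash_password(password, salt):
    # Salted, deliberately slow hash so the stored value is not reversible (item 2).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, "
               "pw BLOB, failures INTEGER DEFAULT 0)")
    return db


def add_user(db, name, password):
    salt = os.urandom(16)
    db.execute("INSERT INTO users (name, salt, pw) VALUES (?, ?, ?)",
               (name, salt, hash_password(password, salt)))


def login(db, name, password):
    # Parameterized query: the username is bound as data, never spliced into SQL (item 5).
    row = db.execute("SELECT salt, pw, failures FROM users WHERE name = ?",
                     (name,)).fetchone()
    if row is None:
        hash_password(password, b"\x00" * 16)  # comparable work for unknown users
        return False, GENERIC_ERROR
    salt, stored, failures = row
    if failures >= MAX_ATTEMPTS:
        return False, GENERIC_ERROR  # locked: reject without checking the password
    if hmac.compare_digest(hash_password(password, salt), stored):
        db.execute("UPDATE users SET failures = 0 WHERE name = ?", (name,))
        return True, "OK"
    db.execute("UPDATE users SET failures = failures + 1 WHERE name = ?", (name,))
    return False, GENERIC_ERROR
```

An unknown user, a wrong password and a locked account all return the same message, so the response does not reveal which usernames exist or how the backend is built.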
