Hi,

since I find checklists a great way of preventing stupid mistakes, here's one for web application security. It doesn't cover every single aspect, and the more exotic risks aren't mentioned. But it should help get the basic security measures right -- including the ones that are often overlooked. For an extensive security evaluation, check the OWASP list.



General security
  • Forms:
    • Does every action with permanent effects require an anti-CSRF token?
  • Queries:
    • Are all dynamic queries implemented with prepared statements?
    • Is all input passed through the parameters of the statement?

    Fallback: manual escaping of input
    • Is the insertion context safe? The input must be inside a quoted string literal.
    • Is the input escaped using the right character encoding?
  • Inserting into HTML:
    • Is the context safe? The inserted data must be outside an HTML tag or inside a quoted attribute. When inserting into a script attribute, check the JavaScript part below.
    • Is the input escaped using the right character encoding?
  • Inserting into JavaScript:
    • Is the context safe? The input must be inside a quoted string literal, and this string mustn't be evaluated with functions like eval() or setTimeout().
    • Are all characters encoded as \xHH or \uHHHH using the right character encoding?
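The four items above (CSRF token, prepared statement, HTML escaping, JavaScript string encoding) in one place, as an added example that is not part of the original post. It assumes a PDO connection `$pdo` to a constructed table `users(id, email, name)` and that `session_start()` has already been called; the function names are mine.

```php
<?php
// Added example, not from the original post. Assumes an active PHP session
// and a PDO connection to a constructed table users(id, email, name).
declare(strict_types=1);

// --- Forms: anti-CSRF token bound to the session -------------------------
function csrf_token(): string
{
    if (empty($_SESSION['csrf'])) {
        // 32 bytes from the CSPRNG, hex-encoded so it embeds safely anywhere
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function csrf_check(?string $submitted): bool
{
    // hash_equals compares in constant time; a missing token never matches
    return $submitted !== null
        && isset($_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], $submitted);
}

// --- Queries: every dynamic value travels as a statement parameter --------
function find_user_by_email(PDO $pdo, string $email): ?array
{
    $stmt = $pdo->prepare('SELECT id, email, name FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- Inserting into HTML: text node or quoted attribute context only ------
function html_escape(string $s): string
{
    // ENT_QUOTES covers both quote styles, so the result is safe inside
    // "..." and '...' attributes as well as between tags; charset is explicit
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// --- Inserting into JavaScript: a quoted string literal in which every
// character is written as \xHH or \uHHHH, as the checklist asks ------------
function js_string_literal(string $s): string
{
    $out = '"';
    // Walk Unicode code points so multibyte UTF-8 input stays intact
    foreach (mb_str_split($s, 1, 'UTF-8') as $ch) {
        $cp = mb_ord($ch, 'UTF-8');
        if ($cp < 0x80) {
            $out .= sprintf('\\x%02X', $cp);
        } elseif ($cp < 0x10000) {
            $out .= sprintf('\\u%04X', $cp);
        } else {
            // Code points above the BMP need a UTF-16 surrogate pair
            $cp -= 0x10000;
            $out .= sprintf('\\u%04X\\u%04X', 0xD800 + ($cp >> 10), 0xDC00 + ($cp & 0x3FF));
        }
    }
    return $out . '"';
}

// --- Helpers that put the pieces into markup ------------------------------
function hidden_csrf_field(): string
{
    return '<input type="hidden" name="csrf" value="' . html_escape(csrf_token()) . '">';
}

function script_assignment(string $var, string $value): string
{
    // $var is a developer-chosen identifier; $value is untrusted data
    return '<script>var ' . $var . ' = ' . js_string_literal($value) . ';</script>';
}
```

Because `js_string_literal()` encodes every character, including `<`, `/` and the quotes, the literal can never close the surrounding `<script>` element or escape the string, and it is still safe to pass through `html_escape()` when it ends up inside an event-handler attribute.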


Web server security
  • Does the web server run on minimum system privileges?
  • Is access control set up correctly?
  • Is all critical information transferred over HTTPS? When dealing with forms, both the form page itself and the target page have to use HTTPS.
  • Is every text resource (HTML, JavaScript, CSS) delivered with an explicit character encoding in the HTTP headers?


PHP security
  • Is register_globals turned off?
  • Is allow_url_include turned off and open_basedir set?
  • Are all dangerous functions like shell_exec() and phpinfo() disabled?
  • Is error displaying turned off?
  • Are session IDs only transferred and received via cookies?
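As an added example (not from the original post), a small self-audit script that reads the live configuration and reports which of the five items above fail. It is meant to be requested once through the web server (the CLI reads a different php.ini) and then removed, since it discloses configuration details; the extra functions beyond `shell_exec()` and `phpinfo()` in the disable list are my additions.

```php
<?php
// Added example, not from the original post: audit the running PHP
// configuration against the checklist. Serve it once, then delete it.
declare(strict_types=1);

function ini_is_off(string $name): bool
{
    // ini_get returns '' or '0' for off and '1' for on; a directive that no
    // longer exists (register_globals was removed in PHP 5.4) yields false
    $v = strtolower((string) ini_get($name));
    return in_array($v, ['', '0', 'off', 'false', 'no'], true);
}

function disabled_functions(): array
{
    $list = (string) ini_get('disable_functions');
    return array_values(array_filter(array_map('trim', explode(',', $list))));
}

function php_config_findings(): array
{
    $findings = [];
    if (!ini_is_off('register_globals')) {
        $findings[] = 'register_globals is on';
    }
    if (!ini_is_off('allow_url_include')) {
        $findings[] = 'allow_url_include is on';
    }
    if ((string) ini_get('open_basedir') === '') {
        $findings[] = 'open_basedir is not set';
    }
    $disabled = disabled_functions();
    // shell_exec and phpinfo come from the checklist; the others are my additions
    foreach (['shell_exec', 'exec', 'system', 'passthru', 'phpinfo'] as $fn) {
        if (!in_array($fn, $disabled, true)) {
            $findings[] = "$fn is not in disable_functions";
        }
    }
    if (!ini_is_off('display_errors')) {
        $findings[] = 'display_errors is on (log_errors is the safe alternative)';
    }
    if (ini_is_off('session.use_only_cookies')) {
        $findings[] = 'session.use_only_cookies is off (IDs accepted from the URL)';
    }
    if (!ini_is_off('session.use_trans_sid')) {
        $findings[] = 'session.use_trans_sid is on (IDs appended to links)';
    }
    return $findings;
}

// php.ini lines that satisfy every check above (the open_basedir path is a
// constructed example; use the application's real document root):
//   register_globals = Off
//   allow_url_include = Off
//   open_basedir = /var/www/app:/tmp
//   disable_functions = shell_exec,exec,system,passthru,phpinfo
//   display_errors = Off
//   log_errors = On
//   session.use_only_cookies = 1
//   session.use_trans_sid = 0

header('Content-Type: text/plain; charset=UTF-8');
$findings = php_config_findings();
echo $findings === [] ? "All checks passed\n" : implode("\n", $findings) . "\n";
```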


Database security
  • Does the database daemon run on minimum system privileges?
  • Is the database authentication set up correctly? Remote access must be disabled or limited to the IP(s) of the application server. The root account must be limited to local access. All accounts need strong passwords from a cryptographically secure random number generator.
  • Does the database role have minimum privileges? The root account must not be used for the application.


Session security
  • Is the session ID cryptographically secure?
  • Is the cookie set to HttpOnly and also to secure if using HTTPS?
  • Does the session have an absolute time limit?
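The three session items above in code, as an added example that is not part of the original post. PHP already draws session IDs from its CSPRNG, so the example concentrates on the cookie flags, on accepting IDs only from the cookie, and on an absolute lifetime; the eight-hour limit is a constructed value.

```php
<?php
// Added example, not from the original post. Session hardening for the
// checklist items; SESSION_ABSOLUTE_LIFETIME is a constructed value.
declare(strict_types=1);

const SESSION_ABSOLUTE_LIFETIME = 8 * 3600;  // seconds since login, regardless of activity

function session_is_expired(int $createdAt, int $now): bool
{
    return $now - $createdAt > SESSION_ABSOLUTE_LIFETIME;
}

function start_secure_session(bool $https): void
{
    // Only accept IDs this server issued, and only from the cookie
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');

    session_set_cookie_params([
        'lifetime' => 0,       // discarded when the browser closes
        'path'     => '/',
        'secure'   => $https,  // only sent over HTTPS when the site uses it
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();

    if (!isset($_SESSION['created_at'])) {
        $_SESSION['created_at'] = time();
    } elseif (session_is_expired((int) $_SESSION['created_at'], time())) {
        // Absolute limit reached: drop all data and issue a fresh ID
        $_SESSION = [];
        session_regenerate_id(true);
        $_SESSION['created_at'] = time();
    }
}

// Call after a successful login: the authenticated session must not keep
// the ID that was handed to the anonymous visitor (session fixation)
function promote_session_on_login(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']    = $userId;
    $_SESSION['created_at'] = time();
}
```

The absolute limit is enforced from a timestamp stored in the session itself rather than from the cookie's expiry, because the cookie lifetime is under the client's control and an idle-timeout setting such as `session.gc_maxlifetime` only bounds inactivity, not total age.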


Passwords
  • Do the passwords have a minimum and a maximum length?
  • Are the passwords hashed with bcrypt or an equally secure algorithm?
  • Does the hashing take place on the server?
  • Are the password hashes only stored in the users table?


Login form
  • If users log in with their email address: Is it impossible to determine the existence of an address from the form feedback? This includes explicit messages as well as the implicit behaviour of the form (like time differences).
  • Is the number of login attempts limited?
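One implementation of the Passwords and Login form items together, as an added example that is not from the original post: server-side bcrypt hashing with length bounds, a per-address attempt limit, and a login check whose result and timing are the same whether or not the email address exists. It assumes a PDO connection to two constructed tables, `users(id, email, password_hash)` and `login_attempts(email, attempts, window_start)`; the limits are constructed values.

```php
<?php
// Added example, not from the original post. Assumes PDO $pdo and the
// constructed tables users(id, email, password_hash) and
// login_attempts(email, attempts, window_start).
declare(strict_types=1);

const PASSWORD_MIN_LENGTH = 12;
const PASSWORD_MAX_LENGTH = 256;  // bounded so oversized input cannot burn CPU
const BCRYPT_COST         = 12;
const MAX_ATTEMPTS        = 10;
const ATTEMPT_WINDOW      = 900;  // seconds

function password_length_ok(string $password): bool
{
    $len = strlen($password);  // bytes; bcrypt itself only uses the first 72
    return $len >= PASSWORD_MIN_LENGTH && $len <= PASSWORD_MAX_LENGTH;
}

function hash_password(string $password): string
{
    // password_hash generates the salt itself; hashing happens on the server
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

function dummy_hash(): string
{
    // Hash of a constructed value, computed once per process and verified
    // against when the email is unknown, so both paths cost one bcrypt run
    static $hash = null;
    return $hash ??= hash_password('dummy-value-never-a-real-password');
}

function attempts_exceeded(PDO $pdo, string $email, int $now): bool
{
    $stmt = $pdo->prepare('SELECT attempts, window_start FROM login_attempts WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $now - (int) $row['window_start'] > ATTEMPT_WINDOW) {
        return false;  // no record yet, or the window has expired
    }
    return (int) $row['attempts'] >= MAX_ATTEMPTS;
}

function record_attempt(PDO $pdo, string $email, int $now): void
{
    $stmt = $pdo->prepare('SELECT attempts, window_start FROM login_attempts WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        $q = $pdo->prepare('INSERT INTO login_attempts (email, attempts, window_start) VALUES (:email, 1, :now)');
        $q->execute([':email' => $email, ':now' => $now]);
    } elseif ($now - (int) $row['window_start'] > ATTEMPT_WINDOW) {
        $q = $pdo->prepare('UPDATE login_attempts SET attempts = 1, window_start = :now WHERE email = :email');
        $q->execute([':now' => $now, ':email' => $email]);
    } else {
        $q = $pdo->prepare('UPDATE login_attempts SET attempts = attempts + 1 WHERE email = :email');
        $q->execute([':email' => $email]);
    }
}

// Returns the user id on success and null on any failure. The caller shows
// one generic message for null, never "unknown address" or "wrong password".
function login(PDO $pdo, string $email, string $password): ?int
{
    $now = time();
    if (!password_length_ok($password) || attempts_exceeded($pdo, $email, $now)) {
        return null;
    }
    record_attempt($pdo, $email, $now);

    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify in both cases so an unknown email takes as long as a wrong password
    $stored = $row === false ? dummy_hash() : (string) $row['password_hash'];
    $ok = password_verify($password, $stored);
    if ($row === false || !$ok) {
        return null;
    }

    // Transparently upgrade hashes that were created with a lower cost
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $q = $pdo->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
        $q->execute([':h' => hash_password($password), ':id' => $row['id']]);
    }
    $q = $pdo->prepare('DELETE FROM login_attempts WHERE email = :email');
    $q->execute([':email' => $email]);
    return (int) $row['id'];
}
```

The hash is read from and written to `users` only; nothing here copies it into logs, sessions or other tables, which is what the last Passwords item is checking for.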


Password reset
  • Does the password reset require a random nonce?
  • Does the user receive the nonce via email?
  • Is the nonce cryptographically secure?
  • Is only the hash of the nonce stored in the database?
  • Is it impossible to determine the existence of an email address from the form feedback? This includes explicit messages as well as the implicit behaviour of the form (like time differences).
  • Is the number of reset attempts limited?
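The reset flow above as an added example that is not part of the original post: a CSPRNG nonce sent by email, only its hash stored, single use with an expiry, and the same visible response whether or not the address exists. It assumes a PDO connection, a constructed table `password_resets(user_id, token_hash, expires_at)` and an application-provided `send_mail($to, $body)`; the link host and the 30-minute lifetime are placeholders. The attempt limit from the login form applies here too and is not repeated.

```php
<?php
// Added example, not from the original post. Assumes PDO $pdo, the
// constructed table password_resets(user_id, token_hash, expires_at) and an
// application function send_mail(string $to, string $body).
declare(strict_types=1);

const RESET_TOKEN_LIFETIME = 1800;  // seconds, constructed value

function new_reset_token(): string
{
    // 32 bytes from the CSPRNG; the hex form goes into the email link
    return bin2hex(random_bytes(32));
}

function reset_token_hash(string $token): string
{
    // Only this hash is stored, so a database leak does not yield usable
    // tokens. A plain SHA-256 suffices because the token already carries
    // 256 bits of entropy, unlike a user-chosen password.
    return hash('sha256', $token);
}

function request_password_reset(PDO $pdo, string $email): void
{
    $stmt = $pdo->prepare('SELECT id FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row !== false) {
        $token = new_reset_token();
        $ins = $pdo->prepare(
            'INSERT INTO password_resets (user_id, token_hash, expires_at) VALUES (:uid, :h, :exp)'
        );
        $ins->execute([
            ':uid' => $row['id'],
            ':h'   => reset_token_hash($token),
            ':exp' => time() + RESET_TOKEN_LIFETIME,
        ]);
        // example.invalid is a placeholder host
        send_mail($email, "Reset link: https://example.invalid/reset?token=$token");
    }
    // The caller always shows the same "if the address exists, a mail was
    // sent" text. Sending the mail makes the hit path slower than the miss
    // path; hand the mail to a queue if that difference must not be observable.
}

function consume_reset_token(PDO $pdo, string $token, string $newPassword): bool
{
    $stmt = $pdo->prepare('SELECT user_id, expires_at FROM password_resets WHERE token_hash = :h');
    $stmt->execute([':h' => reset_token_hash($token)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires_at'] < time()) {
        return false;  // unknown or expired token, same answer for both
    }

    $pdo->beginTransaction();
    $upd = $pdo->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
    $upd->execute([':h' => password_hash($newPassword, PASSWORD_BCRYPT), ':id' => $row['user_id']]);
    // Single use: remove every outstanding token for this user
    $del = $pdo->prepare('DELETE FROM password_resets WHERE user_id = :id');
    $del->execute([':id' => $row['user_id']]);
    $pdo->commit();
    return true;
}
```

Looking the token up by its hash means the raw token never touches the database, and the length and format checks the login form applies to passwords should be applied to `$newPassword` before `consume_reset_token()` is called.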


User profile
  • Does changing the password or email address require the current password?