If you were tasked to conduct a security audit on a server/database-backed web app, where would you start?

Let's say you were brought on to inspect and a company's web app, built on something common like PHP/Rails/Node/etc.

What's your check list, what are you looking for?

Comments

[HS]

Lot of professional answers but I would start by looking how many keys are stored in plain text in config file on backend server.

I would also check how many of these are used by the frontend. Some developers leave keys embedded in HTML like hidden input and sometimes you can get the key by inspecting network traffick with dev tools in browser if your app frontend uses 3rd party api but tries to hide the key by uglifying JS. Many forget to keep the keys on back and act as a middleware.

Then classics like sql injection, xss, those kind of things.

Later I would call sec experts to check for real threats which are security stuff and not common mistakes.

[Médéric Burlet]

As @andrew_brown pointed out OWASP and Kali have a lot of amazing tools. I would recommend every company to use ZAP from OWASP as a good starting point. It has a big list of automated tests which of course need you to verify afterwards manually or using other tools but it does warn on many things.

owasp.org/index.php/OWASP_Zed_Atta...

[Thoughtful Technology Partners LLC]

The responses posted provide good information. The only thing I would add is referencing the OWASP ASVS (application security verification standard) as it describes the security that should be built into the application - input handling, session management, use of secure ciphers, privileged command execution etc. This is the link to OWASP ASVS:

owasp.org/images/3/33/OWASP_Applic...

The other item I didn't see mentioned (I may have missed it) but is proper implementation of TLS.

Additional considerations include application and database configuration and secure configuration of the execution venue. Running the application on AWS EC2 instances versus GCP GKE (intentionally drawing a stark contrast) brings different security considerations.

[Guillaume Gautreau]

1. Make a precise list of valuables things you have to protect (data, access to the app for your clients, your own processing power, your bandwidth).
2. For each point in the previous list, try to list all the possible breaches you can think of
3. For each breaches, evaluate the probability and the eventual cost of an exploit of the breach
4. Sort the list by probability * cost and list possible counter measures for the most important possible issues.

[Cristiano D. Silva]

You should check:

• Web language security patches
• Web framework security patches
• Web application passes OWASP
• Web server access
• Database server access
• Database users
• Permissions for the users on the webserver
• Contents of data (you could easily find spam if the web layer is insecure) on the database
• If the servers are accessible from the web without a VPN or proper security (AWS has a good direction on that)
• If the servers OS has the latest security patches
• CVE's

For the majority, you will be dealing, very likely, with outdated servers and unauthorized access or improper permissions for user access.

[Kurt Kemple]

I would start from the back of the stack and work towards the front end. The theory being that locking down the DB operations and access will give the most benefit vs time spent as the source is secure. Then I would start fanning out to any services that interact with the data source and make sure they are secure. Lastly moving on to any clients that interact with those services.

[scottshipp]

The first thing to check is if they’re using the default admin account on the database and if it is still using the default password or something easily crackable. You’d be surprised...

[Ari Kalfus]

OWASP has a great web app testing methodology guide to walk you through a bunch of checks: owasp.org/index.php/Web_Applicatio...

These are kind of the minimum, a tester would want to expand based on what behavior exists in the application, but that guide is a great baseline.

[Ari Kalfus]

Also, business logic inconsistencies and access control misconfigurations (or failures) are something I prioritize, as these are the kind of things an automated scanner or tool is not really able to find.

[John Ralph Umandal]

I would check if there's any session checking / auth verification.

Most of big non-tech company rely too much on VPN and don't invest money on security, thinking that it would not be possible for someone to actually access to an app without getting inside the network.

[Simon Massey]

• What's the security policy for the code. If it's on public git service (eg GitHub) is 2FA enabled for all contributors
• is git branch protection enabled with at least one reviewer. That way a worm writing a rogue dependency into package.json is less like to slip something in
• how are secrets handled such as database credentials. are they git-secret encrypted and strong.
• does the configured database user have too much privileges (uses ”admin” or ”postgres” accounts) it should be a none default account granted the minimum privileges possible
• are the default accounts of the database secured with strong passwords.
• is there regular backups of the database. are they encrypted before moving off the host to a secure location. is the restore of backups regularly tested.
• is there a CI/CD pipeline and does it have security vulnerability scanning enabled (snyk.io) and is the build failed for anything other than low severity issues
• are low severity security scanned issues regularly reviewed and fixed by default. those that wont be fixed is the reason documented and peer reviewed (eg ”we don't use that logic”). are those reasons periodically reviewed to check they are still valid
• are deployments against git tagged versions of the code. have branch protection and githooks been set to prevent updating tags or forces rewrites of history in git that could hide the history of a backdoor being added into the code base
• are git release tags annotated tags and gpg signed ’git tag -s’ so that we know exactly who said that version of the code is good to release in a way that cannot be faked
• is the OS or base container layer up to date and regularly patched. stale Dockerfiles and images with cached out-of-date base image layers is sadly typical. the release build should run with flags to disable layer caching to force download of latest patches from upstream
• does the code run on the current long term support version(s) of the web technology it uses. is there a policy to promptly upgrade to support the next long term support version and a deprecate support for expired versions.
• is the software frequently rebuilt and redeployed pick up newly discovered security issues (if the code is only pushed every few months known security bugs are not fixed for months)
• is HTTPS enforced and is the cert properly protected (such as git-secret encrypted)
• is 2FA enforced for access to all infrastructure (eg AWS account)
• is the app appropriately firewalled (only specific ports enabled)
• are docker images running as root (mostly everything on hub.docker.com does) you should only docker images as a regular user. s2i images typically do this properly if you need a move away from root images.
• is there a ”security” label for bugs in the issue tracker and are issues with that label prioritised with a low response time to triage them rather than just ignoring it as not a fun feature to build.
• did the app write it's own authentication and authorization logic. if it did that's an epic fail.
• does the app allow the forcing of 2FA for privileged accounts
• is all input to the app sanitised (library to scrub SQL injection)
• is static code analysis being applied to the code base and the build failed for issues. most security bugs are simple code errors and code that passes a lint is likely to have less bugs so less holes
• is there peer review of all pull requests. most security bugs are simple code errors and code that is clear and understood by two devs is less likely to have bugs that lead to security errors
• has penetration testing been performed against the application
• has the codebase been reviewed to ensure that role based access control is properly enforced
• are cookies handled correctly such as marked as secure so only sent over HTTPS
• are assets loaded from public CDN which may be a route to inject attacks. use your own CDN and ensure you checked the hash for the files you put there against the official releases or built them yourself
• check CORS correctly configured and XSRF protection in place
• are passwords correctly stretched and salted or better yet use SRP6a authentication protocol
• are users emailed on and changes to their account
• are strong passwords enforced? check part of the hash of passwords against the Troy Hnt ”have I been pwned” API of half a billion compromised passwords.
• is the login screen tested against the most popular password managers so that users can use randomised strong passwords
• are the users offered recovery codes or password recovery using shamir secret sharing scheme