Authentication Checks 1. Login and Change Password pages on SSL?2. All sensitive pages (accepting SSN, Credit Card) over SSL?3. Strong Password Policy? (Joe Accounts/Blank Passwords/Max Password Age/Min Password Age, etc)4. Is Forgot Password page secure?5. Password Change forced on 1st login?6. Re-authenticate before moving to sensitive pages (Edit Account Info?)7. Prompts old password before changing password?8. Has "Remember Me" feature? If so, how's password stored?9. Warns before allowing "Remember Me"?10. Has CAPTCHA to prevent password guessing?11. Does show error msgs like "Invalid User/Invalid Password"?12. Can auth. be by-passed for privileged URL's?13. Is AutoComplete set to OFF?14. Is password re-submitted on 'Back/Refresh' of browser?15. SQL Injection in login?
Session Management 1. Is session id random enough?2. Session Timeout present?3. Stored in what form? (persistent cookie/in-memory cookie)?4. Session Id expires on request tampering?5. Sensitive data in cookie?6. Can you see X user's data with Y's session id?7. Session expires at server-side on logout?8. Can logged out user's session be re-used?9. Is new session id generated on login?10. Is cookie over-written on logout?
Input Validation Checks 1. Use proxy to by-pass client side validation?2. Generate errors for information disclosure?3. Web Page source reveals sensitive application information4. HTTP Headers manipulation5. Viewstate manipulation6. GET and POST parameter manipulation
Secure Storage Checks 1. Are passwords stored in clear text?2. Is sensitive information like Credit Card encrypted?3. What encryption algo used? Standard or Proprietary?4. Is connection string in clear text?5. Any passwords hard-coded in application?
File Checks 1. Is file upload /download allowed?2. Can files be downloaded directly from URL?3. Can malicious files be uploaded?
Environment Checks 1. Are default apps installed?2. Are default accounts enabled? Do they have strong passwords?3. Is firewall deployed?4. Is code obfuscated?5. Can detect server details using banner grabbing?6. Are forms bot resistant?