1. Without logging on to the system, enter the URL of a page that normally requires login directly into the browser and check whether it is accessible;
2. Without logging on to the system, enter the URL of a downloadable file and check whether the file can be downloaded;
For example, enter http://url/download?name=file and check whether the file is returned.
3. After logging out, click the browser's back button and check whether the previous page can still be accessed;
4. Whether a simple password is accepted in ID/password authentication;
For example: the password must be longer than 6 characters, must combine letters and digits, must not contain the ID, and must not contain more than n consecutive letters or digits.
5. In ID/password authentication, whether the same account can be logged on at the same time from different machines;
6. In ID/password authentication, whether the account is locked after the wrong password is entered several times in a row;
7. Whether important information (such as passwords, ID card numbers and credit card numbers) is displayed in plaintext during input or query;
Enter javascript:alert(document.cookie) in the browser's address bar and check whether important information is exposed in the cookie;
Check whether important information can be seen in the HTML source code;
8. Manually change a parameter value in the URL to access a page without permission;
For example, if the URL parameter of a normal user is l=e and that of an advanced user is l=s, log on as a normal user and change e to s in the URL to see whether the page can be accessed without the required permission.
9. Whether parameters in the URL that should not be modifiable can be modified;
10. After uploading executable files with the same extension as the server-side language (jsp, asp, php) or exe, check whether the files can be run directly on the server;
11. Whether '-- or ' or 1=1 -- can be used as the user name when registering a user;
12. Whether parameters sent to the server (such as query keywords and URL parameters) that contain special characters (', ' and 1=1 --, ' and 1=0 --, ' or 1=0 --) are processed normally;
13. During add operations, enter a script tag (<script>alert("")</script>) in every input box and check whether the script is saved;
14. Whether auto-completion is enabled when important information (passwords, ID card numbers, credit card numbers) is added or modified;
(Set autocomplete=0 on the form tag to disable auto-completion)
15. Enter the following URLs in the address bar for download:
http://url/download.jsp?File=c:\windows\system32\drivers\etc\hosts, http://url/download.jsp?File=/etc/password
16. Whether the session validity period (session expiry) is enforced;
17. Whether error messages contain SQL statements, SQL error information, or the absolute path of the web server.
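Item 15 probes the download handler with absolute paths; the defensive counterpart is a handler that only ever serves a bare file name from a fixed directory. The Python function below is an added example (not code from the original checklist): it reduces the `file` parameter to a single path component, rejects drive prefixes, absolute paths and directory parts, and confirms the resolved path still lies under the download directory. The directory /srv/app/downloads and the sample URLs are constructed for this example.

```python
import os
from urllib.parse import urlsplit, parse_qs

# Directory the download handler is allowed to serve from (constructed
# for this example; a real handler would use its own configured path).
DOWNLOAD_ROOT = os.path.realpath("/srv/app/downloads")


def safe_download_path(requested, root=DOWNLOAD_ROOT):
    """Map a user-supplied file name to an absolute path inside `root`.

    Returns the path if the request is a plain file name that resolves
    inside `root`, otherwise None (the request should be refused).
    """
    if not requested:
        return None
    # Treat backslashes as separators so "c:\windows\..." is handled the
    # same way on POSIX hosts as on Windows.
    name = requested.replace("\\", "/")
    # Drive prefixes ("c:") and absolute paths are never legitimate here.
    if ":" in name or name.startswith("/"):
        return None
    # Only a bare file name is accepted: any directory part, including
    # "..", is rejected outright rather than normalised away.
    if "/" in name or name in (".", ".."):
        return None
    candidate = os.path.realpath(os.path.join(root, name))
    # Defence in depth: realpath follows symlinks, so confirm the final
    # location is still under root even after the checks above.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def check_download_url(url):
    """Extract the file parameter from a download URL and validate it."""
    params = {k.lower(): v for k, v in parse_qs(urlsplit(url).query).items()}
    values = params.get("file", [])
    return safe_download_path(values[0]) if values else None


if __name__ == "__main__":
    for u in ("http://url/download.jsp?File=c:\\windows\\system32\\drivers\\etc\\hosts",
              "http://url/download.jsp?File=/etc/password",
              "http://url/download.jsp?file=report.pdf"):
        print(u, "->", check_download_url(u))
```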