Web Application Security Checklist

Been assessing the vulnerabilities of a site I’m building at the moment and trying to come up with a list of potential vulnerabilities so that I can check that I’ve dealt with them all. This is where I’ve got to so far please point out any you think I’ve missed.


  • errors aren’t displayed, other than we just had an error if really necesary, not the details
  • errors are logged
  • if logged to files those files aren’t accessible by visitors

Only public viewable files are visible

  • access to any non public folders are restricted
  • includes, class definitions settings files etc.
  • if you were to try and access they would act like a resource that doesn’t exist

Parameter filtering

  • input isn’t trusted
  • input is filtered, escaped etc
  • output is escaped

SQL injection

  • query params are quoted, bound dealt with according to your database
  • the security of access to the database itself
  • database users
  • database server access

Vulnerabilities of software included

Any ready made systems, libraries used in the site are at the latest version and they don’t publish what version they are at. Including language and server software versions e.g. say ruby don’t say ruby 1.9

Cross site scripting

Origin of requests

  • where origin of requests should be via self make sure it is.

Brute force

  • login points throttle repeated requests in order to slow down dictionary attacks
  • log repeated login attempts by ip and useragent
  • block abusers according to blocking policy


  • passwords are non dictionary words and of adequate length and variety of case and character
  • passwords are stored encrypted in a way that makes unencrypting them awkward if they were ever accessed.


  • all public forms have some form of captcha device
  • all public email addresses are obscured in some way

File system access

  • ftp, sftp, ssh users
  • file permissions are correct

Access with curl and more bot like access paths mirror that of normal browser based viewer or are more restricted.


  • unsuccessful logins and successful logins are logged.

Monitoring of access and file modification times to check files havn’t been modified when they shouldn’t have been by some other than authorised source.

Well that is my first attempt I guess I can always add to it as I think of new issues and read more. Hopefully without getting too paranoid.