Code Audit Fast Track

Authenticating Users

  Building Login Forms
    Does the login form transmit data across a secure connection?
    Does the login form use the HTTP POST method instead of GET?
    Does the application validate the login form input?
    Does the form reveal sensitive information through hidden form fields?
    Do error messages reveal too much information?

  Using Forms Authentication
    Does the web.config file contain user credentials when other alternatives would be more secure?
    Does the web.config file contain cleartext user credentials?
    Does the web.config file use the most secure settings for cookies?

  Using Windows Authentication
    If you’re using basic authentication, is the traffic encrypted with SSL?
    Does the site design allow credentials to be sent when moving from an SSL page to an unencrypted page?
    Can an attacker launch brute-force attacks against privileged accounts?
    Can an attacker relay brute-force attacks from the Web server to other systems?

  Using Passport Authentication
    Is Passport authentication sufficient given the nature of the Web site?

  Blocking Brute-Force Attacks
    Does the site enforce account lockout? What risks are involved with this policy?
    Does the site have any features to slow brute-force attacks?
    Does the site have any features to fool automated brute-force tools?
    Does the site have any features to stop automated attacks, such as asking for a secret question or using a CAPTCHA?
    Does the application provide advanced user settings to restrict access to an account?
    Does the application have any way to limit or suspend an account suspected of abuse?
Authorizing Users

  Deciding How to Authorize
    Does the system have a solid roles-based security framework?
    Does the system use multiple layers of authentication?

  Employing File Authorization
    Does the system define the minimum NTFS file permissions required to run the application?
    Does the system use file authorization to implement both resource-based and role-based security?

  Applying URL Authorization
    Does the authorization section of the web.config for protected content start by denying unauthenticated users?
    Does the authorization section end with a default rule allowing all or denying all users?
    Are all allow verb elements followed with deny verb elements?
    Does the application use HttpForbiddenHandler or HttpNotFoundHandler to block everyone’s access to certain files?
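As an added illustration (not from the book or from the audit questions above), here is a web.config fragment covering the cookie settings asked about under Using Forms Authentication and the authorization rules asked about under Applying URL Authorization. It assumes the classic ASP.NET system.web pipeline; the folder paths, role names and file extensions are hypothetical.

```xml
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- Forms cookie settings: protection="All" signs and encrypts the
           ticket, requireSSL keeps it off cleartext connections, and a
           fixed (non-sliding) timeout bounds the life of a stolen ticket. -->
      <forms loginUrl="Login.aspx" protection="All" requireSSL="true"
             slidingExpiration="false" timeout="20" />
    </authentication>
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
    <httpHandlers>
      <!-- Files that must never be served: .inc via HttpForbiddenHandler
           (403), .bak via HttpNotFoundHandler (404). Extensions are illustrative. -->
      <add verb="*" path="*.inc" type="System.Web.HttpForbiddenHandler" />
      <add verb="*" path="*.bak" type="System.Web.HttpNotFoundHandler" />
    </httpHandlers>
  </system.web>

  <!-- WEAK (hypothetical /Reports folder): no leading deny of anonymous
       users ("?"), the verb-limited allow is not followed by a deny for the
       remaining verbs, and there is no closing default rule, so anything
       unmatched falls through to the inherited <allow users="*" />. -->
  <location path="Reports">
    <system.web>
      <authorization>
        <allow roles="Managers" verbs="GET,POST" />
      </authorization>
    </system.web>
  </location>

  <!-- HARDENED (hypothetical /Admin folder). Rules are evaluated top-down and
       the first match wins, so: deny anonymous users first, follow the
       verb-limited allow with a deny covering the same role on every other
       verb, and close with an explicit deny-all default. -->
  <location path="Admin" allowOverride="false">
    <system.web>
      <authorization>
        <deny users="?" />
        <allow roles="Administrators" verbs="GET,POST" />
        <deny roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```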
  Authorizing Users Through Code
    Does the application use declarative, imperative, and explicit role checks to provide multiple layers of authorization?