Checklist for Auditing Web Servers
qVerify that the web server is running on a dedicated system and not in conjunction with other critical applications.
qVerify that the web server is fully patched and updated with the latest approved code.
qDetermine if the web server should be running additional tools to aid in the protection of the web server.
qVerify that unnecessary services or modules are disabled. Running services and modules should be running with least privileged accounts.
qVerify that only appropriate protocols and ports are allowed to access the web server.
qVerify that accounts allowing access to the web server are managed appropriately and hardened with strong passwords.
qEnsure that appropriate controls exist for files, directories, and virtual directories.
qEnsure that the web server has appropriate logging enabled and secured.
qEnsure that script extensions are mapped appropriately.
qVerify that unnecessary or unused ISAPI filters are removed from the server.
qVerify the validity and use of any server certificates in use.
Checklist for Auditing Web Applications
qVerify that all input is validated prior to use by the web server.
qVerify that proper authorization controls are enforced.
qBroken authentication and session management
qReview the website for cross-site scripting vulnerabilities.
qVerify that the server is updated with all known patches for buffer overflows.
qEnsure that the web application is protected against injection attacks.
qEvaluate the use of proper error handling.
qEnsure that secure storage mechanisms are used correctly and appropriately.
qDetermine the use of adequate controls to prevent denial of service.
qReview controls surrounding maintaining a secure configuration.