TwoTalesDev/4WDCSA.co.za
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
84dc35c8d5b01fa129ae7d99334a03f34e825dfd
4WDCSA.co.za/PHASE_1_SECURITY_TESTING_CHECKLIST.md
twotalesanimation 076053658b Task 11: Create comprehensive security testing checklist 
Created PHASE_1_SECURITY_TESTING_CHECKLIST.md with:

1. CSRF Protection Testing (5 test cases)
   - Valid/invalid/reused tokens, cross-origin attempts

2. Authentication & Session Security (5 test cases)
   - Session regeneration, timeout, fixation prevention, cookie flags

3. Rate Limiting & Account Lockout (5 test cases)
   - Brute force prevention, lockout messaging, timeout reset

4. SQL Injection Prevention (5 test cases)
   - Login, booking, comment, union-based injections

5. XSS Prevention (5 test cases)
   - Stored/reflected/DOM-based XSS, event handlers

6. File Upload Validation (8 test cases)
   - Malicious extensions, MIME type mismatch, path traversal, permissions

7. Input Validation (8 test cases)
   - Email, phone, name, date, amount, password strength

8. Audit Logging & Monitoring (5 test cases)
   - Login attempts, CSRF failures, file uploads, queryable logs

9. Database Security (3 test cases)
   - User permissions, backup encryption, connection security

10. Deployment Security Checklist (6 categories)
    - Debug code removal, HTTPS enforcement, file permissions

11. Performance & Stability (3 test cases)
    - Large data loads, concurrent users, session cleanup

12. Go-Live Security Sign-Off (4 sections)
    - Security review, code review, deployment review, user communication

13. Phase 2 Roadmap
    - WAF implementation, rate limiting, CSP, connection pooling, JWT, security headers

Complete coverage of all Phase 1 security implementation with test procedures,
pass criteria, and sign-off process for production deployment.
2025-12-03 13:32:17 +02:00

20 KiB
Raw Blame History

Phase 1 Security Testing Checklist

4WDCSA.co.za - Pre-Go-Live Validation

Date Created: December 3, 2025
Status: READY FOR TESTING
Phase: 1 - Security & Stability (Weeks 1-3)

1. CSRF (Cross-Site Request Forgery) Protection

Implementation Complete

  • CSRF token generation function: generateCSRFToken() (64-char hex, 1-hour expiry)
  • CSRF token validation: validateCSRFToken() (single-use, auto-removal)
  • All POST forms include hidden CSRF token field
  • All POST processors validate CSRF tokens before processing

Forms Protected (13 forms)

  • login.php - User authentication
  • register.php - New user registration
  • forgot_password.php - Password reset request
  • account_settings.php - Account info form
  • account_settings.php - Password change form
  • trip-details.php - Trip booking
  • campsite_booking.php - Campsite booking
  • course_details.php - Course booking (driver training)
  • bush_mechanics.php - Course booking (bush mechanics)
  • driver_training.php - Course booking
  • comment_box.php - Blog comment submission
  • membership_application.php - Membership application
  • campsites.php (modal) - Add campsite form
  • bar_tabs.php (modal) - Create bar tab form
  • submit_pop.php - Proof of payment upload

Backend Processors Protected (12 processors)

  • validate_login.php - Login validation
  • register_user.php - User registration
  • process_booking.php - Booking processing
  • process_payments.php - Payment processing
  • process_eft.php - EFT processing
  • process_application.php - Application processing
  • process_course_booking.php - Course booking
  • process_camp_booking.php - Campsite booking
  • process_trip_booking.php - Trip booking
  • process_membership_payment.php - Membership payment
  • process_signature.php - Signature processing
  • create_bar_tab.php - Bar tab creation
  • add_campsite.php - Campsite addition
  • submit_order.php - Order submission

Test Cases

Test 1.1: Valid CSRF Token Submission

Steps:

  1. Load login form (captures CSRF token from form)
  2. Fill in credentials
  3. Submit form with valid CSRF token in POST data
  4. Expected result: Login succeeds

Pass Criteria: Login processes successfully

Test 1.2: Missing CSRF Token

Steps:

  1. Create form request with no csrf_token field
  2. POST to login.php
  3. Expected result: 403 error, login fails

Pass Criteria: Response code 403, error message displays

Test 1.3: Invalid CSRF Token

Steps:

  1. Load login form
  2. Modify csrf_token value to random string
  3. Submit form
  4. Expected result: 403 error, login fails

Pass Criteria: Response code 403, error message displays

Test 1.4: Reused CSRF Token

Steps:

  1. Load login form, capture csrf_token
  2. Submit form once (succeeds)
  3. Submit same form again with same token
  4. Expected result: 403 error, second submission fails

Pass Criteria: Second submission rejected

Test 1.5: Cross-Origin CSRF Attempt

Steps:

  1. From external domain (e.g., attacker.com), create hidden form targeting 4WDCSA login
  2. Attempt to submit without CSRF token
  3. Expected result: Failure

Pass Criteria: Request rejected without valid CSRF token

2. AUTHENTICATION & SESSION SECURITY

Implementation Complete

  • Session regeneration after successful login
  • 30-minute session timeout
  • Session cookie security flags (httpOnly, secure, sameSite)
  • Password hashing with password_hash() (argon2id)
  • Email verification for new accounts

Test Cases

Test 2.1: Session Regeneration

Steps:

  1. Get session ID before login
  2. Login successfully
  3. Get session ID after login
  4. Expected result: Session IDs are different

Pass Criteria: Session ID changes after login

Test 2.2: Session Timeout

Steps:

  1. Login successfully
  2. Wait 31 minutes (or manipulate session time)
  3. Attempt to access protected page
  4. Expected result: Redirected to login

Pass Criteria: Session expires after 30 minutes

Test 2.3: Session Fixation Prevention

Steps:

  1. Pre-generate session ID
  2. Create hidden form that sets this session
  3. Attempt to login with pre-set session
  4. Expected result: Session ID should change anyway

Pass Criteria: Session regenerates regardless of initial state

Test 2.4: Cookie Security Headers

Steps:

  1. Login and inspect response headers
  2. Check Set-Cookie header
  3. Expected result: httpOnly, secure, sameSite=Strict flags present

Pass Criteria: All security flags present

Test 2.5: Plaintext Password Storage

Steps:

  1. Query users table directly
  2. Check password column
  3. Expected result: Hashes, not plaintext (should start with 2y or argon2id)

Pass Criteria: All passwords are hashed

3. RATE LIMITING & ACCOUNT LOCKOUT

Implementation Complete

  • Login attempt tracking in login_attempts table
  • 5 failed attempts = 30-minute lockout
  • IP-based and email-based tracking
  • Audit logging of all lockouts

Test Cases

Test 3.1: Brute Force Prevention

Steps:

  1. Attempt login with wrong password 5 times rapidly
  2. Attempt 6th login
  3. Expected result: Account locked for 30 minutes

Pass Criteria: 6th attempt blocked with lockout message

Test 3.2: Lockout Message

Steps:

  1. After 5 failed attempts, inspect error message
  2. Expected result: Clear message about lockout and duration

Pass Criteria: User-friendly lockout message appears

Test 3.3: Lockout Reset After Timeout

Steps:

  1. Fail login 5 times
  2. Wait 31 minutes (or manipulate database time)
  3. Attempt login with correct credentials
  4. Expected result: Login succeeds

Pass Criteria: Lockout expires automatically

Test 3.4: Successful Login Clears Attempts

Steps:

  1. Fail login 3 times
  2. Login successfully
  3. Fail login again 5 times
  4. Expected result: Lockout happens on 5th attempt (not 2nd)

Pass Criteria: Attempt counter resets after successful login

Test 3.5: IP-Based Rate Limiting

Steps:

  1. From one IP, fail login 5 times
  2. From different IP, attempt login
  3. Expected result: Different IP should not be blocked

Pass Criteria: Rate limiting is per-IP, not global

4. SQL INJECTION PREVENTION

Implementation Complete

  • All queries use prepared statements with parameterized queries
  • getResultFromTable() refactored with column/table whitelisting
  • Input validation on all user-supplied data
  • Audit logging for validation failures

Test Cases

Test 4.1: Login SQL Injection

Steps:

  1. In login form, enter email: ' OR '1'='1
  2. Enter any password
  3. Submit
  4. Expected result: Login fails, no SQL error reveals

Pass Criteria: Login rejected, no database info disclosed

Test 4.2: Booking Date SQL Injection

Steps:

  1. In booking form, modify date parameter to: 2025-01-01'; DROP TABLE bookings;--
  2. Submit form
  3. Expected result: Bookings table still exists, error message appears

Pass Criteria: Table not dropped, invalid input rejected

Test 4.3: Comment SQL Injection

Steps:

  1. In comment box, enter: <script>alert('xss')</script>' OR '1'='1
  2. Submit comment
  3. Expected result: Stored safely as text, no execution

Pass Criteria: Comment stored but not executed

Test 4.4: Union-Based SQL Injection

Steps:

  1. In search field, enter: '; UNION SELECT user_id, password FROM users;--
  2. Expected result: Query fails, no results

Pass Criteria: Union injection blocked

Test 4.5: Prepared Statement Verification

Steps:

  1. Review process_booking.php code
  2. Verify all database queries use $stmt->bind_param()
  3. Expected result: No direct variable interpolation in SQL

Pass Criteria: All queries use prepared statements

5. XSS (Cross-Site Scripting) PREVENTION

Implementation Complete

  • Output encoding with htmlspecialchars()
  • Input validation on all form fields
  • Content Security Policy headers (recommended)

Test Cases

Test 5.1: Stored XSS in Comments

Steps:

  1. In comment form, enter: <script>alert('XSS')</script>
  2. Submit comment
  3. View blog post
  4. Expected result: Script does NOT execute, appears as text

Pass Criteria: Script tag appears as text, no alert()

Test 5.2: Reflected XSS in Search

Steps:

  1. Navigate to search page with: ?search=<img src=x onerror=alert('xss')>
  2. Expected result: No alert, image tag fails, text displays

Pass Criteria: No JavaScript execution

Test 5.3: DOM-Based XSS in Member Details

Steps:

  1. In member info form, enter name: "><script>alert('xss')</script>
  2. Save
  3. View member profile
  4. Expected result: Name displays with quotes escaped

Pass Criteria: HTML injection prevented

Test 5.4: Event Handler XSS

Steps:

  1. In profile update, attempt: onload=alert('xss')
  2. Submit
  3. Expected result: onload attribute removed or escaped

Pass Criteria: Event handlers sanitized

Test 5.5: Data Attribute XSS

Steps:

  1. In form, enter: <div data-code="javascript:alert('xss')"></div>
  2. Submit
  3. Expected result: Safe storage, no execution

Pass Criteria: Data attributes safely stored

6. FILE UPLOAD VALIDATION

Implementation Complete

  • Hardcoded MIME type whitelist per file type
  • File size limits enforced (5MB images, 10MB documents)
  • Extension validation
  • Double extension prevention
  • Random filename generation
  • is_uploaded_file() verification
  • Image validation with getimagesize()

Test Cases

Test 6.1: Malicious File Extension

Steps:

  1. Attempt to upload shell.php.jpg (PHP shell with JPG extension)
  2. Expected result: Upload rejected

Pass Criteria: Double extension detected and blocked

Test 6.2: Executable File Upload

Steps:

  1. Attempt to upload shell.exe or shell.sh
  2. Expected result: Upload rejected, error message

Pass Criteria: Executable file types blocked

Test 6.3: File Size Limit

Steps:

  1. Create 6MB image file
  2. Attempt upload as profile picture (5MB limit)
  3. Expected result: Upload rejected

Pass Criteria: Size limit enforced

Test 6.4: MIME Type Mismatch

Steps:

  1. Rename shell.php to shell.jpg
  2. Attempt upload
  3. Expected result: Upload rejected (MIME type is PHP)

Pass Criteria: MIME type validation catches mismatch

Test 6.5: Random Filename Generation

Steps:

  1. Upload two profile pictures
  2. Check uploads directory
  3. Expected result: Both have random names, not original

Pass Criteria: Filenames are randomized

Test 6.6: Image Validation

Steps:

  1. Create text file with .jpg extension
  2. Attempt to upload as profile picture
  3. Expected result: getimagesize() fails, upload rejected

Pass Criteria: Invalid images rejected

Test 6.7: File Permissions

Steps:

  1. Upload a file successfully
  2. Check file permissions
  3. Expected result: 0644 (readable but not executable)

Pass Criteria: Files not executable after upload

Test 6.8: Path Traversal Prevention

Steps:

  1. Attempt upload with filename: ../../../shell.php
  2. Expected result: Random name assigned, path traversal prevented

Pass Criteria: Upload location cannot be changed

7. INPUT VALIDATION

Implementation Complete

  • Email validation (format + length)
  • Phone number validation
  • Name validation (no special characters)
  • Date validation (proper format)
  • Amount validation (numeric, reasonable ranges)
  • ID number validation (South African format)
  • Password strength validation (min 8 chars, special char, number, uppercase)

Test Cases

Test 7.1: Invalid Email Format

Steps:

  1. In registration, enter email: notanemail
  2. Submit form
  3. Expected result: Form rejected with error

Pass Criteria: Invalid emails rejected

Test 7.2: Email Too Long

Steps:

  1. In registration, enter email with 300+ characters
  2. Submit form
  3. Expected result: Form rejected with error

Pass Criteria: Email length limit enforced

Test 7.3: Phone Number Validation

Steps:

  1. In application form, enter phone: abc123
  2. Submit
  3. Expected result: Form rejected

Pass Criteria: Non-numeric phones rejected

Test 7.4: Name with SQL Characters

Steps:

  1. In application, enter name: O'Brien'; DROP TABLE--
  2. Submit
  3. Expected result: Name safely stored without SQL execution

Pass Criteria: Special characters handled safely

Test 7.5: Invalid Date Format

Steps:

  1. In booking form, enter date: 32/13/2025
  2. Submit
  3. Expected result: Form rejected with error

Pass Criteria: Invalid dates rejected

Test 7.6: Weak Password

Steps:

  1. In registration, enter password: password123
  2. Submit
  3. Expected result: Form rejected (needs uppercase, special char)

Pass Criteria: Weak passwords rejected

Test 7.7: Password Strength Check

Steps:

  1. Enter password: SecureP@ssw0rd
  2. Expected result: Password accepted

Pass Criteria: Strong passwords accepted

Test 7.8: Negative Amount Submission

Steps:

  1. In booking, attempt to set amount to -100
  2. Submit
  3. Expected result: Invalid amount rejected

Pass Criteria: Negative amounts blocked

8. AUDIT LOGGING & MONITORING

Implementation Complete

  • auditLog() function logs all security events
  • audit_log table stores: user_id, action, table, record_id, details, timestamp
  • Failed login attempts logged
  • CSRF failures logged
  • Failed validations logged
  • File upload operations logged
  • Admin actions logged

Test Cases

Test 8.1: Login Attempt Logged

Steps:

  1. Perform successful login
  2. Query audit_log table
  3. Expected result: LOGIN_SUCCESS entry present

Pass Criteria: Login logged with timestamp

Test 8.2: Failed Login Attempt Logged

Steps:

  1. Attempt login with wrong password
  2. Query audit_log table
  3. Expected result: LOGIN_FAILED entry present

Pass Criteria: Failed login logged

Test 8.3: CSRF Failure Logged

Steps:

  1. Submit form with invalid CSRF token
  2. Query audit_log table
  3. Expected result: CSRF_VALIDATION_FAILED entry

Pass Criteria: CSRF failures tracked

Test 8.4: File Upload Logged

Steps:

  1. Upload profile picture
  2. Query audit_log table
  3. Expected result: PROFILE_PIC_UPLOAD entry with filename

Pass Criteria: Uploads tracked with details

Test 8.5: Audit Log Queryable

Steps:

  1. Admin queries audit log for specific user
  2. View all actions performed by user
  3. Expected result: Complete action history visible

Pass Criteria: Audit trail is complete and accessible

9. DATABASE SECURITY

Implementation Complete

  • Database user with limited privileges (no DROP, no ALTER)
  • Prepared statements throughout
  • login_attempts table for rate limiting
  • audit_log table for security events
  • users.locked_until column for account lockout

Test Cases

Test 9.1: Database User Permissions

Steps:

  1. Connect as database user (not admin)
  2. Attempt to DROP table
  3. Expected result: Permission denied

Pass Criteria: Database user cannot drop tables

Test 9.2: Backup Encryption

Steps:

  1. Check database backup location
  2. Verify backups are encrypted
  3. Expected result: Backups not readable without key

Pass Criteria: Backups secured

Test 9.3: Connection Encryption

Steps:

  1. Check database connection settings
  2. Verify SSL/TLS enabled
  3. Expected result: Database uses encrypted connection

Pass Criteria: Database traffic encrypted

10. DEPLOYMENT & CONFIGURATION SECURITY

Implementation Needed Before Go-Live

  • Remove phpinfo() calls
  • Hide error messages from users (log to file instead)
  • Set error_reporting to E_ALL but display_errors = Off
  • Remove debug code and print_r() statements
  • Update .htaccess to disable directory listing
  • Set proper file permissions (644 for PHP, 755 for directories)
  • Verify HTTPS enforced on all pages
  • Update robots.txt to allow search engines
  • Review sensitive file access (no direct access to uploads)
  • Set Content-Security-Policy headers

Pre-Go-Live Checklist

  • phpinfo.php deleted
  • testenv.php deleted
  • env.php contains production credentials
  • Database backups configured and tested
  • Backup restoration procedure documented
  • Incident response plan documented
  • Admin contact information documented

11. PERFORMANCE & STABILITY

Implementation Complete

  • Database queries optimized with indexes
  • Session cleanup for expired CSRF tokens
  • Error handling prevents partial failures

Test Cases

Test 11.1: Large Comment Load

Steps:

  1. Load blog post with 1000+ comments
  2. Measure page load time
  3. Expected result: Loads within 3 seconds

Pass Criteria: Performance acceptable

Test 11.2: Concurrent User Stress

Steps:

  1. Simulate 50 concurrent users logging in
  2. Monitor database connections
  3. Expected result: No timeouts, all succeed

Pass Criteria: System handles load

Test 11.3: Session Cleanup

Steps:

  1. Generate 1000 CSRF tokens
  2. Wait for expiration (1 hour)
  3. Check session size
  4. Expected result: Session not bloated, tokens cleaned

Pass Criteria: Cleanup occurs properly

12. GO-LIVE SECURITY SIGN-OFF

Requirements Before Production Deployment

Security Review

  • All 11 Phase 1 tasks completed and tested
  • No known security vulnerabilities
  • Audit log functional and accessible
  • Backup and recovery tested
  • Incident response plan documented

Code Review

  • No debug code in production files
  • No direct SQL queries (all parameterized)
  • No hardcoded credentials
  • All error messages user-friendly
  • HTTPS enforced on all pages

Deployment Review

  • Database migrated successfully
  • All tables created with proper indexes
  • File permissions set correctly (644/755)
  • Upload directories outside web root (if possible)
  • Backups configured and tested
  • Monitoring/logging configured

User Communication

  • Security policy documented and communicated
  • Password requirements communicated
  • MFA/email verification process clear
  • Incident contact information provided
  • Data privacy policy updated

13. SIGN-OFF

Tested By

  • QA Team: _________________________ Date: _________
  • Security Team: _________________________ Date: _________
  • Project Manager: _________________________ Date: _________

Approved For Deployment

  • Authorized By: _________________________ Date: _________
  • Title: _________________________________

Notes & Issues

[Space for any issues found and resolutions]

Next Steps After Phase 1 (Phase 2 - Hardening)

  1. Implement Web Application Firewall (WAF)

    • Add ModSecurity or equivalent
    • Block known attack patterns

  2. Add Rate Limiting at HTTP Level

    • Prevent DDoS attacks
    • Limit API requests per IP

  3. Implement Content Security Policy (CSP)

    • Restrict script sources
    • Prevent inline script execution

  4. Add Database Connection Pooling

    • Replace global $conn with connection pool
    • Improve performance under load

  5. Implement API Authentication

    • Add JWT or OAuth for API calls
    • Secure AJAX requests

  6. Add Security Headers

    • X-Frame-Options: DENY
    • X-Content-Type-Options: nosniff
    • Strict-Transport-Security: max-age=31536000

  7. Automated Security Testing

    • Add OWASP ZAP to CI/CD pipeline
    • Automated SQL injection testing
    • Automated XSS testing

End of Security Testing Checklist

Reference in New Issue View Git Blame Copy Permalink