Wednesday, February 10, 2010

ASP.NET MVC security checklist

There are tons of good papers[1] and a bunch of questions on StackOverflow[2] about designing and developing for security, but all of them seem to concentrate on what you should do.

However, recently I was after something different: a "visit a page, try this and that" kind of thing, you know. A list of simple actions one should go through once development is done, to make sure the solution is secure.

Here's something I've come up with so far:

Security Blackbox Checklist.

   * Submit incorrect/malicious data to make sure that input is validated for type, length, format and range by JavaScript.

   * Turn off client-side validation and repeat the step above, to make sure that (a) you also validate on the server, (b) input is validated on the server for type, length, format, and range, (c) free form input is sanitized, (d) output that includes input is encoded with HtmlEncode and UrlEncode.

   * Insert an extremely large amount of data in the query string, as in http://www.example.com/foo?bar=HugeAmountOfData, to make sure you constrain inputs and do boundary checks.

   * Visit a POST action via GET, to make sure that "form submit" actions are restricted to be POST-only.

   * If applicable, upload a file of incorrect size/format (huge file, empty file, executable with renamed extension, etc.) to make sure uploads are handled gracefully.

   * Access the URL as a user without correct permissions, to make sure permissions are explicitly tested via action/controller attributes.

   * Access the URL providing non-existing details (like non-existing product ids, items you don't have access to, etc.) to make sure a correct error (404, 403, etc.) is returned.

   * Access a sensitive page via HTTP, to make sure it's available via HTTPS only.
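
For reference, here is what a controller that passes the POST-only, permissions, error-code, HTTPS and server-side validation checks above could look like. This is an added example, not code from the original post; `ReviewInput`, `IReviewStore`, `ReviewsController` and the `Products`/`Details` route are hypothetical names.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Web;
using System.Web.Mvc;

// Hypothetical input model: server-side type, length and range rules.
public class ReviewInput
{
    [Range(1, int.MaxValue)]
    public int ProductId { get; set; }

    [Required, StringLength(2000)]
    public string Comment { get; set; }

    [Range(1, 5)]
    public int Rating { get; set; }
}

// Hypothetical storage abstraction, supplied by your controller factory.
public interface IReviewStore
{
    bool ProductExists(int productId);
    bool CanReview(string userName, int productId);
    void Add(string userName, ReviewInput input);
}

[RequireHttps]  // plain-HTTP GETs are redirected to HTTPS; other verbs are refused
[Authorize]     // anonymous requests never reach any action
public class ReviewsController : Controller
{
    private readonly IReviewStore _store;
    public ReviewsController(IReviewStore store) { _store = store; }

    [HttpPost]  // a GET request is never routed to this method
    public ActionResult Create(ReviewInput input)
    {
        // Runs even when JavaScript validation is switched off.
        if (!ModelState.IsValid) return View(input);

        if (!_store.ProductExists(input.ProductId))
            throw new HttpException(404, "No such product");
        if (!_store.CanReview(User.Identity.Name, input.ProductId))
            throw new HttpException(403, "Not allowed");

        _store.Add(User.Identity.Name, input);
        return RedirectToAction("Details", "Products", new { id = input.ProductId });
    }
}
```

The `Comment` field is stored as entered, so the view that displays it still has to HTML-encode it, as item (d) of the second check requires.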

Security Whitebox Checklist.

Read more: codevanced
