Web App Fingerprint
- Auto-complete status
- Technology identification
  - Client-side frameworks
  - CMS identification
  - Plugin/add-on identification
- Fuzzing
- Source code check
- robots.txt file
- Info leak via cache
- Domain interface
- TRACE/TRACK methods
- Server fingerprint
  - DEBUG method in IIS
  - Server response default banner

Application Entry Point
- Web forms
  - Login
  - Registration
  - Forgot password
  - Search
  - Comment section
  - Upload forms
  - Data submission forms (contact, etc.)
- GET/POST requests
- Hidden POST parameters

Session Management
- Strict-Transport-Security (HSTS) header check
- Cookie
  - Sensitive info in cookies
  - Cookie with HttpOnly flag
  - Cookie with no Secure flag
  - Path attribute not set in session cookie
  - Apache HttpOnly cookie disclosure
  - Cookie scope
  - Persistent cookies
- Session
  - Session hijacking
  - Session prediction (token predictability)
  - Session randomness
  - Session token in URL
  - Session expiration mechanism legitimacy
  - Reissued session IDs for user-critical actions
  - Session cookie before and after login
  - Meaning encoded in tokens
  - Secure transmission of tokens
  - Disclosure of tokens in logs
  - Mapping of tokens to sessions
  - Cross-site request forgery
  - Log out functionality
  - Session termination, fixation, and expiration
  - Session relay
  - Sensitive data removal (cache, temp, ...)

Registration Process
- Email verification
- Client-side validation
- Browser history information leak
- Browser credential storage
- SSL
- Automation (auto-fill form)
- Auto-complete in HTML form
- CAPTCHA
- Password strength check
- Stored XSS

Authentication Testing
- Username enumeration
- Resilience to password guessing
- Bypass authentication using SQL injection
- Are credentials transmitted over SSL or not?
- Account lockout
- Check for OAuth functionality
- User credentials stored in browser memory in clear text
- Back-refresh attack (refer to OWASP)
- Username uniqueness
- Unsafe distribution of credentials
- Fail-open conditions

Error Code
- Test 404, 301, etc. pages via /test.php, /test.aspx, etc.
- Use input data: *&^%$#@!
- Send a wrong cookie value to generate an error
- Change the value of a hidden parameter to generate an error
- Add "[]" to all parameters
- Change GET requests to POST and POST to GET to generate errors
- Bypassing web firewalls to generate errors
- JavaScript obfuscation
- Alphanumeric characters in JavaScript
- Alphanumeric object error state
- Result checks (true, false, NaN, ...)

My Account
- Check for CSRF
- Check for CSRF token bypass
- Tamper with the user ID to change another user's account information
- Impersonate another user's account
- Check account deletion functionality

Access Control
- Access control requirements
- Insecure access control methods (request parameters, Referer header, etc.)

Forgot Password
- Username enumeration
- Reset token expiration time
- Check whether the password is changed over SSL or not
- Weak password policy testing
- Predict reset token
- Check brute-forcing of the security answer
- All active user sessions should be destroyed when a user changes their password

Product Selection & Purchase
- Change product ID to purchase a higher-priced product at a lower cost
- Change the value of a gift voucher to receive more gift vouchers instead of 1
- Add product to another user's cart
- Delete product from another user's cart
- Place order on behalf of another user
- Give negative values in price to add money to your account while buying a product
- Check payment card gateway testing

Booking
- Check another user's e-ticket
- Get refund on behalf of another user
- Get a larger refund by changing the refund amount
- Book a business/high-class ticket by changing the economy class parameter value
- Book a deluxe room by changing the normal room fare parameter value
- Book multiple seats/rooms by changing the quantity parameter value for a 1 seat/room booking
- Multiple test cases based on application functionality

Injection Attacks
- SQL injection
  - Blind-based
  - Boolean-based
  - Error-based
- XQuery injection
- SSI injection
- LDAP injection
- SMTP injection
- SOAP injection
- XML injection
- XPath injection
- Remote code injection
- OS command injection
- Code injection
- Script injection
- Frame injection
- Host header attack (header injection)
- XSS
  - Reflected XSS
  - Stored XSS
- Cross-site flashing
- Open redirection
- Arbitrary file download vulnerability

Automated Testing
- Send message as another user (applicable inside authentication)
- CAPTCHA testing
- CAPTCHA bypass
- Brute force
- Password masking
- CSRF identifier
- Hidden parameters
- Forms with autocomplete enabled

Misc
- Internal files leaked
- Internal IP disclosed
- Clickjacking vulnerability
- ASP.NET ViewState encrypted or not
- Apache MultiViews attack
- Application does not display last login time and date
- Weak ETag disclosed
- Server-side validation is not in place
- Sensitive information gets stored in history
- Padding oracle attack (ASPX)
- Downloadable objects
- Comment
  - Cross-site scripting
  - Comment on behalf of other users
- CAPTCHA testing
  - Identify the parameters used to send the CAPTCHA
  - CAPTCHA replay attack
  - Remove the CAPTCHA parameter and send the request to the server
  - Check whether the logic for generating CAPTCHAs is in a .js file itself
  - CAPTCHA should not disclose an absolute path
  - CAPTCHA elements should not be selected in a cyclic fashion (from a pre-made list)
  - Result of POST without CAPTCHA element
  - Background noise
  - Audio-to-text noise & TTS tests
  - Refresh CAPTCHA on page load
  - Server-side validation only
  - Server-side CAPTCHA generation
  - Check with a free OCR tool
  - Create an ML vision model to use as OCR
  - Intercept the CAPTCHA check response; if the CAPTCHA value is false, change it to true and forward the response
- Spam prevention & detection
- DOM-based attacks
- Local privacy vulnerabilities
- Sensitive data in URL parameters
- Weak SSL ciphers check
- Application logic attacks

Analysis
- Tests & test automation
- Map visible content
- Discover hidden & default content
- Debug parameter visibility
- Identify data entry points
- Identify the technologies used
- Map the attack surface