tags:
- Cyber-Security
Web App Fingerprint
- Auto-complete status
- Technology Identification
- Client-side frameworks
- CMS identification
- Plugin/Add-on Identification
- Fuzzing
- Source code check
- robots.txt file
- Info Leak via cache
- Domain interface
- Trace/Track Method
- Server fingerprint
- Debug Method in IIS
- Server response default banner
Application Entry Point
- Web Forms
- Login
- Registration
- Forget Password
- Search
- Comment Section
- Upload forms
- Data submission forms (contact, etc.)
- GET/POST requests
- Hidden POST parameters
Session Management
- Strict Transport Security (HSTS) policy checking
- Cookie
- Sensitive info over cookie
- Cookie with httpOnly flag
- Cookie with no secure flag
- Path attribute not set in session cookie
- Apache HTTPOnly cookie disclosure
- cookie scope
- Persistent cookies
- Session
- Session Hijacking
- Session prediction (token predictability)
- Session randomness
- Session Token in URL
- Session expiration mechanism legitimacy
- Reissued Session IDs for user critical actions
- Session cookie before and after login
- Meanings in token
- Secure transmission of tokens
- Disclosure of tokens in logs
- mapping of tokens to sessions
- Cross-site request forgery
- Log Out functionality
- Session termination, fixation, and expiration
- Session Replay
- Sensitive data removal (cache, temp, …)
Registration Process
- Email verification
- Client side validation
- Browser history information leak
- Browser credential storage
- SSL
- Automation (auto-fill forms)
- Auto-Complete in HTML form
- Captcha
- Password strength check
- Stored XSS
Authenticity Testing
- Username enumeration
- Resilience to password guessing
- Bypass Authentication using SQL Injection
- Credential transmission over SSL or not?
- Account lockout
- Check for OAuth functionality
- User credentials are stored in browser memory in clear text
- Back Refresh Attack (Refer OWASP)
- Username uniqueness
- Unsafe distribution of credentials
- Fail-open conditions
Error Code
- Test 404, 301, etc. pages via /test.php, /test.aspx, etc.
- Use input data such as *&^%$#@!
- Send wrong cookie value to generate error
- Change the value of hidden parameters to generate error
- Add "[]" in all parameters
- Change GET requests to POST and POST to GET to generate error
- Bypassing Web Firewalls to generate error
- JavaScript Obfuscation
- Alphanumeric Characters in JavaScript
- Alphanumeric Object Error state
- Result checks(true, false, NaN, …)
My Account
- Check for CSRF
- Check for CSRF token bypass
- Tamper user id to change other user's account information
- Impersonate other user's account
- Check account deletion functionality
Access Control
- Access Control requirements
- Insecure access control methods (request parameters, Referer header, etc.)
Forgot Password
- Username enumeration
- Reset token key expiration time
- Check if password getting changed over SSL or not
- Weak password policy testing
- Predict reset token
- Check bruteforcing for security answer
- All active user sessions should be destroyed when the user changes their password
Product Selection & Purchase
- Change product ID to purchase a higher-priced product at a lower cost
- Change the gift voucher value to receive multiple gift vouchers instead of 1
- Add product to another user's cart
- Delete product from another user's cart
- Place an order on behalf of another user
- Give negative values in price to add money to your account while buying a product
- Payment card gateway testing
Booking
- Check other user's e-ticket
- Get a refund on behalf of another user
- Get a larger refund by changing the refund amount
- Book a business/higher-class ticket by changing the parameter value of the economy-class variable
- Book a deluxe room by changing the parameter value of the normal room fare
- Book multiple seats/rooms by changing the quantity parameter value of a single seat/room booking
- Multiple test cases based on application functionality
- Injection Attacks
- SQL Injection
- Blind based
- Boolean based
- Error based
- XQuery Injection
- SSI Injection
- LDAP Injection
- SMTP injection
- SOAP injection
- XML Injection
- XPATH Injection
- Remote Code Injection
- OS Command Injection
- Code Injection
- Script injection
- Frame injection
- Host header attack (header injection)
- XSS
- Reflected
- Stored XSS
- Cross site flashing
- Open Redirection
- Arbitrary File Download Vulnerability
- Send message as another user (applicable inside authentication)
- Captcha testing
- Captcha bypass
- Bruteforce
- Password Masking
- CSRF identifier
- Hidden parameters
- Forms with autocomplete enabled
Misc
- Internal files leaked
- Internal IP disclosed
- Clickjacking vulnerability
- ASP.NET ViewState encrypted or not
- Apache MultiViews attack
- Application does not display last login time and date
- Weak ETag disclosed
- Server-side validation is not in place
- Sensitive information gets stored in history
- Padding oracle attack (ASPX)
- Downloadable objects
- Comment
- Cross site scripting
- Comment on behalf of other users
- CAPTCHA Testing
- Identify parameters which are used to send CAPTCHA
- Captcha Replay attack
- Remove captcha parameter and send request to server
- Check whether the logic for generating CAPTCHAs is in a .js file itself
- Captcha should not disclose absolute path
- Captcha elements should not be selected in a cyclic fashion (a pre-made list)
- Result of POST without captcha element
- Background noise
- Audio-to-text noise & TTS tests
- Refresh captcha on page load
- Server-side validation only
- Server-side captcha generation
- Check with free OCR tool
- Create an ML vision model to use as OCR
- Intercept the captcha check response; if the captcha value is false, change it to true and forward the response
- Spam Prevention & Detection
- DOM-based attacks
- Local privacy vulnerabilities
- Sensitive data in URL parameters
- Weak SSL ciphers check
- Application logic attacks
Analysis
- Tests & Test Automation
- Map visible content
- Discover hidden & default content
- Debug parameter visibility
- Identify data entry points
- Identify the technologies used
- Map the attack surface
- Web App - Pen Testing Tools
- Web Server Security