Web App Fingerprint

  • Autocomplete status of form fields
  • Technology identification
    • Client-side frameworks
    • CMS identification
    • Plugin/add-on identification
    • Fuzzing (directory and file brute force)
    • Source code review (HTML comments, script paths, framework markers)
  • robots.txt file (disallowed paths point at hidden content)
  • Information leak via cache (sensitive pages served without Cache-Control: no-store)
  • Domain interfaces (subdomains, virtual hosts)
  • TRACE/TRACK methods enabled
  • Server fingerprint
  • DEBUG method in IIS
  • Default server banner in responses
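As an added example (not code from the original checklist or from any tool it names), the following Python pulls the fingerprint items above out of one captured HTTP response: the Server and X-Powered-By banners, the platform implied by the session-cookie name, risky methods such as TRACE/TRACK advertised in an Allow header, a session-bearing page that lacks Cache-Control: no-store, and a CMS generator tag. The sample response and the cookie-name table are constructed for the demo; the table holds well-known default cookie names and is an assumption about the target, not a complete list.

```python
"""Passive fingerprint of one captured HTTP response.

Added example for this checklist, not code from any tool it names. The raw
response at the bottom is constructed for the demo; every heuristic maps to a
checklist item (banner, technology headers, framework cookie names, TRACE/TRACK
advertised in Allow, cacheable authenticated pages, CMS generator tag).
"""
import re

# Default session-cookie names that betray the platform that set them (assumed table).
FRAMEWORK_COOKIES = {
    "PHPSESSID": "PHP",
    "JSESSIONID": "Java servlet container",
    "ASP.NET_SESSIONID": "ASP.NET",
    "ASPSESSIONID": "classic ASP",
    "CFID": "ColdFusion",
    "LARAVEL_SESSION": "Laravel",
    "CSRFTOKEN": "Django",
}
RISKY_METHODS = {"TRACE", "TRACK", "DEBUG", "PUT", "DELETE"}


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status line, headers, body).
    Header names are lower-cased; repeated headers such as Set-Cookie are kept as lists."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def fingerprint(raw):
    """Return a dict of fingerprint findings for one response."""
    status, headers, body = parse_response(raw)

    def first(name):
        return headers.get(name, [None])[0]

    findings = {"status": status}
    for hdr, key in (("server", "server_banner"), ("x-powered-by", "powered_by"),
                     ("x-aspnet-version", "aspnet_version"), ("x-generator", "generator")):
        if first(hdr):
            findings[key] = first(hdr)

    # Platform guess from the names of cookies the server sets.
    techs = set()
    for cookie in headers.get("set-cookie", []):
        cookie_name = cookie.split("=", 1)[0].strip().upper()
        techs.update(t for prefix, t in FRAMEWORK_COOKIES.items() if cookie_name.startswith(prefix))
    if techs:
        findings["frameworks"] = sorted(techs)

    # Allow is normally the reply to an OPTIONS request; TRACE/TRACK/DEBUG are checklist items.
    if first("allow"):
        methods = {m.strip().upper() for m in first("allow").split(",")}
        if methods & RISKY_METHODS:
            findings["risky_methods"] = sorted(methods & RISKY_METHODS)

    # A page that sets a session cookie but is not marked no-store may be cached by proxies or browsers.
    if first("set-cookie") and "no-store" not in (first("cache-control") or "").lower():
        findings["cacheable_with_session"] = True

    m = re.search(r'<meta\s+name=["\']generator["\']\s+content=["\']([^"\']+)', body, re.I)
    if m:
        findings["generator"] = m.group(1)
    return findings


# Constructed sample: an Apache/PHP host running WordPress that also advertises TRACE.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Set-Cookie: PHPSESSID=0c1d2e3f; path=/\r\n"
    "Allow: GET,HEAD,POST,OPTIONS,TRACE\r\n"
    "Cache-Control: private\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head><meta name=\"generator\" content=\"WordPress 5.4\" /></head></html>"
)

if __name__ == "__main__":
    for key, value in fingerprint(SAMPLE_RESPONSE).items():
        print(f"{key}: {value}")
```

Feed it the raw bytes of a response captured from a proxy; run it once against the OPTIONS reply (for Allow) and once against an authenticated page (for the cache and cookie checks).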

Application Entry Point

  • Web Forms
    • Login
    • Registration
    • Forgot password
    • Search
    • Comment Section
    • Upload forms
    • Data submission forms (contact, etc.)
  • GET/POST requests
  • Hidden POST parameters

Session Management

  • HTTP Strict Transport Security (HSTS) header check
  • Cookie
    • Sensitive information stored in cookies
    • Cookie without the HttpOnly flag
    • Cookie without the Secure flag
    • Path attribute not set in the session cookie
    • Apache httpOnly cookie disclosure (CVE-2012-0053: the 400 Bad Request page echoes an oversized Cookie header)
    • Cookie scope (Domain attribute wider than needed)
    • Persistent cookies (Expires/Max-Age on session cookies)
  • Session
    • Session hijacking
    • Session token predictability and randomness
    • Session token in URL
    • Session expiration enforced server-side (idle and absolute timeouts)
    • Session IDs reissued on login and other critical actions
    • Session cookie before and after login (an unchanged value means fixation is possible)
    • Meaningful data encoded in the token
    • Secure transmission of tokens
    • Disclosure of tokens in logs
    • Mapping of tokens to sessions
    • Cross-site request forgery
  • Log out functionality
    • Session termination, fixation, and expiration
    • Session replay (old token still accepted after logout)
    • Sensitive data removal (cache, temp files, …)
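The cookie, HSTS and URL items above as checks over captured headers, written as an added example (not code from the original checklist or any tool it names). The Set-Cookie values, the HSTS header and the URL in the sample are constructed; the list of name fragments used to recognise a session cookie is an assumption.

```python
"""Cookie, HSTS and URL checks for the session-management items above.

Added example for this checklist, not code from any listed tool. The header
values and URL used in the tests are constructed. Findings follow the checklist
wording: HttpOnly/Secure/SameSite flags, Path, Domain scope, persistence and
readable data in the cookie value, HSTS strength, and session tokens in URLs.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Name fragments that usually mark a session or auth token (assumed heuristic).
SESSION_NAME_HINTS = ("sess", "sid", "token", "auth", "login")
ONE_YEAR = 31536000


def parse_set_cookie(header):
    """Return (name, value, attrs) for one Set-Cookie header; flag attributes map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    return name.strip(), unquote(value.strip()), attrs


def audit_cookie(header, https=True):
    """Checklist findings for one Set-Cookie header; https=True means the site is served over TLS."""
    name, value, attrs = parse_set_cookie(header)
    is_session = any(h in name.lower() for h in SESSION_NAME_HINTS)
    issues = []
    if "httponly" not in attrs:
        issues.append("missing HttpOnly")
    if https and "secure" not in attrs:
        issues.append("missing Secure")
    if "samesite" not in attrs or str(attrs["samesite"]).lower() == "none":
        issues.append("SameSite absent or None")
    if "path" not in attrs:
        issues.append("Path not set (defaults to the request directory)")
    if "domain" in attrs:
        issues.append(f"scoped to every host under {str(attrs['domain']).lstrip('.')}")
    if is_session and ("expires" in attrs or "max-age" in attrs):
        issues.append("persistent session cookie")
    if re.search(r"user|role|admin|email|pass", value, re.I):  # crude: readable state in the value
        issues.append("readable sensitive data in cookie value")
    return issues


def audit_hsts(headers):
    """headers: dict of lower-cased response header names to values."""
    value = headers.get("strict-transport-security")
    if value is None:
        return ["HSTS header missing"]
    issues = []
    m = re.search(r"max-age=(\d+)", value, re.I)
    if not m:
        issues.append("HSTS without max-age")
    elif int(m.group(1)) < ONE_YEAR:
        issues.append(f"HSTS max-age {m.group(1)} shorter than one year")
    if "includesubdomains" not in value.lower():
        issues.append("HSTS lacks includeSubDomains")
    return issues


def session_token_in_url(url):
    """Query parameters whose name looks like a session/auth token (they land in history, logs and Referer)."""
    return [k for k in parse_qs(urlsplit(url).query) if any(h in k.lower() for h in SESSION_NAME_HINTS)]


if __name__ == "__main__":
    print(audit_cookie("PHPSESSID=0c1d2e3f; Path=/; HttpOnly"))
    print(audit_hsts({"strict-transport-security": "max-age=300"}))
    print(session_token_in_url("https://example.com/account?jsessionid=ABC123&page=2"))
```

Run audit_cookie over every Set-Cookie header seen before and after login; a session cookie whose value does not change across login is the fixation case listed above and needs a separate comparison.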

Registration Process

  • Email verification
  • Client side validation
  • Browser history information leak
  • Browser credential storage
  • TLS (registration form submitted over HTTPS)
  • Automation (scripted form filling)
  • Autocomplete enabled on HTML form fields
  • CAPTCHA
  • Password strength check
  • Stored XSS via registration fields

Authentication Testing

  • Username enumeration
  • Resilience to password guessing
  • Authentication bypass via SQL injection
  • Credentials transmitted over TLS or not?
  • Account lockout
  • Check for OAuth functionality
  • Credentials held in browser memory in clear text
  • Back/refresh attack (see OWASP)
  • Username uniqueness
  • Unsafe distribution of credentials
  • Fail-open conditions
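The SQL-injection bypass and the username-enumeration items above, shown side by side as an added example (not code from the original checklist or any tool it names): a legacy login that splices the username into the query, and the parameterised version that also keeps the response timing the same for unknown users. The in-memory SQLite table and its single user are constructed; the static salt is a simplification so the legacy query can embed the hash up front, and a real implementation would use a per-user salt.

```python
"""Authentication bypass through SQL injection, vulnerable and fixed.

Added example for this checklist, not code from any tool it names. Uses an
in-memory SQLite database with one constructed user. The static SALT is a demo
simplification so the legacy query can embed the hash; use a per-user salt in
real code.
"""
import hashlib
import hmac
import sqlite3

SALT = b"demo-static-salt"   # assumption for the demo only
ITERATIONS = 50_000


def hash_pw(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS).hex()


DUMMY_HASH = hash_pw("not-a-real-password")   # compared when the user does not exist


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    con.execute("INSERT INTO users VALUES (?, ?)", ("alice", hash_pw("correct horse")))
    return con


def login_vulnerable(con, username, password):
    """Legacy pattern: user input is spliced into the SQL text, so a username of
    "alice' --" comments out the password clause and "' OR 1=1 --" logs in as the first row."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND pw_hash = '{hash_pw(password)}'")
    row = con.execute(query).fetchone()
    return row[0] if row else None


def login_safe(con, username, password):
    """Parameterised lookup; the password check happens in code, in constant time,
    and a missing user is handled with a dummy hash so the timing does not reveal
    whether the username exists (username-enumeration item)."""
    row = con.execute("SELECT pw_hash FROM users WHERE username = ?", (username,)).fetchone()
    stored = row[0] if row else DUMMY_HASH
    valid = hmac.compare_digest(stored, hash_pw(password))
    return username if (row is not None and valid) else None


if __name__ == "__main__":
    db = make_db()
    for user, pw in (("alice", "wrong"), ("alice' --", "wrong"), ("' OR 1=1 --", "x")):
        print(f"{user!r}: vulnerable={login_vulnerable(db, user, pw)!r} safe={login_safe(db, user, pw)!r}")
```

The same two payloads are the first thing to try in the login, forgot-password and search forms listed under Application Entry Point; a differing error page or a successful login is the finding.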

Error Code

  • Test 404, 301, etc. error pages by requesting /test.php, /test.aspx, etc.
  • Use input data such as *&^%$#@!
  • Send a wrong cookie value to generate an error
  • Change the value of a hidden parameter to generate an error
  • Append "[]" to all parameter names
  • Change GET requests to POST and POST to GET to generate errors
  • Bypassing web application firewalls to generate errors
    • JavaScript obfuscation
    • Non-alphanumeric JavaScript encoding (JSFuck-style)
      • Values built from object and error states
      • Result checks (true, false, NaN, …)
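The request mutations in this section, generated from one known-good request, as an added example (not code from the original checklist or any tool it names). It only builds the requests; sending them and diffing the status codes, stack traces and error templates is left to the caller. The URL and the cookie header in the demo are constructed.

```python
"""Request mutations for the error-handling tests above: special-character
values, "[]" appended to parameter names, GET/POST swap, wrong cookie values,
and non-existent pages per extension to compare the 404 handlers.

Added example for this checklist, not code from any listed tool. The sample URL
and cookie header are constructed.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# "\x00" is urlencoded to %00 so the server receives a real null byte.
PROBES = ["*&^%$#@!", "'", '"', "\x00", "-1", "9" * 12, ""]
EXTENSIONS = ("php", "aspx", "jsp", "html")


def error_probes(url, method="GET"):
    """Return (method, url, body) tuples to send; body is None for GET requests."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)

    def with_query(p):
        return urlunsplit(parts._replace(query=urlencode(p)))

    requests = []
    for i, (name, value) in enumerate(params):
        for probe in PROBES:                       # odd values, one parameter at a time
            mutated = list(params)
            mutated[i] = (name, probe)
            requests.append((method, with_query(mutated), None))
        mutated = list(params)                     # id -> id[] turns a scalar into an array
        mutated[i] = (name + "[]", value)
        requests.append((method, with_query(mutated), None))
    if method.upper() == "GET":                    # method swap keeps the same parameters
        requests.append(("POST", urlunsplit(parts._replace(query="")), urlencode(params)))
    else:
        requests.append(("GET", with_query(params), None))
    directory = parts.path.rsplit("/", 1)[0] + "/"
    for ext in EXTENSIONS:                         # compare the 404 page of each handler
        requests.append(("GET", urlunsplit(parts._replace(path=f"{directory}test.{ext}", query="")), None))
    return requests


def cookie_probes(cookie_header):
    """Cookie headers with one value at a time replaced by a bogus one, to hit the session-error path."""
    pairs = [c.strip().split("=", 1) for c in cookie_header.split(";") if "=" in c]
    variants = []
    for i in range(len(pairs)):
        mutated = [list(p) for p in pairs]
        mutated[i][1] = "x" * 8
        variants.append("; ".join(f"{k}={v}" for k, v in mutated))
    return variants


if __name__ == "__main__":
    for req in error_probes("https://example.com/app/item?id=5&sort=asc"):
        print(req)
    print(cookie_probes("PHPSESSID=abc; theme=dark"))
```

Send each variant with the original cookies (and each cookie variant with the original URL) and keep any response whose status, length or template differs from the baseline; those are the error pages to read for stack traces, paths and version strings.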

My Account

  • Check for CSRF
  • Check for CSRF token bypass
  • Tamper with the user ID to change another user's account information
  • Impersonate another user's account
  • Check account deletion functionality

Access Control

  • Access control requirements (vertical and horizontal)
  • Insecure access control methods (request parameters, Referer header, etc.)
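The user-ID tampering item under My Account and the access-control items above, as an added example (not code from the original checklist or any tool it names): a handler that trusts the ID in the request beside one that authorises against the session, plus the differential test a tester runs with two accounts. The account table and session map stand in for the application and are constructed.

```python
"""Horizontal access-control (IDOR) check for the My Account / Access Control items.

Added example for this checklist, not code from any listed tool. The account
handlers stand in for an application; the accounts and sessions are constructed.
"""
ACCOUNTS = {
    101: {"owner": "alice", "email": "alice@example.com"},
    102: {"owner": "bob", "email": "bob@example.com"},
}
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}


def get_account_vulnerable(session, account_id):
    """Checks only that the caller is logged in, then trusts the id from the request."""
    if session not in SESSIONS:
        return 401, None
    account = ACCOUNTS.get(account_id)
    return (200, account) if account else (404, None)


def get_account_safe(session, account_id):
    """Authorises against the session's identity, and answers 'not yours' exactly like
    'does not exist' so the id space cannot be enumerated from the status code."""
    user = SESSIONS.get(session)
    if user is None:
        return 401, None
    account = ACCOUNTS.get(account_id)
    if account is None or account["owner"] != user:
        return 404, None
    return 200, account


def find_idor(handler, victim_session, attacker_session, ids):
    """Differential test: replay each id under the victim's and the attacker's session and
    report ids where the attacker receives the same 200 body the victim does.
    Resources both users legitimately share will show up too and must be triaged by hand."""
    leaked = []
    for account_id in ids:
        v_status, v_body = handler(victim_session, account_id)
        a_status, a_body = handler(attacker_session, account_id)
        if v_status == 200 and a_status == 200 and a_body == v_body:
            leaked.append(account_id)
    return leaked


if __name__ == "__main__":
    print("vulnerable:", find_idor(get_account_vulnerable, "sess-alice", "sess-bob", [101, 102]))
    print("safe:", find_idor(get_account_safe, "sess-alice", "sess-bob", [101, 102]))
```

Against a real target the handler is a function that sends the captured request with one session cookie swapped for the other; the same loop covers the cart, order, e-ticket and refund items in the purchase and booking sections.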

Forgot Password

  • Username enumeration
  • Reset token expiration time
  • Check whether the password change is submitted over TLS
  • Weak password policy testing
  • Reset token predictability
  • Brute-force the security answer
  • All active user sessions should be destroyed when the user changes the password
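The reset-token predictability item above and the session-token predictability, randomness and "meaningful data in token" items under Session Management call for the same analysis, so one added example serves both (not code from the original checklist or any tool it names): collect a series of tokens issued to the same client and check for a constant step, a low entropy estimate and a value that decodes to readable state. The three token samples are constructed. With n samples the per-position entropy estimate saturates at log2(n) bits per character, so the figure is a lower bound that needs a few hundred samples to mean much; the 64-bit floor is an assumed threshold.

```python
"""Session / reset token predictability checks.

Added example for this checklist, not code from any listed tool. The token
samples are constructed: a counter-style series, a base64 token that encodes
readable state, and random tokens from the secrets module.
"""
import base64
import math
import secrets
from collections import Counter

MIN_BITS = 64   # assumed floor for an identifier that must resist guessing


def per_position_entropy(tokens):
    """Sum over character positions of the Shannon entropy of the symbols seen there."""
    n = len(tokens)
    width = min(len(t) for t in tokens)
    total = 0.0
    for i in range(width):
        counts = Counter(t[i] for t in tokens)
        total -= sum(c / n * math.log2(c / n) for c in counts.values())
    return total


def looks_sequential(tokens):
    """True when the tokens parse as decimal or hex integers with one constant step."""
    for base in (10, 16):
        try:
            nums = [int(t, base) for t in tokens]
        except ValueError:
            continue
        steps = {b - a for a, b in zip(nums, nums[1:])}
        return len(nums) > 2 and len(steps) == 1
    return False


def decoded_meaning(token):
    """Return the decoded text if the token is base64 or hex of printable ASCII."""
    decoders = (lambda s: base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)), bytes.fromhex)
    for decode in decoders:
        try:
            raw = decode(token)
        except (ValueError, TypeError):
            continue
        if raw and all(32 <= b < 127 for b in raw):
            return raw.decode("ascii")
    return None


def assess(tokens):
    """Checklist findings for a sample of tokens issued to the same client in sequence."""
    findings = []
    if looks_sequential(tokens):
        findings.append("sequential")
    bits = per_position_entropy(tokens)
    if bits < MIN_BITS:
        findings.append(f"low entropy estimate ({bits:.1f} bits)")
    meaning = decoded_meaning(tokens[0])
    if meaning:
        findings.append(f"decodes to readable data: {meaning}")
    return findings


# Constructed samples.
SEQUENTIAL = ["1000", "1001", "1002", "1003"]
MEANINGFUL = base64.urlsafe_b64encode(b"user=alice;role=user").decode()
RANDOM = [secrets.token_hex(16) for _ in range(32)]

if __name__ == "__main__":
    print("sequential:", assess(SEQUENTIAL))
    print("meaningful:", assess([MEANINGFUL] * 4))
    print("random:", assess(RANDOM))
```

For reset tokens, request several resets for your own account in quick succession and feed the tokens from the e-mails to assess(); for session tokens, log in repeatedly and collect the cookie values.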

Product Selection & Purchase

  • Change the product ID or price parameter to buy a higher-priced product at a lower price
  • Change the value of a gift voucher to receive several vouchers instead of one
  • Add a product to another user's cart
  • Delete a product from another user's cart
  • Place an order on behalf of another user
  • Submit negative prices to credit your account while buying the product
  • Payment card gateway testing

Booking

  • View another user's e-ticket
  • Obtain a refund on behalf of another user
  • Obtain a larger refund by changing the refund amount
  • Book a business/first class ticket by changing the parameter value of the economy class variable
  • Book a deluxe room by changing the parameter value of the normal room fare
  • Book multiple seats/rooms by changing the quantity parameter while paying for one
  • Further test cases based on application functionality
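The price, voucher and quantity tampering items in the purchase section above and the fare and quantity items in the booking section all fail for the same reason, so one added example covers both (not code from the original checklist or any tool it names): a checkout that uses the price, quantity and voucher value the client sent, beside one that takes every monetary value from server-side data. The catalogue, voucher table and carts are constructed.

```python
"""Server-side price, quantity and voucher validation for the purchase and
booking items above.

Added example for this checklist, not code from any listed tool. The catalogue,
voucher table and carts are constructed.
"""
MAX_QTY = 10
CATALOGUE = {          # the only place prices live in the fixed version
    "ECO": {"name": "economy seat", "price": 100},
    "BIZ": {"name": "business seat", "price": 900},
}
VOUCHERS = {"GIFT10": 10}


class OrderError(Exception):
    pass


def checkout_vulnerable(cart, wallet):
    """Uses the price, quantity and voucher value exactly as submitted."""
    total = sum(item["price"] * item["qty"] for item in cart["items"])
    total -= cart.get("voucher_value", 0)
    return total, wallet - total          # a negative total credits the buyer's wallet


def checkout_safe(cart, wallet, redeemed):
    """Server-side pricing. `redeemed` is the set of voucher codes already spent."""
    total = 0
    for item in cart["items"]:
        product = CATALOGUE.get(item.get("sku"))
        if product is None:
            raise OrderError("unknown product")
        qty = item.get("qty")
        if type(qty) is not int or not 1 <= qty <= MAX_QTY:   # rejects 0, negatives, strings, bools
            raise OrderError(f"quantity must be an integer between 1 and {MAX_QTY}")
        total += product["price"] * qty   # catalogue price, never the request's
    code = cart.get("voucher")
    if code is not None:
        if code not in VOUCHERS or code in redeemed:
            raise OrderError("invalid or already used voucher")
        redeemed.add(code)
        total -= VOUCHERS[code]
    total = max(total, 0)                 # a voucher can bring the total to zero, never below
    if total > wallet:
        raise OrderError("insufficient funds")
    return total, wallet - total


def attempt_safe(cart, wallet, redeemed):
    """Demo helper: the (total, wallet) pair on success, the rejection reason otherwise."""
    try:
        return checkout_safe(cart, wallet, redeemed)
    except OrderError as exc:
        return str(exc)


def demo_voucher_reuse(wallet=500):
    """Two honest checkouts with the same voucher: the second must be rejected."""
    redeemed = set()
    return attempt_safe(HONEST, wallet, redeemed), attempt_safe(HONEST, wallet, redeemed)


# Constructed carts: negative price, business seat at the economy price, and an honest order.
NEGATIVE_PRICE = {"items": [{"sku": "BIZ", "price": -500, "qty": 1}]}
PRICE_SWAP = {"items": [{"sku": "BIZ", "price": 100, "qty": 1}]}
HONEST = {"items": [{"sku": "ECO", "price": 100, "qty": 2}], "voucher": "GIFT10"}

if __name__ == "__main__":
    print("vulnerable, negative price:", checkout_vulnerable(NEGATIVE_PRICE, 100))
    print("safe, negative price:", attempt_safe(NEGATIVE_PRICE, 1000, set()))
    print("safe, voucher reuse:", demo_voucher_reuse())
```

When testing, change one field per request (price, then quantity, then voucher value, then class or room type) and compare the confirmed total with the catalogue price; any request where the client-supplied number survives into the total is a finding.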

Input Data Validation

  • Injection Attacks
    • SQL Injection
      • Blind (boolean-based and time-based)
      • Error-based
    • XQuery injection
    • SSI injection
    • LDAP injection
    • SMTP injection
    • SOAP injection
    • XML injection
    • XPath injection
    • Remote code injection
    • OS command injection
    • Code injection
    • Script injection
    • Frame injection
    • Host header attack (header injection)
  • XSS
    • Reflected
    • Stored
    • Cross-site flashing (Flash-based XSS)
  • Open redirection
  • Arbitrary file download vulnerability

Automated Testing

  • Netsparker
  • Burp Scanner

Contact Us / Complaining/Feedback

  • Send a message as another user (applicable when authenticated)
  • CAPTCHA testing
  • CAPTCHA bypass
  • Brute force

Web Forms

  • Password Masking
  • CSRF token present
  • Hidden parameters
  • Forms with autocomplete enabled
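The four web-form items above, plus the hidden-parameter and autocomplete items from the earlier sections, as a static scan of a page's HTML, written as an added example (not code from the original checklist or any tool it names). The page fragment is constructed. The CSRF heuristic only looks at field names, so a form that carries its token in a header will be reported and must be checked by hand; the name fragments it recognises are an assumption.

```python
"""Static audit of HTML forms for the web-form items above (password masking,
CSRF token presence, hidden parameters, autocomplete).

Added example for this checklist, not code from any listed tool. The page
fragment at the bottom is constructed.
"""
from html.parser import HTMLParser

CSRF_HINTS = ("csrf", "xsrf", "token", "nonce", "authenticity")   # assumed name fragments


class FormCollector(HTMLParser):
    """Collects every form with its method, autocomplete setting and input fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {
                "action": a.get("action", ""),
                "method": (a.get("method") or "get").lower(),
                "autocomplete": (a.get("autocomplete") or "on").lower(),
                "inputs": [],
            }
        elif tag in ("input", "textarea", "select") and self._current is not None:
            self._current["inputs"].append({
                "name": a.get("name", ""),
                "type": (a.get("type") or "text").lower(),
                "value": a.get("value", ""),
                "autocomplete": (a.get("autocomplete") or "").lower(),
            })

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def audit_forms(html):
    """One report entry per form: action, method and the checklist issues found."""
    collector = FormCollector()
    collector.feed(html)
    collector.close()
    report = []
    for form in collector.forms:
        issues = []
        names = [field["name"].lower() for field in form["inputs"]]
        if form["method"] == "post" and not any(h in n for n in names for h in CSRF_HINTS):
            issues.append("POST form without a recognisable CSRF token field")
        if form["method"] == "get" and any("pass" in n for n in names):
            issues.append("credentials sent via GET land in the URL, history and logs")
        for field in form["inputs"]:
            if field["type"] == "password":
                # autocomplete=off on the field or the form, or new-password, opts out of browser storage
                if "off" not in (field["autocomplete"], form["autocomplete"]) and field["autocomplete"] != "new-password":
                    issues.append(f"password field '{field['name']}' may be stored by the browser")
            elif field["type"] == "hidden":
                issues.append(f"hidden parameter '{field['name']}'={field['value']!r} (tamper candidate)")
            elif field["type"] == "text" and "pass" in field["name"].lower():
                issues.append(f"'{field['name']}' looks like a password but is unmasked (type=text)")
        report.append({"action": form["action"], "method": form["method"], "issues": issues})
    return report


# Constructed page: a login form with the classic problems, a harmless search form, a careful registration form.
SAMPLE_PAGE = """
<form action="/login" method="POST">
  <input name="user"><input type="password" name="pass">
  <input type="hidden" name="next" value="/home"><button>Sign in</button>
</form>
<form action="/search" method="get"><input name="q"></form>
<form action="/register" method="post" autocomplete="off">
  <input type="hidden" name="csrf_token" value="d41d8cd9">
  <input type="password" name="password" autocomplete="new-password">
</form>
"""

if __name__ == "__main__":
    for entry in audit_forms(SAMPLE_PAGE):
        print(entry)
```

Every hidden parameter it lists is a candidate for the tampering tests in the My Account, purchase and booking sections; a CSRF token that appears as a hidden field still needs the bypass checks (remove it, reuse another session's value, submit an empty one).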

Misc

  • Internal files leaked
  • Internal IP addresses disclosed
  • Clickjacking vulnerability (no X-Frame-Options or CSP frame-ancestors)
  • ASP.NET ViewState encrypted and MAC-protected or not
  • Apache MultiViews attack (content negotiation reveals file names)
  • Application does not display last login time and date
  • Weak ETag disclosed (inode-based ETags leak file system details)
  • Server-side validation not in place
  • Sensitive information stored in browser history
  • Padding oracle attack (ASP.NET)
  • Downloadable objects
  • Comments
    • Cross-site scripting
    • Comment on behalf of other users
  • CAPTCHA testing
    • Identify the parameters used to send the CAPTCHA
    • CAPTCHA replay attack
    • Remove the CAPTCHA parameter and send the request to the server
    • Check whether the logic for generating CAPTCHAs lives in a .js file
    • CAPTCHA should not disclose an absolute path
    • CAPTCHA elements should not be selected cyclically from a pre-made list
    • Result of a POST without the CAPTCHA element
    • Background noise
    • Audio-to-text noise and TTS tests
    • CAPTCHA refreshed on page load
    • Server-side validation only
    • Server-side CAPTCHA generation
    • Check with a free OCR tool
    • Train an ML vision model to use as OCR
    • Intercept the CAPTCHA check response; if the result is false, change it to true and forward it
  • Spam prevention and detection
  • DOM-based attacks
  • Local privacy vulnerabilities
  • Sensitive data in URL parameters
  • Weak TLS cipher check
  • Application logic attacks
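The CAPTCHA items above (replay, removed parameter, client-asserted result, server-side validation) as an added example, not code from the original checklist or any tool it names: a verifier that fails all of those tests beside one that consumes each challenge on first use and checks it server-side with an expiry. The challenge store is an in-memory dict and the answers are constructed; image and audio generation is out of scope here.

```python
"""Server-side CAPTCHA verification, vulnerable and fixed.

Added example for this checklist, not code from any listed tool. The challenge
store is an in-memory dict and the answers are constructed.
"""
import hmac
import secrets
import time


class CaptchaStore:
    """challenge id -> (expected answer, expiry time); one entry per issued challenge."""

    def __init__(self):
        self.pending = {}

    def issue(self, answer, ttl=120):
        challenge_id = secrets.token_urlsafe(16)
        self.pending[challenge_id] = (answer, time.time() + ttl)
        return challenge_id


def verify_vulnerable(store, form):
    """Three checklist failures in one function."""
    if "captcha_id" not in form:            # removing the parameter skips the check entirely
        return True
    if form.get("captcha_ok") == "true":    # a result flag supplied by the client is trusted
        return True
    answer, _ = store.pending.get(form["captcha_id"], (None, 0.0))
    return form.get("captcha") == answer    # entry is never consumed, so the pair replays


def verify_safe(store, form, now=None):
    """Single-use, server-side check with expiry; any missing piece fails closed."""
    now = time.time() if now is None else now
    entry = store.pending.pop(form.get("captcha_id"), None)   # consumed on first use, right or wrong
    if entry is None:
        return False                        # absent, unknown or already used challenge
    answer, expires = entry
    if now > expires:
        return False
    given = str(form.get("captcha", "")).strip().lower()
    return hmac.compare_digest(given.encode(), answer.lower().encode())


def demo(verify):
    """Run the checklist probes against one verifier; returns the outcome of each."""
    store = CaptchaStore()
    cid = store.issue("7k3d")
    outcomes = {
        "missing_param": verify(store, {}),
        "client_flag": verify(store, {"captcha_id": cid, "captcha": "wrong", "captcha_ok": "true"}),
        "wrong_answer": verify(store, {"captcha_id": cid, "captcha": "nope"}),
    }
    cid = store.issue("7k3d")
    outcomes["correct"] = verify(store, {"captcha_id": cid, "captcha": "7k3d"})
    outcomes["replay"] = verify(store, {"captcha_id": cid, "captcha": "7k3d"})
    return outcomes


def demo_expiry():
    """A correct answer submitted after the TTL must be rejected."""
    store = CaptchaStore()
    cid = store.issue("7k3d", ttl=60)
    return verify_safe(store, {"captcha_id": cid, "captcha": "7k3d"}, now=time.time() + 120)


if __name__ == "__main__":
    print("vulnerable:", demo(verify_vulnerable))
    print("safe:", demo(verify_safe))
    print("expired accepted:", demo_expiry())
```

The probes in demo() are the requests to send through a proxy: drop the CAPTCHA parameter, add or flip any client-side result flag, and resubmit a solved id/answer pair; a target that returns success for any of them matches the corresponding checklist item.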

Analysis

  • Tests & Test Automation
  • Map visible content
  • Discover hidden & default content
  • Debug parameter visibility
  • Identify data entry points
  • Identify the technologies used
  • Map the attack surface
  • Web application penetration testing tools
  • Web Server Security