Web Application PenTest
Information Gathering/Information Leakage
Identify the product information and whether it is the latest version
Outdated components or known vulnerabilities (CVEs) found in the identified product
Access to the default URL or admin page of the identified product
Any open port other than 80 and 443
Any sensitive data found on the website
Encryption
HTTPS is enabled and only TLS 1.2 or above is available
Correctness of the certificate information
SSL certificate strength, at least 2048 bits
Weak ciphers supported
Authentication
Only use the POST HTTP method to transfer the login data
Possible to swap the valid session to another user id during the login process
Browser back button resends the login request
Possible to identify a valid user id from the application response/behaviour
Login information / sensitive data cached in the session key or cookie
Default / guessable login credentials used
Implemented an effective logout mechanism, e.g. invalidate the session and require login again
Implemented session timeout, e.g. a maximum of 1 hour unless a business requirement says otherwise
Implemented CAPTCHA or another brute force prevention mechanism
Implemented account locking mechanism
Does not allow multiple concurrent logins
Authorization
Possible to obtain higher-level function access
Possible to obtain other user’s data
Is the site structure guessable and accessible
Vulnerable to Path Traversal attack
Password Management
What is the password policy
Password change allowed
Implemented a maximum password length
Password reset process vulnerable
Session / Cookie Management
Session-Id stored in the cookie only
Vulnerable to session fixation or CSRF attack
Session-Id changes after login
Session-Id guessable
Session cookie lifetime setting: expires when the browser is closed
Cookie access restricted to the same domain, with HttpOnly and Secure flags enabled
Data Validation
Input data is parsed or encoded for output
Implemented a server-side parsing/validation mechanism
SSRF
Vulnerable to injection of:
o XSS (Reflected, Stored and DOM-based)
o SQL (Error-based, Union-based, Boolean-based and time-based)
o XPath
o XML
o Command
o LDAP
Web Service API
API service calls guessable
Authentication required
Authorization implemented
All input validated on the server side
All input/output data formats defined, with validation controls
Other checks
Clickjacking
Frame tampering
Unvalidated redirects and forwards
Secure HTTP response header settings
Error handling
File upload control
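As an added example (not part of the original checklist), the following Python audits a captured HTTP response against the Session / Cookie Management items (Secure, HttpOnly, same-domain scope, expiry on browser close, SameSite for CSRF) and the "Secure HTTP response header settings" item. The sample response and the set of expected security headers are assumptions constructed for the example.

```python
# Constructed sample response from a hypothetical login endpoint (not real traffic).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/\r\n"
    "Set-Cookie: pref=dark; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Type: text/html\r\n"
    "\r\n<html></html>"
)

# Headers checked under "Secure HTTP response header settings"; this set is
# an assumption of the example, not a list from the checklist author.
EXPECTED_HEADERS = {
    "strict-transport-security", "x-frame-options",
    "x-content-type-options", "content-security-policy",
}

def parse_headers(raw):
    """Split a raw response into (status_line, [(lowercase_name, value)])."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = []
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return head[0], headers

def audit_cookie(set_cookie):
    """Return checklist findings for one Set-Cookie value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure flag")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly flag")
    if "samesite" not in attrs:
        findings.append(f"{name}: missing SameSite attribute (CSRF exposure)")
    if "domain" in attrs:  # an explicit Domain widens the cookie to subdomains
        findings.append(f"{name}: Domain attribute set, cookie not limited to the same host")
    if "expires" in attrs or "max-age" in attrs:
        findings.append(f"{name}: persistent cookie, session cookies should expire when the browser closes")
    return findings

def audit_response(raw):
    """Collect cookie findings plus any expected security header that is absent."""
    _, headers = parse_headers(raw)
    findings = [f for n, v in headers if n == "set-cookie" for f in audit_cookie(v)]
    present = {n for n, _ in headers}
    findings += [f"missing response header: {h}" for h in sorted(EXPECTED_HEADERS - present)]
    return findings
```

Run `audit_response(SAMPLE_RESPONSE)` to see the session cookie flagged on three counts while the hardened `pref` cookie passes; swap in a real captured response to use it during a test.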