Web Application PenTest

Information Gathering/Information Leakage

• Identify the product information with the latest version

• Outdated components or known vulnerability (CVE) found in the identified product

• Access to the default URL or admin page of the identified product

• Any opening port other than 80 and 443

• Any sensitive data found on the website

Encryption

• HTTPS is enabled and only TLS 1.2 or above is available

• Correctness of the certification information

• SSL Certificate strength, at least > 2048 bits

• Weak Ciphers are supported

Authentication

• Only use the POST HTTP method to transfer the login data

• Possible to change the valid session with another user id during the login process

• Browser back to resend the login

• Possible to identify user id from the application response/behaviour

• Cached in session key or cookie with login information / sensitive data

• Default / guessable login credentials used

• Implemented effective logout mechanism, e.g. invalidate the session and login required

• Implemented session timeout, e.g. max of 1 hour if no business requirement.

• Implemented CAPTCHA or other brute force attack prevention mechanism

• Implemented account locking mechanism

• Does not allow multiple logins

Authorization

• Possible to obtain higher-level function access

• Possible to obtain other user’s data

• Is the site structure guessable and accessible

• Vulnerable to Path Traversal attack

Password Management

• What is the password policy

• Allow change password

• Implemented the maximal length of the password

• Vulnerable to the reset password process

Session / Cookie Management

• Session-Id stored in the cookie only

• Vulnerable to the Session fixation or CSRF attack

• Session-Id change after login

• Session-Id guessable

• The cookie session lifetime setting, expired when the browser is closed

• Restricted the cookie access within the same domain, HTTP Only and secure flag enable

Broken Access Control

• Higher Privilege functions should not be able to be executed by lower privilege

• Server-side checking implementation or hidden URL or parameter driven

• JS Functions via the developer console

• Copy and Paste of URL

Validation

• Input data are parsed or encoded for output

• Implemented the server-side parsing mechanism

• CSP enables correctly

• Parameter bypass Character

  • // /\ \\ %00 @ ''

  • URL encoding

  • double encodings

• Captcha Bypass

  • Change of HTTP request type

  • Modify or remove the captcha parameter

  • Parameter pollution

  • No timeout or session mechanism

  • Guessable

• Open redirect bypass

  • JS open redirects

  • Hiddenlink open redirects

  • using // /\ %00 @ to bypass

  • Parameter pollution

• JWT

  • Secret is leaked

  • The server never checks the secret

  • The secret is guessable or brute forceable

• CSRF

  • Check the CSRF Token exists on the CRUD action

  • Server-side or client-side validation

  • Token length and guessable

  • Any parameter with token

  • Accepts empty parameter

  • Responds without CSRF token

  • The token is not session bound

• Vulnerable to Injection of

o XSS (included: Reflected, Stored and DOM Based )

o SQL (included: Error, Union, Boolean, and time base)

o XPath

o XML

o Command

o LDAP

Web Service API

• Guessable of the API service call

• Authentication required

• Authorization implemented

• All input validate on the server-side

• All input/output data format is defined with validation control

Others check

• Clickjacking

• Frame Tampering

• Invalidated redirects and forwards

• Secure HTTP Respond Header setting

• Error handling

• File upload control